Active Directory Archives - Flemming Riis's System Center Blog

Jul

Count your Domain Controllers Often and Always

Categories: Active Directory, AD, Advanced Threat Analytics, ATA, Security

Comments Off

Had a talk the other day with a friend around domain controllers , we talked about how fast many orgs would actually detect a new domain controller , and if they did how fast

As this is a normal operation its not flagged by ATA , but it would be a very nice feature to add ( as far as i can see , this is a new install so no 30 days ML with admin behavior) , ATA should detect a admin logging on to a new server but need to test on a aged system

There is most likely a lot of eventlog hints of new domain controllers added need to examine for them also

Adding a new domain controller

We can see the new object as domain controller

Adding Domain Controllers Group to Sensitive Groups could h

So we could get a report like this if a DC was added could be a very good feature

Or list domain controllers not monitored by ATA

Detecting Domain Controllers being added

One method could be to use @LazyWinAdm

https://github.com/lazywinadmin/Monitor-ADGroupMembership

Running

.\Monitor-ADGroupMembership.ps1 -group “Domain Controllers” -Emailfrom [email protected] -Emailto “[email protected]” -EmailServer 10.0.0.51 –Verbose

on a rapid schedule

First run find the now 2 domain controllers

And we will now get a email alart when a new domain controller is added or removed

Feb

Protecting your secrets, one more step to remember

Categories: Active Directory, AD, Backup, Disaster Recovery, Password, TSM

Comments Off

If you are using hosted backup with TSM there is one more step to cover when people leave the org

The protection for many hosted backups are

Protection against “rouge” TSM Administrator

Client Side Encryption

Protection against “rouge” Backup Administrator

Node ID

Node Password (separation of duties one for password one for encryption)

And the last one is the issue here as its often not rotated, default TSM is 90 days but looking at different hosted TSM password is often set to no expire

This is not a TSM problem but a problem with password rotation

In the perfect world, the NodeID password and the encryption is not known by the same person, but then nodeid / password / secret is in registry so an AD admin can access this

Scenario

TSM BA Client installed on demodc01.stackdemo.dk

Starting the TSM client , prompting for Node Password on first backup

Ready for Action

Starting the first backup , prompts for encryption key , and after a short while the backup is completed

On a rouge server, outside of the environment we install the TSM BA Client and reuse the nodeID and password from the disgruntled backup admin

Adding the nodeid and nodepassword

And we restore a dummy file to see that’s its working, and is prompted for the encryption key

dsmc q b “{DEMODC01\SystemState\NULL\System State\SystemState}\ntds.dit” -sub=y

If we can’t remember where ntds.dit is located we can search for it

rest “{DEMODC01\SystemState\NULL\System State\SystemState}\\DEMODC01\C$|\WINDOWS\ntds\*” C:\EVILDC\ -sub=y

And we can restore the files

And we now have something we can attack , if we boot up in a winPE enviroment we can follow the procedure for system state and have a working domain controller

If the attacker had access to the domain controller aka disgruntled former employee the password and encryption is available on the source node in registry , since TSM used both the password and the encryption to access TSM server and backup/restore data it needs to be stored somewhere that the service can access

It’s very hard to protect anything from a domain admin even with the assume breach state of mind

So, we can logon without getting prompted for credentials/encryption

So what can we do

First off , prevent people from being disgruntled

And since we can’t control human nature change the password on the nodes, either scheduled or when high privilege staff leaves or both, and again the default for a TSM node is that it will be changed

Single Node example, log on the TSM , change password

Something old Something New

And Success , and password change can be scripted so cycling the password shouldn’t be a big issue

And our EvilDC can’t access TSM anymore and everything is back to normal

Jan

Thycotis Weak Password Finder and Microsoft Advanced Threat Analytics

Categories: Active Directory, Advanced Threat Analytics, ATA, Thycotic

Comments Off

Thycotic made a free tool available to check for bad password in Active Directory

UNCOVER YOUR MOST VULNERABLE SECURITY GAPS: FREE WEAK PASSWORD FINDER FOR ACTIVE DIRECTORY

https://thycotic.com/solutions/free-it-tools/

If we dig into the about file

The core functionality of this product has been inspired by Jakob Heidelberg https://www.linkedin.com/in/heidelberg and developed by Michael Grafnetter https://www.linkedin.com/in/grafnetter.

We can see where the inspiration and development came from , and thank you to Thycotic for making this tool available for free

This is just a quick drill through with the detection from Advanced Threat Analytics

Running on a member server pointing to DC and Domain

Using the overpowered administrator i have logged on with

and ready to scan

Looking through all AD objects

And reporting time

Something very pretty to present to security/management

with 26 items on the todo list to fix

and to the point of the post , Microsoft Advanced Threat Analytics catches the non standard replication

When time permits further digging in the tool , for production enviroment i would always run this in a restored domain controller without network access even though i trust the people involved in this

Aug

Updating ATA to version 1.7

Categories: Active Directory, ATA, Security

Comments Off

Microsoft is keeping the fast pace with update to the star of their “classic” AD security solution

So we saw version 1.7 drop yesterday

New Major Features are

· Role based access control.

· Windows Server core support.

· Reconnaissance using Directory Services Enumeration detection.

· Pass-the-Ticket detections enhancements.

Unusual Protocol Implementation detection enhancements

Link : https://support.microsoft.com/en-us/kb/3185481

Personally we are looking fwd to RBAC its a major improvement for the majority of our customers and highly requested

Starting the install , we are upgrading fra 1.6.1 , we have a few enviroments on 1.4 and there is NO direct upgrade to 1.7

At upgrade we can either upgrade the whole database or do a partial migration , we opted for partial as having ATA offline for a longer duration wasnt a option , the database is placed on SSD so its unlikely it will take a day but we will test that in another enviroment

Sucess

New UX for updating agent and improved progress indicator

And we now have a few new security groups

This now means we can give auditors access to the enviroment without handing them the keys to the kingdom Smile

Jun

Deploying Data Protection Manager in a dedicated domain

Categories: Active Directory, Data Protection Manager, Disaster Recovery, DPM, Hyper-V

Comments Off

Data Protection and the ability recover data is key to keeping your job and your company alive.

The demo setup thats is going to be used in this post are

PROTECTDC01 Domain Controller in the PROTECT Forest
PROTECTDC02 Domain Controller in the PROTECT Forest
PROTECTDDPM01 Data Protection Manager Server in the PROTECT Forest
FABRICDC01 Domain Controller in the FABRIC Forest
FABRICDC02 Domain Controller in the FABRIC Forest
FABRICHV01-04 Hyper-V HyperConverged Instal
FABRICHVC01 Hyper-V Cluster with member FABRICHV01-04
WORKLOAD01-05 Virtual Workload in the FABRIC Hyper-V Cluster

As this is a test enviroment everything are stuck on one box.

For the real world deployment the FABRIC and PROTECT domain must be seperated , the whole point in this post will be if you for some reason get compromised in your FABRIC domain , you will still have access to the PROTECT domain and maintain the ability to recover your data.

This also means that in a larger enviroment you can easier seperate the roles so one team wont have access to both source and target of backup data

We do in the example log in interative on the fabric domain , so if the host is compromised before agent install the protect domain is going down the same path , so there is still some work to be done but beats having everything in one domain.