my personal blog about systemcenter

All posts in AD

Count your Domain Controllers Often and Always

Categories: Active Directory, AD, Advanced Threat Analytics, ATA, Security
Comments Off on Count your Domain Controllers Often and Always

Had a talk the other day with a friend around domain controllers , we talked about how fast many orgs would actually detect a new domain controller , and if they did how fast

As this is a normal operation its not flagged by ATA , but it would be a very nice feature to add ( as far as i can see , this is a new install so no 30 days ML with admin behavior) , ATA should detect a admin logging on to a new server but need to test on a aged system

There is most likely a lot of eventlog hints of new domain controllers added need to examine for them also

image

Adding a new domain controller

image

We can see the new object as domain controller

image

Adding Domain Controllers Group to Sensitive Groups could h

image

So we could get a report like this if a DC was added could be a very good feature

image

Or list domain controllers not monitored by ATA

Detecting Domain Controllers being added

One method could be to use @LazyWinAdm 

https://github.com/lazywinadmin/Monitor-ADGroupMembership

Running

.\Monitor-ADGroupMembership.ps1 -group “Domain Controllers” -Emailfrom [email protected] -Emailto “[email protected]” -EmailServer 10.0.0.51 –Verbose

on a rapid schedule

image

image

First run find the now 2 domain controllers

image

And we will now get a email alart when a new domain controller is added or removed

Protecting your secrets, one more step to remember

Categories: Active Directory, AD, Backup, Disaster Recovery, Password, TSM
Comments Off on Protecting your secrets, one more step to remember

If you are using hosted backup with TSM there is one more step to cover when people leave the org

The protection for many hosted backups are

Protection against “rouge” TSM Administrator

Client Side Encryption

Protection against “rouge” Backup Administrator

Node ID

Node Password (separation of duties one for password one for encryption)

And the last one is the issue here as its often not rotated, default TSM is 90 days but looking at different hosted TSM password is often set to no expire

This is not a TSM problem but a problem with password rotation

In the perfect world, the NodeID password and the encryption is not known by the same person, but then nodeid / password / secret is in registry so an AD admin can access this

Scenario

TSM BA Client installed on demodc01.stackdemo.dk

clip_image002

Starting the TSM client , prompting for Node Password on first backup

clip_image004

Ready for Action

clip_image006

Starting the first backup , prompts for encryption key , and after a short while the backup is completed

clip_image008

On a rouge server, outside of the environment we install the TSM BA Client and reuse the nodeID and password from the disgruntled backup admin

clip_image010

Adding the nodeid and nodepassword

clip_image012

And we restore a dummy file to see that’s its working, and is prompted for the encryption key

dsmc q b “{DEMODC01\SystemState\NULL\System State\SystemState}\ntds.dit” -sub=y

clip_image014

If we can’t remember where ntds.dit is located we can search for it

rest “{DEMODC01\SystemState\NULL\System State\SystemState}\\DEMODC01\C$|\WINDOWS\ntds\*” C:\EVILDC\ -sub=y

clip_image016

And we can restore the files

clip_image018

And we now have something we can attack , if we boot up in a winPE enviroment we can follow the procedure for system state and have a working domain controller

clip_image019

If the attacker had access to the domain controller aka disgruntled former employee the password and encryption is available on the source node in registry , since TSM used both the password and the encryption to access TSM server and backup/restore data it needs to be stored somewhere that the service can access

It’s very hard to protect anything from a domain admin even with the assume breach state of mind

clip_image021

So, we can logon without getting prompted for credentials/encryption

So what can we do

First off , prevent people from being disgruntled

And since we can’t control human nature change the password on the nodes, either scheduled or when high privilege staff leaves or both, and again the default for a TSM node is that it will be changed

clip_image023

Single Node example, log on the TSM , change password

clip_image025

Something old Something New

clip_image026

And Success , and password change can be scripted so cycling the password shouldn’t be a big issue

clip_image028

And our EvilDC can’t access TSM anymore and everything is back to normal

Upgrading Microsoft Advanced Threat Analytics from 1.4 to version 1.5

Categories: AD, ATA, Microsoft Advanced Threat Analytics
Comments Off on Upgrading Microsoft Advanced Threat Analytics from 1.4 to version 1.5

Our experience upgrading Microsoft ATA to version 1.5

Following

https://msdn.microsoft.com/en-us/library/mt612814.aspx

Follow these steps to update to ATA version 1.5:

1.Download update 1.5

2.Update the ATA Center

3.Download the updated ATA Gateway package

4.Update the ATA Gateways

We did a prodcution upgrade of our ATA installation , and ratined data to avoid relearing everything

After the upgrade of the central ATA server we jumped into the ATA console

clip_image002

Health Center says System Healthy but a drill down to configuration shows that all gateways are outdated as step 4 wasn’t completed

clip_image003

So configuration shows all gateways needs a update

clip_image005

And since this is one of the first upgrades everything is handled manually

clip_image007

Update is 30 seconds in our environment

clip_image009

Gateways goes into not synced and after a few seconds its synced correctly and we can continue with the next gateways

clip_image010

And repeat times 4 , we had one gateway that needed a reboot

clip_image012

And we now have ATA running version 1.5 ready to detect once again

Overall very smooth installation and in our small environment we have less than an hour downtime for upgrading to a never and better install.

Personally I would love the system heath to report on the main screen that gateways needs update , if this is handled from separate teams in a large org it could be help full on the main screen

Dump AD user password hashes on-the-fly to a file of chosen format

Categories: Active Directory, AD
Comments Off on Dump AD user password hashes on-the-fly to a file of chosen format

So, you achieved Domain Admin permissions during a security assessment (penetration test) and you want to crack all of those nice password hashes from Active Directory, or you might have to perform a password audit, but you just hate exporting NTDS.DIT + SYSTEM and extracting the database afterwards…?

Instead you can now do live, in-memory on-the-fly Mimikatz-DCSync-style, synchronization of all those user password NT-hashes in PowerShell and write them to a pwddump format of your own choice, all ready for having lots of cracking fun!

Check out: https://github.com/ZilentJack/Get-ADHashDump

A few things to consider.

  1. Michael Grafnetter, who developed the DSInternals module, hasn’t released the source code yet. Therefore, you will have to trust his code (blindly) at the moment. However, Michael has told me that he will release the code later this year when he has had time to clean it up a bit. Thanks to Michael for his hard work and help.
  2. Be sure to have permissions to extract (and crack?) hashes from Active Directory :-)

BTW. Have you seen this related tool and post: Crack and detect weak passwords in Active Directory on-the-fly

/Jakob H. Heidelberg
@JakobHeidelberg

image

dcpromo went on holliday after Windows Server 2008 R2 so to promte a server to domain controller we need to use powershell or server manager , so with 12 years with dcpromo i exept to type that a few times more until i remember its gone away

 

 

image

Head to server manager and add role on local server

 

 

image

Select Active Directory Domain Services

 

image

In task details select Action Promote this server to a domain controller

 

image

As this is the start of a new forest we need to add the forest and specifi root doman name

 

image

 

One VERY handy new feature most places in Windows Server 2012 ish the view script command

 

#
# Windows PowerShell script for AD DS Deployment
#

Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath “C:\Windows\NTDS” `
-DomainMode “Win2012” `
-DomainName “internal.systemcenterdemo.dk” `
-DomainNetbiosName “INTERNAL” `
-ForestMode “Win2012” `
-InstallDns:$true `
-LogPath “C:\Windows\NTDS” `
-NoRebootOnCompletion:$false `
-SysvolPath “C:\Windows\SYSVOL” `
-Force:$true

And we get the syntax for creating a new forest from powershell instead of using 10ish mouse clicks

 

 

image

And we know have a functional forest Smiley