1 Designing a secure directory that meets the needs of the company .......... 6
3.1 Analyse the current needs for the password policy .......... 59
3.2 Reduce the number of different logins / passwords .......... 60
3.2.1 Limit the number of logins / passwords to remember .......... 60
3.2.2 Configure your applications to authenticate with Active Directory .......... 60
3.2.3 Use the Windows vault .......... 61
3.2.4 Use identity federation protocols .......... 61
3.3 Microsoft password management tools .......... 62
3.3.1 Password policies in the Default Domain Policy .......... 62
3.3.2 PSOs (fine-grained password policies) .......... 64
3.4 Third-party password management tools .......... 64
3.4.1 Reset one's password without contacting the IT team .......... 65
3.4.2 Ensuring the identity of the user .......... 65
3.4.3 Configure the complexity of passwords .......... 65
6.1 Deploy only supported Windows Server versions .......... 123
6.2 Host domain controllers in a secure location .......... 124
6.2.1 What are the risks if an attacker has physical access to a domain controller? .......... 124
7.1 Audit changes (new items) and trace access to the Active Directory directory with Windows auditing .......... 152
2. Strengthening the security of their IT infrastructure. The year 2013 was marked by Edward Snowden's revelations about NSA practices.
The year 2014 was marked by the hacking of Sony Pictures and the leak of confidential data.
These two topics directly affect the Active Directory domain infrastructure. Cloud projects require the implementation of an infrastructure
that allows users to authenticate with their Active Directory login / password to access services hosted online. Strengthening the security of
the IT infrastructure therefore goes through strengthening the security of Active Directory. It is necessary to remember that an Active Directory
domain administrator is by default the local administrator of all machines in the domain (servers and workstations).
Microsoft's Active Directory is organized around 4 types of objects: forests, domains, organizational units and trust relationships.
A forest is a set of domains that share the same configuration, the same schema and the same global catalog. In a forest, each domain trusts,
directly or indirectly, the other domains of the forest. These trust relationships cannot be deleted. The forest is the security boundary of Active Directory.
To ensure that the users of one entity do not have access to the directory of another entity, two separate forests must be created.
A domain is a partition of an Active Directory forest. The default administrative owner of a domain is the Domain Admins group of that domain. The
Enterprise Admins group, which has permissions on all objects in all domains of the forest, is located in the forest root domain. An administrator of
the forest root domain can therefore obtain all rights over all domains of the forest. This is usually why the root domain is not used in structures
featuring a forest with multiple domains.
An organizational unit (OU) is a container within a domain. An OU can contain user accounts, groups, computer accounts and other OUs
(among others). OUs therefore make it possible to organize the directory. It is possible to delegate the administration of the contents of an OU to a
specific group and / or user, and to apply Group Policies to the users and computers in that OU.
A trust relationship is a relationship of trust established between two Active Directory domains (or between an Active Directory domain and a
Windows NT4 domain, or between an Active Directory domain and a non-Windows Kerberos realm). When domain "A" trusts domain "B", the
administrators of domain "A" can set permissions on a machine of domain "A" for users / groups / computers of domain "B". Users of domain "B"
can thus access resources of domain A. Trust relationships make it possible, among other things, to extend the scope of the Authenticated Users
group to both domains. This group has by default the right to log on to a Windows workstation and many permissions on the file system. In forests
at the Windows 2003 native functional level, it is possible to create trust relationships with selective authentication. With this type of trust, the scope
of the Authenticated Users group is not extended. To allow a domain B user to access the server SRV2012B in domain "A", the domain "A"
administrator must grant the Allowed to authenticate right to the domain "B" user account on the SRV2012B computer account in domain "A".
When a trust relationship is established, a TDO object (Trusted Domain Object) is created in the System container of each of the two domains,
and a special user account is also created in the Users container.
The topology of your Active Directory (forest, domains, organizational units) must match the needs of your company. Before designing your
directory architecture you need to analyze how your business operates.
What are the technical constraints of your company?
Do you have applications that modify the Active Directory schema (such as Exchange, Lync or SCCM) or that store their configuration in Active
Directory (usually in the configuration partition)?
Do you host servers, applications and data for your customers? Do you publish applications on the Internet (extranet, email, business
applications)? Do you give providers or partners access to your information system? Could these providers / partners become potential
competitors? What is the risk of data theft?
Msreport - Guillaume MATHIEU - All rights reserved
Active Directory is an LDAP directory. It is mainly used to authenticate users, but it can also host information about user accounts such as the
telephone number, email address, employee number and type of account (supplier, employee, service account).
The more domains / forests you add to an Active Directory architecture, the more complex administration becomes. For this reason, the preferred
Active Directory architecture is a single forest with a single domain (mono-domain), with some exceptions / special cases.
Create a forest with a domain for each entity of the company if these two conditions are met:
• The management of the company wants to sell this entity shortly.
• Exchanges between the users of the entity and those of the other corporate entities are limited (management only).
Create a forest with a domain to host applications that modify the Active Directory schema. This applies especially to internally developed
applications that need to create specific attributes / object classes. It is indeed not possible to delete an attribute / object class added to the
Active Directory schema. It applies partially to applications such as Microsoft Exchange and Microsoft Lync: Microsoft tests the compatibility of
the schema extensions of its different applications. Note, however, two known issues:
• OCS 2007 R2 (former trade name of Lync) no longer works correctly after the Active Directory schema update required to deploy Windows
2008 R2 domain controllers. The solution is to reapply the schema extension for OCS 2007 R2 after the schema extension for Windows
2008 R2 domain controllers:
http://support.microsoft.com/kb/982020/en-us
• It is not possible to run the schema extension for OCS 2007 R2 after you have updated the schema for Lync 2010. This can cause
problems in a migration scenario from LCS 2005 to Lync 2010 (passing through OCS 2007 R2). This problem is very serious
because the only solution is to completely restore the forest (Forest Recovery). I invite you to read this article carefully: http://blogs.technet.com/b/askpfeplat/arc
In all cases, a schema update must be tested in a qualification environment that is a copy of the production environment. A complete walkthrough
for creating this type of environment is provided at the following address: http://msreport.free.fr/?p=154 .
If you are a hosting provider, I invite you to deploy a specific forest to authenticate the users of your company and a second forest (or one forest
per customer) to authenticate your customers. You can set up a trust relationship with selective authentication to allow your company's IT team to
administer the forests dedicated to your customers.
If the activity of one of your units or departments requires complete isolation, you must create a forest with a domain for this entity / department
and establish a trust relationship with selective authentication (if you need to share resources between entities).
Several solutions are possible if you provide access to your business applications to employees of another company that is a partner on one
file / project and a competitor on other issues / projects.
• Solution 1: create Active Directory user accounts for these users in your domain.
• Solution 4: create local accounts on the workstations and servers on which the partner has to work.
• Solution 5: use an identity federation solution (ADFS, Ping Identity or other). Your partner authenticates its users with the accounts of its
own directory to access your application. Your application must be compatible with identity federation protocols such as SAML.
All domain users are members of the Authenticated Users group and of the Domain Users group. User accounts for providers / competitors thus
have access to all domain machines. To restrict such access, apply the following procedure: create a group GG_EXTERNAL_USERS and add the
external user accounts to it. Configure the GPO setting Deny access to this computer from the network with the group GG_EXTERNAL_USERS
and apply this GPO to all domain machines except those to which external users are allowed to connect, that is, the Windows machines reserved
for internal users. This setting prevents external users from accessing internal resources.
This solution offers no security benefit. In addition, Active Directory environments with forests containing several domains are more complex to
manage (DNS configuration, increased number of required domain controllers). By default, Active Directory creates trust relationships
between the domains of the same forest that cannot be removed and on which selective authentication cannot be enabled. A user in domain A
will be a member of Authenticated Users in domain B and vice versa. We are left with the security limits of Scenario 1.
This is the scenario that offers the best level of security. The principle is:
1. Create a domain in a separate forest.
2. Create a two-way trust (or a one-way trust as needed) between the two forests (inter-forest trust relationship).
Some applications cannot authenticate accounts located in two separate forests. It is mandatory to enable selective authentication on the trust
relationship if we have the same constraints as in scenarios 1 and 2.
This solution may work if local users do not have administrator rights on the local workstations. Wherever possible, the machines (servers /
workstations) should then be in a workgroup. We will see in the following paragraphs that a local administrator holding the Debug programs privilege
can elevate privileges by performing a Pass the Hash (NTLM) or Pass the Ticket (Kerberos) attack.
In general, applications hosted in the Cloud offer two authentication methods:
• Authentication with the application's local directory: this mode allows users to access the services without any configuration on the company
side, but requires the user to memorize a new login / password. We will see that it is necessary to minimize the number of logins / passwords the
user must remember in order to enhance the security of Active Directory.
• Authentication against the company's Active Directory / LDAP directory: these applications usually allow this through their support for identity
federation protocols such as SAML (Security Assertion Markup Language).
• The service provider (SP): this is the application in the Cloud (Salesforce, Office 365 ...).
• The identity federation solution: it creates a relationship of trust between the IDP (Active Directory) and the SP (the Cloud application).
The goal is to allow users to access / authenticate to the Cloud application (Salesforce, Office 365) with their Active Directory user account
without giving the cloud application direct access to the directory. Ping Identity and Microsoft ADFS are identity federation solutions.
The advantage of this solution is that the hosted application does not have direct access to the directory. The application has access only to the
identity federation server.
This relationship of trust applies only to a specific application. Its scope is therefore more restricted than that of an Active Directory trust
relationship.
I invite you to read the documentation of the PingFederate solution to better understand how identity federation protocols work (example
implementation with Office 365):
http://documentation.pingidentity.com/display/PF66/PDF+Downloads
http://documentation.pingidentity.com/pages/viewpage.action?pageId=10518544
If you do not want to implement an identity federation solution, you must create a trust relationship with selective authentication between your
forest (containing your user accounts) and the forest that contains the resources used by the application hosted in the Cloud. This reduces the
security level of your directory. With selective authentication, a user account that has not been granted the Allowed to authenticate right on a
computer receives the following error message when connecting to it: " Logon Failure. The machine you are logging onto is protected by an authentication
It is not recommended to create a standard user account and to open LDAP / LDAPS access to it for the cloud application. With this account, the
provider of the cloud application would have read-only access to almost all directory data (including the configuration of the directory).
Active Directory is a standard LDAP directory that can be used to host data about your users (contact details, HR information) such as the phone
number, email address, employee number, type of account (supplier, employee, service account), department, entity or job function.
Applications that rely on Active Directory, such as Exchange, Lync and SharePoint, will have access to this data. A user can thus find, via the
email client (Outlook, OWA ...), the contact information (phone, address ...) of another user. Hosting HR business data in Active Directory,
however, raises the following questions:
1.4.1 SYNCHRONIZE THE DIRECTORY WITH OTHER DATA SOURCES (HR DATABASES ...)
Sample implementation with Office 365: http://technet.microsoft.com/fr-fr/library/jj205456.aspx
Synchronization solutions between different data sources (SQL Server, LDAP) such as Forefront
Identity Manager (FIM / MIM 2016) or Talend Open Studio for Data
Integration exist, but their implementation cost is significant (licensing, services). A simpler alternative is to generate an export of the HR
database to CSV and to use a PowerShell script to update the attributes of the user accounts. The PowerShell import script can be run every day or
every hour.
The PowerShell script below allows, for example, to create user accounts in Active Directory from a CSV file. The CSV file must be
semicolon-separated and contain the columns "first name", "name", "tel" and "login", filled in for each user to create.
Import-Module ActiveDirectory
# Semicolon-separated export (-UseCulture reads the list separator of the current culture)
$Base = Import-CSV -Path C:\adm\base.csv -UseCulture
foreach ($line in $Base) {
    New-ADUser -Name $line.login -SamAccountName $line.login -GivenName $line.'first name' -Surname $line.name -OfficePhone $line.tel
}
There is also an open source identity federation solution called Shibboleth (https://shibboleth.net/about).
Take the example of a company that wants to migrate to the Office 365 Enterprise E3 plan. This solution is in fact based on the following 6 products,
all of which rely on a directory called Azure Active Directory (a mix between a standard Active Directory and an Active Directory Lightweight
Directory Services directory):
• Exchange Online: users have a 50 GB mailbox with all the collaboration features of Exchange Server 2013. With the Office 365 Plan E3
license, users have unlimited email archiving. Users can encrypt / sign their mail with S/MIME or rely on the Azure Active Directory Rights
Management solution for secure email exchanges.
• Lync Online: users have the presence, instant messaging, audio conferencing and video conferencing features of Lync Server 2013.
• SharePoint Online: users have 1 TB of online storage that they can synchronize to their workstation with the OneDrive for Business client
(formerly SharePoint Workspace and SkyDrive Pro).
Users can also have all types of SharePoint 2013 sites (collaborative intranet, team sites). Office 365 secures all SharePoint data with
Azure Active Directory Rights Management (based on Rights Management Services).
• Azure Active Directory Rights Management: Office 365 Plan E3 incorporates the functionality of Active Directory Rights Management
Services. This solution allows you to encrypt / sign your documents, prevent documents from leaving your business, and block features
such as copy / paste, printing or editing of your documents. For more information, see the following article: http://technet.microsoft.com/fr-fr/library/jj585026.aspx
• Yammer Enterprise: Microsoft recently purchased this enterprise social network solution. You can see Yammer as a kind of Facebook
for business (creating events, link sharing, polls, creating groups, file sharing, conversations, articles). For more information, see http://www.zdnet.com/yammer .
• Office 365 ProPlus: this is a special version of Office 2013 Professional. This version requires an Office 365 account to activate (periodic
activation every 30 days) and has a new streaming deployment system called Click-to-Run. For more information, see http://technet.microsoft.com/e
• Applications for mobile devices / tablets: Microsoft makes all the tools of the Office 365 suite (Outlook Web Access, Lync,
Word, Excel ...) available on mobile devices and tablets. Users can download Office 365 ProPlus from Office 365 on their iPad / iPhone.
• Define which resources (user accounts / groups) are synchronized to Azure Active Directory.
• Prevent confidential information (confidential attributes) from replicating to the Azure Active Directory directory.
• Let the user connect to Office 365 with his Active Directory login / password.
• Be able to view all the resources of your directory in the Office 365 management interfaces (Office 365 portal or Office 365 PowerShell modules).
Example: a user called melanie.mathieu was created in Active Directory. You now want to assign an Office 365 Enterprise Plan E3 license to
this user so that she can connect to the Office 365 services.
These actions are possible with synchronization tools such as Azure Active Directory Sync
(AD-SYNC, http://www.microsoft.com/en-us/download/details.aspx?id=44225 ). This tool is actually based on the Forefront Identity
Manager 2010 engine. It allows you:
• To define which user objects are synchronized, based on the value of one or more attributes.
• Optionally, to replicate the user password to the Azure Active Directory directory. This solution partly avoids the use of an identity
federation protocol, but it copies a hash derived from the user's password hash into the Azure Active Directory directory. This could pose security
problems, even though Microsoft is committed to the fact that no mathematical function can retrieve the Active Directory user account
password hash from the copied version of the password hash stored in Azure Active Directory.
Out of the box, Active Directory has many attributes to host user data. I invite you to read the article http://msdn.microsoft.com/en-us/library/ms683980(v=vs.85).aspx
detailing the attributes available in the base Active Directory schema (after deployment of the first domain controller). If you need more attributes,
you can prepare the Active Directory schema for Exchange 2013 (this does not require purchasing Exchange 2013 licenses). This schema
extension will let you use the following attributes to host your data on user account objects:
• extensionAttribute1
• extensionAttribute2
• ...
• extensionAttribute15
• msExchExtensionCustomAttribute1
• ...
• msExchExtensionCustomAttribute5
The extensionAttribute attributes are of type string. The lDAPDisplayName of these attributes begins with extensionAttribute
(example: extensionAttribute1) but their adminDisplayName
C:\_adm\sources\Exchange2013 on the domain controller holding the Active Directory schema master role.
4. Disable inbound / outbound replication on this domain controller with the following commands (in the example below, SRV2012R2 is the
name of the domain controller holding the schema master role):
6. Once the schema update is complete, validate that the domain controller functions properly. Re-enable inbound / outbound replication
on the domain controller holding the schema master role by entering the following commands:
Administration consoles such as Active Directory Users and Computers do not display the values of all the available attributes. It is not possible
to change this behavior. Since Windows 2008 R2, you have an Attribute Editor tab in the Active Directory Administrative Center console and in the
Active Directory Users and Computers console (with the Advanced Features view enabled).
You also have a PowerShell module with Windows 2008 R2 domain controllers to manage the contents of your Active Directory. If your domain
controllers are older than Windows 2008 R2, I invite you to use the Dell ActiveRoles Management Shell 1.6 PowerShell module (free), downloadable
at the following address: http://software.dell.com/frfr/trials/#a . It will be necessary to deploy .Net Framework 3.5 on the
administration machine.
You can also use HTA files. These files allow you to have an HTML interface paired with VBScript code. The website http://bbil.developpez.com/tutoriel/vbs/int
provides the basics for developing your own HTA scripts.
This procedure should be tested and validated on a model environment (a copy of the production environment) before applying it to production.
Example of an administration interface for Active Directory administrators:
http://community.spiceworks.com/scripts/show/573-aduc-update-utility
These tools thus make it possible, if necessary, to delegate the administration of directory data to non-IT staff. We will see later in this document
how to delegate administrative rights to those users.
By default, the Authenticated Users group has read-only access to all the non-system attributes of a user account. How can you allow only certain
users / groups to read the value of an attribute containing confidential data?
Microsoft defines an attribute as confidential by adding the decimal value 128 to the searchFlags attribute of the attribute object in the Active
Directory schema partition. Note that in the Active Directory schema partition, Active Directory attributes (such as the givenName attribute, which
is the first name field) are objects that themselves have attributes. I invite you to read this Microsoft Knowledge Base article describing this
feature: http://support.microsoft.com/kb/922836/en-us
This action cannot be performed on base schema attributes (those whose systemFlags attribute is set to 0x10).
http://windowsitpro.com/active-directory/using-confidentiality-bit-hide-data-active-directory
In the example below, we set the attributes extensionAttribute1 and employeeNumber as confidential attributes.
Launch the Active Directory Schema console and set the employeeNumber attribute to be indexed (this optimizes searches that rely on this attribute).
You can see that the searchFlags attribute is updated while retaining the customization (it goes from 0x80 to 0x81).
To launch the Active Directory Schema console, enter the command regsvr32 schmmgmt.dll, create a blank MMC and add the Active Directory
Schema snap-in.
The attribute extensionAttribute1 is displayed under its adminDisplayName. You will therefore find ms-Exch-Extension-Attribute-1 in the ADSIEDIT.MSC
console. The systemFlags attribute of ms-Exch-Extension-Attribute-1 (extensionAttribute1) has no value: this is not a base schema attribute. Its
searchFlags attribute, on the other hand, has the value 17 (decimal): the attribute is indexed and is copied when a Helpdesk operator uses the Copy
an account function.
Check that the systemFlags attribute is set to 0x0 and add the value 128 to the searchFlags attribute: to make the attribute confidential for users,
you must add the value 128 (decimal) to the existing value 17 (decimal), which gives 145 (decimal).
If the value 1234 is given to the employeeNumber attribute of the melanie.mathieu account, a standard user does not see this value, while a domain
administrator does.
Now that the attribute extensionAttribute1 is configured as a confidential attribute, we want the user account tigrou.mathieu (a standard user) and
the domain administrators to be able to read it. Other accounts must not be able to read the value of this attribute. You must use the LDP.EXE tool
and connect to the directory.
Note:
The attributes that store the Active Directory password are protected by yet another mechanism.
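As an added example (not code from the original document), the following PowerShell functions automate what the schema console does above: they inventory the attributes that already carry the confidentiality bit, refuse base-schema attributes (systemFlags 0x10), and OR the value 128 into searchFlags so that existing flags survive (17 becomes 145). It assumes the ActiveDirectory module and membership of Schema Admins; the attribute names are the page's own examples.

```powershell
# Added example, not from the original document: audit and set the confidentiality bit
# (decimal 128 / 0x80) in searchFlags of an attributeSchema object. Assumes the ActiveDirectory
# module and Schema Admins membership; schema writes are sent to the schema master FSMO holder.
Import-Module ActiveDirectory

$SchemaNC        = (Get-ADRootDSE).schemaNamingContext
$SchemaMaster    = (Get-ADForest).SchemaMaster
$SF_CONFIDENTIAL = 128    # searchFlags bit: only principals granted CONTROL_ACCESS (or admins) read the value
$SYS_BASE_SCHEMA = 0x10   # systemFlags bit: base schema attribute, the confidentiality bit cannot be set on it

function Get-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # In the schema partition every attribute is itself an object with its own attributes.
    Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, adminDisplayName, searchFlags, systemFlags
}

function Get-ConfidentialAttributes {
    # Inventory of every attribute that already carries the bit (LDAP bitwise-AND matching rule).
    Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))" `
        -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags
}

function Set-ConfidentialAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-SchemaAttribute -LdapDisplayName $LdapDisplayName
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema." }

    # systemFlags is absent (null) on non-base attributes such as ms-Exch-Extension-Attribute-1.
    $systemFlags = if ($null -ne $attr.systemFlags) { [int]$attr.systemFlags } else { 0 }
    if ($systemFlags -band $SYS_BASE_SCHEMA) {
        throw "'$LdapDisplayName' ($($attr.adminDisplayName)) is a base schema attribute (systemFlags 0x10); the confidentiality bit cannot be set."
    }

    $old = [int]$attr.searchFlags
    if ($old -band $SF_CONFIDENTIAL) {
        Write-Host "$LdapDisplayName is already confidential (searchFlags = $old)."
        return $old
    }
    # OR the bit in rather than overwrite, so index (1) and copy-on-duplicate (16) survive: 17 -> 145.
    $new = $old -bor $SF_CONFIDENTIAL
    Set-ADObject -Server $SchemaMaster -Identity $attr.DistinguishedName -Replace @{ searchFlags = $new }
    Write-Host "$LdapDisplayName searchFlags: $old -> $new"
    return $new
}

# Usage, reproducing the page's example:
# Set-ConfidentialAttribute -LdapDisplayName 'extensionAttribute1'   # 17 -> 145
# Set-ConfidentialAttribute -LdapDisplayName 'employeeNumber'        # 1 -> 129 (0x81) if already indexed
# Get-ConfidentialAttributes | Format-Table -AutoSize
```

Run Get-ConfidentialAttributes again afterwards and from a standard user session confirm that the attribute value is no longer returned by an LDAP query.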
The DNS protocol (Domain Name System) was created to resolve fully qualified domain names (FQDN) to IP addresses (and also IP addresses to
FQDNs, and FQDNs to other FQDNs). It is indeed easier to remember a name than an IP address.
Active Directory publishes the configuration of the directory as DNS entries. Workstations can thus locate domain controllers by performing DNS
queries.
srv2012b.msreport.be. The DNS server has a feature called Round Robin (in the DNS server properties) that allows it to select a DNS
entry randomly when several entries exist.
Once the machine srv2012c has found a domain controller, it looks for the Active Directory site it is attached to. To do this, it computes its
subnet address and sends that information to the domain controller. The domain controller determines the Active Directory site the
workstation belongs to using the Active Directory site configuration (Maillot in this example) and returns the Active Directory site name to the machine.
Srv2012c then resolves the DNS entry _ldap._tcp.Maillot.msreport.be (using the DNS round robin feature), because the Maillot site is the one
attached to the IP subnet 192.168.1.0/24. SRV2012C stores the name of the Active Directory site in the DynamicSiteName registry entry under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
These DNS entries are dynamically updated by the domain controllers using the DNS dynamic update feature. The NETLOGON service on each
domain controller records its DNS entries in the file c:\windows\system32\config\netlogon.dns.
Each domain controller also registers its hostname in the DNS zone corresponding to its primary DNS suffix (by default the domain name)
every 5 minutes. It is possible to force the registration manually by typing ipconfig /registerdns.
In practice, all Windows machines try to create / update a DNS entry matching the machine name followed by the primary DNS suffix.
The primary DNS suffix of the machine defaults to the DNS name of the Active Directory domain.
Do not uncheck Change primary DNS suffix when domain membership changes. This would generate very big problems. Indeed,
when you type ping srv2012c, the system actually pings srv2012c.msreport.be (it appends the primary DNS suffix).
For information, Microsoft blocks dynamic DNS registration when the DNS suffix is the root zone or a top-level domain (e.g. fr.). This prevents
workgroup workstations from trying to perform dynamic DNS updates in this type of DNS zone.
A client had problems with the values of type A DNS entries (FQDN resolved to an IP). Printers and workstations at the client used DHCP.
Each floor of the customer's premises had a VLAN (dedicated IP range). The problem occurred in the following cases:
• Case 1: the Active Directory computer account of a Windows workstation was deleted and recreated.
• Case 2: a printer / non-Windows machine was moved between VLANs (same DHCP server).
• Case 3: a printer / non-Windows machine was moved between two sites (different DHCP servers).
• Case 4: someone had manually created the DNS entry of a workstation / printer.
• Case 5: the DHCP server had recently been changed (migration from Windows 2003 to Windows 2012 R2).
The DNS zone msreport.be was Active Directory-integrated and configured to allow secure dynamic DNS updates only (Secure Only).
DNS entries are then dnsNode objects, and these objects carry permissions. To be able to update the IP address of a type A DNS entry (Host type,
name resolved to an IP), you must have the Write permission on the DNS entry (the dnsNode object).
For machines that obtain an IP address via DHCP, it depends on the DHCP server configuration. Depending on the case, it is the DHCP server
computer account, the DHCP client computer account or a specific user account (configured on the DHCP server) that has the right to change
the DNS entry.
1. If you select Dynamically update DNS records only if requested by the DHCP clients, Windows DHCP clients create the DNS entry themselves.
It is therefore the computer account of the Windows machine that has the right to change the DNS entry. For other machines (which cannot
perform secure DNS dynamic updates), it is the DHCP server computer account or a specific user account. In our example, the DHCP
server was configured to perform DNS dynamic updates using an account called Dhcp_update. This configuration is done in the DNS tab of the
IPv4 and IPv6 properties of the DHCP server.
2. If you select Always dynamically update DNS records, it is the computer account of the DHCP server or a specific user account that has the right
to change the DNS entries.
Using a user account for the dynamic DNS updates made by the DHCP server is configured in the Advanced tab of the DHCP server properties:
click on Credentials. See the Microsoft article http://support.microsoft.com/kb/282001/en-us
Never delete workstation computer accounts (reset them if needed). Configure the DHCP server to perform dynamic DNS updates using a service
account. See the Microsoft article: http://support.microsoft.com/kb/282001/en-us . On the DNS server, at the level of the DNS zone msreport.be, give
the special account (DHCP_Update) the right to Read and Modify all DNS entries. Click on the Advanced tab: it is indeed necessary to set the
permission so that it applies to This object and all descendant objects.
_ldap._tcp.msreport.be. When the DHCP Client service was stopped, running ipconfig /registerdns produced the message Error: The system
cannot find the file specified. The DNS Client service only manages the DNS cache functionality. For more information:
http://support.microsoft.com/kb/264539/en-us
http://support.microsoft.com/kb/306602/en-us
http://support.microsoft.com/kb/318803/en-us
An attacker can disrupt the operation of the directory (replication) by altering the DNS entries that allow workstations to locate their domain
controller and the enterprise servers, and that enable each domain controller to replicate with the other domain controllers.
If the attacker is able to change the DNS entry www.msreport.be in the DNS zone, he will eventually recover the user's login / password. The only
limitation of this attack is that the certificate will not be valid: the user will see a warning message in Internet Explorer.
More sophisticated attacks allow an attacker to poison the DNS cache of a DNS server or of a DNS client. Indeed, when a machine performs a name
resolution, it puts the result in its cache. The cache can be displayed with the command ipconfig /displaydns and purged with
To clear the cache of a DNS server, open the DNS console, go to the DNS server properties and select Clear Cache.
If an attacker manages to insert a DNS entry in the DNS server's cache, it can redirect a user on a machine it manages.
You should deploy the DNS service on all Active Directory domain controllers because as seen previously Active Directory relies on DNS to
allow customers to detect a domain controller. To secure a DNS server, the following actions must be performed:
• Integrate all DNS zones in Active Directory and configure DNS dynamic update on the parameter Secure Only.
• Do not allow zone transfers to any server and configure zone transfer with the IPSEC protocol.
1.5.4.1 Integrate DNS zones in Active Directory and enable secure dynamic update DNS
All DNS zones must be integrated into Active Directory. DNS zones will then be an object DnsZone and DNS entries become objects dnsNode that
replicate to all domain controllers. If you have multiple domains in the Active Directory forest, it is advisable to store DNS zones in ForestDnsZones
(Choose how you want data to be replicated area: To all DNS servers running on domain controllers in this Forest: msreport.be)
Msreport - Guillaume MATHIEU - All rights reserved cache. The cache can be displayed with the command ipconfig / displaydns and purge with
the forest that have the DNS service. In this configuration, all DNS servers will have access in read / write on the DNS zones.
It is recommended to only allow the secure dynamic update or disable the DNS dynamic update. This configuration can set permissions on the
zone and the DNS entries and ensures that an attacker can not modify DNS entries.
Msreport - Guillaume MATHIEU - All rights reserved zones hosted in the directory partition ForestDnsZones replicate to all domain controllers in
1.5.4.2 Securing the transfer of DNS zones
Zone transfer is the native DNS mechanism that allows the DNS server(s) hosting a read-only copy of a zone (secondary zone) to replicate from the server hosting the read / write copy (primary zone). It is recommended to protect this replication traffic between servers with IPsec (configured in Windows Firewall with Advanced Security, locally or via Group Policy). Zone transfers should also only be permitted to specific servers (those that host a secondary zone), never to any server: an open zone transfer hands an attacker the complete list of your machines and services. If you want to avoid DNS zones expiring on the secondary servers (this often causes production problems), be sure to configure notification: when a change is made in the zone, the DNS server that holds the read / write copy notifies the DNS servers holding the read-only copy of the change.
Note that when all DNS servers are domain controllers hosting Active Directory-integrated zones, the zones replicate through Active Directory and no zone transfer needs to be allowed at all.
The procedure for enabling IPsec between two DNS servers is explained in detail in this article:
http://technet.microsoft.com/fr-fr/library/ee649192(v=ws.10).aspx
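To check and enforce the two recommendations of 1.5.4.1 and 1.5.4.2 on a Windows DNS server, here is an added example (it is not code from the original guide). It assumes the DnsServer PowerShell module (DNS role or RSAT) on a domain controller; the zone name msreport.be comes from the guide, and the secondary server list is left empty because Active Directory-integrated zones do not need transfers.

```powershell
# Added example, not from the original guide. Assumes the DnsServer module; zone msreport.be from the guide.
Import-Module DnsServer

function Test-DnsZoneHardening {
    param([string]$ZoneName)
    $zone = Get-DnsServerZone -Name $ZoneName
    $findings = @()
    if (-not $zone.IsDsIntegrated) { $findings += 'zone is file-based, not Active Directory-integrated' }
    if ($zone.DynamicUpdate -ne 'Secure') { $findings += "dynamic update is '$($zone.DynamicUpdate)' instead of 'Secure'" }
    if ($zone.SecureSecondaries -eq 'TransferAnyServer') { $findings += 'zone transfer is allowed to any server' }
    if ($zone.SecureSecondaries -eq 'TransferToSecureServers' -and -not $zone.SecondaryServers) {
        $findings += 'transfer restricted to an empty server list'
    }
    if ($zone.Notify -eq 'NoNotify' -and $zone.SecureSecondaries -ne 'NoTransfer') {
        $findings += 'notification disabled: secondary zones may expire'
    }
    [pscustomobject]@{ Zone = $ZoneName; Compliant = ($findings.Count -eq 0); Findings = ($findings -join '; ') }
}

function Set-DnsZoneHardening {
    param([string]$ZoneName, [string[]]$SecondaryServers = @())
    $zone = Get-DnsServerZone -Name $ZoneName
    # Move a file-based primary zone into the ForestDnsZones partition
    if (-not $zone.IsDsIntegrated) {
        ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Forest -Force
    }
    # Only the principal that registered a record (or an account with explicit permissions) may update it
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
    if ($SecondaryServers.Count -gt 0) {
        # Transfers only to the listed secondaries, which are also notified of every change
        Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries TransferToSecureServers `
            -SecondaryServers $SecondaryServers -Notify NotifyServers -NotifyServers $SecondaryServers
    } else {
        # AD-integrated zones on domain controllers replicate through the directory: no transfer at all
        Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries NoTransfer -Notify NoNotify
    }
}

# Audit every forward primary zone hosted on this server
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
    ForEach-Object { Test-DnsZoneHardening -ZoneName $_.ZoneName }

# Remediate and re-check the zone of the guide
Set-DnsZoneHardening -ZoneName 'msreport.be'
Test-DnsZoneHardening -ZoneName 'msreport.be'
```

Run the audit part first on every DNS server: a zone that is still file-based on one server, or that has TransferAnyServer set, shows up as non-compliant with the reason in the Findings column.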
The classic cache poisoning attack works as follows. The attacker sends the DNS server requests for the IP address of www.microsoft.com and, at the same time, sends the DNS server forged answers giving an incorrect IP address for www.microsoft.com (192.168.0.1 in this example). The DNS server, which does not have the answer in its cache, sends a DNS query to its forwarder to obtain the IP address of www.microsoft.com. The DNS server then receives several answers (the legitimate one and the forged ones), selects one and adds it to its cache. With a bit of luck, it selects the wrong one. When another user asks to resolve the FQDN www.microsoft.com, the DNS server checks its cache and returns the wrong information to that client, for as long as the TTL of the poisoned entry lasts.
Tools like ARPWNER or ettercap allow polluting the cache of a DNS server or of a DNS client (ettercap's dns_spoof plugin, combined with ARP poisoning, forges the answers on the local network):
http://www.darknet.org.uk/2013/02/arpwner-arp-dns-poisoning-attack-tool/
http://www.thegeekstuff.com/2012/05/ettercap-tutorial/
Several mechanisms limit the risk of cache pollution:
1. The DNS response received by the server must carry the same 16-bit transaction identifier as the DNS query generated by the DNS server. This protection is native to the DNS protocol, but 16 bits are small enough to be brute-forced, which is why the additional protections below matter.
2. The option Secure cache against pollution, configured (and enabled by default) in the DNS server properties, also limits the risk of cache pollution: the server does not cache the resource records of a response that do not belong to the domain tree for which the query was sent. I invite you to read the article http://support.microsoft.com/kb/316786 for more information on this option.
3. Windows Server 2008 R2 DNS servers (and later) can block changes to a cached DNS entry for a period of time corresponding to a percentage of the lifetime of the entry (Time To Live, or TTL). This setting is called cache locking. In the example below, the lifetime of the DNS entry CXCIRSEVEN-PC.msreport.be is 20 minutes. A setup procedure is available at this address: http://technet.microsoft.co
The main defect of DNS is that it authenticates neither the DNS server nor the answers it returns. DNS therefore remains vulnerable to attacks such as cache pollution even when the mechanisms of the previous sections are implemented. A DNS protocol extension called DNSSEC has been implemented and allows truly securing DNS: the zone data is signed and a validating resolver can verify the signatures. It is available in the DNS service of Windows Server 2008 R2 (and later); Windows Server 2012 added online signing and key management in the DNS console.
DNSSEC is activated per DNS server and per DNS zone. Signed DNS zones appear with a padlock in the DNS console. Microsoft offers a guide to implement DNSSEC:
http://technet.microsoft.com/fr-fr/library/hh831411.aspx
For more information on DNSSEC:
http://technet.microsoft.com/fr-fr/library/ee649205%28v=ws.10%29.aspx
http://blogs.msmvps.com/vista/2012/11/22/windows-server-2012-signer-vos-zones-avec-dnssec/
http://www.labo-microsoft.org/articles/DNSSECPRES/2/Default.asp#_Toc277269110
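The cache protections and the DNSSEC status of the zones can be checked and set from PowerShell on Windows Server 2012 and later. The following is an added example, not code from the original guide; it assumes the DnsServer module on the DNS server, and the zone name msreport.be comes from the guide.

```powershell
# Added example, not from the original guide. Assumes the DnsServer module; zone msreport.be from the guide.
Import-Module DnsServer

function Get-DnsCacheProtectionState {
    $cache = Get-DnsServerCache
    [pscustomobject]@{
        # "Secure cache against pollution" in the server properties
        PollutionProtection = $cache.PollutionProtection
        # Cache locking: percentage of the TTL during which a cached record cannot be overwritten (100 = never)
        LockingPercent      = $cache.LockingPercent
    }
}

function Set-DnsCacheProtection {
    # Recommended values: pollution protection on, cache locking at 100 %
    Set-DnsServerCache -PollutionProtection $true -LockingPercent 100
    Get-DnsCacheProtectionState
}

function Get-DnsSecZoneReport {
    # IsSigned is the padlock shown in the DNS console
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        Select-Object ZoneName, IsDsIntegrated, IsSigned
}

Get-DnsCacheProtectionState
Set-DnsCacheProtection
Get-DnsSecZoneReport

# Sign a zone with the default key settings. Clients only validate answers once a trust anchor
# and a Name Resolution Policy Table rule are deployed to them, which this call does not do.
Invoke-DnsServerZoneSign -ZoneName 'msreport.be' -SignWithDefault -Force
Get-DnsServerDnsSecZoneSetting -ZoneName 'msreport.be' | Select-Object ZoneName, DenialOfExistence
```

Signing the zone is the server-side half only: without the trust anchor and NRPT deployment described in the Microsoft guide linked above, Windows clients accept unsigned answers as before.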
Our goal is to migrate the SID of the user TPO\melanie.mathieu into the sIDHistory attribute of the user msreport\tigrou.mathieu. Tigrou MATHIEU will then have all the access of Melanie MATHIEU (privilege escalation). The sIDHistory attribute is protected by the operating system: even a member of Domain Admins has no right to add a SID to it directly with the usual LDAP tools (see error message below); adding a SID requires the DsAddSidHistory API (used by ADMT or SIDCloner) with a trust and auditing in place. Removing values, by contrast, is possible with standard LDAP tools (see the AdMod command later in this chapter). The sIDH istory attribute is multi-valued and can hold several SIDs.
Configure the DNS service of the tpo.net domain controllers to resolve DNS entries of msreport.be
Create a first stub zone for the zone msreport.be. Store this zone in the ForestDnsZones partition (it replicates to all domain controllers in the TPO.NET forest). Create a second stub zone for the zone _msdcs.msreport.be (same configuration as for the zone msreport.be). A step-by-step procedure is available at this address: http://support.microsoft.com/kb/308201 . Check that all DNS servers in the domain TPO.NET (the domain controllers) can now resolve DNS entries in the DNS zones msreport.be and _msdcs.msreport.be. You can do this using the NSLOOKUP tool.
Configure the DNS service of the msreport.be domain controllers to resolve DNS entries of tpo.net
The principle is the same as in the previous step. You must create two stub zones, tpo.net and _msdcs.tpo.net, stored in the directory at the ForestDnsZones partition level.
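The stub zones of the second step and the NSLOOKUP check, done from PowerShell on a msreport.be domain controller, as an added example that is not part of the original guide. It assumes the DnsServer module; the address 10.10.0.1 used as master server for the tpo.net zones is an assumed value.

```powershell
# Added example, not from the original guide. Assumes the DnsServer module; 10.10.0.1 is an assumed tpo.net DNS server.
Import-Module DnsServer

$remoteForest  = 'tpo.net'
$remoteMasters = @('10.10.0.1')

foreach ($zone in @($remoteForest, "_msdcs.$remoteForest")) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        # ReplicationScope Forest stores the stub zone in ForestDnsZones, as recommended above
        Add-DnsServerStubZone -Name $zone -MasterServers $remoteMasters -ReplicationScope Forest
    }
}

function Test-ForestDcLocator {
    param([string]$ForestName)
    # The SRV records a client queries to find a domain controller / global catalog of the remote forest
    $queries = @(
        "_ldap._tcp.dc._msdcs.$ForestName",
        "_kerberos._tcp.dc._msdcs.$ForestName",
        "_ldap._tcp.gc._msdcs.$ForestName"
    )
    foreach ($q in $queries) {
        try {
            $answers = Resolve-DnsName -Name $q -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' }
            [pscustomobject]@{
                Query    = $q
                Resolved = (@($answers).Count -gt 0)
                Targets  = (@($answers) | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ','
            }
        } catch {
            [pscustomobject]@{ Query = $q; Resolved = $false; Targets = $_.Exception.Message }
        }
    }
}

Test-ForestDcLocator -ForestName $remoteForest
```

Every query must come back Resolved = True before the trust is created: the trust wizard itself relies on these SRV records to find a domain controller of the other forest.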
In this example, we create a forest trust relationship without selective authentication. Log on to the PDC Emulator of the domain msreport.be and launch the console Active Directory Domains and Trusts.
Right-click the domain name (msreport.be in this example) and click New Trust.
Enter the name of the domain to trust (tpo.net) and choose Forest trust.
Then select Two-way so that the trust relationship is created in both directions.
The users of the forest tpo.net will therefore be members of the group Authenticated Users in the forest msreport.be, and vice versa.
It is now necessary to disable SID filtering and enable SID history on the trust relationship. Microsoft developed SID filtering (enabled by default) precisely to fight privilege elevation through SID History, which is what we are doing here. When SID filtering is enabled, the SIDs contained in the sIDHistory attribute of users from the trusted forest are ignored when they authenticate across the trust. Disabling SID filtering therefore significantly lowers the security level of your Active Directory: an administrator of the trusted forest can inject any SID of your forest, including that of Domain Admins, into a sIDHistory attribute. This option is, however, necessary during the merger of two Active Directory domains with tools like Microsoft ADMT or Dell Migration Manager for Active Directory; re-enable it as soon as the migration is finished.
Example: you want to migrate the resources of the domain tpo.net (user accounts, computer accounts, groups, workstations and domain member servers) into the domain msreport.be.
Type the following commands on the PDC Emulator domain controller of the domain msreport.be. Note that if your domain controllers are installed in French, there is a translation error in the documented command; you must type the commands as follows:
netdom trust msreport.be /domain:tpo.net /quarantine:No /userO:administrator /passwordO:XXXXX
netdom trust msreport.be /domain:tpo.net /enablesidhistory:Yes /userO:administrator /passwordO:XXXXX
(/quarantine controls SID filtering on external trusts; on a forest trust it is the /enablesidhistory switch that matters.)
Since the domain controllers of the domains tpo.net and msreport.be run Windows 2008 R2 and Windows 2012 R2, it is not necessary to create the registry entry TcpipClientSupport mentioned in the ADMT documentation:
"If you are migrating from a domain with domain controllers that run Windows Server 2003 or later to another domain with domain controllers that run Windows Server 2003 or later, the TcpipClientSupport registry entry does not have to be modified."
The domain local group TPO$$$ is created in the Users container of the domain tpo.net (it must exist, with no members, in the source domain for SID history migration to work). Configure the Default Domain Controllers Policy of the domains msreport.be and tpo.net with the auditing settings required by the ADMT documentation (success and failure auditing of account management). The operation requires that auditing be enabled in the destination domain; ADMT detects the problem and offers to fix it when migrating a user.
Create the service account service-admt in the source domain (tpo.net). This user must be a member of the group Domain Admins in the source domain and must be configured so that the password never expires. In the target domain (msreport.be), add the user tpo\service-admt to the group msreport\Administrators.
Download and install Visual C++ Redistributable for Visual Studio 2012 Update 4:
https://www.microsoft.com/en-us/download/details.aspx?id=30679
Create the folder C:\_adm.
Copy the file SIDCloner.dll (from SIDCloner_binaries.zip, available on the website below) into the folder C:\_adm. Take the x64 release.
https://code.msdn.microsoft.com/windowsdesktop/SIDCloner-add-sIDHistory-831ae24b
Create the file c:\_adm\identities.csv and edit it with Notepad. This file must be comma-separated and have the following format (a header line with the three column names used by the script, then one line per account to clone):
sourceSAMAccountName,sourceDomain,targetSAMAccountName
melanie.mathieu,tpo.net,tigrou.mathieu
Then create the script (for example c:\_adm\CloneSidHistory.ps1) with the following content. It loads SIDCloner.dll and, for each line of the CSV file, copies the SID of the source account into the sIDHistory attribute of the target account; accounts that fail are written to c:\_adm\CloneFailed.csv.
param(
    [Parameter(Mandatory = $false)][string]$inFile
)
$ErrorActionPreference = 'Continue'
# constants
$targetDomain = "msreport.be"
[System.Reflection.Assembly]::LoadFile("c:\_adm\SIDCloner.dll") | Out-Null
# process parameters: default input file
if ([String]::IsNullOrEmpty($inFile)) { $inFile = "c:\_adm\identities.csv" }
# clear the log file of failed clones
if ([System.IO.File]::Exists("c:\_adm\CloneFailed.csv")) { Remove-Item -Path "c:\_adm\CloneFailed.csv" }
# one CSV line per account: sourceSAMAccountName,sourceDomain,targetSAMAccountName
foreach ($record in (Import-Csv -Path $inFile)) {
    try {
        # CloneSid calls DsAddSidHistory: it needs the trust, SID history enabled and the auditing configured above
        [wintools.sidcloner]::CloneSid(
            $record.sourceSAMAccountName,
            $record.sourceDomain,
            $record.targetSAMAccountName,
            $targetDomain
        )
        Write-Host "Account $($record.sourceDomain)\$($record.sourceSAMAccountName) cloned"
    }
    catch {
        Write-Warning -Message "Account $($record.sourceDomain)\$($record.sourceSAMAccountName) failed to clone`n`tError: $($_.Exception.Message)"
        "$($record.sourceSAMAccountName),$($record.sourceDomain),$($record.targetSAMAccountName)" >> "c:\_adm\CloneFailed.csv"
    }
}
Download the AdFind and AdMod tools and install them in the folder c:\_adm on the ADMT server.
http://www.joeware.net/freetools/tools/adfind/
http://www.joeware.net/freetools/tools/admod/
Run the following command to delete the SID History of the user tigrou.mathieu (AdFind outputs the object and its sIDHistory values in the CSV format AdMod consumes):
c:\_adm\adfind.exe -b "CN=Tigrou Mathieu,OU=Techdays,DC=msreport,DC=be" sIDHistory -adcsv | c:\_adm\admod.exe -sc csh -unsafe
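The same inventory and clean-up with the built-in ActiveDirectory module, as an added example that is not part of the original guide. It lists every object carrying a sIDHistory value (flagging SIDs that belong to the local domain, which indicate an intra-forest move or an injected SID) and clears the attribute on one object, which is what the AdFind / AdMod command above does. The domain and the user DN come from the guide.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module; names from the guide.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    # One row per historical SID, with its domain part so that migrated and suspicious SIDs can be told apart
    $localDomainSid = (Get-ADDomain).DomainSID.Value
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectSid, sAMAccountName |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                [pscustomobject]@{
                    Name            = $obj.Name
                    SamAccountName  = $obj.sAMAccountName
                    ObjectClass     = $obj.ObjectClass
                    HistorySid      = $sid.Value
                    # A historical SID from the local domain was not produced by a cross-forest migration
                    FromLocalDomain = ($sid.AccountDomainSid.Value -eq $localDomainSid)
                }
            }
        }
}

function Clear-SidHistory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Identity)
    $obj = Get-ADObject -Identity $Identity -Properties sIDHistory
    if (-not $obj.sIDHistory) { Write-Verbose "$Identity has no sIDHistory"; return }
    # Removing values is allowed through LDAP, unlike adding them (which requires DsAddSidHistory)
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Clear sIDHistory ($(@($obj.sIDHistory).Count) value(s))")) {
        Set-ADObject -Identity $obj -Clear sIDHistory
    }
}

Get-SidHistoryReport | Format-Table -AutoSize
Clear-SidHistory -Identity 'CN=Tigrou Mathieu,OU=Techdays,DC=msreport,DC=be' -WhatIf
```

Before clearing sIDHistory on migrated accounts for real, translate the historical SIDs into the target domain's ACLs (ADMT's security translation), otherwise the users lose the access those SIDs still grant on file servers.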
Active Directory service administrators do not manage the contents of the directory (no management of user accounts, groups, computer accounts, group policy objects...). Only the Active Directory service administrators must have significant privileges on the directory. An Active Directory administrator usually has a dedicated administration account, member of groups such as Domain Admins, and a standard user account (for Internet access and enterprise applications). The standard account must never be added to groups with significant administrative privileges.
By default, when a domain is created, the users and administrative groups presented in the following table are created. These groups have very important permissions on the directory. Only the accounts of the Active Directory service administrators must be members of these groups. It is also important to note that applications like Exchange, Lync and SCCM create their own security groups that also have very important rights on the directory. The members of these groups must therefore be monitored as well.
A script that lists the direct and indirect (nested) members of the main Active Directory administrative groups is useful to monitor them.
The objects in Active Directory have permissions. You can view these permissions in the Security tab of an object; you must enable the Advanced Features display mode of the console Active Directory Users and Computers for that.
In the example above, This object and all descendant objects corresponds to the organizational unit (OU) Techdays and everything it contains. We see in the following screenshot that the group GG_Helpdesk_Techdays also receives all rights on the attributes of the User class.
Microsoft provides the Delegation of Control wizard to simplify the implementation of delegated permissions.
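Such a membership report, as an added example that is not code from the original guide: it enumerates the nested members of the default administrative groups with the ActiveDirectory module, falls back to direct members when recursive enumeration fails (which happens when a member is a foreign security principal from a trusted forest), and adds the enabled state and last logon of user members. The group list is the default one; add the groups created by Exchange, Lync or SCCM in your forest. The export path C:\_adm is taken from the guide.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module; export path from the guide.
Import-Module ActiveDirectory

$privilegedGroups = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
    'DnsAdmins', 'Group Policy Creator Owners'
)

function Get-PrivilegedGroupMember {
    param([string[]]$GroupName = $privilegedGroups)
    foreach ($name in $GroupName) {
        # Enterprise Admins and Schema Admins only exist in the forest root domain
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { Write-Warning "Group '$name' not found in this domain"; continue }
        try {
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            # -Recursive fails on foreign security principals (members from trusted forests)
            Write-Warning "Recursive enumeration failed for '$name' ($($_.Exception.Message)); listing direct members"
            $members = Get-ADGroupMember -Identity $group
        }
        foreach ($m in $members) {
            $enabled = $null; $lastLogon = $null
            if ($m.objectClass -eq 'user') {
                $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate
                $enabled = $u.Enabled; $lastLogon = $u.LastLogonDate
            }
            [pscustomobject]@{
                Group             = $name
                Member            = $m.SamAccountName
                ObjectClass       = $m.objectClass
                Enabled           = $enabled
                LastLogonDate     = $lastLogon
                DistinguishedName = $m.distinguishedName
            }
        }
    }
}

$report = Get-PrivilegedGroupMember
$report | Sort-Object Group, Member | Format-Table -AutoSize
# Count per group: a group that keeps growing is a sign that delegation should be used instead
$report | Group-Object Group | Select-Object Name, Count
$report | Export-Csv -Path 'C:\_adm\privileged-members.csv' -NoTypeInformation
```

Schedule it and compare each run with the previous export: an account that appears in Domain Admins between two runs without a change ticket is exactly what this control is meant to catch.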
2.1.3.1 The Well-Known Security Principals
There are many special groups / accounts called Well-Known Security Principals (in French, entités de sécurité connues). These entities have standard, predefined SIDs.
http://support.microsoft.com/kb/243330/en-us
http://technet.microsoft.com/en-us/library/cc779144(v=ws.10).aspx
The predefined group Authenticated Users has the SID S-1-5-11. Its membership is managed by the system and cannot be changed manually. This group contains all users and computers that have authenticated in any domain of the Active Directory forest, as well as those that have logged on with a SAM-based (local database) user account, with the exception of the Guest account.
It is possible to assign NTFS permissions to this group, to add it to a group of the local SAM database of a machine, and to add it to domain local groups (the built-in Users group contains Authenticated Users by default). It is not possible to add Authenticated Users as a member of a global or universal group.
By default, Authenticated Users also has very important rights on the file system of a Windows 7 machine. If you create a new folder C:\Msreport, Authenticated Users inherits the Modify right on this folder:
http://searchwindowsserver.techtarget.com/news/1195097/Foreign-security-principals-and-the-ActiveDirecory-architecture
The group Authenticated Users is located in the container WellKnown Security Principals of the configuration partition (which is replicated to all domains in the forest). This group is therefore common to all domains of the same forest. It also has a foreignSecurityPrincipal object in the ForeignSecurityPrincipals container of each domain, which is what allows it to be a member of the domain's groups.
Authenticated Users also contains all user and computer accounts that have authenticated from a trusted domain (trust without selective authentication). Trust relationships with selective authentication make it possible not to extend the membership of Authenticated Users to the users of a trusted domain: for this, the two forests must be at the Windows Server 2003 forest functional level.
2.2 DELEGATE ADMINISTRATION WITH ORGANIZATIONAL UNITS
To delegate administration to the various teams of Active Directory content administrators, it is necessary to design an organizational unit (OU) topology that reflects the organization of the company.
If you have a standalone IT team at each site of the company, you can create an OU per location and delegate rights on each OU to the IT staff in charge of that site.
If you want to delegate the administration of certain accounts / groups to department heads, you can create an OU per department.
It is fundamental to create user accounts dedicated to the administration of the directory. These accounts must be nominative in order to trace the changes made by each administrator. Logon with an administrative account should only be possible on secured machines dedicated to the administration of the directory. If possible, local logon with an administrative account must be blocked on all other business machines.
For this reason, administration teams generally have two accounts:
• An account used to log on to the administration machines. The Active Directory administration tools must be installed on these machines.
• A standard account without administrative privileges on the directory, used to access email, the Internet and other enterprise applications.
To restrict the machines on which a user can log on with his administrative account, you can use the following: go to the properties of the administrative user account, Account tab, click Log On To and select The following computers. Enter the list of machines on which the user may log on (up to 1024 machines; the underlying attribute is userWorkstations). This method prevents interactive logon on the other machines, but the user can still access unauthorized machines via the network (access to shares).
An alternative is to configure the GPO settings Deny log on locally (and Deny log on through Remote Desktop Services) with a user group representing all administrative accounts, and to apply this GPO on all machines in the domain except the administration machines. This is necessary because attacks such as Pass-the-Hash (NTLM) and access token stealing (with Incognito) may allow an attacker to recover the access of all user accounts that have logged on to a machine he has compromised (hence the need to secure the administration machines).
As previously stated, you must delegate the minimum rights to the teams in charge of administering the contents of the directory. The more rights you delegate, the more you increase the risk that an attacker elevates privileges by compromising a management station and using attacks like Pass-the-Hash and access token stealing (with Incognito).
The Guest account must be disabled. It is also good security practice to rename, or even disable, the default Administrator account. Renaming alone has little impact, because this account has a well-known SID (its RID is 500) and is therefore easy to find.
It is possible to audit the permissions on Active Directory with the console Active Directory Users and Computers, with Active Directory Administrative Center, with the tool Dsacls.exe or with PowerShell (Get-Acl on the AD: drive). I invite you to read these two articles if you want to create scripts to audit the permissions on your directory:
http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/12/use-powershell-to-explore-activedirectory-security.aspx
http://windowsitpro.com/active-directory/view-remove-ad-delegated-permissions
ANSSI also provides an answer to this problem with its tool AD-permissions:
http://www.ssi.gouv.fr/IMG/pdf/Audit_des_permissions_en_environnement_Active_Directory_article.pdf
The sources of the AD-Permissions tool are available at:
https://github.com/ANSSI-FR/AD-permissions
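A Get-Acl based audit of delegated permissions, as an added example that is not part of the original guide: it lists the explicit (non-inherited) ACEs set on an OU and its sub-OUs, and resolves the object-type GUIDs to attribute, class and extended-right names so that a delegation such as the GG_Helpdesk_Techdays one above reads as "WriteProperty on user" rather than as a GUID. It assumes the ActiveDirectory module and its AD: drive; the OU Techdays comes from the guide.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module (AD: drive); OU Techdays from the guide.
Import-Module ActiveDirectory

# GUID -> name map built from the schema (attributes, classes) and from the extended rights
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGUID |
    ForEach-Object { $guidMap[[guid]$_.rightsGUID] = $_.displayName }

function Resolve-AceGuid {
    param([guid]$Guid)
    # The empty GUID means "all properties" or "all object classes"
    if ($Guid -eq [guid]::Empty) { 'All' } elseif ($guidMap.ContainsKey($Guid)) { $guidMap[$Guid] } else { $Guid.ToString() }
}

function Get-ExplicitAdPermission {
    param([string]$SearchBase)
    # Trustees whose explicit ACEs are expected on every object; everything else is a delegation to review
    $expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter 'objectClass -eq "organizationalUnit"' |
        ForEach-Object {
            $dn = $_.DistinguishedName
            (Get-Acl -Path "AD:\$dn").Access |
                Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -notin $expected } |
                ForEach-Object {
                    [pscustomobject]@{
                        Object      = $dn
                        Trustee     = $_.IdentityReference.Value
                        Type        = $_.AccessControlType
                        Rights      = $_.ActiveDirectoryRights
                        AppliesTo   = Resolve-AceGuid $_.ObjectType
                        Inheritance = $_.InheritanceType
                        OnObjects   = Resolve-AceGuid $_.InheritedObjectType
                    }
                }
        }
}

Get-ExplicitAdPermission -SearchBase "OU=Techdays,$((Get-ADDomain).DistinguishedName)" | Format-Table -AutoSize
```

Rights of GenericAll, WriteDacl, WriteOwner or WriteProperty with AppliesTo = All granted to a helpdesk group are the lines to question first: each of them lets the trustee take over every account under the OU.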
Active Directory provides a mechanism called AdminSDHolder to protect the permissions set on the sensitive groups and accounts: Account Operators, Administrator, Administrators, Backup Operators, Domain Admins, Domain Controllers, Enterprise Admins, krbtgt, Print Operators, Read-only Domain Controllers, Replicator, Schema Admins and Server Operators.
The principle?
When an object is protected, its adminCount attribute is set to 1 and the inheritance of permissions from parent objects in Active Directory is disabled. A process called SDPROP, running on the PDC Emulator, copies every 60 minutes (configurable interval) the permissions set on a template object called AdminSDHolder onto each protected object (such as the group Domain Admins). If a user is added to a protected group such as Domain Admins, that user becomes protected too.
The AdminSDHolder object is located in the System container at the root of each Active Directory domain.
We see in the example below that the object guillaume.mathieu (a member of Domain Admins) has no inherited permission and has the same permissions as the AdminSDHolder object. If the permissions of guillaume.mathieu are modified, SDPROP resets them at its next run.
It is possible to define the interval at which the SDPROP task runs by modifying the following registry entry on the PDC Emulator: the AdminSDProtectFrequency value (in seconds) under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
Note that removing a user from a protected group does not reset adminCount to 0 nor re-enable inheritance: such orphaned accounts keep the restrictive AdminSDHolder permissions and must be cleaned up manually.
You can configure AdminSDHolder not to protect certain groups (Account Operators, Server Operators, Print Operators and Backup Operators). For this, you must modify the dSHeuristics attribute of the Directory Service object in the configuration partition. For more information:
http://support2.microsoft.com/kb/817433/en-us
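The checks a practitioner runs around AdminSDHolder, as an added example that is not code from the original guide: it finds the orphaned adminCount=1 accounts (no longer in any protected group but still carrying the AdminSDHolder ACL), compares the ACL of a protected object with the template to see which ACEs SDPROP will remove, and reads the SDPROP interval. It assumes the ActiveDirectory module and is meant to run on the PDC Emulator; the DN of guillaume.mathieu under OU=Techdays is an assumed location.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module, run on the PDC Emulator.
# The DN "CN=Guillaume Mathieu,OU=Techdays,..." is an assumed location for the user shown in the guide.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$protectedGroups = @('Administrators', 'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
                     'Replicator', 'Domain Admins', 'Domain Controllers', 'Read-only Domain Controllers',
                     'Enterprise Admins', 'Schema Admins')

function Get-ProtectedGroupMember {
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the server side
    foreach ($name in $protectedGroups) {
        $g = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if ($g) { Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))" }
    }
}

function Get-OrphanedAdminCount {
    $legit = @{}
    Get-ProtectedGroupMember | ForEach-Object { $legit[$_.DistinguishedName] = $true }
    # krbtgt legitimately carries adminCount=1 without being a group member
    Get-ADObject -LDAPFilter '(&(adminCount=1)(objectClass=user)(!(sAMAccountName=krbtgt)))' -Properties adminCount |
        Where-Object { -not $legit.ContainsKey($_.DistinguishedName) }
}

function Get-AceKey {
    param($Ace)
    "$($Ace.IdentityReference)|$($Ace.ActiveDirectoryRights)|$($Ace.AccessControlType)|$($Ace.ObjectType)|$($Ace.InheritanceType)"
}

function Compare-AdminSdHolderAcl {
    param([string]$DistinguishedName)
    $reference = (Get-Acl -Path "AD:\$holderDn").Access | ForEach-Object { Get-AceKey $_ }
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    [pscustomobject]@{
        Object              = $DistinguishedName
        InheritanceDisabled = $acl.AreAccessRulesProtected
        # ACEs present on the object but absent from the template: SDPROP removes them at its next run
        ExtraAces           = @($acl.Access | Where-Object { (Get-AceKey $_) -notin $reference })
    }
}

function Get-SdPropInterval {
    # Default is 3600 seconds when the value is absent; only meaningful on the PDC Emulator
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue
    if ($p) { $p.AdminSDProtectFrequency } else { 3600 }
}

Get-OrphanedAdminCount | Select-Object Name, DistinguishedName
Compare-AdminSdHolderAcl -DistinguishedName "CN=Guillaume Mathieu,OU=Techdays,$($domain.DistinguishedName)"
"SDPROP runs every $(Get-SdPropInterval) seconds"
```

For each orphan returned by Get-OrphanedAdminCount, the usual clean-up is to set adminCount back to 0 and re-enable inheritance on the object, after confirming the account really no longer needs protection.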
It is recommended to enable a password-protected screen saver after 5 to 10 minutes of inactivity. It is not uncommon for an administrator to forget to lock his session. The screen saver can be configured on the domain machines with a GPO setting in User Configuration | Policies | Administrative Templates | Control Panel | Personalization.
It is also necessary to disable inactive user accounts. In general, the longest legitimate absences last six months, or 180 days. This is normally the responsibility of the teams administering the contents of the directory, but for many customers, managing the departure of external providers is a very complex task, and provider accounts are often never disabled. For this reason, the team in charge of the Active Directory administration must itself check for active but unused accounts.
The solution proposed below automatically disables such user accounts and can generate an output file. It works with Windows 2003 and later domain controllers. It uses the Quest ActiveRoles Management Shell PowerShell module. I invite you to use version 1.5 or 1.6 of the snap-in for large directories, because version 1.7 has a memory leak problem when you need to load a directory with more than 10,000 entries.
Deployment:
Install the Quest ActiveRoles Management Shell PowerShell module on a domain member machine. This module can be downloaded at the following address: http://software.dell.com/fr-fr/trials/#a
Create the file c:\_adm\scripts\DisableUnusedAccount-180days.ps1 on a server. Start PowerShell ISE and copy the code below. Set the variable $datelimit and create a scheduled task to run this script.
Add-PSSnapin Quest.ActiveRoles.ADManagement
# Accounts whose last logon is older than this date are disabled
$datelimit = (Get-Date).AddDays(-180)
$users = Get-QADUser -Enabled -SizeLimit 0 | Where-Object { $_.LastLogonTimestamp -ne $null -and $_.LastLogonTimestamp -lt $datelimit }
foreach ($user in $users) {
    $newdescription = ""
    # Analyse and update the description field (service accounts are tagged in their description)
    if ($($user.Description) -notlike "*Service Account*") {
        $newdescription = "This account has been disabled " + $((Get-Date).ToString("dd-MM-yyyy")) + " by your administrator - " + $($user.Description)
    } else {
        $newdescription = "This account has been disabled " + $((Get-Date).ToString("dd-MM-yyyy")) + " by your administrator."
    }
    # Change the value of the description field, then disable the account and log it in the output file
    Set-QADUser -Identity $($user.SamAccountName) -Description $newdescription | Out-Null
    Disable-QADUser -Identity $($user.SamAccountName) | Out-Null
    "$($user.SamAccountName);$($user.LastLogonTimestamp)" >> "c:\_adm\scripts\DisabledAccounts.csv"
}
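The same clean-up with the built-in ActiveDirectory module (Windows Server 2008 R2 and later, no Quest snap-in), as an added example that is not part of the original guide. It treats accounts that never logged on by using their creation date, keeps the original description, supports -WhatIf for a dry run and appends the disabled accounts to a CSV file. The 180-day limit, the "Service Account" description tag and the c:\_adm\scripts path come from the guide.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module; limit, tag and path from the guide.
Import-Module ActiveDirectory

function Get-UnusedUserAccount {
    param([int]$InactiveDays = 180)
    $limit = (Get-Date).AddDays(-$InactiveDays)
    # lastLogonTimestamp replicates with up to 14 days of lag: the real last logon may be slightly more recent
    Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated, Description |
        Where-Object {
            # Account that never logged on: use the creation date instead of a null LastLogonDate
            $reference = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
            $reference -lt $limit
        }
}

function Disable-UnusedUserAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$InactiveDays = 180, [string]$LogFile = 'c:\_adm\scripts\DisabledAccounts.csv')
    $stamp = (Get-Date).ToString('dd-MM-yyyy')
    foreach ($user in (Get-UnusedUserAccount -InactiveDays $InactiveDays)) {
        $note = "This account has been disabled $stamp by your administrator"
        # Keep the original description; service accounts are recognisable by the tag in theirs
        if ($user.Description -and $user.Description -notlike '*Service Account*') { $note += " - $($user.Description)" }
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable (last logon $($user.LastLogonDate))")) {
            Set-ADUser -Identity $user -Description $note
            Disable-ADAccount -Identity $user
            [pscustomobject]@{ SamAccountName = $user.SamAccountName; LastLogonDate = $user.LastLogonDate; Created = $user.whenCreated } |
                Export-Csv -Path $LogFile -Append -NoTypeInformation
        }
    }
}

# Dry run first: lists what would be disabled without touching the accounts
Disable-UnusedUserAccount -InactiveDays 180 -WhatIf
```

Run the dry run against a freshly created test account as well: because it never logged on, it is only reported once it is older than the limit, which is the intended behaviour for accounts created for people who never arrived.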
Active Directory natively allows permissions on the directory to be delegated very finely. There are many tools, such as management consoles, PowerShell or HTA scripts, to delegate the administration of the directory to non-IT staff. These tools, however, do not allow:
• Keeping a history of the changes made to objects (user accounts, groups, OUs).
• Managing membership in security groups based on the location of the user in the OU tree.
• Running scripts to perform additional tasks. When a user deletes an account, it is not possible to automatically delete the personal directory or the mailbox, for example. These actions must be performed manually.
• Requiring the approval of a third party before a change is made on an Active Directory object.
The tool Dell ActiveRoles Server 6.9 (ARS 6.9) provides the following features to meet these needs:
• Dynamic groups: addition of an object to a group according to an attribute value or to the location of the user (LDAP path). This feature allows, for example, to grant access to the intranet to all internal users of the company (based on the value of the attribute employeeType).
• Temporary groups: addition of an object to a group for a limited time. This helps give temporary access to a service provider.
• Approval workflows: one or more persons can approve or reject certain actions performed on the directory by others. An action performed on a user account can also trigger, for example, the sending of an email to this user.
• A customizable web console: the tool comes with an MMC console (easily customized) and a web console. The latter can be fully customized (changes to the object management forms, added commands...). Take the case of a company that uses the attribute extensionAttribute2 to store Office 365 licence information: this attribute is not shown by default in the properties of a user account in the console Active Directory Users and Computers.
• The history of actions performed on an object and of actions performed by an administrative account: managers will be pleased to find who made a given change.
• Policies: which CIO has not dreamed of a directory whose data is reliable and follows a validated format? With ARS policies, you can force the teams in charge of directory management to fill in certain fields with a particular format (phone number in international format, last name in capital letters, company and address fields completed...). Via its Script Policies module, ActiveRoles Server can run VBS / PowerShell scripts before or after (among other events) a form is submitted. Nothing prevents you from using such a script to fill in other attributes automatically.
• Deprovisioning: ActiveRoles Server also has a deprovisioning function that lets you define a number of tasks to be performed automatically when an account is deprovisioned.
• Virtual attributes: ActiveRoles Server allows creating virtual attributes. These do not exist in Active Directory but can be used by ARS scripts. For example you can create a virtual attribute Site; an ARS policy script then automatically fills in the address, city and country fields of the user account depending on the value of this Site field.
• Delegation of administration: this is by far the most important feature of ActiveRoles Server. It is possible to delegate rights to administrators only within the ActiveRoles Server tool. These administrators have no rights in Active Directory itself and are therefore forced to use ActiveRoles Server to perform administrative tasks, which ensures that all administrative actions are traced in the tool. This also allows delegating rights very precisely without affecting software that relies on Active Directory. You can, for example, prevent helpdesk users from seeing the organizational units they are not allowed to manage without disrupting the operation of other software that relies on the directory.
The product allows a great many actions but has the following limitations:
• For advanced needs, it is necessary to write ARS policy scripts. An SDK explains how to develop these scripts; their development can be long.
• Consider separating the change-history database from the configuration database. This is a check box during installation.
• SQL knowledge is recommended, especially if you want to deploy two servers that replicate the same configuration and history databases.
• Reduce the number of user accounts with the option Password never expires.
• Replace the service accounts that have the option Password never expires with Managed Service Accounts (MSA) or Group Managed Service Accounts (gMSA), whose passwords are rotated automatically by the domain.
• List all the accounts that have not changed their password for years.
• Understand how, why and where passwords are stored on domain machines (other than domain controllers).
• Finally, define from all of these elements the target password strategy, in coordination with the management of the company, the Helpdesk team (responsible for resetting passwords) and user representatives.
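The inventory behind the first three points above, as an added example that is not part of the original guide: with the ActiveDirectory module it reports the enabled accounts whose password never expires, those whose password is older than a given age, the classic service accounts (accounts carrying an SPN) that could be replaced by an MSA / gMSA, and the managed service accounts already in place. The one-year limit is an assumed value.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module; the 365-day limit is an assumed value.
Import-Module ActiveDirectory

function Get-PasswordHygieneReport {
    param([int]$MaxPasswordAgeDays = 365)
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName, adminCount |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                PasswordNeverExpires = $_.PasswordNeverExpires
                # Null when pwdLastSet is 0, i.e. the user must change the password at next logon
                PasswordLastSet      = $_.PasswordLastSet
                PasswordOlderThanMax = ($_.PasswordLastSet -ne $null -and $_.PasswordLastSet -lt $cutoff)
                # An SPN on a user account is the signature of a classic service account (Kerberoast target)
                IsServiceAccount     = (@($_.ServicePrincipalName).Count -gt 0)
                IsPrivileged         = ($_.adminCount -eq 1)
            }
        }
}

$report = Get-PasswordHygieneReport -MaxPasswordAgeDays 365
"Accounts with 'Password never expires': $(@($report | Where-Object { $_.PasswordNeverExpires }).Count)"
"Accounts whose password is older than one year: $(@($report | Where-Object { $_.PasswordOlderThanMax }).Count)"
# Service accounts with a never-expiring password are the first candidates for an MSA / gMSA
$report | Where-Object { $_.IsServiceAccount -and $_.PasswordNeverExpires } | Format-Table SamAccountName, PasswordLastSet -AutoSize
# Privileged accounts (adminCount=1) with an old password deserve a forced change
$report | Where-Object { $_.IsPrivileged -and $_.PasswordOlderThanMax } | Format-Table SamAccountName, PasswordLastSet -AutoSize
# Managed service accounts already in place: their password is rotated automatically by the domain
Get-ADServiceAccount -Filter * | Select-Object Name, ObjectClass, Enabled
$report | Export-Csv -Path 'C:\_adm\password-hygiene.csv' -NoTypeInformation
```

The privileged accounts with an old password are the ones to handle first: the 16- and 24-character minimums discussed below only help once those passwords have actually been changed.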
The first basic step is to define the company's needs in terms of passwords. For this you need to ask yourself the following questions:
• Will users accept a 10-character password that changes every 90 or 120 days (a reasonable level of security)? Is change management necessary?
• Which user accounts have significant administrative privileges on your information system? These accounts should have a password of at least 16 characters (at least 24 characters for service accounts).
• What is the level of security required by the company? Does the company have legal requirements (contract with the Ministry of Defence, financial organization)? Is the security level homogeneous for all departments / users of the company?
• The Active Directory complexity requirement imposes a password of at least 6 characters containing at least 3 of the 5 existing character categories (lowercase, uppercase, digit, special character, Unicode character) and not containing the user's account name or display name; there is no dictionary check. The password P@ssword is therefore considered complex by Active Directory. Is such a password secure enough for your business?
• Do you have a team in charge of password resets (when a user has forgotten his password)? Is it available 24/7?
• How do you validate that the user calling to reset his password is who he claims to be?
• How do you reset a user's password when he is not connected to the corporate network?
We will see in the next paragraphs the tools integrated with Active Directory, the third-party solutions and the actions to implement to meet all these business needs.
Standard users can on average remember up to 3 different login / password pairs. Beyond that, the following 4 phenomena are observed:
1. If passwords expire every 90 / 120 days and the Active Directory complexity requirement is enabled, users confuse their different passwords. The rate of IT support calls for password reset requests increases sharply.
2. If account lockout is enabled, the rate of IT support calls to unlock accounts increases sharply because users enter their password incorrectly several times.
3. Users write their different logins / passwords on paper, in a text file or behind their keyboard.
4. Users try to align the passwords of their different accounts and change only one character when changing passwords.
All this penalizes the company's productivity and reduces the company's security.
It is therefore necessary to reduce the number of login / password pairs that a user must remember.
3.2.2 CONFIGURE YOUR APPLICATIONS TO AUTHENTICATE WITH ACTIVE DIRECTORY
Business applications typically allow LDAP authentication over SSL. Often, they also support authentication protocols such as NTLM or Kerberos. We will see below how to configure Apache on Linux to authenticate users with Kerberos against Active Directory domain controllers.
If you have an application whose login / password rarely or never expires (this is not a good practice), you can save the password in the Windows vault. The user no longer has to enter the login / password, since it is saved in his user profile. The Windows vault (Credential Manager) is accessible from the Control Panel.
CIOs are increasingly switching to applications hosted in the cloud, such as Microsoft Office 365 or Salesforce. These solutions have many advantages but contribute to increasing the number of logins / passwords that users must memorize.
Identity federation solutions (such as Microsoft ADFS or Ping Identity) address this problem by establishing a trust relationship between Active Directory (the Identity Provider, or IdP) and the application hosted in the cloud (the Service Provider, or SP). The advantage of this solution is that the scope of this trust is much narrower than that of a trust relationship between two domains: the application only receives signed claims about the user and never sees his password.
The strategy of passwords for user accounts can be configured in several locations:
• At the component level Password Policy Group Policy Default Domain Policy.
• At the container level PSO ( Password Policy Object).
• In terms of Active Directory user accounts.
It is necessary to understand the difference between changing passwords and resetting passwords. A change of passwords is performed by a
user. The latter must know his old password to perform the procedure. A reset password is performed by Active Directory administrator. The
administrator does not need to know the old user password. The historic setting of the password (see below) is ignored when a reset
passwords.
On Active Directory domain controllers (all versions), administrators can configure their password policy in the Default Domain Policy under Computer Configuration | Policies | Security Settings | Account Policies | Password Policy. Microsoft defines the following criteria:
Password policies set in the Default Domain Policy apply to Active Directory user accounts, but also to the local SAM user accounts of domain member machines.
It is important to note that password policies can only be defined at the level of the Default Domain Policy Group Policy, although the Windows graphical interface suggests that they can be defined in any GPO linked to an OU. In fact, password policies defined in a GPO linked to an OU apply only to the local SAM user accounts of the domain member machines.
PSOs allow you to set the same password policy settings as the Default Domain Policy, but for specific users and groups. PSOs (also called fine-grained password policies) appeared with the Windows 2008 native mode. In Windows 2008 R2, PSOs had to be created manually with ADSIEDIT.MSC. Since Windows 2012 R1, a wizard for creating PSOs is available in the Active Directory Administrative Center (ADAC) console. Go to the container System | Password Settings Container; in the Tasks pane, click New | Password Settings.
In the example below, we create a password policy for all members of the user group GG_Administrative_Accounts.
It is better to define a fine-grained password policy that is at least as strict as the security settings of the Default Domain Policy, because the most restrictive combination of the two applies to the user. In the example below, the Default Domain Policy requires a password of 8 characters and the PSO requires 15 characters. Members of the user group GG_Administrative_Accounts must therefore have a password of 15 characters.
• Microsoft native tools do not guarantee the identity of the user requesting a password reset.
The PWM tool (open source and free) provides a web interface for users to reset their own password. The user connects to the interface and must answer secret, personal questions such as his favourite band or the nickname of his spouse or pet. Paid tools such as Hitachi Password Manager or Microsoft Forefront Identity Manager also offer this type of function.
The principle of these tools is relatively simple; their implementation, however, is complex. The personal data you store in these tools requires a declaration to the CNIL and consultation of the unions. The choice of questions can also be highly political and sensitive.
Implementing a password reset tool based on security questions also ensures the identity of the calling user and protects the company against an attacker posing as an employee of the company to obtain access.
Password complexity is handled by the Microsoft Windows DLL Passfilt.dll. It is possible to develop an additional DLL to enforce more complex passwords and to configure Windows to use this second DLL. Put simply, both DLLs analyse the password supplied by the user: if both return true, the password is accepted; otherwise an error message appears and the password change/reset is denied. All the information provided by Microsoft for developing a custom password filter DLL is available at:
http://msdn.microsoft.com/en-us/library/ms721766.aspx
http://msdn.microsoft.com/en-us/library/ms721849.aspx#password_filter_functions
http://msdn.microsoft.com/en-us/library/ms721884.aspx
http://msdn.microsoft.com/en-us/library/ms722458.aspx
To retrieve a user's password over the network, an attacker needs a lot of time. He must not exceed a certain threshold, which could trigger a lockout of the user account or be detected by an IDS. A good pace would be to test one password per minute. Assuming the password expires after 60 days, an attacker could test 86,400 passwords during this period.
The script below tests all the passwords in the file c:\password.txt (one password per line) for the guillaume account on the machine 192.168.1.15. If the command succeeds, a drive letter V: is mapped to the C$ share of the machine.
FOR /F %i IN (c:\password.txt) DO @net use V: \\192.168.1.15\c$ %i /user:guillaume
Enabling account lockout with very low thresholds (a few failed passwords) will mainly block clumsy users or users who no longer remember their password. It is better to set account lockout at high thresholds and to record these authentication failures over a longer period. Microsoft caps the threshold at 999 attempts. Taking the failure counter reset duration into account will also set the duration of the account lockout (a constraint of the Microsoft solution).
If account lockout is enabled, an attacker can deliberately submit bad passwords to cause a massive denial of service. It is mainly for this reason that account lockout should be turned off, in my opinion.
An alternative to account lockout is to analyse the Security log of all domain controllers for authentication failures and generate an alert on detection. This method would also detect low-rate attempts (one password test per minute) by counting the number of authentication failures over the long term. A sample script is provided later in this document (audit section).
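As an added example of the log-analysis alternative just described (not code from the original document), the Go program below counts authentication failures per account over both a short and a long sliding window, so that a burst and a slow one-try-per-minute guess each raise an alert. The failure records, account names and thresholds are constructed assumptions standing in for data extracted from the domain controllers' Security logs.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuthFailure is one failed-authentication record as it could be extracted
// from the Security log of a domain controller (constructed sample data).
type AuthFailure struct {
	When    time.Time
	Account string
	Source  string // client address reported in the event
}

// Thresholds for the two behaviours the text contrasts: a burst that a
// lockout policy would catch, and a slow guess that only stands out when
// failures are counted over a long window.
type Thresholds struct {
	BurstWindow time.Duration
	BurstCount  int
	LongWindow  time.Duration
	LongCount   int
}

// Alert names the account, the rule that fired and how many failures matched.
type Alert struct {
	Account string
	Rule    string
	Count   int
}

// maxInWindow returns the largest number of events that fall within any
// sliding window of the given width (times must be sorted ascending).
func maxInWindow(times []time.Time, window time.Duration) int {
	best, start := 0, 0
	for end := range times {
		for times[end].Sub(times[start]) > window {
			start++
		}
		if n := end - start + 1; n > best {
			best = n
		}
	}
	return best
}

// Detect groups failures per account and applies both thresholds.
func Detect(events []AuthFailure, th Thresholds) []Alert {
	perAccount := map[string][]time.Time{}
	for _, e := range events {
		perAccount[e.Account] = append(perAccount[e.Account], e.When)
	}
	var alerts []Alert
	for acct, times := range perAccount {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		if n := maxInWindow(times, th.BurstWindow); n >= th.BurstCount {
			alerts = append(alerts, Alert{acct, "burst", n})
		}
		if n := maxInWindow(times, th.LongWindow); n >= th.LongCount {
			alerts = append(alerts, Alert{acct, "slow-guess", n})
		}
	}
	sort.Slice(alerts, func(i, j int) bool {
		if alerts[i].Account != alerts[j].Account {
			return alerts[i].Account < alerts[j].Account
		}
		return alerts[i].Rule < alerts[j].Rule
	})
	return alerts
}

// SampleEvents builds constructed data: a clumsy user with 4 typos within two
// minutes, and an account probed once per minute for 3 hours (180 failures).
func SampleEvents() []AuthFailure {
	base := time.Date(2016, 1, 19, 8, 0, 0, 0, time.UTC)
	var ev []AuthFailure
	for i := 0; i < 4; i++ {
		ev = append(ev, AuthFailure{base.Add(time.Duration(i*30) * time.Second), "clumsy.user", "10.0.0.21"})
	}
	for i := 0; i < 180; i++ {
		ev = append(ev, AuthFailure{base.Add(time.Duration(i) * time.Minute), "svc.backup", "10.0.0.99"})
	}
	return ev
}

func main() {
	// Assumed thresholds: 20 failures in 10 minutes, or 60 failures in 24 hours.
	th := Thresholds{BurstWindow: 10 * time.Minute, BurstCount: 20, LongWindow: 24 * time.Hour, LongCount: 60}
	for _, a := range Detect(SampleEvents(), th) {
		fmt.Printf("ALERT account=%s rule=%s failures=%d\n", a.Account, a.Rule, a.Count)
	}
}
```

The slow probe never exceeds 11 failures in any 10-minute window, so only the long-window rule reveals it; the clumsy user triggers neither rule.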
3.6 USE MSA AND GMSA OBJECTS FOR SERVICES AND SCHEDULED TASKS
At many customers, user accounts are used to run services and scheduled tasks. These accounts usually have very high privileges (sometimes Domain Admins), have a password that never expires and are not restricted in their use: they can, for example, log on to any machine in the domain. If a service is compromised with a tool like Metasploit, the attacker obtains the access rights of the user account running that service (in our example, an account that is a member of Domain Admins). The attacker can also recover the password of the service account by analysing the memory of the LSASS.EXE process on the machine with a tool like Cain (see later in this document for more information).
An MSA, like a computer account, changes its password automatically every 30 days (at the same time as the computer account password). An MSA is not subject to the password policies of the Default Domain Policy, nor to PSO settings. A Managed Service Account (MSA) does, however, have some limitations:
• It is not possible to use the same MSA on multiple machines: it is linked to a specific computer account. It is therefore not possible to use an MSA with a Microsoft Failover cluster or an NLB cluster (Kerberos authentication is then no longer possible).
• Many applications do not support MSAs. It is therefore necessary to validate MSA support for each application. Microsoft SQL Server 2012 supports the use of an MSA if SQL Server is deployed standalone (not clustered). For more information:
http://blogs.msdn.com/b/sqlosteam/archive/2014/02/19/msa-accounts-used-with-sql.aspx
I invite you to read the following Microsoft articles for more information on MSAs:
http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understandingimplementing-best-practices-and-troubleshooting.aspx
http://technet.microsoft.com/fr-fr/library/dd548356(v=ws.10).aspx
Microsoft improved the MSA in Windows 2012 R2 and created a new object type (class msDS-GroupManagedServiceAccount) called Group Managed Service Account (GMSA). Unlike an MSA, a GMSA is no longer linked to the computer account of a machine. It is the Kerberos Key Distribution Center (KDC) service that changes the password of a GMSA.
The same GMSA object can be used on different machines. The Failover cluster service itself should not run with a GMSA, but the services hosted by the cluster can. This was not possible with an MSA object. Note that GMSAs are not yet supported with Microsoft SQL Server 2012 (unlike MSAs). I invite you to read the following Microsoft articles on GMSAs:
http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managedservice-accounts.aspx
http://technet.microsoft.com/en-us/library/jj128431 (US)
http://technet.microsoft.com/fr-fr/library/hh831782.aspx (FR)
MSAs and GMSAs are stored in the Managed Service Accounts container at the root of the domain.
How to configure the VMware Tools service on the SRV2012C machine with an MSA:
Install the Active Directory module for PowerShell on SRV2012C from Server Manager.
Msreport - Guillaume MATHIEU - All rights reserved
Then type the following
3.7 LIST ALL ACCOUNTS THAT HAVE NOT CHANGED THEIR PASSWORD FOR SEVERAL YEARS
It is necessary to identify accounts that have not changed their password for more than 5 to 10 years (configured with a password that never expires). These are usually old generic (non-nominal) service accounts, known to all IT staff and to employees/contractors who have since left the company, and whose use is not well known (several applications may use the same service account).
The approach:
1. Identify the applications that use these service accounts, using the Active Directory logon auditing feature (see later in this document).
2. Assess the security risk of each of these accounts. Is the password complex? Is the password known by former employees/contractors? What is the privilege level of the account?
3. Plan password change campaigns for the service accounts. Whenever possible, set service account passwords to a minimum of 24 characters. This ensures that the password is not stored in LM hash format in the directory (14 characters maximum).
If it is not possible to change the password of a service account, you must reset it to its current value a number of times equal to the password history value + 1, after disabling the storage of passwords in LM hash format (see later in this document). If the password history is 15 passwords, reset the password 16 times.
If the password does not meet the complexity requirements, it will be necessary to temporarily change the Default Domain Policy in order to set the password to the same value (only for really blocking cases).
You must do the same if you have disabled LM hash storage: the LM hash is removed from the dBCSPwd attribute of an existing account only when the user account password is changed.
During an interactive logon (local or via Remote Desktop), users can authenticate with their smart card (instead of a login/password). However, access to network resources is performed transparently by the system using the NTHASH (the hash of the password). This NTHASH is stored in memory by lsass.exe after the interactive logon. Moreover, when the box Smart card required for interactive logon is checked, the password is generated automatically by the system but is configured never to change.
For this reason, it is advisable to periodically reset the password of these accounts (once every 6 months). This action should be performed when the user is not working.
3.9 RESTRICT USE OF THE OPTION "PASSWORD NEVER EXPIRES"
No user account should have this option, except service accounts. The following PowerShell command lists the accounts whose password never expires. It requires the Dell ActiveRoles Management Shell 1.6 PowerShell module and works with domain controllers running Windows 2003 and later (free download: http://software.dell.com/fr-fr/trials/#a).
For security reasons, a user account (or computer account) password must not be stored in clear text in an LDAP directory. Active Directory therefore stores the password of all computer accounts and all user accounts as a fingerprint (also called a hash). Two different passwords do not produce the same fingerprint, and the mathematical function that generates the fingerprint (the hash function) is one-way: it is not possible to recover the original password from its fingerprint. Rainbow tables overcome this limitation by precomputing the fingerprint of every possible password into a database. An attacker can then look up the password corresponding to the fingerprint he holds. I invite you to visit the website below:
http://fr.wikipedia.org/wiki/Rainbow_table
Some fingerprint algorithms allow the use of a salt (also called a seed). A salt is a value that is appended to the original password. It improves the security of passwords with a small number of characters. With a salt, two identical passwords do not produce the same fingerprint.
Active Directory can generate two types of fingerprint for a user/computer account password:
The LM hash is stored in the dBCSPwd attribute. The password history is stored in the lmPwdHistory attribute. Both attributes are protected by the operating system against read access (even for a member of the Domain Admins group). In the example below, Active Directory is configured to store the password in LM hash format.
After changing the password of the guillaume.mathieu account, the dBCSPwd attribute remains unavailable (displayed as Not set).
4. The result of this processing is divided into two blocks of 7 bytes (56 bits). In each 7-byte block (56 bits), a 0 bit is inserted after every 7 bits to obtain a 64-bit value (8 bytes) that is used as a DES encryption key.
5. Each of the two DES keys is used to encrypt the string "KGS!@#$%". The results (64 bits each) of the two operations are concatenated to obtain a 16-byte (128-bit) value. This value is the LM hash.
To summarize: LM = DES(Password[0..6], "KGS!@#$%") | DES(Password[7..13], "KGS!@#$%")
The LM hash is very weak because it is case-insensitive (uppercase/lowercase), only supports passwords of fewer than 15 characters, has no salt and uses 64-bit DES keys (of which 8 bits are 0). If the password is shorter than 8 characters, all the bits of the second DES key are 0 and a known hash value is obtained (0xAAD3B435B51404EE). These weaknesses make it possible to generate a 17 GB rainbow table (instead of 310 TB, with Philippe Oechslin's algorithm) containing the LM hash of every possible password. Since Windows 2008 R1, domain controllers no longer generate an LM hash fingerprint by default when the password is updated. Many directories running Windows 2012 R2 still contain LM hash fingerprints in their database because the passwords of some service accounts have never been changed, sometimes for 10 years or more!
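The LM hash computation summarised in steps 4 and 5 above, and the weakness just described, as an added Go example (not code from the original document): it builds the two 8-byte DES keys from the 14-byte uppercased password and checks whether the second half equals the constant 0xAAD3B435B51404EE that betrays a password shorter than 8 characters. Go's standard crypto/des is used; only ASCII passwords are assumed.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that both DES keys encrypt.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads 7 key bytes (56 bits) over 8 bytes, inserting a 0 bit
// in the low position of every byte, as step 4 of the text describes.
func desKeyFrom7(s []byte) []byte {
	k := make([]byte, 8)
	k[0] = s[0] & 0xFE
	k[1] = (s[0]<<7 | s[1]>>1) & 0xFE
	k[2] = (s[1]<<6 | s[2]>>2) & 0xFE
	k[3] = (s[2]<<5 | s[3]>>3) & 0xFE
	k[4] = (s[3]<<4 | s[4]>>4) & 0xFE
	k[5] = (s[4]<<3 | s[5]>>5) & 0xFE
	k[6] = (s[5]<<2 | s[6]>>6) & 0xFE
	k[7] = (s[6] << 1) & 0xFE
	return k
}

// LMHash returns the LAN Manager hash of a password as 32 uppercase hex digits.
func LMHash(password string) string {
	// Case is lost: the password is uppercased (ASCII assumed here).
	up := []byte(strings.ToUpper(password))
	// Truncate to 14 bytes and pad with NUL bytes up to 14 bytes.
	buf := make([]byte, 14)
	copy(buf, up)
	out := make([]byte, 0, 16)
	// Each 7-byte half becomes a DES key that encrypts the magic string (step 5).
	for _, half := range [][]byte{buf[:7], buf[7:]} {
		block, err := des.NewCipher(desKeyFrom7(half))
		if err != nil {
			panic(err) // cannot happen: the key is always 8 bytes
		}
		ct := make([]byte, 8)
		block.Encrypt(ct, lmMagic)
		out = append(out, ct...)
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// SecondHalfIsEmpty reports whether an LM hash reveals a password shorter than
// 8 characters: the second DES key is then all zero bits and the second half of
// the hash is the constant quoted in the text, AAD3B435B51404EE.
func SecondHalfIsEmpty(lmHex string) bool {
	return len(lmHex) == 32 && strings.ToUpper(lmHex[16:]) == "AAD3B435B51404EE"
}

func main() {
	for _, pw := range []string{"", "secret", "Secret", "Password1"} {
		h := LMHash(pw)
		fmt.Printf("%-12q LM=%s shortPassword=%v\n", pw, h, SecondHalfIsEmpty(h))
	}
}
```

"secret" and "Secret" produce the same hash, and both expose the empty second half; a 9-character password does not.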
The NTHASH is stored in the unicodePwd attribute. The password history is stored in the ntPwdHistory attribute. Both attributes are protected by the operating system against read access (even for a member of the Domain Admins group).
The NTHASH is a fingerprint/hash of the password based on the MD4 hash function (without salt). For the NTHASH, the system performs these actions:
• The password is encoded in Unicode format and can contain up to 255 characters.
• MD4 is applied to obtain the NTHASH.
To sum up: NTLM HASH (NTHASH) = MD4(Password in Unicode)
We will see in the next section that it is possible to recover the contents of the unicodePwd and ntPwdHistory attributes with the tools LIBESEDB/NTDSXtract, and therefore to recover the clear-text password with a rainbow table (depending on the complexity of the passwords). The NTHASH does not suffer from the same design flaws as the LM hash. Although the hash algorithm does not include a salt/seed, rainbow tables for the NTHASH generally only recover passwords of up to 16 characters under conditions (dictionary word, ...) and 8
• The password is not based solely on a dictionary word and/or a sequence of digits. The password Vachette1 is in every MD4/NTHASH rainbow table.
• The password must have 10 characters for standard users, 16 for VIPs and 24 for service accounts.
3.11.1 THE PROCEDURE
We will see in the next section how to create a copy of the directory and mount it as a simple LDAP database with the LIBESEDB tool. The NTDSXtract tool will then extract the values of the unicodePwd, ntPwdHistory, dBCSPwd and lmPwdHistory attributes.
To use LIBESEDB, we need to obtain the file NTDS.DIT (the Active Directory database) and the SYSTEM file (the hive file that contains the registry entries under HKEY_LOCAL_MACHINE\SYSTEM). To do this you can create an IFM (Install From Media, used to promote a domain controller from media), a snapshot of Active Directory, or use a system state backup (restored to a different location).
To generate an IFM:
You must have a domain controller running Windows 2008 R1 (or later). Log in with a user account that is a member of the Domain Admins group and type the following commands:
ntdsutil
activate instance ntds
ifm
Install a Kali virtual machine (https://www.kali.org) under VMware Workstation 10 (in this example), connected to the corporate network. You can also use VMware ESXi, Hyper-V or VirtualBox.
Then install VMware Tools. You first need to install autoconf and the Linux headers:
apt-get install autoconf
apt-get install linux-headers-$(uname -r)
In the VM menu, click Install VMware Tools. This loads the VMware Tools ISO into the DVD drive of the virtual machine.
LIBESEDB mounts an ESE (Extensible Storage Engine) database. Remember, Active Directory is an ESE database. Download LIBESEDB from: https://github.com/libyal/libesedb/releases
esedbexport: error while loading shared libraries: libesedb.so.1: cannot open shared object file: No such file or directory
The esedbexport command generates an ntds.dit.export directory in the esedbtools folder containing the following files:
2767300 -rw-r--r-- 1 root root 9616462 Jan 19 17:00 datatable.3
2767301 -rw-r--r-- 1 root root     693 Jan 19 17:00 hiddentable.4
2767302 -rw-r--r-- 1 root root    6563 Nov 19 17:00 link_table.5
2767297 -rw-r--r-- 1 root root   75441 Jan 19 17:00 MSysObjects.0
2767298 -rw-r--r-- 1 root root   75441 Jan 19 17:00 MSysObjectsShadow.1
2767299 -rw-r--r-- 1 root root     103 Jan 19 17:00 MSysUnicodeFixupVer2.2
2767303 -rw-r--r-- 1 root root      80 Jan 19 17:00 quota_rebuild_progress_table.6
2767304 -rw-r--r-- 1 root root     638 Jan 19 17:00 quota_table.7
2767305 -rw-r--r-- 1 root root      14 Jan 19 17:00 sdpropcounttable.8
2767306 -rw-r--r-- 1 root root      96 Jan 19 17:00 sdproptable.9
2768102 -rw-r--r-- 1 root root   29626 Jan 19 17:00 sd_table.10
cp /root/libesedb-20141110/ntds.dit.export/datatable.3 /root/NTDSXTRACT/datatable.3
cp /root/libesedb-20141110/ntds.dit.export/link_table.5 /root/NTDSXTRACT/link_table.5
cd /root/NTDSXTRACT
Scanning database - 100% -> 3717 records processed
Searching for Schema object - 100% -> 12 records processed
Extracting schema information - 100% -> 1549 records processed
Extracting object links...
List of users:
==============
Record ID: 5768
User name: Guillaume Mathieu
User principal name: guillaume.mathieu@tphat.intra
SAM Account name: guillaume.mathieu
SAM Account Type: SAM_NORMAL_USER_ACCOUNT
GUID: 1eaee5d6-5f8f-4e8c-a840-31caddad6755
SID: S-1-5-21-2163606747-459301225-4249714960-1121
When created: 2013-08-05 8:12:08
When changed: 2013-08-17 18:20:58
Account expires: Never
Password last set: 2013-08-17 18:20:58.095203
Last logon: 2013-08-15 12:30:01.708144
Last logon timestamp: 2013-08-12 18:41:32.890748
Bad password time: 2013-08-15 12:29:32.988494
Logon count: 18
Bad password count: 0
User Account Control: NORMAL_ACCOUNT PWD Never Expires
Ancestors:
Copy the SYSTEM file into /root/
In the example below, we have the same password several times because the administrator reset the password from the Active Directory Users and Computers console.
Log on to the Objectif Sécurité site and enter the LM hash (http://www.objectif-securite.ch/ophcrack.php).
For the guillaume.mathieu account, there are two Password hashes lines:
Password hashes:
Guillaume Mathieu:$NT$13b29964cc2480b4ef454c59562e675c:::
Guillaume Mathieu:11cb3f697332ae4c4a3b108f3fa6cb6d:::
The line with $NT$ corresponds to the NTHASH. The second line is the LM hash.
The password is found in upper case. The website uses the NTHASH to determine which characters are uppercase.
The Lm2ntcrack.exe tool also recovers the password with its upper- and lowercase characters. To do this, type the following command:
http://support.microsoft.com/kb/272129/en-us
http://support.microsoft.com/kb/299656/en-us
http://support.microsoft.com/kb/828861/en-us
http://support.microsoft.com/kb/890761/en-us
http://support.microsoft.com/kb/895092/en-us
http://www.markwilson.co.uk/blog/2004/06/problems-with-microsoft-clusters.htm
http://blogs.technet.com/b/askcore/archive/2011/08/11/windows-2003-server-cluster-and-accessdenied-errors.aspx
You can reset all service accounts with their current password value. The password of a computer account changes every 30 days, so I suggest you simply wait. These two actions remove the value of the dBCSPwd attribute.
Removing the values of the lmPwdHistory attribute (the password history in LM hash format) requires changing the password a number of times equal to the password history. This causes no problem for service accounts, because you know their password. For user accounts I offer you the following trick: reset all user accounts with a default password. Communicate this new password to the users and check the box User must change password at next logon on each user account. Users will thus change their password at their next logon.
A less ethical method is to recover all passwords with the procedure of the preceding section and reset each account with the same value, then check the box User must change password at next logon so as to lose knowledge of the password for all users.
To remove the values of the lmPwdHistory attribute, the password must be changed a number of times equal to the password history.
The LM hash is disabled by default on Windows 2008 domain controllers (this is the default behaviour when the GPO setting Network security: Do not store LAN Manager hash value on next password change is not defined/configured). This information is important for migration projects from Windows 2000/2003 to Windows 2008 R1 and later. For more information:
http://support.microsoft.com/kb/299656/en-us
http://support.microsoft.com/kb/946405/en-us
3.12.1 THE PROCEDURE
The principle is exactly the same as for the LM hash. We must use the LIBESEDB and NTDSXtract tools to recover the NTHASH.
The NTDSXtract tool generated the following line with the NTHASH of the Guillaume MATHIEU account:
Guillaume Mathieu:$NT$13b29964cc2480b4ef454c59562e675c:::
Keep only the string after $NT$ (3 characters) and remove the ":" characters, i.e.:
13b29964cc2480b4ef454c59562e675c
Copy this value to a website that offers an MD4 rainbow table, such as:
https://crackstation.net
http://www.onlinehashcrack.com/
Do the same action at the GPO Default
A video presentation of ophcrack is available at:
https://www.youtube.com/watch?v=x4WfTdlmwyY
Installation is very simple and automatically downloads 4 tables (Vista free, Vista probabilistic free, XP free and XP free small). You have to download the Vista num table manually from http://ophcrack.sourceforge.net/tables.php. The XP free and XP free small tables are used to break LM hashes; we will therefore disable them.
We will now see how to test this tool. Go to the website https://defuse.ca/checksums.htm. Enter the password 14127487 and copy the resulting NTHASH value: b8895eced52341edfc6a078bb962cb3b.
Go to the menu Load | Single hash. The input format is LMHash:NTHASH. It is assumed that the LM hash is disabled (so that field is empty). So enter the following value:
:b8895eced52341edfc6a078bb962cb3b
Then click on the Crack button. The password is found in less than 5 seconds. There are other free or paid tools such as:
The NTHASH is an MD4 fingerprint of the password in Unicode format, without salt. Although this hash method is much weaker than SHA1 (or other more modern functions), the NTHASH does not suffer from the same design flaws as the LM hash. The MD4 rainbow tables available on the Internet (free or paid) generally recover the password from the NTHASH for passwords of fewer than 9/10 characters, and up to 16 characters under conditions. To ensure the security of your passwords, it is necessary to adopt the following password policy:
• Minimum password length: 10 characters for standard users, 16 characters for sensitive users (VIPs and accounts with administrative privileges) and 24 characters for service accounts.
Adopting a tool like Hitachi ID Password Manager can help block passwords based on a dictionary word, such as Vachette1 (which is available in every rainbow table). A good practice is to test the strength of the passwords of sensitive accounts by checking that they are not in the rainbow tables. To do so, generate the NTHASH on the website https://defuse.ca/checksums.htm and install ophcrack to try to find the password from the resulting NTHASH.
You must also prevent an attacker from obtaining the NTDS.DIT and SYSTEM files of one of your domain controllers (read/write). Both files can be obtained through a directory backup, an IFM (Install From Media), the theft of a physical domain controller, or by copying a virtual domain controller (snapshot). You can encrypt the disks of your read/write domain controllers with BitLocker. If the disk is encrypted, an attacker cannot view its contents with tools such as a LiveCD.
You can deploy RODCs (read-only domain controllers) on sites that do not have a secure computer room. An RODC does not contain the passwords of user/computer accounts (except for accounts explicitly defined as exceptions).
You must strengthen the security of your directory to prevent an attacker from obtaining administrative privileges on the directory (Administrators, Domain Admins, Enterprise Admins). He could then make a backup of the directory or generate an IFM.
Many passwords are also present on domain machines other than the domain controllers. In the example below, the VMware Tools service was configured with the account guillaume.mathieu of the domain msreport.be. This account is a member of Domain Admins.
The password of the account used by a service or scheduled task is stored in the registry key HKEY_LOCAL_MACHINE\Security\Policy\Secrets. You can access this key by connecting with an administrator account on the machine and manually setting the permissions on HKEY_LOCAL_MACHINE\Security.
If we expand the Secrets key, we see that there is a subkey for the VMware Tools service called _SC_VMTools. This key in turn contains 5 keys.
When the service starts, the password (NTHASH, and LM hash if enabled) is stored in the memory of the Lsass.exe process (Netlogon service).
Tools like Cain (http://www.oxid.it/cain.html) or NirLauncher (http://launcher.nirsoft.net) can recover passwords by analysing the memory of the Lsass.exe process or the contents of the registry entries under HKEY_LOCAL_MACHINE\Security\Policy\Secrets.
How can you log on to a laptop when you are not connected to the corporate network and the domain controllers are not available? Why don't you get the error message below?
You can authenticate in the evening on your laptop with your domain user account because Windows caches your login/password on the laptop, in the registry under the key HKEY_LOCAL_MACHINE\SECURITY.
In Windows 2003, the cached password (MSCASH) is an MD4 hash of the user's NTHASH concatenated with the user's login:
MSCASH = MD4(MD4(password) + username)
In Windows 2008, this algorithm evolved (format known as MSCASH2):
MSCASH2 = PKCS#5(MD4(MD4(password) + username))
I invite you to read the articles below and to disable cached logons on servers and fixed workstations. This feature can remain enabled on laptops running Windows Vista and later.
http://www.securiteam.com/tools/5JP0I2KFPA.html
http://www.jedge.com/wordpress/windows-password-cache-mscache-mscash-v2/
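The NTHASH summary from section 3.11 (NTHASH = MD4(Password in Unicode)) and the MSCASH formula above, as one added Go example that is not code from the original document: MD4 is implemented by hand because Go's standard library does not ship it, "Unicode format" is taken to mean UTF-16LE, and in MSCASH the username is lowercased before concatenation, a detail the text does not spell out. The MSCASH2 PKCS#5 step is not implemented since the text gives no parameters for it.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4Block processes one 64-byte block (RFC 1320: three rounds of 16 steps).
func md4Block(h *[4]uint32, blk []byte) {
	var x [16]uint32
	for i := range x {
		x[i] = binary.LittleEndian.Uint32(blk[4*i:])
	}
	a, b, c, d := h[0], h[1], h[2], h[3]
	s1 := [4]int{3, 7, 11, 19}
	for i := 0; i < 16; i++ { // round 1: F = (x AND y) OR (NOT x AND z)
		f := (b & c) | (^b & d)
		a, b, c, d = d, bits.RotateLeft32(a+f+x[i], s1[i%4]), b, c
	}
	s2 := [4]int{3, 5, 9, 13}
	for i := 0; i < 16; i++ { // round 2: G = majority, words taken column-wise
		g := (b & c) | (b & d) | (c & d)
		k := (i%4)*4 + i/4
		a, b, c, d = d, bits.RotateLeft32(a+g+x[k]+0x5a827999, s2[i%4]), b, c
	}
	s3 := [4]int{3, 9, 11, 15}
	order := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	for i := 0; i < 16; i++ { // round 3: H = x XOR y XOR z
		hh := b ^ c ^ d
		a, b, c, d = d, bits.RotateLeft32(a+hh+x[order[i]]+0x6ed9eba1, s3[i%4]), b, c
	}
	h[0], h[1], h[2], h[3] = h[0]+a, h[1]+b, h[2]+c, h[3]+d
}

// MD4 returns the 16-byte MD4 digest of msg (hand-written: not in Go's stdlib).
func MD4(msg []byte) [16]byte {
	h := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%64 != 56 {
		padded = append(padded, 0)
	}
	var lenBuf [8]byte
	binary.LittleEndian.PutUint64(lenBuf[:], uint64(len(msg))*8)
	padded = append(padded, lenBuf[:]...)
	for i := 0; i < len(padded); i += 64 {
		md4Block(&h, padded[i:i+64])
	}
	var out [16]byte
	for i, v := range h {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// utf16le encodes s as Windows feeds a password to MD4 ("Unicode format").
func utf16le(s string) []byte {
	units := utf16.Encode([]rune(s))
	out := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(out[2*i:], u)
	}
	return out
}

func hexUpper(b [16]byte) string { return strings.ToUpper(hex.EncodeToString(b[:])) }

// NTHash follows the text's summary: NTHASH = MD4(Password in Unicode), no salt.
func NTHash(password string) string { return hexUpper(MD4(utf16le(password))) }

// MSCASH follows the Windows 2003 cached-credential formula from the text,
// MD4(MD4(password) + username); the username is lowercased and UTF-16LE
// encoded before concatenation (a detail the text does not spell out).
func MSCASH(password, username string) string {
	nt := MD4(utf16le(password))
	return hexUpper(MD4(append(nt[:], utf16le(strings.ToLower(username))...)))
}

func main() {
	fmt.Println("NTHASH(password)  =", NTHash("password"))
	// The text reports b8895eced52341edfc6a078bb962cb3b for the password 14127487.
	fmt.Println("NTHASH(14127487)  =", NTHash("14127487"))
	// No salt: the same password always yields the same NTHASH, which is what
	// makes the MD4 rainbow tables the text describes possible.
	fmt.Println("NTHASH(Vachette1) =", NTHash("Vachette1"))
	fmt.Println("MSCASH(password, Administrator) =", MSCASH("password", "Administrator"))
}
```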
It is important to set a different local administrator password on each company machine (servers and workstations). This can be done with the Microsoft LAPS tool.
This solution is provided free of charge by Microsoft and can be downloaded from the following address:
https://support.microsoft.com/en-us/kb/3062591
It replaces the solution provided by Microsoft through Group Policy Preferences, which should no longer be used, since a standard user can recover the password of the SAM user account using the following procedure:
http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-localadministrator-password.aspx
LAPS automatically changes the password of a local SAM administrator account on domain member machines. A unique password is generated for each machine and is stored in the ms-Mcs-AdmPwd attribute of the machine's computer account.
This attribute is said to be protected because the ExtendedRight permission is required to display its value. Otherwise (for a standard user), the attribute appears empty.
On client machines the solution uses a DLL (%ProgramFiles%\LAPS\CSE\AdmPwd.dll) that extends Group Policy. The solution relies entirely on the Group Policy engine. The password change is performed when a machine applies Group Policy (every 90 minutes + 0 to 30 minutes).
The solution manages the built-in administrator account or another account. It can only maintain a single user account of the SAM database.
Once the solution is deployed, when a machine applies the GPO it does the following:
• It checks whether the password of the SAM administrator account has expired by querying the ms-Mcs-AdmPwdExpirationTime attribute of its computer account.
• If the password has expired, it generates a new password for the administrator account of the local SAM database.
• It writes the new password to the ms-Mcs-AdmPwd attribute and the expiration date of the new password to the ms-Mcs-AdmPwdExpirationTime attribute. The machine must therefore have the right to write the attribute, but not to read its value.
When the machine is offline, the solution does nothing, because the CSE client detects that there is no connectivity to a domain controller. The diagram below shows the whole solution.
[Diagram: LAPS architecture, showing the computer account in Active Directory, the managed machine, the GPO framework, AdmPwd.dll and scecli.dll]
You must connect on port 636 (LDAPS) or use the native LAPS tools (which provide protection) when accessing a password stored in the ms-Mcs-AdmPwd attribute of a computer account. Otherwise, the password travels unencrypted over the network like any other data.
http://www.cert.ssi.gouv.fr/site/CERTFR-2016-ACT-008/index.html
http://blogs.msdn.com/b/laps/archive/2015/06/01/laps-and-password-storage-in-clear-text-in-ad.aspx
Microsoft Premier customers can access a special version of Microsoft LAPS that supports password history for the local administrator account (in a new attribute) and can store the password encrypted in Active Directory.
The value of deploying Microsoft's solution to protect against privilege escalation attacks is presented in the following video:
https://experiences.microsoft.fr/Video/avec-laps-metsys-premunit-un-si-dattaques-par-elevation-deprivileges/fd1a804d-c21d-4bbe-97d7-1697364fe5b5#f7GY1f7uVyK
The LAPS tool has a PowerShell administration module and a graphical interface to search for passwords. Both tools require .NET Framework 4.0. It is recommended to deploy PowerShell V3, or to follow the procedure below only if you have PowerShell V2 (the default on Windows 2008 R2):
With PowerShell V2, you must make a change if it does not work. It works by default with PowerShell V3.
You must create the file C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe.config to allow the compiled assembly to be loaded by .NET Framework 4.0.
Sample file contents below:
<?xml version="1.0"?>
LAPS requires an update of the Active Directory schema. This is done via the LAPS PowerShell module (screenshot below).
You must then delegate to the computer accounts the right to read and write the ms-Mcs-AdmPwdExpirationTime attribute, and the right to write only (not read) the ms-Mcs-AdmPwd attribute.
You must then delegate to the administrators who are not members of highly privileged groups such as Domain Admins the ability to read the ms-Mcs-AdmPwd attribute. This is done with the following PowerShell command:
The last step is to configure the GPO used to set up the LAPS tool.
Once you have evaluated your needs and have an idea of the technical solutions to implement, you need to arrange meetings with company management, the teams responsible for resetting passwords and the employee representatives. Nothing can be done without them or against them.
For the project to succeed, management must validate your approach and, if necessary, update the IT charter to describe the potential penalties for non-compliance with the password security rules (writing the password on a Post-it is forbidden, etc.). A user who writes their password under their keyboard should be made fully aware of the security risks. Union representatives must approve the technical solutions implemented, the IT charter and the measures taken against employees who violate the new security rules.
The teams responsible for resetting passwords must be involved in the implementation of solutions such as PWM, which allows a user to reset their own password (without Helpdesk intervention) by answering their secret questions. This tool also lets the Helpdesk teams identify the requester before resetting their password.
If some VIP users refuse to change their passwords, you may consider lowering the security settings of the Default Domain Policy (minimum standard) and applying PSOs to the other users (standard level).
The security level of a system corresponds to the lowest security level of any of its components. It is preferable to implement a secure password strategy for 90 percent of users and a weak one for the 10 percent who will not apply any password strategy. When 90 percent of users have switched, you demonstrate that the solution is viable and you can convince the 10 percent of recalcitrant users to apply the security standards.
Avoid implementing too complex a password strategy with third-party tools such as Hitachi ID Password Manager. Users must succeed in changing their password on the first try by applying basic instructions. Prohibiting all common dictionary words can be very counterproductive.
Avoid configuring accounts with significant administrative privileges to run scheduled services or jobs on insecure machines that the Active Directory team does not control.
Active Directory is an LDAP directory. A user can use a tool like LDP.EXE to connect to a domain controller and run LDAP commands such as Bind (user authentication), Search (finding objects) and Add (adding a new object). Active Directory supports two methods for performing an LDAP Bind command.
LDAP Simple Bind: this method sends the user's login and password in clear text over the network to authenticate. Active Directory accepts several login formats in an LDAP Simple Bind request:
• The value of the attribute distinguishedName (example: CN=Guillaume Mathieu,OU=IT,DC=msreport,DC=FR)
• The value of the attribute userPrincipalName (example: guillaume.mathieu@msreport.fr)
• The value of the attribute sAMAccountName, followed by the @ character and the DNS domain name (example: gmathieu@msreport.fr)
• The value of the attribute sAMAccountName, followed by the @ character and a UPN suffix (example: gmathieu@msreport.fr)
• The NetBIOS name of the domain, the \ character and the value of sAMAccountName (example: Msreport\gmathieu)
• The canonical name of the object (example: msreport.fr/IT/Guillaume Mathieu)
• The value of the attribute objectGUID (example: 43a1fa2b-9a8e-4d46-92e5-aca403197f3f)
• The value of the attribute displayName (example: Guillaume MATHIEU)
• One of the values of the attribute servicePrincipalName
• The value of the attribute objectSid (example: S-1-5-21-2479351881-651737401-1049745595-1105)
• One of the values of the attribute sIDHistory
Active Directory supports SSL/TLS (LDAPS connection) to prevent an attacker from obtaining the user's password during an LDAP Simple Bind.
LDAP SASL Bind: SASL stands for Simple Authentication and Security Layer. This method allows protocols like Kerberos, NTLM V2, NTLM, LM or DIGEST to be used to authenticate to an LDAP server, and so avoids sending the login/password in the clear over the network. SASL allows the 4 authentication mechanisms presented in the table below.
Protocol / Additional authentication information
GSS-SPNEGO: Used to authenticate with the Kerberos, LM, NTLM V1 and NTLM V2 protocols.
GSSAPI: Used to authenticate with the Kerberos, LM, NTLM V1 and NTLM V2 protocols.
EXTERNAL: Used to authenticate with an external method such as a certificate.
DIGEST-MD5: Used to authenticate with Digest-MD5.
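To make the difference between the two bind methods concrete, here is an added example (not from the original document, and not LAPS or Microsoft code) that builds an LDAPv3 BindRequest with the BER encoding of RFC 4511 and then dissects it the way a network analyzer would. The distinguished name is the one quoted above; the password and the SASL token are constructed sample values. A Simple Bind carries the password as a plain OCTET STRING, which the dissector pulls straight out of the bytes; a SASL bind carries only a mechanism token, so the same dissector finds nothing to extract.

```python
"""LDAPv3 BindRequest encoder/decoder (RFC 4511, BER) showing what crosses the
wire for a Simple Bind versus a SASL bind. Added example, not from the
original document; credentials below are constructed sample values."""


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _integer(value: int) -> bytes:
    size = (value.bit_length() + 8) // 8  # leave room for the sign bit
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def simple_bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name OCTET STRING, authentication simple [0] OCTET STRING } }."""
    bind = (_integer(3)
            + _tlv(0x04, name.encode("utf-8"))
            + _tlv(0x80, password.encode("utf-8")))  # [0] simple: raw password
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind))


def sasl_bind_request(message_id: int, mechanism: str, token: bytes) -> bytes:
    """Same message with authentication sasl [3] { mechanism, credentials }:
    the credentials are a mechanism token (e.g. GSS-SPNEGO), not the password."""
    sasl = _tlv(0x04, mechanism.encode("utf-8")) + _tlv(0x04, token)
    bind = _integer(3) + _tlv(0x04, b"") + _tlv(0xA3, sasl)
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Reads one BER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extract_simple_bind(packet: bytes):
    """Dissects a captured LDAPMessage like a protocol analyzer would.
    Returns (message_id, name, password) for a Simple Bind, None otherwise."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        return None
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:  # [3] SASL (or anything else): no cleartext password here
        return None
    return (int.from_bytes(mid, "big", signed=True),
            name.decode("utf-8"), auth.decode("utf-8"))


if __name__ == "__main__":
    pkt = simple_bind_request(1, "CN=Guillaume Mathieu,OU=IT,DC=msreport,DC=FR", "S3cret!")
    print(pkt.hex())                 # the password bytes are visible as-is
    print(extract_simple_bind(pkt))
    print(extract_simple_bind(sasl_bind_request(2, "GSS-SPNEGO", b"\x60\x10token")))
```

Running the block prints the raw packet, the recovered (message id, name, password) tuple for the Simple Bind, and None for the SASL bind. This is exactly why the document recommends LDAPS (port 636) or a signed SASL bind: without them, anything that reads the TCP stream reads the password.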
The NTLM V2 authentication protocol is still used and active in Microsoft Windows environments, although the Kerberos authentication protocol is more secure, because:
1. Only NTLM allows users to authenticate to a resource when it is accessed via its IP address.
2. If an external trust relationship has been established between two domains (in two separate forests) and your domain controllers run Windows 2003, only the NTLM protocol allows a user of domain A to authenticate to a resource of domain B (and vice versa). With Windows 2008 R2 domain controllers (and higher) it is now possible to use Kerberos over an external trust relationship. For more information, see
http://jorgequestforknowledge.wordpress.com/2011/09/14/kerberos-authentication-over-an-externaltrust-is-it-possible-part-6/
3. Only the NTLM protocol is supported when authenticating with an account from the local SAM database of a Windows machine.
4. Only the NTLM protocol is supported by some systems (such as Windows NT4) or applications.
We will see how a client C can access a server S by authenticating with the NTLM V2 protocol. The client C and the server S are both members of the domain msreport.be.
The NTLM V2 authentication protocol is a challenge/response mechanism that allows clients to authenticate (prove their identity) without sending their password in clear text over the network. NTLM V2 is an evolution of LM and NTLM. We will see later in this document that the LM and NTLM (NTLM V1) protocols must be disabled because they are much less secure than NTLM V2.
In our example, the client has not yet authenticated to the Active Directory domain controller. It is assumed that the LM hash is disabled. NTLM V2 authentication then requires 7 steps.
1. The client C logs on by entering their login and password. The DLL msgina.dll transfers the login and password to the process Lsass.exe (NETLOGON service).
2. The Windows client C generates a hash of the user's password (the NTHASH) and clears the clear-text password entered by the user from memory. The process Lsass.exe keeps the user's NTHASH in memory after authentication. The client sends the user's login in clear text to the server S.
3. The server S generates a 16-byte random number (called nonce or challenge) and sends it to the client.
4. The client encrypts the challenge with the user's password in NTHASH format and sends the result (the response) to the server S.
5. The server S sends the user's login, the challenge and the response (the challenge encrypted with the user's NTHASH) to the domain controller.
6. The domain controller fetches the user's NTHASH (stored in the attribute unicodePwd of the Active Directory user account) and encrypts the challenge with it. The domain controller then compares the result with the response sent by the server S. If they match, the domain controller tells the server S that the client C is authenticated.
In this section, we will see how a client C can access a server S by authenticating with the Kerberos protocol. The client C and the server S are both members of the domain msreport.be.
The Kerberos protocol is the most secure protocol for authenticating a user (or computer) who wishes to access a resource (a file share, for example) on a member server of an Active Directory domain. In a typical scenario, there are 3 players:
• The client C (the user in this case), who wants to authenticate to a server S.
• The server S (the file server, or rather the computer account of the server S), which must ensure the authenticity of C.
• The trusted third party, the KDC (the Active Directory domain controller).
Each domain controller runs the Kerberos Key Distribution Center (KDC) service.
To access the file server S, the client C must use a NetBIOS or DNS name. This name must be added to the computer account of the file server S in the attribute servicePrincipalName, in the following format:
<service type>/<NetBIOS or DNS name>:<port number>/<service name>
Example: Host/SRV2012C
If you specify an IP address to connect to a share, you cannot authenticate with Kerberos, because the servicePrincipalName attribute does not hold entries with IP addresses. You must use the NTLM V2 authentication protocol in this scenario.
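The SPN format above, and the IP-address limitation, lend themselves to a small audit helper. The following is an added example (not from the original document; Setspn.exe is the tool the document refers to for managing SPNs, this code only parses and checks an inventory you already exported). It splits an SPN into its parts, flags hosts given as IP addresses (no Kerberos possible, so clients fall back to NTLM) and flags the same SPN registered on two accounts, which makes Kerberos authentication to that service fail. The inventory dictionary is constructed sample data; the names in it are assumptions.

```python
"""SPN parsing and audit helper. Added example, not from the original document;
the account/SPN inventory below is constructed sample data."""
import ipaddress
from collections import defaultdict


def parse_spn(spn: str) -> dict:
    """Splits '<service-class>/<host>[:<port-or-instance>][/<service-name>]'."""
    service_class, sep, rest = spn.partition("/")
    if not sep or not service_class or not rest:
        raise ValueError("malformed SPN: %r" % spn)
    host_port, _, service_name = rest.partition("/")
    host, _, port = host_port.partition(":")
    if not host:
        raise ValueError("malformed SPN: %r" % spn)
    return {
        "class": service_class,
        "host": host,
        "port_or_instance": port or None,   # SQL Server uses host:INSTANCE here
        "service_name": service_name or None,
    }


def is_ip_host(host: str) -> bool:
    """True when the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_spns(inventory: dict) -> list:
    """inventory maps an account name to the SPNs registered on it.
    Returns sorted (kind, account(s), spn) findings for:
      malformed  - SPN that does not follow the class/host[:port][/name] format
      ip-host    - host given as an IP address (Kerberos impossible, NTLM fallback)
      duplicate  - same SPN on two accounts (Kerberos to that service breaks)"""
    findings = []
    owners = defaultdict(list)
    for account, spns in inventory.items():
        for spn in spns:
            try:
                parts = parse_spn(spn)
            except ValueError:
                findings.append(("malformed", account, spn))
                continue
            if is_ip_host(parts["host"]):
                findings.append(("ip-host", account, spn))
            owners[spn.lower()].append(account)   # SPN matching is case-insensitive
    for spn, accounts in owners.items():
        if len(accounts) > 1:
            findings.append(("duplicate", ",".join(sorted(accounts)), spn))
    return sorted(findings)


# Constructed sample inventory (hypothetical accounts and SPNs, not from the document).
SAMPLE_INVENTORY = {
    "SRV2012C$": ["HOST/SRV2012C", "HOST/srv2012c.msreport.be"],
    "svc-sql": ["MSSQLSvc/srv2012c.msreport.be:1433", "MSSQLSvc/192.168.1.10:1433"],
    "svc-web": ["HTTP/intranet.msreport.be", "HTTP/srv2012c.msreport.be"],
    "svc-old": ["HTTP/srv2012c.msreport.be", "badspn"],
}

if __name__ == "__main__":
    for finding in audit_spns(SAMPLE_INVENTORY):
        print("%-9s %-18s %s" % finding)
```

On the sample inventory the audit reports one duplicate (HTTP/srv2012c.msreport.be on both svc-web and svc-old), one IP-address SPN on svc-sql and one malformed entry. In practice the inventory would come from an LDAP export of the servicePrincipalName attribute.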
Kerberos authentication consists of 6 network exchanges to allow the client C to be authenticated by the server S. In the example below it is assumed that the client has never yet authenticated to a domain controller. It must therefore request a TGT from its domain controller, together with a session key SCK (between the client C and the domain controller).
The client generates a hash of the password (the NTHASH) and erases the clear-text password entered by the user from memory. The process Lsass.exe keeps the user's NTHASH in memory after authentication.
The client then computes its secret key KC, which is derived from its password (in NTHASH format) according to the encryption function used by Kerberos (des-cbc-md5, aes128-cts-hmac-sha1, aes256-cts-hmac-sha1, rc4-hmac-md5).
The diagram below summarizes the 6 exchanges between the client C, the server S and the domain controller.
Msreport - Guillaume MATHIEU - All rights reserved
The request KRB_AS_REQ and the reply KRB_AS_REP allow the client to request a TGT from the domain controller and a session key between the client and the KDC (SCK). The process
The exchanges are secure because the client C, the server S and the domain controller each hold secret keys. The domain controller knows the keys KS and KC because the keys are stored in Active Directory, in the attribute supplementalCredentials of the user and computer accounts of the domain. It can therefore decrypt the messages of the client C and of the server S.
• The secret key of the client C (KC) is derived from the password of the user account, according to the Kerberos encryption algorithm used (des-cbc-md5, aes128-cts-hmac-sha1, aes256-cts-hmac-sha1, rc4-hmac-md5).
• The secret key of the server S (KS) is derived from the computer account password, since the Server service (file sharing) runs in the context of the System account, that is, the computer account of the server S, according to the Kerberos encryption algorithm used (des-cbc-md5, aes128-cts-hmac-sha1, aes256-cts-hmac-sha1, rc4-hmac-md5).
• The key KKDC is derived from the password of the user account KRBTGT, according to the Kerberos encryption algorithm used (des-cbc-md5, aes128-cts-hmac-sha1, aes256-cts-hmac-sha1, rc4-hmac-md5). As this password is replicated to all domain controllers (like any object), the key KKDC is the same on all domain controllers.
Algorithm / Salt / Extra information
des-cbc-md5: Salt yes. Moderately secure protocol.
aes128-cts-hmac-sha1 and aes256-cts-hmac-sha1: Salt yes. Highly secure encryption protocols (new in Windows 7 / Windows 2008 R2).
rc4-hmac-md5: Salt no. Historical protocol. Poorly secured. To be disabled.
The setting Network security: Configure encryption types allowed for Kerberos is used to define the
The authenticator includes the date and time. This allows Kerberos to prevent replay attacks, by tolerating by default a 5-minute time difference between the client C, the server S and the domain controller (KDC).
The standard Kerberos protocol provides authentication but does not provide access control. Indeed, the Windows access control model is based on the SID (Security Identifier). Microsoft therefore developed the PAC, which is an extension of the Kerberos protocol. The PAC allows the SID of the user and of the groups they belong to (including SID History) to be retrieved from the directory and stored in the Authorization Data field of the TGT. Windows then generates from the TGT information an access token that is used to control the access of each process started by the user.
If you want to understand the Kerberos protocol in detail, I invite you to read the document by Aurélien BORDES, which is very comprehensive, well done and served as the basis for this chapter on Kerberos.
http://www.ssi.gouv.fr/IMG/pdf/Aurelien_Bordes_-_Secrets_d_authentification_episode_II_Kerberos_contre-attaque.pdf
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberossupported-encryption-type.aspx
The lifetime of the TGT (10 hours) and of the session ticket TS (10 hours) is configured in the Group Policy Default Domain Policy.
4.4 KERBEROS AUTHENTICATION DELEGATION
Kerberos delegation is a feature that allows a server A (which hosts a website, for example) to authenticate under the identity of a user B (who previously authenticated to server A) in order to access a resource on a server C.
When Kerberos delegation is enabled, the user sends a special TGT generated for them but carrying the Forwarded flag (known as a Forwarded TGT) to server B.
2. If the user has authorized the delegation. This is the default case. The option Account is sensitive and cannot be delegated blocks delegation for specific user accounts. It must be enabled for administrative accounts.
An LDAP Simple Bind consists of sending the user's login and password in the clear over the network. This method is not secure because a third party can intercept the login and password with a network analyzer such as Wireshark (https://www.wireshark.org). The screenshot below shows how a potential attacker sees an LDAP Simple Bind connection on the network.
It is recommended to generate a certificate based on the Domain Controller template on all domain controllers. It will then be possible to perform an LDAP Simple Bind secured by an SSL/TLS connection.
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
2. Edit the Group Policy Default Domain Policy. Go to Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options. Set Network security: LDAP client signing requirements to Require signing.
The Microsoft article http://support.microsoft.com/kb/935834/en-us explains that it is possible to enable LDAP signing to block LDAP Simple Bind commands without SSL/TLS and LDAP SASL Bind commands without signing.
To verify that the new setting is in effect, launch the LDP.EXE utility. Click Connection | Connect. Enter the IP address of the domain controller and do not check the SSL checkbox. The directory returns the following information; this error should appear:
Error 0x2028. A more secure authentication method is required for this server.
Indeed, LDAP Simple Bind commands are no longer allowed without SSL/TLS.
Install Active Directory Certificate Services (see the attached procedure) on a member server. Create an enterprise root certification authority (a single-tier certification authority is sufficient for a demonstration).
By default, Windows 2012 R2 domain controllers are configured to obtain a certificate of type Domain Controller via autoenrollment. To force the generation of the certificate, type the command gpupdate /force on the Windows 2012 R2 domain controller. You now have a certificate of type Domain Controller.
Now you can test an LDAP Simple Bind with SSL/TLS. Enter the DNS name of the domain controller and check the SSL checkbox.
Click View | Tree. Add the LDAP path of the domain (DC=msreport,DC=be in this example).
Enable LDAP signing only after validating it on a model environment and after identifying all the applications that perform LDAP Simple Bind authentication requests.
To identify the applications that perform LDAP Simple Binds, filter the event log on event ID 2887, as stated in the article http://support.microsoft.com/kb/935834/.
Active Directory allows users to authenticate with the LM, NTLM V1, NTLM V2 and Kerberos protocols (we disregard the DIGEST protocol, which requires a special, insecure configuration and is not activated). If you only have machines running Windows 7 and Windows 2008 R2, you can disable LM and NTLM (V1). Only the Kerberos and NTLM V2 authentication protocols will then be allowed.
It is also possible to prohibit the NTLM V2 protocol, but that requires a very thorough study phase (see later in this document).
The use of the LM, NTLM V1 and NTLM V2 protocols is controlled by the Group Policy setting Network security: LAN Manager authentication level.
Start the gpmc.msc console and edit the Default Domain Policy. Go to Computer Configuration | Policies | Windows Settings | Security Settings | Security Options.
Set Network security: LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM.
Do the same in the Default Domain Controllers Policy (to avoid any potential conflict).
With this setting, the LM and NTLM V1 protocols are disabled, which increases the security level of the directory.
You can now browse the Active Directory.
NTLM or LM protocols:
• File servers / NAS that rely on SAMBA must be at least version 3.0, as stated on the website http://www.samba.org/samba/history/.
A study of the impact of disabling LM & NTLM should be performed before applying this setting to the production environment.
It is possible to go further and also disable the NTLM V2 protocol. This action is strongly discouraged and requires a very thorough analysis of the impact at the application level. It can be applied in research environments with very high security requirements.
In this mode, all NTLM traffic is prohibited except for the machines added to the GPO setting Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain. Logon with an account from the local SAM database of a Windows machine also always uses NTLM.
To view the servicePrincipalName attribute, enable the Advanced Features display mode in the Active Directory Users and Computers console, then go to the Attribute Editor tab and select servicePrincipalName. To add or remove an SPN, use the tool Setspn.exe.
The use of Kerberos authentication requires that a ServicePrincipalName be created to identify all the servers and enterprise applications. It will be necessary to create an SPN for every DNS alias. In the example below, the server hosts the SQL Server 2008 R2 instance CHBAADMT ADMT. To authenticate to the SQL Server 2008 R2 instance, the attribute
To disable NTLM V2, it is necessary to check whether all the applications that authenticate with Active Directory user accounts support Kerberos, and whether you have created all the required ServicePrincipalNames.
If the NTLM protocol is disabled, access to an application via its IP address is no longer possible; the error message The network name cannot be found is returned.
To help you with this task, a GPO setting can be enabled that creates a log of all the applications/machines that use NTLM, under Applications and Services Logs / Microsoft / Windows / NTLM. This setting requires Windows 2008 R2 domain controllers.
I invite you to read these two articles for more information on how to block LM, NTLM V1 and NTLM V2 authentication:
http://blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-andauditing-methodologies-in-windows-7.aspx
http://technet.microsoft.com/en-us/library/jj865680(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/jj865671(v=ws.10).aspx
4.5.4 KERBEROS ENCRYPTION ALGORITHMS
If you only have machines running Windows 7 / Windows 2008 R2 and later versions, you can allow only the AES128_HMAC_SHA1 and AES256_HMAC_SHA1 encryption types for Kerberos. The AES128_HMAC_SHA1 and AES256_HMAC_SHA1 algorithms are indeed more secure than DES_CBC_MD5 or RC4_HMAC_MD5 (the least secure one).
This setting affects all user accounts and all computer accounts in the domain. It overrides the settings made on the user and computer accounts, as explained in the following Microsoft articles:
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberossupported-encryption-type.aspx
http://technet.microsoft.com/en-us/library/dd560670(v=WS.10).aspx
http://windowsitpro.com/security/q-can-default-encryption-types-kerberos-authentication-protocoluses-windows-7-and-windows-
https://dirteam.com/sander/2014/07/15/security-thoughts-leveraging-ntlm-hashes-using-kerberos-rc4hmac-encryption-aka-aorato-s-active-directory-vulnerability/
The Kerberos protocol tolerates a maximum time difference of 5 minutes (configurable in the Kerberos policy of the Default Domain Policy). It is therefore vital to define a time synchronization policy. By default this is handled by the W32Time service. On domain member machines, the service acts as an NTP client.
Domain member machines synchronize with one of the domain controllers of their domain. The registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type must have the value NT5DS.
On domain controllers, the W32Time service plays the role of both NTP client and NTP server. Domain controllers must synchronize their time with the domain controller holding the PDC Emulator role in their domain, or with a domain controller of the parent or root domain.
In the forest root domain, the domain controllers must synchronize with the PDC Emulator of the root domain.
In turn, this server (the root domain controller holding the PDC Emulator role) must be synchronized with a reliable time source. This requires setting the registry entry Type to the value NTP and defining an NTP server such as time.windows.com.
We can see that the registry entry Type has been set to the value NTP (instead of NT5DS).
For the other virtual machines (including domain controllers), the standard setting shown above remains.
http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-activedirectory.aspx
http://technet.microsoft.com/fr-fr/library/dd723673(v=ws.10).aspx
When Kerberos delegation is enabled, the user A sends a Forwarded TGT (the user's TGT) to server B. This behavior is very risky with user accounts holding important privileges, because an attacker can elevate privileges if they manage to compromise the server B.
A good practice is to set the option Account is sensitive and cannot be delegated on all user accounts with administrative privileges on the Active Directory.
In the example below it is assumed that the LM hash is disabled. The user is already authenticated to the domain controller using the NTLM protocol.
Once the user is authenticated on the workstation (local logon), how do they access resources on other machines without having to re-authenticate every time (without being asked for a login/password)? The process Lsass.exe generates a hash from the user's password (the NTHASH) and stores it in memory once the logon is performed.
To access network resources, the user performs a network logon. With NTLM, the network logon only requires that the machine has the NTHASH (the hash of the user's password) to encrypt the challenge sent by the server. Windows therefore asks for no login/password, because it already has this information in memory.
Pass-the-hash attacks consist of authenticating not with the user's password but with its fingerprint (the NTHASH). The attacker can recover the user's NTHASH in several ways:
As it is not always possible (even with rainbow tables) to recover the clear-text password from the NTHASH, the attacker simulates a network logon with NTLM. The details of this exchange are presented below:
1. The attacker sends the user's login in clear text to the server S.
2. The server S generates a 16-byte random number (called nonce or challenge) and sends it to the client.
3. The attacker encrypts the challenge with the user's password in NTHASH format, which they have recovered, and sends the result (the response) to the server S.
5. The server S sends the user's login, the challenge and the response (the challenge encrypted with the user's NTHASH) to the domain controller.
6. The domain controller fetches the NTHASH (the user's password in Active Directory) and encrypts the challenge with it. The domain controller then compares the result with the response sent by the server S. If they match, the domain controller tells the server S that the authentication is correct.
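The NTLM V2 exchange described in the 6 steps of the previous section and the replay described just above come down to the same computation, which the following added example (not from the original document, not Microsoft code) writes out in Python: the NT hash (MD4 of the UTF-16LE password, implemented inline because hashlib does not always expose MD4), the NTLMv2 response as specified in MS-NLMP (an HMAC-MD5 over the server challenge and a client blob, rather than the simplified "encrypt the challenge" wording; the specification's server challenge is 8 bytes), and the domain controller side check. The user, domain and password are constructed sample values. The point to take away is in dc_verify: the verifier, like the client, only ever needs the NTHASH stored in unicodePwd, so anything holding that hash is password-equivalent for NTLM, which is why the text recommends unique local administrator passwords and NTLM restrictions.

```python
"""NT hash and NTLMv2 challenge/response (MS-NLMP) with the DC-side check.
Added example, not from the original document; user, domain and password
are constructed sample values."""
import hashlib
import hmac
import os
import struct
import time

_M = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented inline (OpenSSL 3 builds of hashlib may lack it)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                s = shifts[i % 4]
                if i % 4 == 0:
                    a = _rol((a + fn(b, c, d) + x[j] + k) & _M, s)
                elif i % 4 == 1:
                    d = _rol((d + fn(a, b, c) + x[j] + k) & _M, s)
                elif i % 4 == 2:
                    c = _rol((c + fn(d, a, b) + x[j] + k) & _M, s)
                else:
                    b = _rol((b + fn(c, d, a) + x[j] + k) & _M, s)
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: the NTHASH that Lsass.exe keeps in memory after logon (step 2)."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NTHASH, UTF-16LE(uppercase(user) + domain))."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def _nt_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, temp: bytes) -> bytes:
    return hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()


def client_response(nt, user, domain, server_challenge, client_challenge, target_info) -> bytes:
    """Step 4: the client answers the server challenge using only the NT hash.
    temp is the NTLMv2 client blob: type 0x0101, timestamp, client nonce, target info."""
    filetime = int((time.time() + 11644473600) * 10_000_000)   # Windows FILETIME
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    return _nt_proof(nt, user, domain, server_challenge, temp) + temp


def dc_verify(nt_from_directory, user, domain, server_challenge, response) -> bool:
    """Step 6: the DC recomputes the proof from the hash it holds (unicodePwd)
    and compares; it never sees or needs the clear-text password."""
    proof, temp = response[:16], response[16:]
    expected = _nt_proof(nt_from_directory, user, domain, server_challenge, temp)
    return hmac.compare_digest(proof, expected)


def demo():
    """One exchange: the genuine hash verifies, a different hash does not.
    Returns (verified_with_right_hash, verified_with_wrong_hash)."""
    nt = nt_hash("Password")               # constructed sample password
    server_challenge = os.urandom(8)       # step 3 (8 bytes per MS-NLMP)
    resp = client_response(nt, "User", "Domain", server_challenge, os.urandom(8), b"\x00" * 4)
    return (dc_verify(nt, "User", "Domain", server_challenge, resp),
            dc_verify(nt_hash("Other"), "User", "Domain", server_challenge, resp))


if __name__ == "__main__":
    print(nt_hash("Password").hex(), demo())
```

Because client_response takes the hash rather than the password, the same function serves both the legitimate client in step 4 and the replay in step 3 of the attack description; nothing on the wire distinguishes the two, which is why detection has to rely on logon telemetry and the mitigations listed in this chapter rather than on the protocol itself.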
The principle is similar with the Kerberos authentication protocol (Pass-the-Key attack). If an attacker manages to extract the user's key KC, they can request a TGT without knowing the user's password. This attack requires modifying the contents of the memory of the process Lsass.exe (Netlogon service). The attacker must then run the command klist purge to remove the existing tickets. When the attacker next accesses a network resource, a new TGT will be generated.
The main tools for NTLM Pass-the-Hash attacks running on Windows 7 are:
• The PSEXEC Metasploit module and the tool smbpass: pass the hash to another machine.
• Tenable smbshell: passes the hash to a machine.
• Avoid having the same local administrator password on all workstations and servers.
4.7 PROTECT AGAINST KERBEROS TICKET ATTACKS WITH A TOOL SUCH AS MIMIKATZ
We will see in this part how processes and Windows services handle:
• System privileges.
• Processes.
• Access tokens.
A SID is a unique security identifier. User accounts, groups and computer accounts in Active Directory have a SID. Users and groups of the SAM database (local account database) also have a SID.
In Microsoft environments, access control is done with access tokens. An access token contains, among other things, the SID of the user account and the SID of each group of which the user is a member, directly or indirectly (member of a group that is itself a member of another group). A SID is divided into 3 portions (example: S-1-5-21-1712426984-161
The SID is stored in the attribute objectSid, which is managed by the system. An administrator cannot change the value of this attribute, nor assign the SID of a deleted user account to another user account (hence the problem of accidental account deletion).
The SID (attribute objectSid) should not be confused with the GUID (attribute objectGUID), which is the unique identifier of an object in the Active Directory forest.
When a user account is migrated from one domain (NT4, Samba or Active Directory) to another domain with a migration tool such as Microsoft ADMT or Dell Migration Manager for Active Directory, the SID of the user account in the old domain (source domain) can be copied into the attribute sIDHistory of the user account in the new domain (target domain). This allows a smooth migration between the two domains. We will see later in this document that the use of SID History (attribute sIDHistory) poses security problems. For more information on migration with Microsoft ADMT, visit the following links:
http://msreport.free.fr/?p=443
http://www.microsoft.com/en-US/download/details.aspx?id=19188
To view the SID of a user, use the ADSIEDIT.MSC console, the attribute editor of the Active Directory Users and Computers and Active Directory Administrative Center consoles, or the PsGetSid tool (http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx).
5.2 PERMISSIONS
NTFS permissions (Security tab in the folder/file properties) are based on 13 permissions. The most important is the permission Take ownership: it allows becoming the owner of a file/folder. Now, the owner of a file/folder can change the permissions and grant access to the files/folders.
Permissions on registry entries are based on 11 permissions. The most important is the permission Write owner: it allows becoming the owner of the key or registry entry. The owner has the right to change the permissions.
Permissions on Active Directory objects are much more complex. I invite you to refer to Part 2 of this document, "Good practices to delegate administration of the Active Directory directory", for more information.
NTFS permissions, registry permissions and Active Directory permissions have a mechanism called inheritance, which propagates the permissions of a parent container (a folder, a registry key or an OU, for example) to the child objects (files, registry entries, user/group accounts). Inheritance can be disabled if required.
If a standard user (not a member of the administrative groups) is given the Full Control permission on all the files of all disk volumes, all the registry entries and all the objects of all the Active Directory partitions of a domain controller, that user will have rights almost equivalent to a local administrator of the machine, a domain administrator, an enterprise administrator and a schema administrator.
However, they may still not be able to log on to a domain controller. This is because the user does not have the privilege Allow log on locally.
What happens if you delete the user account that owns a file when it was the only one with rights on the file?
Microsoft has handled this case by creating for administrators the privilege Take ownership of files or other objects. We will see that this privilege allows a local administrator, by default, to become the owner of a file (among other objects) and thus change the permissions on that file.
Privileges are rights given to a user, such as being able to bypass NTFS permissions (Take ownership of files or other objects), access the memory used by all processes (Debug programs) or log on locally (Allow log on locally).
There are 44 privileges on a Windows Server 2012 R2 machine; they are configured as GPO settings in Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment.
The Administrator and System accounts have all the rights on a Windows machine because they have Full Control access on almost all system components (files, registry entries, etc.) and almost all privileges. The Microsoft article http://technet.microsoft.com/en-us/library/bb457125.aspx explains the concept of privilege on a Windows system in detail.
The privileges with the most significant impact on the security of Active Directory are described below.
• Act as part of the operating system (SeTcbPrivilege): this privilege allows bypassing certain checks during logon. It is reserved for the processes expected to open user sessions; Winlogon.exe and the seclogon service need it. It is recommended not to give this privilege to anyone. By default, it is not assigned to anyone.
• Add workstations to domain (SeMachineAccountPrivilege): adds a machine to the domain (up to 10 workstations by default). By default this privilege is given to the Authenticated Users group. If you do not want a standard user to be able to join a machine to the domain, this privilege must be reconfigured.
• Back up files and directories (SeBackupPrivilege): backs up data even without permissions. This privilege is very critical and is given to the Backup Operators and Server Operators groups. For this reason, content administrators should not need to be members of these two groups.
• Create a token object (SeCreateTokenPrivilege): this privilege allows creating an access token. It is not given to any user account and must remain so.
• Debug programs (SeDebugPrivilege): this right allows a user to open any process to access its memory and copy resources. The INCOGNITO.EXE tool (presented later in this document) relies on this privilege. Normally, no production service should depend on this privilege; it is generally used for application development and advanced troubleshooting. By default, Administrators have this privilege. Ideally, no one should have it: it should be activated on demand, or a dedicated security group should be created.
• Generate security audits (SeAuditPrivilege): determines who can generate events in the Security log. This privilege is important because there is a group policy that blocks logon when the Security log is full (except for administrators). An attacker could generate thousands of audit events for the sole purpose of blocking logon for standard users.
• Impersonate a client after authentication (SeImpersonatePrivilege): allows a process to assume the identity of a user who has authenticated. The relevance of leaving this privilege to administrators must be studied. By default, Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE have this privilege.
• Manage auditing and security log (SeSecurityPrivilege): determines who can view and clear the Security log. By default administrators have this right. Only the people in charge of monitoring actions on the directory (audits and controls) should have the right to clear the Security log on the domain controllers.
• Restore files and directories (SeRestorePrivilege): determines the user accounts that can override permissions during restore operations. The user holds the equivalent of the NTFS permissions Traverse Folder / Execute File and Write.
• Take ownership of files or other objects (SeTakeOwnershipPrivilege): allows becoming the owner of a file or registry key (among others) and thus redefining the NTFS permissions on that file or registry key.
There are also privileges that allow or deny an interactive logon (logon locally or via Remote Desktop) or logon as a scheduled task. These privileges must be configured carefully.
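One way to check the privileges listed above on a server, as an added example that is not the document's own code: export the local User Rights Assignment with secedit and report every holder of a sensitive privilege that is outside an expected baseline. The baseline table is an assumption built from this document's list (well-known SIDs: S-1-5-32-544 Administrators, -549 Server Operators, -551 Backup Operators, S-1-5-6 SERVICE, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE); adapt it to your own policy.

```powershell
# Added example (not the document's own code). Run elevated on the server to audit.
# Baseline assumption: which principals may hold each sensitive privilege; an empty list
# means "nobody", so default holders (e.g. Administrators for SeDebugPrivilege,
# Authenticated Users for SeMachineAccountPrivilege) are reported for review.
$Baseline = @{
    'SeTcbPrivilege'                = @()
    'SeCreateTokenPrivilege'        = @()
    'SeDebugPrivilege'              = @()
    'SeMachineAccountPrivilege'     = @()
    'SeBackupPrivilege'             = @('*S-1-5-32-544', '*S-1-5-32-549', '*S-1-5-32-551')
    'SeRestorePrivilege'            = @('*S-1-5-32-544', '*S-1-5-32-549', '*S-1-5-32-551')
    'SeTakeOwnershipPrivilege'      = @('*S-1-5-32-544')
    'SeSecurityPrivilege'           = @('*S-1-5-32-544')
    'SeAuditPrivilege'              = @('*S-1-5-19', '*S-1-5-20')
    'SeImpersonatePrivilege'        = @('*S-1-5-32-544', '*S-1-5-6', '*S-1-5-19', '*S-1-5-20')
    'SeAssignPrimaryTokenPrivilege' = @('*S-1-5-19', '*S-1-5-20')
}

function Get-UserRightsAssignment {
    # secedit writes a Unicode .inf file; its [Privilege Rights] section holds lines such as
    # "SeDebugPrivilege = *S-1-5-32-544" (SIDs are prefixed with '*', account names are bare)
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Resolve-Holder([string]$Entry) {
    # translate "*SID" entries to account names where the SID resolves; leave names untouched
    if ($Entry -notlike '*S-1-*') { return $Entry }
    try { (New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Entry }
}

$rights = Get-UserRightsAssignment
$findings = foreach ($priv in $Baseline.Keys) {
    $holders = if ($rights.ContainsKey($priv)) { $rights[$priv] } else { @() }
    foreach ($h in $holders) {
        if ($Baseline[$priv] -notcontains $h) {
            [pscustomobject]@{ Privilege = $priv; Holder = (Resolve-Holder $h); Status = 'outside baseline' }
        }
    }
}
if ($findings) { $findings | Sort-Object Privilege | Format-Table -AutoSize }
else { 'All audited privileges match the baseline.' }
```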
A process is spawned for each executable (service or application) that starts on the Windows system. You can see the list of processes in Task Manager (Details tab on Windows 2012 R2). You can customize the displayed columns to show, among other things, the executable that generated the process, its memory consumption and the context of the process (the user account, security principal, MSA or gMSA running the process).
5.5 SERVICES
To view and configure services, you can use the MMC console SERVICES.MSC or edit the registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Services are executables that start automatically or manually in the context of an account. Services can run in the context of a user account, a security principal (System, Local System, Network Service ...), an MSA or a gMSA. The NETLOGON service runs under the System account (Local System account) and runs the executable c:\windows\system32\lsass.exe.
Some services perform specific actions if the service stops abnormally. The Remote Procedure Call (RPC) service reboots the machine when the RPC service stops abnormally. The BLASTER virus crashed the RPC service, using a security flaw described in the article http://support.microsoft.com/kb/8269 , for the sole purpose of forcing a reboot.
Msreport - Guillaume MATHIEU - All rights reserved
Windows uses SVCHOST (C:\windows\system32\svchost.exe) to load certain Windows services. Multiple instances of Svchost.exe can run simultaneously. Each instance can run one or more services (called a service group). All service groups managed by SVCHOST are listed in the following registry key:
All services of the same SVCHOST service group run in the same process (c:\windows\system32\svchost -k name_of_the_svchost_service_group) and thus run in the context of the same account. This can be seen in Windows Task Manager (Processes tab).
For more information on SVCHOST: http://support.microsoft.com/kb/314056/fr
Since Windows Server 2008 R1, Microsoft has included a mechanism called Windows Service Hardening to better protect services against attacks. This feature requires the Windows Firewall service to be started; this service must not be stopped. To turn off the Windows Firewall without stopping the Windows Firewall service, set the 3 firewall profiles to Off.
The Services tab of Task Manager shows the different SVCHOST service groups.
With Windows Service Hardening, each service can now have a SID. Three settings are possible:
• None: the service does not have a SID.
• Unrestricted: the service has a SID.
• Restricted: the service has a SID and a restricted token (same principle as UAC). Each service can then have a SID that makes it possible to grant rights on the file system and on Windows registry entries to this service.
I invite you to read these two articles for more information on the Windows Service Hardening feature:
http://blogs.technet.com/b/askperf/archive/2008/02/03/ws2008-windows-service-hardening.aspx
http://blogs.msdn.com/b/sql_protocols/archive/2009/09/21/connection-from-a-windows-service-couldbe-blocked-by-firewall-even-if-firewall-is-disabled.aspx
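To see the SVCHOST grouping and the per-service SID type described above on a live system, here is an added example that is not the document's own code: it groups running services by the svchost.exe process hosting them (services sharing a PID share one process and therefore one account) and reads each service's SID type with sc.exe qsidtype.

```powershell
# Added example (not the document's own code). Works on Windows 8 / 2012 or later (CIM cmdlets).

function Get-ServiceSidType {
    param([string]$Name)
    # sc.exe qsidtype prints a line "SERVICE_SID_TYPE:  NONE | UNRESTRICTED | RESTRICTED"
    $out = & sc.exe qsidtype $Name 2>$null
    foreach ($line in $out) {
        if ($line -match 'SERVICE_SID_TYPE\s*:\s*(\w+)') { return $Matches[1] }
    }
    return 'UNKNOWN'
}

function Get-SvchostGroups {
    $hosted = Get-CimInstance Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName -match 'svchost\.exe' }

    $hosted | Group-Object ProcessId | ForEach-Object {
        $first = $_.Group[0]
        # the "-k <group>" switch on the command line names the svchost service group
        $groupName = if ($first.PathName -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }
        [pscustomobject]@{
            Pid      = [int]$_.Name
            Group    = $groupName
            Account  = $first.StartName      # the account shared by every service in this process
            Services = ($_.Group | ForEach-Object { '{0} [{1}]' -f $_.Name, (Get-ServiceSidType $_.Name) }) -join ', '
        }
    } | Sort-Object Group, Pid
}

Get-SvchostGroups | Format-Table -AutoSize -Wrap
```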
An access token is generated by the Lsass.exe process (Netlogon service) once the user is authenticated with the Kerberos or NTLM protocol. An access token contains:
• The SID and SID History of the user account.
• The SID and SID History of all the domain groups of which the user is a member, directly or indirectly (group member of another group ...).
• The SIDs of all the local groups to which the user belongs (such as Administrators).
• The list of privileges (such as SeDebugPrivilege) available to the user on the local machine.
To view the contents of an access token, you can use the tool Tokensz, downloadable at: http://www.microsoft.com/en-us/download/details.aspx?id=1448
The command below lists the SID of the user account, the SIDs of the groups to which it belongs directly (or indirectly) and all its privileges.
The access token created during an interactive logon (the user enters his login / password) is called the primary access token (Primary Access Token).
Each time the user starts a process, a copy of the primary access token is attached to this process. Whenever a process requires access (NTFS permission) or privileges on the system, Windows analyzes the content of this token to decide whether or not the user has the right to access the resource. To understand access tokens in more detail, I invite you to read the following Microsoft articles:
http://blogs.technet.com/b/askds/archive/2007/11/02/what-s-in-a-token.aspx
http://technet.microsoft.com/en-us/library/cc759267(v=ws.10).aspx
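As an added example (not the document's own code, and not Tokensz), the following dumps the same components of the current process's primary access token from PowerShell: the user SID, the group SIDs (tagged as local BUILTIN groups or domain / machine groups) and the privileges. Privileges are read from whoami /priv, which assumes an English Windows because the CSV column names are localized.

```powershell
# Added example (not the document's own code). Run it in a normal and in an elevated
# PowerShell session to compare the filtered and unfiltered tokens of an administrator.

function Get-CurrentTokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    $groups = foreach ($sid in $id.Groups) {
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' }
        # S-1-5-32-* are local BUILTIN (SAM) groups such as Administrators;
        # S-1-5-21-* are domain or machine SIDs; anything else is a well-known SID
        $scope = if ($sid.Value -like 'S-1-5-32-*') { 'Local (BUILTIN)' }
                 elseif ($sid.Value -like 'S-1-5-21-*') { 'Domain/Machine' }
                 else { 'Well-known' }
        [pscustomobject]@{ SID = $sid.Value; Name = $name; Scope = $scope }
    }

    # "whoami /priv /fo csv" yields the columns "Privilege Name","Description","State"
    $privs = whoami.exe /priv /fo csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{ Privilege = $_.'Privilege Name'; State = $_.State }
    }

    # IsInRole is false under a UAC-filtered token even for an administrator (see the UAC section)
    $isAdmin = ([System.Security.Principal.WindowsPrincipal]$id).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User          = $id.Name
        UserSid       = $id.User.Value
        AdminInToken  = $isAdmin
        Groups        = $groups
        Privileges    = $privs
    }
}

$token = Get-CurrentTokenSummary
'User: {0} ({1}), Administrators usable: {2}' -f $token.User, $token.UserSid, $token.AdminInToken
$token.Groups     | Format-Table -AutoSize
$token.Privileges | Format-Table -AutoSize
```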
Sometimes a process runs in the context of user account A but needs to perform another task in the context of user B. Each of these tasks is called a thread. By default a thread uses the access token of the process, called the primary access token (Primary Access Token). In this example the primary access token has the rights of user A. If a thread needs to run in the context of user B, it uses the impersonation token feature, which allows the thread to run in the context of user account B.
To perform this impersonation, the file sharing service process must hold the privilege Impersonate a client after authentication (SeImpersonatePrivilege).
The INCOGNITO tool steals existing access tokens and uses them to perform tasks. It requires the privileges SeDebugPrivilege, SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege to work. INCOGNITO must run as System.
Incognito can run locally or remotely. Once started, it scans all the processes running on the target machine and lists all the access tokens associated with these processes.
INCOGNITO duplicates all the access tokens and groups them by user. It is at this stage that the tool needs the privilege SeDebugPrivilege (Debug programs), because this privilege allows it to open any process to access its memory and copy resources.
Once the list of access tokens is obtained, the tool is able to launch new processes as another user using the access tokens it copied.
The tool can use the impersonation feature to use the access token associated with a process via the ImpersonateLoggedOnUser API. This action requires the privilege SeImpersonatePrivilege (Impersonate a client after authentication). For more information see:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx
The tool can also create a new process associated with an access token (using the CreateProcessAsUser API). This action requires the privilege SeAssignPrimaryTokenPrivilege (Replace a process level token).
To list all the available tokens, open a command prompt with the System account. To do this, download the PSEXEC tool ( http://technet.microsoft.com/fr-fr/sysinternals/b ) and run the following command: Psexec.exe -i -d -s cmd
Once the command prompt is running as SYSTEM, type the following command:
incognito.exe -h localhost -u administrator -p P@ssword list_tokens -u
Once the access tokens are displayed, those marked Delegation can be stolen and used to launch a command prompt with the following command (it steals the msreport\administrator token, which in this example is a member of Domain Admins in the qualification environment).
Prevent users from being local administrators on workstations. Configure the antivirus on all the company's machines to block the executable
Microsoft typically supports an operating system for 10 years: 5 years of mainstream support (development of new functionality) and 5 years of extended support (bug fixes). When the OS is no longer supported, Microsoft no longer develops security patches and the system becomes vulnerable to newly discovered security vulnerabilities that are never corrected.
A critical security flaw in the SCHANNEL component has been discovered by Microsoft. It would allow an attacker to take control of a machine on all currently supported Microsoft OS versions. Microsoft provides a patch for this vulnerability in the MS14-066 bulletin ( https://technet.microsoft.com/library/security/MS14- ).
Note that Microsoft provides neither information on this vulnerability nor a fix for Windows 2000 Server. Domain controllers running Windows 2000 Server, however, are probably vulnerable to this flaw.
Windows 2003 support ends on July 14, 2015, as described on the Microsoft website http://support2.microsoft.com/lifecycle/?LN=fr&C2=1163
For all these reasons, you should not keep or deploy domain controllers with a version earlier than Windows 2008 R1.
Companies typically use machine models (templates) to deploy their physical and virtual servers. These models often integrate multiple components / applications that are useless on a domain controller and increase the attack surface.
It is very important to avoid adding services that would run in the context of the System account. That account has full administrative rights on the domain controller (including rights on all objects in the directory).
In some companies, the teams in charge of deploying servers may differ (different administration teams, outsourcing of some sites). Deployment methodologies may therefore vary, as may server configuration.
For all these reasons, it is recommended to deploy domain controllers from an image (template) managed by the Active Directory management team.
Start your domain controller from a Windows 2008 R2 or Windows 2012 R2 installation DVD. Select the option Repair your computer. The server's C drive appears as the D drive. Type the following commands in the command prompt:
move d:\Windows\System32\sethc.exe d:\Windows\System32\sethc.old
copy d:\Windows\System32\cmd.exe d:\Windows\System32\sethc.exe
Then restart the server.
The Active Directory Users and Computers console appears. Enable the console's Advanced Features view. You can now reset the password of the domain administrator account (member of the Domain Admins and Enterprise Admins groups) because the
In the example above, the forest msreport.be is in Windows 2012 R2 native mode.
This technique gives full access to the directory and all its accounts. It is the first step before a more dangerous attack, which would be to recover the users' passwords from the NTHASH or LMHash.
To ensure the security of your directory, you must therefore prevent a user from starting your domain controller from a parallel OS (LiveCD) and modifying the Windows Server files and registry.
6.2.2 HOW TO PREVENT AN ATTACKER FROM ACCESSING THE NTDS.DIT FILE?
Microsoft supports the deployment of domain controllers on physical servers and on virtual machines. Microsoft's official support for virtualization goes through the SVVP (Windows Server Virtualization Validation Program). I invite you to consult the following website:
http://www.windowsservercatalog.com/svvp.aspx
So we have to deal with the protection of both physical and virtual domain controllers.
The first step is of course to protect the server room against unauthorized access. Physical domain controllers must be hosted in a secure server room. However, this measure does not apply to virtual domain controllers. Indeed, the hard drives of virtual machines are files, VHD (with Hyper-V) or VMDK (VMware), that can be copied whether the virtual machine is on or off.
The table below shows the countermeasures applicable to physical and virtual domain controllers.

Countermeasure: Hosting the domain controller in a secure data center.
Note: This countermeasure applies to physical servers. You must also disable booting from DVD / USB in the BIOS, which is not always possible.

Countermeasure: Encrypting the hard disk with BitLocker.
Note: BitLocker uses the TPM. This solution works for physical domain controllers but does not work for virtual machines, since the latter are not able to emulate a TPM. A password to be entered at startup must be used instead.

Countermeasure: Deploy an RODC.
Note: If you cannot host the domain controllers in a secure room and the risk of machine theft is very high, deploying an RODC (read-only domain controller) is required. This type of domain controller stores no passwords by default. You can configure the accounts whose passwords are cached on the RODC. If the domain controller is compromised, you only need to change the passwords of those user accounts. To function properly, you must have a Windows 2008 read / write domain controller in at least one Active Directory site. The update http://www.microsoft.com/enus/download/details.aspx?id=7707 must be deployed on Windows XP / 2003 machines for authentication against an RODC to work properly.
The procedure to enable BitLocker on domain controllers (physical server and virtual machine) is presented in appendix in this document.
Security vulnerabilities are programming defects that enable an attacker to divert the normal operation of the software in order to gain access to the system or to interrupt its operation (software crash).
Security vulnerabilities are often linked to defects in the interpretation of the parameters passed to the program: software written to receive a parameter of type INTEGER (integer) receives a FLOAT (floating point number) instead and then stops working.
Deploying an antivirus will not protect you against the exploitation of security vulnerabilities (exploits) by an attacker. At best it will detect the use of a known program exploiting the security flaw (such as Incognito, Metasploit ...).
Today it is very easy to download from the Internet tools like Metasploit, which incorporate thousands of exploits targeting the key software solutions used by companies.
The Metasploit solution makes it possible, through a console or a GUI, to launch sophisticated attacks against Active Directory domain controllers. It allows, for example, taking control of a Windows 2003 domain controller via the MS08-067 security hole, or crashing (blue screen) a Windows 2008 R2 server via the MS12-020 security hole.
I invite you to read the articles listing the most critical flaws to exploit and the news feeds announcing new exploits.
https://community.rapid7.com/community/metasploit/blog/2012/12/11/exploit-trends-new-exploitsmake-the-top-10
https://community.rapid7.com/community/metasploit/blog
You can download Metasploit at this address:
http://www.rapid7.com/products/metasploit/download.jsp .
Metasploit integrates an exploit based on the MS12-020 flaw that crashes a Windows 2008 R2 server that has not been updated. A complete step-by-step guide is available at this location:
http://www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids
In an isolated network environment, install a Windows 2008 R2 virtual machine (not updated) and enable Remote Desktop. Get the IP address of this machine. In the Metasploit console, type the following commands:
The Server service (file sharing) crashes on the target machine. Type ? for the list of commands, getsystem to get admin rights and clearenv to purge the event logs. Type getpid to get the PID of the Metasploit process on the target machine. Confirm in the Task Manager of the attacked machine that the process exists (see the PID column).
Type the command ps to list the processes on the target machine. Stop the process using the command kill PID-number.
You should always update the domain controllers (every month). Indeed, the risk of failure linked to installing a patch is much lower than the risk of failure in case of an attack or an infection by a virus / worm exploiting a security hole.
Today there are many free solutions (WSUS, Windows Update) or paid ones (Landesk Management Suite, Dell Kace, System Center Configuration Manager (SCCM) ...) that can support the deployment of security patches.
Companies usually have a patch deployment solution but rarely check that the patches are actually deployed on the machines. However, many factors can block the deployment of patches. Administrators can forget to approve an essential fix. The fix may refuse to install if the WMI repository is corrupt, because the patch runs a WMI query to detect the patches already installed ( http://msreport.free.fr/?p=459 ). A dependency required to install the hotfix may also be missing. It is therefore recommended to use a third-party tool such as MBSA (other than your deployment tool) to confirm that your domain controllers are up to date.
The deployment of security patches can sometimes cause failures / malfunctions. Microsoft has conducted numerous studies showing that systems that are not updated encounter more outages / failures than up-to-date systems. Microsoft releases security patches on the second Tuesday of the month (US time). Problems are usually detected after 2 to 3 days, and a version 2 of the patch is then provided by Microsoft or the patch is withdrawn. To reduce the risk of a negative impact from a fix, you can deploy patches on pilot domain controllers on the second Thursday of each month and deploy patches on all other domain controllers on the third Tuesday of each month (a week after the release of the security patch).
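The patch calendar just described, as an added example that is not the document's own code: for each month of a year it computes Microsoft's release date (second Tuesday), the pilot domain controller date and the date for all other domain controllers (one week after the release). One caveat the code handles: in a month that starts on a Wednesday or a Thursday, the second Thursday falls before the second Tuesday, so the pilot date is taken as the Thursday following the release rather than the literal second Thursday; the NaiveRuleOK column shows the months where the two differ.

```powershell
# Added example (not the document's own code). Pure date arithmetic, no dependencies.

function Get-NthWeekday {
    param([int]$Year, [int]$Month, [System.DayOfWeek]$Weekday, [int]$N)
    $first = (Get-Date -Year $Year -Month $Month -Day 1).Date
    # distance from the 1st to the first matching weekday, then (N-1) full weeks
    $offset = (([int]$Weekday - [int]$first.DayOfWeek) + 7) % 7
    return $first.AddDays($offset + 7 * ($N - 1))
}

function Get-DcPatchSchedule {
    param([int]$Year = (Get-Date).Year)
    foreach ($m in 1..12) {
        $release = Get-NthWeekday -Year $Year -Month $m -Weekday Tuesday -N 2   # Patch Tuesday
        $pilot   = $release.AddDays(2)                                           # Thursday after the release
        $prod    = $release.AddDays(7)                                           # third Tuesday
        $secondThursday = Get-NthWeekday -Year $Year -Month $m -Weekday Thursday -N 2
        [pscustomobject]@{
            Month       = $release.ToString('yyyy-MM')
            Release     = $release.ToString('ddd dd')
            PilotDCs    = $pilot.ToString('ddd dd')
            AllDCs      = $prod.ToString('ddd dd')
            # false when the literal "second Thursday" rule would schedule the pilot before the release
            NaiveRuleOK = ($secondThursday -gt $release)
        }
    }
}

Get-DcPatchSchedule -Year 2015 | Format-Table -AutoSize
```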
The Windows Automatic Update client tries to reboot automatically when the hotfix installation is complete. This behavior can be a problem on production servers. It does not allow setting the exact time at which the patches should be installed and the exact time of the restart. It has reduced functionality on Windows 2008 R1 and Windows 2008 R2 servers installed in Core mode. You can use a tool like WuInstall and create scheduled tasks with it to deploy patches on domain controllers. WuInstall can be downloaded at:
https://www.wuinstall.com .
To reduce the attack surface, only the Windows roles and features (Server Manager) required on a domain controller should be deployed. A domain controller requires only the Active Directory Domain Services role and the DNS role (unless DNS is managed by a third-party solution). On Windows 2012 R1 and later, the GUI is available as 2 optional features. The commands below show how to deploy the GUI on a server in Core mode:
In Core mode (Server-Gui-Mgmt-Infra and Server-Gui-Shell not installed), it is possible to administer the server with PowerShell locally, or remotely (from another server) with the MMC consoles, Server Manager or PowerShell.
One of the disadvantages of Core mode is the difficulty of viewing the event logs locally (with the PowerShell command Get-EventLog). Analyzing the event logs remotely is not always possible if the link is too slow or if network access is cut.
Since Windows 2012 R1, it is possible to deploy the server in minimal interface mode (Server-Gui-Mgmt-Infra feature installed). This mode allows running all the MMC consoles, but without the full graphical interface.
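As an added example that is not the document's own code, the following audits the roles installed on a domain controller against the minimal set recommended above (AD DS and DNS) and reports which of the three interface levels the server is in, using the Server-Gui-Mgmt-Infra and Server-Gui-Shell features described in this section. It requires the ServerManager module on Windows Server 2012 / 2012 R2 (where those two features exist); the allowed-role list is an assumption to adapt.

```powershell
# Added example (not the document's own code). Run as administrator on the domain controller.
Import-Module ServerManager

$AllowedRoles = @('AD-Domain-Services', 'DNS')   # assumption: the only roles a DC should carry

function Get-DcRoleAudit {
    $installed = Get-WindowsFeature | Where-Object { $_.Installed }
    $roles     = @($installed | Where-Object { $_.FeatureType -eq 'Role' })
    $extra     = @($roles | Where-Object { $AllowedRoles -notcontains $_.Name })

    # the two optional GUI features decide the interface level (Windows 2012 / 2012 R2)
    $mgmtInfra = [bool]($installed | Where-Object { $_.Name -eq 'Server-Gui-Mgmt-Infra' })
    $shell     = [bool]($installed | Where-Object { $_.Name -eq 'Server-Gui-Shell' })
    $mode = 'Server Core'
    if ($mgmtInfra) { $mode = 'Minimal Server Interface (MMC consoles, no shell)' }
    if ($shell)     { $mode = 'Full GUI' }

    $unexpected = if ($extra.Count -gt 0) { $extra.Name -join ', ' } else { '(none)' }
    [pscustomobject]@{
        InterfaceMode   = $mode
        InstalledRoles  = ($roles.Name -join ', ')
        UnexpectedRoles = $unexpected
    }
}

Get-DcRoleAudit | Format-List

# One way to switch between the three levels (added here, not the document's own commands):
#   Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart     # Core -> full GUI
#   Uninstall-WindowsFeature Server-Gui-Shell -Restart                           # full GUI -> minimal interface
#   Uninstall-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart    # -> Server Core
```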
Since Windows Vista / Windows 2008 R1, the Windows Firewall is enabled by default. This firewall integrates many features, as explained in the article http://technet.microsoft.com/enus/library/cc753180.aspx . The Windows Firewall is a stateful firewall: it stores the state of all TCP and UDP connections and can dynamically create rules to allow legitimate inbound / outbound traffic (e.g. the response to an HTTP request (the web page code) returned by the web server to the server that made the request).
The Windows Firewall allows you to create rules to filter incoming and outgoing traffic based on a program (allow all traffic of this application ...), a port or an IP address. It also includes a set of predefined rules that allow the proper operation of the Windows roles and features deployed on the server. When a server becomes a domain controller (after deployment of the Active Directory Domain Services role), the predefined Windows Firewall rule group Active Directory Domain Services is activated. The inbound and outbound rules below are then activated.
The Windows Firewall has 3 profiles for connections: Public, Private and Domain. Specific rules may apply to only one profile. If you are in a workgroup, the firewall asks at startup whether you want to apply the rules of the Public or Private firewall profile. If you are a member of an Active Directory domain, the rules of the Domain profile apply when you are connected to the corporate network (otherwise, the system asks whether you want to be in the Public or Private profile). This mode allows you to create rules that apply only when the user is working from home or from a public Internet connection.
The Windows Firewall can be managed from the control panel (Control Panel | Windows Firewall) or via the Windows Firewall with Advanced Security console. Always configure the firewall from the Windows Firewall with Advanced Security console!
Indeed, on Windows 2008 R1 the control panel only offered to disable the firewall for the current profile. When deploying Windows 2008 R1, administrators often disabled the firewall from the control panel while the machine was still in a workgroup. They therefore disabled the firewall for the Public or Private profile. When the server was joined to the domain, the firewall switched to the Domain profile and became active again. This interface problem was corrected with Windows 7 / Windows 2008 R2.
If you want to disable the firewall on Windows Server 2008 (and later), you must not stop the Windows Firewall service. This is not supported by Microsoft and blocks the following features: the ability to encapsulate traffic in IPsec and Windows Service Hardening. To stop the firewall, set the Public, Private and Domain profiles to Off.
Windows Service Hardening helps protect Windows services that run in the context of a user account with high privileges. This feature is explained in detail in the articles below and in the chapter "Access management with Active Directory" of this document:
http://blogs.technet.com/b/askperf/archive/2008/02/03/ws2008-windows-service-hardening.aspx
http://blogs.msdn.com/b/sql_protocols/archive/2009/09
/21/connection-from-a-windows-service-couldbe-blocked-by-firewall-even-if-firewall-is-disabled.aspx
UAC under Windows is a set of security components which allows, among other things:
Generating two access tokens: an access token with all the user's privileges and SIDs is generated, and a second token is generated with reduced rights (removal of groups such as the Administrators SID). The user can use his unfiltered token only after elevation (confirmation window, or the user has run the application as administrator).
By default, UAC is disabled for the Administrator account (the account created by default by Windows) and enabled for all other user accounts. It can only be disabled by group policy (GPO) for the other users who are administrators of the machine.
UAC is disabled by default on a server deployed in Core mode or with the minimal interface (no graphical interface). This is also true for Windows
The Microsoft article http://support.microsoft.com/kb/2526083 explains that UAC can be deactivated on a machine where only administrators can log on. So you could disable UAC on domain controllers. Personally, I prefer to keep UAC, but the 2 following settings are acceptable for domain controllers:
• Completely disable UAC: this also disables Internet Explorer Protected Mode.
• Partially disable UAC (equivalent to level 1 of UAC in Control Panel | User Accounts | Change User Account Control Settings).
To launch Explorer as an administrator, you must use another trick, described on this website:
https://social.technet.microsoft.com/Forums/windows/en-US/1798a1a7-bd2e-4e42-8e980bc715e7f641/unable-to-open-an-elevated-windows-explorer-window
Launch the Task Manager. End the explorer.exe process. Then start Explorer.exe, checking the box Create this task with administrative privileges.
If you disable UAC via Control Panel | User Accounts | Change User Account Control Settings
It works: Explorer runs unrestricted, and the permissions can now be modified.
When a user logs on, the login / password is cached on the machine under HKEY_LOCAL_MACHINE\SECURITY\CACHE. By default, only the System account has the right to view the content of this key. This allows, for example, a user with a laptop to log on when not connected to the corporate network. This mode of operation is not applicable to servers and fixed workstations. For this reason, and for security reasons, I invite you to disable logon caching on all machines except mobile workstations (laptops).
To disable caching of user logons via GPO, you must define the following settings:
Whenever possible, you should minimize direct Remote Desktop (TSE) connections to the domain controllers. Active Directory administration must be done from administrative machines running Windows 2008 R1 or later. These machines must only carry the Active Directory administrative tools, such as Active Directory Users and Computers, Active Directory Administrative Center and the Active Directory module for PowerShell. Internet access from the administrative machines must be restricted (blocked if possible). These machines must be housed in secure premises to protect against theft. As a reminder, attacks like Pass the NTLM Hash, or a tool such as INCOGNITO, could allow a user holding a stolen administration machine to perform a privilege escalation (recover access to user accounts with privileges on Active Directory). For the same reason, it is not recommended to administer Active Directory from standard non-secure workstations. For this, you need to restrict the machines on which the user accounts with administrative privileges can log on.
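One way to apply the restriction just described, as an added example that is not the document's own code: set the Log On To workstation list (the userWorkstations attribute, a comma-separated list of NetBIOS names that is limited to 1024 characters) on every user member of a group of directory administrators. It assumes the ActiveDirectory PowerShell module; the group and computer names are placeholders.

```powershell
# Added example (not the document's own code). Run from an administrative machine with the
# Active Directory module for PowerShell, as an account allowed to modify the admin accounts.
Import-Module ActiveDirectory

function Set-AdminLogonWorkstations {
    param(
        [Parameter(Mandatory)][string]$AdminGroup,         # e.g. 'Domain Admins' (placeholder)
        [Parameter(Mandatory)][string[]]$AdminComputers,   # NetBIOS names of the administrative machines
        [switch]$ReportOnly                                # show the changes without applying them
    )
    # normalise and de-duplicate the list, then enforce the attribute's 1024-character limit
    $list = ($AdminComputers | ForEach-Object { $_.Trim().ToUpper() } | Sort-Object -Unique) -join ','
    if ($list.Length -gt 1024) {
        throw "LogonWorkstations list is $($list.Length) characters; the attribute allows at most 1024."
    }

    $members = Get-ADGroupMember -Identity $AdminGroup -Recursive | Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties LogonWorkstations
        if ($u.LogonWorkstations -eq $list) { continue }   # already compliant
        if ($ReportOnly) {
            "Would restrict {0}: '{1}' -> '{2}'" -f $u.SamAccountName, $u.LogonWorkstations, $list
            continue
        }
        Set-ADUser -Identity $u -LogonWorkstations $list
        "Restricted {0} to: {1}" -f $u.SamAccountName, $list
    }
}

# constructed placeholder values: first report, then run again without -ReportOnly to apply
Set-AdminLogonWorkstations -AdminGroup 'Domain Admins' -AdminComputers 'ADMIN-PC01', 'ADMIN-PC02' -ReportOnly
```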
RDP access is over TLS. However, these machines use a self-signed certificate. You must generate a computer certificate for each administration machine with an external certification authority or a Microsoft Enterprise certification authority (see the deployment procedure in the appendix).
Then configure Remote Desktop with the correct settings. This can be done in the Remote tab of Control Panel | System. Check the boxes Allow remote connections to this computer and Allow only connections from computers running Remote Desktop with Network Level Authentication.
The Remote Desktop Session Host Configuration console does not exist in Windows 2012 R2! We must therefore set up the server by GPO. This also allows you to disable printer mapping (which usually generates many errors in the event logs). For this, move the computer accounts of the administrative machines into a separate OU. Start GPMC, then create and link a new GPO called Administrative-computers. Go to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security. Set the GPO settings as follows to configure RDP over SSL access with NLA authentication.
You can also configure the RDP service not to map printers in TSE sessions (Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Printer Redirection).
Go to the properties of the user account, Account tab, then click on Log On To and check the box The following computers. Enter the list of machines on which the user can open a session. The underlying attribute holds up to 1024 values. An alternative to this method is to configure the GPO setting Deny log on locally with a user group whose members are all the user accounts with administrative privileges on the directory.
6.8.3 AUTHORIZE ONLY ADMINISTRATION TOOLS
You can greatly increase the security of the directory by strengthening the security of the administrative workstations. You can indeed activate AppLocker on these workstations to allow only the administrative tools required by administrators.
AppLocker will, for example, prevent the execution of a third-party browser or even Internet Explorer. I invite you to read this document, which outlines how to secure Remote Desktop Services servers with AppLocker. In it, the default AppLocker rule authorizing all executables in C:\Windows is deleted. Only the binaries required to start a Remote Desktop session and the administrative tools are allowed:
http://msreport.free.fr/articles/Securisation_RDS_2008_R2_V.1.0.1.pdf
AppLocker requires workstations running Windows 7 Enterprise / Ultimate (or later) or Windows Server 2008 R2 (or later).
If your management stations are Windows 2003 Server, you can use software restriction policies: http://msreport.free.fr/?p=202
6.8.4 REMOTE DESKTOP CLIENTS
You must deploy the RDP client 7.0 (minimum) on all Windows Vista or later workstations. There is a procedure to enable NLA authentication with Windows XP SP3 ( http://support.microsoft.com/kb/951608/en-us ), but the use of this system is strongly discouraged (no more security patches since April 2014).
In the Remote Desktop client, go to the Advanced tab and select Do not connect for the field If server authentication fails. This parameter can be set with the GPO setting Configure server authentication for client under Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services.
If the connection is attempted from a workgroup machine (which does not recognize the certificate as trusted), an error message appears.
This is a new Remote Desktop feature that helps fight against attacks such as Pass the NTLM Hash. This new feature gives administrator access only on the local machine. When accessing another machine, one only has the permissions of the computer account of the server where one is logged on. This feature
Configure domain controllers to have limited access to the Internet (DNS, HTTP and HTTPS, NTP)
This configuration is simpler to implement. To avoid compromising security, I invite you however to leave UAC active so that Internet
Explorer runs in protected mode.
The DSRM password is required during Active Directory restore operations. This password is very critical and must meet the following
requirements:
• Be known by the Active Directory service management team.
• Be stored in a secure location.
• If possible, be different for each domain controller.
• Contain at least 24 characters.
This password is set when promoting a domain controller. It is possible to use the tool Ntdsutil to change the DSRM password later.
By default since Windows 2008 R1, IPv6 has priority over the IPv4 protocol. When you ping localhost, it is the address ::1 that responds and
not 127.0.0.1. Microsoft recommends not disabling IPv6 completely but configuring IPv4 as the preferred protocol. Launch
An antivirus for the operating system must be deployed on domain controllers. It must however be configured to exclude from scanning the files /
folders listed in the Microsoft article http://support.microsoft.com/kb/822158/en-us, such as the Active Directory database files or the SYSVOL directory.
Since Windows 2003 Server SP1, Microsoft offers a wizard to strengthen the security of servers. In Windows 2012 R2, this wizard is available
in Server Manager in the Tasks menu.
The wizard uses a configuration template based on the roles deployed on the machine. This tool automatically detects the configuration of the
machine (a domain controller / DNS server in our case) and proposes an ideal configuration based on the services on the machine. The
implementation of this solution presupposes that the roles deployed on the servers do not change over time. You cannot deploy a new
role on servers configured with this wizard without planning a reconfiguration phase.
The Security Configuration Wizard and its command-line equivalent scwcmd allow you to:
• Create a configuration template (generation of an XML file).
• Analyze whether a machine conforms to a configuration template.
• Apply a configuration template to a machine.
• Remove (roll back) a configuration template applied to a machine.
• Convert a configuration (XML) into a GPO using the following command:
scwcmd transform /p:"C:\Windows\security\msscw\Policies\test.xml" /g:"Server Security"
The tool analyzes the roles on the server and proposes to:
• Disable unnecessary services on the server.
• Configure the required exceptions in the Windows firewall.
• Configure the security settings of the machine.
The following site provides some feedback on hardening Windows clusters. The conclusion is clear: using the Security Configuration
Wizard provides a secure and functional configuration.
http://blogs.technet.com/b/mspfe/archive/2014/05/29/why-you-should-avoid-manual-serverhardening.aspx
To test the domain controller deployment image, it is necessary to deploy a model environment that is a copy of the production environment.
If you only have physical domain controllers, I invite you to deploy a temporary domain controller on a virtual machine (one per domain). Avoid
P2V as this may generate a USN rollback as explained in this article: http://support.microsoft.com/kb/875495/en-us .
6.11.4.2 Step 1: virtualizing one domain controller per domain (example with a forest containing 2 domains):
Stop one domain controller in each domain and copy these two domain controllers by copying their files to the virtual machine (VM) corresponding
to the test server. The two domain controllers must be stopped at the same time! Warning, this can have an impact on applications such as Exchange
because this kind of application relies on specific domain controllers (DS Access). This is even more problematic if DS Access was forced. For more
information, I invite you to read this article http://support.microsoft.com/kb/910999 .
When the copy of the two domain controllers (one for the root domain and one for the child domain) is complete, restart the production domain
controllers (the original version). Above all, do not start the copies of the 2 domain controllers (VMs) at that time.
The duplicated domain controller should preferably be a DNS server if you want to retrieve the DNS zones. Reminder: DNS zones hosted in
ForestDnsZones and in DomainDnsZones are replicated only to domain controllers that are DNS servers.
We must remove the domain controllers that have not been copied. Transfer the FSMO roles (in forced mode, i.e. seize them) if necessary. It is as if
you had done a DCPROMO /forceremoval on all the domain controllers that were not copied. For this, we use the tool Ntdsutil and follow the
procedures below:
http://support.microsoft.com/kb/255504/en-us
http://support.microsoft.com/kb/216498/en-us
http://support.microsoft.com/kb/230306
http://support.microsoft.com/kb/887424/fr
To test our image, it is necessary to restore the critical applications in the model environment. Applications such as Exchange that host their
configuration in Active Directory can be restored in Disaster Recovery mode.
You can now test your new Windows image in the qualification environment.
1. The keyboard configuration is done from Control Panel | Language (choice of language and keyboard) and in Control Panel | Region (setting
the default keyboard at logon by ticking the box Welcome screen and system accounts).
However, if you installed in Server Core mode and then activated the GUI feature, this setting is not retained. I then invite you to add the
French keyboard again (by temporarily adding another keyboard type). Do not forget then to redefine the correct keyboard for the Welcome
Screen.
2. Some features like the .NET Framework 3.5.1 refuse to install because the installation sources are missing. This problem occurs on a Full or
Core installation. To correct this problem, use the sources\SxS directory of the installation DVD.
With Exchange 2003: setup.exe
7 IMPLEMENTING A RISK PREVENTION POLICY
To anticipate attacks and their consequences, it is necessary to be proactive and to put in place the following measures:
• Protect the Active Directory backups and the IFM media (Install From Media).
An attacker can indeed recover the passwords of user accounts and computer accounts if they have the NTDS.DIT and SYSTEM files.
7.1 AUDIT CHANGES (NEW OBJECTS) AND TRACE LOGONS TO THE DIRECTORY: ACTIVE DIRECTORY AUDITING WITH WINDOWS
Auditing generates entries in the Security log of the domain controllers. Among other things, it allows monitoring the actions performed by the
directory administration teams or tracing authentication requests.
ANSSI wrote a white paper that details the audit settings to be deployed in an Active Directory domain. This organization also recommends
enabling advanced auditing (split into subcategories), which appeared with Windows 2008 R2.
https://www.ssi.gouv.fr/uploads/IMG/pdf/NP_ActiveDirectory_NoteTech.pdf
https://technet.microsoft.com/en-us/library/dn319056(v=ws.11).aspx
The setting Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Audit: Force audit policy
subcategory settings (Windows Vista or later) to override audit policy category settings must be enabled in the Default Domain Policy and the
Default Domain Controllers Policy to force the advanced audit policy and disable the classic audit policies, as described in this article:
https://www.petri.com/enable-advanced-audit-policy-configuration-windows-server
The Security log of the domain controllers must be configured with a maximum size of 4 GB and automatic log rotation (if the log is full, the oldest
entries are deleted to allow the creation of new entries). For this, the following GPO settings must be defined:
Computer Configuration | Policies | Windows Settings | Security Settings | Event Log | Maximum security log size: set to the value 2048000 .
Computer Configuration | Policies | Windows Settings | Security Settings | Event Log | Retention method for security log: set to the value Overwrite
events as needed .
The policy Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Audit: Shut down
system immediately if unable to log security audits must also be disabled.
Enabling all the settings recommended by ANSSI can greatly increase the size of the Security log. After implementing these settings,
some customers only had 30 minutes of logs left with a Security log configured with a maximum size of 2 GB.
Legend:
• (1): this generates many events with ID 4662 (Directory Service Access).
• (2): this generates many events with ID 5447 (Policy Change Events).
• (3): left undefined (instead of No auditing) so that auditing of files / registry entries can be enabled on servers on a case-by-case basis.
All settings under Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies will be set as shown below but will
be ignored unless you still have Windows 2003 domain controllers.
Setting | Configuration
Audit system events | Successes and Failures
Audit process tracking | Successes and Failures
Audit privilege use | Undefined
Audit policy change | Successes and Failures
Audit object access | Undefined
Audit logon events | Successes and Failures
Audit directory service access | Successes and Failures
Audit account management | Successes and Failures
Audit account logon events | Successes and Failures
The same settings as for domain controllers will be applied to workstations and member servers in the domain.
To trace logons, we use a PowerShell script called AuditConnexion . This script requires that the 4 audit subcategories below are enabled:
• Account Logon \ Credential Validation: ID 4776 and 4777
• Account Logon \ Kerberos Authentication Service: ID 4768, 4771, 4772
• Account Logon \ Kerberos Service Ticket Operations: ID 4769, 4770
• Logon / Logoff \ Audit logon: ID 4624, 4625, 4648
Event ID | Filter | Use
4624 | All | Every logon accesses Netlogon and Sysvol on the domain controller and therefore generates a network-type logon on the domain
controllers (indirect method for detecting a logon).
4625 | All | Lets you see logon failures when an administrator logs on to the domain controller directly (MSTSC) or when a service running on a
domain controller does not start because of a login / password problem.
4648 | All | Detects a secondary logon, such as starting a service / scheduled task or using a tool like LDP.EXE to make an LDAP Simple Bind
connection.
4769 | | Used to trace the activity of a user by listing the resources to which they connect (Kerberos).
4772 | | Used to trace logon failures (TGT generation failures after pre-authentication). This event is very rare because Kerberos failures occur
in the phase called pre-authentication (bad login / password ...).
The solution is based on a first script that copies the Security log of each domain controller to a computation server.
Then you run the PowerShell script and pass it the domain controller's name and the EVTX file to analyze. Example:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File D:\_adm\AuditConnexion\AuditConnexion.ps1 -DC DC1 -DossierAuditConnexion D:\_adm\AuditConnexion\ -EventName DC1.evtx
This operation requires exporting the Security log (EVTX file) several times a day on domain controllers whose Security log does not hold 24
hours of logs.
The script creates the Job and Results subfolders automatically. The result file shows the date of the last event of the EVTX log.
The Events folder containing the event logs must be created manually. You also have to manually create a subfolder with the domain controller
name.
The following script (agent) must run on the domain controllers to copy the file to the computation server (called here serveurrapport ).
We must determine the time required to copy the EVTX file to the analysis server and schedule this task before launching the main script (usually
10 minutes).
The script generates a zip file using a third-party PowerShell function (this avoids the PowerShell V5 prerequisite).
The script is based on the command wevtutil instead of the cmdlet Get-WinEvent, which is far too slow. Example of a command with the wevtutil tool:
wevtutil qe "C:\_adm\Scripts\AuditConnexionV12\Security-DC1.evtx" /lf:True "/q:*[System[(EventID=4648)]]" | Select -First 1
The script has a variable $MaxResultatZipSize which defines whether a link or an attachment is sent depending on the size of the ZIP file.
The script has a variable $MaxResultatSize which splits the work files that exceed a certain size. Excel cannot open a file of more than 1
million rows.
Writing to disk is done in blocks of X lines (variable $EcritureNbLigne ). This greatly optimizes the execution speed of the script and
reduces the I/O required.
It is recommended to write in blocks of 10,000 lines. Be careful not to saturate the server memory (PowerShell process) when using
larger blocks.
The script will saturate one core at 100%. The report generation server must therefore have multiple cores (minimum 2).
The script has a PowerShell instruction to force the clearing of its memory. It is executed when the main job file is written to disk.
https://gist.github.com/gravejester/b16bab17b80619f2b964
https://communary.net/2015/12/13/observations-on-writing-to-screen-and-file-in-powershell/
http://ss64.com/ps/zip.txt
http://stackoverflow.com/questions/14827716/adding-a-complete-directory-to-an-existing-zip-file-with-system-io-compression-f
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4768
http://my-powershell.fr/aide-memoire-powershell
http://www.ehow.com/how_7719350_split-string-two-variables-powershell.html
http://technet.microsoft.com/fr-FR/library/dd772712(WS.10).aspx
https://social.technet.microsoft.com/Forums/windows/en-US/6f158957-28ea-4ce9-a688ccfa7bbd16bd/wevtutil-command-options-for-date?forum=w7itprogeneral
# ------------------------------------------ #
# Script parameters
# ------------------------------------------ #
param (
    [string]$DC,
    [string]$DossierAuditConnexion,
    [string]$EventName
)
# Usage reminder (excerpt: in the script this is printed when a parameter is missing)
echo "The script must be run with 3 parameters (required)"
echo "Do not forget the \ at the end of the path for the DossierAuditConnexion parameter!"
echo "Example: AuditConnexion.ps1 -DC DC1 -DossierAuditConnexion D:\_adm\AuditConnexion\ -EventName DC1.evtx"
# ------------------------------------------ #
# Variables
# ------------------------------------------ #
# Reference date: retrieve the date of the last event of the EVTX file.
$DateReference = (Get-WinEvent -Path $EventFile | Select-Object -First 1).TimeCreated
# Retrieve the events of the last 24 hours + 1 minute.
# (TimeCreated is local time, whereas @SystemTime in the XPath query below is UTC.)
$DateDebutTemp = (Get-Date -Date $DateReference).AddMinutes(-1441)
# Wrapped in single quotes so that it can be pasted directly into the XPath query.
$StartDate = "'" + (Get-Date -Date $DateDebutTemp -Format 'yyyy-MM-ddTHH:mm:ss') + "'"
# Results folder
$DossierResultats = $DossierAuditConnexion + "Results\" + $EventName + "\"
# Result files
# Link to the result file
$ResultatZipLink = "\\serveurrapport\results$\" + $EventName + "\" + $DC + "-AuditConnexion-" + $DateReference.Year + "-" + $DateReference.Month + "-" + $DateReference.Day + "_" + $DateReference.Hour + "-" + $DateReference.Minute + "-" + $DateReference.Second + ".zip"
# Maximum size of an output file in the working folder, in bytes
$MaxResultatSize = 104857600
# $MaxResultatSize = 24857600
# Index used to name the result files in the working folder (set to 1)
$Index = 1
$Index4776 = 1
$Index4768 = 1
$Index4769 = 1
$Index4771 = 1
$Index4624 = 1
$Index4625 = 1
$Index4648 = 1
# Mail server
# Email title
$Title = "Audit of successful and failed authentication requests on $DC"
# ------------------------------------------------------------------------------- #
# Prerequisite check and creation of output files
# The EVTX file must exist.
# The working folder and the results folder are created if necessary.
# If not, the script sends an email and stops.
# ------------------------------------------------------------------------------- #
# Failure branch (excerpt): notify the team by email
$Body = $Body + "<P>The Msreport IT team</P>"
$Report = ConvertTo-Html -Title $Title -Body $Body -Head $Format
Send-MailMessage -To $To -Subject "Audit of successful and failed authentication requests on $DC" -Body "$Report" -SmtpServer $SMTPServer -From $From -BodyAsHtml -Encoding ([System.Text.Encoding]::UTF8)
# Delete the working folder if it exists. The folder is recreated empty.
Remove-Item $DossierTravail -Recurse -Force:$True
New-Item -Path $DossierTravail -ItemType Directory -Force
# Delete the output file if it already exists (the job is restarted for the same event log).
if ((Test-Path $ResultatZip) -eq $True) { Remove-Item $ResultatZip -Force }
# Create the Results folder of the domain controller if it does not exist.
if ((Test-Path $DossierResultats) -eq $False) { New-Item -Path $DossierResultats -ItemType Directory -Force }
# ----------------------------------------------------------------- #
# Create the result files with their headers
# Create the result tables (lines stored in memory)
# ----------------------------------------------------------------- #
# ------------------------------------------------- #
# Generate the $Result file
# ------------------------------------------------- #
# One XPath query over the whole window; each event comes back as an XML string.
wevtutil qe $EventFile /lf:True "/q:*[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4769 or EventID=4771 or EventID=4776 or EventID=4648) and TimeCreated[@SystemTime>=$StartDate and @SystemTime<=$EndDate]]]" | foreach {
    # Create the XML variable with the contents of the event.
    [xml]$XML = $_
    # Exclude entries whose user name is the name of a computer account.
    if (!($TargetUserName.Contains('$'))) {
        # Label the Kerberos status code (events 4768 / 4771 / 4772) of the event.
        # The chain on the page starts at 0x3; the preceding cases are not reproduced here.
        $KerberosStatusLabel = @{
            "0x3"  = "Failure - 0x3 - Requested protocol version not supported"
            "0x4"  = "Failure - 0x4 - Client's key encrypted in old master key"
            "0x5"  = "Failure - 0x5 - Server's key encrypted in old master key"
            "0x6"  = "Failure - 0x6 - Client not found in Kerberos database"
            "0x7"  = "Failure - 0x7 - Server not found in Kerberos database"
            "0x8"  = "Failure - 0x8 - Multiple principal entries in database"
            "0x9"  = "Failure - 0x9 - The client or server has a null key"
            "0xA"  = "Failure - 0xA - Ticket not eligible for postdating"
            "0xB"  = "Failure - 0xB - Requested start time is later than end time"
            "0xC"  = "Failure - 0xC - KDC policy rejects request (could be workstation restrictions)"
            "0xD"  = "Failure - 0xD - KDC cannot accommodate requested option"
            "0xE"  = "Failure - 0xE - KDC has no support for encryption type"
            "0xF"  = "Failure - 0xF - KDC has no support for checksum type"
            "0x10" = "Failure - 0x10 - KDC has no support for padata type"
            "0x11" = "Failure - 0x11 - KDC has no support for transited type"
            "0x12" = "Failure - 0x12 - Client's credentials have been revoked (account could be disabled, expired, locked)"
            "0x13" = "Failure - 0x13 - Credentials for server have been revoked"
            "0x14" = "Failure - 0x14 - TGT has been revoked"
            "0x15" = "Failure - 0x15 - Client not yet valid - try again later"
            "0x16" = "Failure - 0x16 - Server not yet valid - try again later"
            "0x17" = "Failure - 0x17 - Password has expired"
            "0x18" = "Failure - 0x18 - Pre-authentication information was invalid (could be a bad password)"
            "0x19" = "Failure - 0x19 - Additional pre-authentication required"
            "0x1F" = "Failure - 0x1F - Integrity check on decrypted field failed"
            "0x20" = "Failure - 0x20 - Ticket expired (frequently logged by computer accounts)"
            "0x21" = "Failure - 0x21 - Ticket not yet valid"
            "0x22" = "Failure - 0x22 - Request is a replay"
            "0x23" = "Failure - 0x23 - The ticket is not for us"
            "0x24" = "Failure - 0x24 - Ticket and authenticator do not match"
            "0x25" = "Failure - 0x25 - Clock skew too great (workstation clock too far out of sync with the DC's)"
            "0x26" = "Failure - 0x26 - Incorrect net address"
            "0x27" = "Failure - 0x27 - Protocol version mismatch"
            "0x28" = "Failure - 0x28 - Invalid msg-type"
            "0x29" = "Failure - 0x29 - Message stream modified"
            "0x2A" = "Failure - 0x2A - Message out of order"
            "0x2C" = "Failure - 0x2C - Specified version of key is not available"
            "0x2D" = "Failure - 0x2D - Service key not available"
            "0x2E" = "Failure - 0x2E - Mutual authentication failed"
            "0x2F" = "Failure - 0x2F - Wrong message direction"
            "0x30" = "Failure - 0x30 - Alternative authentication method required"
            "0x31" = "Failure - 0x31 - Incorrect sequence number in message"
            "0x32" = "Failure - 0x32 - Inappropriate type of checksum in message"
            "0x3C" = "Failure - 0x3C - Generic error (description in e-text)"
            "0x3D" = "Failure - 0x3D - Field is too long for this implementation"
        }
        if ($KerberosStatusLabel.ContainsKey($Status)) { $Status = $KerberosStatusLabel[$Status] } else { $Status = "Failure - other error" }
# Send an email without the attachment, with a link to download the result file
$Format = "<style>"
$Body = $Body + "<P>The Msreport IT team</P>"
$Report = ConvertTo-Html -Title $Title -Body $Body -Head $Format
Send-MailMessage -To $To -Subject "Audit of successful and failed authentication requests on $DC" -Body "$Report" -SmtpServer $SMTPServer -From $From -BodyAsHtml -Encoding ([System.Text.Encoding]::UTF8)
}
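As an added example (not the AuditConnexion script of the original document), the core of the analysis described above in working PowerShell: parsing the XML that wevtutil emits for Security events, excluding computer accounts, labelling Kerberos and logon failures with the status table, and summarising failures per user. The event XML, user names, IP addresses and the domain name contoso.local are constructed sample data, not real logs.

```powershell
# Added example, not the AuditConnexion script of the original document.
# It reproduces the core of that analysis: read Security events in the XML
# layout emitted by "wevtutil qe ... /f:xml", drop computer accounts, label
# Kerberos and logon failures, and summarise failures per user.
# All event data below is constructed for the example (not real log data).

# Subset of the Kerberos status table used by the script (RFC 4120 error codes).
$KerberosStatus = @{
    '0x0'  = 'Success'
    '0x6'  = 'Failure - 0x6 - Client not found in Kerberos database'
    '0x12' = 'Failure - 0x12 - Client credentials have been revoked (account disabled, expired or locked)'
    '0x17' = 'Failure - 0x17 - Password has expired'
    '0x18' = 'Failure - 0x18 - Pre-authentication information was invalid (bad password)'
    '0x25' = 'Failure - 0x25 - Clock skew too great'
}

function New-SampleEventXml {
    # Builds a constructed Security event in wevtutil's XML layout (sample data only).
    param([int]$Id, [string]$Time, [System.Collections.IDictionary]$Data)
    $fields = ($Data.GetEnumerator() | ForEach-Object { "<Data Name=`"$($_.Key)`">$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
      "<System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>$Id</EventID>" +
      "<TimeCreated SystemTime='$Time'/><Computer>DC1.contoso.local</Computer></System>" +
      "<EventData>$fields</EventData></Event>"
}

function ConvertFrom-SecurityEventXml {
    # Flattens one <Event> document into the fields the audit needs.
    param([Parameter(Mandatory = $true)][string]$EventXml)

    [xml]$doc = $EventXml
    $sys = $doc.Event.System
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # EventID may carry a Qualifiers attribute, in which case it is an element, not a string.
    $id = if ($sys.EventID -is [string]) { [int]$sys.EventID } else { [int]$sys.EventID.'#text' }
    $status = $data['Status']

    $label = switch ($id) {
        4624 { 'Success - logon type ' + $data['LogonType'] }
        4625 { 'Failure - logon type ' + $data['LogonType'] + ' - NTSTATUS ' + $status }
        { $_ -in 4768, 4769, 4771, 4772 } {
            if ($status -and $KerberosStatus.ContainsKey($status)) { $KerberosStatus[$status] }
            else { "Failure - $status - other error" }
        }
        default { 'Unhandled event' }
    }

    [pscustomobject]@{
        TimeCreated = [datetime]$sys.TimeCreated.SystemTime
        Computer    = $sys.Computer
        EventID     = $id
        User        = $data['TargetUserName']
        IpAddress   = $data['IpAddress']
        Status      = $label
    }
}

function Get-UserLogonAudit {
    # Applies the script's filters: user accounts only (no trailing "$") and a time window.
    param(
        [Parameter(Mandatory = $true)][string[]]$EventXml,
        [datetime]$Start = [datetime]::MinValue,
        [datetime]$End = [datetime]::MaxValue
    )
    foreach ($xml in $EventXml) {
        $rec = ConvertFrom-SecurityEventXml -EventXml $xml
        if ($rec.User -like '*$') { continue }
        if ($rec.TimeCreated -lt $Start -or $rec.TimeCreated -gt $End) { continue }
        $rec
    }
}

function Get-FailureSummary {
    # Counts failures per user and lists the source addresses, the view an analyst reads first.
    param([Parameter(Mandatory = $true)][object[]]$Records)
    $Records | Where-Object { $_.Status -like 'Failure*' } | Group-Object User | ForEach-Object {
        [pscustomobject]@{
            User     = $_.Name
            Failures = $_.Count
            Sources  = (@($_.Group | ForEach-Object { $_.IpAddress }) | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample: two bad-password attempts and one network logon for jdupont,
# one TGT request from a computer account (filtered out) and one failed service logon.
$SampleEvents = @(
    (New-SampleEventXml -Id 4771 -Time '2016-03-01T08:12:05.000Z' -Data ([ordered]@{ TargetUserName = 'jdupont'; Status = '0x18'; IpAddress = '::ffff:10.0.0.25' }))
    (New-SampleEventXml -Id 4771 -Time '2016-03-01T08:12:09.000Z' -Data ([ordered]@{ TargetUserName = 'jdupont'; Status = '0x18'; IpAddress = '::ffff:10.0.0.25' }))
    (New-SampleEventXml -Id 4768 -Time '2016-03-01T08:13:00.000Z' -Data ([ordered]@{ TargetUserName = 'WS01$'; Status = '0x0'; IpAddress = '::ffff:10.0.0.31' }))
    (New-SampleEventXml -Id 4624 -Time '2016-03-01T08:14:30.000Z' -Data ([ordered]@{ TargetUserName = 'jdupont'; LogonType = '3'; IpAddress = '::ffff:10.0.0.25' }))
    (New-SampleEventXml -Id 4625 -Time '2016-03-01T08:20:00.000Z' -Data ([ordered]@{ TargetUserName = 'svc_backup'; LogonType = '4'; Status = '0xC000006D'; IpAddress = '-' }))
)

$Records = Get-UserLogonAudit -EventXml $SampleEvents
$Records | Format-Table TimeCreated, EventID, User, IpAddress, Status -AutoSize
Get-FailureSummary -Records $Records | Format-Table -AutoSize
```

On a real export, replace $SampleEvents with the output of wevtutil qe <file> /lf:True /f:xml /q:"..." so that each event arrives as one XML string.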
There are many tools to assess the security level of your directory and perform a security audit of Active Directory (penetration testing).
• Mimikatz: this tool can display in clear text the passwords of all users logged on to a machine. It can also generate Golden Tickets (Kerberos
Pass The Ticket attack). The tool is free and is available online: http://blog.gentilkiwi.com/mimikatz
Prerequisite 1: find the domain SID with the command whoami /user .
https://experiences.microsoft.fr/Video/avec-laps-metsys-premunit-un-si-dattaques-par-elevationde-privileges/fd1a804d-c21d-4bbe-97d7-1697364fe5b5#EDHCo
• Metasploit: this is the reference tool. It includes many exploits that perform privilege escalations or crash a Windows
machine. A basic version of the tool is free and can be downloaded at:
http://www.rapid7.com/products/metasploit/download.jsp
• BTA: this tool is provided by ANSSI. I invite you to read the following documents on BTA:
http://www.information-security.fr/audit-lactive-directory-bta/
https://www.sstic.org/media/SSTIC2014/SSTIC-actes/BTA_Analyse_de_la_securite_Active_Directory/SSTIC2014-Article-BTA_Analyse_de_la_securite_Active_Directory-czarny_biondi.pdf
https://www.sstic.org/2014/presentation/BTA_Analyse_de_la_securite_Active_Directory/
• ADRAP: this tool is provided by Microsoft. It is a comprehensive audit covering all the risks associated with Active Directory. ADRAP
allows, for example, to detect Active Directory configuration issues that could result in failures, as well as security risks.
It is necessary to monitor Active Directory to identify potential failures generated by an attack. The solution below is based on a PowerShell
script that analyzes the output of the command DCDIAG /V /E, which is run from a single server. The script must be installed on an English
Windows Server 2008 R2 (or later) because the DCDIAG command must produce its output in English. Note: the downloadable English version of
DCDIAG works only on Windows 2003. It does not support, for example, SYSVOL folder replication with the DFS-R engine.
For more information see http://www.microsoft.com/en-us/download/details.aspx?id=31063
Therefore you must install an English domain member server to monitor domain controllers installed with a French Windows.
DCDIAG is an Active Directory diagnostic tool that allows comprehensive checking of the availability of domain controllers, the proper
functioning of replication, the availability of FSMO roles, that the services are started ...
Install an English Windows 2008 R2 / Windows 2012 member server. The script only works with the English DCDIAG. Launch Server Manager and
click Add Features.
Add the feature AD DS Snap-Ins and Command-Line Tools under Remote Server Administration Tools | AD DS and AD LDS Tools | AD DS
Tools.
Enter the following command to allow the execution of unsigned scripts (or, better, sign the code of the script): Set-ExecutionPolicy
Unrestricted
{ $Connectivity = "KO" }
{ $Configuration = "KO" }
{ $Sysvol = "KO" }
Configure your monitoring application (like Nagios) to read the 4 result files and display a warning depending on the contents of each
file: OK or KO.
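As an added example (not the monitoring script of the original document), a PowerShell parser for the English output of dcdiag /v /e that derives an OK/KO state per test across all domain controllers and writes one result file per test for the monitoring tool to read. The dcdiag output, the site and domain controller names are constructed sample data.

```powershell
# Added example, not the monitoring script of the original document. It parses the
# English output of "dcdiag /v /e" (hence the English server requirement above),
# derives an OK/KO state per test across all domain controllers and writes one
# result file per test for the monitoring tool. The output below is a constructed
# sample in which DC2 fails the Replications test; it is not a real capture.

$SampleDcdiagOutput = @'
   Testing server: Paris\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck
   Testing server: Lyon\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC2] A recent replication attempt failed:
         ......................... DC2 failed test Replications
      Starting test: SysVolCheck
         ......................... DC2 passed test SysVolCheck
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
'@

function Get-DcdiagTestStatus {
    # Returns the OK/KO state of every test seen in the output and the targets that failed it.
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $pattern = '^\s*\.+\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)\s*$'
    $status = @{}
    $failed = @{}
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $test = $Matches['test']
        if (-not $status.ContainsKey($test)) { $status[$test] = 'OK'; $failed[$test] = @() }
        if ($Matches['result'] -eq 'failed') {
            # One failing domain controller is enough to flag the whole test.
            $status[$test] = 'KO'
            $failed[$test] += $Matches['target']
        }
    }
    [pscustomobject]@{ Status = $status; FailedTargets = $failed }
}

function Write-MonitoringResultFiles {
    # One file per monitored test containing OK or KO; a test absent from the output counts as KO.
    param(
        [Parameter(Mandatory = $true)]$Analysis,
        [Parameter(Mandatory = $true)][string[]]$Tests,
        [Parameter(Mandatory = $true)][string]$OutputFolder
    )
    New-Item -Path $OutputFolder -ItemType Directory -Force | Out-Null
    foreach ($t in $Tests) {
        $value = if ($Analysis.Status.ContainsKey($t)) { $Analysis.Status[$t] } else { 'KO' }
        if ($value -eq 'KO' -and $Analysis.FailedTargets[$t]) {
            $value += ' (' + ($Analysis.FailedTargets[$t] -join ', ') + ')'
        }
        Set-Content -Path (Join-Path $OutputFolder "$t.txt") -Value $value -Encoding ASCII
    }
}

$Analysis = Get-DcdiagTestStatus -Lines ($SampleDcdiagOutput -split "`r?`n")
$Analysis.Status.GetEnumerator() | Sort-Object Key | Format-Table -AutoSize
Write-MonitoringResultFiles -Analysis $Analysis -Tests 'Connectivity', 'Replications', 'SysVolCheck', 'CheckSDRefDom' -OutputFolder (Join-Path $env:TEMP 'dcdiag-check')
```

On the monitoring server, replace $SampleDcdiagOutput with the captured output of dcdiag /v /e and point the monitoring check at the result files.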
If the security of your Active Directory is compromised, Microsoft recommends performing a restore following the Forest Recovery scenario. This
type of restoration is very impacting for production because it requires stopping all the existing domain controllers. Testing this procedure
limits the downtime of the directory and thus the impact on the business. Test the Forest Recovery procedure at least once every 6 months in
a model environment that is a copy of the production environment. The Forest Recovery procedure from Microsoft is available at this
address (Appendix A).
http://technet.microsoft.com/fr-fr/library/planning-active-directory-forest-recovery(v=ws.10).aspx
7.6 PROTECT YOUR ACTIVE DIRECTORY BACKUPS AND IFM (INSTALL FROM MEDIA) FILES
Windows Server Backup is the tool integrated in Windows Server 2008 R1 and later. It can perform a full backup (Bare Metal image) of a domain
controller and generates a VHD or VHDX file (depending on the version of Windows). It allows you to easily restore a domain controller (with a
Bare Metal backup) by booting from the Windows installation DVD and selecting the option Repair your computer. If an attacker manages to copy a
backup of the directory, they will probably restore the domain controller, get the NTDS.DIT and SYSTEM files and then apply the methodology
above to gain administrative access to the domain controller (cmd.exe copied and renamed sethc.exe).
They will also try to recover the passwords of all user accounts and computer accounts from the LM hash or NT hash.
The tool Ntdsutil allows a domain administrator (and other privileged groups) to create an IFM media. This type of media allows you to install a
new domain controller without replicating the contents of the directory over the network. It contains an offline copy of the NTDS.DIT file and of
the SYSTEM hive (HKEY_LOCAL_MACHINE\SYSTEM in the registry). To generate an IFM, use the following procedure:
Ntdsutil ifm
The Ntdsutil tool also allows a privileged user to create an Active Directory snapshot with the following procedure. Open a command prompt and type the following commands:
ntdsutil
snapshot
activate instance ntds
create
To mount the generated snapshot, use its ID as displayed by the list all command. The administrator can then copy/paste the NTDS.DIT and SYSTEM files, which are no longer protected by the system. They can finally unmount and delete the snapshot by typing the following commands:
list all
unmount {ID_SNAPSHOT}
delete {ID_SNAPSHOT}
8 NOTES
8.1 DEPLOYMENT PROCEDURE FOR MICROSOFT CERTIFICATION AUTHORITY
Launch Server Manager on a Windows 2012 R2 domain member machine with an account that is a member of the Enterprise Admins group, and follow the procedure below.
BitLocker encrypts the system drive, a fixed (non-system) disk or a removable disk (USB key, ...). BitLocker is included as a feature in Windows 2008 R2 and later.
BitLocker automatically creates two partitions: a 100 MB partition that is marked active and contains the boot files, and the system partition that contains the system data (C:\Windows). Only the system partition is encrypted. BitLocker can use different devices to store the encryption/decryption key:
• A USB key (startup key only): this method only encrypts the drive. It does not validate the components of the boot sequence and offers no protection against tampering with the hardware. To use this method, your computer must support reading USB devices in the pre-boot environment.
• A smart card: BitLocker then relies on the certificate on the smart card to encrypt/decrypt the hard drive.
• A TPM (Trusted Platform Module): this is the method recommended by Microsoft. It protects the hard drive and validates that the components of the boot sequence have not been altered.
The first step is to install the BitLocker feature on a domain controller (physical or virtual machine). A restart will be required. For more information: http://technet.microsoft.com/fr-fr/library/jj612864.aspx
Then modify the Default Domain Controllers Policy GPO to configure BitLocker properly. Go to Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption and open the setting Provide the unique identifiers for your organization. Enable this setting and select the following settings:
Go to Computer Configuration | Policies | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives | Require additional authentication at startup.
Enable the GPO setting with the following configuration: check the box Allow BitLocker without a compatible TPM.
Select the following choices:
Allow TPM
Do not allow startup PIN with TPM
Do not allow startup key with TPM
Do not allow startup key and PIN with TPM
To secure the system drive of virtual domain controllers, use BitLocker with a startup password. Current virtualization solutions do not natively emulate a TPM, and it is complex to emulate a USB key on a virtual machine. The administration teams will therefore need access to the console of the virtualization solution (Hyper-V, VMware, ...) to restart the domain controllers, because they will have to enter the BitLocker password at startup.
Go to Computer Configuration | Policies | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered.
Enable the GPO setting with the following configuration:
Uncheck the box Allow data recovery agent
Check the box Omit recovery options from the BitLocker setup wizard
Check the box Save BitLocker recovery information to AD DS for operating system drives
Select Store recovery passwords and key packages
Check the box Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
These settings force the BitLocker recovery key to be backed up in Active Directory.
Go to Computer Configuration | Policies | Administrative Templates | System | Trusted Platform Module Services | Turn on TPM backup to Active Directory Domain Services. Enable this GPO setting with the configuration below.
Force replication (NTDS / DFS-R) to all domain controllers and then run the gpupdate /force command on your domain controllers.
Add rights in the directory to allow the TPM owner password to be updated. As explained in the TechNet article http://technet.microsoft.com/fr-fr/library/dd875529(v=ws.10), you must use the Add-TPMSelfWriteACE.vbs script to allow the TPM owner password to be written to the msTPM-OwnerInformation attribute.
By default, only members of the Domain Admins group have the right to view:
• The BitLocker recovery key
• The Trusted Platform Module (TPM) owner password
You can use the Get-TPMOwnerInfo.vbs script to view the Trusted Platform Module (TPM) owner password, or the Get-BitLockerRecoveryInfo.vbs script to view the BitLocker recovery key.
You can now turn on BitLocker on your physical or virtual domain controller from the Control Panel. In our case, the domain controller runs Windows 2012 R2. The Active Directory database (Ntds.dit) and the SYSVOL directory are hosted on the system disk.
If you have forgotten the BitLocker password, you can use the recovery key that is stored on the computer account. To do this, press ESC.
From another domain controller, start the Active Directory Users and Computers console.
Enable the Advanced Features view and the Users, Contacts, and Computers as containers view in the console.
Go to the properties of the domain controller's computer account.
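Once the BitLocker GPO settings above are in place, it is worth checking that recovery information for every domain controller was actually escrowed in AD DS, and an administrator facing the recovery screen needs to find the matching password quickly. The following PowerShell script is an added example, not code from the original guide or from Msreport; it assumes the ActiveDirectory module is available and that the account running it can read msFVE-RecoveryInformation objects (Domain Admins by default, as stated above), and it reports OK/KO in the same convention as the monitoring result files earlier in this chapter.

```powershell
# Added example (not from the original guide). Checks that every domain controller has
# BitLocker recovery information escrowed in AD DS, and looks a recovery password up by
# the Recovery Key ID shown on the BitLocker recovery screen.
# Assumes the ActiveDirectory module is installed and the caller can read
# msFVE-RecoveryInformation objects (Domain Admins by default).
Import-Module ActiveDirectory

function Get-DcBitLockerEscrowStatus {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Recovery information objects are direct children of the computer account.
        $recovery = @(Get-ADObject -SearchBase $dc.ComputerObjectDN -SearchScope OneLevel `
            -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
            -Properties whenCreated)
        # Same OK/KO convention as the monitoring result files used earlier in the guide.
        $status = if ($recovery.Count -gt 0) { 'OK' } else { 'KO' }
        [pscustomobject]@{
            DomainController = $dc.HostName
            RecoveryObjects  = $recovery.Count
            LastEscrow       = ($recovery | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
            Status           = $status
        }
    }
}

function Get-BitLockerRecoveryPasswordById {
    # $KeyIdPrefix: the Recovery Key ID (or its first 8 characters) displayed at boot.
    param([Parameter(Mandatory)][string]$KeyIdPrefix)
    $objects = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword
    foreach ($o in $objects) {
        # msFVE-RecoveryGuid is stored as 16 raw bytes; convert it to a GUID for comparison.
        $guid = [guid]$o.'msFVE-RecoveryGuid'
        if ($guid.ToString().StartsWith($KeyIdPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                Computer         = $o.DistinguishedName -replace '^CN=[^,]+,', ''
                KeyId            = $guid
                RecoveryPassword = $o.'msFVE-RecoveryPassword'
            }
        }
    }
}

# Report escrow status for all domain controllers; a KO line means the GPO did not
# (yet) back up that controller's recovery information to AD DS.
Get-DcBitLockerEscrowStatus | Format-Table -AutoSize
```

A KO status for a controller after replication and gpupdate /force usually means BitLocker was enabled before the GPO applied or the recovery object could not be written; re-check the Do not enable BitLocker until recovery information is stored to AD DS setting on that machine.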
8.3 REFERENCES:
I invite you to read the book Hacking Techniques by Jon Erickson, published by PEARSON. This book will help you understand the main attacks and write scripts for basic attacks.
Microsoft publishes the Active Directory technical specification on MSDN. Reading paragraph 5 (Security) is essential to understand how to secure Active Directory. To download this guide in PDF format (English):
http://msdn.microsoft.com/en-us/library/cc223122.aspx
8.3.3 TO UNDERSTAND THE NTLM AND KERBEROS PROTOCOLS WITH ACTIVE DIRECTORY
I invite you to read these two documents, which are very complete, very clear and in French. Thanks, among others, to Aurélien BORDES for the clarity of his explanations.
https://www.sstic.org/media/SSTIC2007/SSTIC-actes/Secrets_d_authentification_sous_Windows/SSTIC2007-Article-Secrets_d_authentification_sous_Windows-bordes.pdf
http://www.ssi.gouv.fr/IMG/pdf/Aurelien_Bordes_-_Secrets_d_authentification_episode_II_Kerberos_contre-attaque.pdf
The ANSSI (the French national agency for information systems security) has written a very comprehensive document on security recommendations for Active Directory. Many elements of this book come from these recommendations:
http://www.ssi.gouv.fr/IMG/pdf/NP_ActiveDirectory_NoteTech.pdf
Microsoft has written a comprehensive document on security recommendations for Active Directory that can be downloaded from one of the two links below:
http://www.microsoft.com/en-us/download/details.aspx?id=38785
http://aka.ms/bpsad
This document explains the inner workings of RDP, its evolution and how to configure it securely:
https://www.sstic.org/media/SSTIC2012/SSTIC-actes/securite_rdp/SSTIC2012-Article-securite_rdp-ebalard_bordes_rigo_2.pdf
I invite you to read these two documents on the Pass-the-Hash (NTLM) attack:
http://www.microsoft.com/en-us/download/details.aspx?id=36036
http://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283