Thursday, June 25, 2020

Enabling debug logging for the Netlogon service

Activate debug logging using nltest and set the log size using the registry

Type the following command, and then press Enter to enable logging:

Nltest /DBFlag:2080FFFF


Setting the maximum log file size for Netlogon logs using the registry

The MaximumLogFileSize registry entry specifies the maximum size of the log file. You must create this entry, because it does not exist by default.

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Value Name: MaximumLogFileSize

Value Type: REG_DWORD

Value Data: <max log file size in bytes>

1073741824 Bytes is 1 GB

This registry setting specifies the maximum size of each of the Netlogon.log and Netlogon.bak files, so the disk space actually used can be double the configured value. For example, a setting of 1 GB can require 2 GB of disk space.


Using Policy to enable logging and configuring log size

You can use the following Computer Configuration policies to configure the log file size in bytes and the debug output level:

Computer Configuration\Administrative Templates\System\Net Logon\Specify maximum log file size

1073741824  (1073741824 is 1 GB)

Computer Configuration\Administrative Templates\System\Net Logon\Specify log file debug output level

545325055     (545325055 is equivalent to 0x2080FFFF and enables verbose Netlogon logging!)
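
The registry and policy steps above, as an added PowerShell example (not from the original post) that enables verbose Netlogon logging, caps the log size, verifies the resulting registry values and shows how to turn logging off again. It assumes an elevated session on the Domain Controller; the only values it uses are the 0x2080FFFF flag and the 1 GB size quoted above.

```powershell
# Added example (not from the original post): enable verbose Netlogon debug
# logging, cap the log size, verify the settings, and disable logging again.
# Run in an elevated PowerShell session on the Domain Controller.

$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# nltest takes the flag in hex; the Group Policy setting wants the same value in decimal.
$dbFlag   = 0x2080FFFF      # verbose Netlogon logging, 545325055 in decimal
$maxBytes = 1073741824      # 1 GB, the size used by both the registry and the policy setting

# Show both representations so the value typed into the policy UI can be checked
"DBFlag  0x{0:X8} = {0} decimal" -f $dbFlag
"MaxSize {0} bytes = {1} GB"     -f $maxBytes, ($maxBytes / 1GB)

# 1. Limit the size of Netlogon.log (and its rotated copy Netlogon.bak).
#    MaximumLogFileSize does not exist by default; -Force creates or overwrites it.
New-ItemProperty -Path $netlogonParams -Name 'MaximumLogFileSize' `
    -PropertyType DWord -Value $maxBytes -Force | Out-Null

# 2. Enable verbose logging. nltest stores the flag in the DBFlag value under the same key.
nltest /DBFlag:2080FFFF

# 3. Verify what is now in the registry
Get-ItemProperty -Path $netlogonParams |
    ForEach-Object { 'DBFlag=0x{0:X8} MaximumLogFileSize={1}' -f $_.DBFlag, $_.MaximumLogFileSize }

# The log is written to %windir%\debug\netlogon.log
Get-Item "$env:windir\debug\netlogon.log" -ErrorAction SilentlyContinue

# 4. When troubleshooting is finished, turn verbose logging off again:
#    the log is noisy and records account names and client addresses.
# nltest /DBFlag:0x0
```

Disabling the flag when you are done matters as much as enabling it: a 1 GB verbose log that keeps rotating on a Domain Controller is both an availability cost and an extra place where logon metadata accumulates.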

Monday, June 15, 2020

LDAP Binds and LDAPS

Bind operations are used to authenticate clients to the Domain Controller, to establish an authorization identity that will be used for subsequent operations processed on that connection, and to specify the LDAP protocol version that the client will use.

LDAP authentication against Active Directory supports three bind types:

  1. Simple bind
  2. Simple Authentication and Security Layer (SASL) bind
  3. Sicily bind


Simple Bind

With an LDAP simple bind, the user credentials used to bind the LDAP client to the Domain Controller are sent unencrypted.

SASL

SASL is the term for a framework of mechanisms that allow secured authentication to take place over an unencrypted or encrypted communications channel. In the Active Directory case, Kerberos V5 is used for authentication. Most Microsoft consoles use SASL to authenticate.

Sicily authentication

Active Directory also supports this authentication approach during LDAP binds. It is intended for compatibility with legacy systems and results in NTLM being used as the underlying authentication protocol.


So let's clarify what LDAPS is about...

LDAPS

LDAPS is a mechanism that uses TLS to secure communication between LDAP clients and Domain Controllers. It protects the otherwise insecure simple bind and secures authentication for clients that do not support SASL.

The following scenarios are possible:

LDAPS over port 636 (DC) or port 3269 (GC), where the connection is secured immediately using the server certificate: SSL/TLS is negotiated before any LDAP traffic is sent.

LDAP using StartTLS over port 389 (DC) or 3268 (GC), where the StartTLS operation upgrades the existing plain connection to a secured one. It requires the LDAP client to support the StartTLS operation.
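
The three secured variants just described (LDAPS on 636/3269, StartTLS on 389/3268, and SASL/Kerberos on 389/3268), as an added PowerShell example that is not part of the original post. It uses the .NET System.DirectoryServices.Protocols API; the server name dc01.example.com is a placeholder, and the function name New-SecureLdapConnection is my own.

```powershell
# Added example (not from the original post): open an LDAP connection to a
# Domain Controller in each of the secured modes described above.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-SecureLdapConnection {
    param(
        [Parameter(Mandatory)] [string] $Server,      # placeholder, e.g. dc01.example.com
        [ValidateSet('Ldaps', 'StartTls', 'Sasl')] [string] $Mode = 'Ldaps',
        [switch] $GlobalCatalog
    )
    # Port selection follows the post: 636/3269 for LDAPS, 389/3268 for StartTLS and SASL
    $port = switch ($Mode) {
        'Ldaps' { if ($GlobalCatalog) { 3269 } else { 636 } }
        default { if ($GlobalCatalog) { 3268 } else { 389 } }
    }

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion = 3

    switch ($Mode) {
        'Ldaps' {
            # TLS handshake happens before any LDAP message, so a simple bind is acceptable here
            $conn.SessionOptions.SecureSocketLayer = $true
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        }
        'StartTls' {
            # Plain connection first; the StartTLS extended operation upgrades it before the bind
            $conn.SessionOptions.StartTransportLayerSecurity($null)
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        }
        'Sasl' {
            # SASL via Negotiate (Kerberos V5 in a domain): the password never crosses the
            # wire, even though the port is the plain 389/3268
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        }
    }
    return $conn
}

# Usage: bind as the current Windows identity with Kerberos over 389 ...
$sasl = New-SecureLdapConnection -Server 'dc01.example.com' -Mode Sasl
$sasl.Bind()
$sasl.Dispose()

# ... and as an explicitly supplied account with a simple bind, but only over LDAPS
$ldaps = New-SecureLdapConnection -Server 'dc01.example.com' -Mode Ldaps
$cred = Get-Credential -Message 'Account for the simple bind over TLS'
$ldaps.Bind($cred.GetNetworkCredential())
$ldaps.Dispose()
```

The one combination the function deliberately does not offer is AuthType Basic on port 389 without StartTLS: that is the unencrypted simple bind from the first section, and the point of LDAPS and StartTLS is that such a bind only ever travels inside TLS.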


Tuesday, June 9, 2020

Create a keytab file to use SSO for KeyCloak or another tool

You can use this post to create a keytab file so that your application can use SSO.

Details of the sample setup:
Domain: test.zz
user: srviceuser1
pw: HDPw8912hs17!/hsd7
url: auth-test.service.test.zz
Required encryption: AES256

Command:
ktpass -out c:\auth-test.keytab -princ HTTP/auth-test.test.zz@TEST.ZZ -mapuser srviceuser1 -pass HDPw8912hs17!/hsd7 -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1
If another type of encryption is needed, you should have a look at the following article:

You can verify that the SPN is applied to the account using the following command.
setspn -L srviceuser1

The last thing we have to do is to enable support for AES256 encryption on the account serviceuser1. Open Active Directory Users & Computers, open the properties of serviceuser1, go to the Account tab and select the following checkbox under Account options: “This account supports Kerberos AES 256 bit encryption”.
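
The SPN check and the AES256 checkbox above, as an added PowerShell example (not from the original post) that does both with the ActiveDirectory module and decodes the msDS-SupportedEncryptionTypes attribute before and after the change. It uses the account and SPN from the sample setup (srviceuser1, HTTP/auth-test.test.zz); the bit values in the table are the standard Kerberos encryption-type flags, and the helper name Get-SupportedEncTypes is my own.

```powershell
# Added example (not from the original post): verify the SPN registered by ktpass and
# enable AES256 for the service account, the scripted equivalent of the ADUC checkbox.
Import-Module ActiveDirectory

$account = 'srviceuser1'
$spn     = 'HTTP/auth-test.test.zz'

# Bits of msDS-SupportedEncryptionTypes (standard Kerberos encryption-type flags)
$encTypeBits = [ordered]@{ DES_CBC_CRC = 0x1; DES_CBC_MD5 = 0x2; RC4_HMAC = 0x4; AES128 = 0x8; AES256 = 0x10 }

function Get-SupportedEncTypes([int] $Mask) {
    # Decode the bitmask into readable names; an empty result means "domain default"
    $encTypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object Key
}

$user = Get-ADUser -Identity $account -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes'

# 1. Is the SPN from the ktpass command present? Same information as: setspn -L srviceuser1
if ($user.servicePrincipalName -notcontains $spn) {
    Write-Warning "SPN $spn is not registered on $account"
} else {
    "SPN $spn is registered on $account"
}

# 2. Current encryption types (unset or 0 means the account falls back to the domain default)
$before = [int]($user.'msDS-SupportedEncryptionTypes')
"Before: {0} ({1})" -f $before, ((Get-SupportedEncTypes $before) -join ', ')

# 3. Allow only AES256, matching the checkbox and the -crypto AES256-SHA1 option of ktpass
Set-ADUser -Identity $account -KerberosEncryptionType AES256

$after = [int](Get-ADUser -Identity $account -Properties 'msDS-SupportedEncryptionTypes').'msDS-SupportedEncryptionTypes'
"After:  {0} ({1})" -f $after, ((Get-SupportedEncTypes $after) -join ', ')
```

Selecting only AES256 means the account will no longer be issued RC4 service tickets, so any client that can only do RC4 will start failing against this service; that is the intended effect, but it is worth knowing before flipping the setting on a shared account.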


Monday, June 1, 2020

Microsoft Security Compliance Toolkit

If you don't have any security baseline tooling for Windows and Microsoft products, you should check this out. The Microsoft Security Compliance Toolkit is a collection of tools and templates released by Microsoft to give security admins access to recommended security configuration baselines for Windows and some Microsoft products. You can manage both domain and local policies!

You can download the tool here: