Showing posts with label Active Directory.

Monday, October 10, 2022

MS updated key concepts in Windows LAPS

Microsoft has changed the key concepts of LAPS: new policies, LAPS for Windows, LAPS in Azure AD, etc.

Check out the following Link:

https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts

Monday, March 1, 2021

Troubleshooting time sync issues on an AD domain computer

In most cases there will be warning events in the System event log from the source Time-Service.

To verify the network connection and the NTP settings you can use w32tm.

Show the source server:

w32tm /query /source

Verify network connectivity to an NTP server:

w32tm /stripchart /computer:ntp01.mydomain.zz

Show the configuration:

w32tm /query /configuration

(Type NT5DS means the client syncs from the domain hierarchy.)

Force the client to use the domain hierarchy:

w32tm /config /syncfromflags:domhier /update

Tuesday, December 1, 2020

Get Zerologons CVE-2020-1472 using PowerShell

Find attached a script to get all systems that are still using vulnerable Netlogon secure channel connections (event 5829), as described in CVE-2020-1472. I want to upload this script to my TechNet gallery, but MS changed it all so I can't access it...

More information about this topic and how to handle the update process:

https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e

You can change the event ID to find other objects, such as trusts.

# --------------------------------------------------------------------------------------------------------
# Author: Tim Buntrock
# Script: Get_ZeroLogons5829.ps1
# Description: Get all machine sAMAccountNames that appear in Event 5829, to find systems that still use
#              vulnerable Netlogon secure channel connections (CVE-2020-1472)
# --------------------------------------------------------------------------------------------------------


# Prepare variables (DC to query and how many minutes back to look)
Param (
        [parameter(Mandatory=$false,Position=0)][String]$DCName = "localhost",
        [parameter(Mandatory=$false,Position=1)][Int]$Minutes = 15)

# Create an array to hold the values
$InsecureNetLogons = @()

# Grab the appropriate events: 5829 from the System log, not older than $Minutes
$Events = Get-WinEvent -ComputerName $DCName -FilterHashtable @{Logname='System'; Id=5829; StartTime=(Get-Date).AddMinutes(-$Minutes)}

# Loop through each event
ForEach ($Event in $Events) {
    $eventXML = [xml]$Event.ToXml()
    # The first EventData field is the machine sAMAccountName; it arrives as a string or as an element with '#text'
    $Data = $eventXML.event.EventData.Data[0]
    $Client = if ($Data -is [string]) { $Data } else { $Data.'#text' }
    # Add it as a row to our array
    $InsecureNetLogons += [pscustomobject]@{ Client = $Client }
}

# Dump it all out to a CSV and open a grid view
Write-Host $InsecureNetLogons.Count "records found ... saving unique entries to .\InsecureNetLogons.csv for DC" $DCName -ForegroundColor DarkYellow
$InsecureNetLogons | Sort-Object -Unique -Property Client | Export-Csv -NoTypeInformation .\InsecureNetLogons.csv
$InsecureNetLogons | Sort-Object -Unique -Property Client | Out-GridView

Thursday, June 25, 2020

Enabling debug logging for the Netlogon service

Activate debug logging using nltest and set the log size using the registry

Type the following command, and then press Enter to enable logging:

Nltest /DBFlag:2080FFFF

 

Setting the maximum log file size for Netlogon logs using Registry

The MaximumLogFileSize registry entry specifies the maximum size. You must create this entry, because it doesn't exist by default.

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Value Name: MaximumLogFileSize

Value Type: REG_DWORD

Value Data: <max log file size in bytes>

1073741824 bytes = 1 GB

This registry setting specifies the disk space for each of the Netlogon.log and Netlogon.bak files, so a setting of 1 GB can require 2 GB of disk space.


Using Policy to enable logging and configuring log size

You can use the following Computer policy to configure the log file size in bytes and debug level:

Computer Configuration\Administrative Templates\System\Net Logon\Specify maximum log file size

1073741824  (1073741824 is 1 GB)

Computer Configuration\Administrative Templates\System\Net Logon\Specify log file debug output level

545325055     (545325055 is equivalent to 0x2080FFFF and enables verbose Netlogon logging!)
Monday, June 15, 2020

LDAP Binds and LDAPS

Bind operations are used to authenticate clients to the Domain Controller, to establish an authorization identity that will be used for subsequent operations processed on that connection, and to specify the LDAP protocol version that the client will use.

This LDAP authentication process supports three types:

  1. Simple bind
  2. Simple Authentication and Security Layer (SASL) bind
  3. Sicily bind


Simple Bind

With an LDAP simple bind, the user credentials used to bind the LDAP client to the Domain Controller are sent unencrypted (unless the connection itself is protected by TLS, see LDAPS below).

SASL

SASL is the term for a framework of mechanisms that allow secured authentication to take place over an unencrypted or encrypted communications channel. In this case Kerberos V5 is used for authentication. Most Microsoft consoles use SASL to authenticate.

Sicily authentication

Active Directory also supports this authentication approach during LDAP binds. It is intended for compatibility with legacy systems and results in NTLM being used as the underlying authentication protocol.


So let's clarify what LDAPS is about...

LDAPS

It's a mechanism that uses TLS to secure the communication between LDAP clients and Domain Controllers, to avoid insecure simple binds or to secure authentication for clients that do not support SASL.

The following scenarios are possible:

LDAPS over port 636 (DC) or port 3269 (GC), where the connection is immediately secured by the DC's certificate: SSL/TLS is negotiated before any LDAP traffic happens.

LDAP using StartTLS over port 389 (DC) or 3268 (GC), where the StartTLS operation is used to establish secure communications. It requires the LDAP client to support the StartTLS operation.
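Added example (not from the post): what the three connection types described above look like from a client, using the System.DirectoryServices.Protocols API. The DC name dc01.test.zz and the test account are assumed; for the Global Catalog you would use ports 3269/3268 in the same way.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-LdapSecure {
    param(
        [Parameter(Mandatory)][string]$Server,                                   # assumed: dc01.test.zz
        [Parameter(Mandatory)][ValidateSet('LDAPS', 'StartTLS', 'SASL')][string]$Mode,
        [System.Net.NetworkCredential]$Credential                                # needed for the simple-bind modes only
    )
    $port = if ($Mode -eq 'LDAPS') { 636 } else { 389 }
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $port, $true, $false)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # VerifyServerCertificate is left unset on purpose: the DC certificate is then checked against the trust store.
    switch ($Mode) {
        'LDAPS' {
            # TLS is negotiated before any LDAP traffic, so the simple bind never exposes the password
            $conn.SessionOptions.SecureSocketLayer = $true
            $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
            $conn.Credential = $Credential
        }
        'StartTLS' {
            # clear-text 389 first, then the StartTLS extended operation upgrades the session before the bind
            $conn.SessionOptions.StartTransportLayerSecurity($null)
            $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
            $conn.Credential = $Credential
        }
        'SASL' {
            # SASL/Negotiate with the current logon (Kerberos); signing and sealing protect the
            # session without TLS, which is what the Microsoft consoles do
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $conn.SessionOptions.Signing = $true
            $conn.SessionOptions.Sealing = $true
        }
    }
    $conn.Bind()      # throws LdapException on failure (untrusted certificate, bad credentials, ...)
    return $conn
}

# Try all three against the assumed DC; the simple-bind modes use a test account you are prompted for
$cred = Get-Credential -Message 'Test account for the simple-bind modes'
foreach ($mode in 'LDAPS', 'StartTLS', 'SASL') {
    try {
        $c = Connect-LdapSecure -Server 'dc01.test.zz' -Mode $mode -Credential $cred.GetNetworkCredential()
        "$mode bind OK"
        $c.Dispose()
    } catch {
        "$mode bind failed: $($_.Exception.Message)"
    }
}
```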


Tuesday, June 9, 2020

Create a keytab file to use SSO for KeyCloak or another tool

You can use this post to create a keytab file for your application to use SSO.

Find attached the details for the sample setup.
Domain: test.zz
User: srviceuser1
Password: HDPw8912hs17!/hsd7
URL: auth-test.service.test.zz
Required encryption: AES256

Command:
ktpass -out c:\auth-test.keytab -princ HTTP/auth-test.test.zz@TEST.ZZ -mapuser srviceuser1 -pass HDPw8912hs17!/hsd7 -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1

If another type of encryption is needed, have a look at the following article:

You can verify that the SPN has been applied to the account using the following command:
setspn -L srviceuser1

The last thing we have to do is to enable AES256 encryption support on the account srviceuser1. Open Active Directory Users & Computers, open the properties of srviceuser1, go to the Account tab and select the following checkbox under Account options: "This account supports Kerberos AES 256 bit encryption"


Monday, June 1, 2020

Microsoft Security Compliance Toolkit

If you don't have any security baseline tools for Windows and Microsoft products yet, you should check this out. The Microsoft Security Compliance Toolkit is a collection of tools and templates released by Microsoft to give security admins access to the recommended security configuration baselines for the Windows OS and some Microsoft products. You can manage both domain and local policies!

You can download the tool here:

Wednesday, March 11, 2020

Hunting insecure LDAP Binds


Look at the Directory Service event log of your DC for Event IDs 2886 and 2887.
If Event ID 2886 is logged, it indicates that LDAP signing is not being enforced by your DC!
The second event, ID 2887, occurs every 24 hours and reports how many unsigned / clear-text binds have occurred against your DC.

How do we get the systems that are performing such binds?
We need to raise our logging level so that a new event with ID 2889 is logged. With that event we can see the IPs and accounts that are binding insecurely.

Set simple LDAP bind logging:
Set-ItemProperty -Path 'HKLM:SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value "2"

Later use this PS command to disable simple LDAP bind logging again:
Set-ItemProperty -Path 'HKLM:SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value "0"

After enabling it, we can see the event in our Directory Service log.

To get an overview of these events you can use the following script:
Query-InsecureLDAPBinds.ps1

Just change the last part so that you only get unique entries:
$InsecureLDAPBinds | Sort-Object -Unique -Property User,IPAddress | Export-CSV -NoTypeInformation .\InsecureLDAPBinds.csv

The script exports a CSV from the specified domain controller containing all unsigned and clear-text LDAP binds made to the DC, by extracting Event 2889 from the "Directory Service" event log.

Example execution to get all insecure binds happening in the last 24 hours for DC01:
.\Query-InsecureLDAPBinds.ps1 -computername DC01 -Hours 24
The output .CSV will include IP Addresses, Ports, Username and the binding type.

"IPAddress","Port","User","BindType"
"10.120.0.88","60966","TIM\ldapuser","Simple"
"10.120.1.110","65445","TIM\ldapuser2","Simple"
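As an added example (not the Query-InsecureLDAPBinds.ps1 script referenced above), a function that reads the 2889 events from a DC and summarises them per client, account and bind type: the same de-duplication as the modified last line, plus a count and the last time it was seen. It assumes the EventData order of Event 2889 (client address, identity, binding type) and that binding type 0 is an unsigned SASL bind and 1 a clear-text simple bind; DC01 is a placeholder name.

```powershell
function Get-InsecureLdapBindSummary {
    param([string]$ComputerName = 'localhost', [int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No 2889 events on $ComputerName in the last $Hours hours (is '16 LDAP Interface Events' set to 2?)"
        return
    }
    $binds = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        # Data elements come back as plain strings or as XmlElements with a '#text', depending on the schema
        $data = @($x.Event.EventData.Data | ForEach-Object { if ($_ -is [string]) { $_ } else { $_.'#text' } })
        $client = [string]$data[0]                    # assumed layout: "ip:port"
        $sep = $client.LastIndexOf(':')
        $bindType = switch ([string]$data[2]) { '0' { 'Unsigned' } '1' { 'Simple' } default { "Unknown($_)" } }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            IPAddress   = if ($sep -ge 0) { $client.Substring(0, $sep) } else { $client }
            Port        = if ($sep -ge 0) { $client.Substring($sep + 1) } else { '' }
            User        = [string]$data[1]
            BindType    = $bindType
        }
    }
    # one row per client / account / bind type, ranked by how often it happened
    $binds | Group-Object IPAddress, User, BindType | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            IPAddress = $first.IPAddress
            User      = $first.User
            BindType  = $first.BindType
            Count     = $_.Count
            LastSeen  = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
        }
    } | Sort-Object Count -Descending
}

Get-InsecureLdapBindSummary -ComputerName DC01 -Hours 24 | Export-Csv .\InsecureLDAPBinds-Summary.csv -NoTypeInformation
```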

Thursday, February 20, 2020

PowerShell Get LDAP limits / Default Query Policy

Hi guys,
to get the LDAP limits defined in the Default Query Policy, just run the following PowerShell snippet. Before you do so, replace DC=DOMAIN,DC=ZZ with your domain!

Get-ADObject -Filter 'ObjectClass -eq "querypolicy"' -SearchBase 'CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=ZZ' -Properties lDAPAdminLimits | foreach {$_.lDAPAdminLimits}

Monday, February 17, 2020

Configure ADWS debug Log

To configure ADWS debug logging, you have to add some lines to the <appSettings> section:
First you have to set the log level:

<add key="DebugLevel" value="<Loglevel>" />

<Loglevel> can be one of the following values:
None, Error, Warn or Info.

Then you must configure the debug file path:

<add key="DebugLogFile" value="<Logpath>" />

To log errors and warnings, add these two lines:

<add key="DebugLevel" value="Warn" />

<add key="DebugLogFile" value="C:\AdwsDebug.log" />

After that you have to restart ADWS:
Restart-Service -Name ADWS

Friday, February 7, 2020

Get Azure AD user synchronization time

First you have to connect to MSOnline using your credentials:

$credential = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $credential

Then you can get the attribute called LastDirSyncTime using the following command:

Get-MSOlUser -UserPrincipalName "tim.buntrock@domain.com" | Select-Object LastDirSyncTime


Tuesday, December 17, 2019

PowerShell Get Domain Controller OS and hardware info

You can use the following script to retrieve the following information for every Domain Controller:

ComputerName
OperatingSystem
Memory in GB
CPU


$DCs = Get-ADDomainController -Filter *

foreach ($DC in $DCs) {
    $name = $DC.HostName   # Get-ADDomainController returns objects; use the FQDN for the remote calls
    if (-not (Test-Connection -ComputerName $name -Quiet -Count 1)) {
        Write-Warning -Message "The DC [$name] is offline."
    } else {
        $os  = Get-CimInstance -ComputerName $name -ClassName Win32_OperatingSystem
        $cs  = Get-CimInstance -ComputerName $name -ClassName Win32_ComputerSystem
        $cpu = Get-CimInstance -ComputerName $name -ClassName Win32_Processor
        [pscustomobject]@{
            ComputerName    = $name
            OperatingSystem = $os.Caption
            MemoryGB        = [math]::Round($cs.TotalPhysicalMemory / 1GB)
            CPU             = ($cpu.Name | Select-Object -Unique) -join ', '   # several sockets -> one string
        }
    }
}

Thursday, November 28, 2019

Adding the Attribute Editor tab for Active Directory objects

For some objects, and maybe for some systems using a specific language, the Attribute Editor tab won't appear even when you have the "Advanced Features" view selected. This may be caused by a faulty forest update or a misconfiguration. To fix this issue we must update the DisplaySpecifiers in the AD Configuration partition.

The following example will show you how to update it for AD User objects.

Open ADSIEdit

Click “Connect to” under the actions menu

Leave the defaults, except select the well-known naming context "Configuration"

Expand the Configuration Branch and select CN=DisplaySpecifiers container

Expand your language code, e.g. CN=407 (for de-DE); other language codes can be found at: https://support.microsoft.com/en-us/help/324097/list-of-language-packs-and-their-codes-for-windows-2000-domain-control

Click on CN=user-Display

Double click AdminPropertyPages and add the following value: 11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}


If you want to see the Attribute Editor tab on other objects, such as CN=organizationalUnit-Display or CN=computer-Display, you have to add 12,{c7436f12-a27f-4cab-aaca-2bd27ed1b773} to their AdminPropertyPages.
Tuesday, November 12, 2019

Get all DFS Folder targets of a DFS path

Find attached a script to get the DFS folder targets. The targets will be saved to c:\temp\DFSFolderTargets.csv. Just change the variable $DFSPath = "\\Domainfqdn\Folder\*" to your DFS path.

$DFSPath = "\\Domainfqdn\Folder\*"
$DFSPath
$DFSNFolders = Get-DfsnFolder $DFSPath
foreach($DFSNFolder in $DFSNFolders )
    {
    $DFSTarget = Get-DfsnFolderTarget $DFSNFolder.Path | Select Path,TargetPath
    $DFSTarget | Export-Csv "c:\temp\DFSFolderTargets.csv" -NoTypeInformation -Append
    }

Wednesday, October 30, 2019

Hunting bad LDAP queries on your DC

This is a quick guide to find bad LDAP queries running against your Domain Controller.

To get the needed events on your DC, set the following registry settings using PowerShell:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Diagnostics' -Name '15 Field Engineering' -Value "5"
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Expensive Search Results Threshold' -Value "0"
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Inefficient Search Results Threshold' -Value "0"
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Search Time Threshold (msecs)' -Value "120"

Your DC is now logging event 1644, with information about the LDAP queries.

With these commands, any LDAP query that takes longer than 120 ms (Search Time Threshold (msecs)) will be logged.

The log level is set to 5 ('15 Field Engineering' -Value "5"), which means all events are logged, including debug strings and configuration changes; a complete log of the service is recorded.

Expensive LDAP searches are searches that visit a large number of entries. The default threshold for an expensive search is 10000 visited entries. It can be set using the Expensive Search Results Threshold registry value; in this case we set it to 0 to get all queries.

Inefficient searches are searches that return less than 10% of the visited entries. The default visited-entries threshold for an inefficient query is 1000, which means that if a query visits fewer than 1000 entries it will not be considered inefficient, even if it returns no entry at all. So we set it to 0 to get all queries.

So now you can open the Event Viewer, go to the Directory Service log and, depending on the number of "bad" LDAP queries, you will see a lot of 1644 events. In these events you get information like user, filter, client and the attributes preventing optimization. With these values you can identify the source and fix it.


Find attached an example event:

Internal event: A client issued a search operation with the following options. 
Client:
10.10.10.10:54601 
Starting node:
dc=domain,dc=int
Filter:
( |  (uid=Jon.Doe)  (sAMAccountName=Jon.Doe) )  
Search scope:
subtree 
Attribute selection:
uid,sAMAccountName 
Server controls:
Visited entries:
359807 
Returned entries:

Used indexes:
DNT_index:662818:N; 
Pages referenced:
2945008 
Pages read from disk:

Pages preread from disk:

Clean pages modified:

Dirty pages modified:

Search time (ms):
4111
Attributes Preventing Optimization:
uid  
User:
domain\serviceaccount.1

In this case you can contact the admin responsible for the client 10.10.10.10 and modify the query to use a better filter. For example, if you don't use the uid attribute in AD, you can remove it from the LDAP query and just search for the sAMAccountName.

If you have enough logs collected, you can revert your changes using the following commands:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Diagnostics' -Name '15 Field Engineering' -Value "0"
Remove-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Expensive Search Results Threshold'
Remove-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Inefficient Search Results Threshold'
Remove-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Search Time Threshold (msecs)'
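Added example (not part of the post): a parser for the 1644 event text, using the field labels of the sample event above, that classifies each search as expensive or inefficient with the default thresholds just described, plus a report that ranks the offending client/user/filter combinations on a DC. The message text is parsed rather than relying on the EventData order; the sample at the end is an abridged copy of the post's event so the parser can be tried without a DC.

```powershell
function ConvertFrom-LdapSearchEvent {
    param([Parameter(Mandatory)][string]$Message,
          [int]$ExpensiveThreshold = 10000, [int]$InefficientThreshold = 1000)
    # every field of the message is a "<Label>:" line followed by its value on the next line
    function Get-Field([string]$Label) {
        $m = [regex]::Match($Message, '(?m)^' + [regex]::Escape($Label) + ':[ \t]*\r?\n(.*)$')
        if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
    }
    function Get-Number([string]$Label) { $v = Get-Field $Label; if ($v) { [int64]$v } else { [int64]0 } }
    $visited  = Get-Number 'Visited entries'
    $returned = Get-Number 'Returned entries'   # the line is empty when nothing was returned
    $client   = Get-Field 'Client'              # "ip:port" - keep the IP only
    $ip = if ($client.Contains(':')) { $client.Substring(0, $client.LastIndexOf(':')) } else { $client }
    [pscustomobject]@{
        ClientIP     = $ip
        User         = Get-Field 'User'
        Filter       = Get-Field 'Filter'
        Visited      = $visited
        Returned     = $returned
        SearchTimeMs = Get-Number 'Search time (ms)'
        NonIndexed   = Get-Field 'Attributes Preventing Optimization'
        Expensive    = $visited -gt $ExpensiveThreshold                                            # too many entries visited
        Inefficient  = ($visited -ge $InefficientThreshold) -and ($returned -lt 0.1 * $visited)    # under 10 % hit rate
    }
}
# Read the 1644 events from a DC and rank the offending client / user / filter combinations
function Get-LdapSearchEventReport {
    param([string]$ComputerName = 'localhost', [int]$Hours = 24)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Directory Service'; Id = 1644; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { ConvertFrom-LdapSearchEvent -Message $_.Message } |
        Where-Object { $_.Expensive -or $_.Inefficient } |
        Group-Object ClientIP, User, Filter | ForEach-Object {
            $g = $_.Group
            [pscustomobject]@{ ClientIP = $g[0].ClientIP; User = $g[0].User; Filter = $g[0].Filter
                               NonIndexed = $g[0].NonIndexed; Count = $_.Count
                               TotalVisited = ($g | Measure-Object Visited -Sum).Sum
                               TotalTimeMs  = ($g | Measure-Object SearchTimeMs -Sum).Sum }
        } | Sort-Object TotalTimeMs -Descending
}
# constructed from the post's sample event (abridged) so the parser can be tried without a DC
$sample = @'
Client:
10.10.10.10:54601
Filter:
( |  (uid=Jon.Doe)  (sAMAccountName=Jon.Doe) )
Visited entries:
359807
Returned entries:

Search time (ms):
4111
Attributes Preventing Optimization:
uid
User:
domain\serviceaccount.1
'@
ConvertFrom-LdapSearchEvent -Message $sample
```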
Tuesday, February 19, 2019

Attribute Editor tab missing in Active Directory Users and Computers search


Problem:
If you search for a user account, you don't see the Attribute Editor tab in the properties of the user account.

First, "Advanced Features" has to be activated in the "Active Directory Users and Computers" console. Just select View and click on Advanced Features.

Using an LDAP query:

  • Right-click Saved Queries and click the New Query option
  • Type in a name for your saved query, such as "Search SamAccount"
  • Click the Define Query button
  • Under the Find drop-down list, select Custom Search
  • Click the Advanced tab
  • Type in your query, e.g.:
  • (objectcategory=person)(samaccountname=*tim.buntrock*)


Using the group trick:

  • Search for a user
  • Click on the Member Of tab
  • Open one of the user's groups
  • Close the user's properties dialog
  • Search for the user in the group's Members tab and double-click him
  • Now you should see the Attribute Editor tab



Using Active Directory Administrative Center instead of ADUC
If you are using the AD Administrative Center you can directly access the Attribute Editor after a search.

Wednesday, November 7, 2018

Get and setup ADMX Files for Office 365 ProPlus, Office 2019 and Office 2016

The new ADMX/ADML files are used by Group Policy to configure installations of Office 365 products, such as Office 365 ProPlus, and volume-licensed versions of Office 2019 and Office 2016.
https://www.microsoft.com/en-us/download/details.aspx?id=49030

You have to copy the files to:
%SYSTEMROOT%\PolicyDefinitions

Or if you are using a CentralStore, just copy these files to:
\\DOMAIN-FQDN\SYSVOL\DOMAIN-FQDN\policies\PolicyDefinitions

Friday, July 13, 2018

PowerShell: Get Files on your SYSVOL that are greater than 1 MB

Folks,

you can use the following script to get the files on your SYSVOL that are greater than 1 MB and to save the output to CSV and XLSX. ADM files will be excluded.

Download my script on SPICEWORKS

Have a nice day.

Cheers,
Tim

Tuesday, July 10, 2018

lastLogon vs lastLogonTimestamp vs lastLogonDate - explained

Today I want to write about these "last logon" attributes... This can be a little bit confusing if you look it up on the internet, so in this post I will try to explain it simply.

lastLogon 
The lastLogon attribute is only updated on the Domain Controller where the logon actually happened and it is not replicated. It is updated after each interactive logon.
An interactive logon to a computer can be performed either locally, when the user has direct physical access, or remotely, through Terminal Services, in which case the logon is further qualified as remote interactive.