Showing posts with label LDAP. Show all posts

Monday, June 15, 2020

LDAP Binds and LDAPS

Bind operations authenticate a client to the Domain Controller, establish the authorization identity that is used for all subsequent operations on that connection, and specify the LDAP protocol version the client will use.

Active Directory supports three kinds of bind:

  1. Simple bind
  2. Simple Authentication and Security Layer (SASL) bind
  3. Sicily bind


Simple Bind

With an LDAP simple bind, the user credentials used to bind the LDAP client to the Domain Controller are sent in clear text. Anyone on the network path can read the password unless the connection itself is protected by TLS, which is what LDAPS and StartTLS (below) provide.

SASL

SASL is a framework of authentication mechanisms that can be used over an unencrypted or an encrypted channel. Active Directory advertises the GSSAPI, GSS-SPNEGO, EXTERNAL and DIGEST-MD5 mechanisms; in practice GSS-SPNEGO or GSSAPI with Kerberos V5 is what you will see (GSS-SPNEGO can fall back to NTLM), and most Microsoft consoles use a SASL bind. A SASL bind protects the credentials, but the rest of the session is only protected if the client also negotiates signing and sealing, which is why the DC counts unsigned SASL binds as insecure.

Sicily authentication

Active Directory also supports Sicily binds for compatibility with legacy systems. A Sicily bind results in NTLM being used as the underlying authentication protocol.


So let's clarify what LDAPS is about...

LDAPS

LDAPS wraps the LDAP connection between the client and the Domain Controller in TLS. It protects simple binds that would otherwise send the password in clear text, and it gives clients that do not support SASL an encrypted channel. The DC needs a server certificate that the client can validate; a client that accepts any certificate is still open to interception.

The following scenarios are possible:

LDAPS over port 636 (DC) or port 3269 (GC), where the connection is secured by the server certificate right away: the TLS handshake is completed before any LDAP traffic is sent.

LDAP with StartTLS over port 389 (DC) or 3268 (GC), where the connection starts in clear text and the StartTLS extended operation upgrades it to TLS before the bind. This requires the LDAP client to support the StartTLS operation.
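As an added example that is not part of the original post, the following PowerShell function exercises each of the bind types above with System.DirectoryServices.Protocols, so you can watch on the wire (or in the DC's event log) how a simple bind on 389, a simple bind over LDAPS, StartTLS and a signed SASL bind differ. The server name dc01.corp.example and the credential are placeholders; everything else uses only the public LdapConnection API.

```powershell
# Added example, not code from the original post. Exercises the bind types described above.
# Assumptions: the DC name dc01.corp.example and the credential are placeholders; run as a
# domain user on a domain-joined host so the SASL case can obtain a Kerberos ticket.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][ValidateSet('Simple', 'Ldaps', 'StartTls', 'Sasl')][string]$Mode,
        [pscredential]$Credential,          # omitted: bind as the current user (SASL only)
        [switch]$GlobalCatalog              # use 3268/3269 instead of 389/636
    )
    $port = switch ($Mode) {
        'Ldaps' { if ($GlobalCatalog) { 3269 } else { 636 } }
        default { if ($GlobalCatalog) { 3268 } else { 389 } }
    }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3

    # Validate the DC certificate chain instead of accepting any certificate (LDAPS and StartTLS).
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.Build([System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate)
    }

    switch ($Mode) {
        'Simple' {
            # Password travels in clear text on 389; a DC with 2889 logging reports it as binding type 1.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        }
        'Ldaps' {
            # TLS handshake first, then the same simple bind, now inside the TLS session.
            $conn.SessionOptions.SecureSocketLayer = $true
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        }
        'StartTls' {
            # Clear-text TCP session upgraded with the StartTLS extended operation before binding.
            $conn.SessionOptions.StartTransportLayerSecurity($null)
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        }
        'Sasl' {
            # GSS-SPNEGO (Kerberos where available). Signing and sealing are requested so the
            # session is integrity- and confidentiality-protected and not counted as unsigned.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $conn.SessionOptions.Signing = $true
            $conn.SessionOptions.Sealing = $true
        }
    }

    try {
        if ($Credential) { $conn.Bind($Credential.GetNetworkCredential()) } else { $conn.Bind() }
        $result = 'bound'
    } catch {
        $result = $_.Exception.Message      # e.g. server unavailable, certificate failure, bad credentials
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]@{ Server = $Server; Port = $port; Mode = $Mode; Result = $result }
}

# Usage: one credential prompt, then every bind type against the same DC.
# $cred = Get-Credential
# 'Sasl', 'Ldaps', 'StartTls', 'Simple' | ForEach-Object { Test-LdapBind -Server 'dc01.corp.example' -Mode $_ -Credential $cred }
```

On a DC that has no server certificate the Ldaps and StartTls cases fail with "The LDAP server is unavailable" while Simple still succeeds, which is exactly the situation the rest of this page is about: the clear-text bind works, so nobody notices that the encrypted ones do not.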


Wednesday, March 11, 2020

Hunting insecure LDAP Binds


Look in the Directory Service log of your DC for Event IDs 2886 and 2887.
Event ID 2886 is logged when the directory service starts and the DC is not configured to require LDAP signing!
Event ID 2887 is logged every 24 hours and reports how many unsigned and clear-text binds have been made to this DC in that period.

How do we find the systems that perform such binds?
We raise the LDAP interface diagnostics level so that the DC logs a new event, ID 2889, for every insecure bind. That event shows the client IP address and the account that was used to bind insecurely.

Set simple LDAP bind logging (a value of 2 or higher turns event 2889 on):
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value 2

Later use this command to disable it again:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value 0

The setting is per DC, so repeat it on every DC you want to monitor. After enabling it, the 2889 events appear in the Directory Service log of that DC; on a busy DC with many insecure clients the volume can be high, so keep the logging window short.

To get an overview of these events you can use the following script:
Query-InsecureLDAPBinds.ps1

Just change the last line to keep only unique user/IP combinations:
$InsecureLDAPBinds | Sort-Object -Unique -Property User,IPAddress | Export-Csv -NoTypeInformation .\InsecureLDAPBinds.csv

The script extracts Event 2889 from the "Directory Service" event log of the specified domain controller and exports a CSV containing all unsigned and clear-text LDAP binds made to that DC.

Example execution to get all insecure binds of the last 24 hours on DC01:
.\Query-InsecureLDAPBinds.ps1 -ComputerName DC01 -Hours 24
The output CSV includes IP address, port, user name and binding type.

"IPAddress","Port","User","BindType"
"10.120.0.88","60966","TIM\ldapuser","Simple"
"10.120.1.110","65445","TIM\ldapuser2","Simple"
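If you would rather not depend on the linked script, here is an added example (my own code, not Query-InsecureLDAPBinds.ps1) that reads the 2889 events with Get-WinEvent, checks whether 2886 has been logged, and summarizes unique IP/account/bind-type combinations with a count and the last time seen. The mapping of binding type 0 to an unsigned SASL bind and 1 to a clear-text simple bind is an assumption that matches the "Simple" rows in the CSV above; check it against one of your own events. DC01 and the two offline sample events are constructed.

```powershell
# Added example, not the Query-InsecureLDAPBinds.ps1 script referenced above. Reads event 2889 from a
# DC's Directory Service log, checks for 2886, and summarizes who is binding insecurely.
# Assumption: binding type 0 = SASL bind without signing, 1 = simple bind without TLS; verify it
# against one real 2889 event before trusting the BindType column.

function ConvertFrom-LdapBindEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        # Properties: [0] client "ip:port", [1] identity the client bound as, [2] binding type.
        $endpoint = [string]$Event.Properties[0].Value
        $sep      = $endpoint.LastIndexOf(':')           # last colon, so IPv6 literals stay intact
        $bindType = switch ([int]$Event.Properties[2].Value) { 0 { 'Unsigned' } 1 { 'Simple' } default { "Unknown($_)" } }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            IPAddress   = $endpoint.Substring(0, $sep)
            Port        = $endpoint.Substring($sep + 1)
            User        = [string]$Event.Properties[1].Value
            BindType    = $bindType
        }
    }
}

function Get-InsecureLdapBind {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # 2886 is written at service start when the DC does not require LDAP signing.
    $signingNotRequired = [bool](Get-WinEvent -ComputerName $ComputerName -MaxEvents 1 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 2886 })
    Write-Verbose "LDAP signing not required on ${ComputerName}: $signingNotRequired"
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } |
        ConvertFrom-LdapBindEvent |
        Group-Object IPAddress, User, BindType |
        ForEach-Object {
            [pscustomobject]@{
                IPAddress = $_.Group[0].IPAddress
                User      = $_.Group[0].User
                BindType  = $_.Group[0].BindType
                Count     = $_.Count
                LastSeen  = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
            }
        } | Sort-Object Count -Descending
}

# Offline check of the parser with two constructed events shaped like the real ones:
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Properties = @(@{ Value = '10.120.0.88:60966' }, @{ Value = 'TIM\ldapuser' }, @{ Value = 1 }) },
    [pscustomobject]@{ TimeCreated = Get-Date; Properties = @(@{ Value = 'fe80::1:58311' },     @{ Value = 'TIM\svc_app' },  @{ Value = 0 }) }
)
$sample | ConvertFrom-LdapBindEvent | Format-Table IPAddress, Port, User, BindType
# Against a real DC (name is a placeholder):
# Get-InsecureLdapBind -ComputerName DC01 -Hours 24 -Verbose | Export-Csv -NoTypeInformation .\InsecureLDAPBinds.csv
```

Running this per DC matters: 2889 is only written on the DC that received the bind, so a client that talks to a different DC tomorrow will not show up in today's export.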

Thursday, February 20, 2020

PowerShell Get LDAP limits / Default Query Policy

Hi guys,
to get the LDAP limits defined in the Default Query Policy just run the PowerShell snippet below. It reads the configuration naming context from rootDSE, so there is no domain DN to replace:

$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Filter 'ObjectClass -eq "queryPolicy"' -SearchBase "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties lDAPAdminLimits | ForEach-Object { $_.lDAPAdminLimits }
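The attribute comes back as a list of "Name=Value" strings. As an added example (not from the post), the functions below parse those strings into objects, flag any limit that differs from the defaults in the $defaults table, and look up which policy a given DC actually uses, since a DC or site can be assigned a policy other than the default. The defaults table is my assumption of the documented values for a current Windows Server; confirm it for your OS version.

```powershell
# Added example, not code from the original post. Reads a query policy's limits via the configuration
# partition from rootDSE and flags values that differ from the defaults listed in $defaults.
# Assumption: $defaults holds the documented defaults; adjust it to your OS version.
Import-Module ActiveDirectory

$defaults = @{
    MaxPageSize = 1000; MaxQueryDuration = 120; MaxTempTableSize = 10000; MaxResultSetSize = 262144
    MaxValRange = 1500; MaxConnections = 5000; MaxConnIdleTime = 900
}

function Get-LdapQueryPolicyLimit {
    param([string]$PolicyName = 'Default Query Policy')
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    $policy = Get-ADObject -LDAPFilter "(&(objectClass=queryPolicy)(cn=$PolicyName))" -SearchBase $base -Properties lDAPAdminLimits
    if (-not $policy) { throw "Query policy '$PolicyName' not found under $base" }
    foreach ($entry in $policy.lDAPAdminLimits) {
        $name, $value = $entry -split '=', 2          # entries look like "MaxPageSize=1000"
        [pscustomobject]@{
            Limit   = $name
            Value   = [int]$value
            Default = $defaults[$name]
            Changed = $defaults.ContainsKey($name) -and ([int]$value -ne $defaults[$name])
        }
    }
}

# A DC can be assigned a policy other than the default via queryPolicyObject on its NTDS Settings object.
function Get-DCQueryPolicyName {
    param([Parameter(Mandatory)][string]$DomainController)
    $ntdsDn = (Get-ADDomainController -Identity $DomainController).NTDSSettingsObjectDN
    $ntds   = Get-ADObject -Identity $ntdsDn -Properties queryPolicyObject
    if ($ntds.queryPolicyObject) { (Get-ADObject -Identity $ntds.queryPolicyObject).Name } else { 'Default Query Policy' }
}

# Usage: list only the limits somebody has changed.
# Get-LdapQueryPolicyLimit | Where-Object Changed | Format-Table Limit, Value, Default
# Get-LdapQueryPolicyLimit -PolicyName (Get-DCQueryPolicyName -DomainController DC01)
```

A raised MaxPageSize or MaxQueryDuration is a favourite "fix" for a misbehaving application; this comparison makes such changes visible instead of leaving them to be rediscovered during the next outage.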

Wednesday, October 30, 2019

Hunting bad LDAP queries on your DC

This is a quick guide to find bad LDAP queries running against your Domain Controller.

To get the needed events on your DC, set the following registry values using PowerShell:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Diagnostics' -Name '15 Field Engineering' -Value 5 -Type DWord
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Expensive Search Results Threshold' -Value 0 -Type DWord
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Inefficient Search Results Threshold' -Value 0 -Type DWord
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Search Time Threshold (msecs)' -Value 120 -Type DWord

The three threshold values do not exist by default; -Type DWord makes sure they are created as REG_DWORD and not as strings. Your DC is now logging event 1644 with information about the LDAP queries.

With these settings any LDAP query that takes longer than 120 ms (Search Time Threshold (msecs)) is logged.

The log level is set to 5 ('15 Field Engineering' = 5), the highest diagnostics level (Microsoft describes it as logging all events, including debug strings and configuration changes). For Field Engineering it means that every search matching the thresholds is written as event 1644, so expect a lot of events on a busy DC.

Expensive LDAP searches are searches that visit a large number of entries. The default threshold is 10000 visited entries; it is set with the Expensive Search Results Threshold value, and here we set it to 0 to get all queries.

Inefficient searches are searches that return less than 10% of the entries they visited. The default visited-entries threshold for an inefficient query is 1000, meaning a query that visits fewer than 1000 entries is not considered inefficient even if it returns nothing. So we set it to 0 as well to get all queries.

Now open Event Viewer, go to the Directory Service log and, depending on the number of "bad" LDAP queries, you will see a lot of 1644 events. Each event gives you the user, the filter, the client address and the attribute that prevented optimization, so you can identify the source and fix it.


Here is an example event:

Internal event: A client issued a search operation with the following options. 
Client:
10.10.10.10:54601 
Starting node:
dc=domain,dc=int
Filter:
( |  (uid=Jon.Doe)  (sAMAccountName=Jon.Doe) )  
Search scope:
subtree 
Attribute selection:
uid,sAMAccountName 
Server controls:
Visited entries:
359807 
Returned entries:

Used indexes:
DNT_index:662818:N; 
Pages referenced:
2945008 
Pages read from disk:

Pages preread from disk:

Clean pages modified:

Dirty pages modified:

Search time (ms):
4111
Attributes Preventing Optimization:
uid  
User:
domain\serviceaccount.1

In this case you can contact the admin responsible for client 10.10.10.10 and have the query changed to a better filter. For example, if you don't use the uid attribute in AD, remove it from the LDAP query and search only for sAMAccountName, which is indexed; uid is not, which is why the event lists it under "Attributes Preventing Optimization".

Once you have collected enough logs, revert your changes using the following commands:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Diagnostics' -Name '15 Field Engineering' -Value "0"
Remove-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Expensive Search Results Threshold'
Remove-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Inefficient Search Results Threshold'
Remove-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters' -Name 'Search Time Threshold (msecs)'
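Reading hundreds of 1644 events by hand in Event Viewer does not scale. As an added example (my own code, not part of the post), the parser below turns the event body into an object using the label/value layout shown in the sample event above (a line ending in ':' names the field, the following lines are its value), and a second function pulls the events from a DC and ranks client/user/filter combinations by the total number of entries visited.  The sample message is the event from the post re-typed as a here-string so the parser can be checked offline; the DC name DC01 is a placeholder.

```powershell
# Added example, not code from the original post. Parses event 1644 bodies laid out like the sample
# above (a label line ending in ':' followed by its value) and ranks the most expensive searches.
# Assumption: the field labels are exactly those in the sample event (Visited entries, Search time (ms), ...).

function ConvertFrom-LdapSearchEvent {
    param([Parameter(Mandatory)][string]$Message, [datetime]$TimeCreated = (Get-Date))
    $fields = @{}
    $key = $null
    foreach ($raw in $Message -split '\r?\n') {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line.EndsWith(':')) { $key = $line.TrimEnd(':'); $fields[$key] = ''; continue }
        if ($key) { $fields[$key] = ($fields[$key] + ' ' + $line).Trim() }
    }
    # Numeric fields may be empty in the event (e.g. "Returned entries:" with nothing after it).
    $num = { param($k) if ($fields[$k] -match '^\d+$') { [int64]$fields[$k] } else { [int64]0 } }
    $visited  = & $num 'Visited entries'
    $returned = & $num 'Returned entries'
    $efficiency = if ($visited -gt 0) { [math]::Round(100 * $returned / $visited, 2) } else { 0 }
    [pscustomobject]@{
        TimeCreated  = $TimeCreated
        Client       = $fields['Client']
        User         = $fields['User']
        StartingNode = $fields['Starting node']
        Scope        = $fields['Search scope']
        Filter       = $fields['Filter'] -replace '\s+', ' '
        Visited      = $visited
        Returned     = $returned
        Efficiency   = $efficiency                     # percent of visited entries actually returned
        SearchTimeMs = & $num 'Search time (ms)'
        Unoptimized  = $fields['Attributes Preventing Optimization']
    }
}

function Get-BadLdapQuery {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24, [int]$Top = 20)
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { ConvertFrom-LdapSearchEvent -Message $_.Message -TimeCreated $_.TimeCreated } |
        Group-Object Client, User, Filter |
        ForEach-Object {
            $g = $_.Group
            [pscustomobject]@{
                Client       = $g[0].Client
                User         = $g[0].User
                Filter       = $g[0].Filter
                Count        = $_.Count
                TotalVisited = ($g | Measure-Object Visited -Sum).Sum
                MaxTimeMs    = ($g | Measure-Object SearchTimeMs -Maximum).Maximum
                Unoptimized  = ($g.Unoptimized | Where-Object { $_ } | Sort-Object -Unique) -join ','
            }
        } | Sort-Object TotalVisited -Descending | Select-Object -First $Top
}

# Offline check against the event shown above (re-typed here as a here-string):
$sampleMessage = @"
Internal event: A client issued a search operation with the following options.
Client:
10.10.10.10:54601
Starting node:
dc=domain,dc=int
Filter:
( |  (uid=Jon.Doe)  (sAMAccountName=Jon.Doe) )
Search scope:
subtree
Attribute selection:
uid,sAMAccountName
Server controls:
Visited entries:
359807
Returned entries:

Used indexes:
DNT_index:662818:N;
Search time (ms):
4111
Attributes Preventing Optimization:
uid
User:
domain\serviceaccount.1
"@
ConvertFrom-LdapSearchEvent -Message $sampleMessage | Format-List Client, User, Filter, Visited, Returned, Efficiency, SearchTimeMs, Unoptimized
# Against a real DC (name is a placeholder):  Get-BadLdapQuery -ComputerName DC01 -Hours 24 | Format-Table -AutoSize
```

Sorting by total visited entries rather than by count surfaces the real offenders: one service account issuing a 360000-entry scan every minute costs the DC far more than a thousand slightly slow but indexed lookups.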

Friday, March 2, 2018

List all or specific SPNs that are assigned to an AD object

Find a specific SPN using PowerShell with ADSI (note that the value typed at the prompt goes into the filter unescaped, and the leading wildcard forces an unindexed scan of servicePrincipalName; acceptable for an admin tool, not for untrusted input):

$SPNName = Read-Host "Enter SPN"
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
# Substring match on the SPN; the leading * means the attribute index cannot be used.
$search.Filter = "(servicePrincipalName=*$SPNName*)"
$search.PageSize = 1000                    # page through result sets larger than MaxPageSize
$results = $search.FindAll()
foreach ($result in $results)
{
       $UserEntry = $result.GetDirectoryEntry()
       Write-Host "Object Name = " $UserEntry.name -BackgroundColor "green" -ForegroundColor "black"
       Write-Host "DN      =      "  $UserEntry.distinguishedName
       Write-Host "Object Cat. = "  $UserEntry.objectCategory
       Write-Host "servicePrincipalNames"
       $i = 0
       foreach ($SPN in $UserEntry.servicePrincipalName)
       {
           Write-Host "SPN(" $i ")   =      " $SPN
           $i += 1
       }
       Write-Host ""
}


Find all SPNs using PowerShell with ADSI:

$SPNName = "*"
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
# (servicePrincipalName=*) matches every object that has at least one SPN, users and computers alike.
$search.Filter = "(servicePrincipalName=$SPNName)"
$search.PageSize = 1000                    # page through result sets larger than MaxPageSize
$results = $search.FindAll()
foreach ($result in $results)
{
       $UserEntry = $result.GetDirectoryEntry()
       Write-Host "Object Name = " $UserEntry.name -BackgroundColor "green" -ForegroundColor "black"
       Write-Host "DN      =      "  $UserEntry.distinguishedName
       Write-Host "Object Cat. = "  $UserEntry.objectCategory
       Write-Host "servicePrincipalNames"
       $i = 0
       foreach ($SPN in $UserEntry.servicePrincipalName)
       {
           Write-Host "SPN(" $i ")   =      " $SPN
           $i += 1
       }
       Write-Host ""
}


Using an LDAP query, just replace spnname:

(&(objectCategory=person)(servicePrincipalName=*spnname*))

To search all SPNs you can use this query:
(&(objectCategory=person)(servicePrincipalName=*))

objectCategory=person limits both queries to user accounts, which are the SPN holders that matter most for Kerberoasting; replace it with (objectCategory=computer) to list computer SPNs, or drop it to see both.
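As an added example that is not the post's ADSI script, the following version does the same search with the ActiveDirectory module but escapes the user-supplied pattern per RFC 4515 before it is embedded in the filter, so a value like `*)(cn=*` cannot widen the query, and it offers an indexed prefix match when you know the service class. Parameter names and the sample patterns are mine.

```powershell
# Added example, not the post's ADSI script. Searches SPNs with the ActiveDirectory module, escapes the
# user-supplied pattern (RFC 4515) so it cannot change the filter, and covers computer objects too.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, otherwise the escapes added below would themselves be escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Find-Spn {
    param(
        [string]$Pattern,                 # substring to look for, e.g. 'MSSQLSvc/'; empty = all SPNs
        [switch]$UsersOnly,               # only user objects (the Kerberoastable ones)
        [switch]$PrefixMatch              # anchor the pattern at the start so the SPN index is used
    )
    $value = if ($Pattern) { (ConvertTo-LdapFilterValue $Pattern) + '*' } else { '*' }
    if ($Pattern -and -not $PrefixMatch) { $value = '*' + $value }   # leading wildcard = unindexed scan
    $class = if ($UsersOnly) { '(objectCategory=person)' } else { '(|(objectCategory=person)(objectCategory=computer))' }
    $filter = "(&$class(servicePrincipalName=$value))"
    Write-Verbose "LDAP filter: $filter"
    Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName, sAMAccountName |
        ForEach-Object {
            $obj = $_
            foreach ($spn in $obj.servicePrincipalName) {      # one row per SPN, not per object
                [pscustomobject]@{
                    Name  = $obj.sAMAccountName
                    Class = $obj.ObjectClass
                    DN    = $obj.DistinguishedName
                    SPN   = $spn
                }
            }
        }
}

# Escaping check (no directory needed): the pattern cannot terminate or widen the filter.
ConvertTo-LdapFilterValue 'MSSQLSvc/*)(cn=*'    # -> MSSQLSvc/\2a\29\28cn=\2a
# Examples against the domain:
# Find-Spn -Pattern 'MSSQLSvc/' -PrefixMatch -Verbose          # SQL SPNs, indexed prefix search
# Find-Spn -Pattern 'sql' -UsersOnly                            # user accounts whose SPN contains "sql"
# Find-Spn | Group-Object Class | Select-Object Name, Count     # all SPN holders by object class
```

The Kerberoasting angle is the reason -UsersOnly exists: service tickets for SPNs on user accounts are encrypted with that account's password hash, so this list, combined with the "non-expiring passwords" query further down the page, is a good starting inventory for password hygiene on service accounts.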

Thursday, March 3, 2016

Check AD User Credentials based on entered username using Powershell

This script verifies the credentials of a specified user.

After you run the script you have to enter the username and password.

Find attached a screenshot of how the output should look ->

Download the script

If you want to verify multiple AD user accounts you can use my other script.
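The linked scripts are not reproduced on this page, so here is an added example of my own that validates one or several credentials with System.DirectoryServices.AccountManagement. It uses a negotiated (Kerberos/NTLM) bind rather than a clear-text simple bind, and it is deliberately not suited to password guessing: every wrong password is a failed logon on the DC. The domain defaults to the host's domain; the CSV layout in the usage note is made up.

```powershell
# Added example, not the script from the post (which is only linked above). Validates one or more
# credentials against the domain with System.DirectoryServices.AccountManagement.
# Assumptions: the host is domain-joined ($env:USERDNSDOMAIN); the CSV layout in the usage note is made up.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-ADCredential {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][pscredential]$Credential,
        [string]$Domain = $env:USERDNSDOMAIN
    )
    begin {
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $Domain)
    }
    process {
        $nc = $Credential.GetNetworkCredential()      # user name without the DOMAIN\ prefix, plain-text password
        # ValidateCredentials binds with Negotiate (Kerberos/NTLM), not a clear-text simple bind.
        # Every wrong password is a failed logon on the DC and raises badPwdCount, so never loop
        # this over a password list: a handful of calls can lock the account.
        $valid = $ctx.ValidateCredentials($nc.UserName, $nc.Password)
        [pscustomobject]@{ User = $Credential.UserName; Domain = $Domain; Valid = $valid }
    }
    end { $ctx.Dispose() }
}

# One account, interactive:
# Get-Credential | Test-ADCredential
# Several accounts from a CSV with the columns User,Password (layout assumed):
# Import-Csv .\accounts.csv | ForEach-Object {
#     New-Object System.Management.Automation.PSCredential($_.User, (ConvertTo-SecureString $_.Password -AsPlainText -Force))
# } | Test-ADCredential
```

A CSV of plain-text passwords is itself the weak point of the bulk variant; delete it as soon as the check is done, and prefer piping Get-Credential output when you only need a few accounts.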

Monday, February 29, 2016

Powershell Active Directory Excel Report

This script reports information about your Active Directory infrastructure and saves it in an Excel file.
It uses PowerShell in combination with the Active Directory module, so RSAT must be installed to run it.
The following information is saved into the Excel file:
  • users that were created in the last 24 hours
  • users with the flag "password never expires" set
  • disabled users
  • users that never changed their password
  • computers that have not logged on for more than 90 days
  • disabled computers
  • all DCs in your domain
  • all DHCP servers in your forest
  • all subnets with the associated site and location name in your forest
  • FSMO role holders in your forest
  • FSMO role holders in your domain
  • DOMAINNAME password policy
  • DOMAINNAME GPOs
  • DOMAINNAME OUs
After the script has finished, the report pops up.

DOWNLOAD the script
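As an added example (my own code, not the linked script), the function below collects most of the items in that list with the ActiveDirectory module and writes one CSV per item instead of an Excel workbook. The DHCP and GPO items are left out because they need the DhcpServer and GroupPolicy modules. The output folder and the 90-day threshold are placeholders.

```powershell
# Added example, not the post's script (which is only linked above). Collects most of the listed
# items with the ActiveDirectory module and writes one CSV per item instead of an Excel workbook.
# Assumptions: RSAT AD module present; the output folder and the 90-day threshold are placeholders.
Import-Module ActiveDirectory

function Get-ADHygieneReport {
    param([string]$OutDir = '.\ADReport', [int]$StaleDays = 90)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $since = (Get-Date).AddHours(-24)
    # lastLogonTimestamp is replicated but only refreshed when older than about 14 days,
    # so "not logged on for 90 days" is accurate to that granularity; lastLogon would be per DC.
    $staleFileTime = (Get-Date).AddDays(-$StaleDays).ToFileTime()
    $lastLogon = @{ Name = 'LastLogon'; Expression = { if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } } }

    $domain = Get-ADDomain
    $forest = Get-ADForest
    $report = [ordered]@{
        NewUsers24h          = Get-ADUser -Filter 'whenCreated -ge $since' -Properties whenCreated |
                               Select-Object SamAccountName, whenCreated
        PasswordNeverExpires = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' |
                               Select-Object SamAccountName, DistinguishedName
        DisabledUsers        = Get-ADUser -Filter 'Enabled -eq $false' | Select-Object SamAccountName
        PwdLastSetZero       = Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' -Properties pwdLastSet |
                               Select-Object SamAccountName          # password never set, or must change at next logon
        StaleComputers       = Get-ADComputer -Filter 'lastLogonTimestamp -lt $staleFileTime -and Enabled -eq $true' -Properties lastLogonTimestamp, operatingSystem |
                               Select-Object Name, operatingSystem, $lastLogon
        DisabledComputers    = Get-ADComputer -Filter 'Enabled -eq $false' | Select-Object Name
        DomainControllers    = Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, Site, IsGlobalCatalog, IsReadOnly
        Subnets              = Get-ADReplicationSubnet -Filter * -Properties Location | Select-Object Name, Site, Location
        FsmoForest           = [pscustomobject]@{ SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster }
        FsmoDomain           = [pscustomobject]@{ PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster; InfrastructureMaster = $domain.InfrastructureMaster }
        PasswordPolicy       = Get-ADDefaultDomainPasswordPolicy |
                               Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold, LockoutDuration, ComplexityEnabled
        OUs                  = Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName
    }
    foreach ($name in $report.Keys) {
        $report[$name] | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$name.csv")
    }
    # DHCP servers (Get-DhcpServerInDC) and GPOs (Get-GPO) need the DhcpServer and GroupPolicy modules.
    $report
}

# $r = Get-ADHygieneReport -OutDir C:\Temp\ADReport
# $r.StaleComputers | Format-Table -AutoSize
```

Stale-but-enabled computer accounts deserve the most attention: their machine account passwords still work, so a decommissioned host that was never removed from AD is a credential lying around for anyone who recovers its disk.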

Wednesday, November 4, 2015

LDAP Queries for Users, Computers, Groups and Service Connection Points v2



Find attached a lot of LDAP queries. For an example of how to use these queries in ADUC, see this post. Two matching rules appear repeatedly below: :1.2.840.113556.1.4.803:= (LDAP_MATCHING_RULE_BIT_AND) matches when all of the given bits are set in a bit-field attribute such as userAccountControl or groupType, and :1.2.840.113556.1.4.804:= (LDAP_MATCHING_RULE_BIT_OR) matches when any of them is set. Every filter with more than one condition has to be wrapped in (&...) or (|...); bare conditions side by side are not a valid filter.

Computer accounts


Computer accounts starting with WS
(&(objectCategory=computer)(sAMAccountName=WS*))

Computer accounts with "COP" in the attribute "description"
(&(objectCategory=computer)(description=*COP*))
or
(&(objectCategory=computer)(description=COP)) --> description is exactly COP
or
(&(objectCategory=computer)(description=*COP)) --> description ends with COP

Computer accounts with MS-SQL installed (an MSSQLSvc SPN is registered)
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*))

Computer accounts with a Server OS
(&(objectCategory=computer)(operatingSystem=*server*))

Find all Computers that do not have a Description
(&(objectCategory=computer)(!(description=*)))

Find all computer accounts for whom a manager is specified
(&(objectCategory=computer)(objectClass=computer)(managedBy=*))

Find all computer accounts (sAMAccountType 805306369 is the machine account type and covers workstations, member servers and DCs alike)
(sAMAccountType=805306369)
or
(&(objectCategory=computer)(objectClass=computer))

Find all 2003 Servers – Non-DCs (primaryGroupID 516 is the Domain Controllers group; read-only DCs use 521)
(&(sAMAccountType=805306369)(!(primaryGroupID=516))(operatingSystem=Windows Server 2003*))

Find all 2003 Servers – DCs
(&(sAMAccountType=805306369)(primaryGroupID=516)(operatingSystem=Windows Server 2003*))

Find all 2008 Servers – Non-DCs (the operatingSystem string of Server 2008 contains the ® sign, "Windows Server® 2008 ...", so match it with a wildcard)
(&(sAMAccountType=805306369)(!(primaryGroupID=516))(operatingSystem=Windows Server*2008*))

Find all 2008 Servers – DCs
(&(objectCategory=computer)(primaryGroupID=516)(operatingSystem=Windows Server*2008*))

Disabled Computer Accounts (userAccountControl bit 2 = ACCOUNTDISABLE)
(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))

Enabled Computer Accounts
(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

SQL Servers on any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server*))

Exchange Servers on any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*))

Find all Windows XP SP3 computers
(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))

Find all Windows Vista SP1 computers
(&(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))

Find all Windows Server 2008 Enterprise computers with Service Pack 1
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008 Enterprise)(operatingSystemServicePack=Service Pack 1))

Find all Windows Server 2008 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008*))

Find all Windows 8.0 (all versions) computers
"Windows 8*" also matches Windows 8.1, so the build number is needed; parentheses inside a value have to be escaped as \28 and \29.
(&(objectCategory=computer)(operatingSystem=Windows 8*)(operatingSystemVersion=6.2 \289200\29))

Find all Windows 8.1 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 8.1*))

Find all Windows Server 2012 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*))

Find all Windows Server 2012 without R2 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*)(operatingSystemVersion=6.2 \289200\29))

Find all Windows Server 2012 R2 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012 R2*))

Find all Windows 10 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 10*))

User accounts


Find all user accounts
(&(objectCategory=person)(objectClass=user))

Find all user accounts for whom a password is not required (userAccountControl bit 32 = PASSWD_NOTREQD)
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Find all user accounts that do not require a SmartCard for logon (bit 262144 = SMARTCARD_REQUIRED)
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=262144)))

Find users that have non-expiring passwords (bit 65536 = DONT_EXPIRE_PASSWORD)
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

To find all user accounts that have the name "Mueller" in them
(&(objectCategory=person)(objectClass=user)(sAMAccountName=*Mueller*))

Locked out user accounts
The LOCKOUT bit (16) of userAccountControl is not stored in AD, so it cannot be queried; use lockoutTime instead. lockoutTime is cleared only on the next successful logon, not when the lockout duration expires, so an old value may belong to an account that is no longer locked.
(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))

User accounts starting with "A" in the attribute "Common Name"
(&(objectCategory=person)(objectClass=user)(cn=A*))

Disabled user accounts (bit 2 = ACCOUNTDISABLE)
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

User accounts without a value in the attribute "mail"
(&(objectCategory=person)(objectClass=user)(!(mail=*)))

User accounts with the attribute "mail" set
(&(objectCategory=person)(objectClass=user)(mail=*))

User accounts that have never logged on
lastLogon is not replicated; every DC keeps its own value, so run this against each DC (or use lastLogonTimestamp, which is replicated but only refreshed about every 14 days).
(&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*))))

Users that have been given dial-in permissions
(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))

Users who have "admin" in the description field
(&(objectCategory=person)(objectClass=user)(description=*admin*))

Find user accounts with no logon script
(&(objectCategory=person)(objectClass=user)(!(scriptPath=*)))

Find user accounts with no profile path
(&(objectCategory=person)(objectClass=user)(!(profilePath=*)))

Find enabled accounts that must change their password at next logon
(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Find all users that need to change their password at next logon (enabled or not)
(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))

Find all users that are almost locked out
Notice the ">=" that means "greater than or equal to". badPwdCount is not replicated; the PDC emulator receives every failed password attempt, so query it, or query each DC.
(&(objectCategory=person)(objectClass=user)(badPwdCount>=2))

Find all mail-enabled groups hidden from the Global Address List (GAL)
(&(objectCategory=group)(objectClass=group)(mailNickname=*)(msExchHideFromAddressLists=TRUE))

Find all mail-enabled security groups (groupType bit 2147483648 = security-enabled)
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648)(mailNickname=*))

Find all mailbox-enabled accounts
(&(objectCategory=person)(objectClass=user)(mailNickname=*)(|(msExchHomeServerName=*)(homeMDB=*)))

Find all mailbox-enabled accounts with Outlook Web Access (OWA) disabled
(&(objectCategory=person)(objectClass=user)(mailNickname=*)(|(msExchHomeServerName=*)(homeMDB=*))(|(protocolSettings=*HTTP§0*)(protocolSettings=*OWA§0*)))

Find all users with hidden mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))

Find users whose lastLogon on the queried DC is newer than a given point in time
The value is a FILETIME (100-nanosecond intervals since 1 January 1601, as returned by .NET's DateTime.ToFileTime()); 129772445240000000 corresponds to 26 March 2012. As with lastLogon above, the answer is per DC.
(&(objectCategory=person)(objectClass=user)(lastLogon>=129772445240000000))



Groups


To find all groups that have no members
(&(objectCategory=group)(!(member=*)))

Find groups that contain the word admin
(&(objectCategory=group)(sAMAccountName=*admin*))

Find all universal groups (groupType bit 8)
(groupType:1.2.840.113556.1.4.803:=8)

Find all global security groups (2147483650 = 2147483648 security-enabled + 2 global)
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))

Find domain local groups (groupType bit 4)
(groupType:1.2.840.113556.1.4.803:=4)

Find all distribution groups (groupType without the security bit, plus Exchange dynamic distribution lists)
(|(&(objectCategory=group)(|(groupType=2)(groupType=4)(groupType=8)))(objectClass=msExchDynamicDistributionList))

List all groups with the sec- prefix convention (a prefix, so no leading wildcard is needed)
(&(objectCategory=group)(name=sec-*))

Find all security groups with members
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648)(member=*))



Service connection Points


Find all service connection points
(objectCategory=serviceConnectionPoint)

Find all service connection points that do not have service bindings specified
(&(objectCategory=serviceConnectionPoint)(!(serviceBindingInformation=*)))

Find all service connection points that do not have a service DNS name specified
(&(objectCategory=serviceConnectionPoint)(!(serviceDNSName=*)))
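To run any of the filters above from PowerShell rather than ADUC, here is an added example (my own code, not from the post). It wraps DirectorySearcher with paging enabled, because without the paged-results control a result set larger than the query policy's MaxPageSize is silently truncated, and it decodes userAccountControl into flag names so the bit tests in the queries can be checked against the raw value. The flag table lists the bits used on this page plus a few commonly needed ones; the sample queries at the end are taken from the list.

```powershell
# Added example, not code from the original post. Runs any filter from the list with paging (results
# beyond MaxPageSize would otherwise be cut off) and decodes userAccountControl so the
# :1.2.840.113556.1.4.803:= bit tests can be checked against the raw value.
$UacFlag = [ordered]@{
    ACCOUNTDISABLE = 2; LOCKOUT = 16; PASSWD_NOTREQD = 32; NORMAL_ACCOUNT = 512
    WORKSTATION_TRUST_ACCOUNT = 4096; SERVER_TRUST_ACCOUNT = 8192; DONT_EXPIRE_PASSWORD = 65536
    SMARTCARD_REQUIRED = 262144; TRUSTED_FOR_DELEGATION = 524288; NOT_DELEGATED = 1048576
    DONT_REQ_PREAUTH = 4194304; PASSWORD_EXPIRED = 8388608; TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int64]$Value)
    # Same test as the LDAP_MATCHING_RULE_BIT_AND rule (1.2.840.113556.1.4.803), one bit at a time.
    @($UacFlag.Keys | Where-Object { ($Value -band $UacFlag[$_]) -ne 0 })
}

function Invoke-LdapQuery {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string]$SearchBase,                                    # DN; default is the current domain root
        [string[]]$Attributes = @('sAMAccountName', 'distinguishedName', 'userAccountControl'),
        [int]$PageSize = 1000                                   # at or below the policy's MaxPageSize
    )
    $root = if ($SearchBase) { [ADSI]"LDAP://$SearchBase" } else { [ADSI]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Attributes)
    $searcher.PageSize    = $PageSize                          # enables the paged-results control
    $searcher.SearchScope = 'Subtree'
    foreach ($r in $searcher.FindAll()) {
        $row = [ordered]@{}
        foreach ($a in $Attributes) {
            $vals = $r.Properties[$a.ToLower()]                 # result property names are lower-case
            $row[$a] = if ($null -eq $vals -or $vals.Count -eq 0) { $null } elseif ($vals.Count -eq 1) { $vals[0] } else { @($vals) }
        }
        if ($row.Contains('userAccountControl') -and $null -ne $row['userAccountControl']) {
            $row['Flags'] = (ConvertFrom-UserAccountControl $row['userAccountControl']) -join ','
        }
        [pscustomobject]$row
    }
}

# Flag decoding check without a directory: 66048 = NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWORD (65536)
ConvertFrom-UserAccountControl 66048        # -> NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
# Queries from the list above:
# Invoke-LdapQuery '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))' | Format-Table
# Invoke-LdapQuery '(&(objectCategory=computer)(operatingSystem=Windows Server*))' -Attributes name, operatingSystem
# Invoke-LdapQuery '(&(objectCategory=computer)(!(description=*)))' -Attributes name, whenCreated
```

DONT_REQ_PREAUTH and TRUSTED_FOR_DELEGATION are in the table for a reason: neither appears in the queries above, yet accounts with either bit set are the first thing an attacker with a low-privileged domain account looks for, so a combined filter such as (userAccountControl:1.2.840.113556.1.4.803:=4194304) belongs in any regular review.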


Wednesday, December 17, 2014

LDAP Queries for Users, Computers, Groups and Service Connection Points



Find attached a lot of LDAP queries. For an example of how to use these queries in ADUC, see this post.
