Archive for March, 2019


NDES (Network Device Enrollment Service) is the Microsoft implementation of SCEP (Simple Certificate Enrollment Protocol):

NDES installation and operations:

http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx

https://gsecse.wordpress.com/2015/10/06/ndes-deployment-and-troubleshooting/

https://docs.microsoft.com/en-us/intune/certificates-scep-configure


(NDES) Frequently Asked Questions (FAQ): http://social.technet.microsoft.com/wiki/contents/articles/12610.network-device-enrollment-services-ndes-frequently-asked-questions-faq.aspx


Configuring Network Device Enrollment Service for Windows Server 2008 with Custom Certificates: http://blogs.technet.com/b/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx


NDES enrollment process:

1) Generate a key pair and install it on your device by using procedures provided by your device vendor.

2) Request a password by using the NDES admin site. The default URL is http://<computer_name>/certsrv/mscep_admin.

3) Establish trust between the device and the CA by downloading the CA certificate using the GetCACert operation and procedures provided by your device vendor. The default NDES URL for calling GetCACert is http://<computer_name>/certsrv/mscep?operation=getcacert&message=.

4) Submit the password and certificate request from the device to NDES by using procedures provided by your vendor.

5) NDES uses the request from the device to generate a certificate request and submit it to the configured CA.

6) If NDES certificate requests do not require certificate manager approval, the certificate is immediately returned to the device as part of the NDES response message.

7) If NDES certificate requests require certificate manager approval, the certificate request is held on the CA until it is reviewed by a certificate manager. Check the request status from the device using procedures provided by your vendor until NDES responds with the certificate.

Apple iPads and NDES: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx

1) The device connects to an isolated deployment wireless network while connected via USB to the Mobile Device Management (MDM) software. In this example, the iPad is connected to the iPhone Configuration Utility.

2) The device administrator connects to the Network Device Enrollment Service (NDES) to obtain a temporary password, which is entered in the MDM as part of the device's profile.

3) The MDM software pushes the profile configuration to the device.

4) The device creates the private/public key pair and sends a request to NDES to request a certificate.

5) NDES sends an RA request to the Certification Authority (CA).

6) The CA sends the certificate to NDES.

7) NDES sends the certificate to the device, which in turn installs it.

8) The device connects to the corporate network using 802.1X.

NDES Operations 101:

– On the NDES server, verify that IIS is running and that the NDES application pool is started.

– Back up IIS and export the HKLM\software\microsoft\cryptography\NDES registry key.

– On the NDES server, in the computer certificate store, check that the RA certificates have not expired (otherwise renew the NDES service certificates): http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Renewing_Service_Certificates

Configuring NDES with custom certificates: https://blogs.technet.microsoft.com/askds/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates/

– Verify that the issuing CA is responding.
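The four checks above, as an added PowerShell health check (not from the linked articles). It assumes an elevated session on the NDES server and that $CaConfig holds your CA in "CAHostName\CACommonName" form; the value below is a placeholder.

```powershell
# Added example: NDES "Operations 101" health check. Assumes elevated PowerShell on the NDES
# server; $CaConfig is a placeholder you must replace with your own CA config string.
Import-Module WebAdministration

$CaConfig  = 'ca01.example.local\Example-Issuing-CA'   # assumption: replace with your CA
$BackupDir = 'C:\NdesBackup'
$WarnDays  = 30
$stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1) IIS and the NDES application pool (the NDES role creates a pool named "SCEP")
$w3svc = Get-Service -Name W3SVC
$pool  = Get-WebAppPoolState -Name 'SCEP'
"IIS (W3SVC): $($w3svc.Status)   SCEP app pool: $($pool.Value)"

# 2) Back up the IIS configuration and the NDES registry key.
#    The role keeps its settings under ...\Cryptography\MSCEP (CAInfo, PasswordVDir, templates).
& "$env:windir\system32\inetsrv\appcmd.exe" add backup "NDES-$stamp" | Out-Null
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP' "$BackupDir\MSCEP-$stamp.reg" /y | Out-Null
"Backups written: IIS backup NDES-$stamp and $BackupDir\MSCEP-$stamp.reg"

# 3) RA certificates: both NDES RA certs carry the Certificate Request Agent EKU
#    (1.3.6.1.4.1.311.20.2.1). An expired RA cert breaks every enrollment through NDES.
$raCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.1' }
if (-not $raCerts) { Write-Warning 'No RA certificate found in the computer store' }
foreach ($c in $raCerts) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' } else { 'OK' }
    '{0,-8} {1}  expires {2:yyyy-MM-dd} ({3} days)  thumbprint {4}' -f $state, $c.Subject, $c.NotAfter, $daysLeft, $c.Thumbprint
}

# 4) Is the issuing CA reachable and answering? certutil -ping calls the CA request interface.
& certutil.exe -config $CaConfig -ping | Out-Null
if ($LASTEXITCODE -eq 0) { "CA $CaConfig is responding" }
else { Write-Warning "CA $CaConfig did not respond (certutil exit code $LASTEXITCODE)" }
```

Run it before and after any change to the NDES box; an EXPIRING line is the cue to follow the renewal link above before devices start failing enrollment.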


Collection of Web resources about dig usage:

http://www.danesparza.net/2011/05/using-the-dig-dns-tool-on-windows-7/

http://anouar.adlani.com/2011/12/useful-dig-command-to-troubleshot-your-domains.html

https://library.linode.com/linux-tools/common-commands/dig

Download dig (part of Bind):

http://www.isc.org/downloads/

Some commands:

What is the website's IP address?

dig +short amazon.com

How do I identify the name servers associated with a domain?

dig NS +short anouar.im

What does the delegation path to my zone look like?

dig google.com +trace

Which mail server is responsible for a domain?

dig MX adlani.com

Which value is cached in a given resolver?

dig google.com @8.8.8.8

Which domain name is this IP associated with (reverse lookup)?

dig +short -x 8.8.8.8

What are the name servers of a TLD?

dig +short NS nl.

When will the cached answer expire (remaining TTL)?

dig google.com +noall +answer

Is the zone synchronized to all my name servers (same SOA serial everywhere)?

dig google.com +nssearch

Does a zone exist on this name server?

dig SOA google.nl @ns1.nic.nl.

How to use dig to retrieve other record types (e.g. SRV)?

dig srv _jabber._tcp.example.com
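The check that dig +nssearch performs ("is the zone synchronized to all my NS?") written out as an added PowerShell example using Resolve-DnsName instead of dig; it is not from the linked pages, and the zone name used at the bottom is only an assumption.

```powershell
# Added example: reproduce the logic of "dig <zone> +nssearch" with Resolve-DnsName.
# Ask the public resolver for the zone's NS set, then ask each NS directly for the SOA
# and compare serials. Needs outbound DNS to the authoritative servers.
function Test-ZoneSerialSync {
    param([Parameter(Mandatory)][string]$Zone)

    # Authoritative name servers of the zone (the query may also return glue A records, so filter on Type)
    $nsHosts = (Resolve-DnsName -Name $Zone -Type NS -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'NS' }).NameHost

    $results = foreach ($ns in $nsHosts) {
        try {
            $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $ns -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SOA' }
            [pscustomobject]@{ NameServer = $ns; Serial = $soa.SerialNumber; Error = $null }
        } catch {
            # A server that does not answer is as much a sync problem as a stale serial
            [pscustomobject]@{ NameServer = $ns; Serial = $null; Error = $_.Exception.Message }
        }
    }

    $serials = @($results | Where-Object Serial | Select-Object -ExpandProperty Serial -Unique)
    $failed  = @($results | Where-Object Error)
    [pscustomobject]@{
        Zone    = $Zone
        InSync  = ($serials.Count -eq 1 -and $failed.Count -eq 0)
        Serials = $serials
        Detail  = $results
    }
}

$r = Test-ZoneSerialSync -Zone 'google.com'   # assumption: any zone you are responsible for
$r.Detail | Format-Table -AutoSize
"In sync: $($r.InSync)   serial(s) seen: $($r.Serials -join ', ')"
```

A mismatch right after a zone change is expected until the secondaries' refresh interval elapses; a mismatch that persists beyond it points at a zone-transfer or notify problem on the lagging server.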

How to Troubleshoot Active Directory Replication Issues

In the previous article (https://itworldjd.wordpress.com/2018/04/02/troubleshooting-ad-replications/) we explained the methodology for troubleshooting AD replication.

This second article deep dives into the best-known out-of-the-box AD utility, REPADMIN.exe.

This utility should be run as a Domain Admin or Enterprise Admin.

repadmin /replsummary /bydest

The above command summarizes the replication status for all domain controllers based on the replication destination. This parameter does not display the source domain controller.

repadmin /replsummary /bysrc

The above command summarizes the replication status for all domain controllers based on the replication source. This parameter does not display the destination domain controller.

repadmin /showrepl serverdc1.mydomain.com

The above command shows the replication partners for serverdc1.mydomain.com and the status of the last sync attempt.

repadmin /showrepl /errorsonly

The above command lists the replication partners which have replication errors (last sync attempt failed).

We can also view the results in CSV format:

repadmin /showrepl /csv

repadmin /syncall serverdc1 dc=mydomain,dc=com

The above command initiates synchronization of the domain directory partition with all replication partners of serverdc1. It will also report any issues encountered while doing so.

repadmin /queue

The above command shows whether there are any unprocessed inbound replication requests. If the system keeps queuing requests, it can be due to a high number of AD changes, a system resource issue, or too many replication partners.

repadmin /showchanges serverpdc1 e4f89917-5fff-40a8-scc2-b148b60d9359 dc=mydomain,dc=com

The above command lists the changes which have not yet been replicated between serverpdc1 and serverdc1. Here serverdc1 is the source server and is identified by its object GUID.

repadmin /replicate serverdc1 serverpdc1 dc=mydomain,dc=com

The above command initiates immediate replication of the directory partition from serverpdc1 to serverdc1.

Apart from repadmin, there are PowerShell cmdlets which we can use to troubleshoot replication issues. The Get-ADReplicationFailure cmdlet is one of those; it collects data about replication failures.

Get-ADReplicationFailure -Target serverdc1

The above command collects information about replication failures associated with serverdc1.
This can also be done for multiple servers:

Get-ADReplicationFailure -Target serverdc1,serverpdc1

Furthermore, we can target all the domain controllers in the domain:

Get-ADReplicationFailure -Target "mydomain.com" -Scope Domain

or even the entire forest:

Get-ADReplicationFailure -Target "mydomain.com" -Scope Forest

The Get-ADReplicationConnection cmdlet lists replication partner details for a given domain controller.

Get-ADReplicationConnection -Filter *

The above command lists all replication connections for the domain controller you are logged on to.

We can also filter the replication connections based on their attributes:

Get-ADReplicationConnection -Filter {ReplicateToDirectoryServer -eq "serverdc1"}

The above command lists the replication connections whose destination server is serverdc1.
We can also force the synchronization of an object between domain controllers:

Sync-ADObject -Object "foo" -Source serverdc1 -Destination serverpdc1

The above command syncs the user object foo from serverdc1 to serverpdc1.
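Putting the repadmin and cmdlet sides of this article together, as an added example that is not part of the original post: it collects failures forest-wide from repadmin /showrepl /csv and from Get-ADReplicationFailure, merges them into one table, and prints the repadmin /replicate command that would retry each failing link. It assumes the ActiveDirectory (RSAT) module, an account allowed to query every DC, and the repadmin CSV column names as emitted on Server 2012 R2 and later.

```powershell
# Added example: consolidated AD replication failure report from repadmin and the AD module.
# Assumes ActiveDirectory module present and rights to query all DCs (see note above).
Import-Module ActiveDirectory

function Get-RepadminFailure {
    # repadmin /showrepl * /csv yields one row per (destination DSA, naming context, source DSA).
    # Column names are those repadmin writes in its CSV header (assumption: Server 2012 R2+).
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Tool        = 'repadmin'
                Destination = $_.'Destination DSA'
                Source      = $_.'Source DSA'
                Partition   = $_.'Naming Context'
                Failures    = [int]$_.'Number of Failures'
                FailureTime = $_.'Last Failure Time'
                Status      = $_.'Last Failure Status'
            }
        }
}

function Get-CmdletFailure {
    param([Parameter(Mandatory)][string]$Forest)
    # The cmdlet reports per partner, not per partition, so Partition is left empty here.
    Get-ADReplicationFailure -Target $Forest -Scope Forest | ForEach-Object {
        [pscustomobject]@{
            Tool        = 'Get-ADReplicationFailure'
            Destination = $_.Server
            Source      = $_.Partner
            Partition   = ''
            Failures    = $_.FailureCount
            FailureTime = $_.FirstFailureTime   # cmdlet gives first failure, repadmin gives last
            Status      = $_.LastError
        }
    }
}

$forest   = (Get-ADForest).Name
$failures = @(Get-RepadminFailure) + @(Get-CmdletFailure -Forest $forest)
if ($failures.Count -eq 0) { "No replication failures reported in $forest"; return }
$failures | Sort-Object Destination, Source | Format-Table -AutoSize

# Retry commands for the per-partition links repadmin reported: print them, review, then run.
$failures | Where-Object { $_.Tool -eq 'repadmin' } | ForEach-Object {
    "repadmin /replicate $($_.Destination) $($_.Source) `"$($_.Partition)`""
}
```

The two sources disagree by design (repadmin is per partition and shows the last failure time, the cmdlet is per partner and shows the first), so a link that appears in only one of them is worth a second look rather than a dismissal.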

Best practices for DNS forwarding:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754941%28v%3dws.10%29

https://www.petri.com/best-practices-for-dns-forwarding

To create a conditional forwarder zone in PowerShell:

Read this reference doc: https://docs.microsoft.com/en-us/powershell/module/dnsserver/add-dnsserverconditionalforwarderzone?view=win10-ps

Examples:

To create a conditional forwarder zone (stored in the registry of the DNS server):

Add-DnsServerConditionalForwarderZone -Name "contoso.com" -MasterServers 2001:4898:7020:f100:458f:e6a2:fcaf:698c,172.23.90.124 -PassThru

ZoneName      ZoneType   IsAutoCreated  IsDsIntegrated  IsReverseLookupZone  IsSigned
--------      --------   -------------  --------------  -------------------  --------
contoso.com   Forwarder  False          False           False

This command creates an Active Directory-integrated conditional forwarder zone for contoso.com:

Add-DnsServerConditionalForwarderZone -Name "contoso.com" -ReplicationScope "Forest" -MasterServers 2001:4898:7020:f100:458f:e6a2:fcaf:698c,172.23.90.124

To change an existing conditional forwarder zone, use the cmdlet:

Set-DnsServerConditionalForwarderZone
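An added example (not from the Microsoft docs linked above) that combines the Add- and Set- cmdlets into one idempotent create-or-update, refuses to touch a zone of any other type with the same name, and then shows what the server holds. The zone name and master servers are the assumed values from the example above; run it on the DNS server with the DnsServer module loaded.

```powershell
# Added example: idempotent conditional forwarder create-or-update with a type safety check.
# Zone name and master servers below are assumptions reused from the docs example.
function Set-ConditionalForwarder {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Masters,
        [string]$ReplicationScope = 'Forest'    # AD-integrated so every DC running DNS gets it
    )
    $zone = Get-DnsServerZone -Name $Name -ErrorAction SilentlyContinue
    if (-not $zone) {
        Add-DnsServerConditionalForwarderZone -Name $Name -MasterServers $Masters `
            -ReplicationScope $ReplicationScope -PassThru
        return
    }
    # Safety check: a primary/secondary/stub zone of the same name must not be replaced by a
    # forwarder, because that silently changes which servers answer for the namespace.
    if ($zone.ZoneType -ne 'Forwarder') {
        throw "Zone '$Name' already exists as type $($zone.ZoneType); not converting it"
    }
    $current = @($zone.MasterServers | ForEach-Object { $_.IPAddressToString })
    if (Compare-Object -ReferenceObject $current -DifferenceObject $Masters) {
        # Master set differs: update in place instead of remove-and-recreate
        Set-DnsServerConditionalForwarderZone -Name $Name -MasterServers $Masters -PassThru
    } else {
        "Forwarder '$Name' already points at $($current -join ', '); nothing changed"
    }
}

$zoneName = 'contoso.com'
$masters  = @('2001:4898:7020:f100:458f:e6a2:fcaf:698c', '172.23.90.124')
Set-ConditionalForwarder -Name $zoneName -Masters $masters
Get-DnsServerZone -Name $zoneName |
    Format-List ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, MasterServers
```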

Good articles explaining the differences between S&C (Security & Compliance) sensitivity labels and AIP (Azure Information Protection) labels, and how to merge them:

https://www.itpromentor.com/aip-vs-365-labels/

https://www.petri.com/unifying-office-365-sensitivity-labels

MS TechNet:

S&C labels: https://docs.microsoft.com/en-us/Office365/SecurityCompliance/sensitivity-labels

AIP labels: https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-protection

https://docs.microsoft.com/en-gb/office365/admin/manage/release-options-in-office-365

Azure Cloud Shell

Overview:

https://docs.microsoft.com/en-us/azure/cloud-shell/overview

URL: https://shell.azure.com

On first launch Cloud Shell prompts to create a resource group, storage account, and Azure Files share on your behalf. This is a one-time step and will be automatically attached for all sessions. A single file share can be mapped and will be used by both Bash and PowerShell in Cloud Shell.

Read more to learn how to mount a new or existing storage account.

  • Cloud Shell runs on a temporary host provided on a per-session, per-user basis
  • Cloud Shell times out after 20 minutes without interactive activity
  • Cloud Shell requires an Azure file share to be mounted
  • Cloud Shell uses the same Azure file share for both Bash and PowerShell
  • Cloud Shell is assigned one machine per user account
  • Cloud Shell persists $HOME using a 5-GB image held in your file share
  • Permissions are set as a regular Linux user in Bash

Learn more about features in Bash in Cloud Shell and PowerShell in Cloud Shell.

Azure Cloud Shell limitations:

https://docs.microsoft.com/en-us/azure/cloud-shell/limitations

Troubleshooting:

https://docs.microsoft.com/en-us/azure/cloud-shell/troubleshooting


How to access Azure Cloud Shell from Visual Studio Code?

http://espacenuagic.com/2018/08/17/utiliser-azure-cloud-shell-depuis-visual-studio-code/

On a Windows computer:

Install VS Code: https://code.visualstudio.com/download

then install Node.js: https://nodejs.org/en/

then in VS Code install the "Azure Account" extension.


Azure DevOps

Azure DevOps Services provides development collaboration tools including high-performance pipelines, free private Git repositories, configurable Kanban boards, and extensive automated and continuous testing capabilities. For the on-premises platform, Azure DevOps Server (previously named Visual Studio Team Foundation Server), see Azure DevOps Server Documentation.

Main portal:

https://dev.azure.com

Azure DevOps and Azure AD groups (security of O365 groups):

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/manage-azure-active-directory-groups?view=azure-devops

DevOps and identity management:

https://docs.microsoft.com/en-us/azure/devops/organizations/security/about-security-identity?view=azure-devops

https://docs.microsoft.com/es-es/azure/devops/organizations/accounts/add-users-to-azure-ad?view=azure-devops

https://docs.microsoft.com/es-es/azure/devops/organizations/accounts/add-external-user?view=azure-devops&viewFallbackFrom=vsts

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/invite-outside-users?view=azure-devops

Azure Sentinel

https://docs.microsoft.com/en-us/azure/sentinel/

Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution.

Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel comes with a number of out-of-the-box connectors for Microsoft solutions that provide real-time integration, including Microsoft Threat Protection solutions and Microsoft 365 sources such as Office 365, Azure AD, Azure ATP, Microsoft Cloud App Security, and more.

In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog or a REST API to connect your data sources to Azure Sentinel.