Category: Active Directory


Reference articles to secure a Windows domain:

https://github.com/PaulSec/awesome-windows-domain-hardening

Microsoft audit policy settings and recommendations:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

Sysinternals sysmon:

https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

On ADsecurity.org:

Beyond domain admins: https://adsecurity.org/?p=3700

Gathering AD data with PowerShell: https://adsecurity.org/?p=3719

Hardening Windows computers, secure baseline checklist: https://adsecurity.org/?p=3299

Hardening a Windows domain, secure baseline checklist:

Securing Domain Controllers to Improve Active Directory Security

Domain hardening in general:

  • Implement a 2- or 3-tier administrative model against the Pass-the-Hash threat (credentials of a higher tier never log on to systems of a lower tier)
  • Fine-Grained Password Policy (FGPP) implementation
  • LAPS implementation (unique, automatically rotated local administrator passwords on every member)
  • Process for proper cleanup of unused AD accounts
  • Reset of the krbtgt account (twice, with replication completed between the two resets, otherwise existing tickets break), Domain Admins accounts and IT administrator accounts
  • Set up jump servers for Tier 0, 1 and 2 users
  • Domain-join all Windows boxes
  • Proper account management based on privileges
  • Use dedicated service accounts to run applications instead of the Local System account
  • Review existing AD accounts, delete unnecessary accounts, review OU structure, GPOs, etc.
  • Honeytoken account creation on local boxes as well as in the domain (alert on any authentication attempt against them)
  • GPO changes: disable guest accounts across systems, Restricted Admin mode for RDP (keeps credentials off the target, but note it also allows a pass-the-hash RDP logon to that target), password policy changes, disable internet access on member servers
  • GPO for jump server implementation based on the PAW GPO settings
  • Rename the existing built-in Administrator account and lock it down (renaming does not hide it, RID 500 is still enumerable, so the lockdown is what matters)
  • Sysmon deployment and WEF setup (WEC for Sysmon events)
  • Use PingCastle (www.pingcastle.com) to assess AD security
  • Use BloodHound (https://github.com/BloodHoundAD/BloodHound) to assess AD security
  • Use ADTimeline to assess AD security
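The "cleanup of unused AD accounts" item above, as an added PowerShell example (not from the original page or any of the linked articles) using the ActiveDirectory module. It selects enabled user accounts whose replicated lastLogonTimestamp is older than a threshold, disables them, leaves a breadcrumb in the description and moves them to a quarantine OU. The 90-day threshold, the quarantine OU distinguished name and the exclusion list are assumptions to adjust for your domain.

```powershell
# Added example: find and disable stale, still-enabled user accounts.
# Assumptions (change for your environment): 90-day threshold, the quarantine OU below,
# and the exclusion list. lastLogonTimestamp is replicated but can lag by up to 14 days,
# so the cut-off is conservative by design; lastLogon itself is per-DC and not replicated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 90,
    [string]$QuarantineOU = 'OU=Disabled Accounts,DC=corp,DC=example',   # assumed OU
    [string[]]$Exclude = @('krbtgt', 'Guest')                             # never touch these
)

Import-Module ActiveDirectory -ErrorAction Stop
$cutoff = (Get-Date).AddDays(-$InactiveDays)

function Get-LastLogon($user) {
    if ($user.lastLogonTimestamp) { [DateTime]::FromFileTime($user.lastLogonTimestamp) } else { 'never' }
}

# Only enabled users, and only the attributes needed for the decision
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated, Description |
    Where-Object {
        $_.SamAccountName -notin $Exclude -and
        # "Never logged on" only counts as stale once the account itself is older than the threshold
        ( ($_.lastLogonTimestamp -and [DateTime]::FromFileTime($_.lastLogonTimestamp) -lt $cutoff) -or
          (-not $_.lastLogonTimestamp -and $_.whenCreated -lt $cutoff) )
    }

foreach ($u in $stale) {
    $lastLogon = Get-LastLogon $u
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Disable (last logon: $lastLogon) and move to $QuarantineOU")) {
        Disable-ADAccount -Identity $u
        # Breadcrumb so the cleanup is reversible and auditable
        Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format yyyy-MM-dd) by stale-account cleanup; last logon $lastLogon; was: $($u.Description)"
        Move-ADObject -Identity $u.DistinguishedName -TargetPath $QuarantineOU
    }
}

# Summary for the review ticket
$stale | Select-Object SamAccountName, DistinguishedName, @{n = 'LastLogon'; e = { Get-LastLogon $_ }} |
    Format-Table -AutoSize
```

Run it with -WhatIf first and review the summary; disabling rather than deleting keeps the SID (and therefore the ACL history) intact for the review period, and deletion can follow once nobody has asked for the account back.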

 

Some interesting sites:

Windows hardening: https://wp.me/p15Zft-Mr

Privileged admin workstation (PAW): https://wp.me/p15Zft-Mr

Delegate WMI access to domain controllers:

This post originally came about after several customers asked how to remove user accounts from Domain Admins and the Administrators group in the domain. These accounts are needed to monitor the systems, so we needed to find a way to get them to read the instrumentation of the system with non-elevated privilege.

https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/

 

https://adsecurity.org/wp-content/uploads/2019/08/2019-BlackHat-US-Metcalf-Morowczynski-AttackingAndDefendingTheMicrosoftCloud.pdf

Azure AD custom extensions

How to work with custom extensions:

Reference:

https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

 

 

Examples:

 

# Connect to Azure AD with a Global Administrator account
Connect-AzureAD

# Get a user and read its extension properties
$aadUser = Get-AzureADUser -ObjectId <youruser>
$aadUser | Select-Object -ExpandProperty ExtensionProperty

# Serialize the user object to JSON
$aadUser.ToJson()

# Explore the object's properties
$aadUser | Get-Member

# How to: add extension properties
# NB: extension properties can only be written on cloud-homed users, not on users synced from on-prem AD
$aadUser = Get-AzureADUser -ObjectId <yourclouduser>@mydomain.onmicrosoft.com
$extensionProp = New-Object 'System.Collections.Generic.Dictionary`2[System.String,System.String]'
$extensionProp.Add('extension_<YourTenantSchemaExtensionAppId>_msDS_ExtensionAttr1', 'ENTERPRISEPACK')
$extensionProp.Add('extension_<YourTenantSchemaExtensionAppId>_msDS_ExtensionAttr2', 'EMSPREMIUM')
Set-AzureADUser -ObjectId $aadUser.ObjectId -ExtensionProperty $extensionProp

# Check the added extension properties
Get-AzureADUser -ObjectId <yourclouduser>@mydomain.onmicrosoft.com | Select-Object -ExpandProperty ExtensionProperty

#region List all users with extension properties
$ext1Name = 'extension_<YourTenantSchemaExtensionAppId>_msDS_ExtensionAttr1'
$ext2Name = 'extension_<YourTenantSchemaExtensionAppId>_msDS_ExtensionAttr2'
# Without -All $true, Get-AzureADUser returns only the first 100 users
$aadUsers = Get-AzureADUser -All $true | Select-Object DisplayName, ObjectId
$aadUsersExt = @()
ForEach ($aadUser in $aadUsers) {
    $userDetail = Get-AzureADUser -ObjectId $aadUser.ObjectId | Select-Object -ExpandProperty ExtensionProperty
    # Reset per user; the dictionary also carries odata keys, so match only the two attribute names
    $ext1 = $null; $ext2 = $null
    foreach ($key in $userDetail.Keys) {
        if ($key -eq $ext1Name) { $ext1 = $userDetail[$key] }
        elseif ($key -eq $ext2Name) { $ext2 = $userDetail[$key] }
    }
    $aadUsersExt += [pscustomobject]@{DisplayName = $aadUser.DisplayName; ObjectId = $aadUser.ObjectId; Ext1 = $ext1; Ext2 = $ext2}
}
#endregion

# List only users with values for the extension attributes
$aadUsersExt | Where-Object {$_.Ext1 -or $_.Ext2} | Format-Table

# List all users
$aadUsersExt

# Serialize users and extension attributes to JSON
$aadUsersExt | ConvertTo-Json

Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services: to provide applications, services, or devices access to a central identity, there are three common ways to use Active Directory-based services in Azure. This choice of identity solution gives you the flexibility to use the most appropriate directory for your organization's needs. For example, if you mostly manage cloud-only users running mobile devices, it may not make sense to build and run your own Active Directory Domain Services identity solution; instead, you could just use Azure Active Directory.

https://blogs.technet.microsoft.com/cbernier/2018/01/16/microsoft-flow-and-azure-ad-lets-automate/

 

 

Reference article:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh994558(v=ws.10)

 

 

To configure Intune to enroll devices with certificates from an internal PKI, with SCCM in co-management mode, read the articles below first:

https://docs.microsoft.com/en-us/intune/certificates-configure

https://docs.microsoft.com/en-us/intune/certificates-scep-configure

https://support.microsoft.com/en-us/help/4459540/troubleshoot-ndes-configuration-for-use-with-intune

https://howtomanagedevices.com/intune/258/intune-certificate-deployment-guide/

https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2015/02/25/part-4-protecting-ndes-with-azure-ad-application-proxy/

https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune/

 

NDES troubleshooting articles:

https://gsecse.wordpress.com/2015/10/06/ndes-deployment-and-troubleshooting/

https://docs.microsoft.com/en-us/intune/certficates-pfx-configure

https://blogs.technet.microsoft.com/askds/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates/

https://blog.hosebei.ch/2016/11/28/configmgr-ndes-certificate-deployment-fails-due-to-network-device-enrollment-service-failure/

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Configuring-and-Troubleshooting-PFX-PKCS/ba-p/516450

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-add-on-premises-application

Note: a GitHub script to validate the NDES configuration, Validate-NDESConfiguration.ps1, is in the CertificationAuthority folder of the Intune PowerShell samples:

https://github.com/microsoftgraph/powershell-intune-samples/tree/master/CertificationAuthority

 

 

Azure AD password protection is now generally available:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Password-Protection-is-now-generally-available/ba-p/377487

 

Azure AD password protection – how to eliminate bad passwords:

Architecture (also covering on-premises AD domain controllers, which enforce the policy through a DC agent that fetches it from the proxy service):

 

Deployment:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy

 

Eliminate bad passwords in your organization:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#license-requirements

 

Azure AD Password protection monitoring:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-monitor

 

Azure AD password protection troubleshooting:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-troubleshoot
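The on-premises deployment, monitoring and troubleshooting steps linked above, as one added PowerShell example (not from the original page or from Microsoft's documentation) using the AzureADPasswordProtection module that ships with the proxy service. It assumes it runs on the proxy server, that the ActiveDirectory module is present for Get-ADForest/Get-ADDomain, and that the Global Administrator UPN is a placeholder to replace.

```powershell
# Added example: register on-premises Azure AD Password Protection and verify it is actually
# enforcing. Assumptions: run on the proxy server, $adminUpn is a placeholder Global Administrator,
# ActiveDirectory module available.
Import-Module AzureADPasswordProtection -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$adminUpn = 'admin@mydomain.onmicrosoft.com'   # placeholder

# One-time registration: the proxy first, then the forest (once per forest, not per DC).
# Both prompt for the admin's credentials and need outbound HTTPS from the proxy to Azure.
Register-AzureADPasswordProtectionProxy  -AccountUpn $adminUpn
Register-AzureADPasswordProtectionForest -AccountUpn $adminUpn

# Verification: every writable DC must appear with a DC agent, a recent heartbeat and the
# same policy date. A DC that is missing here keeps accepting banned passwords unnoticed.
Get-AzureADPasswordProtectionProxy
Get-AzureADPasswordProtectionDCAgent | Format-Table -AutoSize

# Audit-only review before switching the policy to Enforced: counts of password sets and
# changes that were rejected (or, in audit mode, would have been), per forest or per domain.
Get-AzureADPasswordProtectionSummaryReport -Forest (Get-ADForest).Name

# Per-event detail is in the DC agent's own Admin log on each DC. Group by event ID and map
# the IDs with the monitoring article linked above (rejected vs. audit-only would-have-rejected).
$dc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $dc -LogName 'Microsoft-AzureADPasswordProtection-DCAgent/Admin' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Two caveats worth keeping in mind: the DC agent only evaluates a password when it is set or changed, so passwords already in use are never re-checked (a one-off forced change or an offline audit is needed for those), and the module also carries health-test cmdlets for the proxy and the DC agent; list them with Get-Command -Module AzureADPasswordProtection rather than relying on names from memory.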

 

 

Microsoft has recently announced the public preview of Azure Active Directory’s passwordless login. This new capability enables your employees to use external security keys to sign into their Azure Active Directory-Joined Windows 10 machines (running version 1809 or higher) and get single sign-on to their cloud resources. They can also sign into Azure AD-connected apps on supported browsers including the latest versions of Microsoft Edge and Mozilla Firefox.

You can learn more about how it works here: https://aka.ms/fido2securitykeys

To help get you started, MS partners are offering promotions so you can try out their solutions:

  1. For a limited time, Yubico is offering complimentary YubiKey Starter Kits to organizations with Microsoft 365 customers who are interested in beginning their passwordless journey. The starter kit includes the YubiKey 5 NFC and YubiKey 5C. You can learn more about Yubico’s promotion here: https://www.yubico.com/passwordlessoffer.
  2. FEITIAN is offering the first 500 Microsoft-referred clients limited-time promotional discounts of more than 30% for Fingerprint Biometric Passwordless Security Keys. Visit http://www.FTSafe.com/AzurePublicPreview.
  3. HID Global will take 10% off the manufacturer’s suggested retail price (MSRP) for orders above 500 Crescendo C2300 cards or the Crescendo Key, until August 16, 2019. Learn more at https://www.hidglobal.com

 

TechNet article how-to:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-enable#enable-new-passwordless-authentication-methods