ADFS – Troubleshooting claims

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-claims-issuance
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-claims-rules
https://nzpcmad.blogspot.com/search/label/IdentityServer
https://stackoverflow.com/questions/51643645/adding-custom-claims-to-adfs-from-sql-server
https://docs.microsoft.com/en-us/archive/blogs/askds/ad-fs-2-0-claims-rule-language-primer
https://docs.microsoft.com/en-us/archive/blogs/askds/ad-fs-2-0-claims-rule-language-part-2

Azure and Office365 resources

Here are resources about Azure and Office365. To summarize:
Office365: an offer of MS services and hosted applications (SaaS). In plain terms, you pay for a service (SharePoint, Exchange, Office…) and you don’t manage the infrastructure behind it (CPU, RAM, storage, security).
Azure: a cloud (private/public) offer (PaaS/IaaS). Compared to Office365, MS provide …

msExchRecipientTypeDetails

Integrating an on-premises Active Directory and Exchange organization with Microsoft Cloud Services requires attention to new elements and details. For example, the list of object attributes in the on-premises Active Directory schema differs from the attributes in the Azure and Office 365 services directory platforms. An example is three critical values that are …

How to deploy the latest Windows GPO?

The Central Store. To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a Windows domain controller. The Central Store is a file location that is checked by the Group Policy tools by default. The Group Policy tools use all .admx files that are in …

Azure AD Resources

Azure AD availability: https://azure.microsoft.com/en-us/blog/advancing-azure-active-directory-availability/
Azure AD blog: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/bg-p/Identity
Domains FAQ: https://docs.microsoft.com/en-us/office365/admin/setup/domains-faq
Domain take over: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover
Azure tips and tricks: https://azure.microsoft.com/en-us/blog/azure-tips-and-tricks-become-more-productive-with-azure/
Azure subscription and naming convention: https://blogs.technet.microsoft.com/dsilva/2017/11/10/azure-subscription-governance-resource-group-and-naming-convention-strategies/
Azure RBAC: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Manage VM: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/
Main: http://www.windowsazure.com
Azure cost calculator: https://azure.microsoft.com/en-us/pricing/calculator/?scenario=full
White papers: http://aka.ms/livresblancs
Azure health status: https://status.azure.com/en-us/status
Choose the right authentication method: https://docs.microsoft.com/en-us/azure/security/fundamentals/choose-ad-authn
AzureAD connect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history
Other …

Security baseline for Windows Operating system

Security baseline reference article:
Download the latest version: https://www.microsoft.com/en-us/download/details.aspx?id=55319
Introduction: Download the content. As usual, the content includes GPO backups, GPO reports, scripts to apply settings to local GPO, Policy Analyzer rules files for each baseline and for the full set, and spreadsheets documenting all available GPOs and our recommended settings, settings that are new to …

Hacking and Securing Active Directory

Hacking techniques for AD: “state of the art” (but scary!) with possible mitigation (when possible) + a few new methods…
https://leonjza.github.io/blog/2016/01/09/kerberos-kerberoast-and-golden-tickets/
https://adsecurity.org/wp-content/uploads/2015/08/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf
https://github.com/infosecn1nja/AD-Attack-Defense
https://specterops.io/resources/research-and-development
https://github.com/wavestone-cdt/AD-security-workshop
https://www.labofapenetrationtester.com/
https://github.com/fireeye/commando-vm
For GPO audit: https://github.com/l0ss/Grouper2
Spraykatz:
https://www.slideshare.net/sylvaincortes/spraykatz-installation-basic-usage
https://github.com/aas-n/spraykatz
ReverseTCP shell:
https://www.youtube.com/watch?v=T9qb4DIAXTg&feature=youtu.be
https://github.com/ZHacker13/ReverseTCPShell
Securing AD:
AD Explorer: https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer
https://digital-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory
http://video.ch9.ms/sessions/teched/na/2014/DCIM-B213.pptx
https://www.pingcastle.com/
AD Authentication silos and more: https://www.sstic.org/user/abordes
MS white-paper best …

PowerShell – DNS – Create conditional forwarder zone

Best practices for DNS forwarding:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754941%28v%3dws.10%29
https://www.petri.com/best-practices-for-dns-forwarding
To export conditional forwarder zones: conditional forwarders are in the same registry key as the zones.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones
Export the key, then you can import it to the other server.
To export global forwarders settings: global forwarders are set up in the following key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Forwarders key Export …

Azure AD – Securing Identity platform

Reference article: https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity
Doc to disable the user consent: https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#restrict-user-consent-operations
Best practices: There are many aspects to a secure Identity infrastructure, but this five-step checklist will help you quickly accomplish a safer and secure identity infrastructure:
Strengthen your credentials.
Reduce your attack surface area.
Automate threat response.
Increase your awareness of auditing and monitoring.
Enable …