Category: Security


Description

Today AD FS is made highly available by setting up an AD FS farm. Some organizations would like a way to have a single server AD FS deployment, eliminating the need for multiple AD FS servers and network load balancing infrastructure, while still having some assurance that service can be restored quickly if there is a problem. The new AD FS Rapid Restore tool provides a way to restore AD FS data without requiring a full backup and restore of the operating system or system state. You can use the new tool to export AD FS configuration either to Azure or to an on-premises location. Then you can apply the exported data to a fresh AD FS installation, re-creating or duplicating the AD FS environment.

Scenarios

The AD FS Rapid Restore tool can be used in the following scenarios:
1.Quickly restore AD FS functionality after a problem•Use the tool to create a cold standby installation of AD FS that can be quickly deployed in place of the online AD FS server

2.Deploy identical test and production environments•Use the tool to quickly create an accurate copy of the production AD FS in a test environment, or to quickly deploy a validated test configuration to production

What is backed up

The tool backs up the following AD FS configuration
•AD FS configuration database (SQL or WID)
•Configuration file (located in AD FS folder)
•Automatically generated token signing and decrypting certificates and private keys (from the Active Directory DKM container)
•SSL certificate and any externally enrolled certificates (token signing, token decryption and service communication) and corresponding private keys (note: private keys must be exportable and the user running the script must have permissions to access them)
•A list of the custom authentication providers, attribute stores, and local claims provider trusts that are installed.

Download and usage

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-rapid-restore-tool

 

To detect lateral movement on Windows infrastructure I recommend to collect the following events:

It’s based on events (4648 + 4672 from member servers, 8004 from DCs) + network traffic (AS/TGS).

Regarding both event 4648 (A logon was attempted using explicit credentials) and event 4672 (Special privileges assigned to new logon):
=> Collect events and send to a SIEM (splunk, logrythm …) or even Windows Event collector (WEF)

 

Disabling SMB v1 (lanmanserver “server service only”) on windows computers/servers:

Full version: https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/

 

My recommendation:

a) for domain-based computers: use GPO “group policy object” to deploy the registry key to disable SMBv1 (server-side only) protocol on all systems (A reboot is required to take effect)

 

b) for isolated computer or non/domain joined computers: use the following command line to modify the lanmanserver registry key properly

 

Implementation – Technical details:

 

a) for domain-based computers, create a GPO or modify an existing GPO applied to computers only, to add the following registry key:

 

for domain-based computers, to create the GPO setting to disable SMB v1, use GPMC, Computer configuration, preferences, windows settings, registry, right-click, new registry item,

 

keep: Update,

Select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

 

Value: SMB1

Data: REG_DWORD 0

 

Note: To re-enable it

REG_DWORD: 1 = Enabled

Default: 1 = Enabled

 

 

b) for isolated computer or non/domain joined computers:

 

b.1) For Windows 8 and Windows server 2012 or greater (Note: not supported on Windows 7):

To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

 

Get-SmbServerConfiguration | Select EnableSMB1Protocol

 

To disable SMBv1 on the SMB server, run the following cmdlet:

 

Set-SmbServerConfiguration -EnableSMB1Protocol $false

 

b.2) For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

 

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server

2008, use Windows PowerShell or Registry Editor.

 

To disable SMBv1 on the SMB server, run the following cmdlet:

 

Set-ItemProperty –Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 –Force

 

To assess the impact:

 

This article contain a table to understand what version you will end up, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server.

https://blogs.technet.microsoft.com/josebda/2012/06/06/windows-server-2012-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-or-smb-3-0-are-you-using-on-your-file-server/

 

Analysis Technical details:

https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis

 

CERT articles:

http://www.cert.ssi.gouv.fr/site/CERTFR-2017-ALE-010.pdf

https://www.us-cert.gov/ncas/alerts/TA17-132A

https://kc.mcafee.com/corporate/index?page=content&id=KB89335

 

Attaching the latest recommendations by Microsoft:

Customer Guidance for WannaCrypt attacks:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

 

WannaCrypt ransomware worm targets out-of-date systems:

https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

 

A patch that was released in March protects your organization from “WannaCry” and similar variants, you should immediately deploy it if you haven’t: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

“Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003”

View story at Medium.com

Some interesting sites:

 

Reference articles to secure a Windows domain:

https://github.com/PaulSec/awesome-windows-domain-hardening

Sysinternals sysmon:

https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

On ADsecurity.org:

Securing Domain Controllers to Improve Active Directory Security

 

Download sysmon:

NEW: Sysmon 6.02 is available ! : https://technet.microsoft.com/en-us/sysinternals/sysmon  and how to use it:

Installation and usage:

List of web resources concerning Sysmon: https://github.com/MHaggis/sysmon-dfir

Mark russinovitch’s RSA conference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

Sysmon config files explained:

https://github.com/SwiftOnSecurity/sysmon-config

https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml

https://www.bsk-consulting.de/2015/02/04/sysmon-example-config-xml/

View story at Medium.com

Else other install guides:

Sysinternals Sysmon unleashed

http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon

 

Detecting APT with Sysmon:

https://www.rsaconference.com/writable/presentations/file_upload/hta-w05-tracking_hackers_on_your_network_with_sysinternals_sysmon.pdf

 

https://www.root9b.com/sites/default/files/whitepapers/R9B_blog_005_whitepaper_01.pdf

Sysmon with Splunk:

http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/

https://securitylogs.org/tag/sysmon/

Sysmon log analyzer/parsing sysmon event log:

https://github.com/CrowdStrike/Forensics/blob/master/sysmon_parse.cmd

https://digital-forensics.sans.org/blog/2014/08/12/sysmon-in-malware-analysis-lab

https://github.com/JamesHabben/sysmon-queries

http://blog.crowdstrike.com/sysmon-2/

logparser: http://www.microsoft.com/en-us/download/confirmation.aspx?id=24659

logparser GUI: http://lizard-labs.com/log_parser_lizard.aspx

Web article:

https://technet.microsoft.com/en-us/library/cc784450(v=ws.10).aspx

 

How to test SSL/TLS:

You can easily see what SSL protocol a server supports (and even grab the certificate from there) example below with openSSL:

openssl s_client -connect myserver.mydomain.local:636 -ssl3
openssl s_client -connect myserver.mydomain.local:636 -tls1
openssl s_client -connect myserver.mydomain.local:636 -tls1_1
openssl s_client -connect myserver.mydomain.local:636 -tls1_2

All those reports successfull connection SSL handshake and present the proper server certificate.

And it is very easy anyway for a client to get supported SSL protocols on a remote server, it is how client <==> server handshake works to
select an agreed protocol supported on both sides.

I suggest you check on application side …

# nmap –script ssl-enum-ciphers -p 636 myserver.mydomain.local

Starting Nmap 6.46 ( http://nmap.org ) at 2017-02-16 18:22 CET
Nmap scan report for myserver.mydomain.local (172.19.133.64)
Host is up (0.025s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA – strong
| TLS_RSA_WITH_RC4_128_MD5 – strong
| TLS_RSA_WITH_RC4_128_SHA – strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA – strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA – strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA – strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA – strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA – strong
| TLS_RSA_WITH_AES_128_CBC_SHA – strong

 

The administrator receives email notifications that identify which certificates are set to expire on the specified day.

https://blogs.technet.microsoft.com/nexthop/2011/11/17/certificate-expiration-alerting/

https://www.corelan.be/index.php/2009/04/10/free-tool-windows-2008-certificate-authority-certificate-list-utility-for-pending-requests-and-about-to-expire-certificates/

https://www.shellandco.net/monitor-certificate-expiration/

https://gallery.technet.microsoft.com/scriptcenter/Monitor-certificate-9d7a2141

 

SSL certificate checker:

https://www.quora.com/What-is-the-best-tool-to-automatically-inspect-expiration-dates-for-SSL-certificates-and-alert-you-before-they-expire

 

third-party:

https://www.keyon.ch/en/Produkte-Loesungen/Microsoft-PKI/index.php   ; true-Xtender certificate expiration service

http://www.venafi.com

 

If there are multiple valid certificates available in the local computer store, Schannel the Microsoft SSL provider, selects the first valid certificate that it finds store. The LDAP bind may fail if Schannel selects the wrong certificate.

Loading the requested server certificate into the NTDS/Personal certificate store will ensure that the correct server certificate is used for LDAPS

IMPORTANT NOTE:

  • Automatic certificate enrollment (auto-enrollment) cannot be utilized to populate NTDS\Personal certificate store
  • Command line tools are not able to manage certificates in the NTDS\Personal certificate store
  • Certificates should be imported into the NTDS\Personal store and not moved through drag-and-drop in the Certificates snap-in
  • The import process must be conducted on each domain controller

LDAP over SSL (LDAPS) Certificate (MS TechNet)

When exporting the certificate:

  • When prompted, select “Yes, export the private key”
  • Select the “Personal Information Exchange – PKCS #12(.pfx)” format
  • Do not select “Include all certificates in the certificate path” or “Delete the private key if the export is successful”
  • Select “Export all extended properties”