AD – Securing Domain Controllers / hardening Windows domain and computers

Reference articles to secure a Windows domain:
- The 4 pillars of Active Directory security (CERT-FR guide, in French): https://www.cert.ssi.gouv.fr/uploads/guide-ad.html
- Awesome Windows domain hardening: https://github.com/PaulSec/awesome-windows-domain-hardening
- PingCastle, to audit an AD domain: https://www.pingcastle.com/
- AD Explorer (Sysinternals): https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer
- Microsoft audit policy settings and recommendations: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
- Sysinternals Sysmon, to audit and control changes: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- On ADSecurity.org, Beyond domain admins: https://adsecurity.org/?p=3700
- Gathering AD data with PowerShell: https://adsecurity.org/?p=3719
…

Kerberos is not used when you connect to SMB shares by using IP address

When you connect to a remote Server Message Block (SMB) share by IP address, as in \\192.x.y.z\sharename, Kerberos is not used: the client has no host name from which to build the cifs/<host> service principal name, so it cannot request a service ticket and the connection falls back to NTLM. A network trace shows the following KRB_ERROR (KDC_ERR_S_PRINCIPAL_UNKNOWN): Server not found in Kerberos database. Cause: By default, Microsoft Windows Server …
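The following PowerShell session is an added example, not part of the original post, that makes the difference visible from the client: the same share opened by host name gets a cifs/ service ticket, opened by IP address it gets none and the server-side logon event shows NTLM. The file server name FS01.corp.example.com, its address 192.0.2.10 and the share name "data" are assumptions.

```powershell
# Added example (not from the original post). Assumed names:
# file server FS01.corp.example.com at 192.0.2.10, share "data".
$byName = '\\FS01.corp.example.com\data'
$byIp   = '\\192.0.2.10\data'

# Start from an empty ticket cache so only tickets obtained below are visible.
klist purge | Out-Null

# 1. Connect by host name: the client asks the KDC for cifs/FS01.corp.example.com.
Get-ChildItem $byName | Out-Null
klist | Select-String 'cifs/FS01'          # expected: a cifs/FS01.corp.example.com ticket

# 2. Connect by IP: the client would need cifs/192.0.2.10, which no account holds.
#    The KDC replies KDC_ERR_S_PRINCIPAL_UNKNOWN and the SMB client falls back to NTLM.
Get-ChildItem $byIp | Out-Null
klist | Select-String '192.0.2.10'         # expected: no ticket for the IP address

# 3. No account has an SPN for the IP address (the query normally returns nothing):
setspn -Q cifs/192.0.2.10

# 4. Server-side confirmation (run on FS01): the session that came in by IP is
#    logged in event 4624 with Authentication Package NTLM instead of Kerberos.
#    Property 5 of the event is TargetUserName, property 10 is AuthenticationPackageName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 50 |
    Where-Object { $_.Properties[10].Value -eq 'NTLM' } |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { $_.Properties[5].Value } },
        @{ n = 'Package'; e = { $_.Properties[10].Value } }
```

If NTLM is being disabled in the domain, every UNC path, mapped drive and script that still uses an IP address will break for exactly this reason, so hunting for NTLM logons with a host name equal to an IP address is a useful pre-check. Recent clients (Windows 10 / Server 2016 and later) can be configured to try IP-address SPNs, but that requires both the client setting and an SPN of the form cifs/<ip> registered on the server account, which is not the default.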

How to update group membership without logoff / logon /restart

This is very useful in situations where you want to update a user's or computer's group membership without a new logon or a restart. The whole magic lies in the Kerberos tickets issued after you logged on to a machine or the machine has started: the group SIDs travel in the ticket's PAC, so a freshly issued ticket carries the new membership. The tool klist.exe cannot only be used …
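The procedure below is an added example (not the original post's own text) showing the klist purge sequence for both the user and the computer account, and the one caveat a practitioner runs into: the local access token of an existing logon session does not change. The group name FileShareAdmins is an assumption.

```powershell
# Added example (not from the original post). Assumed group: FileShareAdmins.
# Run from an elevated PowerShell on the machine whose tickets you want to refresh.

# 1. Show the current user's ticket cache (TGT plus any service tickets).
klist

# 2. Purge the user's tickets. The next resource access requests a new TGT and
#    service ticket; their PAC reflects the membership change made on the DC.
klist purge

# 3. The computer account keeps its own cache in the SYSTEM logon session,
#    whose logon ID is always 0x3e7. Purge it too when the COMPUTER was added
#    to a group (e.g. for a group-filtered GPO):
klist -li 0x3e7 purge

# 4. Force the computer to obtain a fresh TGT and re-evaluate policy with the
#    new group list.
gpupdate /target:computer /force

# 5. Caveat: the access token of the interactive session was built at logon
#    and is never updated, so local checks still show the old membership.
#    Access to REMOTE resources over Kerberos already uses the new ticket.
whoami /groups | Select-String 'FileShareAdmins'   # still absent until next logon
```

In other words, klist purge fixes "the file server still denies me" but not "this local application still does not see my new group"; the second case needs a new logon session (or a scheduled task / runas that creates one).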

Unix interoperability (SSSD) with a Microsoft Domain

SSSD principle:
- SSSD for SuSE (SLES): https://www.suse.com/support/kb/doc/?id=7022002 and http://www.novell.com/support/kb/doc.php?id=7014572
- RHEL: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/index and https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html
- Troubleshooting SSSD: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
Quick checks on the Linux host once SSSD is joined: name resolution with id <userid> and getent passwd <userid>; authentication with ssh <userid>@localhost.
In addition to the Red Hat guide, there are tons of interesting links: http://thornelabs.net/2014/01/30/authenticate-rhel-5-and-6-against-active-directory-on-windows-server-2008-r2-with-sssd-using-kerberos-and-ldap.html and http://www.chriscowley.me.uk/blog/2013/12/16/integrating-rhel-with-active-directory/

Kerberos – duplicate SPNs

Reference article: https://technet.microsoft.com/en-us/library/cc759300(v=ws.10).aspx Kerberos uses SPNs extensively. When a Kerberos client uses its TGT to request a service ticket for a specific service, the service is identified by its SPN. The KDC grants the client a service ticket that is encrypted in part with a shared secret that the service account, as identified by the …
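Because the KDC locates the service account by SPN, an SPN registered on two accounts leaves the KDC choosing one of them, and the ticket it issues is encrypted with that account's key; the service running under the other account cannot decrypt it and authentication fails (typically falling back to NTLM or erroring out). The script below is an added example, not from the original post, that finds such duplicates both with the built-in setspn tool and with an LDAP query that can be scheduled or exported. It assumes the ActiveDirectory module (RSAT) is installed; the account names in the fix comment are assumptions.

```powershell
# Added example (not from the original post). Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Built-in check: -X reports duplicate SPNs, -F extends the search to the whole forest.
setspn -X -F

# Same check as a query, so the result can be scripted. SPNs are matched
# case-insensitively, hence the lower-casing of the key.
function Find-DuplicateSpn {
    $spnMap = @{}
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $obj = $_
            foreach ($spn in $obj.servicePrincipalName) {
                $key = $spn.ToLowerInvariant()
                if (-not $spnMap.ContainsKey($key)) { $spnMap[$key] = @() }
                $spnMap[$key] += $obj.DistinguishedName
            }
        }
    # Return only SPNs held by more than one object.
    $spnMap.GetEnumerator() |
        Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ SPN = $_.Key; Accounts = $_.Value }
        }
}

Find-DuplicateSpn | ForEach-Object {
    Write-Output "DUPLICATE SPN $($_.SPN):"
    $_.Accounts | ForEach-Object { Write-Output "    $_" }
}

# Fix: keep the SPN on the account the service really runs as and delete it
# from the other one, for example (assumed names):
#   setspn -D HTTP/webapp.corp.example.com CORP\oldsvc
```

Duplicates usually appear after a service is moved to a new account without cleaning the old one, or when a computer account and a service account both claim the same HTTP/ or MSSQLSvc/ name; the LDAP version of the check makes it cheap to run it after every such change.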

IIS and Kerberos authentication

Configuring IIS for Kerberos is explained in these two blog posts: http://blog.snuxoll.com/post/82358808839/kerberos-authentication-with-load-balanced-iis and https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/ In short, following the Technet blog, you must configure your IIS site to use Windows (Kerberos/Negotiate) authentication (IIS Manager option) and, for constrained delegation, stop running your web service under the default application pool identity and create a dedicated technical domain account, i.e. …
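The script below is an added example, not taken from the original post or the linked blogs, that performs the whole setup from PowerShell on the IIS server: SPN on the service account, application pool identity, Windows authentication, the kernel-mode/useAppPoolCredentials gotcha, and Kerberos-only constrained delegation to one backend. The names webapp.corp.example.com, app pool "webapp", account CORP\svc_webapp and backend sql01.corp.example.com are assumptions; it requires the WebAdministration and ActiveDirectory modules.

```powershell
# Added example (not from the original post). Assumed names: site
# webapp.corp.example.com, app pool "webapp", account CORP\svc_webapp,
# backend SQL Server sql01.corp.example.com. Run elevated on the IIS server.
Import-Module WebAdministration
Import-Module ActiveDirectory

# 1. Register the HTTP SPN on the SERVICE ACCOUNT, not on the machine account.
#    (-S refuses to create a duplicate SPN.)
setspn -S HTTP/webapp.corp.example.com CORP\svc_webapp

# 2. Run the application pool as that account instead of the default identity.
$cred = Get-Credential -UserName 'CORP\svc_webapp' -Message 'App pool identity'
Set-ItemProperty 'IIS:\AppPools\webapp' -Name processModel -Value @{
    identityType = 3                                     # 3 = SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 3. Windows authentication on, anonymous off. The default provider order is
#    already Negotiate (Kerberos) first, then NTLM.
$site = 'Default Web Site/webapp'
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true

# 4. Kernel-mode authentication decrypts tickets with the MACHINE account key.
#    Our SPN (and therefore the ticket) belongs to svc_webapp, so tell IIS to
#    use the app pool credentials; otherwise every Kerberos logon fails.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/windowsAuthentication" -Name useAppPoolCredentials -Value $true

# 5. Constrained delegation, Kerberos only: svc_webapp may obtain tickets to
#    the SQL service on behalf of the authenticated user, and to nothing else.
Set-ADUser -Identity svc_webapp -Add @{
    'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.corp.example.com:1433'
}

# 6. Verification from a domain-joined client after browsing the site:
#    a service ticket for the HTTP SPN must now be present.
klist | Select-String 'HTTP/webapp.corp.example.com'
```

Step 4 is the one most often missed: with the default kernel-mode setting the symptoms are an endless credential prompt or NTLM fallback even though the SPN looks correct. Leaving "Trust this user for delegation to any service" (unconstrained delegation) unset is deliberate; that setting lets a compromised web server impersonate every user who authenticated to it against any service.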

What is OAuth? OAuth versus Kerberos ! ADFS and OAuth !

Introduction: When Kerberos was chosen to be AD's authentication protocol in the mid- to late-1990s, the World Wide Web was a shadow of what the Internet offers today. Although a Kerberos ticket is encrypted with a key derived from the service account's password, and can therefore be attacked offline, there wasn't any substantial requirement to provide support outside the highly protected corporate firewall. …

ADFS Authentication Failure (HTTP error 400) .. due To Token Size

Introduction: A 400 error is seen by the end user when trying to access an IIS web site that has Windows Authentication enabled. Not all users see this behavior; the affected user is typically a member of many Active Directory groups. Cause: When a user logs into a workstation on the domain, a Kerberos authentication …
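The script below is an added example, not from the original post, that makes the cause measurable: it estimates a user's token size from the transitive group list (tokenGroups, which is what the PAC carries) using Microsoft's published formula from KB327825, then shows the two registry settings involved, MaxTokenSize on the Kerberos side and MaxFieldLength/MaxRequestBytes on the HTTP.sys side of the IIS or ADFS server. The user name jdoe is an assumption; the ActiveDirectory module is required.

```powershell
# Added example (not from the original post). Assumed user: jdoe.
Import-Module ActiveDirectory

function Get-EstimatedTokenSize {
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    # tokenGroups is a constructed attribute: read it with a base-scope refresh.
    $entry = [ADSI]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache(@('tokenGroups'))
    $sids = foreach ($raw in $entry.Properties['tokenGroups']) {
        New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    }
    # KB327825: TokenSize = 1200 + 40*d + 8*s
    #   d = domain local groups + groups from other domains (40 bytes each, full SID)
    #   s = global/universal groups of the user's own domain (8 bytes each, RID only)
    $d = 0; $s = 0
    foreach ($sid in $sids) {
        try   { $g = Get-ADGroup -Identity $sid.Value -ErrorAction Stop }
        catch { $d++; continue }                       # not in this domain
        if ($g.GroupScope -eq 'DomainLocal') { $d++ } else { $s++ }
    }
    [pscustomobject]@{
        User           = $SamAccountName
        GroupCount     = @($sids).Count
        EstimatedBytes = 1200 + 40 * $d + 8 * $s
    }
}

Get-EstimatedTokenSize -SamAccountName 'jdoe'

# Kerberos side: MaxTokenSize. Default 12000 bytes up to Windows 7/2008 R2,
# 48000 from Windows 8/2012 on. A value larger than 65535 is not useful because
# HTTP.sys cannot accept a header that size anyway.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
    -Name MaxTokenSize -ErrorAction SilentlyContinue

# HTTP.sys side on the IIS/ADFS server: the Authorization header carrying the
# (base64) ticket must fit into MaxFieldLength and MaxRequestBytes (default 16384).
$http = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
New-ItemProperty $http -Name MaxFieldLength  -PropertyType DWord -Value 65534 -Force | Out-Null
New-ItemProperty $http -Name MaxRequestBytes -PropertyType DWord -Value 65534 -Force | Out-Null
# HTTP.sys reads these at start: net stop http /y ; net start w3svc (or reboot).
```

Raising the limits is a stopgap; the estimate above usually points at the real fix, which is pruning nested group membership (and SID history after migrations) for the affected users.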

In Windows 7 and Server 2008 R2, the DES encryption types for the Kerberos authentication protocol are disabled by default.

In Windows 7 and Server 2008 R2, the DES encryption types for the Kerberos authentication protocol are disabled by default. This can cause compatibility problems if one of your legacy applications is hard-coded for only DES encryption, or if the Windows account that runs a service (the service account) is configured to use only DES …
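The script below is an added example, not from the original post, that finds the accounts on which DES-only Kerberos was left enabled and moves them to AES, and shows where the client-side encryption type policy lives. It assumes the ActiveDirectory module and a domain functional level that supports AES (Windows Server 2008 or later).

```powershell
# Added example (not from the original post). Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# USE_DES_KEY_ONLY is bit 0x200000 (2097152) of userAccountControl; the
# 1.2.840.113556.1.4.803 rule is LDAP "bitwise AND".
$desOnly = Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2097152)' `
    -Properties userAccountControl, 'msDS-SupportedEncryptionTypes', servicePrincipalName

# msDS-SupportedEncryptionTypes bits: 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5,
# 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256. Also catch accounts advertising a DES bit.
$desAdvertised = Get-ADObject -LDAPFilter '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=3)' `
    -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName

($desOnly + $desAdvertised) | Sort-Object DistinguishedName -Unique |
    Select-Object Name, ObjectClass,
        @{ n = 'EncTypes'; e = { $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'SPNs';     e = { $_.servicePrincipalName -join ',' } }

# Fix: clear the DES-only flag and advertise AES128 + AES256 (0x18).
# AES keys exist only after the NEXT password change, so reset the service
# account password afterwards (computer accounts rotate theirs automatically).
foreach ($acct in $desOnly) {
    Set-ADAccountControl -Identity $acct.DistinguishedName -UseDESKeyOnly $false
    Set-ADObject -Identity $acct.DistinguishedName -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x18 }
}

# Client/server side: the policy "Network security: Configure encryption types
# allowed for Kerberos" is stored here; a value with bits 0x1/0x2 set re-enables DES.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' `
    -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
```

Re-enabling DES through that policy to rescue a legacy application is the wrong direction: a DES-keyed ticket can be brute-forced in minutes, so the fix is to change the application's account to AES and, if the application truly cannot do better, isolate it rather than weaken every client in the domain.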