Category Archives: Active Directory

Lock down your Active Directory Domain Controllers internet access! (Part of my Active Directory Hardening Series)

If you want to follow the Security Technical Implementation Guide (STIG) for Active Directory you will come across V-53727, AD.0015, stating that internet access should be restricted. If you ask Microsoft what you should do, they also state internet access should be restricted but provide no clear mechanism to do so.

(https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack#blocking-internet-access-for-domain-controllers)

What is the best way to turn off browsing the internet on Domain Controllers that doesn’t involve contacting your Information Security team? I’m glad you asked. I’m going to walk you through the process I’ve put forward to implement locked down Windows Firewall rules on the Domain Controllers.

There may be criticism here that things could be locked down even more, and I DO NOT disagree with you. This article is more about getting started on locking down your Domain Controllers not the solve-all be-all guide. This write-up is one of many I hope to include in a Domain Controller Hardening Series.

NOTE: These Firewall Rules May Not Work For Your Organization! We are not running DHCP, WINS, or Integrated AD DNS. We also have RPC dynamic ports locked to 1,000 ports.

For changing RPC ports on the Domain Controllers, I followed this article:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-rpc-dynamic-port-allocation-with-firewalls

Create Group Policy and link it to Domain Controllers OU for Firewall Rules
(Set the scope to one DC if you are worried)

In this Group Policy, open it up and edit it and navigate to the following area:

  1. Computer Configuration
  2. Policies
  3. Windows Settings
  4. Security Settings
  5. Windows Firewall with Advanced Security

If you are implementing changes like this in a TEST environment which I highly recommend first and you happen to be connected to one of the DCs to do this work you will want to perform the following things first to prevent being disconnected.

These Domain Controllers should be behind a hardware firewall, so leaving all remote addresses set to ANY while you configure, you should still have protection from your hardware firewall until you can go through rule-by-rule and lock them down. I’m not providing any guidance here as all organizations are different.

Go to Inbound Rules and create your base ruleset.

Rule NameProtocolLocal Port
Active Directory Web ServicesTCP9389
NetBIOS Session ServiceTCP139
ICMPv4ICMPv4ANY
ICMPv6ICMPv6ANY
KerberosTCP88
KerberosUDP88
Kerberos Password ChangeTCP464
Kerberos Password ChangeUDP464
LDAPTCP389
LDAPUDP389
LDAP Global CatalogTCP3268
LDAPSTCP636
LDAPS Global CatalogTCP3269
NetBIOS Name ServiceTCP137
NetBIOS Name ServiceUDP137
NetBIOS Datagram ServiceUDP138
NTPUDP123
Remote Desktop ProtocolTCP3389
Remote Desktop ProtocolUDP3389
RPC Endpoint MapperTCP135
RPC Dynamically Assigned PortsTCP Example: 50000-51000
SMBTCP445
Windows Remote Management (WinRM)TCP5985-5986
These are created on ALL profiles

Go to Outbound Rules and create your base ruleset.

Rule NameRemote AddressProtocolLocal PortRemote Port
Allow ICMPv4, ICMPv6 OutboundAnyICMPv4/ICMPv6ANYANY
Allow All Traffic Outbound (TCP)AnyTCPANY1-79,81-442,444-65535
Allow All Traffic Outbound (UDP)AnyUDPANY1-79,81-442,444-65535
Allow Outbound Web Traffic Exceptions<IPs> Crowdstrike, PKI, etc.TCPANY80, 443
Allow Outbound Web Traffic Exceptions<IPs> Crowdstrike, PKI, etc.UDPANY80, 443
These are created on ALL profiles

By default Windows Firewall will allow all traffic outbound. These outbound rules are needed because I’m going to change the behavior to block traffic outbound by default and then put in an exception to most traffic out.

This is done to stop web traffic outbound on ports 80/443, except for the IPs we know are OK (for example Crowdstrike, or PKI services). You could and should argue that outbound traffic should be limited to your workplace but I’m not covering that level of specifics in this guide.

Right-Click “Windows Firewall with Advanced Security – LDAP://…” and click Properties.

Make sure the Firewall State is “On”, and Inbound Connections are set to “Block (default)” and Outbound Connections are set to “Block”. Verify these settings for all three Domain Profiles (Domain, Private, Public).

Next, while still in this dialog box under “Domain Profile” click Customize under Settings. I have turned off displaying a notification when a program is blocked. I have also disallowed rule merging. By turning off Rule Merging you will remove a lot of the “garbage” Microsoft Firewall Rules that are created by default. This will allow you full control of the Windows Firewall.

Next, click “Customize” under Logging, on the Domain Profile tab. Here, I’m using the default log location:
%systemroot%\system32\logfiles\firewall\pfirewall.log

I’ve also maximized the firewall log to 32MB, and I’m logging dropped packets and successful connections, this is needed for troubleshooting later.

Once this is complete you should be able to to run “gpupdate /force” on one of your Domain Controllers and launch Windows Firewall. The Windows Firewall current rules that are being enforced are found under “Monitoring -> Firewall”

You should see all of the rules that you setup enforced and you can now begin to lock down things potentially even more-so than the hardware firewall depending on your IT Security team.

This should be enough to get you started on your journey. If you have a close relationship with your IT Security Team, it would also be good to reach out to them and get their rule-set for your Domain Controllers. You may find that you can help IT Security lock down the hardware firewall even more!

PrintNightmare – [0Day] Windows Critical Vulnerability

I had been watching Twitter all day yesterday and amongst all the #infosecbikini photos filling up InfoSec Twitter there was mention of this critical Windows vulnerability. At first it sounded like the June patches would protect you, then Twitter seemed to lose faith that was the case.

The US Cybersecurity & Infrastructure Security Agency (CISA) released the following notice the evening of June 30, 2021. (https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability)

It has been recommended to disable the Windows Print spooler service on Domain Controllers and any systems that do not print.

EDIT: As of writing this entry the best workaround I have been able to find if you need to keep print services running is here: https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/

EDIT 2: Microsoft has finally responded: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

EDIT 3: CISA put out emergency directive: https://cyber.dhs.gov/ed/21-04/

For your meme viewing pleasure:

Adding a UPN Suffix to Active Directory

Have you recently setup a Test Active Directory and are using it to test out your scripts but you quickly realized that the alternate UPN suffixes that you forgot you didn’t create aren’t there?

Or.. maybe you just haven’t done this in forever like myself and had to Google how to add a UPN suffix to AD.

Well if either or none of those cases match why you are reading this right now, no need to worry, I’ll tell you anyway.

Adding UPN Suffix to Active Directory

Launch Active Directory Domains and Trusts and right-click on “Active Directory Domains and Trusts [dc.domain] at the top of the left pane and click Properties.

On the next window, add the alternate UPN suffixes you want added.

You will now see these UPNs available in the drop-down menu when you create a new user account, or modify an already existing one.

Powershell: Check for deleted user accounts in AD

I have scrubbed and cleaned my next script for GitHub. This one was much easier to scrub and cleanup. This script will monitor the Active Directory Recycle Bin for deleted user objects based on a regex, with an area where you can add exceptions.

If the script finds any accounts it will send an e-mail with the samAccountName of the user accounts that were found.

The script can be found here: https://github.com/paularquette/Active-Directory/blob/main/AD_Check_For_Deleted_AccessID_User_Accounts.ps1

Monitor Active Directory Domain Controller DNS Records

I’m realizing how much work is involved to clean and sanitize code so it is very simple for someone to just copy and paste it. I’m in the hopefully not forever long process of sharing code that I use in my day job. This process is cleaning up my code so there is a net plus here.

My first script revolves around running Active Directory with an external DNS provider. We had an issue awhile back where one of our Domain Controllers dropped out of DNS and since that incident a script was written to monitor DNS.

I feel like I have a lot of knowledge and scripts to share so stay tuned there is a lot more coming!

Link to script: https://github.com/paularquette/Active-Directory/blob/main/AD_Check_DNS_For_Domain_Controllers.ps1