We recently ran a “double-tap” reset of the krbtgt account in our Active Directory and ran into very few problems. We have the default 10 hour Kerberos ticket lifetime configured.
EDIT: The biggest issue was an internal .NET Portal that was federated with ADFS, it needed to be restarted
We ran this first in our test environment and then scheduled the run for our Production environment a week night evening at 10pm to make sure people would be around if there were issues the following morning.
The recommended way to run this script is using the following modes:
Mode 1 – Informational Run Only
Mode 8 – Create bogus krbtgt test account
Mode 2 – Simulation Run to verify replication
Mode 3 – Simuation Run to verify replication and password reset of bogus krbtgt
Mode 4 – Real Run, Modifying Real krbtgt Account
Mode 9 – Cleanup bogus krbtgt test account
We ran Mode 3 and Mode 4 twice, on the second run of Mode 4 you will see some warning text that there could be a major domain impact.
The only major impact that was noticed in our environment was that remote desktop to many of our servers stopped working if using the fully qualified name. A workaround to this would be to use the IP which will use NTLM authentication.
However, after our 10 hour ticket time all machines were back to working as expected.
This script should be run a couple times a year depending on who you ask for only a single-tap reset of the account. I’ve heard recommendations from every 90 days to every 180 days. It should also be run anytime someone who can forge golden tickets leaves the environment (Twice if there is concern).
If you haven’t already forced ADFS to run on TLS 1.2 you are behind the curve. Activating TLS 1.2 on ADFS and turning off all other vulnerable services is relatively easy.
The first step that always goes unsaid is to snapshot your Virtual Machines or get a solid backup state before making any changes to a running production environment. The next unsaid step is to perform these activities on a test/dev environment before taking down Production!
SSL 2.0 and SSL 3.0 should already be disabled, if they are not disable them immediately! The following link from Microsoft provides the registry keys and powershell needed to disable all of these services. Make sure these changes are being made on all Web Application Proxies (WAPs) and ADFS servers.
Disable SSL 2.0
Disable SSL 3.0
Disable TLS 1.0
Disable TLS 1.1
Disable RC4
Enable Strong Authentication for .NET Applications
This value normally has a value of 2 (which means configured), change it back to 1, and this change does not even require a reboot.
Open up Server Manager and launch “Remote Access Manager”, select “Web Application Proxy” and put in the required information to re-establish the trust.
You may need to reboot the WAPs one more time, I had to.
Step 4: Verify SSL Services are Correct
Once all services come back up, it would be a good time to verify that all the services you think you turned off are actually off. A SSL Server Test tool would be great for that, like the one by SSL Labs: https://www.ssllabs.com/ssltest/
Step 5: You may need to correct internal .NET Applications pointing to ADFS
Internal .NET Applications may start failing. If you start to receive error messages like “Authentication failed because the remote party has closed the transport stream”, it just means you are not specifying TLS 1.2.
I currently run this script every hour and I get plenty of overlap for logs. The logs roll relatively quick but not that quick. I’m also logging all allows and I may change that in the future to only log drops.
In order to see dropped traffic outbound you would have to have outgoing firewall rules in place. By default traffic is not blocked going out. You can reference my previous post linked above.
In the example below you can see I’m limiting all TCP/UDP outbound traffic on Non HTTP ports to a certain subset of IP ranges:
If this Domain Controller tries to send any NON-HTTP(s) traffic outside of the organization it will show up in the DC firewall logs.
Example of HTML Report:
If your IT Security group has the hardware firewalls super locked down you may not see much if any traffic being dropped on the local DCs, but it still isn’t a bad idea to have another layer of security around such a high profile service!
**EDIT** If you log into vcenter with an Active Directory account you should be able to modify an already existing Identity Source. I had been logging in with local administrator account.
For reference we already had our linked vCenter talking to Active Directory over LDAPS. However, we are currently in the process of migrating all of our VMs over to new hardware. When we tried to move the main Active Directory server providing authentication to vCenter, lets just say it was not happy.
Upon trying to enter into the Identity Sources and update the server(s) manually on the Identity Source that was already being used we received the following message: “Check the network settings and make sure you have network access to the identity source”.
It was not found until after doing some Googling that you have to remove your current running Identity Source in order to make changes. In other words delete the current identity source and add a “new” one in order to make the changes you want to make.
This just seems bad.
However, after doing a lot of testing in our TEST environment I could not seem to run into any snags. If you login with administrator@vsphere.local and delete and then immediately re-add the identity source back with the same domain name, alias, etc, there does not seem to be any issues. All of your permissions on objects defined with AD groups will remain.
I used the method listed in this VMware KB for grabbing the certificates I needed for both the Primary and Secondary Active Directory Servers. (https://kb.vmware.com/s/article/2041378).
If you want to follow the Security Technical Implementation Guide (STIG) for Active Directory you will come across V-53727, AD.0015, stating that internet access should be restricted. If you ask Microsoft what you should do, they also state internet access should be restricted but provide no clear mechanism to do so.
What is the best way to turn off browsing the internet on Domain Controllers that doesn’t involve contacting your Information Security team? I’m glad you asked. I’m going to walk you through the process I’ve put forward to implement locked down Windows Firewall rules on the Domain Controllers.
There may be criticism here that things could be locked down even more, and I DO NOT disagree with you. This article is more about getting started on locking down your Domain Controllers not the solve-all be-all guide. This write-up is one of many I hope to include in a Domain Controller Hardening Series.
NOTE: These Firewall Rules May Not Work For Your Organization! We are not running DHCP, WINS, or Integrated AD DNS.We also have RPC dynamic ports locked to 1,000 ports.
For changing RPC ports on the Domain Controllers, I followed this article:
Create Group Policy and link it to Domain Controllers OU for Firewall Rules (Set the scope to one DC if you are worried)
In this Group Policy, open it up and edit it and navigate to the following area:
Computer Configuration
Policies
Windows Settings
Security Settings
Windows Firewall with Advanced Security
If you are implementing changes like this in a TEST environment which I highly recommend first and you happen to be connected to one of the DCs to do this work you will want to perform the following things first to prevent being disconnected.
These Domain Controllers should be behind a hardware firewall, so leaving all remote addresses set to ANY while you configure, you should still have protection from your hardware firewall until you can go through rule-by-rule and lock them down. I’m not providing any guidance here as all organizations are different.
Go to Inbound Rules and create your base ruleset.
Rule Name
Protocol
Local Port
Active Directory Web Services
TCP
9389
NetBIOS Session Service
TCP
139
ICMPv4
ICMPv4
ANY
ICMPv6
ICMPv6
ANY
Kerberos
TCP
88
Kerberos
UDP
88
Kerberos Password Change
TCP
464
Kerberos Password Change
UDP
464
LDAP
TCP
389
LDAP
UDP
389
LDAP Global Catalog
TCP
3268
LDAPS
TCP
636
LDAPS Global Catalog
TCP
3269
NetBIOS Name Service
TCP
137
NetBIOS Name Service
UDP
137
NetBIOS Datagram Service
UDP
138
NTP
UDP
123
Remote Desktop Protocol
TCP
3389
Remote Desktop Protocol
UDP
3389
RPC Endpoint Mapper
TCP
135
RPC Dynamically Assigned Ports
TCP
Example: 50000-51000
SMB
TCP
445
Windows Remote Management (WinRM)
TCP
5985-5986
These are created on ALL profiles
Go to Outbound Rules and create your base ruleset.
Rule Name
Remote Address
Protocol
Local Port
Remote Port
Allow ICMPv4, ICMPv6 Outbound
Any
ICMPv4/ICMPv6
ANY
ANY
Allow All Traffic Outbound (TCP)
Any
TCP
ANY
1-79,81-442,444-65535
Allow All Traffic Outbound (UDP)
Any
UDP
ANY
1-79,81-442,444-65535
Allow Outbound Web Traffic Exceptions
<IPs> Crowdstrike, PKI, etc.
TCP
ANY
80, 443
Allow Outbound Web Traffic Exceptions
<IPs> Crowdstrike, PKI, etc.
UDP
ANY
80, 443
These are created on ALL profiles
By default Windows Firewall will allow all traffic outbound. These outbound rules are needed because I’m going to change the behavior to block traffic outbound by default and then put in an exception to most traffic out.
This is done to stop web traffic outbound on ports 80/443, except for the IPs we know are OK (for example Crowdstrike, or PKI services). You could and should argue that outbound traffic should be limited to your workplace but I’m not covering that level of specifics in this guide.
Right-Click “Windows Firewall with Advanced Security – LDAP://…” and click Properties.
Make sure the Firewall State is “On”, and Inbound Connections are set to “Block (default)” and Outbound Connections are set to “Block”. Verify these settings for all three Domain Profiles (Domain, Private, Public).
Next, while still in this dialog box under “Domain Profile” click Customize under Settings. I have turned off displaying a notification when a program is blocked. I have also disallowed rule merging. By turning off Rule Merging you will remove a lot of the “garbage” Microsoft Firewall Rules that are created by default. This will allow you full control of the Windows Firewall.
Next, click “Customize” under Logging, on the Domain Profile tab. Here, I’m using the default log location: %systemroot%\system32\logfiles\firewall\pfirewall.log
I’ve also maximized the firewall log to 32MB, and I’m logging dropped packets and successful connections, this is needed for troubleshooting later.
Once this is complete you should be able to to run “gpupdate /force” on one of your Domain Controllers and launch Windows Firewall. The Windows Firewall current rules that are being enforced are found under “Monitoring -> Firewall”
You should see all of the rules that you setup enforced and you can now begin to lock down things potentially even more-so than the hardware firewall depending on your IT Security team.
This should be enough to get you started on your journey. If you have a close relationship with your IT Security Team, it would also be good to reach out to them and get their rule-set for your Domain Controllers. You may find that you can help IT Security lock down the hardware firewall even more!
I had been watching Twitter all day yesterday and amongst all the #infosecbikini photos filling up InfoSec Twitter there was mention of this critical Windows vulnerability. At first it sounded like the June patches would protect you, then Twitter seemed to lose faith that was the case.
Have you recently setup a Test Active Directory and are using it to test out your scripts but you quickly realized that the alternate UPN suffixes that you forgot you didn’t create aren’t there?
Or.. maybe you just haven’t done this in forever like myself and had to Google how to add a UPN suffix to AD.
Well if either or none of those cases match why you are reading this right now, no need to worry, I’ll tell you anyway.
Adding UPN Suffix to Active Directory
Launch Active Directory Domains and Trusts and right-click on “Active Directory Domains and Trusts [dc.domain] at the top of the left pane and click Properties.
On the next window, add the alternate UPN suffixes you want added.
You will now see these UPNs available in the drop-down menu when you create a new user account, or modify an already existing one.
I have scrubbed and cleaned my next script for GitHub. This one was much easier to scrub and cleanup. This script will monitor the Active Directory Recycle Bin for deleted user objects based on a regex, with an area where you can add exceptions.
If the script finds any accounts it will send an e-mail with the samAccountName of the user accounts that were found.
I’m realizing how much work is involved to clean and sanitize code so it is very simple for someone to just copy and paste it. I’m in the hopefully not forever long process of sharing code that I use in my day job. This process is cleaning up my code so there is a net plus here.
My first script revolves around running Active Directory with an external DNS provider. We had an issue awhile back where one of our Domain Controllers dropped out of DNS and since that incident a script was written to monitor DNS.
I feel like I have a lot of knowledge and scripts to share so stay tuned there is a lot more coming!
