Security Focus: Get Mail Enabled Admin Users

Browsing the internet with an admin account is a very, very bad thing to do. Using an admin account to send / receive email is also a very, very bad thing. Why? Well, you expose the credentials to a high risk of being stolen and used to compromise your enterprise. Want to do some checks against Active…

Security Focus: Enable / Disable MFA on Azure AD Admin Account

Last week I presented a little function that I use to reset my Azure AD admin account passwords. This week I want to show how to enable / disable Multi Factor Authentication on an Azure AD account.   Enable $St = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement $St.RelyingParty = "*" $Sta = @($St) Set-MsolUser -UserPrincipalName ifarr@contoso.com -StrongAuthenticationRequirements $Sta…

Security Focus: Update Azure AD Admin Account Password

Got to love this cmdlet – Update-AzureADSignedInUserPassword! I use it to update admin credentials on Azure AD instances that I only occasionally use. This avoids expiry aches and pains.   Want to take a look? First up, go get yourself a copy of the AzureAD module from PSGallery… Find-Module -Name AzureAD Install-Module -Name AzureAD -Verbose   Now, I…

Security Focus: Set ConstrainedLanguage Mode on My Machine

Whilst doing some research, for a presentation on Security and PowerShell, I came across this cheeky one-liner: [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')   After running it, look what happens when I try and start PowerShell. Damn, my profile script won't run… but, what's this? I can't do other stuff, too? Damn!   If you've never come across…

Security Focus: Check Credential Guard Status with PowerShell

In Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting…

One-Liner: Use PowerShell to Verify Domain Controller Location

It's generally a bad thing if a domain controller isn't in the Domain Controllers OU. For example, the Default Domain Controllers Policy may not be applied. Here's a cheeky one-liner to check you're good:   Get-ADDomainController -Filter * | ForEach-Object { if ($_.ComputerObjectDN -notmatch "CN=$($_.Name),OU=Domain Controllers,$($_.DefaultPartition)") { Write-Output "$($_.Name) computer object DN set to $($_.ComputerObjectDN)" }…

Security Focus: Use PowerShell to List Authentication Policy Silo Members

A while back, I wrote a couple of posts on implementing Authentication Policies and Authentication Policy Silos. Authentication Policy Silos   We can use an Authentication Policy Silo to restrict the authentication scope of highly privileged users, e.g. user A can only authenticate against server A and server B… if they try and log on somewhere else,…

Security Focus One Liner: AD Privileged User and Password Doesn’t Expire

I get to perform security assessments against Active Directory. It's always fascinating. There's a check that lists privileged users that are configured to not expire their password. Now, a proportion of flagged accounts are Service Accounts, but there are sometimes human-associated administrative accounts listed. This poor administrative practice still happens… after all these years of Active Directory, and after all these…

Security Focus: AD Objects Configured as AdminCount -eq 1

Let’s go! In Active Directory, AdminSDHolder is an object in each domain partition’s system container. It has a security descriptor that is stamped hourly on any AD object marked as AdminCount -eq 1. This ‘fix up’ is performed by a process called SDProp on the PDCe. The security descriptor / ACL can be thought of as a template and is a…

Security Focus: Check the AdminSDHolder ACL – Part 2

Two weeks ago we used PowerShell to report on the AdminSDHolder ACL. We ended up with a CSV file of security principals from the ACL and a more detailed XML report. This week, I’ll show you how to quickly compare the CSV files, to see if the AdminSDHolder ACL has changed. And, here you go: $ref is the content…