Introducing Project Sauron – Centralised Storage of Windows Events – Domain Controller Edition

(Nearly) every customer I visit is lacking comprehensive security auditing in their downlevel DEV and UAT environments and sometimes even in their production environment. This scenario exists for a number of reasons. For some larger customers, the security logs roll so quickly that it’s considered “too hard” to even bother trying to archive them without…

Creating Custom Secure LDAP Certificates for Domain Controllers with Auto Renewal

Working with customers each week on securing their Active Directories, there are some procedures you end up doing regularly. Installing and configuring custom certificates onto Domain Controllers to enable LDAP over TLS for me is one of them. The primary reason for enabling this functionality is to allow third-party applications that aren’t capable of performing secure binds…

Understanding and Remediating “PASSWD_NOTREQD”

In my previous post on querying the userAccountControl attribute, I noted one of the flags I want to ensure you understood was the PASSWD_NOTREQD or “Password Not Required” flag. As the name suggests, this flag allows you to have a fully functioning account with a blank password (even with a valid domain password policy in place). In my time…

Creating Custom Windows Event Forwarding Logs

You may have noticed recently that *we* Microsoft security people have kind of fallen in love with Windows Event Forwarding (WEF). Why? It's built into Windows itself, easily configurable and can collect a very large number of coarsely or finely filtered events (including existing events) from any domain-joined machine with less than 30 minutes of…

CRL Freshness PowerShell cmdlet

Overview: One of the critical functions of running a healthy PKI is ensuring that certificate revocation data is always available and always fresh. Nearly every customer I work with has experienced some form of application or system outage due to CRLs not being fresh or available. Most PKI administrators overcome the availability issue by either including multiple…
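The check the post is about, as an added example (this is not the post's own cmdlet). It assumes an HTTP(S) CDP URL you can reach from where the script runs, that certutil.exe is on the path, and that its `-dump` output carries `ThisUpdate:` and `NextUpdate:` lines formatted in the machine's current culture (which is also what `[datetime]::Parse` uses). A CRL whose NextUpdate has passed is reported as expired; one inside the warning window is reported as expiring, which is the case that usually bites when publication is manual.

```powershell
# Added example, not code from the original post. Assumptions: HTTP(S) CDP URL,
# certutil.exe available, and certutil -dump printing "ThisUpdate:" / "NextUpdate:"
# lines in the current culture's date format.

# Pull a named date line ("ThisUpdate" or "NextUpdate") out of certutil -dump output.
function Get-CrlDumpDate {
    param([string[]]$Dump, [string]$Field)
    $line = $Dump | Where-Object { $_ -match "^\s*${Field}:\s*\S" } | Select-Object -First 1
    if ($line -and $line -match "${Field}:\s*(.+)$") {
        [datetime]::Parse($Matches[1].Trim())   # certutil prints local time in the current culture
    } else {
        $null                                   # NextUpdate is optional in a CRL
    }
}

function Test-CrlFreshness {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Url,
        [int]$WarnHours = 24                    # flag CRLs that expire within this window
    )
    process {
        $tmp = Join-Path $env:TEMP ("crl-{0}.crl" -f [guid]::NewGuid())
        $now = Get-Date
        try {
            # Availability check: a download failure is itself a finding.
            Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop

            # Freshness check: let certutil parse the DER/PEM and read the validity window.
            $dump = certutil.exe -dump $tmp 2>&1
            if ($LASTEXITCODE -ne 0) { throw "certutil could not parse the download as a CRL" }
            $thisUpdate = Get-CrlDumpDate -Dump $dump -Field 'ThisUpdate'
            $nextUpdate = Get-CrlDumpDate -Dump $dump -Field 'NextUpdate'

            $status = if (-not $nextUpdate) { 'NO NEXTUPDATE' } elseif ($nextUpdate -lt $now) { 'EXPIRED' } elseif ($nextUpdate -lt $now.AddHours($WarnHours)) { 'EXPIRING' } else { 'OK' }

            [pscustomobject]@{
                Url            = $Url
                Status         = $status
                ThisUpdate     = $thisUpdate
                NextUpdate     = $nextUpdate
                HoursRemaining = $(if ($nextUpdate) { [math]::Round(($nextUpdate - $now).TotalHours, 1) } else { $null })
            }
        } catch {
            [pscustomobject]@{
                Url = $Url; Status = "UNAVAILABLE: $($_.Exception.Message)"
                ThisUpdate = $null; NextUpdate = $null; HoursRemaining = $null
            }
        } finally {
            Remove-Item $tmp -Force -ErrorAction SilentlyContinue
        }
    }
}

# Usage: feed it every CDP URL your CA publishes (base and delta CRLs both matter),
# from the network position of the clients that will actually fetch them.
'http://pki.example.com/crl/issuing-ca.crl', 'http://pki.example.com/crl/issuing-ca+.crl' |
    Test-CrlFreshness -WarnHours 48 | Format-Table Url, Status, NextUpdate, HoursRemaining -AutoSize
```

Run it from a client subnet rather than from the CA itself: the CA can always reach its own CDP, and the outages the post describes come from clients that cannot, or that cache a CRL past its NextUpdate.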

Querying UserAccountControl Configurations

One of the checks we perform as part of our AD security assessments is looking for security principals that have certain security configurations. A number of these settings are stored as a bitwise value on both user and computer objects as part of the userAccountControl attribute. Full details of all the settings for this attribute are located in this MSDN article. Some…
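The bitwise query described here, plus the PASSWD_NOTREQD check from the earlier entry, as one added example (not code from either post). It assumes the ActiveDirectory RSAT module is installed and that the caller can read, and for remediation write, the userAccountControl attribute. The flag values are the ones documented for userAccountControl; the LDAP matching rule lets the domain controller do the bit test so only matching objects are returned.

```powershell
# Added example, not code from the original posts. Assumes the ActiveDirectory
# module and read/write rights on userAccountControl.

# Flag bits as documented for the userAccountControl attribute.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

# Turn a raw userAccountControl integer into the names of the flags that are set.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Find every object with a given flag set. Computer objects inherit from the user
# class, so (objectClass=user) covers both. The matching rule OID
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: the DC evaluates the bit.
function Find-UacFlag {
    param([Parameter(Mandatory)][string]$Flag, [string]$SearchBase)
    $bit = $UacFlags[$Flag]
    if (-not $bit) { throw "Unknown userAccountControl flag '$Flag'" }
    $params = @{
        LDAPFilter = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$bit))"
        Properties = 'sAMAccountName', 'userAccountControl', 'pwdLastSet'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADObject @params | ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.sAMAccountName
            ObjectClass       = $_.ObjectClass
            Flags             = (ConvertFrom-UserAccountControl $_.userAccountControl) -join ','
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Clear PASSWD_NOTREQD on one object. Note that clearing the bit does not give the
# account a password: an account that currently has a blank password keeps it until
# it is reset, so pair this with a password reset for anything that logs on.
function Clear-PasswdNotReqd {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)
    process {
        $obj = Get-ADObject -Identity $DistinguishedName -Properties userAccountControl
        $new = $obj.userAccountControl -band (-bnot $UacFlags.PASSWD_NOTREQD)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, "userAccountControl $($obj.userAccountControl) -> $new")) {
            Set-ADObject -Identity $obj -Replace @{ userAccountControl = $new }
        }
    }
}

# Usage: report first, then rehearse the fix with -WhatIf before running it for real.
Find-UacFlag -Flag PASSWD_NOTREQD | Format-Table SamAccountName, ObjectClass, Flags -AutoSize
# Find-UacFlag -Flag PASSWD_NOTREQD | Clear-PasswdNotReqd -WhatIf
```

The same `Find-UacFlag` call answers the other checks an assessment cares about (`DONT_REQ_PREAUTH`, `TRUSTED_FOR_DELEGATION`, `USE_DES_KEY_ONLY`); only the flag name changes. Review the list before remediating, since some computer and trust accounts carry PASSWD_NOTREQD by design.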

Identifying Clear Text LDAP binds to your DCs

If I told you that there was a 90% plus chance that your Domain Controllers allowed receiving credentials in clear text over your network, you probably wouldn't believe me. If I went a step further and told you that nearly half of the customers I visit for AD security assessments not only allowed them, but had extremely privileged…
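One way to identify those binds, as an added example (not code from the original post). It assumes PowerShell remoting to the domain controllers and read access to their Directory Service log. With the NTDS diagnostic value `16 LDAP Interface Events` set to 2, a DC writes event 2889 for each simple bind or unsigned SASL bind it accepts; the order of the event's properties (client address, identity, binding type) is an assumption taken from the event's message layout, so confirm it against one event on your own DC before trusting the summary.

```powershell
# Added example, not code from the original post. Assumptions: WinRM access to the
# DCs, rights to read the Directory Service log, and event 2889 properties in the
# order client address / identity / binding type.

# Raise LDAP interface event logging so each clear-text bind is recorded as 2889.
function Enable-LdapInterfaceEvents {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
            -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    }
}

# One object per 2889 event: who sent credentials in the clear, from where, and how.
function Get-ClearTextLdapBind {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    foreach ($dc in $ComputerName) {
        $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since }
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $p = $e.Properties
            # Assumed binding-type encoding: 0 = simple bind, 1 = SASL bind without signing.
            $bindType = switch ([string]$p[2].Value) {
                '0'     { 'Simple bind (credentials in clear text)' }
                '1'     { 'SASL bind without signing' }
                default { "Unknown ($_)" }
            }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                ClientAddress    = [string]$p[0].Value   # "ip:port" of the binding client
                Identity         = [string]$p[1].Value   # account the client bound as
                BindingType      = $bindType
            }
        }
    }
}

# Roll the events up so the noisiest identity/source pairs float to the top. The
# privileged ones are the findings that matter most.
function Get-ClearTextLdapBindSummary {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    Get-ClearTextLdapBind -ComputerName $ComputerName -Since $Since |
        Group-Object Identity, ClientAddress, BindingType |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Identity      = $latest.Identity
                ClientAddress = $latest.ClientAddress
                BindingType   = $latest.BindingType
                Count         = $_.Count
                LastSeen      = $latest.TimeCreated
            }
        } | Sort-Object Count -Descending
}

# Usage:
# Enable-LdapInterfaceEvents -ComputerName 'DC01', 'DC02'
# Get-ClearTextLdapBindSummary -ComputerName 'DC01', 'DC02' -Since (Get-Date).AddDays(-7) |
#     Format-Table Identity, ClientAddress, BindingType, Count, LastSeen -AutoSize
```

Even at the default diagnostic level a DC writes event 2887 once every 24 hours with a count of such binds, which is a cheap first signal before turning on per-bind logging. Collect across every DC, since the bind lands on whichever one the client picked.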