joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

12/15/2017

Active Directory… 18 Years Old… But Do Your App Vendors and Developers Even Know How To Use It Properly?

by @ 8:55 am. Filed under general, tech

Windows 2000 Active Directory was released to manufacturing 18 years ago on December 15, 1999. It now has to register for the draft. Happy Birthday Active Directory!

You would think that in those 18 years, with the broad acceptance of Windows, every single software vendor and every application developer everywhere in the world would have been able to figure out how to work with Active Directory. Sadly this is not true. Nearly every single week (sometimes every day) I encounter applications from developers and vendors who write code to interact with AD but have absolutely no clue how to properly find domain controllers, or how to properly use them once they find them. This results in a lot of applications that are far worse than they need to be; the developers/vendors would only have to spend a little time figuring out some basic items and coding properly to use the system. This isn’t just in-house developers and small vendors; it includes very large vendors and sometimes even Microsoft itself. No… just because Microsoft made Active Directory doesn’t mean that every group inside of Microsoft knows how to properly use it. I have helped many companies over the years with issues in how they use Active Directory, and by far the company I have helped most is Microsoft themselves.

A big part of the issue is end-user companies buying the products, which allows vendors and developers to continue to write software that doesn’t work properly. Especially when a vendor labels something as Active Directory compatible or Active Directory integrated and yet the application is barely LDAP enabled, and customers don’t look at it and say “This isn’t good enough.”[1]

I think every large company that writes code that works with Active Directory, especially if it is selling the products to other companies, should hire one or a few people who are very good with Active Directory, who understand it, understand the underlying components, how to use it, etc. The quality of AD integration that I have seen out of a variety of products could increase by orders of magnitude if they did that. I was recently looking at a product from a random major well-known storage company; some folks in the company I work for by day were trying to get it to work with AD and were telling me “It has to be in an OU called XYZ, that OU has to be at the root of the domain, and we have to be Domain Admins to do the work to join it.” Eventually we figured out that none of that was true, but the documentation and defaults were so bad that the folks doing the work (including the consultants from the vendor) all thought that was the case and could only get it to work by eating up a bunch of time on one of the smallest, most critical support teams in the company. If a random major well-known storage company wants to do stuff with AD, it is big enough to hire some AD people who can help it do what it wants with AD correctly. The defaults and the documentation should all be simple, least-privilege, basic “how do you want us to fit into your structure?” and not “We don’t want to spend the time documenting and writing this so it is done the best way; just do what we want and we will allow you to continue to pay outrageous amounts of money for our products.”

So what are the low bars for an application to be properly Active Directory Integrated?

Finding Domain Controllers

Does your application have you configure a connection to Active Directory by specifying one or more domain controllers, i.e. hard coding them? While this is a nice option for an application to have to assist with troubleshooting, it should NOT be the primary and default method of configuration. Offering only this configuration setting is a very low bar for a vendor/developer to reach if they want to say they are Active Directory compatible/integrated. This also comes up in conversations when someone is asking for a load balancer or VIP (Virtual IP) to point at for AD/LDAP operations. If someone says they want or need a load balancer for accessing Active Directory for good redundancy, that is a blood red screaming sign of improper AD compatibility/integration.

Generally speaking[2] there is no good valid reason for hard coding to specific domain controllers. It actually makes an application more likely to break and doesn’t leverage the built-in redundancy that is innate to the Active Directory design.

Admin and/or Operator and/or Local System Security Context

Does your application require you to be a Domain Admin or Administrator, or to be a member of one of the Operator groups, or does it require running as “local system” on a domain controller? Why? If you don’t know why, you had better figure it out. Most likely it is due to lazy or uninformed developers/vendors. Any company that has a clue about AD security isn’t just going to give someone any of that access so they can add a device or run an application. If they are willing to do it, or alternately willing to run some random application on your behalf, then you need to start questioning the security and stability of your corporate Active Directory.

I want to call out Microsoft particularly over this one, as they have historically completely and utterly sucked in this space. If you follow the MSFT documentation strictly for all of their products you will end up with a ton of people who have no need to be Domain Admins holding that level of access. This may be fine in a shop with 20 servers and 500 clients, but when you have thousands of servers and hundreds of thousands of clients it makes no sense. If Microsoft did it correctly they would determine the actual minimal set of permissions necessary for the various functions of their tools/programs, document that, and then say “but if you want… you can just use Domain Admin.” Microsoft has in very great part caused the “too many people have too much access in too many environments” problem that so many companies are regularly getting busted for in security audits (for good reason).

Applications and application support people should be able to function properly with AD Delegation; that is why there is AD Delegation. This is yet another very low bar to meet. No requirement to be in any specific group, especially Domain Admins or anything else that is built into the core OS. Applications should know exactly what access rights they need so when you need to deploy them you know exactly what needs to be granted so the application runs properly. If a developer/vendor cannot quickly and immediately tell you exactly what granular rights and delegation are needed you need to read that as a big blood red warning sign. Look for another product.
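One way to hold a vendor to the “tell me exactly which rights you need” bar is to diff what was actually delegated against what they documented. The following is an added example, not joeware code, that parses the DACL portion of an SDDL string (the form DSACLS, AdFind’s -sddl switches or PowerShell’s Get-Acl can export) and reports the gap for one service account. The SID is a constructed placeholder; the GUID is the schemaIDGUID of the member attribute; the “required” set is what a group-sync application would be expected to document.

```python
import re

# SDDL access-right codes valid in an ACE rights field (two letters each, or a raw 0x mask).
RIGHT_CODES = {"GA", "GR", "GW", "GX", "RC", "SD", "WD", "WO",
               "RP", "WP", "CC", "DC", "LC", "SW", "LO", "DT", "CR"}
# Generic rights expand to specific DS rights; GA covers every specific right.
GENERIC_COVERS = {
    "GA": RIGHT_CODES - {"GA", "GR", "GW", "GX"},
    "GR": {"RC", "LC", "RP", "LO"},
    "GW": {"RC", "WP", "SW"},
}
_ACE_RE = re.compile(r"\(([^)]*)\)")


def _split_rights(field):
    if field.startswith("0x"):            # raw access mask: kept as-is, not decoded here
        return {field}
    codes = {field[i:i + 2] for i in range(0, len(field), 2)}
    unknown = codes - RIGHT_CODES
    if unknown:
        raise ValueError(f"unknown right code(s) {sorted(unknown)} in {field!r}")
    return codes


def parse_dacl(sddl):
    """Parse the D: section of an SDDL string. Each ACE has the form
    (type;flags;rights;object_guid;inherit_guid;sid); any S: (SACL) section is ignored."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section in SDDL string")
    aces = []
    for body in _ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE ({body})")
        ace_type, flags, rights, obj_guid, inh_guid, sid = parts
        aces.append({"type": ace_type, "flags": flags, "rights": _split_rights(rights),
                     "object": obj_guid.lower(), "inherit": inh_guid.lower(), "sid": sid.upper()})
    return aces


def granted(aces, sid):
    """Allow ACEs for one trustee as a set of (right, object_guid); '' means all attributes/classes.
    Deny ACEs and inheritance flags are deliberately out of scope for this check."""
    return {(r, a["object"]) for a in aces
            if a["sid"] == sid.upper() and a["type"] in ("A", "OA")
            for r in a["rights"]}


def _covers(have, need):
    right, guid = need
    for h_right, h_guid in have:
        if h_guid not in ("", guid):      # scoped to some other attribute or class: does not apply
            continue
        if h_right == right or right in GENERIC_COVERS.get(h_right, ()):
            return True
    return False


def delegation_gap(sddl, sid, required):
    """missing: documented rights the account does not hold; excess: anything held that the
    documentation did not ask for (generic or unscoped grants show up here)."""
    have = granted(parse_dacl(sddl), sid)
    return {"missing": {n for n in required if not _covers(have, n)},
            "excess": have - set(required)}


# --- constructed sample: a group-membership sync account ---
APP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # placeholder, not a real SID
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"            # schemaIDGUID of 'member'
REQUIRED = {("RP", ""), ("WP", MEMBER_GUID)}                     # read props + write member only
LEAST_PRIV = f"D:AI(A;;RP;;;{APP_SID})(OA;;WP;{MEMBER_GUID};;{APP_SID})"
UNSCOPED = f"D:AI(A;;RPWP;;;{APP_SID})"    # write to every attribute, not just member
OVERBROAD = f"D:AI(A;;GA;;;{APP_SID})"     # "just give it full control"

if __name__ == "__main__":
    for label, sddl in (("least privilege", LEAST_PRIV), ("unscoped", UNSCOPED),
                        ("full control", OVERBROAD)):
        print(label, delegation_gap(sddl, APP_SID, REQUIRED))
```

The interesting output is the excess set: an unscoped WP or a GA is exactly the “we didn’t bother documenting it, just make it an admin” pattern, and it shows up as excess even though nothing is missing.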

Application Must Run on a Domain Controller

Does your application have to run on a Domain Controller? Why? If you don’t know why, you had better figure it out. Most likely it is due to lazy or uninformed developers/vendors. Sound familiar? I say that a lot because it happens a lot. Too often I see vendor products out there that vendors charge thousands or even millions of dollars for and that don’t even reach the quality bar my free stuff hits. As a general rule Domain Controllers should be Domain Controllers, period. Don’t put other applications on DCs; they don’t belong there. Domain Controllers are, or at least should be, some of the most secure boxes on your network. That means the attack surface should be made as small as is absolutely possible, which means no additional software running on them. Every additional piece of code, and every single port an additional application is listening on, is another piece of code and port that could have a vulnerability someone could compromise. Again, even Microsoft is bad at this, saying this or that service should be run on domain controllers. When you see it just say no and tell them to fix it. I have done this many, many times, and if enough people say it strongly enough they correct the problem.

A quick sidebar point here: there should also be as few domains and domain controllers as possible to support your service. Every domain and every domain controller adds to the attack surface and offers an opportunity to make a mistake and/or miss something that allows someone else to hurt you. There really need to be very-high-bar, amazing reasons to have multiple domains and especially multiple forests.

GC Knowledge

Does your application understand the concept and proper use of Global Catalogs? If not, the application is not AD integrated. If the application understands and uses Global Catalogs it will be specifically called out; you won’t have to plug a Global Catalog server and port into the LDAP URL and hope it works.
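This is what “not hard coding” and “knowing about Global Catalogs” look like in code, as an added example covering both the Finding Domain Controllers section and this one (not joeware code). The DC locator’s DNS layer publishes SRV records under _msdcs: a site-specific name is tried first, then the domain-wide (or, for GCs, forest-wide) name, and the answers are ordered by RFC 2782 priority and weight. The zone data below is constructed; the resolve callback stands in for a real DNS query.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def locator_names(domain, role="dc", site=None):
    """SRV names the DC locator queries, most specific first.
    role: 'dc' (any DC, LDAP 389), 'gc' (global catalog, 3268; pass the forest root domain),
    'pdc' (PDC emulator, never site-scoped)."""
    domain = domain.rstrip(".").lower()
    base = f"{role}._msdcs.{domain}"
    names = []
    if site and role in ("dc", "gc"):
        names.append(f"_ldap._tcp.{site}._sites.{base}")
    names.append(f"_ldap._tcp.{base}")
    return names


def order_srv(records, rng=None):
    """RFC 2782 ordering: lowest priority first; within a priority, weighted random."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # zero-weight targets sit first so they are picked only when the draw is 0
        group = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def locate(domain, resolve, role="dc", site=None, rng=None):
    """Return (host, port) candidates in the order a client should try them.
    resolve(name) returns the SRV records for a DNS name, [] when there are none.
    A site-specific answer wins; otherwise fall back to the domain/forest-wide name."""
    for name in locator_names(domain, role, site):
        recs = resolve(name)
        if recs:
            return [(r.target, r.port) for r in order_srv(recs, rng)]
    return []


# --- constructed zone data standing in for real DNS answers ---
ZONE = {
    "_ldap._tcp.detroit._sites.dc._msdcs.example.com": [
        SrvRecord(0, 100, 389, "dc01.example.com"), SrvRecord(0, 100, 389, "dc02.example.com")],
    "_ldap._tcp.dc._msdcs.example.com": [
        SrvRecord(0, 100, 389, "dc01.example.com"), SrvRecord(0, 100, 389, "dc02.example.com"),
        SrvRecord(0, 100, 389, "dc03.example.com"),
        SrvRecord(10, 0, 389, "dc04.example.com")],   # lower-priority DR-site DC: last resort
    "_ldap._tcp.gc._msdcs.example.com": [SrvRecord(0, 100, 3268, "dc01.example.com")],
}


def resolve_constructed(name):
    return ZONE.get(name.lower(), [])


if __name__ == "__main__":
    print("site DCs:   ", locate("example.com", resolve_constructed, site="Detroit"))
    print("any DC:     ", locate("example.com", resolve_constructed, site="Nowhere"))
    print("GC:         ", locate("example.com", resolve_constructed, role="gc"))
```

On Windows this is the work DsGetDcName (or nltest /dsgetdc:example.com) does for you, plus an LDAP ping to confirm each candidate is alive before using it; a client that builds on it gets every DC, the closest site, and the GC port without anyone typing a server name or standing up a load balancer.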

Bind IDs

Does your application only allow full DNs for the bind ID instead of also allowing the other permitted formats, such as (not an inclusive list) the legacy Windows ID format (domain\user) or the User Principal Name (user@domain.com)? If so, it is not AD integrated.
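As an added example (not joeware code), here is the small amount of work it takes to accept all three bind-identity forms that Active Directory honours for an LDAP simple bind instead of forcing a DN. The DN test runs first because a DN’s own values may legitimately contain a backslash or an @; the regexes are the example’s own, not something from the page.

```python
import re

# Three bind-identity forms Active Directory accepts for an LDAP simple bind.
_DN_RE = re.compile(r"^\s*(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)=")                  # CN=..., 2.5.4.3=...
_NT4_RE = re.compile(r'^([^\\/\[\]:;|=,+*?<>"\s]{1,15})\\([^\\/\[\]:;|=,+*?<>"]+)$')  # DOMAIN\user
_UPN_RE = re.compile(r"^([^@\s]+)@([A-Za-z0-9.-]+)$")                                   # user@suffix


def classify_bind_id(bind_id):
    """Return (form, parts) where form is 'dn', 'nt4' or 'upn'; raise ValueError otherwise.
    The DN check comes first: a DN such as CN=joe@example.com,DC=... would otherwise
    be mistaken for a UPN."""
    s = bind_id.strip()
    if _DN_RE.match(s):
        return "dn", {"dn": s}
    m = _NT4_RE.match(s)
    if m:
        return "nt4", {"domain": m.group(1).upper(), "user": m.group(2)}
    m = _UPN_RE.match(s)
    if m:
        return "upn", {"user": m.group(1), "suffix": m.group(2).lower()}
    raise ValueError(f"not a DN, DOMAIN\\user or user@suffix identity: {bind_id!r}")


def is_valid_bind_id(bind_id):
    """Validation helper: True if the string is in one of the three accepted forms."""
    try:
        classify_bind_id(bind_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("CN=Joe Richards,OU=People,DC=example,DC=com", "EXAMPLE\\joe",
                   "joe@example.com", "CN=joe@example.com,DC=example,DC=com", "joe"):
        print(sample, "->", classify_bind_id(sample) if is_valid_bind_id(sample) else "rejected")
```

All three forms can be handed to the simple bind as typed; the classifier exists so the application can validate input up front and give a useful error instead of a bare LDAP invalidCredentials.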

More to come on these topics.

   joe

[1] Or for the less PC folks… “What the *&^$%* is this $#*#*?”

[2] There can be some possible reasons for hard coding in the case of applications that synchronize data to/from Active Directory.


Happy Birthday Active Directory

by @ 8:53 am. Filed under general, tech

Active Directory is now an adult. It RTM’ed 18 years ago today, December 15th 1999.


11/12/2017

AdMod

by @ 2:27 pm. Filed under general

As I find myself digging through the AdMod source code, adding functionality and fixing small bugs here and there, I realize that someone much smarter than I wrote the original version. And paradoxically I am the only one who has ever seen, let alone touched, this source code…

Back when I was writing a lot of this code I got to spend 4-5 hours a night for weeks on end working on it so I could become one with the code. That is much more difficult now that I have moved up in responsibility at work and added additional home tasks.

All in all… It is quite amazing what the ability to focus on something for an extended time can do for your intelligence level regarding that something.

I am kind of in awe of the power I put into the tool, if you are really familiar with the switches etc. Especially all of the CSV/variable expansion stuff. It is so rare that I even use it to the full level of what it is capable of.

  joe


11/11/2017

Enabling AD Recycle Bin the easy way…

by @ 9:46 pm. Filed under general

AdMod work is coming along nicely…

E:\DEV\cpp\vs\AdMod\Debug>adfind -hh . -partitions -s base -alldc

AdFind V01.51.00cpp Joe Richards (support@joeware.net) October 2017

Using server: elitebook:389
Directory: Windows Server 2016 ADLDS
Base DN: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}

dn:CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> objectClass: top
> objectClass: crossRefContainer
> cn: Partitions
> distinguishedName: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> instanceType: 4 [WRITABLE(4)]
> whenCreated: 2017/02/05-15:56:25 Eastern Standard Time
> whenChanged: 2017/11/11-20:37:43 Eastern Standard Time
> uSNCreated: 4112
> uSNChanged: 94236
> showInAdvancedViewOnly: TRUE
> name: Partitions
> objectGUID: {9F28B3F2-2E0A-4814-B94A-E0D0825DE4CC}
> fSMORoleOwner: CN=NTDS Settings,CN=ELITEBOOK$BASIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> systemFlags: -2147483648 [NO_DELETE(2147483648)]
> objectCategory: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> dSCorePropagationData: 1601/01/01-00:00:00 UTC
> msDS-Behavior-Version: 3 [Windows Server 2008 Mode]

1 Objects returned

[Sat 11/11/2017 20:40:27.31]
E:\DEV\cpp\vs\AdMod\Debug>adfind -hh . -partitions -s base -dsq | admod -hh . msDS-Behavior-Version::7 -exterr
Visual Leak Detector read settings from: E:\DEV\cpp\vs\AdMod\Debug\vld.ini

AdMod V01.20.00cpp **BETA** Joe Richards (support@joeware.net) November 2017

DN Count: 1
Using server: elitebook:389
Directory: Windows Server 2016 ADLDS

Modifying specified objects…
   DN: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}…

The command completed successfully

[Sat 11/11/2017 20:40:39.19]
E:\DEV\cpp\vs\AdMod\Debug>adfind -hh . -partitions -s base -alldc

AdFind V01.51.00cpp Joe Richards (support@joeware.net) October 2017

Using server: elitebook:389
Directory: Windows Server 2016 ADLDS
Base DN: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}

dn:CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> objectClass: top
> objectClass: crossRefContainer
> cn: Partitions
> distinguishedName: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> instanceType: 4 [WRITABLE(4)]
> whenCreated: 2017/02/05-15:56:25 Eastern Standard Time
> whenChanged: 2017/11/11-20:40:38 Eastern Standard Time
> uSNCreated: 4112
> uSNChanged: 94237
> showInAdvancedViewOnly: TRUE
> name: Partitions
> objectGUID: {9F28B3F2-2E0A-4814-B94A-E0D0825DE4CC}
> fSMORoleOwner: CN=NTDS Settings,CN=ELITEBOOK$BASIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> systemFlags: -2147483648 [NO_DELETE(2147483648)]
> objectCategory: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> dSCorePropagationData: 1601/01/01-00:00:00 UTC
> msDS-Behavior-Version: 7 [Windows Server 2016 Mode]

1 Objects returned

[Sat 11/11/2017 20:40:41.18]
E:\DEV\cpp\vs\AdMod\Debug>admod -hh . -sc enablerecyclebin
Visual Leak Detector read settings from: E:\DEV\cpp\vs\AdMod\Debug\vld.ini

AdMod V01.20.00cpp **BETA** Joe Richards (support@joeware.net) November 2017

Modifying ROOTDSE…
DN Count: 1
Using server: elitebook:389
Directory: Windows Server 2016 ADLDS

Modifying specified objects…
   DN: ROOTDSE…

The command completed successfully

[Sat 11/11/2017 20:41:14.03]
E:\DEV\cpp\vs\AdMod\Debug>adfind -hh . -partitions -s base -alldc

AdFind V01.51.00cpp Joe Richards (support@joeware.net) October 2017

Using server: elitebook:389
Directory: Windows Server 2016 ADLDS
Base DN: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}

dn:CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> objectClass: top
> objectClass: crossRefContainer
> cn: Partitions
> distinguishedName: CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> instanceType: 4 [WRITABLE(4)]
> whenCreated: 2017/02/05-15:56:25 Eastern Standard Time
> whenChanged: 2017/11/11-20:41:13 Eastern Standard Time
> uSNCreated: 4112
> uSNChanged: 94239
> showInAdvancedViewOnly: TRUE
> name: Partitions
> objectGUID: {9F28B3F2-2E0A-4814-B94A-E0D0825DE4CC}
> fSMORoleOwner: CN=NTDS Settings,CN=ELITEBOOK$BASIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> systemFlags: -2147483648 [NO_DELETE(2147483648)]
> objectCategory: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> dSCorePropagationData: 1601/01/01-00:00:00 UTC
> msDS-Behavior-Version: 7 [Windows Server 2016 Mode]
> msDS-EnabledFeature: CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}

1 Objects returned
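The transcript raises msDS-Behavior-Version on the Partitions container (3 to 7) before enabling the Recycle Bin, and that order matters: the optional feature requires at least the Windows Server 2008 R2 level (value 4), and once enabled it cannot be turned off again. The following is an added example, not AdFind or AdMod code, that parses AdFind’s default listing format as shown above and reports whether the Recycle Bin is enabled or could be. The two samples are abbreviated copies of the before/after output in the transcript.

```python
# Functional-level values stored in msDS-Behavior-Version on CN=Partitions,CN=Configuration,...
FUNCTIONAL_LEVELS = {
    0: "Windows 2000", 1: "Windows Server 2003 Interim", 2: "Windows Server 2003",
    3: "Windows Server 2008", 4: "Windows Server 2008 R2", 5: "Windows Server 2012",
    6: "Windows Server 2012 R2", 7: "Windows Server 2016",
}
RECYCLE_BIN_MIN_LEVEL = 4          # the Recycle Bin optional feature needs 2008 R2 level or higher
RECYCLE_BIN_RDN = "cn=recycle bin feature,"


def parse_adfind(text):
    """Parse AdFind's default listing: 'dn:<DN>' opens an object, '> attr: value' lines follow.
    Multi-valued attributes become lists; banners, blank lines and counts are skipped."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dn:"):
            current = {"dn": line[3:].strip(), "attrs": {}}
            objects.append(current)
        elif line.startswith(">") and current is not None:
            attr, _, value = line[1:].partition(":")   # tolerates '>attr' without the usual space
            current["attrs"].setdefault(attr.strip(), []).append(value.strip())
    return objects


def behavior_version(obj):
    raw = obj["attrs"].get("msDS-Behavior-Version", ["0"])[0]
    return int(raw.split()[0])      # AdFind appends its decode: "3 [Windows Server 2008 Mode]"


def recycle_bin_status(partitions_obj):
    """Level, its name, whether the Recycle Bin feature is enabled, and whether it could be."""
    level = behavior_version(partitions_obj)
    enabled = any(v.lower().startswith(RECYCLE_BIN_RDN)
                  for v in partitions_obj["attrs"].get("msDS-EnabledFeature", []))
    return {"level": level,
            "level_name": FUNCTIONAL_LEVELS.get(level, f"unknown ({level})"),
            "enabled": enabled,
            "can_enable": not enabled and level >= RECYCLE_BIN_MIN_LEVEL}


# Abbreviated from the AdFind output in the transcript above (before and after the changes).
BEFORE = """\
dn:CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> objectClass: top
> objectClass: crossRefContainer
> cn: Partitions
> whenChanged: 2017/11/11-20:37:43 Eastern Standard Time
> msDS-Behavior-Version: 3 [Windows Server 2008 Mode]

1 Objects returned
"""
AFTER = """\
dn:CN=Partitions,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}
> objectClass: top
> objectClass: crossRefContainer
> cn: Partitions
> whenChanged: 2017/11/11-20:41:13 Eastern Standard Time
>msDS-Behavior-Version: 7 [Windows Server 2016 Mode]
> msDS-EnabledFeature: CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={8B255D0C-7730-457D-9A5E-82920B5A0B85}

1 Objects returned
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, recycle_bin_status(parse_adfind(text)[0]))
```

Running it against the before sample reports level 3 with can_enable False, which is why the transcript bumps the level first; the after sample reports level 7 with the feature enabled.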


11/2/2017

Holy crap…

by @ 9:43 pm. Filed under general

…AdMod just compiled start to finish under Visual Studio 2017…

Only 3 evenings of fixing compiler errors and linker errors!

I mean the code base is a lot smaller than AdFind (I like it smaller because it is doing more critical things, namely changing stuff in AD), but still I expected at least a full week of evenings before a successful compile. :)

   joe


10/31/2017

This should be interesting… AdMod is in the garage…

by @ 10:43 pm. Filed under general

Started the port of AdMod from C++ Builder to Visual Studio 2017… This will be much more difficult and involved than AdFind, no room for mistakes in AdMod since it actually changes things. I need to get this done though, using DSACLS to update security descriptors in AD pisses me off every single time I do it which is way too much right now.

//*  V01.20.00   2017.10.31  10/31  o Started port to Visual Studio         *


AdFind V01.51.00 Released–Happy Halloween! :)

by @ 1:00 am. Filed under general, updates

I have released AdFind V01.51.00.

This release has a group of bug fixes and memory leaks that I found over the last couple of months related to the port/conversion to Visual Studio C++.

In addition I have added quite a few attributes to the list of decoded attributes including wellKnownObjects, dSASignature, several Exchange attributes, and msDS-TrustForestTrustInfo which I previously reported helped me find a bug in NETDOM.

I have worked to squeeze some more speed out of it for larger directory queries and around SID resolution which seems to be especially noticeable over slow VPN connections. If you ever resolve the SIDs in the tokengroups attribute you should find a considerable increase in performance. Using this daily I have seen very large tokengroups lists go from taking a couple of minutes to resolve over VPN to taking only seconds.

Kind of a funny item that I “fixed,” which I never expected to generate the email volume I have received, was the main ICON for the application. When I switched to Visual Studio the main ICON used for the executable in the past changed from the previous ICON (auto-inserted by C++ Builder) to a generic application ICON. I have dug the main ICON out of V01.49.00 and added it to the application again, so please, no more emails about the missing ICON. :D

I have added several new switches including:

-ametanl, -vmetanl : metadata switches to control how the output looks

-metamvcsv, -metamvcsva, -metamvcsvv : switches to further control metadata output, allowing you to specify which fields and outputs in MV CSV format.

-jsd, -jsdnl, -jsde, -jsdenl, -sddl+++/-sddc+++, -sddl3 : Security Descriptor decode switches.

-adminrootdse : Additional rootdse attributes that are only available to admins.

Added several shortcuts including:

cexplaces, caclnoinherit : Security Descriptor shortcuts (guess what I have been doing a lot of lately?)

structdmp/dump : Best effort dump of general AD container structure.

fgpps/psos : Dump Password Settings Objects

Get AdFind V01.51.00 at http://www.joeware.net/freetools/tools/adfind

   joe


10/29/2017

Coming soon to a joeware.net website near you…

by @ 2:11 pm. Filed under general

…AdFind V01.51.00.


9/23/2017

Visual Studio 2017 and Visual Leak Detector

by @ 6:21 pm. Filed under tech

Visual Leak Detector is very cool. Great open source project. It is on CodePlex (https://vld.codeplex.com/) but since that is shutting down it appears to have moved to GIT (https://github.com/developkits/VisualLeakDetector).

The latest version (2.5.1) didn’t originally work fully with Visual Studio. By default it only listed offsets instead of full function names and line numbers.

Luckily I found a real useful post on CodePlex that explained how to “fix” it at https://vld.codeplex.com/discussions/662076.

Basically you need to copy the new VS2017 dbghelp.dll files to the proper folders.

Specifically look in the folder

%ProgramFiles(x86)%\Microsoft Visual Studio\2017\<VERSION>\Common7\IDE\CommonExtensions\Microsoft\TestWindow\Extensions\CppUnitFramework

for dbghelp.dll (32 bit version) and x64\dbghelp.dll (64 bit version)

and copy them to

%ProgramFiles(x86)%\Visual Leak Detector\bin\Win32 (32 bit version)

and

%ProgramFiles(x86)%\Visual Leak Detector\bin\Win64 (64 bit version)
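The copy step above still needs the <VERSION> placeholder resolved to whichever edition folder is actually installed. The following added Python script (not part of VLD or joeware) performs the same two copies, keeps a one-time .bak of VLD’s original dbghelp.dll, and refuses to run unless both source files exist under one edition. The edition folder names are an assumption from the VS 2017 installer layout; both trees live under Program Files (x86), so run it from an elevated prompt, or with --dry-run to only print the plan.

```python
import os
import shutil
import sys
from pathlib import Path, PureWindowsPath

# Folder names used by the VS 2017 installer (assumed; extend if your install differs).
VS_EDITIONS = ("Community", "Professional", "Enterprise", "BuildTools")


def _file_exists(p):
    return Path(str(p)).is_file()


def plan_dbghelp_copies(program_files_x86, editions=VS_EDITIONS, exists=_file_exists):
    """Resolve <VERSION>: return (edition, [(src, dst), ...]) for the first edition folder
    that holds both dbghelp.dll files, or (None, []) if none does. Pure: touches no files
    itself, so `exists` can be swapped out for testing."""
    pf = PureWindowsPath(program_files_x86)
    vld_bin = pf / "Visual Leak Detector" / "bin"
    for edition in editions:
        cpp_unit = (pf / "Microsoft Visual Studio" / "2017" / edition / "Common7" / "IDE"
                    / "CommonExtensions" / "Microsoft" / "TestWindow" / "Extensions"
                    / "CppUnitFramework")
        pairs = [
            (cpp_unit / "dbghelp.dll", vld_bin / "Win32" / "dbghelp.dll"),          # 32-bit
            (cpp_unit / "x64" / "dbghelp.dll", vld_bin / "Win64" / "dbghelp.dll"),  # 64-bit
        ]
        if all(exists(src) for src, _ in pairs):
            return edition, pairs
    return None, []


def copy_dbghelp(program_files_x86=None, dry_run=False):
    """Back up VLD's own dbghelp.dll (once) and overwrite it with the VS 2017 copy."""
    pf = program_files_x86 or os.environ.get("ProgramFiles(x86)", r"C:\Program Files (x86)")
    edition, pairs = plan_dbghelp_copies(pf)
    if not pairs:
        raise FileNotFoundError(f"no VS 2017 edition under {pf} has both dbghelp.dll files")
    for src, dst in pairs:
        src_path, dst_path = Path(str(src)), Path(str(dst))
        backup = dst_path.with_name(dst_path.name + ".bak")
        print(f"[{edition}] {src} -> {dst}")
        if dry_run:
            continue
        if dst_path.is_file() and not backup.is_file():   # keep the original VLD copy once
            shutil.copy2(dst_path, backup)
        dst_path.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src_path, dst_path)
    return edition, pairs


if __name__ == "__main__":
    copy_dbghelp(dry_run="--dry-run" in sys.argv)
```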


9/22/2017

Using Restricted Groups GPO for Domain Groups

by @ 11:22 pm. Filed under tech

DO NOT DO IT!

JUST STOP!

DON’T!!!

NO!!!

It is such a bad idea and it isn’t security. You want security, clean up access rights so the wrong people can’t modify the groups in the first place. If you don’t trust your admins, you need to fire them and get admins you do trust.

Here is what Microsoft has to say about it:

Managing membership of Domain Groups by using Restricted Groups

Microsoft does not support using Restricted Groups in this scenario. Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed within traditional AD tools. Therefore, we do not plan currently to add or support using Restricted Groups as a way to manage Domain Groups.

https://support.microsoft.com/en-us/help/279301/description-of-group-policy-restricted-groups

Seriously… Don’t do it.

   joe

