joeware - never stop exploring... :)

I posted about this about a decade ago but going through email this morning I found at least 8 or 9 questions from people in some way shape or form related to it so I figured I would re-post and maybe it will show up search engines more or perhaps people will realize it still works…

Q: Every time I look at a network trace from AdFind I see something like:

This is called LDAP Sealing. You can disable this by disabling Client Signing/Sealing. Once disabled the traffic should look like:

The current Client Signing setting is maintained in the registry (of course) in the key

HKLM\System\CurrentControlSet\Services\LDAP under the value LDAPClientIntegrity.

There are three possible values

0
No signing/sealing

1
Negotiate signing/sealing

2
Require signing/sealing

You will likely see it set to 1 if it is set to anything. If it isn’t set, the default internally is 1 anyway… So if you switch this to 0, you will *generally* start seeing the LDAP traffic in the clear and it should work with most LDAP API based apps. If you are trying to do this for another app and it isn’t work then the issue could very well be that the application itself is forcing the information to be “encrypted” anyway like the AdFind -kerbenc switch does. At that point you have no choice but to use Insight for AD[1] which hooks the LDAP calls prior to being encoded.

You can see the current value of the setting with:

reg query HKLM\System\CurrentControlSet\Services\LDAP /v LDAPClientIntegrity

You will see something like:

[Sat 07/07/2018 16:46:32.47]
E:\>reg query HKLM\System\CurrentControlSet\Services\LDAP /v LDAPClientIntegrity

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
    LDAPClientIntegrity    REG_DWORD    0x1

If you want to quickly set it to 0 you can use the following command:

reg add HKLM\System\CurrentControlSet\Services\LDAP /v LDAPClientIntegrity /t REG_DWORD /d 0x00 /f

You will see something like:

[Sat 07/07/2018 16:46:43.63]
E:\>reg add HKLM\System\CurrentControlSet\Services\LDAP /v LDAPClientIntegrity /t REG_DWORD /d 0x00 /f
The operation completed successfully.

Note that this can also be set through Group Policy so you may find that you set it to 0 and then later it goes back to 1 or even possibly 2. If that happens a GPO was configured to define a value for Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Network Security: LDAP client signing requirements.

     joe

[1] Insight for Active Directory (AD) is an old tool from SysInternals that used to absolutely rock. It hooked the LDAP API calls so every single call that came through you had visibility into what it was doing. At some point this tool broke hard and was worthless and was absolutely worthless for x64. However SysInternals eventually released a new version V1.2 which worked again but I personally have found it to be very hit and miss. Try it, if it helps you and you like it, awesome. Keep in mind that at least I have found this latest version to be quite sporadic on x64 Windows 10 missing calls as well as crashing outright. https://docs.microsoft.com/en-us/sysinternals/downloads/adinsight

Forest/Domain Mode = WinThreshold??

Really MSFT?

Come on… Sloppy.

-ForestMode

Specifies the forest functional level for the new forest. Supported values for this parameter can be either a valid integer or a corresponding enumerated string value. For example, to set the forest mode level to Windows Server 2008 R2, you can specify either a value of 4 or Win2008R2.

The acceptable values for this parameter are:

• Windows Server 2003: 2 or Win2003
• Windows Server 2008: 3 or Win2008
• Windows Server 2008 R2: 4 or Win2008R2
• Windows Server 2012: 5 or Win2012
• Windows Server 2012 R2: 6 or Win2012R2
• Windows Server 2016: 7 or WinThreshold

The default forest functional level in Windows Server is typically the same as the version you are running. However, the default forest functional level in Windows Server 2008 R2 when you create a new forest is Windows Server 2003 or 2.

Type:
ForestMode

Parameter Sets:
Win2008, Win2008R2, Win2012, Win2012R2, WinThreshold, Default

Position:
Named

Default value:
Windows2008R2

Accept pipeline input:
False

Accept wildcard characters:
False

.

..

…

….

.

..

Or if you prefer

|

/

–

\

|

/

errr….

So back a while back (http://blog.joeware.net/2017/10/31/5801/) I pulled AdMod into the garage…It is still there. I am working on it when I can. It is slow going, much slower going than AdFind goes because the code is much more involved and a lot less forgiving of mistakes. If I screw up you may screw something in your directory up and while that would be entirely your fault, I would still not be happy about it. So it necessarily goes a little slower. On top of that work has been very busy and involved and life in general has been also.

Work has been a lot of “hey we needed this two months ago!” combined with scraping the floors and trying to sort out exactly how many subfloors have been stacked on top of each other… or if you prefer a roofing analogy how many times they have shingled over the roof versus a desperately needed complete tear off. The answer so far is a lot. A bunch of sorta so so implemented standards etc. It is tough to blame people though because the environment is so large (way too large in many ways and I *can* blame people for those decisions that caused that) and the security tools in place that make working painful and terribly inefficient (do not EVER use Symantec DCS on domain controllers please) and the priorities are so fluid and shifting often on a daily basis it is tough to stick to something and see it through. I mean you still have to do it as that is your job as a professional despite what management thinks the priorities are, it is just tougher than in smaller more static environments. So many weird / interesting issues that have been encountered that I need to find time to write up and post. Everything from “Are you f’ing kidding me POS hardware manufacturer?” to “Are you f’ing kidding me Microsoft?” to “Are you f’ing kidding me Apple?” to all sorts of stuff. So much that most of it is just a blur. That is part of the reason for fluid and shifting priorities and we need this changed immediately.

And ironically, diametrically opposed in fact, to fluid and shifting priorities and we need this changed immediately there is a lot of dependence on things being static and not changing… You all know that as secret code as people *&^$(*&$#$ hardcoding applications and application configurations. And by the way… Load Balancers and VIPS in front of Domain Controllers is STILL an unsupported and truly bad idea and if you say “well at least we aren’t hard coding the applications” you really still are, you just have an extra layer of obfuscation there…. You are hardcoding one app that is hardcoded to domain controllers. Stop. Smack your developers and tell them do it right, it is time. It is actually well past the time. More, A TON MORE, on that later as another thing I have been working on is a blog post about stupid and/or lazy devs not properly finding domain controllers. At last peek it was > 6000 words or roughly 12 8.5×11 pages printed and needed to be chopped up into a blog series versus a single post. I thought for a second of selling it to some eZine or tech site or magazine or something because it is good stuff but it really needs to be read so I want it to be very freely available and reblogged and pointed at by every admin in the world to their devs and vendors. I like money, strike that – really like money, but I would rather give this for free if it somehow helps the industry get better. Don’t ever say I didn’t sacrifice myself for all y’all.

Anyway back to AdMod… it is still being worked on and has a ton of new functionality in it, especially around Security Descriptors. I do a massive amount of testing every time I make a change so that if I do break something I don’t have to roll back a bunch of complicated code to find what specifically caused it. 

Oh and also at the same time I have submitted something like 40 BUGBUGs and an additional 40 or so DCRs to myself for the next version of AdFind.

So please hold tight, just like Christmas, but hopefully sooner, AdMod is coming…

   joe

[Updated: 2018/07/07]

There are a series of control access rights (CARs) that are specifically tied to granting permissions for returning “Replicated Changes” which are changes to the Directory Service (DS) that would be (and are if everything is working properly) replicated to other Directory Service Agents (aka DSAs / domain controllers or ADLDS instances). There isn’t a lot of documentation for these and quite a bit of confusion. I know I was confused by it for a while myself thinking this doesn’t seem right and so I looked at the Windows Source code to get the authoritative answer.

These permissions are granted to the DSAs and can also be granted to other security principals (groups/users/computers) to allow them to pull the changes via the LDAP DIRSYNC control and/or the RPC based DRSGetNCChanges. A common example of an application that has these permissions granted is FIM or MIM for syncing changes from Active Directory. An even more common example is Azure Active Directory Connector which ties your on premises Active Directory to your Azure Active Directory, note that it is simply (at the time of this writing) a specialized version of FIM/MIM. SharePoint is another app like that likes to do things with this functionality.

I am writing this post because there is regularly confusion over what the different versions of the permissions are and what has to be applied for something to work at all.

So to start, here are the specific Control Access Rights we are talking about:

[Thu 05/24/2018 22:44:20.45]
E:\>adfind -hh k16tst-dc1.k16tst.test.loc -config -f displayname=*replicating* rightsguid name displayname -nodn -jtsv2
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2    DS-Replication-Get-Changes      Replicating Directory Changes
1131f6ad-9c07-11d1-f79f-00c04fc2dcd2    DS-Replication-Get-Changes-All  Replicating Directory Changes All
89e95b76-444d-4c62-991a-0facbeda640c    DS-Replication-Get-Changes-In-Filtered-Set      Replicating Directory Changes In Filtered Set

The permissions in Active Directory should all be at the ROOT of the naming context and do not have to (and shouldn’t be configured to) be inherited down to the rest of the directory. They are CAR permissions so you need the Control Access (represented as CR in SDDL strings and CTL in AdFind enhanced Security Descriptor output) permission granted and not a ReadProp/WriteProp kind of thing. The permissions in a standard configuration will look something like:

[Thu 05/24/2018 22:45:19.41]
E:\>adfind -hh k16tst-dc1.k16tst.test.loc -s base -jsdenl ;;;replicating

AdFind V01.51.00cpp Joe Richards (support@joeware.net) October 2017

Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN: DC=k16tst,DC=test,DC=loc

dn:DC=k16tst,DC=test,DC=loc
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;K16TST\Enterprise Read-only Domain Controllers
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;K16TST\Domain Controllers
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes In Filtered Set;;BUILTIN\Administrators
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;BUILTIN\Administrators
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;BUILTIN\Administrators
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes In Filtered Set;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

1 Objects returned

So what do they do? We will start with the most powerful and work our way back…

“Replicating Directory Changes All”  – This permission allows you to replicate ANYTHING. Secrets (like password hashes), Filtered Attributes (RODC FAS), and any other attribute/object you want to check out. Note that from what I have so far been able to ascertain, you cannot get the secrets via the LDAP interface; it requires using the RPC interface. I could be wrong here, if you know for sure, please let me know.

“Replicating Directory Changes In Filtered Set” – This permission allows you to replicate things in the RODC FAS but NOT secrets like password hashes etc.

“Replicating Directory Changes” – This is the lowest level permission HOWEVER you need this to use the RPC and LDAP DIRSYNC replicating changes mechanisms period. I.E. if you don’t have this you don’t have anything[1].

You might think I’m crazy… err no… You might think (and it makes it nice and clean for delegation models) that you could just set “Replicating Directory Changes All” and be done with it but no, the way the code is written, you must also have the base level “Replicating Directory Changes” as well. Basically the functional flow is something like:

1. Do you have “Replicating Directory Changes” permissions on the NC Head object you are using these special mechanisms with?
    A. No – Get out, here is your ERROR_DS_DRA_ACCESS_DENIED (error 8453) for your troubles.
2. Are you asking for any RODC FAS attributes?
    A. Yes.
       I. Do you have “Replicating Directory Changes In Filtered Set”?
          a. No.
             i. Do you have “Replicating Directory Changes All”?
                1. No – Get out, here is your ERROR_DS_DRA_ACCESS_DENIED (error 8453) for your troubles.
3. Are you asking for Secrets (like password hash) and do you have “Replicating Directory Changes All”?
    A. No – Get out, here is your ERROR_DS_DRA_ACCESS_DENIED (error 8453) for your troubles.
4. [This bit is a guess based on testing so far] Are you using LDAP DIRSYNC and asking for Secrets
    A. Yes. You get your output but secrets (like password) will come through blank.
5. Yay, you have access, here is the output for your request.   

Again if I had written this I very likely (depends on the actual requirements documentation) would have checked for “Replicating Directory Changes All” first and then if that was there just return TRUE for the function. Next check for “Replicating Directory Changes in Filtered Set” and if they weren’t asking for Secrets return TRUE for the function. And finally if those failed check the base level “Replicating Directory Changes” and if they weren’t asking for FAS/Secret stuff return TRUE for the function. Written my way the delegation is simpler. You need the one Grant ACE to do what you need to do, not two. 

    joe

[1] There is an exception for DIRSYNC called “Per Object” mode to access DIRSYNC without needing the Replicating* permissions. There is little to no documentation that I have found regarding this functionality. Perhaps at some point I will tackle it. If you are aware of any good documentation, let me know and I will check it out and likely share it.

The reg key hklm\system\currentcontrolset\services\lanmanserver\parameters has a specific value you can set under it called EnableECP.

There is some confusion on whether or not that key is case sensitive.

I can say that no, it is not case sensitive. I looked it up in the source code. The ZwOpenKey ObjectAttributes parameter is being initialized via InitializeObjectAttributes with OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE.

‘nuff said.

   joe

This is the magic reg key if you use Outlook 2016 for POP3/IMAP and other want to not have to re-do all of your settings…

Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles

So annoying….

reg add HKCU\Software\Microsoft\Office\16.0\Common\Graphics /t REG_DWORD /v DisableAnimations /d 1 /f