A Complete Guide on Active Directory Certificate Services in Windows Server 2008 R2

Windows Server 2008 R2 includes a built-in Certificate Authority (CA) technology that is known as Active Directory Certificate Services (AD CS). The first iteration of AD CS emerged with Windows Server 2008, though previous versions of the technology were simply known as Certificate Services. AD CS can be used to create certificates and subsequently manage them; it is responsible for ensuring their validity. AD CS is often used in Windows Server 2008 R2 if there is no particular need to have a third-party verify an organization’s certificates. It is common practice to set up a standalone CA for network encryption that requires certificates only for internal parties. Third-party certificate authorities such as VeriSign are also extensively used but require an investment in individual certificates.
Note

Although the term Active Directory has been incorporated into the name of the Windows Certificate Services function, it should be understood that AD CS does not necessarily require integration with an existing Active Directory Domain Services (AD DS) forest environment. Although this is commonly the case, it is important to understand that AD CS has independence over AD DS forest design.
Windows Server 2008 R2 introduced a few additions to AD CS features, including the following:

Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service— This is the most significant improvement, essentially allowing certificates to be enrolled directly over HTTP, enabling non-domain or Internet-connected clients to connect and request certificates from a CA server.

Improved support for high-volume CAs used for NAP— AD CS in Windows Server 2008 R2 improves the database performance when high-volume scenarios such as NAP are utilized.

Support for cross-forest certificate enrollment— AD CS in Windows Server 2008 R2 allows for CA consolidation across multiple forests.

Continue reading

Step-By-Step Guide on Configuring Applocker in the Domain…

As a systems admin, you might have probably wanted to deny your users to use a particular software application. This is pretty common since using some applications in some network environments is illegal.

In order to block an application, we can make user of a great feature called AppLocker available in Windows 7 and Windows Server 2008 R2. Here is a step by step guide on how to configure AppLocker in the domain or on computers in a special OU or site.

Let’s assume in this exercise you want to block the Chess game on all the computers in your domain.

First of all, on your DC you need to go to Administrative Tools and open up Group Policy Management console and then right click on the Default Domain Policy and click Edit to open Group Policy Management Editor.

Then here, under Computer Configuration go to Windows Settings -> Security Settings -> Application Control Policies -> AppLocker

Before anything right-click on AppLocker and click on Properties and then under Executable Rules, click on Configured and choose Enforce rules:

And then as shown in the below photo right click on Executable Rules and choose Create New Rule:

Once you click on Create New Rule, this window will open up and you just need to click on Next:

On the next Window, you will need to select which users or groups this rule applies to and whether you want the rule to allow users or deny them to use that application. Once Configured, click Next:

On the next window choose File Hash and then click Next:

On the next windows click on Browse Files and choose the program file and then click Next:

Give the new rule a name and then click Create:

Now the new rule must have been added under Executable Rules as shown below:

Now if anyone in the domain tries to open Chess from their computer, they will receive this message, meaning that Chess game has been blocked by a policy:

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:

1

Good luck for the weekend

Cheers

Possible Attacks on Windows and Countermeasures – Part 1

It’s been a great week with so much news in the world of security. Of course Security both in the real world and the virtual world. Today I decided to begin writing a series of articles about possible attacks and their countermeasures on Windows operating systems whether client or server including the latest ones such as Windows 7 and Windows Server 2008 R2.

In this series I will try to put a little bit of my experiences into words and in easy words explain to you different types of hacking techniques used by attackers to penetrate into your network. I will try to get it started with the most common ones to the most advanced like those causing millions of dollars loss; and then I will dig into different ways of defense against such hacking techniques and will show you how to keep your network services and servers secure against them.

Password Cracking Attacks:

This is one of the most common types of attacks used at least once by every attacker. It always seems the dummiest but honestly this has shown to be one of the most effective way to find a way into somebody’s computer if not protected against such attacks.

This type of cracking has a pretty long history and I really cannot count the number of softwares developed to crack password by different hacking groups or even security companies. The only difference between these two is that the second one believe their software is only purposed for a so-called act of Ethical Hacking but who knows what is being done by those tools and softwares.

There are different ways to perform password cracking among which Brute Force attacks are the most popular. Brute Forcing is simply finding a computer’s password by trying different combinations of letters, numbers and even characters. The time required for it to work depends on the complexity of passwords. However more complex the password, the longer it takes to be cracked.

A single computer can try from one to fifteen million passwords per second against a password hash (That is true) for weaker algorithms like DES (Which is very commonly used nowadays) using a fairly good password cracking tool and if let’s say you choose an 8-character password of letters (both cases), numbers and symbols, we could say that it would take something like 16 minutes for it to be cracked. So you feel pretty unsafe.. huh???

Attackers nowadays could easily find pre-computed password hashes for different algorithms stored in database files called Rainbow Tables and it would take a matter of minutes to crack almost any passwords in a network.

There are other techniques used as well such as dictionary or words-list attacks that are usually tried before the Brute Force to kind of guess the user’s password if the user has used common dictionary words or things like 123456 or anything like that as passwords.

L0pht Crack:

One of the most famous password cracking tools is l0pht Crack developed by a famous group of expert hackers called l0pht who officially joined @stake which itself was later on announced to be an acquisition of Symantec corporation. You can download the latest version of L0pht Crack from their website. Below is a screenshot of this tool:

Any operating system could be the target of this tool even Windows Server 2008 R2 and could really well work on almost any operating system to target the other hosts on the network. You can get more information on their website.

John the Ripper:

John the Ripper is another well-known name among password cracking tools. This is a tool firstly developed to be run on Unix-based operating system but now it supports Windows as well. You can download this tool from their website.

John the Ripper truly is one of the fastest password cracking tools I have ever seen. It is being used by a lot of penetration testers and of course hackers every day.

Countermeasures:

Protecting your network against password cracking is completely dependent on the policies on your network and your servers and clients. Whether you have a very small environment and operating a workgroup of computers or you have a big domain network you should have policies and more specifically account and password policies.

Password policies can be defined in Group Policies in Windows and Active Directory. So if you open up the Group Policy Editor either locally (By typing gpedit.msc in thr Run) or on the domain using the Group Policy Management console, you need to go to:

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

Below you can see a screenshot of the password policies settings:

Now let’s go one by one with what they mean:

Enforce Password History: You can set how many passwords for each user is stored in the history. If we set this number to 10, it means the user is not able to choose any of the past 10 passwords for his new password.

Maximum Password Age: The maximum time a user can keep a password and after it comes to an end, they should change it.You could use it to force the users to change their passwords every now and then.

Minimum Password Age: The minimum time a password must be used before a user changes that. You can use it to stop users from changing their passwords every hour.

Minimum Password Length: The number of characters that a user must have in a password. Do not let it be less than 8.

Password must meet complexity requirements: You can decide whether or not you want to force the user to choose a password including letters (Both cases), numbers and symbols. You must definitely enable it.

Store passwords using reversible encryption: Let it be disabled as it is used by some protocols rarely used and enabling it is equal to storing the passwords plain-text.

The other settings that you need to configure is Account Lockout policies which are more important if you want to protect against the brute force attacks:

So in order to access the policies you need to open the Group Policy Editor and go to this address:

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policies

Account Lockout Duration: How long do you want the account to be locked out after a number of invalid logon attempts.

Account Lockout Threshold: How many invalid logon attempts are needed to lock the account. If you set it to a number, then the password cracking tools can not try millions of passwords on your computer since the account is going to get locked.

Reset Account Lockout Counter After: If you set it to 30 minutes for example, in 30 minutes if there are more than 4 invalid logon attempts are made, then the account gets locked. If it takes more than 30 minutes for the number of invalid logon attempts specified in the previous settings, then the account does not get locked and the policy will not apply so you must be really careful when defining your policies.

Usually 30 minutes will be the best since it can block all kinds of password cracking tools even the slowest ones.

Here we come to the end of this first article and I hope you liked it. If you had any question, please leave me a comment and I will answer that almost in no time.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below:

1

Cheers

Improve Security by Monitoring Changes in Active Directory

One of the problems that network administrators have in an enterprise with a pretty large AD infrastructure is auditing of Active Directory. Auditing is specially needed when there are more than one admins in the AD environment and you want to know who has exactly made what changes in the AD and if it were anything wrong, you would easily catch him red-handed and slap him at the face. (haha… jus’ kiddin’, there are always better ways)

Active Directory Change Reporter by NetWrix is a great tool you can use to improve the security by monitoring changes in AD. You can download it from this link and after installing it on a Windows XP/Vista/7 machine you can easily make use of it. It also allows you to produce output reports of the changes made and those who have made them.

Cheers

Esmaeil

Active Directory Domain Services in the Perimeter Network – Part 2

Let’s start this post with a question about RODCs (Read-Only Domain Controllers) because this post is all dedicated to placing an RODC in the DMZ (perimeter network):

Notes: From now on I will use the term DMZ instead of the perimeter network just to help my laziness.

Q: What are the benefits of RODCs in the DMZ?

Reducing the attack surface by placing an RODC instead of a writable domain controller.

-Giving directory service to applications that require access to Active Directory and are located in the perimeter network

Decrease the type of the traffic passing from the DMZ to the LAN and vice versa


You have to keep in mind that the clients and member server running in the perimeter network need to be Windows Vista and Windows Server 2008 and above, Otherwise a hotfix called RODC compatibility pack needs to be applied to them. You can download the hotfix from here. However you might not need to have the hotfix even but just to be on the safe side, do patch the clients and member servers using the hotfix.

Other recommendations about placing RODCs in the DMZ:

-Promote the server to an RODC on a Server Core edition of Windows Server 2008 R2

-If you have IPSec policies in your environment, make sure those IPSec policies are applied to the RODC so that it will be able to communicate with the rest of the members in the DMZ. There is something very important about IPSec policies on a DC:

Since all the member servers and possibly clients are going to communicate with the RODC using IPSec, bear in mind that the type of authentication used between the clients or servers and the RODC must not be Kerberos. There is one reason for that becasue the kerberos authentication is verified by the Domain Controller and if the client or server is not allowed to talk to the Domain Controller in the first place, how is it going to approve its authentication request? 

Therefore we need to use pre-shared keys or make use of Certificates (We need a CA Server) in order to authenticate the client. The use of certificates is preferable and is more secure than the pre-shared key.

-There is another question that comes up here and that’s if we have clients or serves that require dynamic updates on the DNS Zones in the DMZ, how are we going to handle that since we do not have a writable Domain Controller?

First of all apparently we hardly ever place a client in the perimeter network and if we do, the best security practice is to do a manual DNS update on the DNZ zone inside the LAN and then have it replicated to the RODC in the DMZ and you also need to disable dynamic updates on the client and servers in the DMZ.

Ports to be open on the firewalls:

Ports to be open on the firewall between the RODC in the perimeter network and the writable Domain Controller in the LAN:

Port Type of traffic
TCP 57344 DRSUAPI, LsaRpc, NetLgonR
TCP Static 53248 FrsRpc
TCP 135 EPM
TCP 389 LDAP
TCP 3268 GC, LDAP
TCP 445 DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
TCP 53 DNS
TCP 88 Kerberos
UDP 123 NTP
UDP 389 C-LDAP
UDP 53 DNS
TCP and UDP 464 Kerberos Change/Set Password

Ports to be open on any host or network firewall between a member server in the perimeter network and the RODC in the perimeter network:

Port Type of traffic
TCP 135 EPM
TCP 389 LDAP
TCP 445 DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
TCP 88 Kerberos
TCP Dynamic DNS, DRSUAPI, NetLogonR, SamR
UDP 389 C-LDAP
UDP 53 DNS

That’s it for today with RODCs. I just tried to put things in a nutshell so that you can get the main points.

You want to learn more about this topic? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:

1

Cheers

Group Policy Processing Order and Its Complications

For this topic I’d really like to go straight to the point so I could avoid any misunderstandings and complications. Generally group policies are those specific settings created by the administrator to apply a set of configurations to a number of computers and users in a domain environment.

The settings configured are not only applied at the domain level but can be configured on Sites and OUs as well as the local computer. Now the question is, if the computer or the user account is placed in an OU and there are group policy settings applied to that OU, is the account going to inherit those settings or the settings from the other GPOs applied at the domain or site levels?

The answer is as follows:

1- First of all the Local GPO settings are applied.

2-Then those GPOs linked to the site will be applied. These settings will override the settings of the local GPO.

3- Then the GPOs linked to the domain will be applied which again override the GPO settings applied at the site and local levels.

4- At last the GPOs linked to the OU will be applied overriding all the other GPOs that are applied at the local, domain or site levels.

There are some very important points here that deserve a mention:

-If there is a policy setting configured as Enabled or Disabled at the domain level and there is the same policy setting at the OU level set as Not Configured, the settings from the domain will take precedence.

-If there is a policy setting configured as Enabled or Disabled at the domain level and there is the same policy setting at the OU level set as Enabled or Disabled, then the settings from the OU will take precedence.

-If any of the policy settings from the domain is set to Not Configured, it will not be inherited.

-If there are two policy settings, one applied from the domain and one from the OU, both are applied as long as they are both compatible. For example, if the domain policy setting causes a folder to be placed on the desktop and the OU’s policy settings call for an additional folder, then the users in the OU are going to have both the folders on their desktops.

I just wanted to give answers to some of those questions in your head and remove those problems and complications that you had in mind regarding the Group Policy inheritance.

Hope it would be helpful

You want to learn about security on Windows Server platforms? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below:

1

Cheers

Disabling USB Ports in the domain

If you are a network admin you sure have ever been tired of the risks that USB memories bring to your network. There are so many viruses and trojans spreading around the network using flash disks and there is only one simple way to stop them all (Or one of the most effective ways at least) and that’s to disable USB ports on specific or all the computers of the domain.

To do this, we need to make use of the Group Policies and by default there is not such a setting in Active Directory Group Policy, therefore we need to create these policies by importing administrative templates to the group policy settings.

So what you need to do is to create a file with .adm suffix and then copying the script below and pasting it into the file and then what you need to do is to import the file into the computer configuration settings of the group policy and then under the Custom Policy Settings you will have all the new settings added. Using the settings not only can you disable USB ports but some other removable media as well that you can check out after importing the template.

CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynameusb
KEYNAME “SYSTEMCurrentControlSetServicesUSBSTOR”
EXPLAIN !!explaintextusb
PART !!labeltextusb DROPDOWNLIST REQUIRED

VALUENAME “Start”
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamecd
KEYNAME “SYSTEMCurrentControlSetServicesCdrom”
EXPLAIN !!explaintextcd
PART !!labeltextcd DROPDOWNLIST REQUIRED

VALUENAME “Start”
ITEMLIST
NAME !!Disabled VALUE NUMERIC 1 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynameflpy
KEYNAME “SYSTEMCurrentControlSetServicesFlpydisk”
EXPLAIN !!explaintextflpy
PART !!labeltextflpy DROPDOWNLIST REQUIRED

VALUENAME “Start”
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamels120
KEYNAME “SYSTEMCurrentControlSetServicesSfloppy”
EXPLAIN !!explaintextls120
PART !!labeltextls120 DROPDOWNLIST REQUIRED

VALUENAME “Start”
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY

[strings]
category=”Custom Policy Settings”
categoryname=”Restrict Drives”
policynameusb=”Disable USB”
policynamecd=”Disable CD-ROM”
policynameflpy=”Disable Floppy”
policynamels120=”Disable High Capacity Floppy”
explaintextusb=”Disables the computers USB ports by disabling the usbstor.sys driver”
explaintextcd=”Disables the computers CD-ROM Drive by disabling the cdrom.sys driver”
explaintextflpy=”Disables the computers Floppy Drive by disabling the flpydisk.sys driver”
explaintextls120=”Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver”
labeltextusb=”Disable USB Ports”
labeltextcd=”Disable CD-ROM Drive”
labeltextflpy=”Disable Floppy Drive”
labeltextls120=”Disable High Capacity Floppy Drive”
Enabled=”Enabled”
Disabled=”Disabled”

 

Cheers