Thursday, April 30, 2009

How do you secure Active Directory and Windows Servers?

Computer security is a big concern these days and securing your Active Directory and Windows Servers is one of the most important things we can do as admins and engineers.

I also see questions come up all the time about people wanting to know how to secure their machines.

Although there is not one answer for every environment there are some good guidelines that have been released by Microsoft and various US Federal agencies that can help out.


In my opinion there are a handful of universal rules that apply to any Active Directory environment.

UNIVERSAL RULE#1:

Limit the number of enterprise and domain administrators. I've seen plenty of organizations lock down their systems and take a lot of good security measures and then you look and there could be 50-100 (or more)domain admins.

Domain admins have control over every aspect of your domain, in fact a domain admin can have control of your entire forest.

It is important to limit these very powerful accounts. Limiting admins also limits the number of inadvertent mistakes that can cause issues

UNIVERSAL RULE#2:

See Rule #1 :)

UNIVERSAL RULE#3:

Don't give your users admin rights to their PCs. This seems like a no brainier but I was involved in a question on one of the boards recently and the admin's boss mandated that he make all the users admins on their machines.

So now you have limited admins and you have a good anti-virus program and are patching your servers with the appropriate patches.

What other guidelines are out there to help an admin secure AD and their servers?

The following is a list of some guides that should get most organizations going in the right direction


  1. NSA Security Guides
    Yes the NSA does more than electronic and their security guides are really in depth
    and have a lot of good information.

  2. DISA Security Checklists
    Defense Information System Agency (DISA) is another US Federal Agency.  These checklists are similar to the NSA guides.  

  3. DISA Active Directory STIG
    STIG's are DISA's Security Technical Implementation Guides and this one is particular to Active Directory.

  4. Microsoft Best Practice Guide for Securing Active Directory
    Microsoft's best practices for securing Active Directory

  5. Microsoft Server 2003 Security Guide
    Microsoft's guide on how to harden Windows Server 2003

  6. Microsoft Windows Server 2008 Security Guide
    Similar to the 2003 guide but for 2008

  7. Federal Dektop Core Configuration (FDCC)
    Although not for servers  FDCC is a mandate for US Federal agencies and these lock downs can help all organizations.



UPDATE via comments from Garrett - Thanks Garrett!!

The Active Directory STIG has been deprecated by the all encompasing Directory Services STIG. While it has sections for specific software (like AD), it also contains overarching security guidlines that trancends all implementations of Directory Services.

http://iase.disa.mil/stigs/stig/directory-services-stig-v1r1.pdf


Those guides are a really good place to start if you want to learn more about securing your Windows Servers and AD Infrastructure.

This all leads me to Universal Rule #4...

UNIVERSAL RULE#4:

Don't just blindly install security templates and don't lock down Active Directory or your servers without testing testing testing.  This may seem like common sense but again I've seen many incidents of servers or AD being hardened and then users may lose functionality or other major problems can arise because the lock downs were not tested.   It is important to be secure but at the end of the day it is also important for our users/customers to be able to function and do their jobs.

You say you don't have a test lab? To address that issue I'll defer to a quote by the great Don Hacherl - you can think of him as the godfather of Active Directory.

"You do, in fact, have a lab environment. What you do not have is a production environment."


These are by no means the only guides for securing AD or your Windows Servers. There are also good books and plenty of blogs and other guides. Please feel free to leave comments about your experiences with seucrity and AD

Friday, April 24, 2009

Force Certain Users to change passwords via Command Line

There was a question that recently came up where the poster wanted to force some of his users whose login name started with B to change their passwords. He wanted to do this using the command line.

This Friday quick hitter post will show two ways to do this (there are other ways also)

What I like for this sort of task are adfind and admod by Joe Richards

The command I used was:

adfind -default -f "&(objectcategory=person)(objectclass=user)(samaccountname=b*)" -dsq | admod pwdLastSet::0



That will set "User must change password at next logon" for logon names that begin with B.

Some notes about this command:


  • Joe puts a lot of safety nets in his tools (good thing).
  • You can use the -unsafe switch with admod if you don't want a safety or you can use the -safety switch and specify how many objects you want to modify (by default the safety kicks in at 10)
  • You can also specify -upto xx if you want it to do xx object mods and then stop...thanks Joe for that one :)


Brandon Shell also came in with a powershell command to do this. If you don't know Brandon check out his blog . Brandon is very knowledgeable but also a really cool guy who is always willing to help and a huge asset to the community.

The powershell command takes advantage of Quest's Active Directory cmdlets. Big thanks to Dmitry Sotnikov and everyone at Quest for those.

The command is

Get-QADUser -SamAccountName b* | Set-QADUser -UserMustChangePassword $true



As you can see both commands worked and met the requirements. I hope you can also see how you can manipulate these commands to set other attributes for example. Comment or contact me for more info.

For those that are more comfortable with the GUI you can run the same LDAP query I used in adfind in Active Directory Users and Computers and find them and highlight them all at once and check the box to force them to change their password.

Hope everyone has a great weekend, spring is finally here on the East Coast of the USA so it should be nice.

Wednesday, April 22, 2009

Lessons Learned from Eric Fleischman

As previously mentioned I attended the Philly.NET users group Code Camp on Saturday 4/18/2009.

I had the great privilege to sit through two sessions from Eric Fleischman.

Who is Eric Fleischman you ask?

Eric is currently the Dev Lead for Virtualization(cloud services) at Microsoft. Eric has also been a lead developer on the AD team for Microsoft. When it comes to those that know AD the best there is no debate...Eric makes that list.

One of Eric's best known projects in the AD community was creating the largest Active Directory known to date.

What I wanted to do is list some of the things I picked up.


    • Always make every DC a GC, assume you can do that unless you can prove that your bandwidth can't handle it. In most environments the DC/GC role will be fine. We already do this where I am but I was glad to hear Eric recommend it.
    • Leave Field Engineering Logging on everywhere. Turning it on won't hurt perf and the info you get from it is very valuable. It will let you know about inefficient and expensive queries in your environment. More info on field engineering can be found here We currently don't have this on but we soon will turn it on.
    • Eric considers Replication and Query Optimization the hardest part of AD. You also have to know that Eric works with very large implementations.
    • Don't ever user eseutil to repair your AD database. Never even tried that one in production and will never try it :)
    • Establish baselines: run SPA from time to time and run Perfmon a lot.
    • Collect Crash dumps and look at your own dumps before asking PSS.
    • The following commands will help with the crash dumps before calling PSS.

      • windbg –z foo.dmp
      • sympath SRV*http://msdl.microsoft.com/download/symbols
      • !analyze -v



That was just a taste of what Eric talked about. If you ever get a chance to go see Eric speak then do it!! Eric lived up to his reputation and in fact he exceeded all expectations.

He could have a great career after Microsoft as a college professor or high school teacher if he wanted to. Very smart but also good at conveying his thoughts and ideas to the audience. I can't imagine anyone not giving him a 5/5 on any evaluation.

Happy Earth Day, Microsoft Style

Today is April 22, 2009 which is Earth Day and while most of us are concerned about our environment and the future of our planet there are some real things that we as admin/engineers can do to help.

What I'm going to talk about today is using the power options with group policy preferences.

I won't go in-depth into the background of group policy preferences. Group Policy MVP Darren Mar-Elia has a great white paper titled Group Policy Preferences Overview I encourage anyone new to preferences to check that out.

As Darren mentions in the paper you may need to install Client Side Extensions (CSEs). You can get those CSEs for various operating systems from Microsoft.

At this point I'm assuming you are ready to go for Group Policy Preferences.

The power options are located in both the computer configuration or user configuration nodes.

If you set the options in both locations then the user setting will win as the user settings are configured after the computer settings.

The computer power options are located in:

Computer Configuration | Preferences | Control Panel Settings | Power Options

The user power options are located in:

User Configuration | Preferences | Control Panel Settings | Power Options


We have now decided to help the planet and setup some user power options. I'll create a new GPO called Happy Earth Day - Power Options

You can set a new Power Options and/or a new Power Scheme by right clicking and selecting New




I'll first go into power options, you can set several options including enabling hibernation.

You can also set the behavior when the power button is pressed.

The power button options for closing the lid of a portable computer/laptop are:

  • Do Nothing
  • Stand by
  • Hibernate


The power button options for pressing the power button or sleep button on a computer are:

  • Do nothing
  • Ask me what to do
  • Stand by
  • Shutdown
  • Hibernate


You can view the power options tab here:



One important thing to note are the green underlines. That indicates that the setting is enabled and will be applied.

The group policy team at Microsoft had a very good series explaining this:

Part one: Red/Green GP Preferences
Part Two: Red/Green Underlining Continued

As you can see in the Group Policy team posts you can use F5, F6, F7, or F8 to configure these settings


  • F5 = Configure all these settings
  • F6 = Configure just this setting - this is an individual setting
  • F7 = Ignore just this setting - this is an individual setting
  • F8 = Ignore all these settings


Here is an example:






The common tab allows to to configure other options including item level targeting




Next we will move on to a new Power Scheme -- this is where we can really make a difference on Earth Day.

With the Power Scheme you can select an action



Those actions include Create, Delete, Replace, and Update



  • Create - Create a newly configured Power Scheme. If a power scheme with the same name as the Power Scheme item exists, then the existing Power Scheme is not modified.

  • Delete - Remove a Power Scheme with the same name as the Power Scheme preference item. The extension performs no action if the Power Scheme does not exist.

  • Replace - Delete and recreate the named power scheme. The net result of the Replace action overwrites all existing settings associated with the power scheme. If the power scheme does not exist, then the Replace action creates a newly configured power scheme.

  • Update - Modify a power scheme. The action differs from Replace in that it updates the settings defined within the preference item. All other settings remain as they were previously configured. If the power scheme does not exist, then the Update action creates a new power scheme.


As you can see you can define when to turn off monitors and disks and when to put the system into standby or hibernate.

So the obvious question is What are some recommended settings?

The EPA recommends setting computers to enter system standby or hibernate after 30 to 60 minutes of inactivity. To save even more, set monitors to enter sleep mode after 5 to 20 minutes of inactivity. Obviously the lower the setting, the more energy you save.

The department of energy has also released EZ GPO for those that may not be using preferences yet.

As with any group policy test it out first in a lab and then pilot users.

It may not seem like this could make a big difference on the environment but think if every admin across the world enabled power saving schemes....again we can all do our part and hopefully help the planet.

HAPPY EARTH DAY 2009 EVERYONE!!!

Tuesday, April 21, 2009

Active Directory Masters Course - Caution Ahead

Last weekend I attended a day long event sponsored by the philly.NET users group

There were a lot of sessions for coders and developers. Laura Hunter put together a really great lineup of speakers (Eric Fleischman, Brandon Shell, Mark Arnold, & Gil Kirkpatrick) for the Active Directory/IT Pro crowd.

After one of the sessions my friend Eric and I were talking to one of the instructors and a guy in class who had just come back from the AD Masters Course/Cert Program

What he told us is that only 10 out of 21 people in his class passed. In the previous track only 1 out of 21 passed. The instructor/MVP also backed the point of the exams being tough. I don't know if those numbers are dead on but even if they are a little off I got the point...not an easy cert to get.

What I think is happening is that the AD Masters course covers so much ground and there are not that many positions that allow someone to work with all the technologies needed to pass the exam. For example in my case ADRMS and ADFS would be big challenges.

I think what needs to happen is a mind set change for those going to take this course and exam. The windows/AD guys/gals have to treat this like Cisco folks treat the CCIE. That means setup a very good lab and just test test test and try to know the stuff cold before you go to the course. So in my case I'd really dig into ADFS and ADRMS and do a lot of brushing up on everything else.

I think it is good that they are making it this challenging. Other Microsoft certs have gotten a bad reputation over the years so it looks like this the masters cert is not going to have the same stigma. Also if in 5 years the Masters takes hold like the CCIE has then that will be very beneficial ($$$) for those that hold this cert/title.

I'm not sure if I'll ever go(it is not cheap) but now I know that I have a lot of work to do if I ever decide to go

Thursday, April 16, 2009

Security Filtering and Group Policy

One of the questions I often see is how do I only apply group policies to certain groups or users or computers.

...for those of you already familiar with group policy you will know this already. This post is for those new to working with group policies. If you were sent here by a question I participated in then feel leave a comment if this helps you out.

This entry will serve to supplement Microsoft's article http://technet.microsoft.com/en-us/library/cc781988.aspx

I will first assume you are using GPMC to manage your group policies.

First thing is that group policies can't be applied directly to groups. You link a group policy at the site, domain, or OU level. The policies apply to either users and/or computers.

So suppose you have a policy that you only want to apply to a subset of users or computers. The first thing is to create a group and place the users or computers you want this policy to apply to into that group (I'll use a global group in this example). We will call that group testgroup1.

In GPMC select your group policy object. In GPMC you will see the Scope tab. Notice that by default the policy will apply to Authenticated Users



You will remove authenticated users. Then you can add your testgroup1. Now the policy will only be applied to your testgroup1




So what really happens in the background when you make that change?

If you go to the delegation tab you will see an Advanced button.






As you can see testgroup1 now has "read" and "Apply Group Policy" set to Allow. So the policy will apply to that group. Read and Apply group policy are both needed in order for the user or computer to receive and process the policy

...at this point some of you may be asking, what if I wanted to "deny" the policy to a group or user. If you instincts tell you to apply set Read & Apply Group Policy to "deny" then you would be correct.

In the following screenshot I've set deny permissions for Read & Apply Group Policy and testgroup1 will not receive the policy.




That is really all there is to security filtering and group policies...not so hard after all. Please feel free to contact me if you have any questions about this.

Thanks

Mike

UGLY & ADGLP what are they?

You will often hear the acronyms UGLY and AGDLP when people are talking about how to apply permissions to resources (usually in the context of files/folders) in an Active Directory environment.

There are three types of security groups in Active Directory they are

• Universal
• Global
• Domain Local

More information on the scope of these groups can be found here:

http://technet.microsoft.com/en-us/library/cc755692.aspx

As you can see you can nest global groups into domain local groups and that is where these acronyms come into play

AGDLP = Accounts into globals, Globals into Domain Locals, assign Permissions

UGLY
= Users into global groups, Global into domain Local groups, You assign permissions

NOTE: You will also hear AGLP refered to as AGDLP

So the question comes up should this method always be used when assigning permissions?

If you are in a single domain forest or if you are using an empty root design then you don’t need to worry about either of these acronyms. You can just use globals or domain locals and add members and apply permissions. Don’t worry about nesting groups.

In a multi-domain forest the thought process behind AGLP and UGLY is that you only ever add members to the global groups. From the link above you can see that
because groups with global scope are not replicated outside their own domain, you can change accounts in a group having global scope frequently without generating replication traffic to the global catalog.


The one issue that can come up is that you may lose some control of who has access to the resources unless you have a good auditing process setup.

Suppose you have a North America, Asia, Europe, & South America domain. Now in the North America domain you have an Accounting folder and you use AGLP/UGLY to apply permissions. If you are only an admin in North America then the admins from all the other domains could be adding members to their global groups that may not really need access.

So as you can see there are pros and cons to the various methods. The final answer here is that there is no set in stone hard and fast answer. You have to look at your organization/structure/environment and decide what is best for you

Tuesday, April 14, 2009

How great are Special Forces!!

Taking a detour from Active Directory.

By now everyone has heard how the Navy Seals rescued Captain Phillips from the pirates off the coast of Africa.

For those that don't know the three Navy Seals parachuted in and watched the boat Captain Phillips was in for several days. Then at one point two of the pirates briefly stuck their head out and two seals took simultaneous shots and killed the two pirates. The third seal at the same time shot at the third pirate inside (there must have been a window). That third shot was sucessful too. Three simultaneous shots...three kills. NBC News had a really great animation of all this but I can't find it on the web. If I do find it I'll post it.

Update from my friend Keith (also an Army Vet)
It was night and they used thermal image scopes that way they could see heat through the fiberglass life boat. 3 shots 3 kills. The forth pirate was aboard the navy ship as a negotiator


Great info Keith!! This is even more impressive.

How bad ass is that? Man oh man these guys are good. Just think if one shot would have been off Captain Phillips would have been a dead man.

I was in the Army but never came anywhere close to doing anything this high speed. You just have to take your hat off to all these guys in Special Forces they are a rare breed and we owe them a lot of thanks!!

Navy Seals, Army Rangers/Green Berets/Delta Force, USMC Force Recon, England’s SAS, Israeli Sayeret, and Germany's KSK.

Thanks to all of you, most of us will never know all the missions and things you all do to keep the world safe because of how Top Secret your missions are but we know you are out there and we know you are doing great things so THANK YOU!!!

Hooooaaahhh!!

Modify User displayName using the command line

A question came up in the forums today about how to modify the displayname of users to Lastname, Firstname

My friend Matt had a very good suggestion and that was to use a tool called ADModify.NET

ADModify is indeed a great tool and will do that job and that is a very good recommendation, but what I'll show here is a command line method using Joe Richard's adfind and admod tools...have I mentioned I'm a big fan of these tools :)

The first thing to know is that in Active Directory the Lastname and Firstname attributes are not stored that way. What they really are in the background is:

Lastname = sn
Firstname = givenName

So for this example what I'll show is the before, the modification, then the after


What I'll run first is just an adfind command to show that the displayName field is not populated



As you can see no displayName

Next I will use adfind and pipe those results into admod...that is what makes these tools very very powerful

The command is (my accounts are in an OU called admodtest)

adfind -b ou=admodtest,dc=mktest,dc=com -f "&(objectcategory=person)(objectclass=user)" sn givenname -adcsv | admod "displayname::{{sn}}, {{givenname}}"

If you have more than 10 to change at once you can use the -unsafe switch in admod (default will change 10...joe puts a lot of safety nets into his tools)





Note: the -adcsv is a switch that joe has put in so that the output can be passed to his other tools (admod in this case)

The command did complete successfully, but now I run the same adfind command to make sure the display name is what I want...and it works as advertised.




There are also other command line methods (dsmod from Microsoft, PowerShell, VBScript, etc...)

This is just one option in addition to ADModify.NET

Monday, April 13, 2009

When were my domains created - quick-hitters

This will be the first post in what I'll call "quick-hitters". Short to the point posts to accomplish a specific task.

So you want to find a quick way to know when the domains in your forest were created.

This is where I really like a tool called ADFIND by Active Directory MVP Joe Richards. Joe is one of my favorite people in the AD world. Really smart but also a cool guy that is always willing to help.

The command is

adfind -gcb -f objectcategory=domain name whencreated -tdcgt



In my example screen shot I only have one domain in that forest in my lab but it works across your forest becasue of the -gcb switch. If you only want to search your domain you can replace -gcb with -default.



Thanks

Mike

Sunday, April 12, 2009

Need AD DSRM Password -- Not So Fast

The situation was that the network team was Re-IPing a subnet and before that was done the IP of the domain controller was not changed. At the time the new subnet could not contact the subnet where the DNS server was located.

There were calls made and eventually I was called on the subject. I was called in order to provide the AD Directory Services Restore Mode (DSRM) password. The plan was apparently to log into the domain controller hit F8 during boot go into DSRM and modify the IP address.

After thinking about it and talking it over with my good friend Eric Jansen[1] we thought that was overkill. The domain controller has a writable copy of AD. In this situation there shouldn't be any problems logging in at the DC, regardless of some peoples' concerns about DNS client side settings.

This of course called for a test and this is very easy to setup in a virtual environment.

In my main domain I have three domain controllers (2 Windows 2003 and 1 Windows 2008). For this test I changed W2K3 DC2 and had it only point to DC1 for DNS. I created a new account and turned off DC1.



As you can see in the screen shot, the DC only has one DNS server configured and that server is off/not responding. This would be a problem if this were a workstation but this test was just for a domain controller. The workstation issue will be explained in a future entry.


The next step was to try and log into the box. As expected the login went fine and I was authenticated and was able to change the IP on the box.

DSRM mode password not needed --- crisis averted.

Thanks

Mike

[1] Out of all the people that I've worked with Eric is the best and my favorite person to work with not only because he is smart but because he really enjoys and has a passion for AD. Watch for Eric's blog on my blog list...when he creates it. Ok sure Eric has a wife and young daughter and in college full time so he may not have as much time as I do....no excuses Eric :)

Saturday, April 11, 2009

My Favorite Commercial of All-Time




Michael Jordan is my favorite athlete of all time. I really loved watching him play and watch that passion he had for the game.

What I really loved about this commercial is that Michael shows us all that even he has failed many many times…but in the end that is why he succeeded.

This is the same with Active Directory. We often try new things or maybe fail to solve the issue at hand in the first try or within the first few minutes….but that is why we succeed.

Odd Title For your Blog – Is AD really fun?

So why would I call my blog “ADisFUN”. There are a lot of things in this world that people consider fun and Active Directory is not often mentioned in that list.

What I really enjoy is that AD fits about any network. From those small businesses that run AD using SBS or to the large companies that span the globe with thousands and thousands of users across multiple continents. That means knowing AD and how it works is needed everywhere.

There is also always something to learn which is probably the most fun I have. If you ever hear anyone tell you that they have completely mastered AD and know everything about it then that person is lying. There are always new features and new versions coming out. Microsoft constantly strives to improve AD and now that they are releasing new features every two years there is always more to learn and know and try to master.

An analogy I use is that I compare Active Directory to the game of golf. Golf can be a humbling game and even someone as great as Tiger Woods knows that he will never truly “master” the game. Tiger comes close but he learns new things about his game and golf all the time. This is the same with Active Directory. There are those in the AD world that I consider the “Tiger Woods of AD” and the great thing is those people will readily admit that they still have things to learn and master.

There are new issues we encounter on a regular basis and solving those issues is what I consider Fun. Learning the new features is what I consider Fun. Working with great people in the AD community (see my blog list for some examples) is what I consider Fun. Helping answer questions in the community and receiving emails or comments from people is very fun and rewarding.

…and yes even going out and getting new certifications every few years is what I consider Fun :)

Hello World

My first post, yeah finally :)

This isn't my first attempt at a blog/website. Four years ago I purchased http://www.diggpodcast.com/

At the time podcasts were not really big and digg.com had just gotten started so I figured that would be a good podcast to start.

The problem there was when I actually recorded a few and heard my voice I really hated it. I know a lot of people hate their voice but I just didn't feel like it was a good podcast.

If you know what Active Directory is then you have come to the right place. I plan on posting Active Directory related topics and from time to time non-technical items too.

I'm active on experts-exchange in the AD forums (mkline71) and I'll try to pick a few questions from there a week and expand on them here in the blog.

I also plan on doing some step by step videos but that will come later.

I hope you all enjoy my blog and hopefully it can help someone out there.