Posts Tagged ‘domain controller’

Meraki's advice for enabling AD authentication for VPN is to create the service account as ... a Domain Administrator:

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Active_Directory_Integration

This is a big security no-no: if that account gets compromised, the whole domain gets compromised.

You can instead make this account a plain Domain User, which is enough to:

  • Query the user database via LDAP
  • Query group membership via LDAP

You can then grant the WMI permissions needed for "Query the domain controller via WMI" by doing the following on the domain controller.

To set the WMI user access permissions

  1. Select Start > Run.
  2. On the Run dialog, type wmimgmt.msc in the Open field.
  3. Click OK to display the Windows Management Infrastructure (WMI) Control Panel.
  4. In the left pane of the WMI Control Panel, highlight the WMI Control (local) entry, right-click, and select the Properties menu option. This displays the WMI Control (Local) Properties dialog box.
  5. Select the Security tab in the WMI Control (Local) Properties dialog box.
  6. In the namespace tree within the Security tab, expand the Root folder. This action lists the available WMI name spaces.
  7. Click the CIMV2 namespace to highlight it.
  8. Click Security to display the Security for ROOT\CIMV2 dialog box.
  9. Click Add in the Security for ROOT\CIMV2 dialog box to display the Select Users or Groups dialog box.
  10. Add the domain user account that will be used as your proxy data collection user account. This should be a domain account (not a local computer account), but it does not need to be an account with administrative access.
  11. Click OK to close the Select Users or Groups dialog box and return to the Security for ROOT\CIMV2 dialog box. The user account you selected should now be listed in the Name list at the top of the dialog box.
  12. Select the newly added user (if it is not already selected) and enable the following permissions:
    • Enable Account
    • Remote Enable
      Enable the permissions by clicking the Allow box, if it is not already checked for that permission. The Enable Account permission should already be selected, but the Remote Enable permission will need to be selected.
  13. Click OK to close the Security for ROOT\CIMV2 dialog box.
    The permissions should now be properly set for the proxy data collection user account.
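The whole point of the post is that the proxy account stays a plain Domain User. The following PowerShell is an added check, not part of the original post: it reads the account's tokenGroups attribute (which the DC computes with group nesting already resolved) and flags membership in the built-in privileged groups. The account name svc_meraki_ldap is a placeholder; run it from any domain-joined machine with ordinary domain read access.

```powershell
# Added example (not part of the original post): confirm that the VPN/LDAP
# service account is a plain domain user, i.e. not a member of any privileged
# group, directly or through nesting. Needs only domain read access; run from
# any domain-joined Windows machine. The account name is a placeholder.
param(
    [string] $SamAccountName = 'svc_meraki_ldap'   # placeholder: your service account
)

# Well-known RIDs of groups a read-only LDAP/WMI service account should never be in.
$privilegedRids = @{
    512 = 'Domain Admins'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
    544 = 'Administrators'
    548 = 'Account Operators'
    549 = 'Server Operators'
    550 = 'Print Operators'
    551 = 'Backup Operators'
}

function Get-EffectiveGroups {
    param([string] $Sam)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$Sam))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account not found: $Sam" }
    $user = $result.GetDirectoryEntry()
    # tokenGroups is computed by the DC and already includes nested group membership.
    $user.RefreshCache([string[]]@('tokenGroups'))
    foreach ($sidBytes in $user.Properties['tokenGroups']) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Sid  = $sid.Value
            Rid  = [int] $sid.Value.Split('-')[-1]
            Name = $name
        }
    }
}

function Test-ServiceAccountIsPlainUser {
    param([string] $Sam)
    $groups     = @(Get-EffectiveGroups -Sam $Sam)
    $privileged = @($groups | Where-Object { $privilegedRids.ContainsKey($_.Rid) })
    [pscustomobject]@{
        Account          = $Sam
        GroupCount       = $groups.Count
        PrivilegedGroups = ($privileged | ForEach-Object { $_.Name }) -join ', '
        IsPlainUser      = ($privileged.Count -eq 0)
    }
}

$verdict = Test-ServiceAccountIsPlainUser -Sam $SamAccountName
$verdict | Format-List
if (-not $verdict.IsPlainUser) {
    Write-Warning "$SamAccountName holds privileged group membership; remove it before using the account as a proxy."
}
```

The check uses tokenGroups rather than memberOf on purpose: memberOf shows only direct membership, so an account that is Domain Admin through a nested group would pass a memberOf check and still fail the intent of the post.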

To Recreate SysVol Share

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following subkey in Registry Editor: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. In the details pane, right-click the SysvolReady flag, and then click Modify.
  4. In the Value data box, type 0, and then click OK.
  5. Again in the details pane, right-click the SysvolReady flag, and then click Modify.
  6. In the Value data box, type 1, and then click OK.

The NETLOGON share is actually the scripts folder that sits inside the SYSVOL folder, so if the SYSVOL folder is still blank, your replication is not working.

In Event Viewer, under Applications and Services Logs > DFS Replication, check for Event IDs 2010 or 4114, then:

  1. Set msDFSR-Enabled to FALSE
  2. Run DFSRDIAG POLLAD
  3. Set msDFSR-Enabled to TRUE
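The following PowerShell is an added, read-only health check, not part of the original post: it reads the SysvolReady flag, confirms the SYSVOL and NETLOGON shares are published, counts what is actually under the SYSVOL tree, pulls the DFS Replication events 2010/4114, and reads msDFSR-Enabled from this DC's SYSVOL subscription object. The subscription object's location (CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings under the DC's computer object) is the standard DFSR SYSVOL layout and is assumed here; it modifies nothing. Requires PowerShell 3 or later, run elevated on the domain controller.

```powershell
# Added example (not part of the original post): read-only health check of the
# items the post tells you to look at after recreating the SYSVOL share.
# Run in an elevated prompt on the domain controller; nothing is modified.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$domain      = (Get-CimInstance Win32_ComputerSystem).Domain

function Get-SysvolHealth {
    # 1. SysvolReady flag: Netlogon only publishes SYSVOL/NETLOGON when this is 1.
    $ready = (Get-ItemProperty -Path $netlogonKey -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady

    # 2. Are the two shares actually published? ("net share" exists on every Windows version.)
    $shareList   = (& net.exe share) -join "`n"
    $hasSysvol   = $shareList -match '(?im)^SYSVOL\s'
    $hasNetlogon = $shareList -match '(?im)^NETLOGON\s'

    # 3. The NETLOGON share is the scripts folder under SYSVOL; an empty SYSVOL
    #    tree on this DC means replication has not delivered content yet.
    $sysvolRoot = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domain"
    $scriptDir  = Join-Path $sysvolRoot 'scripts'
    $fileCount  = 0
    if (Test-Path $sysvolRoot) {
        $fileCount = @(Get-ChildItem -Path $sysvolRoot -Recurse -File -ErrorAction SilentlyContinue).Count
    }

    # 4. DFSR event IDs 2010 and 4114 from Applications and Services Logs > DFS Replication.
    $dfsrEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 2010, 4114 } `
                     -MaxEvents 10 -ErrorAction SilentlyContinue)

    # 5. msDFSR-Enabled on this DC's SYSVOL subscription object (the attribute the
    #    post's FALSE / POLLAD / TRUE sequence toggles). Assumed standard DFSR location.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $dcDn = $searcher.FindOne().Properties['distinguishedname'][0]
    $subscription = [ADSI]"LDAP://CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
    $dfsrEnabled  = $subscription.Properties['msDFSR-Enabled'].Value

    [pscustomobject]@{
        SysvolReady     = $ready
        SysvolShared    = $hasSysvol
        NetlogonShared  = $hasNetlogon
        ScriptsFolder   = $scriptDir
        SysvolFileCount = $fileCount
        DfsrEnabled     = $dfsrEnabled
        DfsrEvents      = ($dfsrEvents | ForEach-Object { "$($_.TimeCreated) id=$($_.Id)" }) -join '; '
    }
}

$h = Get-SysvolHealth
$h | Format-List
if ($h.SysvolReady -ne 1 -or -not $h.SysvolShared -or -not $h.NetlogonShared) {
    Write-Warning 'SYSVOL/NETLOGON are not published: repeat the SysvolReady 0 -> 1 steps above.'
}
if ($h.SysvolFileCount -eq 0 -or $h.DfsrEvents) {
    Write-Warning 'SYSVOL is empty or DFSR logged 2010/4114: replication is not working; check msDFSR-Enabled and run DFSRDIAG POLLAD.'
}
```

Run it before and after the msDFSR-Enabled sequence: SysvolFileCount going from 0 to a real number and no fresh 2010/4114 events is the sign that replication has caught up.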


Edit the Group Policy that applies to your domain controllers.

Server 2003

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy 

-> Enable Audit directory service access

Server 2008 or Above

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options->Audit: Force audit policy subcategory settings

Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Policies->DS Access

Target OU or Whole Domain

Right-click the OU (or the domain) where you want to enable auditing and bring up its properties. Under Extensions you will see the Security tab. From there select Advanced and then choose the Auditing tab. If you want to be comprehensive, I would select the Everyone security principal, set Type to Success and Applies to: This object and all descendant objects. For the permissions, again if you want to be comprehensive, set the following:

  • Write all properties
  • Delete
  • Delete subtree
  • Modify permissions
  • Modify owner
  • All validated writes
  • All extended writes
  • Create all child objects
  • Delete all child objects

Open Event Viewer and filter the Security log for these event IDs (Windows Server 2003 / Windows Server 2008-2012):
– 631, 635, 648, 653, 658, 663 / 4727, 4731, 4754, 4759, 4744, 4749 – Group created
– 632, 636, 650, 655, 660, 665 / 4728, 4732, 4756, 4761, 4746, 4751 – Member added to a group
– 633, 637, 651, 656, 661, 666 / 4729, 4733, 4757, 4762, 4747, 4752 – Member removed from a group
– 634, 638, 652, 662, 667, 657 / 4730, 4734, 4758, 4748, 4753, 4763 – Group deleted
– 639, 641, 649, 654, 659, 664 / 4735, 4737, 4745, 4750, 4755, 4760 – Group changed
– 566 / 4662 – An operation was performed on an object (OU changes) (Type: Directory Service Access)
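Rather than clicking through the Event Viewer filter, the following PowerShell is an added example (not part of the original post) that first shows whether the Directory Service Access subcategory is actually being audited on this DC, then pulls the Windows Server 2008+ IDs from the list above out of the Security log and summarises actor, target group and member per event. The ID-to-meaning mapping is the post's own; everything else (parameter names, chunk size) is this example's.

```powershell
# Added example (not part of the original post): pull the Windows Server
# 2008-2012 event IDs listed above out of the Security log and summarise who
# changed which group. Run elevated on the domain controller (or point
# -ComputerName at it). The ID-to-meaning mapping is the post's own list.
param(
    [string] $ComputerName = $env:COMPUTERNAME,
    [int]    $Hours        = 24,
    [int]    $MaxEvents    = 1000
)

$eventMap = @{}
foreach ($id in 4727,4731,4754,4759,4744,4749) { $eventMap[$id] = 'Group created' }
foreach ($id in 4728,4732,4756,4761,4746,4751) { $eventMap[$id] = 'Member added to a group' }
foreach ($id in 4729,4733,4757,4762,4747,4752) { $eventMap[$id] = 'Member removed from a group' }
foreach ($id in 4730,4734,4758,4748,4753,4763) { $eventMap[$id] = 'Group deleted' }
foreach ($id in 4735,4737,4745,4750,4755,4760) { $eventMap[$id] = 'Group changed' }
$eventMap[4662] = 'Operation performed on an object (DS Access)'

# Pull one named <Data> field out of the event's XML payload.
function Get-EventField {
    param([xml] $EventXml, [string] $Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-GroupChangeEvents {
    param([string] $Computer, [int] $SinceHours, [int] $Limit)
    $since = (Get-Date).AddHours(-$SinceHours)
    $ids   = [int[]] $eventMap.Keys
    $found = @()
    # The XPath that FilterHashtable generates accepts only a small number of
    # "EventID=" terms, so query the list in chunks of 10 and merge.
    for ($i = 0; $i -lt $ids.Count; $i += 10) {
        $chunk  = $ids[$i..([Math]::Min($i + 9, $ids.Count - 1))]
        $found += @(Get-WinEvent -ComputerName $Computer -MaxEvents $Limit -ErrorAction SilentlyContinue `
                        -FilterHashtable @{ LogName = 'Security'; Id = $chunk; StartTime = $since })
    }
    foreach ($e in ($found | Sort-Object TimeCreated)) {
        $x = [xml] $e.ToXml()
        # 4662 names the object touched; the group events name the group in TargetUserName.
        $target = if ($e.Id -eq 4662) { Get-EventField $x 'ObjectName' } else { Get-EventField $x 'TargetUserName' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Action = $eventMap[$e.Id]
            Target = $target
            Member = Get-EventField $x 'MemberName'
            Actor  = "$(Get-EventField $x 'SubjectDomainName')\$(Get-EventField $x 'SubjectUserName')"
        }
    }
}

# Is the policy from the GPO steps above actually in force on this DC?
& auditpol.exe /get /subcategory:"Directory Service Access"

$changes = Get-GroupChangeEvents -Computer $ComputerName -SinceHours $Hours -Limit $MaxEvents
$changes | Format-Table -AutoSize
$changes | Group-Object Action | Select-Object Name, Count | Format-Table -AutoSize
```

If auditpol reports "No Auditing" for the subcategory, the GPO has not applied (or the "Force audit policy subcategory settings" option above is missing) and the query will come back empty regardless of what has changed in the directory.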


SolarWinds has an Application Monitoring Template for Domain Controllers.

The permission usually recommended is to give the polling account Local Administrator on the computer; however, on a domain controller that effectively means Domain Administrator, so if the account gets compromised it has all the access!

These are the minimum permissions you need, set via script:

  1. Give the SolarWinds polling account WMI access to these services. You will need to change the SID
     S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX
     to the one of your polling account. You can look it up with

wmic useraccount get name,sid

and read off the row for your SolarWinds account.

Then save this as a BAT file and Run As Administrator:

:: Comments must sit on their own line: cmd only treats :: as a comment at the start of a line,
:: and a trailing ::text after a command is passed to sc.exe as extra arguments.
:: Replace S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX with the SID of your polling account.

:: Makes All Users Access to SC Manager
Sc sdset scmanager D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

:: Gives Goldcorp_CA\SVC_SLWWMIAccess access to DNS Service
Sc sdset DNS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

:: Gives Goldcorp_CA\SVC_SLWWMIAccess access to DFSR Service
Sc sdset DFSR D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

:: Gives Goldcorp_CA\SVC_SLWWMIAccess access to IsmServ Service
Sc sdset IsmServ D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

:: Gives Goldcorp_CA\SVC_SLWWMIAccess access to W32Time Service
Sc sdset W32Time D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

:: Gives Goldcorp_CA\SVC_SLWWMIAccess access to LanmanServer Service
Sc sdset LanmanServer D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

:: Gives Goldcorp_CA\SVC_SLWWMIAccess access to LanmanWorkstation Service
Sc sdset LanmanWorkstation D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

:: Gives Goldcorp_CA\SVC_SLWWMIAccess access to Netlogon Service
Sc sdset Netlogon D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

:: Gives Goldcorp_CA\SVC_SLWWMIAccess access to NTDS Service
Sc sdset NTDS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

:: Gives Goldcorp_CA\SVC_SLWWMIAccess access to ADWS Service
Sc sdset ADWS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
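Each sdset line above replaces the service's whole security descriptor, so it is worth reading the result back. The following PowerShell is an added example, not part of the original post: it resolves the polling account's SID (the value you would otherwise copy from wmic), runs sc.exe sdshow for every service the BAT file touches, parses the DACL, and reports whether the account holds exactly the LC right (SERVICE_QUERY_STATUS in service SDDL) and nothing broader, and whether Authenticated Users got the scmanager rights the post sets. The account name DOMAIN\svc_solarwinds is a placeholder; the expected rights are copied from the lines above. It is read-only; run it elevated on the domain controller.

```powershell
# Added example (not part of the original post): after running the BAT file
# above, confirm on the domain controller that each service's security
# descriptor gives the polling account exactly the right the post's sdset lines
# add (LC = SERVICE_QUERY_STATUS) and nothing broader, and that Authenticated
# Users got the scmanager rights. Read-only: it only runs "sc.exe sdshow".
param([string] $Account = 'DOMAIN\svc_solarwinds')   # placeholder: your polling account

# Resolve the SID you would otherwise look up with "wmic useraccount get name,sid".
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# service -> trustee that must hold an allow ACE, and the exact rights expected (from the post).
$expected = [ordered]@{
    scmanager         = @{ Trustee = 'AU'; Rights = 'CCLCRPRC' }
    DNS               = @{ Trustee = $sid; Rights = 'LC' }
    DFSR              = @{ Trustee = $sid; Rights = 'LC' }
    IsmServ           = @{ Trustee = $sid; Rights = 'LC' }
    W32Time           = @{ Trustee = $sid; Rights = 'LC' }
    LanmanServer      = @{ Trustee = $sid; Rights = 'LC' }
    LanmanWorkstation = @{ Trustee = $sid; Rights = 'LC' }
    Netlogon          = @{ Trustee = $sid; Rights = 'LC' }
    NTDS              = @{ Trustee = $sid; Rights = 'LC' }
    ADWS              = @{ Trustee = $sid; Rights = 'LC' }
}

# Parse the DACL of a service's SDDL into one object per ACE: (type;flags;rights;;;trustee).
function Get-ServiceDaclAces {
    param([string] $Service)
    $sddl = ((& sc.exe sdshow $Service) -join '').Trim()   # first output line is blank
    if ($sddl -notmatch '^D:') { throw "sc sdshow $Service failed: $sddl" }
    $dacl = ($sddl -split 'S:')[0]                          # drop the SACL (everything after S:)
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'
        [pscustomobject]@{ Type = $f[0]; Rights = $f[2]; Trustee = $f[5] }
    }
}

function Test-ServiceAccess {
    foreach ($svc in $expected.Keys) {
        $want = $expected[$svc]
        try {
            $aces  = @(Get-ServiceDaclAces -Service $svc | Where-Object { $_.Trustee -eq $want.Trustee })
            $allow = @($aces | Where-Object { $_.Type -eq 'A' })
            $deny  = @($aces | Where-Object { $_.Type -eq 'D' })
            if ($deny.Count -gt 0)      { $status = 'DENY ACE present' }
            elseif ($allow.Count -eq 0) { $status = 'MISSING' }
            elseif ($allow.Count -eq 1 -and $allow[0].Rights -eq $want.Rights) { $status = 'OK' }
            else                        { $status = 'DIFFERS (check rights)' }
            $actual = ($allow | ForEach-Object { $_.Rights }) -join ','
        } catch {
            $status = "ERROR: $($_.Exception.Message)"
            $actual = ''
        }
        [pscustomobject]@{
            Service  = $svc
            Trustee  = $want.Trustee
            Expected = $want.Rights
            Actual   = $actual
            Status   = $status
        }
    }
}

Test-ServiceAccess | Format-Table -AutoSize
```

A DIFFERS or TOO-broad result usually means someone later granted the account a wider set (for example RP/WP, which allow start and stop) than the post intends; the table shows the actual SDDL rights so the extra letters can be compared against the lines above.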
  2. Use this modified PowerShell script from Palo Alto (changed $ace.AceFlags to 2 so that the permissions inherit to sub-namespaces) to give the account WMI access.

Save it as a .ps1 file and run it as administrator like this:

.\name_of_powershellfile.ps1 root add Domain\Svc_serviceaccountname Enable,RemoteAccess
# Copyright (c) Microsoft Corporation.  All rights reserved.
# For personal use only.  Provided AS IS and WITH ALL FAULTS.

# Set-WmiNamespaceSecurity.ps1
# Example: Set-WmiNamespaceSecurity root/cimv2 add steve Enable,RemoteAccess
#
# Adds or removes an ACE for $account in the security descriptor of the WMI
# namespace $namespace, locally or on $computerName (optionally with $credential).

Param ( [parameter(Mandatory=$true,Position=0)][string] $namespace,
    [parameter(Mandatory=$true,Position=1)][string] $operation,
    [parameter(Mandatory=$true,Position=2)][string] $account,
    [parameter(Position=3)][string[]] $permissions = $null,
    [bool] $allowInherit = $false,
    [bool] $deny = $false,
    [string] $computerName = ".",
    [System.Management.Automation.PSCredential] $credential = $null)

Process {
    $ErrorActionPreference = "Stop"

    # Translate permission names (Enable, RemoteAccess, ...) into WBEM access-mask bits.
    Function Get-AccessMaskFromPermission($permissions) {
        $WBEM_ENABLE            = 1
        $WBEM_METHOD_EXECUTE    = 2
        $WBEM_FULL_WRITE_REP    = 4
        $WBEM_PARTIAL_WRITE_REP = 8
        $WBEM_WRITE_PROVIDER    = 0x10
        $WBEM_REMOTE_ACCESS     = 0x20
        $WBEM_RIGHT_SUBSCRIBE   = 0x40
        $WBEM_RIGHT_PUBLISH     = 0x80
        $READ_CONTROL           = 0x20000
        $WRITE_DAC              = 0x40000

        $WBEM_RIGHTS_FLAGS = $WBEM_ENABLE,$WBEM_METHOD_EXECUTE,$WBEM_FULL_WRITE_REP,`
            $WBEM_PARTIAL_WRITE_REP,$WBEM_WRITE_PROVIDER,$WBEM_REMOTE_ACCESS,`
            $READ_CONTROL,$WRITE_DAC
        $WBEM_RIGHTS_STRINGS = "Enable","MethodExecute","FullWrite","PartialWrite",`
            "ProviderWrite","RemoteAccess","ReadSecurity","WriteSecurity"

        $permissionTable = @{}

        for ($i = 0; $i -lt $WBEM_RIGHTS_FLAGS.Length; $i++) {
            $permissionTable.Add($WBEM_RIGHTS_STRINGS[$i].ToLower(), $WBEM_RIGHTS_FLAGS[$i])
        }

        $accessMask = 0

        foreach ($permission in $permissions) {
            if (-not $permissionTable.ContainsKey($permission.ToLower())) {
                throw "Unknown permission: $permission`nValid permissions: $($permissionTable.Keys)"
            }
            $accessMask += $permissionTable[$permission.ToLower()]
        }

        $accessMask
    }

    # Fixed here: the credential branch referenced an undefined $computer; it must be $computerName.
    if ($PSBoundParameters.ContainsKey("Credential")) {
        $remoteparams = @{ComputerName=$computerName;Credential=$credential}
    } else {
        $remoteparams = @{ComputerName=$computerName}
    }

    # __SystemSecurity=@ is the singleton object that holds a namespace's security descriptor.
    $invokeparams = @{Namespace=$namespace;Path="__systemsecurity=@"} + $remoteParams

    $output = Invoke-WmiMethod @invokeparams -Name GetSecurityDescriptor
    if ($output.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed: $($output.ReturnValue)"
    }

    $acl = $output.Descriptor
    $OBJECT_INHERIT_ACE_FLAG = 0x1
    $CONTAINER_INHERIT_ACE_FLAG = 0x2

    $computerName = (Get-WmiObject @remoteparams Win32_ComputerSystem).Name

    # Accept DOMAIN\user, user@domain.tld, or a bare name (treated as a local account).
    if ($account.Contains('\')) {
        $domainaccount = $account.Split('\')
        $domain = $domainaccount[0]
        if (($domain -eq ".") -or ($domain -eq "BUILTIN")) {
            $domain = $computerName
        }
        $accountname = $domainaccount[1]
    } elseif ($account.Contains('@')) {
        $domainaccount = $account.Split('@')
        $domain = $domainaccount[1].Split('.')[0]
        $accountname = $domainaccount[0]
    } else {
        $domain = $computerName
        $accountname = $account
    }

    $getparams = @{Class="Win32_Account";Filter="Domain='$domain' and Name='$accountname'"}

    $win32account = Get-WmiObject @getparams

    if ($win32account -eq $null) {
        throw "Account was not found: $account"
    }

    switch ($operation) {
        "add" {
            if ($permissions -eq $null) {
                throw "-Permissions must be specified for an add operation"
            }
            $accessMask = Get-AccessMaskFromPermission($permissions)

            $ace = (New-Object System.Management.ManagementClass("win32_Ace")).CreateInstance()
            $ace.AccessMask = $accessMask
            if ($allowInherit) {
                $ace.AceFlags = $OBJECT_INHERIT_ACE_FLAG + $CONTAINER_INHERIT_ACE_FLAG
            } else {
                # Changed by the post's author to 2 (CONTAINER_INHERIT_ACE) so the ACE
                # propagates to sub-namespaces, e.g. from root down to root\cimv2.
                $ace.AceFlags = 2
            }

            $trustee = (New-Object System.Management.ManagementClass("win32_Trustee")).CreateInstance()
            $trustee.SidString = $win32account.Sid
            $ace.Trustee = $trustee

            $ACCESS_ALLOWED_ACE_TYPE = 0x0
            $ACCESS_DENIED_ACE_TYPE = 0x1

            if ($deny) {
                $ace.AceType = $ACCESS_DENIED_ACE_TYPE
            } else {
                $ace.AceType = $ACCESS_ALLOWED_ACE_TYPE
            }

            $acl.DACL += $ace.psobject.immediateBaseObject
        }

        "delete" {
            if ($permissions -ne $null) {
                throw "Permissions cannot be specified for a delete operation"
            }

            # Rebuild the DACL without any ACE whose trustee is this account.
            [System.Management.ManagementBaseObject[]]$newDACL = @()
            foreach ($ace in $acl.DACL) {
                if ($ace.Trustee.SidString -ne $win32account.Sid) {
                    $newDACL += $ace.psobject.immediateBaseObject
                }
            }

            $acl.DACL = $newDACL.psobject.immediateBaseObject
        }

        default {
            throw "Unknown operation: $operation`nAllowed operations: add delete"
        }
    }

    $setparams = @{Name="SetSecurityDescriptor";ArgumentList=$acl.psobject.immediateBaseObject} + $invokeParams

    $output = Invoke-WmiMethod @setparams
    if ($output.ReturnValue -ne 0) {
        throw "SetSecurityDescriptor failed: $($output.ReturnValue)"
    }
}
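Both the wmimgmt.msc steps in the Meraki post above (Enable Account and Remote Enable on ROOT\CIMV2) and the script just shown grant rights that are easy to over-grant and hard to see afterwards. The following PowerShell is an added example, not part of the original post and not part of Microsoft's Set-WmiNamespaceSecurity.ps1: it reads a namespace's security descriptor back with the same GetSecurityDescriptor call the script uses, decodes the access mask with the script's own WBEM_* bit names, and reports whether the account holds exactly Enable + RemoteAccess, whether the ACE is a deny, and whether it carries the CONTAINER_INHERIT flag (AceFlags 2) the modified script sets. The account name DOMAIN\svc_wmi_readonly and the namespace list are placeholders; it is read-only and should be run elevated.

```powershell
# Added example (not part of the original post, and not part of Microsoft's
# Set-WmiNamespaceSecurity.ps1 above): read a WMI namespace's security
# descriptor back and decode the ACE for one account, to confirm that the
# wmimgmt.msc steps (Enable Account + Remote Enable on ROOT\CIMV2) or the
# script above granted exactly those two rights, and whether the ACE has the
# CONTAINER_INHERIT flag (AceFlags 2) that the modified script sets on root.
# Read-only; run elevated. The account name is a placeholder.
param(
    [string]   $Account    = 'DOMAIN\svc_wmi_readonly',   # placeholder
    [string[]] $Namespaces = @('root', 'root/cimv2')
)

# Access-mask bits, named as in the WBEM_* constants of the script above.
$rightNames = [ordered]@{
    1      = 'Enable'          # WBEM_ENABLE ("Enable Account" in wmimgmt.msc)
    2      = 'MethodExecute'
    4      = 'FullWrite'
    8      = 'PartialWrite'
    16     = 'ProviderWrite'
    32     = 'RemoteAccess'    # WBEM_REMOTE_ACCESS ("Remote Enable")
    131072 = 'ReadSecurity'    # READ_CONTROL
    262144 = 'WriteSecurity'   # WRITE_DAC
}
$expectedMask = 1 + 32   # Enable Account + Remote Enable, nothing else

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Get-NamespaceAces {
    param([string] $Namespace)
    # __SystemSecurity=@ is the singleton that carries the namespace's descriptor.
    $out = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace failed: $($out.ReturnValue)" }
    foreach ($ace in $out.Descriptor.DACL) {
        $mask  = [int] $ace.AccessMask
        $names = foreach ($bit in $rightNames.Keys) { if ($mask -band $bit) { $rightNames[$bit] } }
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Sid       = $ace.Trustee.SidString
            Allow     = ($ace.AceType -eq 0)                 # 0 = ACCESS_ALLOWED, 1 = ACCESS_DENIED
            Mask      = $mask
            Rights    = ($names -join ',')
            Inherits  = [bool] ($ace.AceFlags -band 0x2)     # CONTAINER_INHERIT_ACE
            Inherited = [bool] ($ace.AceFlags -band 0x10)    # INHERITED_ACE (came from a parent)
        }
    }
}

function Test-NamespaceAccess {
    param([string] $Namespace)
    $mine = @(Get-NamespaceAces -Namespace $Namespace | Where-Object { $_.Sid -eq $sid })
    if ($mine.Count -eq 0) {
        return [pscustomobject]@{ Namespace = $Namespace; Status = "no ACE for $Account"; Rights = '' }
    }
    foreach ($a in $mine) {
        $extra   = $a.Mask -band (-bnot $expectedMask)   # bits beyond Enable+RemoteAccess
        $missing = $expectedMask -band (-bnot $a.Mask)   # expected bits that are absent
        if (-not $a.Allow)      { $status = 'DENY ACE' }
        elseif ($extra -ne 0)   { $status = 'TOO BROAD: rights beyond Enable+RemoteAccess' }
        elseif ($missing -ne 0) { $status = 'INCOMPLETE' }
        else                    { $status = 'OK' }
        [pscustomobject]@{
            Namespace = $Namespace
            Status    = $status
            Rights    = $a.Rights
            Inherits  = $a.Inherits
            Inherited = $a.Inherited
        }
    }
}

$Namespaces | ForEach-Object { Test-NamespaceAccess -Namespace $_ } | Format-Table -AutoSize
```

After running the script above with "root add ... Enable,RemoteAccess", the expected picture is an OK row for root with Inherits set, and an OK row for root/cimv2 with Inherited set; a TOO BROAD row means the account was given FullWrite, WriteSecurity or similar at some point and should be trimmed back to the two rights the Meraki post asks for.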