Category Archives: Windows Server 2016

Microsoft Advanced Threat Analytics (ATA) – Part 02

In previous part of this blog post I have explain what is ATA and what it is capable of. If you not read it yet you can find it in here http://www.rebeladmin.com/2017/05/microsoft-advanced-threat-analytics-ata-part-01/

In this part of the post I am going to demonstrate how we can setup ATA. Before we start I like to explain about the demo environment we going to use.

  • This deployment is going to use AD environment which running AD DS 2016 with Forest and Domain functional levels set to Windows Server 2016.
  •  All the servers used in the demo is running with windows server 2016 with latest updates.
  • The Server which is going to use as ATA center has two IP addresses assigned which is 192.168.0.190 and 192.168.0.191
  • In demo, we are going to use ATA Lightweight Gateway, which will be installed on domain controller directly. There for no port mirroring or separate gateway server required.
  • All the SSL used in deployment are self-signed certificates.
  • We will be using separate service account to connect ATA center with Domain Controller.

First Step of the setup is to get ATA center setup,

Deploying ATA Center

1) Log in to the server which is planned to use as ATA center as domain and or enterprise administrator.

2) Download ATA Center Installation files. It is allowing to use 90 days’ trial as well. 

3) Then run Microsoft ATA Center Setup.exe as Administrator

4) Then In the first window select the relevant language and click Next.

5) In next window, it shows license terms. Read and click on Next to continue

6) Then it asks how you like to know about updates. It is recommended to use Microdot Updates for that. Choose option Use Microsoft Update when I check for updates and then click Next.

7) Then in next window we can define application installation paths, database path, center service IP address and port, SSL certificates, Console IP address. After changes, click on Install to begin the installation. 

ata1

8) Once installation finished, it will give option to launch the ATA center. 

9) After launch ATA center, log in to it using the account used to install ATA center. If you need later you can add additional administrator accounts. 

10) As soon as login, it gives window to provide account and domain info to connect to Active directory. Type the service account info you going to use for this. This account is just a typical user account and no additional permission needed (except read permission for all AD objects). once account details entered, click on test connection option to verify the connection and then click on Save

 ata2

Deploying ATA Lightweight Gateway

1) Log in to the Domain Controller as Domain Admin or Enterprise Admin. 

2) Launch IE and connect to ATA Center URL. It is via the console IP we specify during the ATA center installation. 

3) Log in to ATA center as an Administrator. 

4) In initial page, it will look like following. Click on link Download gateway setup and install the first Gateway

ata3

5) In next page, it gives option to download the Gateway Setup files. Click on the download button to download the installation files. 

ata4

6) After download completes, extract the file and run the Microsoft ATA Gateway Setup.exe 

7) In language page, select the relevant language and click Next to continue.  

8) Then, it will give the confirmation about deployment type. By default, it detects the type as Lightweight Gateway. Click Next to proceed with the deployment.

ata5

9) In next window, we can specify the installation path, SSL certificate information and account details to register the gateway with the ATA center. This account should be a member of ATA administrator group. once all typed in, click on Install to begin the installation. 

ata6

10) Once it completed, log in to ATA center and verify if you can see it is successfully registered. 

ata7

 ATA Testing

 The easiest way to test the ATA functions is to simulate a DNS reconnaissance attack. In order to do that,

1) Log in to a Domain Computer

2) Open the command prompt and type, nslookup – REBE-PDC01.therebeladmin.com and press enter. The server name can be replaced by any available domain controller FQDN. 

3) The type ls msn.com

4) Then log in to ATA center and check the timeline. There we can see the detected event. 

ata8

In here it is only display it as a time line entry, but ATA also allows to send events as email alerts. This configuration can be done using ATA Center > Configuration > Mail Server Settings and Notification Settings

ata9

Then, once an event is raised it will sent out an email alert too.

ata10

This completes the ATA deployment. If you have any questions feel free to contact me on rebeladm@live.com

Just Enough Administration (JEA)

I was off from blogging for few months as I had to spend my free time on another task which will help all of you more. Stay tuned! More info will share soon. Anyway, I am back on blogging!

JEA was first introduced in 2014 and it was the first approach towards the privilege access management comes with windows server 2016. JEA allows to provides role based privileges instead of full administrative privileges.

Peter is working in 2nd line support. Every month he needs to run script against helpdesk system to create custom report which indicates monthly support tickets progress. In order to do that he log in to helpdesk server and run the script. This script needs to run as administrator of the server. there for he is member of administrator group. However, this is the only task he run on that server with such privileges. Administrator of a server has privileges to do almost anything on the server. if someone else got access to peter’s account, nothing will prevent from changing entire helpdesk system. Using JEA, we can assign just enough privileges for peter to run the scripts from helpdesk host instead of giving administrator privileges. Privileges assigned for peter is only valid for helpdesk server and he cannot run same script from another server.

There are few limitations with JEA,

  • This is fully worked with PowerShell. Not everyone uses PowerShell.
  •  Not supported with each and every management tasks. If you working with script which works with multiple hosts it will difficult to use JEA.
  • Not every third-party application support to work with JEA.

If above limitations stopping you, most suitable solution with be the privileged access management with windows server 2016. Privileged access management will be covered in later blog post.

There are two components in JEA,

PowerShell Session Configuration file

This allows to map users to the hosts. Using it we can map users, groups to specific management roles. It also allows to configure global settings such as virtual accounts and transcription policies. PowerShell Session Configuration file is system specific. There for, configuration settings can apply per-host basis.

Role Capability files

These configuration files specify what actions can perform by the users. It can be a running a script, running a service, running cmdlets or running a program. These tasks can group in to roles and share it with other users. 

Configuration

In this demo, I am using a system with windows server 2016 with latest updates.

In order to install JEA, we need to log in to the system as local administrator and open the PowerShell.

1. Then run command, Install-Module xJEA. It will ask few questions before it import some modules. Provide appropriate answers to install them.

jea1

2. Once its completed we can confirm it using Find-Module –Name xJEA

jea2

3. Once JEA module installed and next step is to prepare the environment. It can be done using a script which comes with JEA module. it is located at, C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples\SetupJEA.ps1

This script will,

·         Removes all existing endpoint configuration from the host

·         Configure the DSC Local Configuration Manager to apply changes, then checks every 30 minutes to make sure the configuration has not altered

·         Enables Debug mode

To run the file, navigate to folder C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples\ and run .\SetupJEA.ps1

jea3

That’s it! we done the installation and initial configuration. 

Testing!

JEA installation comes with 3 demo endpoint configurations which we can use as reference to create endpoint. These demo files are located in C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples

Demo1.ps1

cls

 

configuration Demo1

{

    Import-DscResource -module xjea

    xJeaToolKit Process

    {

        Name         = 'Process'

        CommandSpecs = @"

Name,Parameter,ValidateSet,ValidatePattern

Get-Process

Get-Service

Stop-Process,Name,calc;notepad

Restart-Service,Name,,^A

"@

    }

    xJeaEndPoint Demo1EP

    {

        Name                   = 'Demo1EP'

        Toolkit                = 'Process'

        SecurityDescriptorSddl = 'O:NSG:BAD:P(A;;GX;;;WD)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'                                 

        DependsOn              = '[xJeaToolKit]Process'

    }

}

Demo1 -OutputPath C:\JeaDemo

 

Start-DscConfiguration -Path C:\JeaDemo -ComputerName localhost -Verbose -wait -debug -ErrorAction SilentlyContinue -ErrorVariable errors

if($errors | ? FullyQualifiedErrorId -ne 'HRESULT 0x803381fa')

{

    $errors | Write-Error     

}

 

start-sleep -Seconds 30 #Wait for WINRM to restart

 

$s = New-PSSession -cn . -ConfigurationName Demo1EP

Invoke-command $s {get-command} |out-string

Invoke-Command $s {get-command stop-process -Syntax}

# Enter-pssession $s

 

Remove-PSSession $s

#EOF

As per the above it only allowed to use following cmdlets.

  • Default JEA configuration
  • Get-Process
  • Get-Service
  • Stop-Process,Name,calc;notepad
  • Restart-Service,Name

According to above Stop-Process cmdlet only can use to stop calculator and notepad process. But it allows to use Restart-Service, Get-Process, Get-Service cmdlets.

In order to run the demo config, navigate to C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples and run .\Demo1.ps1

jea4

Once its successfully execute, we can verify the new PowerShell session configuration using,

Get-PSSessionConfiguration

jea5

In order to test, now we need to connect to new endpoint. It can be done using

Enter-PSSession –ComputerName localhost –ConfigurationName demo1ep

In above –ConfigurationName defines the endpoint name.

As soon as I run the command, its connect to the endpoint and change the path to C:\Users\JSA-Demo1EP\Documents

jea6

in the backend JEA commands execute using JEA local administrator account. This login details no need to know by end users and its password been reset on daily basis automatically. This user is setup as part of the installation process by JEA.

jea7

jea8

Once session is connected, we can test it with an allowed command first. According to configuration we allowed to run Get-Service command without any limits.

jea9

The use I logged in to this computer is a local administrator. So, I have enough privileges to restart the computer using Restart-Computer cmdlet. But now I am connected to endpoint. According to endpoint config it should not allow me to do so.

jea10

Voila! It is working as expected. there are lot of channel9 videos, articles out there which discuss about JEA capabilities. I encourage you to go through them and get more understanding on this great tool. Also through the GitHub you can find lot of sample endpoint configurations.

Hope this post was helpful and if you have any question contact me on rebeladm@live.com

Time Based Group Membership – AD DS 2016

In new AD DS 2016 allows administrators to assign temporally group membership which is expressed by TTL (Time-To-Live) value. This value will add to the Kerberos ticket. This also called as “Expiring-Link” feature. When user assign to a temporally group membership, his login Kerberos ticket granting ticket (TGT) life time will be equal to lowest TTL value he has. 

This feature is not enabled by default. The reason for that is, to use this feature the forest function level must be windows server 2016. Also, once this feature is enabled, it cannot be disabled. 

Let’s see how it works

Enable-ADOptionalFeature ‘Privileged Access Management Feature’ -Scope ForestOrConfigurationSet -Target rebeladmin.com

tg2

Rebeladmin.com can be replaced with your FQDN.

I have a user called Peter which I need to assign Domain Admin group membership for 15 minutes.

Get-ADGroupMember “Domain Admins” will list the current member of domain admin group. 

tg1

Next step is to add the peter to the domain admin group for 15 minutes.

Add-ADGroupMember -Identity ‘Domain Admins’ -Members ‘peter’ -MemberTimeToLive (New-TimeSpan -Minutes 15)

tg3

Once its run, we can verify the TTL value remaining for the group membership using,

Get-ADGroup ‘Domain Admins’ -Property member -ShowMemberTimeToLive

tg4

Once I log in as the user and list the Kerberos ticket it shows the renew time with less than 15 minutes as I log in as user after few minutes of granting.

tg5

Once the TGT renewal come the user will no longer be member of domain admin group. 

hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step guide to migrate active directory FSMO roles from windows server 2012 R2 to windows server 2016

Windows server 2016 was released for public (GA) on mid oct 2016. Its exciting time as businesses are already working on migrating their services in to new windows server 2016 infrastructures. In this post, I am going to explain how you can migrate from active directory running on windows server 2012 R2 to windows server 2016 active directory. The same steps are valid for migrating from windows server 2012, windows server 2008 R2 and windows server 2008.

In my demo setup, I have a windows server 2012 R2 domain controller as PDC. I setup windows server 2016 and already added to the existing domain.

updc1

Current domain and forest functional level of the domain is windows server 2012 R2.

updc2

So, let’s start with the migrate process. 

Install Active Directory on windows server 2016
 
1. Log in to windows server 2016 as domain administrator or enterprise administrator
2. Check the IP address details and put the local host IP address as the primary DNS and another AD server as secondary DNS. This is because after AD install, server itself will act as DNS server
3. Run servermanager.exe form PowerShell to open server manager (there is many ways to open it) 
updc3
 
4. Then click on Add Roles and Features
updc4
 
5. It will open up the wizard, click next to continue
updc5
 
6. In next window keep the default and click next
updc6
 
7. Roles will be installed on same server, so leave the default selection and click next to continue
updc7
 
8. Under the server roles tick on Active Directory Domain Services, then it will prompt with the features needs for the role. Click on add features. Then click next to proceed
updc8
updc9
updc10
 
9. On the features windows keep the default and click next
updc11
 
10. In next window, it will give brief description about AD DS, click next to proceed 
updc12
 
11. Then in next window it will give brief description about configuration and click on install to start the role installation process. 
updc13
updc14
 
12. Once installation completed, click on promote this server to a domain controller option
updc15
 
13. It will open up the Active Directory Domain Service configuration wizard, leave the option Add a domain controller to existing domain selected and click next.
updc16
 
14. In next window define a DSRM password and click next
updc17
 
15. In next window click on next to proceed
updc18
 
16. In next windows, it asks from where to replicate domain information. You can select the specific server or leave it default. Once done click next to proceed. 
updc19
 
17. Then it shows the paths for AD DS database, log files and SYSVOL folder. You can change the paths or leave default. In demo, I will keep default and click next to continue
updc20
 
18. In next windows, it will explain about preparation options. Since this is first windows server 2016 AD on the domain it will run forest and domain preparation task as part of the configuration process. Click next to proceed.
updc21
 
19. In next window, it will list down the options we selected. Click next to proceed. 
updc22
 
20. Then it will run prerequisite check, if all good click on install to start the configuration process.
updc23
 
21. Once the installation completes it will restart the server. 
updc24
 
Migrate FSMO Roles to windows server 2016 AD
 
I assume by now you have idea what is FSMO roles. If not search my blog and you will find article explaining those roles. 
There are 2 ways to move the FSMO roles from one AD server to another. One is using GUI and other one is using command line. I had already written articles about GUI method before so I am going to use PowerShell this time to move FSMO roles. If you like to use GUI mode search my blog and you will find articles on it. 
 
1) Log in to windows server 2016 AD as enterprise administrator
2) Open up the Powershell as administrator. Then type netdom query fsmo. This will list down the FSMO roles and its current owner. 
updc25
 
3) In my demo, the windows server 2012 R2 DC server holds all 5 fsmo roles. Now to move fsmo roles over, type Move-ADDirectoryServerOperationMasterRole -Identity REBELTEST-PDC01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster and press enter
 
In here REBELTEST-PDC01 is the windows server 2016 DC. If FSMO roles are placed on different servers, you can migrate each and every FSMO roles to different servers. 
updc26
 
4) Once its completed, type netdom query fsmo again and you can see now its windows server 2016 DC is the new FSMO roles owner. 
updc27

 
Uninstall AD role from windows server 2012 R2
 
Now we moved FSMO roles but we still running system on windows 2012 R2 domain and forest functional levels. In order to upgrade it, first we need to decommission AD roles from existing windows server 2012 R2 servers. 
 
1) Log in to windows 2012 R2 domain server as enterprise administrator
2) Open the PowerShell as administrator
3) Then type Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition and press enter. It will ask for local administrator password. provide new password for local administrator and press enter.
updc28
updc29
updc30
 
4) Once its completed it will restart the server.
 
Upgrade the forest and domain functional levels to windows server 2016
 
Now we have the windows server 2012 R2 domain controllers demoted, next step is to upgrade domain and forest functional levels. 
 
1) Log in to windows server 2016 DC as enterprise administrator 
2) Open PowerShell as administrator
3) Then type Set-ADDomainMode –identity rebeladmin.net -DomainMode Windows2016Domain to upgrade domain functional level to windows server 2016.  In here rebeladmin.net is the domain name. 
updc31
 
4) Then type Set-ADForestMode -Identity rebeladmin.net -ForestMode Windows2016Forest to upgrade forest functional level.
updc32
 
5) Once done you can run Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode to confirm new domain and functional level 
updc33
 
Hope this post was useful and if you got any questions feel free to contact me on rebeladm@live.com


Step-by-Step guide to setup Active Directory on Windows Server 2016

Long wait is over for windows server 2016 and its available for public from Oct 12, 2016. So most looking for upgrade paths or at least start testing in their lab environments. (if it wasn’t brave enough to try with technical previews :) ). 

What is new in Active Directory? 

There are interesting new features such as time based group membership, privileged access management etc. but in this post I am not going to discuss those as I am going to write separate articles to provide more info about those new features. But still you can find more details https://technet.microsoft.com/en-us/windows-server-docs/identity/whats-new-active-directory-domain-services

In this post I am going to demonstrate how to install active directory on windows server 2016. 

Before the AD install it is important to understand what is the minimum requirement to install windows server 2016. This information can find in https://technet.microsoft.com/en-us/windows-server-docs/get-started/system-requirements–and-installation

Processor

1.4 GHz 64-bit processor

Compatible with x64 instruction set

Supports NX and DEP

Supports CMPXCHG16b, LAHF/SAHF, and PrefetchW

Supports Second Level Address Translation (EPT or NPT)

Coreinfo is a tool you can use to confirm which of these capabilities you CPU has.

RAM

512 MB (2 GB for Server with Desktop Experience installation option)

ECC (Error Correcting Code) type or similar technology

Storage controller and disk space requirements

Computers that run Windows Server 2016 must include a storage adapter that is compliant with the PCI Express architecture specification. Persistent storage devices on servers classified as hard disk drives must not be PATA. Windows Server 2016 does not allow ATA/PATA/IDE/EIDE for boot, page, or data drives.

The following are the estimated minimum disk space requirements for the system partition.

Minimum: 32 GB

Network adapter requirements

Minimum:

An Ethernet adapter capable of at least gigabit throughput

Compliant with the PCI Express architecture specification.

Supports Pre-boot Execution Environment (PXE).

A network adapter that supports network debugging (KDNet) is useful, but not a minimum requirement.

So in my demo I am using a virtual server with windows server 2016 datacenter. In order to setup active directory we need to log in as local administrator. First thing to check is IP address configuration. 

1) Once Active directory setup on the server, it also going to act as DNS server. There for change the DNS settings in network interface and set the server IP address (or local host IP 127.0.0.1) as the primary DNS server.

2016AD1

2) Then open the server manager. Go to PowerShell (as administrator) and type ServerManager.exe and press enter.

2016AD2

3) Then on server manager click on add roles and features

2016AD3

4) Then it opens the add roles and features wizard. Click on next to proceed. 

2016AD4

5) Then in next window keep the default and click next

2016AD5

6) Since its going to be local server, in next window keep the default selection. 

2016AD6

7) In next window from the roles put tick box for active directory domain services. Then it will prompt to show you what are the associated features for the role. Click on add features to add those. Then click next to continue.

2016AD7

2016AD8

2016AD9

8) The features page, keep it default and click on next to proceed. 

2016AD10

9) In next windows it gives brief description about AD DS service. Click next to proceed.

2016AD11

10) Then it will give the confirmation about install, click on install to start the role installation process. 

2016AD12

11) Once done, it will start the installation process

2016AD13

12) Once installation completes, click on option promote this server to a domain controller.

2016AD14

13) Then it will open the active directory configuration wizard. In my demo I am going to setup new forest. But if you adding this to existing domain you can choose relevant option. (I am going to write separate article to cover how you can upgrade from older version of Active Directory). Select the option to add new forest and type FQDN for the domain. Then click next.

2016AD15

14) In next page you can select the domain and forest functional levels. I am going to set it up with latest. Then type a password for DSRM. Then click next

2016AD16

15) For the DNS options, this going to be the first DNS server in new forest. So no need any modifications. Click next to proceed. 

2016AD17

16) For the NETBIOS name keep the default and click next 

2016AD18

17) Next page is to define the NTDS, SYSVOL and LOG file folders. You can keep default or define different path for these. In demo I will be keeping default. Once changes are done, click next to continue

2016AD19

18) Next page will give option to review the configuration changes. If everything okay you can click next to proceed or otherwise can go back and change the settings. 

2016AD20

19) In next windows it will do prerequisite check. If it’s all good it will enable option to install. Click on install to begin installation process. 

2016AD21

20) Then it will start the installation process. 

2016AD22

21) After the installation system will restart automatically. Once it comes back log in to the server as domain admin.

2016AD23

22) Once log in open the powershell (as administrator) and type dsac.exe and press enter. It will open up the active directory administrative center. There you can start managing the resources. 

2016AD24

2016AD25

23) Also you can use Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode from powershell to confirm domain and forest functional levels

2016AD26

Hope this was helpful and if you have any questions feel free to contact me on rebeladm@live.com