Tag Archives: Security

Restricted Admin Mode for Remote Desktop Connections

“Security”, it’s always a concern in any computer infrastructure. Most of the time providing the “technology” alone is not enough to keep an infrastructure secure. It depends on the way users and admins apply these tools and practices in their infrastructure.

Now a “hacking” question! If someone wants to hack your infrastructure, where would they start? Which account privileges can do the most damage? Yes, it must be the domain admin account (some may not agree; I will be discussing privileged access management in detail in future posts). But most admins like to keep those accounts secure, and if someone tries to log in with them you may notice quickly. But will you apply the same security to your sales computers? Or the receptionist’s PC? In a lot of infrastructures I have seen people use the company ID as the user name, and most of the time the password is the same, because they like to keep it simple. So isn’t it easier to get into your infrastructure through one of those PCs rather than through a “server”? If an attacker fills that PC with junk, deletes apps, etc., the user will call the admin for help. Most of the time support engineers have domain admin privileges for “easy support”. When they RDP to the PC to help the user, the attacker in the background can harvest the credentials of the admin user, because when you connect via RDP the credentials of the admin user are transmitted to the PC. The above example is just one way; the same applies to your servers, cloud VMs, etc.

So the question is: what is the secure way then?

Yes, Microsoft saw this issue and introduced Restricted Admin mode for RDP connections. It applies to Windows Server 2012 R2 and newer. Supported desktop OS versions are Windows 8.1 and newer.

What is it?

When this mode is enabled, the RDP client does not send plain-text or any other reusable form of credentials to the remote PC or server.

You will also not be able to use any other network resources from that PC or server through a Restricted Admin mode connection without authenticating again, for example daisy-chaining RDP connections or accessing network drives.
It also affects applications, especially if you use single sign-on.

Enable Restricted Admin mode in target computer

Before we use Restricted Admin mode against a server or PC we need to enable it on the target. To do that we need to add a registry entry:

1)    Log in to the server or PC as administrator.
2)    Start > Run > regedit
3)    Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
4)    Add the registry value DisableRestrictedAdmin, Type: REG_DWORD, Value: 0
5)    No reboot is needed to apply the change.

This can also be published via a Group Policy setting.

If the above is not done, when you connect to the server in Restricted Admin mode you will get a connection error.

Once the change is made, you can connect to the target in Restricted Admin mode from the RDP client.
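The registry steps above as a script, added here as an example (not code from the original post): it reports the current state of DisableRestrictedAdmin, sets it to 0, and starts the RDP client in Restricted Admin mode. It assumes an elevated PowerShell session on the target and uses the /restrictedAdmin switch of mstsc.exe, which the page does not show; DCP01 is the server name from the post's own test.

```powershell
# Example added here, not from the original post. Assumes an elevated PowerShell
# session on the target and the /restrictedAdmin switch of mstsc.exe (not shown on the page).
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableRestrictedAdmin'

function Get-RestrictedAdminState {
    # 'Enabled' when DisableRestrictedAdmin is 0, 'Disabled' when it is 1,
    # 'NotConfigured' when the value is absent (the state that causes the connection error).
    $props = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'NotConfigured' }
    if ($props.$ValueName -eq 0) { return 'Enabled' }
    return 'Disabled'
}

function Enable-RestrictedAdminMode {
    # Creates (or resets) the REG_DWORD value with data 0; no reboot is required.
    if (-not (Test-Path $LsaKey)) { throw "Registry key $LsaKey not found" }
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    return Get-RestrictedAdminState
}

function Connect-RestrictedAdmin {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Start the built-in RDP client so it does not send reusable credentials to the target.
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:$ComputerName", '/restrictedAdmin'
}

# On the target server:
Write-Output "Before: $(Get-RestrictedAdminState)"
Write-Output "After:  $(Enable-RestrictedAdminMode)"
# On the admin workstation (DCP01 is the server name used in the post's test):
# Connect-RestrictedAdmin -ComputerName 'DCP01'
```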

In my testing I am using a member server in the domain and I am logging in with a Domain Admin account.
Now whoami /groups shows that I am a Domain Admin and Enterprise Admin.

Now I am trying to connect to another server, DCP01, using Server Manager.

Then it gives an access denied error even though I am a Domain Admin.

So yes, in Restricted Admin mode you can’t connect to other network resources, as it is not passing the credentials.
You can enable Restricted Admin mode for computers using GPO, so when you use the RDP client from those PCs it will use Restricted Admin mode by default.

To do that, in GPO go to Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation.
Then set “Restrict delegation of credentials to remote servers” to Enabled.

I hope this article helps you understand Restricted Admin mode for RDP and how to use it.

If you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step guide to configure MFA (multi-factor authentication) for azure users

MFA, I am sure, is not a new concept today for IT administrators. It is an additional layer of security to confirm the user’s identity. It can be in the form of PIN verification, a phone call, smart cards, biometrics, etc.

This feature is mainly used when an infrastructure releases its services to the “internet face”. There are a lot of MFA service providers in the market. You can use it either as an on-premises service or as a cloud-based service.

When it comes to Azure the same security concerns apply. If you have integrated it with on-premises Active Directory, security is an even bigger concern, as it extends the security boundaries of the infrastructure.

In this article I will demonstrate how “easily” you can enable multi-factor authentication for an Azure user.

In my demo I have a Windows Server 2016 TP4 on-premises AD configured to sync with Azure AD. I am going to enable MFA for an Azure user account which is synced from on-premises AD.

1)    Log in to your Azure portal.
2)    Then browse to Active Directory.
3)    Load your AD directory and go to Users.
4)    For my demo I am using the user account “user1”; this user account is synced from the local Active Directory.
5)    Select the user account and click on “Manage multi-factor authentication”.
6)    It will load a new page to manage MFA. As you can see, MFA is currently disabled for “user1”.
7)    To enable it, tick the box next to “user1” and click on the “Enable” option in the right-hand panel.
8)    A pop-up window with help options opens. Click on “Enable multi-factor auth”.
9)    Now it is enabled. Let’s try to log in to the Azure portal as the user to see.
10)    It says MFA is enabled and needs to be set up. Click on “setup now” to proceed.
11)    The next page gives the option to select the authentication method.
12)    There are 3 ways to authenticate:

Authentication phone – This will send an SMS, or it can be set up to call back the given number. Please note that if you use this option SMS and call charges will apply.

Office phone – This option requests contact using the office phone specified by the admin.

Mobile app – With this option you install the mobile application (Azure Authenticator) on your phone, and it can be set to send a notification via the app when you try to log in, or to use a verification code.

13)    Once you have selected the option and its settings, click on Setup.
14)    In my demo I used the mobile app option. Once the setup is completed (you need to follow different steps based on your selection), let’s check the login page again.
15)    Now it asks for the PIN verification before login.

As we can see, MFA is now enabled for the selected Azure AD user.
In a future post I will explain how we can change the settings for MFA.
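The same per-user change done from PowerShell instead of the portal, added here as an example (not code from the original post). It swaps in the (now legacy) MSOnline module, which is an assumption not on the page: it needs Install-Module MSOnline and a Connect-MsolService session as a Global Administrator; the UPN is a constructed sample. Beyond the single user in the post it also lists the MFA state of every account so the ones still “Disabled” stand out.

```powershell
# Example added here, not from the original post. Assumes the MSOnline module
# (Install-Module MSOnline) and a Global Administrator session; UPN is a constructed sample.
Import-Module MSOnline

function Get-MsolUserMfaState {
    param([Parameter(Mandatory)]$User)
    # StrongAuthenticationRequirements is empty for 'Disabled' users; otherwise State is
    # 'Enabled' (user must still register) or 'Enforced' (registration completed).
    $req = @($User.StrongAuthenticationRequirements)
    if ($req.Count -eq 0) { return 'Disabled' }
    return [string]$req[0].State
}

function Enable-MsolUserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Equivalent of ticking the user and clicking "Enable" in the MFA management page.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
    return Get-MsolUserMfaState -User (Get-MsolUser -UserPrincipalName $UserPrincipalName)
}

function Get-MfaReport {
    # One row per user: UPN, whether it is synced from on-premises AD, and its MFA state.
    Get-MsolUser -All | ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            SyncedFromOnPrem  = ($null -ne $_.ImmutableId)   # ImmutableId is set only for synced accounts
            MfaState          = Get-MsolUserMfaState -User $_
        }
    }
}

Connect-MsolService
Enable-MsolUserMfa -UserPrincipalName 'user1@contoso.onmicrosoft.com'   # constructed sample UPN
Get-MfaReport | Where-Object { $_.MfaState -eq 'Disabled' } | Format-Table -AutoSize
```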

If you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step guide to audit active directory changes using “Directory Service Changes” auditing

As an administrator/engineer it is important to audit object access in the infrastructure to identify security issues, problems, etc. It also helps to troubleshoot these issues.

In Windows, folder or file access can be audited using the audit object access policy. In the same way, the audit directory service access policy allows you to audit access attempts to objects in Active Directory. This is enabled by default and configured to audit “Success” events. But there are a few disadvantages to this:

1)    Difficulty finding the attribute changes
2)    Impossible to know the old value of an attribute

To overcome this, Windows Server 2008 added an auditing subcategory called “Directory Service Changes”. With this we can easily identify the old and new attribute values.

It is not enabled by default and needs to be activated manually.

1)    Log in to the domain controller as Domain Admin or Enterprise Admin.
2)    Load a PowerShell console with admin rights.
3)    Type auditpol /set /subcategory:"directory service changes" /success:enable and press Enter.
4)    To test the auditing, I already have usera and userb added to the Domain Admins group. I am going to remove usera from the group and check the auditing.
5)    To check the log entries go to Event Viewer > Windows Logs > Security.
6)    In the event we can see a detailed description, including:

  • What type of change
  • At what time it was triggered
  • Attribute
  • What the new value is
  • Which group it is

As we can see, it gives a great deal of information which can be used in troubleshooting and auditing.
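The same check done from PowerShell instead of Event Viewer, added here as an example (not code from the original post): it verifies the subcategory is enabled and reads the “Directory Service Changes” events (Event ID 5136, which the page does not name), pulling out the fields the post highlights. It assumes an elevated session on the domain controller and that the changed object’s SACL records the write (true for the default SACL on group objects); the group membership change is the post's own usera / Domain Admins test.

```powershell
# Example added here, not from the original post. Run elevated on the domain controller.
function Test-DsChangesAuditing {
    # auditpol prints a table; the subcategory's row reads "Success" or "No Auditing".
    $row = auditpol /get /subcategory:"Directory Service Changes" |
           Where-Object { $_ -match 'Directory Service Changes' }
    return [bool]($row -match 'Success')
}

function Get-DsChangeEvents {
    param([int]$MaxEvents = 50)
    # 5136 = "A directory service object was modified"; one event per attribute value touched.
    # %%14674 / %%14675 are the message-table codes Event Viewer renders as Value Added / Value Deleted.
    $opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents $MaxEvents |
      ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $op = $data['OperationType']
        if ($opNames.ContainsKey($op)) { $op = $opNames[$op] }
        [pscustomobject]@{
            Time      = $_.TimeCreated                                   # when it was triggered
            ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object    = $data['ObjectDN']                                # which group (or other object)
            Class     = $data['ObjectClass']
            Attribute = $data['AttributeLDAPDisplayName']                # the attribute
            Operation = $op                                              # what type of change
            Value     = $data['AttributeValue']                          # the value added or deleted
        }
      }
}

if (-not (Test-DsChangesAuditing)) {
    auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null
}

# Membership changes are logged as the 'member' attribute of the group object; removing
# usera from Domain Admins appears as a "Value Deleted" row whose Value is usera's DN.
Get-DsChangeEvents -MaxEvents 200 |
  Where-Object { $_.Class -eq 'group' -and $_.Attribute -eq 'member' } |
  Format-Table Time, ChangedBy, Object, Operation, Value -AutoSize
```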

If you have any questions about the post feel free to contact me on rebeladm@live.com

Configuring Trusts – Part 1

Trusts, simply put, we can define as a bond between multiple domains or multiple forests. They control how, or what, is allowed between domains and forests.

Let’s assume we have a company called Contoso Inc. running the domain contoso.com. The company recently merged with another company called XYZ Inc., which runs the domain xyz.com. Management wants to allow their resources to be used by users of both companies. For example, a user in contoso.com will require access to a share on a xyz.com file server. The company wants to do it with minimum impact or changes. This is where “trusts” come into the picture. Using trusts we can control who will be trusted, how, and what sort of access users have on resources.

Before we move into the configuration it is important to understand the concepts of trusts.

Trusting Domain – This is the domain that contains the resources to which access needs to be allowed. For example, my domain contoso.com has a file share called “Sales”. I need to allow sales users from xyz.com to access it. Here contoso.com acts as the trusting domain.

Trusted Domain – This holds the accounts to which you wish to grant access. Taking the same example, the xyz.com domain holds the user accounts which will be allowed to access resources on contoso.com. So xyz.com acts as the trusted domain.

Transitivity – Trust transitivity allows the trust to extend to the child domain level. For example, I may need to allow users in child domains of xyz.com to also have access to contoso.com domain resources. I can do that with trust transitivity.

We can categorize trusts based on the direction they apply in.

Two-Way Trust – This is also known as a bidirectional trust. It is the trust most commonly used among organizations. Here both sides of the trust work as trusting and trusted domains.

One-way Incoming Trust – Here the trust is created in the trusted domain, and the trusted domain can access resources in the trusting domain only.

One-way Outgoing Trust – Here resources in the remote, specified domain can be authenticated in the initiating domain.

If you have any questions about the post feel free to contact me on rebeladm@live.com

How to configure VPN? Part 1

This article is part 1 of a series explaining the setup of VPN in a Windows Server environment. This demo is done using Windows 2008 R2, but the theory is the same for Windows 2012.

In this set of articles I will be doing the following:

1. Configure inbound and outbound VPN connections
2. Configure remote access policies to control the access of various groups via RRAS
3. Configure a RADIUS server to log all accounting
4. Monitor remote access

To do the setup you need the following:
•    A server with Windows 2008 / R2 which is joined to the company domain
•    Two NICs, configured for local network access and public access
•    IP address allocation
•    Authentication provider (Network Policy Server, RADIUS)
•    DHCP relay agent
•    User account with domain administrator privileges.

In this setup I will be using Network Policy Server as the authentication provider. Before starting the setup it is important to know what it is used for. According to Microsoft (http://technet.microsoft.com/en-us/library/cc732912.aspx):
Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. In addition, you can use NPS as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to a server running NPS or other RADIUS servers that you configure in remote RADIUS server groups.

NPS allows you to centrally configure and manage network access authentication, authorization, and client health policies with the following three features:

•    RADIUS server. NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database.

•    RADIUS proxy. When you use NPS as a RADIUS proxy, you can configure connection request policies that tell the NPS server which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group.

•    Network Access Protection (NAP) policy server. When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to connect to the network. NPS also acts as a RADIUS server when configured with NAP, performing authentication and authorization for connection requests. You can configure NAP policies and settings in NPS, including system health validators (SHVs), health policy, and remediation server groups that allow client computers to update their configuration to become compliant with your organization's network policy.

We can configure NPS with any combination of the preceding features. For example, you can configure one NPS server to act as a NAP policy server using one or more enforcement methods, while also configuring the same NPS server as a RADIUS server for dial-up connections and as a RADIUS proxy to forward some connection requests to members of a remote RADIUS server group for authentication and authorization in another domain.

Let’s move on to the configuration as the next step.
For the setup I logged in to a server which is connected to the company network. It is running Windows 2008 Standard edition.

Before we start, the selected server in the domain needs 2 NIC interfaces. One will serve the LAN and the other NIC will have a public IP address.

On the server I have already added 2 NICs and configured the IP addresses as follows.

For the LAN interface
IP address: 192.168.20.2
Subnet: 255.255.255.0
Default gateway: none
DNS servers: none

As we know, on the same machine we cannot deal with different default gateways. Therefore we do not need to put a gateway here.

For the public interface
IP address: 10.0.0.2
Subnet: 255.255.255.0
Default gateway: 10.0.0.1
DNS servers: 8.8.8.8 (public DNS from ISP)

The public IP info used here is just for demo purposes; these are not real public IPs from an ISP. In a real setup you need to fill in that info with the details provided by the ISP.

On the server I have renamed the 2 interfaces according to their IPs as “private” and “public” for easy identification.

Install Network Policy and Access Services role

1.    To start Server Manager, click Start > Administrative Tools > Server Manager.

2.    In the Server Manager window, right-click on “Roles” and click on “Add Roles”.

3.    The Add Roles wizard appears. Click Next to continue.

4.    On the Select Server Roles page, select “Network Policy and Access Services” and click Next.

5.    On the “Network Policy and Access Services introduction” page, click Next.

6.    On the Select Role Services page, select the “Network Policy Server” and “Routing and Remote Access Services” check boxes and click Next.

7.    On the Confirmation page click “Next” to continue.

8.    On the Installation Results page, verify that “Installation succeeded” appears in the details pane, then click Close to complete.

Configure VPN Server

1.    To start the “Routing and Remote Access” MMC, click Start > Administrative Tools > Routing and Remote Access.

2.    In the MMC, right-click on the server name and from the options click on “Configure and Enable Routing and Remote Access”.

3.    Click Next on the welcome page to continue. On the Configuration page, leave the default “Remote access (dial-up or VPN)” selected and click Next.

4.    On the Remote Access page, select the “VPN” check box and click Next.

5.    On the VPN Connection page, select the “Public” interface and then click Next.

6.    On the IP Address Assignment page, select “From a specified range of addresses” and then click Next.

7.    On the Address Range Assignment page, click New. In the “Start IP address” box type 10.0.0.5, in the “Number of addresses” box type 75, click OK, then click Next to continue.

8.    On the Managing Multiple Remote Access Servers page, leave the default selection “No, use Routing and Remote Access to authenticate connection requests” and click Next, and then Finish.

9.    In the Routing and Remote Access dialog box, click OK.

10.    In the next dialog box, about the DHCP relay agent, click OK too.
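The role installation and the address pool from the wizard steps above, done from PowerShell, added here as an example (not code from the original post). It assumes Windows Server 2008 R2: the NPAS-Policy-Server and NPAS-RRAS-Services feature names and the “netsh ras ip” syntax come from that release's tooling and are not shown on the page; the pool is the post's 10.0.0.5 plus 75 addresses and the public subnet is the post's 10.0.0.0/24. It also adds the check a practitioner wants here: that the computed pool stays inside the interface's subnet.

```powershell
# Example added here, not from the original post. Assumes Server 2008 R2 feature names
# and netsh ras syntax; pool and subnet values are the ones used in the post.
Import-Module ServerManager

function Install-VpnRoleServices {
    # Network Policy Server + Routing and Remote Access Services (install step 6).
    $result = Add-WindowsFeature NPAS-Policy-Server, NPAS-RRAS-Services
    if (-not $result.Success) { throw 'Role installation failed' }
    return $result.Success
}

function ConvertTo-IpUInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [array]::Reverse($b)                     # network order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($b, 0)
}

function ConvertFrom-IpUInt32 ([uint32]$N) {
    $b = [BitConverter]::GetBytes($N)
    [array]::Reverse($b)
    return (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
}

function Get-PoolRange {
    param([string]$Start, [int]$Count, [string]$Network, [int]$PrefixLength)
    # The wizard asks for start + number of addresses; RRAS stores a from/to range.
    $first = ConvertTo-IpUInt32 $Start
    $last  = [uint32]($first + $Count - 1)
    # The pool must stay inside the interface's subnet, above the network address and
    # below the broadcast address, or clients receive addresses the server cannot route.
    $netStart  = ConvertTo-IpUInt32 $Network
    $broadcast = $netStart + ([uint32]([math]::Pow(2, 32 - $PrefixLength)) - 1)
    if ($first -le $netStart -or $last -ge $broadcast) {
        throw "Pool $Start +$Count does not fit inside $Network/$PrefixLength"
    }
    return @{ From = $Start; To = (ConvertFrom-IpUInt32 $last) }
}

function Set-VpnStaticPool {
    param([string]$Start, [int]$Count)
    # Wizard steps 6-7: "From a specified range of addresses" with the given start and count.
    $range = Get-PoolRange -Start $Start -Count $Count -Network '10.0.0.0' -PrefixLength 24
    netsh ras ip set addrassign method=pool | Out-Null
    netsh ras ip add range from=$($range.From) to=$($range.To) | Out-Null
    return $range
}

Install-VpnRoleServices
$pool = Set-VpnStaticPool -Start '10.0.0.5' -Count 75   # From 10.0.0.5 To 10.0.0.79
netsh ras ip show config
```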