Tuesday, October 29, 2024

Network location awareness service - enhancements

I've seen several issues related to this service and other services that depend on it in domain environments. From support cases and our own troubleshooting, there are some changes you can make to help make it more reliable as well as improve the reliability of BITS. 

 1)  HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters.  Create dword AlwaysExpectDomainController = 0x1
2)  HKLM\System\CurrentControlSet\Services\DnsCache\Parameters.  Create dword MaxNegativeCacheTTL = 0x0
3)  HKLM\System\CurrentControlSet\Services\Netlogon\Parameters.  Create dword NegativeCachePeriod = 0x0
4) HKLM\System\CurrentControlSet\Services\NlaSvc.  Edit DependOnService reg_multi_sz to ensure that NSI, RPCSs, TcpIp, Dhcp, Eventlog, and Netlogon are in the list.  If you are running a domain controller that is also a DNS server, I would recommend adding Dns to this list.
5)  HKLM\System\CurrentControlSet\Services\bits.  Edit DependOnService reg_multi_sz to add nlasvc to the list.

These keys will help ensure the machine retries network detection failures and does it in an efficient way by turning off negative result caching.  The dependency addition helps ensure the right services are started first to get a domain network detection (especially the netlogon service).  I've noticed that BITS doesn't seem to recheck the network connection profile information that NLAsvc provides, so it can cause problems if bits starts before nlasvc.  Setting that additional dependency will help ensure bits does start throwing TransientError, "There are currently no active network connections" messages on bits jobs.

Wednesday, March 20, 2024

New-ADComputer : A required attribute is missing

When trying to create a computer with this commandlet and you get this error, it may be a poorly worded exception. This error can come up if you don't have permissions to create computer objects on the OU you provided. If you follow the commandlet examples and provide what is required: samaccountname, name, and path; go check the OU permissions. If you had tried doing it with the older dsadd command, it will give an error that the modification was not permitted for security reasons. Once permissions are fixed, or a different set of properly delegated credentials are passed, it should work fine.

Another permissions related gotcha is when performing the task under run as different user, I have notice the same failure when the user performing the action has sufficient rights via group membership on the target OU.  When directly adding that user to the OU permissions, it allowed the creation of the computer object.  Possibly some run-as activity isn't passing a full access token on the connections and the group membership is ignored?

Sunday, August 20, 2023

Splitting AD integrated reverse DNS zones

If you have an environment with a reverse dns zone that was created with broad network range, you may decided at a later point in time that you want to split the zone. The reasons for this might be: ease of management in terms of loading the zone in the dns management console, easier to find records, requring differences in record age and scavenging control, etc. For a zone that is AD integrated, it will be in one of 3 partitions (domain partion, domaindns partition, or forestdns partition). You can adjust the code to the appropriate distinguishedname of the zone. Distinguishednames can be retrieved using get-dnsserverzone and reading the distinguishedname property on the returned object.

When it comes to splitting the zone, there's a few things to remember with AD integrated DNS. All records are objects under a zone object. Making changes in the dns management console doesn't mean objects in AD will automatically be deleted or migrated for you. You can end up in situations where hidden old records still exist in ldap, but don't show up in the dns management console. This code example below will help guide you in extracting the records you want and putting them in a new ldap dns zone object, along with preserving the data, timestamps, and permissions on the objects.

This example below is splitting of all 10.1.x.x records from a 10.x.x.x reverse zone. Before running your modified code, create your new reverse dns zone, then stop the dns server on the domain controller that you are making this change on.


get-adobject -searchbase "DC=10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Contoso,DC=Com" -ldapfilter "(objectclass=dnsnode)" | 
    where {$_.name -match "\.1$"} | 
    move-adobject -targetpath "DC=1.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Contoso,DC=Com"
 

get-adobject -searchbase "DC=1.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Contoso,DC=Com" -ldapfilter "(objectclass=dnsnode)" | 
  where {$_.name -match "\.1$"} | %{

               $newname = $_.name.replace(".1","")
               $_ | rename-adobject -newname $newname
              
  }
Once this completes, start the dns server service to force rereading of ldap information. Dns zone reload is not sufficient. Other domain controllers should not require restart of dns service as they pick up the changes as it replicates. Test this in a lab environment first and run at your own risk.

Tuesday, April 25, 2023

Defender for Identity agent problems

I've run in to a few issues with Azure Advanced Threat Protection Sensor services not starting (aka Defender for Identity). Here are a few tips to work through various issues.

Problem #1, service failing to start due to files not found. The updater service will auto update the agent version. If you look at the program's directory "C:\program files\Azure Advanced Threat Protection Sensor", you will one or more subfolders named with version ID's for the agent. Occasionally the updater fails in some way causing the windows service's registry information to point to a folder version that no longer exists. In these cases, just update the ImagePath registry entry in HKLM\System\CurrentControlSet\Services\AATPSensor and \AATPSensorUpdater to point to the highest version # folder that you have in the program's directory. This should allow the service to start, assuming there is no problem with the contents of that folder. If there is, you can try a different version # if there are others present.

Problem #2, "Error PerformanceCounterLib System.InvalidOperationException: Category does not exist" is showing up in the Microsoft.Tri.sensor.Updater.log file. This is an issue with windows performance counters. You may also see an error showing up if you open the Perfmon tool, and it complains about missing counters there as well. You can try these commands in an administrator cmd prompt to remediate this:

cd c:\windows\system32
lodctr.exe /R
cd c:\windows\syswow64
lodctr.exe /R
lodctr.exe /E:perfdisk
lodctr.exe /E:perfnet
lodctr.exe /E:perfOS
lodctr.exe /E:Tcpip

Start the updater service again to see if it starts.

Problem #3, service won't start, no clear reason why. When uninstalling and reinstalling the software, the program files directory for the application doesn't get created, but the software shows up in add/remove programs. You will not be able to install or uninstall at this point because both processes will complain about the software not being there, or already being installed. To work around this, copy the files from another machine. Manually create the service names using sc.exe. Once that is in place, do the uninstall again. This should trick the installer enough to uninstall the application. You can then try the install process again.

Windows Firewall - network card not detecting the correct connection profile

For people familiar with Windows firewall, there are 3 profiles that you can create rules for: Private, Public, and Domain. The operating system uses the Network Location Awareness service (NLAsvc) to attempt to identify what type of connection each NIC is on. If you machine is domain joined to an Active directory on-prem domain, it will make connection attempts to domain controllers to see if a specific NIC can reach one. For other tests, it will try to connect to websites to see if there internet connectivity. The problem with windows firewall and its domain checks is that you might not have a well enough functioning network connection when the NLAsvc tries to perform its checks. On a domain controller, this is particularly problematic. To work around this you cand modify the service settings in the registry to add some additional service dependencies. This will delay the start up of the NLAsvc process and give the system more time to be ready for the checks. To do this, open regedit and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc. Edit the "DependOnService" REG_MULTI_SZ value. For new entries, you will add one entry per line. The values you will want to add are: NSI, RpcSs, TcpIp, Dhcp, Eventlog, DNS, Netlogon.

There are some additional configurations you will want to push as well:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\AlwaysExpectDomainController (REG_DWORD) = 0x1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\MaxNegativeCacheTTL (REG_DWORD) = 0x0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\NegativeCachePeriod (REG_DWORD) = 0x0

These will add some additional stability for NLA.

Thursday, June 23, 2022

PetitPotam Defenses

Protection against coerced authentication on domain controllers:



Print Spooler:


Disable the service via group policy on all DC's

EFS RPC attack:



Create the two RPC filters by putting this in a text file (source):

rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit


Save the file and use "netsh -f filename.txt" to apply it


DFS RPC attack:



Create one RPC filter by putting this in a text file (source)

rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=4fc742e0-4a10-11cf-8273-00aa004ae673
add filter
quit


Save the file and use "netsh -f filename.txt" to apply it

This dfs filter has some impact on creation of new dfs namespaces. Otherwise it doesn't seem to cause other issues that I can tell.


Certificate Authority hardening:


Follow the MS guidance on hardening the CA against NTLM relay. Essentially you configure the web interfaces to allow kerberos only with extended protection. If possible, disable NTLM auth completely on the server. Beyond that, limiting access to client certificates and not allowing user supplied SAN's on them should be done.

Thursday, February 17, 2022

Creating virtual smart card for MIM CM

To use a virtual card on existing profiles that prompt for pin in the certificate manager portal site, use this to create the virtual card:

tpmvscmgr create /name myvsc /pin prompt /adminkey default /generate

When prompted for default admin key, use: 010203040506070801020304050607080102030405060708

When prompted for pin, it will need to be 8 characters long even if it says it can be less than that.