John Policelli's Blog

Covering Identity and Access Solutions, Unified Communications, Collaboration, and Infrastructure

Security Compliance Manager (SCM) 2.5 Beta Released

Security Compliance Manager (SCM) is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage your computers, traditional datacenter, and private cloud using Group Policy and Microsoft System Center Configuration Manager. SCM provides ready-to-deploy policies and DCM configuration packs that are tested and fully supported. Product baselines are based on Microsoft Security Guide recommendations and industry best practices, allowing you to manage configuration drift, address compliance requirements, and reduce security threats.


According to a post on the Ask the Directory Services Team Blog, SCM 2.5 includes several new features, such as:

  • Integration with the System Center 2012 IT GRC Process Pack for Service Manager-Beta: Product baseline configurations are integrated into the IT GRC Process Pack to provide oversight and reporting of your compliance activities.
  • Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project.
  • Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the new GPO Pack feature.
  • Updated security guidance: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important.
  • Compare against industry best practices: Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems.
  • NEW baselines include:
    • Exchange Server 2007 SP3 Security Baseline
    • Exchange Server 2010 SP2 Security Baseline
  • Updated client product baselines include:
    • Windows 7 SP1 Security Compliance Baseline
    • Windows Vista SP2 Security Compliance Baseline
    • Windows XP SP3 Security Compliance Baseline
    • Office 2010 SP1 Security Baseline
    • Internet Explorer 8 Security Compliance Baseline

SCM 2.5 Beta can be found on Microsoft Connect.

Sneak Peek: Using the Active Directory Administrative Center to Restore Deleted AD Objects in Windows Server 8

Active Directory Domain Services (AD DS) in Windows Server 8 includes several management enhancements. One of these is the ability to use the Active Directory Administrative Center to restore objects from the Recycle Bin. What follows is a sneak peek at using the Active Directory Administrative Center in the Developer Preview of Windows Server 8 to restore objects that reside in the Recycle Bin.


Sneak Peek: Installing Active Directory Domain Services on the Developer Preview of Windows Server 8

As you may already know, Microsoft released a Developer Preview for Windows Server 8. Although the Developer Preview is not feature complete, there are several changes and new features. In terms of Active Directory Domain Services (AD DS), the way in which AD DS is installed has also changed (for the better). Some examples of the changes to the installation include:

  • Ability to remotely install the AD DS role (as with all other roles) on multiple servers from a single Server Manager session.
  • DCPROMO is now integrated into Server Manager.

What follows is a step-by-step guide to installing AD DS using the Developer Preview of Windows Server 8.


Active Directory Monitoring Pack Updated

Microsoft has released an update to the Active Directory Monitoring Pack for System Center Operations Manager.

This release focuses on fixing problems reported by customers. The accompanying guide mentions:

  • Event-ID 333 is logged incorrectly on systems with Active Directory databases larger than 4GB.
  • 20% of the alerts are not triggered on Windows Server 2008 and Windows Server 2008 R2 Domain Controllers because of incorrect event ID mapping, caused by changes in the event sources for several events.
  • Performance data is not collected due to wrong event ID mapping on Windows Server 2008 Domain Controllers.
  • Performance counter selected by default is wrong, preventing Replication Latency Performance data from appearing.
  • Time skew alert is not triggered due to script defect.
  • Operation master monitor is broken due to script defect.
  • Frequent operation master alert description misspelled.

The update can be found here.

Hotfix Released to Improve Group Policy Preferences Targeting by Computer Group Membership

As discussed in detail in a post on the AskDS team blog, using security groups for Group Policy preferences (GPP) targeting was a really bad idea. So much so that it would typically result in a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy GPP to the computer. Microsoft recently released a hotfix that addresses this issue by changing how the Security Group Targeting item calculates computer group membership.

If you are using, or plan to use, computer group membership for GPP targeting, you’ll want to install this hotfix. Information pertaining to the hotfix can be found in the Microsoft Knowledgebase article 2561285. Additional information on the issue can be found here. Additional information on the resolution can be found here.

Comprehensive List of Well-Known Security Identifiers

Microsoft recently updated a KB that lists the well-known security Identifiers (SIDs). The revised KB can be found here.

I’ve said many times that a default installation of Active Directory is not secure. There are several reasons for this, and I do not consider this to be a design flaw. However, there are several built-in features that enable you to secure AD according to your specific requirements.

One of the most common “mitigations” you read about is to rename built-in accounts, such as the Administrator account. I’ve never been a fan of this recommendation simply because anyone really looking to exploit your AD environment will be able to determine the renamed account in a matter of seconds. This has to do with well-known SIDs.

Microsoft defines well-known SIDs as:

A group of SIDs that identify generic users or generic groups. Their values remain constant across all operating systems.

And the built-in Administrator account has a well-known SID. Therefore, anyone can find the renamed Administrator account simply by knowing the SID. Again, since this is a built-in account, the SID is going to be the same regardless of the environment. All you need to find out is the domain SID, which isn’t difficult. (The Administrator account has a SID of S-1-5-21-domain-501, where domain is the domain’s SID.)
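To make the domain-SID-plus-RID structure in the previous paragraph concrete, here is an added Python example (not from the original post) that splits an account SID into its domain SID and relative identifier (RID), and, from the defender's side, audits an exported list of principals for RIDs in the well-known range, so a reviewer can see which principals are built-in whatever they are currently named. The account names and SID values are constructed for the example; the only real values are the `S-1-5-21` prefix and the well-known RID of the Domain Admins group (512).

```python
# Added example, not code from the original post: parse a Windows SID string
# of the form S-1-<authority>-<sub-authorities...> and separate the domain SID
# from the RID, then flag principals whose RID is in the well-known range.

WELL_KNOWN_RID_LIMIT = 1000  # RIDs below 1000 are reserved for built-in principals


def parse_sid(sid):
    """Return (revision, identifier_authority, [sub_authorities]) for a SID string."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    try:
        revision = int(parts[1])
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError(f"non-numeric component in SID: {sid!r}") from None
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision} in {sid!r}")
    return revision, authority, subs


def split_domain_and_rid(sid):
    """Return (domain_sid, rid) for a domain account SID S-1-5-21-a-b-c-rid.

    Domain SIDs are S-1-5-21 followed by three sub-authorities; the account
    SID appends one more sub-authority, the RID.
    """
    _, authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain_sid = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    return domain_sid, subs[4]


def is_well_known_rid(rid):
    """True when the RID identifies a built-in (well-known) principal."""
    return rid < WELL_KNOWN_RID_LIMIT


def audit_accounts(accounts):
    """accounts: iterable of (name, sid) pairs, e.g. from a directory export.

    Returns [(name, rid)] for every principal whose RID is well-known, i.e.
    a built-in principal regardless of what it has been renamed to.
    """
    flagged = []
    for name, sid in accounts:
        _domain_sid, rid = split_domain_and_rid(sid)
        if is_well_known_rid(rid):
            flagged.append((name, rid))
    return flagged


# Constructed sample export: the domain SID digits and the names are made up;
# 512 is the real well-known RID of the Domain Admins group.
SAMPLE_ACCOUNTS = [
    ("jsmith", "S-1-5-21-1111111111-2222222222-3333333333-1105"),
    ("svc-backup", "S-1-5-21-1111111111-2222222222-3333333333-1204"),
    ("Domain Admins", "S-1-5-21-1111111111-2222222222-3333333333-512"),
]

if __name__ == "__main__":
    for name, rid in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: RID {rid} is well-known (built-in principal)")
```

The check deliberately keys on the RID rather than on the display name, which is the point of the post: renaming changes the name, not the identifier, so an inventory of built-in principals should be driven by SIDs.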

IMO, renaming built-in accounts may ward off the novice hacker, but it won’t save you from the ones looking to cause real damage. Nonetheless, you should always look at the risks that apply to your environment, and mitigate them accordingly.

Getting the Effective Audit Policy in Windows 7 and 2008 R2

There’s a great post on the Ask the Directory Services Team blog that explains how to get the effective audit policy in Windows 7 and Windows Server 2008 R2. Although this sounds like a fairly straightforward thing to do, it’s a little more complex than you may think. This relates to the different ways auditing can be applied – legacy auditing (think pre-Windows Server 2008), granular auditing (Windows Vista/Windows Server 2008) and Advanced Audit Policy Configuration (Windows 7 and Windows Server 2008 R2) – coupled with the fact that auditing can be applied at various levels – domain policy, local policy, multiple-local policy, per-user, or using command-line tools. The post can be read here.

Active Directory Troubleshooting Survival Guide

I came across a post on the Active Directory Documentation Team blog, which may be quite useful. According to the post, they are:

pulling together resources that will hopefully become a central location to help people troubleshoot Active Directory issues in the Active Directory Troubleshooting Survival Guide

The Active Directory Survival Guide, which is a Microsoft TechNet Wiki, can be found here: http://social.technet.microsoft.com/wiki/contents/articles/active-directory-troubleshooting-survival-guide.aspx

User State Migration Tool 4.0 Update to Support Office 2010

Microsoft recently released an update for the User State Migration Tool (USMT) 4.0 that includes fixes and support for migration scenarios in which the source or destination computer has Microsoft Office 2010 installed. The update can be downloaded from here. Additional information on the hotfix can be found at http://support.microsoft.com/kb/2023591.


Updated Description of Password Complexity

Microsoft has updated/corrected the description of the rules for password complexity for Active Directory. The updated description can be found at http://technet.microsoft.com/en-us/library/cc786468(WS.10).aspx. Here’s a snippet:

This security setting determines whether passwords must meet complexity requirements. Complexity requirements are enforced when passwords are changed or created.

If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created:

  • Passwords must not contain the user’s entire samAccountName (Account Name) value or entire displayName (Full Name) value. Both checks are not case sensitive:
    • The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped.
    • The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are less than three characters in length are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin," "M," and "Hagens." Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
  • Passwords must contain characters from three of the following five categories:
    • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
    • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
    • Base 10 digits (0 through 9)
    • Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
    • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
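The rules quoted above are precise enough to implement, and doing so is a useful way to test what a proposed password policy actually accepts. The following Python checker is an added example, not code from the original post or from Microsoft: it tokenizes the displayName on the listed delimiters, skips tokens shorter than three characters, performs both name checks case-insensitively, and counts the five character categories. Assumptions: the apostrophe in the nonalphanumeric list is a straight `'`; "other alphabetic" is mapped to Unicode letter categories other than `Lu` and `Ll`; and a character outside all five listed categories (a plain space, for instance) counts toward none of them.

```python
# Added example (not from the original post): a stand-alone checker for the
# Active Directory password-complexity rules quoted in the post.
import re
import unicodedata

# Delimiters the rules list for splitting displayName: commas, periods,
# dashes/hyphens, underscores, spaces, pound signs and tabs.
_DELIMITERS = re.compile(r"[,.\-_ #\t]+")

# The nonalphanumeric set from the rules (straight apostrophe assumed).
_SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

MIN_CATEGORIES = 3


def display_name_tokens(display_name):
    """Split displayName on the delimiters; tokens under 3 characters are ignored."""
    return [t for t in _DELIMITERS.split(display_name) if len(t) >= 3]


def name_violations(password, sam_account_name, display_name):
    """Return the name parts found inside the password (case-insensitive).

    The whole samAccountName is checked only if it is at least 3 characters;
    displayName tokens are checked individually, substrings of tokens are not.
    """
    pw = password.casefold()
    hits = []
    if len(sam_account_name) >= 3 and sam_account_name.casefold() in pw:
        hits.append(sam_account_name)
    for token in display_name_tokens(display_name):
        if token.casefold() in pw:
            hits.append(token)
    return hits


def character_categories(password):
    """Return the set of the five categories present in the password."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if "0" <= ch <= "9":                 # base-10 digits only
            found.add("digit")
        elif ch in _SPECIALS:                # listed nonalphanumeric characters
            found.add("special")
        elif cat == "Lu":                    # uppercase letters (incl. diacritics, Greek, Cyrillic)
            found.add("upper")
        elif cat == "Ll":                    # lowercase letters (incl. sharp-s)
            found.add("lower")
        elif cat.startswith("L"):            # assumption: other letter categories = "other alphabetic"
            found.add("other-alpha")
        # anything else (e.g. a space) contributes to no category
    return found


def check_complexity(password, sam_account_name, display_name):
    """Return (passes, problems) for the quoted complexity rules."""
    problems = []
    hits = name_violations(password, sam_account_name, display_name)
    if hits:
        problems.append("contains account name part(s): " + ", ".join(hits))
    cats = character_categories(password)
    if len(cats) < MIN_CATEGORIES:
        problems.append(f"only {len(cats)} of 5 character categories present: {sorted(cats)}")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample account using the name from the rules' own example.
    sam, display = "ehagens", "Erin M. Hagens"
    for candidate in ("hagens2024!", "abcdefgh", "Kx9!pqrs"):
        ok, why = check_complexity(candidate, sam, display)
        print(f"{candidate!r}: {'OK' if ok else 'REJECTED ' + '; '.join(why)}")
```

Note that the name checks run on the raw account attributes, so a checker like this has to be fed the same samAccountName and displayName the domain controller would see; a mismatch there is the usual reason a locally "valid" password is still rejected on change.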

Bridgehead Server Selection Improvements in Windows Server 2008 and Windows Server 2008 R2

Windows Server 2008 and Windows Server 2008 R2 include improvements to bridgehead server selection, which are not very well known. In fact, Microsoft only recently published an article on TechNet to explain the improvements to bridgehead server selection in Windows Server 2008 R2. What follows is an in-depth look at these improvements.


Newly Released Windows Time Service Technical Reference

If you’ve had to get technical information on the Windows Time Service, you probably found yourself digging through several KB articles, which contained conflicting information. Microsoft recently centralized this information into the Windows Time Service Technical Reference, and updated it to include Windows Server 2008 R2 and Windows 7.

The Windows Time Service Technical Reference can be found here: Windows Time Service Technical Reference.