Tag Archives: GPO

Remote Credential Guard combined with LAPS and JiT

This is the third and last part about RDP, protecting credentials and delegation models.
This time it’s about Remote Credential Guard, its pros and cons, and how to model this with LAPS and Just in Time Admin Access.
I haven’t had much time to write this so I will keep it short and simple with a few examples.

Remote Credential Guard

Remote Credential Guard (RCG) was introduced in Windows Server 2016 and Windows 10 version 1607. It’s a new way to protect your RDP session from credential theft such as Pass the Hash, some Pass the Ticket attacks and other LSASS dumps on the target computer. It provides SSO, and your credentials are never exposed on the remote machine. This helps in that if an admin of any level connects to a compromised machine, their domain credentials won’t be exposed on the target machine, preventing lateral movement by that route.
It relies on Kerberos, and all service ticket requests in the RDP session on the server are routed back to the client.

Implementing LAPS – My way

Local Administrator Password Solution (LAPS) has been around for a while, and last year it became an officially supported Microsoft tool (I don’t know if my tweaks are, though). There are a lot of articles about implementing LAPS, which is a no-brainer and works great.

Since there are so many articles about it, I would like to share my tweaks. Consider this article more about having fun and exploring the possibilities.

If you’re new to it and want to read more about LAPS, you can go here: Microsoft Security Advisory 3062591 and here: Security Thoughts: Microsoft Local Administrator Password Solution (LAPS, KB3062591)

And a mini threat model by Jessica Payne: Local Administrator Password Solution (LAPS) Implementation Hints and Security Nerd Commentary (including mini threat model)

Here’s my view on it.

Delegate DHCP Admins in the domain

This is a simple guide delegating DHCP Admins in the domain.
This guide is built on a Windows Server 2012R2 environment.

If you have a lot of DHCP servers and want to delegate their administration in your domain, it’s quite easy, and a good thing to do if you don’t want to grant people Domain Admin access unnecessarily. But there are a few differences you need to know about, depending on how and where you install the DHCP Server Role.

Let’s start with the most common way: installing the DHCP Server Role service, which is an easy task.

Too much permissions on the domain root

This is an interesting question, and I would like to share my view of it here.

The question: What are the security implications of someone being able to modify permissions protecting the domain root object?

Let’s start with some basics:

  • All objects in AD are securable
  • Every securable object has a Security Descriptor (SD)
  • An SD contains an Owner SID, a Group SID, a DACL and a SACL (the ACLs), plus a header with control flags
  • The ACLs contain ACEs
  • An ACE contains a set of access rights and a security identifier (SID) that identifies the trustee for whom the rights are allowed, denied, or audited

This topic focuses on Write_DAC, or Modify Permissions. If a security principal (user, security group, computer) has Write_DAC on an object, it is allowed to modify the Security Descriptor guarding that object.

So what are the implications of someone having the permission to modify the SD on the Domain Root?

What’s new in admx templates for Windows 10 Version 1511

Today Microsoft released new Administrative Templates for Windows 10 Version 1511, which can be found here.

New admx files:

AppPrivacy.admx
CloudContent.admx
FeedbackNotifications.admx
WindowsStore.admx
WinMaps.admx

Updated admx files:

AVSValidationGP.admx
Biometrics.admx
ControlPanelDisplay.admx
CredentialProviders.admx
DeviceGuard.admx
ErrorReporting.admx
Explorer.admx
LanmanServer.admx
LanmanWorkstation.admx
MicrosoftEdge.admx
Passport.admx
SearchOCR.admx
SettingSync.admx
StartMenu.admx
TerminalServer.admx
VolumeEncryption.admx
W32Time.admx
Windows.admx
WindowsUpdate.admx
wlansvc.admx

A selection of interesting updates:
