Windows

Understanding Kerberos Delegation in Windows Server Active Directory

Delegation is used when a server or service account needs to impersonate another user. For example, front-end webservers impersonate users when accessing backend databases, providing seamless access to data users are allowed to view or edit. Active Directory (AD) provides delegation for scenarios like this.

Unconstrained Delegation is Risky

Microsoft added unconstrained delegation to Active […]
  • 3 min read
  • Dec 16, 2018
Windows

Mystery continues with Microsoft’s unidentified patch KB 3103709

Last Tuesday, Microsoft dropped an enormous number of seemingly innocuous patches -- seven for .Net running on Windows Embedded, plus 40 separate nonsecurity patches. There's a full list on AskWoody.com.

The next day poster Opskito complained that he was seeing an update on his PC that wasn't included in the list. Identified as KB 3103709, there was no KB article for the patch (which, alas, isn't uncommon). More perplexing, the patch wasn't mentioned on Microsoft's main Windows Update list.

A week later, there's still no KB article and no entry on the Windows Update list. The patch apparently only appears on Windows 8.1 systems and it's Optional, unchecked.

Here's where things get weird.

On the Microsoft Answers forum, in a post enigmatically titled "Is Update KB 3103709 fake?" poster skepticaluser_2016 reported a transcript of a conversation with "Judy D" at Microsoft Tech Support that includes this enlightening exchange:

Skepticaluser_2016: I'm reluctant to install the update since there is no information regarding it on the Microsoft website

Judy D: Okay… Actually this is a free upgrade to everyone. If you are using win 8.1 now, you are one of the qualified to upgrade your PC to windows 10… To check if the update is already installed, go to the Start screen. If you see a Search button near your account name at the top of the Start screen, you already have the update.

Skepticaluser_2016: So this update is the beginning of the install for Windows 10?

Judy D: Yes… The update is gradually rolling out to everyone with a PC running Windows 8.1 or Windows RT 8.1 over a period of several weeks. If you get automatic updates but you don't see the update yet, wait a few days and check again.

Skepticaluser_2016: Ok, thank you. I'm glad I asked. I already went down that road and had to format my computer because Windows 10 made it effectively unusable.

Judy D: That's awesome :)

There's some speculation in the thread that skepticaluser_2016 was, in fact, conversing with a bot (maybe AlphaGo moonlighting?), but the possibilities are frightening -- especially for folks who have been rickrolled by the Get Windows 10 juggernaut.

There's a German-language post from Spike2 on Borncity that says (auto-translated by Google and edited for legibility):

KB 3103709 seems to be an update for Microsoft's Active Directory Services, more precisely "NTDSAI" and "DSPARSE" because it includes changes to Windows 8.1 ntdsai.dll and dsparse.dll… That's what I found out by downloading (without installing) followed by unzipping and viewing the accompanying XML and manifest files.

I had one report about a pop-up appearing on some PCs with KB 3103709 (the description was unclear). If there is a pop-up that refers to KB 3103709 floating around, it most certainly is not a Windows patch.

That's where the trail ends. Have you seen anything reliable about this patch?
  • 2 min read
  • Mar 22, 2016
Windows

Microsoft Security Bulletins For February 2016

The Microsoft Security Bulletins overview for February 2016 provides you with detailed information about security and non-security patches that Microsoft released for its Windows operating system and other company products since the January 2016 release.

The overview begins with an executive summary listing the most important facts. What follows afterwards is the patch distribution across different client and server versions of the Windows operating system, and other Microsoft products.

Lists of the security bulletins, advisories, and non-security updates released in February 2016 follow, each with a short description of the patch or bulletin released and a link to the Microsoft website for further information.

Last but not least, download instructions are provided and options are listed.

Microsoft Security Bulletins For February 2016 Executive Summary

Microsoft released a total of 13 bulletins. 6 bulletins have received the highest severity rating of critical. All Microsoft operating systems, as well as other Microsoft products such as Internet Explorer, are affected by security issues.

Operating System Distribution

All client versions of Windows are affected by at least two bulletins that have been rated critical. Windows 8.1 and Windows 10 are affected by the most, with Windows 8.1 being affected by four critical and 3 important bulletins, and Windows 10 by 5 critical and 3 important vulnerabilities. As has been the case in the past, the additional critical bulletin is for the Microsoft Edge browser, which is a Windows 10 exclusive.

  • Windows Vista: 2 critical, 2 important
  • Windows 7: 2 critical, 3 important
  • Windows 8 and 8.1: 4 critical, 3 important
  • Windows RT and RT 8.1: 2 critical, 2 important
  • Windows 10: 5 critical, 3 important
  • Windows Server 2008: 1 critical, 3 important, 1 moderate
  • Windows Server 2008 R2: 1 critical, 3 important, 1 moderate
  • Windows Server 2012 and 2012 R2: 3 critical, 5 important, 1 moderate
  • Server core: 1 critical, 5 important

Other Microsoft Products

  • Microsoft Office 2007, 2010, 2013, 2013 RT, 2016: 1 critical
  • Microsoft Office for Mac: 1 critical
  • Microsoft Office Compatibility Pack Service Pack 3: 1 important
  • Microsoft Excel Viewer and Microsoft Word Viewer: 1 important
  • Microsoft SharePoint Server 2007, 2010 and 2013: 1 important
  • Microsoft Office Web Apps 2010 and 2013: 1 important
  • Microsoft SharePoint Foundation 2013: 1 important

Security Bulletins

MS16-009 - Cumulative Security Update for Internet Explorer (3134220) - Critical - Remote Code Execution
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

MS16-011 - Cumulative Security Update for Microsoft Edge (3134225) - Critical - Remote Code Execution
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.

MS16-012 - Security Update for Microsoft Windows PDF Library to Address Remote Code Execution (3138938) - Critical - Remote Code Execution
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if Microsoft Windows PDF Library improperly handles application programming interface (API) calls, which could allow an attacker to run arbitrary code on the user’s system.

MS16-013 - Security Update for Windows Journal to Address Remote Code Execution (3134811) - Critical - Remote Code Execution
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file.

MS16-014 - Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important - Remote Code Execution
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker is able to log on to a target system and run a specially crafted application.

MS16-015 - Security Update for Microsoft Office to Address Remote Code Execution (3134226) - Critical - Remote Code Execution
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.

MS16-016 - Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important - Elevation of Privilege
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specifically crafted input to a server.

MS16-017 - Security Update for Remote Desktop Display Driver to Address Elevation of Privilege (3134700) - Important - Elevation of Privilege
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an authenticated attacker logs on to the target system using RDP and sends specially crafted data over the connection. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

MS16-018 - Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege (3136082) - Important - Elevation of Privilege
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-019 - Security Update for .NET Framework to Address Denial of Service (3137893) - Important - Denial of Service
This security update resolves vulnerabilities in Microsoft .NET Framework. The more severe of the vulnerabilities could cause denial of service if an attacker inserts specially crafted XSLT into a client-side XML web part, causing the server to recursively compile XSLT transforms.

MS16-020 - Security Update for Active Directory Federation Services to Address Denial of Service (3134222) - Important - Denial of Service
This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow denial of service if an attacker sends certain input data during forms-based authentication to an ADFS server, causing the server to become nonresponsive.

MS16-021 - Security Update for NPS RADIUS Server to Address Denial of Service (3133043) - Important - Denial of Service
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could cause denial of service on a Network Policy Server (NPS) if an attacker sends specially crafted username strings to the NPS, which could prevent RADIUS authentication on the NPS.

MS16-022 - Security Update for Adobe Flash Player (3135782) - Critical - Remote Code Execution
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

Security Advisories and updates

  • Advisory 3127909 - Vulnerabilities in ASP.NET Templates Could Allow Tampering

Non-security related updates

  • Update for Windows 8.1 and Windows 7 (KB3123862) - Updated capabilities to upgrade Windows 8.1 and Windows 7
  • Update for Windows 7 (KB2952664) - Compatibility update for upgrading Windows 7
  • Update for Windows 8.1 and Windows 8 (KB2976978) - Compatibility update for Windows 8.1 and Windows
  • Update for Windows 7 (KB2977759) - Compatibility update for Windows 7 RTM
  • Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB3135445) - Windows Update Client for Windows 7 and Windows Server 2008 R2: February 2016
  • Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB3135449) - Windows Update Client for Windows 8.1 and Windows Server 2012 R2: February 201
  • Dynamic Update for Windows 10 (KB3124261) - Compatibility update for upgrading to Windows 10 Version 1511: January 27, 2016
  • Update for Windows 10 (KB3124262) - Cumulative Update for Windows 10 Version 1511: January 27, 2016
  • Dynamic Update for Windows 10 (KB3136561) - Compatibility update for upgrading to Windows 10 Version 1511: January 27, 2016
  • Microsoft .NET Framework 4.6.1 for Windows 7 (KB3102433) - The .NET Framework 4.6.1 and its corresponding language packs for Windows 7 SP1 are available on Windows Update
  • Microsoft .NET Framework 4.6.1 for Upgrade Language Packs (KB3102433)
  • Microsoft .NET Framework 4.6.1 for Language Packs (KB3102433)
  • Microsoft .NET Framework 4.6.1 for Windows Server 2012 R2 (KB3102467) - The .NET Framework 4.6.1 for Windows Server 2012 R2 on Windows Update
  • Microsoft .NET Framework 4.6.1 Language Packs for Windows Server 2012 R2 for x64 (KB3102521) - Microsoft .NET Framework 4.6.1 language packs for Windows Server 2012 R2 on Windows Update
  • Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 7, and Windows Server 2008 R2 (KB3102429) - Update that supports Azerbaijani Manat and Georgian Lari currency symbols in Windows

How to download and install the February 2016 security updates

Windows users can install all security patches for their operating system and also optional non-security patches using Windows Update. Windows Update is an automated updating tool that is built in to Windows to download and install patches that Microsoft releases.

Update checks are run frequently but not in real-time. Run a manual check for Windows updates if you want to grab the updates as soon as they are available. You can do so in the following way:

  • Tap on the Windows-key, type Windows Update and hit enter. The Windows Update program opens.
  • Locate and click on "check for updates". This queries Microsoft's server for updates.
  • Depending on how Windows Update is configured, Windows may download these updates automatically, or present them to you only, giving you options to select the updates that you want installed on your system.

Windows patches are made available on Microsoft's Download Center site as well, from where they can be downloaded individually. You may also download a monthly security ISO image that Microsoft releases that contains all patches for all supported operating systems released in that month.

Consult our Windows Update guide linked below for additional options and troubleshooting information.

Additional resources

  • Microsoft Security Bulletin Summary for January 2016
  • List of software updates for Microsoft products
  • List of security advisories of 2016
  • Our in-depth update guide for Windows
  • Windows 10 Update History

The post Microsoft Security Bulletins For February 2016 appeared first on gHacks Technology News.
  • 5 min read
  • Feb 20, 2016
Windows

Use PowerShell to Restrict DNS Resource Record Registration

I'm going to start with the PowerShell. Actually, in writing that sentence, I realise I've not started with the PowerShell!

    #Execute on domain controller to be 'hidden'
    $DataValue = "Ldap","Gc","DcByGuid","Kdc","Dc","Rfc1510Kdc","GenericGc","Rfc1510UdpKdc","Rfc1510Kpwd","Rfc1510UdpKpwd"
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name DnsAvoidRegisterRecords -Value $DataValue -PropertyType MultiString
    Restart-Service -Name Netlogon

Got that? Good. No need for me to go on then! What? Oh, alright...

Some Context: Minimising Risk During Active Directory Upgrades

A few years back, a fellow chap called Glenn LeCheminant published a great blog post on how to perform testing, in production, of a new domain controller running a newer operating system. This was particularly pertinent at the time due to the number of security configuration changes introduced with Windows Server 2008 R2. The post recommended isolating the new DC in a 'hidden' site. This was achieved by controlling the SRV records registered by the DC: domain specific records aren't registered; only site-specific records and those required for replication and normal DNS function are kept. This creates an operational boundary - the site. Only clients placed in the site can use the DC.

Phew!

To summarise the steps:

  • create a new site
  • use the PowerShell above to prevent the soon-to-be-DC from registering certain SRV records
  • promote the new DC to the new site (assumes Schema extension already performed)
  • add a client to the site - it will use the new DC
  • perform testing

Of course, restricting DNS resource record registration is not just for domain upgrade testing. You could use it to hide a disaster recovery site, or... well, the world of Active Directory is your proverbial oyster!

Some More Context: Background Reading

Restrict the DNS resource records that are updated by Netlogon

Enough Context: Get Restricting!

In the following example I’m going to ensure that only clients in the same site as my test DC, HALODC02, can access that DC, i.e. there will be only site-specific resource records registered by the DC. The below example shows the location of various DC-specific records to be removed from DNS:

Here’s an example of an existing SRV record for the target DC:

Here’s what we get when we do a lookup of domain-specific SRV records with PowerShell (two entries returned):

    Resolve-DnsName -Name _ldap._tcp.dc._msdcs.halo.net -Type SRV -Server halodc01.halo.net

Now, to make the change with PowerShell:

    $DataValue = "Ldap","Gc","DcByGuid","Kdc","Dc","Rfc1510Kdc","GenericGc","Rfc1510UdpKdc","Rfc1510Kpwd","Rfc1510UdpKpwd"
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name DnsAvoidRegisterRecords -Value $DataValue -PropertyType MultiString

Here’s a graphical representation of what the PowerShell does. First, here's the path to the key in the registry on the DC to be hidden:

Here’s the Multi-String value to add to the registry:

Here’s the value data for the addition:

Now, restart Netlogon on the DC in question (or wait up to 15 minutes for Netlogon to auto-refresh):

    Restart-Service -Name Netlogon

The sample SRV record from earlier has now gone:

Here’s what we get when we do a lookup of DCLocator, domain-specific SRV records with PowerShell (only one entry returned):

    Resolve-DnsName -Name _ldap._tcp.dc._msdcs.halo.net -Type SRV -Server halodc01.halo.net

Finally, here's something a little more real-world-ready:

    #Check to see if the registry entry already exists
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue
    #Remove the entry if it already exists
    if ($?) {
        Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name DnsAvoidRegisterRecords
    }
    #Create the registry value data
    $DataValue = "Ldap","Gc","DcByGuid","Kdc","Dc","Rfc1510Kdc","GenericGc","Rfc1510UdpKdc","Rfc1510Kpwd","Rfc1510UdpKpwd"
    #Set the new registry value
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name DnsAvoidRegisterRecords -Value $DataValue -PropertyType MultiString
    #Restart the Netlogon service
    Restart-Service -Name Netlogon
    #Test DNS
    Resolve-DnsName -Name _ldap._tcp.dc._msdcs.halo.net -Type SRV -Server halodc01.halo.net

I guess I should now create an advanced function or something...
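A hidden DC is only safe if it stays documented, so here is an added audit function (not from the original post) that lists every DC in the domain, whether it is still advertised in the domain-wide _ldap._tcp.dc._msdcs SRV set, and whether DnsAvoidRegisterRecords is set on it. It assumes the ActiveDirectory module, PowerShell remoting to each DC, and the halo.net names from the post.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module (Get-ADDomainController), PowerShell remoting to each DC, and the
# halo.net / halodc01.halo.net names used in the post.
function Get-DcLocatorRegistration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. halo.net
        [string]$DnsServer                       # optional DNS server to query
    )

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"

    # 1. Which DCs are advertised domain-wide? These are exactly the records
    #    the post suppresses on the hidden DC.
    $resolveArgs = @{ Name = $srvName; Type = 'SRV'; ErrorAction = 'Stop' }
    if ($DnsServer) { $resolveArgs['Server'] = $DnsServer }
    $advertised = Resolve-DnsName @resolveArgs |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget.TrimEnd('.').ToLowerInvariant() }

    # 2. Compare against the DCs that AD itself knows about, and read the
    #    suppression value from each one.
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $fqdn  = $dc.HostName.ToLowerInvariant()
        $avoid = $null
        $err   = $null
        try {
            $avoid = Invoke-Command -ComputerName $fqdn -ErrorAction Stop -ScriptBlock {
                (Get-ItemProperty -Path $using:regPath -Name DnsAvoidRegisterRecords `
                    -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
            }
        } catch {
            $err = $_.Exception.Message
        }

        $inSrv = $advertised -contains $fqdn

        # A DC that is not advertised but has no suppression configured is a
        # registration problem to investigate, not an intentional hidden DC.
        $finding = if ($err)       { "Unreachable: $err" }
                   elseif ($inSrv) { 'Normal' }
                   elseif ($avoid) { 'Hidden by DnsAvoidRegisterRecords' }
                   else            { 'CHECK: not advertised and no suppression configured' }

        [pscustomobject]@{
            DomainController        = $fqdn
            Site                    = $dc.Site
            AdvertisedDomainWide    = $inSrv
            DnsAvoidRegisterRecords = (@($avoid) -join ',')
            Finding                 = $finding
        }
    }
}

# Usage with the names from the post:
Get-DcLocatorRegistration -Domain halo.net -DnsServer halodc01.halo.net | Format-Table -AutoSize
```

Run it after the Netlogon restart: HALODC02 should show AdvertisedDomainWide as False with the suppression list populated, while every other DC shows Normal.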
  • 3 min read
  • Feb 08, 2016
Windows

[HOWTO] How to create a custom AADSync Synchronization Rule for attribute flow (transformation flow)

In support we see many cases come through looking to create a customized synchronization rule to adhere to different business rules utilizing the Azure AD Connect (Azure AD Sync Services (AADSync)) Tool. Here, I am creating this blog to provide some guidance on how to create a custom synchronization rule inside of the Azure AD Sync Services (AADSync) tool. This blog is a sample illustration of how to take givenName and sn and flow those values into the displayName attribute.

STEPS TO CREATE CUSTOM SYNCHRONIZATION RULE

  • Open the Synchronization Rules Editor
  • Select Inbound
    Inbound Synchronization Rule: Takes data from Source Connector Space to Metaverse
    Outbound Synchronization Rule: Takes data from the Metaverse to the Target Connector Space
  • Click the Add New Rule button in the upper right
  • Edit Inbound Synchronization Rule Description Page
    Name: In from AD - Update displayName attribute
    *NOTE: I like to try and stay in sync with the naming format used in the Synchronization Rules Editor. You can provide any name that you desire here. The key is to remember that you want to understand the purpose of this synchronization rule.
    Description: Updates the displayName attribute with the values of givenName and sn
    Connected System:
    Connected System Object: user
    Metaverse Object Type: person
    Link Type: Join
    Precedence: 93
    *NOTE: I chose a lower number so that it would have the higher precedence.

Synchronization Rule

A Synchronization Rule is a configuration object with a set of attributes flowing when a condition is satisfied. It is also used to describe how an object in a connector space is related to an object in the metaverse, known as join or match. The Synchronization Rules have a precedence indicating how they relate to each other. A Synchronization Rule with a lower numeric value in precedence has a higher precedence and in case of an attribute flow conflict, higher precedence will win the conflict resolution.

As an example we will look at the Synchronization Rule “In from AD – User AccountEnabled”. We will mark this line in the SRE and select Edit.

A Synchronization Rule has four configuration sections: Description, Scoping filter, Join rules, and Transformations.

For the purpose of this custom synchronization rule, we are not going to have any Scoping Filter and/or Join Rules. For more information on these two items, please review the Understanding the default configuration page.

Transformations Page

  • Click the Add Transformation button
    Flow Type: Expression
    Target Attribute: displayName
    Source: [givenName]&" "&[sn]
    Apply Once:
    Merge Type: Update
  • Click the Save Button

ADDITIONAL INFORMATION

  • Understanding the default configuration: https://msdn.microsoft.com/en-us/library/azure/dn800963.aspx
  • AADSync - Configure Filtering - Part 1: http://blogs.technet.com/b/steady/archive/2015/01/08/aadsync-configure-filtering-part-1.aspx
  • AADSync - Configure Filtering - Part 2: http://blogs.technet.com/b/steady/archive/2015/01/09/aadsync-configure-filtering-part-2.aspx
  • 2 min read
  • Feb 08, 2016
Linux

OpenFire Active Directory integration

OpenFire – formerly known as Wildfire server and Jive Messenger – is an XMPP (Extensible Messaging and Presence Protocol, formerly known as the Jabber protocol) server written in Java. Management is done through a web interface: administrators can connect from any location, create/delete users, and create conference rooms and communicate in them. In this article we will install OpenFire 3.10.2 on a FreeBSD 10.1 x64 server and configure it with a PostgreSQL database. We will also use the user database from the corporate Domain Controller. Before installation and configuration, be sure the FreeBSD ports are already updated.

Install OpenFire from ports:

    root@dolibarr:~ # cd /usr/ports/net-im/openfire
    root@dolibarr:/usr/ports/net-im/openfire # make config
    root@dolibarr:/usr/ports/net-im/openfire # make -DBATCH install

Install the PostgreSQL database from ports:

    root@frfs:~ # cd /usr/ports/databases/postgresql94-server/
    root@frfs:/usr/ports/databases/postgresql94-server # make config
    root@frfs:/usr/ports/databases/postgresql94-server # make -DBATCH install

Add OpenFire and PostgreSQL to startup:

    root@frfs:~ # echo 'postgresql_enable="YES"' >> /etc/rc.conf
    root@frfs:~ # echo 'openfire_enable="YES"' >> /etc/rc.conf

Initialize PostgreSQL:

    root@frfs:~ # /usr/local/etc/rc.d/postgresql initdb

Uncomment the following line in the /usr/local/pgsql/data/postgresql.conf file:

    listen_addresses = 'localhost'

In the /usr/local/pgsql/data/pg_hba.conf file change the line "host all all 127.0.0.1/32 trust" as follows:

    host all all 127.0.0.1/32 md5

Start the PostgreSQL and OpenFire daemons:

    root@frfs:~ # /usr/local/etc/rc.d/postgresql start
    root@frfs:~ # /usr/local/etc/rc.d/openfire start

Set the password for the pgsql user:

    root@frfs:~ # passwd pgsql
    Changing local password for pgsql
    New Password: password
    Retype New Password: repeat_password

Log in as pgsql and create the user, password and database for the OpenFire connection:

    root@frfs:~ # su pgsql
    $ createuser -sdrP openfire
    Enter password for new role: password
    Enter it again: repeat_password
    $ createdb openfire --owner=openfire

Exit from the console:

    $ exit

Restart the PostgreSQL daemon:

    root@frfs:~ # service postgresql restart

Ready! Open any web browser and go to the http://server_IP:9090/ link. You will see a page as follows (select English and click the Continue button):

On the page that opens, write the domain name as chat.unximen.com, write a password for the encryption key and click the Continue button:

Select Standard Database Connection and click the Continue button:

To connect to the database, select the type PostgreSQL and write the database URL, username and password as follows. Then click the Continue button:

As the user database select LDAP (Active Directory), and click the Continue button:

To connect to Active Directory, write the Distinguished Name for domain.lan and the Distinguished Name for the Administrator account with its password. Don’t forget to choose LDAP port 3268 and click the Test Settings button:

    DC name: domain.lan
    Group name for filter: CN=openfireUsers,OU=OpSO Groups,DC=domain,DC=lan
    Domain Administrator: CN=Administrator,CN=Users,DC=domain,DC=lan

A successful result will look as follows:

After Status: Success! click the Save & Continue button:

For the group filter, click Advanced Settings and write the filter syntax for the openfireUsers group. This means only users from the openfireUsers group can log in to our OpenFire server (click the Test Settings button):

    (memberOf=CN=openfireUsers,OU=OpSO Groups,DC=domain,DC=lan)

If you see a result as follows, everything is working:

Click the Save & Continue button to continue. Select the OpenFire web administrator account from our Active Directory (you can select multiple):

In the window that opens, we press the test button for the Administrator LDAP user account and test it:

Enter the password for the admin user and click the test button:

A successful result will look as follows:

Then click the Continue button. Installation is now finished; click the Login to the admin console button. Enter the selected account and its password and click the login button (this account was selected from the DC).

For test purposes, if you select Users/Groups -> Users, under User Summary you will see the users from Active Directory:

To test between users, read the article OpenFire Jitsi as Skype (desktop sharing) and TeamViewer (remote control).

The post OpenFire Active Directory integration appeared first on Unixmen.
  • 3 min read
  • Jan 27, 2016
Tech-Net-Game News

Microsoft to start pushing Windows 10 on more business users

Microsoft is pushing Windows 10 on a group of previously off-limits users as its new operating system nears the six month anniversary of its release. The company revealed Wednesday that users who are running Windows 7 Pro or Windows 8.1 Pro can expect to start seeing the Get Windows 10 app in their taskbar, suggesting that they upgrade to the new OS. The change in policy will only affect devices that are joined to an Active Directory domain and set up to receive updates directly from the Windows Update service. Business users with that setup will start seeing pop-ups from the Get Windows 10 app urging them to update their computers for free.
  • 2 min read
  • Jan 14, 2016