A Crash Course in Active Directory

Contents

Basics

Uses DNS for name resolution

WINS and NetBios aren’t needed unless a legacy app requires it

AD’s Tree is called the ‘Directory Information Tree’ (DIT)

It is based on the ‘Extensible Storage Engine’ (ESE)

AD consists of two types of objects: containers and non-containers (or leaf nodes).

All objects have a ‘Globally Unique Identifier’ (GUID)

Hierarchical paths in AD are known as ‘ADsPaths’

ADsPaths are normally referred to using LDAP standards

 To build one:
  Start with a 'programmatic identifier' (progID) followed by ://
  Separate each part with a comma
  Prefix each part with dc= (dc stands for domain name component)
  Example: prl.pbb.local becomes LDAP://dc=pbb,dc=pbb,dc=local

A distinguished name (DN) is used to reference an object in a DIT

A relative distinguished name (RDN) is used to reference an object within its parent container

 To reference Alice's object in the prl_biz OU within the prl OU it would look like this:
  LDAP://cn=albin,ou=prl_biz,ou=prl,dc=pbb,dc=pbb,dc=local

The attribute types available for use in an RDN are as follows:

  CN = Common Name
  L = Locality
  ST = State or Province Name
  O = Organization Name
  OU = Organizational Unit
  C = Country
  STREET = Street address
  DC = Domain Component
  UID = User ID
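Putting the ADsPath rules above into code, as an added example that is not part of the original notes: one dc= component per DNS label, RDNs joined with commas, and a parser that validates each RDN type against the table and honours backslash escapes. The domain and object names (including a CN that contains a comma) are constructed samples.

```python
# Added example, not part of the original notes: build and parse LDAP ADsPaths
# following the rules above. Domain and object names are constructed samples.
import re

# RDN attribute types from the table above.
RDN_TYPES = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}

def dns_to_dn(dns_name: str) -> str:
    """prl.pbb.local -> dc=prl,dc=pbb,dc=local: one dc= component per DNS label."""
    labels = [lab for lab in dns_name.strip(".").split(".") if lab]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"dc={lab}" for lab in labels)

def escape_rdn_value(value: str) -> str:
    """Backslash-escape characters that would otherwise break the DN syntax."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def build_adspath(rdns, domain_dns: str, progid: str = "LDAP") -> str:
    """progID:// + RDNs (most specific first) + the dc= components of the domain."""
    parts = []
    for attr, value in rdns:
        if attr.upper() not in RDN_TYPES:
            raise ValueError(f"unknown RDN type: {attr}")
        parts.append(f"{attr.lower()}={escape_rdn_value(value)}")
    parts.append(dns_to_dn(domain_dns))
    return f"{progid}://" + ",".join(parts)

def split_unescaped(s: str, sep: str):
    """Split on sep while honouring backslash escapes (and removing them)."""
    out, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])   # escaped character is kept literally
            i += 2
            continue
        if s[i] == sep:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    out.append("".join(cur))
    return out

def parse_adspath(path: str):
    """Return (progID, [(type, value), ...]); rejects unknown RDN types."""
    m = re.match(r"^([A-Za-z]+)://(.*)$", path)
    if not m:
        raise ValueError("ADsPath must start with progID://")
    rdns = []
    for rdn in split_unescaped(m.group(2), ","):
        attr, eq, value = rdn.partition("=")
        if not eq or attr.strip().upper() not in RDN_TYPES:
            raise ValueError(f"bad RDN: {rdn!r}")
        rdns.append((attr.strip().lower(), value))
    return m.group(1), rdns

def relative_dn(path: str) -> str:
    """The RDN is the leading component: the object's name inside its parent."""
    _, rdns = parse_adspath(path)
    return "=".join(rdns[0])
```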

domains and domain trees

A domain controller (DC) can be authoritative for one and only one domain.

Containers (the object type) may contain other container objects as well as leaf nodes.

An OU is the other type of container; group policies can be applied to an OU, but not to a container (the object).

Each forest has a child container called ‘Configuration’ which has a child container called ‘Schema’

Global Catalog (GC)

Used to perform forest wide searches

Accessed via LDAP on port 3268

Uses progID of GC://

The GC is read-only and can not be directly updated

Objects available in the GC are members of the PAS (Partial Attributes Set)

To add/remove attributes use the AD Schema snap-in for mmc

Flexible Single Master of Operations (FSMO – pronounced fizmo)

Certain actions in the forest/domain are performed only by the DC holding the relevant FSMO role, regardless of how many other DCs you have.

  Schema Master (forest-wide)
    Only machine allowed to make schema changes. Changes made on other DCs will be referred to the FSMO.
  Domain Naming Master (forest-wide)
  PDC Emulator (domain-wide)
    Password syncing and PDC legacy compatibility. Browser Master.
  RID Master (domain-wide)
    Relative ID Master. All security principals have a Security Identifier (SID).
  Infrastructure Master (domain-wide)
    Maintains cross-domain object references (phantom references), e.g. a user is in domain A but a member of a group in domain B.

 NTDSUTIL
  how to: [1]
  download: support pack [2]
  Allows transfer of FSMO roles to other DCs. If the FSMO server dies you can ungracefully force the role to another DC, known as 'seizing' the role. [3]

Groups

3 scopes…

 Domain Local: membership available only within the domain. May contain other groups (admin group).

 Domain Global: membership available only within the domain. Used to define roles (enterprise admin, backup admin, Exchange admins, SQL admins, etc.).

 Universal: forest wide.

2 types…

 Distribution: generally used as messaging lists for email and IM (Exchange distribution lists).

 Security: the group's SID is included in the user's authentication token.

The type of a group may be converted at any time.

Naming Contexts (NC) and Application Partitions

Naming contexts break up replication between DCs; boundaries can be based on political, geographic or bandwidth related considerations.

There are three predefined naming contexts, each representing a different aspect of AD data.

 Configuration NC: (forest) holds data pertaining to LDAP, Exchange, subnets

 Schema NC: (forest) defines the types of data AD can store

 Domain NC: (domain) domain specific data: users, groups, computers, etc.

 Application Partitions: user-defined NCs. Can not contain security principals

To retrieve a list of NCs you query the RootDSE entry.

 LDAP util
  how to: [4]
  download: support tools [5]
  LDAP util can be used to view the RootDSE entry: Connection -> Connection -> enter name of DC

… incomplete

Schema

The schema is located under the Configuration container. It is the blueprint for data storage in AD. Each object has a corresponding class, e.g. the user class for the user object type.

 Active Directory Service Interfaces (ADSIEdit)
  how to: [6]
  download: support tools [7]
  The schema can be viewed using an AD viewer such as ADSIEdit (MMC snap-in) or LDP

Schema is made of two types of ad objects…

classes:
attributes:

… Very Incomplete

Replication

Note: details regarding cross-domain replication omitted.

Connection Objects define what DCs replicate with each other and how often. Generally managed by the DC

Knowledge Consistency Checker (KCC) is what generates the connection objects.

 RepAdmin
  how to: [8]
  Command line tool for administering replication
 ReplMon
  how to: [9]
  Graphical utility for managing and monitoring replication

Each DC maintains its own separate ‘Update Sequence Number’ (USN). It is a 64-bit value assigned to each update transaction; each update increments the USN value, like the serial number in DNS.

Each DC maintains its highest combined USN for all NCs in the highestCommittedUSN value of the RootDSE. The values are always different from DC to DC for a given replication.

If the time on a DC is off by 5 minutes or more it will not be able to replicate.

Originating Update (write): the point of origin for an update (the DC on which this update was made).
Replicated Update (write): a change that did not originate on the DC in question.

Each DC has a GUID called the DSA GUID. It is used to uniquely identify a DC and is the objectGUID of the NTDS settings object for the DC in the configuration container.

The High-WaterMark Vector (HWMV) is a table maintained independently by each DC. Keeps info on where a DC last left off when replicating the NC with a specific partner.

The up-to-dateness vector (UTDV) is a table maintained independently by each DC. It is used for replication dampening to reduce traffic and endless replication.

An example of how an object is modified during replication…

Overview:
  1. A user is created on serverA.
  2. The object (user) is replicated to serverB.
  3. The object is subsequently modified on serverB.
  4. The new changes are replicated back to serverA.

1. Creation of the object on serverA
  1. Values are set to the defaults defined for user creation
  2. The user's USN is set to 1000 (the USN of this transaction)
  3. Version number is set to 1
  4. Timestamp is set to the time of creation
  5. Originating-server GUID is set to the GUID of the server
  6. Originating-server USN is set to 1000 (USN of this transaction)
2. Replication of the object to serverB
  serverB adds a copy of the object as a replicated write. USN 2500 is assigned to the object. This value is written to the USNCreated and USNChanged attributes of the object.
3. Password changed for the user on serverB
  1. Password value is set
  2. The password's USN is set to 3777 (USN of this transaction)
  3. The user's version number is set to 2
  4. Timestamp is updated
  5. Originating-server GUID is set to the GUID of serverB
  6. Originating-server USN is set to 3777 (USN of this transaction)
4. Password change replication to serverA
  serverA generates a transaction USN of 1333. USNChanged is set to 1333. Originating-server GUID is set to that of serverB.
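The four-step walk-through above as a toy model, added here and not part of the original notes: each DC keeps its own USN counter, per-attribute metadata (local USN, version, originating DSA GUID and originating USN) and a high-watermark vector per partner so it only pulls changes committed since the last cycle. The DSA GUIDs, the "unrelated transactions" that move the counters to the USNs in the walk-through, and the logical timestamps are constructed; dampening is simplified to comparing originating GUID and USN rather than maintaining a full up-to-dateness vector.

```python
# Added example, not from the original notes: toy model of AD replication
# metadata (local USN, version, originating GUID/USN) and the per-partner
# high-watermark vector. GUIDs, USN jumps and timestamps are constructed.
import copy
from dataclasses import dataclass


@dataclass
class AttrMeta:
    value: object
    version: int          # bumped on every originating write
    timestamp: int        # constructed logical clock, not real time
    usn_changed: int      # USN of the transaction on *this* DC (local meaning only)
    orig_dsa_guid: str    # DSA GUID of the DC where the write originated
    orig_usn: int         # USN the originating DC assigned to that write


class DC:
    def __init__(self, dsa_guid: str, highest_committed_usn: int):
        self.dsa_guid = dsa_guid
        self.highest_committed_usn = highest_committed_usn  # per-DC counter
        self.objects = {}   # dn -> {attribute: AttrMeta}
        self.hwmv = {}      # partner DSA GUID -> partner USN we last caught up to

    def _next_usn(self) -> int:
        self.highest_committed_usn += 1
        return self.highest_committed_usn

    def originating_write(self, dn: str, attr: str, value, now: int) -> int:
        """A change made on this DC: new version, stamped with our GUID and USN."""
        usn = self._next_usn()
        obj = self.objects.setdefault(dn, {})
        prev = obj.get(attr)
        obj[attr] = AttrMeta(value, prev.version + 1 if prev else 1, now,
                             usn, self.dsa_guid, usn)
        return usn

    def changes_since(self, usn: int):
        """Every attribute write this DC committed with a local USN above usn."""
        hits = [(m.usn_changed, dn, a, m) for dn, obj in self.objects.items()
                for a, m in obj.items() if m.usn_changed > usn]
        return sorted(hits, key=lambda h: h[0])

    def pull_from(self, partner: "DC") -> int:
        """Replicated writes: apply partner changes past our HWMV for that partner."""
        applied = 0
        for _, dn, attr, meta in partner.changes_since(self.hwmv.get(partner.dsa_guid, 0)):
            mine = self.objects.get(dn, {}).get(attr)
            # Dampening: the same originating write (GUID + originating USN) is not re-applied.
            if mine and (mine.orig_dsa_guid, mine.orig_usn) == (meta.orig_dsa_guid, meta.orig_usn):
                continue
            m = copy.copy(meta)
            m.usn_changed = self._next_usn()   # fresh local USN; originating fields unchanged
            self.objects.setdefault(dn, {})[attr] = m
            applied += 1
        self.hwmv[partner.dsa_guid] = partner.highest_committed_usn
        return applied


def run_scenario():
    """The four steps above: create on A, replicate to B, change on B, replicate to A."""
    dn = "cn=albin,dc=pbb,dc=local"
    a, b = DC("dsa-guid-A", 999), DC("dsa-guid-B", 2499)
    a.originating_write(dn, "userPassword", "initial", now=1)   # step 1: USN 1000 on A
    b.pull_from(a)                                              # step 2: USN 2500 on B
    b.highest_committed_usn = 3776     # unrelated transactions on B in between (constructed)
    b.originating_write(dn, "userPassword", "changed", now=2)   # step 3: USN 3777 on B
    a.highest_committed_usn = 1332     # unrelated transactions on A in between (constructed)
    a.pull_from(b)                                              # step 4: USN 1333 on A
    return a, b
```

Calling pull_from again in either direction after the scenario applies nothing: the HWMV skips already-seen USNs and the originating metadata stops A's replicated copy of B's write from bouncing back to B.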

… Incomplete (missing conflict resolution section)

AD and DNS

DC Locator

Resource Records used to AD

Delegation Options

… incomplete (duh)

Profiles

A profile is created on each computer a user logs into. It is %systemDrive%\Documents and Settings\%userName%

It creates various data files including NTUSER.DAT. This file contains the user portion of the registry. This includes the screen saver, wallpaper, myDocuments location, etc.

Settings specific to the computer in question are also applied to the user via the AllUsers\NTUSER.DAT on the given machine.

You use the ADUC (Active Directory Users and Computers) tool to set the roaming profile info for a given user.

To have the profile deleted from the local machine upon logout set the following key on the computer (computer and teaching labs!)…

 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DeleteRoamingCache

With a server-based default user profile you can add icons to the desktop, bookmarks, etc. It should exist under the NETLOGON share.

Group Policy

Group Policies are referred to as GPOs or group policy objects. They contain a large amount of configuration info that is applied to all users automatically.

 Group Policy Management Console (GPMC)
  how to: [10]
  Allows for editing, viewing the resultant set of policy (RSOP) and running reports.

A policy item can exist in one of three states: enabled, disabled or not configured. Not configured is the default for everything.

The structure of the templates in the editor looks like…

User Configuration
  Software Settings
  Windows Settings
  Administrative Templates
Computer Configuration
  Software Settings
  Windows Settings
  Administrative Templates

These are generated from the Administrative Template (ADM) files in the system volume.

By default workstations and member servers refresh GPOs every 90 minutes and DCs every 5.

On non DCs 1 to 30 minutes (randomly generated) will be added to the refresh time to avoid everyone checking in at once.

GPOs allow an admin to remotely deploy applications to users OR computers. MSI packages are the only way this works.

MSIs can be modified for the environment. This process is known as creating a ‘transform’.

You can set an MSI to auto-install when someone attempts to open a file with an extension that an MSI app can read.

If an install is assigned to the user portion of the GPO it will install when the user logs into a machine and uninstall upon log off. If it is assigned to the computer portion it is available to any user who logs into that machine.

MS Windows Installer
  how to: [11]
  Used to generate MSI files
InstallShield
  site: [12]
  The best of the installer-making tools. 3rd party.
Installer Design Studio (ScriptLogic)
  site: [13]
  The one ScriptLogic makes. Looks very easy to use and is fairly inexpensive.
Group Policy Settings Reference (document): [14]
Group Policy Homepage: [15]
MSN docs for Group Policy: [16]

Backup, Recovery and Maintenance

Backing up AD

Restoring a DC

Restoring AD

FSMO recovery

DIT Maintenance

… Incomplete (duh)

Exchange Integration

… incomplete (duh)

Links

Common admin tasks: [17]

Remote Administration: [18]

All information gleaned from…

Active Directory, 3rd Edition, O’Reilly Publishing. By: Joe Richards, Robbie Allen & Alistair G. Lowe-Norris

CEH (Certified Ethical Hacker) Training

I spent last week in a training class for the Certified Ethical Hacker (CEH) exam. The first day of class they issued me an EC-Council backpack that contained two text books (1,800 pages worth), one lab manual and one t-shirt. It’s heavy as hell and I can see why they provide the (fairly nice) bag to lug it all around in.

I went into the class expecting to only learn the corporate developed ‘best practices’ for penetration testing and hacking. I walked out of the class believing that anyone could benefit from its teachings. Even a seasoned pentester is bound to learn something.

It teaches a best practices methodology to approaching a penetration test. Just about any category of tool that would be useful in a pentest is covered. Far too many, in some cases. Although, I think it is great to get exposure to more tools than one would generally expose themselves to.

My pentest toolkit is now stocked with only the best tools and separated into the logical categories that the CEH teaches. It just makes sense.

In a near future post I will be explaining my toolkit, what it contains, how it is organized and how to make your own.

I also end up with some CPE (Continued Professional Education) points to keep my CISSP certification current.

Microsoft offers Apple security advice?

Fresh after the article from security firm Sophos entitled “Sophos recommends Macs for security”, a member of Microsoft’s security team blasts Apple for not having a “security czar” and not communicating with users about security vulnerabilities.

By contrast, he points to Microsoft as a prime example of how to respond to threats, providing well-documented communications and prescriptive “how-to” guidance with alerts that are delivered through email, RSS and deployment tools.

This whole paragraph is absolutely laughable. Let’s flash back for a second to Microsoft security bulletin 912840 and my rant regarding it. And now let’s re-read that happy little Microsoft FUD. Something doesn’t add up, does it?

If that isn’t enough to convince you, let’s look at yet another reason why no software vendor should ever adopt Microsoft’s security practices. Two words: Patch Tuesday. Holy god is that a bad model. No matter how bad a vulnerability is, they will sit on the patch (leaving everyone exposed) till the next Patch Tuesday, just because it’s more convenient for admins.

I, as an admin, would much rather patch frequently than sit on my hands while blatantly exposed to a threat.

Once they work these things out, then (maybe) they can blast other software vendors. Until that time though, they should sit back, shut up and stop making themselves look foolish.

GroupWise Open Relay Crap

I started testing my GroupWise 7 server and found that I received a bounce back while trying to send to domains that block mail from servers in the ORDB (Open Relay DataBase).

Upon receiving this, one Saturday, I sent out a quick email scolding my tech who set up the GWIA (GroupWise Internet Agent) and drove into work to fix it. I pulled up the area in ConsoleOne that contains the relay information and found a check in the box that reads “disable open relay”. Hmmm, you can’t get much clearer than that.

I quickly whipped up a web app that will attempt to relay mail off the server. No luck. So I went into my office and submitted the IP to ordb.org again for re-scan.

I was assuming that it was scanned while it was initially being set up, and that they had caught it in an open relay state.

A while later I received an email stating that it is still blocked by ORDB, because they still think it’s an open relay.

Puzzled, I hit the ordb.org FAQ to come up with this…

My Novell GroupWise is not an open relay!

We’re sorry to say that it is. We are aware that GroupWise does not filter until after receiving the mail, but our test-method requires that at least one of our probes be delivered to its final destination before addition to the database occurs. Your server will not be added to the database just because it accepts the probe for later processing. Please see the section on securing your open relay for information on the latest patches for GroupWise. Additionally, please refer to this link for information about claims that ORDBs way of testing is flawed, when testing GroupWise and friends.
Additionally, a user has provided information that at least Groupwise6 (and possibly Groupwise5.x as well) may be vulnerable to various relaying exploits unless sufficiently patched. The patch you need to download is called fgwia63a.exe, and is so far only provided as a beta quality patch by Novell.

So, that wasn’t very helpful. I am running GroupWise 7 so that fits the “at least Groupwise6” requirement, and I am running it on SUSE Linux Enterprise Server so it’s safe to say that an exe patch isn’t going to work.

I could ask Novell about it, but support requests cost $500/, purchased in minimum quantities of 5.

On a number of forums I heard talk of a mysterious patch, but was unable to find any mention of it on the Novell download site. I also read that Novell acknowledges that it’s a stupid way to handle relay attempts and that it would be fixed in GW6. Well, I’m on 7 and it’s not fixed.

The best way I came up with to fix this is to use an incoming/outgoing relay host. Something free like exim or postfix. This also provides you with the ability to run antivirus and antispam on this host. Set up GroupWise to allow incoming and force outgoing relays through this host.

Or you can do what I did; purchase a Barracuda 300 from barracuda networks and use the same configuration as above.

My barracuda has gone through its initial testing very well and I’m quite fond of the web interface.

But it’s also very sad that GroupWise forces admins to do something like this. It’s almost as if they intentionally included this inadequacy in the hopes that you will have no choice but to go to one of their channel partners for a fix… and spend more money.

Fix: ssh client timeouts in OS X

Using OS X and getting a lot of this?

Read from remote host blah.bligityblah.com: Connection reset by peer
Connection to blah.bligityblah.com closed.

So was I. At first I assumed it had to be Comcast, because Comcast falls into the auto scapegoat category the same as Microsoft and the Bush Administration.

Before I became all accusatory and called to complain, I did my homework.

The man page for ssh_config has the following to say.

TCPKeepAlive
Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying.

The default is “yes” (to send TCP keepalive messages), and the client will notice if the network goes down or the remote host dies. This is important in scripts, and many users want it too.

To disable TCP keepalive messages, the value should be set to “no”.

Sounds like that could be the problem. Issuing the following command as root will add the directive to the bottom of the ssh_config file and you should be good to go.

echo "TCPKeepAlive no" >> /etc/ssh_config

UPDATE: At least I thought you should be good to go. After running like that for a while I still lost my connection. Does anyone else have any insight into why this may be happening? I suspect Comcast, again. 🙂

The Value of Privacy

Last week, revelation of yet another NSA surveillance effort against the American people has rekindled the privacy debate. Those in favor of these programs have trotted out the same rhetorical question we hear every time privacy advocates oppose ID checks, video cameras, massive databases, data mining, and other wholesale surveillance measures: “If you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these — as right as they are — is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

Two proverbs say it best: Quis custodiet custodes ipsos? (“Who watches the watchers?”) and “Absolute power corrupts absolutely.”
From Bruce Schneier’s blog

Lenovo Banned by U.S. State Department

In one of the least thought out and dumbest moves made by our government in recent weeks… Assistant Secretary of State Richard Griffin said the department would alter its procurement process to ensure no Lenovo PCs are allowed inside secured U.S. networks.

This is dumb for a number of reasons.

1. Any software backdoor and ‘phone home’ keylogger would be wiped out when the machine is re-imaged. If they don’t re-image machines that come from hardware vendors then the brand is the least of our worries.

2. Any hardware spying mechanism that would remain after an imaging would still need a way to ‘phone home’ to China for them to obtain the data. Any ‘secured U.S. network’ should have egress firewalling. So not only would ‘phone home’ attempts be blocked, but also logged and provide REAL evidence that we should be concerned.

I believe this just boils down to yet another case of someone uninformed and uneducated making big decisions that they are not qualified to make. Either that or it’s a more sinister attempt to curb the amount of Chinese goods purchased by the U.S. Either case doesn’t win our government any more brownie points.

Things Apple needs to make…

1. Another PDA
They were far ahead of their time when they initially introduced the Apple Newton and for that reason I don’t think people were ready for the PDA yet. If they came out with a Newton2 I think it would sell like hot cakes.

2. Multi Function Phone
I have heard rumors of an iPhone that will be a combination cell phone/iPod but they need to include blackberry or palm like functionality.

3. A tablet macbook pro.
I have a number of friends who are die hard Mac advocates that have recently purchased tablet PCs because they are just downright cool and useful. In fact Gryphn carries both her PowerBook and her tablet PC with her. Once again, rumor has it that these will be released in about a year.

4. OS X for normal PCs
I know they won’t do this anytime soon, so if they could just make a Darwin type OS that runs Mac/Intel binaries… I think that would hold me over.

X-mas in April!

Last week great geeks in Cupertino, CA shipped me two new shiny Macs. My new Quad G5 that replaced our fallen friend. (Dead but not forgotten, brotha.) And my new MacBook Pro. The G5 arrived first and held my attention intently for all of two days. It was by far the fastest mac I have ever had the pleasure of using. It was unfortunate that both the RAM and 2nd video card from dual G5 wouldn’t work in it. Someplace between the dual and the quad they upgraded all of the ports in it to pci express and made the jump to DDR2 RAM. WaHoo! I have another 2 gigs of RAM on order (bringing me to 4) and am down to two of my three monitors until I figure something out.

It has 1 pcix 16x port, 1 8x and 2 4x. I have never seen video cards in anything but 16x, so.. like… what gives?

My MacBook Pro arrived Wednesday. This machine has surprised the hell out of me. I believe it to be faster than my quad G5. This is by no means a benchmark comparison, but it simply ‘feels’ faster. Snappier for opening apps, even non universal binary apps like PhotoShop CS and DreamWeaver.

Another -BIG- reason why I upgraded from powerbook to the macbook pro was the ability to easily run other operating systems. The first thing I did when I received it was update tiger, upgrade my firmware and install boot camp/xp pro. This is a big deal to me. It allows me to run Novell ConsoleOne and Client as well as all of the good forensic and security software that only comes on windows.

I have also installed Fedora on a Parallels virtual machine. I am pretty impressed with parallels so far. It’s fast, far easier and more elegant than virtual pc and vmware and allows for nice full screen, full speed OS ‘switching’.

I have run into a few odd… I dunno… bugs? I’m still working on trouble shooting them down to their source, but as soon as I know what’s up I will post my findings.

NoNav: Automated Norton and Symantec AntiVirus Removal Tool

It seems all too often that when uninstalling Symantec AntiVirus you are stuck with a partially uninstalled product. In some cases bits linger in Add/Remove Programs, in other cases MS Word stops working. Whenever it happens it’s a big pain to fix.

A colleague of mine has received this tool direct from the Symantec technicians. Here are some details of it from its PDF documentation.

Proposal
Symantec Enterprise customers have expressed a need for a way to uninstall Norton AntiVirus Corporate Edition (NAVCE) or Symantec AntiVirus Corporate Edition (SAVCE) when normal uninstall procedures do not work.

Solution
Symantec Enterprise Support has created a standalone application / utility to fill this need. This utility will uninstall NAVCE or SAVCE Parent Servers and Clients through registry and file system deletions.

You may download this tool here:

noNAV-removal-tool.zip
md5 : afcb66d3db289a4c63434e829a9a1689