Removing Extended Rights delegation on AdminSDHolder

Description:

You have Active Directory and Exchange servers running in your environment. One day, the Security team told you that they encounter an account with excessive access on AdminSDHolder container. The Account was "DomainName\Exchange Servers" and has Extended Rights permission of Replication Synchronization. Yow want to remove this excessive access.

First, you try to remove it through the GUI. Open AD User and Computer console, go to System, go to AdminSDHolder container. Right click, open Properties, open Security, and click Advanced. You try to search the "DomainName\Exchange Servers" with permission Replication Synchronization, but couldn't find it.

Second, you try to confirm the existence of the extended rights by running the following command:

DSACLS "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local"

And you can confirmed the existence of the permission as per below picture:

Third, your try to remove it using Exchange Management Shell, and run the following PowerShell command:

Remove-ADPermission -Identity "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local" -User "DomainName\Exchange Servers" -ExtendedRights "Replication Synchronization"

However it fails with access denied error.

Resolution:

We can remove the Extended Rights in AdminSDHolder container with the help of LDP.exe

1. Open LDP.exe
2. Go to Connection > Click Connect > Click OK
3. Go to Connection again > Click Bind > Click OK
4. Click View > Click Tree
5. Enter the Base DN "DC=DomainName ,DC=Local". Click OK
6. On the left, double click Domainname, double click "CN=System, DC=DomainName, DC=Local", right click AdminSDHolder container.
7. Click Advanced > Click Security Descriptor
   
   
   
8. Check the SACL box > Click OK
9. Scroll Down until you find the Rights that you want to remove 
   
   
   
10. Click Delete ACE > Select Yes
11. Click Update to commit the changes
12. Close the LDP.exe

Note:

Be careful when removing this "Rights" as it may affect your Exchange Servers behavior. Prior testing is required.

Prerequisites and Best Practices for Changing ADFS Account

Description:

You have ADFS farm and you want to change the existing ADFS service account. You already have the step by step and the PowerShell module for changing the service account as written at other article in this blog.. However you want to know if there any pre-requisites or problem that you might encounter during the process

Resolution:

The prerequisites for changing the ADFS service account are:

1. On each machine of the ADFS farm, install the following:
• Visual C++ Redistributable for Visual Studio 2017
• ODBC Drive 17 for SQL Server
• SQLCMD.exe from Microsoft command line utilities for Microsoft SQL Server 2019
2. Enable AD & AD LDS PowerShell tool from Server Manager on all ADFS server
3. Domain Admin Account

Best practices:

1. Run the command to change the service account using Domain Admin Account. Logon Interactively on the ADFS server using Domain Admin, avoid using "Run As".
2. ADFS services will be restarted during the process. Plan the maintenance time carefully.

Recover Active Directory after Ransomware Attack if you only have VM Snapshot

Description:

You have a security incident in Active Directory where a ransomware attack encrypt your VCenter infrastructure. All you have left is a backup from a month before the attack.

Resolution:

Although it's not recommended to use VM Snapshot as your Active Directory backup method, in this situation, you can use what you have at the moment.

You can follow the following high-level guidance.

1. Choose the snapshot from time where the malware or malicious file hasn't entered your production environment.

2. Choose to recover only single Domain Controller from the snapshot. Preferable the one who doesn't hold the Flexible Single Master Operation (FSMO) role. The rest of the DC will be build manually from fresh using AD replication.

3. Perform recovery at isolated network.

4. Make sure the Active Directory recover successfully. Make sure SYSVOL and NETLOGON are shared properly. 

5. Seize FSMO to the recovered Domain Controller. Perform metadata cleanup of the rest of DCs.

6. Increase RID pool number.

7. Reset all High Privilege account password twice.

8. Update security patches and Antivirus.

9. Connect new Domain Controller to the production network.

10. Re-create Users or Re-join Computer as needed.

11. Continue building new Domain Controller from clean machine as needed.

Note*:

The guidance assume you are able to get the snapshot from the time before the attack occur. Sometimes this attack could start many months in advance which make recovering from snapshot have less benefit.

 

Point Client Machine or Member Server to a Specific Domain Controller

There maybe times when you want to restrict client machine or member server authentication to a specific Domain Controller only. One possible reasons is that you're doing security hardening to Domain Controller or Active Directory and want to test the impact to a limited production system before going company wide.

To restrict the client or member server authentication to specific DC only, please do the following:

1. Open Active Directory Sites and Services Console.

• Create a new Site.
• Assign a proper subnet to that site.
• Move the Specific Domain Controller to that site.

2. Open Registry Editor on the client or member server.

• In Registry Editor, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
• Add the following multistring value (REG_MULTI_SZ) Value Name: SiteName
• For Value Data: TheNewSitename

3. Restart the client or member server to get the new setting. If you cannot restart the machine, you can run the following command:

nltest /dsgetdc:domainname /force 

Integrating Dahua CCTV with Hikvision NVR

Description:

You have Hikvision IP POE NVR up and running. You want to add Dahua CCTV camera to the Hikvision NVR.

Resolution:

1. Change the Dahua CCTV IP Address to the IP Address within the Hikvision NVR existing scope. Make sure there's no IP conflict.

2. Enable ONVIF at Hikvision NVR. 

Go to Maintenance > ONVIF > Enable ONVIF

3. Add the Dahua CCTV to the Hikvision NVR

Go to Camera > Click the Camera Channel that connected to Dahua CCTV > click Edit

Choose Manual, Enter the correct IP Address, Select ONVIF as the protocol, Select 80 as the Management Port, enter the Dahua CCTV Default username and password, Click OK.