In many Active Directory Domain Services environments, LDAP is a common protocol to provide access to objects and their attributes in the directory. The Lightweight Directory Access Protocol (LDAP) is an open protocol for use with various directory services, including Active Directory. Over the years, Microsoft has been made aware of vulnerabilities in the way … Continue reading "TODO: Test your exposure to Microsoft’s 2020 LDAP Channel Binding and Signing changes"
Windows Hello for Business is awesome technology that allows for multi-factor authenticated sign-in on Windows 10 devices. About Windows Hello for Business In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to … Continue reading "Requirements per Windows Hello for Business Deployment Type"
Sometimes, Microsoft products have a way of their own. The Domain Naming System (DNS) service since Windows Server 2003, too, has a nice little quirk that I ran into the other day, that I’d like to share with you. About DNS debug logging When you suspect problems with the Domain Naming System (DNS) Service, … Continue reading "Knowledgebase: When you enable DNS debug logging to removable media, the DNS Service no longer starts"
Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. These components have requirements of Active Directory Domain Services (AD DS) in terms of the schema, the Windows Server versions on the Domain Controllers an organization runs, the Domain Functional Level (DFL) and the … Continue reading "Hybrid Identity features per Active Directory Domain Services Domain Controller Operating System, Domain Functional Level, Forest Functional Level and Schema version"
Today, for its March 2017 Patch Tuesday, Microsoft released an important security update for Active Directory Federation Services (AD FS). The security update addresses a vulnerability that could allow information disclosure if an attacker sends a specially crafted request to an ADFS server, allowing the attacker to read sensitive information about the target system. … Continue reading "Important Update for Active Directory Federation Services (MS17-019, KB4010320, CVE-2017-0043)"
Today, for its March 2017 Patch Tuesday, Microsoft released a security update for supported versions of Windows Server offering File Sharing services using the Server Message Block (SMB) version 1.0 protocol. The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests. About the vulnerabilities The vulnerabilities that are fixed with … Continue reading "Critical Flaw in SMB1 could allow remote code execution on Active Directory Domain Controllers (MS17-010, KB4013389)"
When organizations embrace new versions of software in a structured way, they end up with checklists, much like the ones I wrote for Windows 7 and Windows 8. Migrating end-user device Operating Systems (OSs), however, is different to embracing a new version of the Windows Server Operating System (OS). From an information security point of … Continue reading "An entirely new Management Pack for Active Directory on Windows Server 2016 is now available"
I received a message from Microsoft Serbia on an opportunity to speak at its yearly Sinergija event at the Crowne Plaza hotel and conference center in Belgrade on October 17th and October 18th 2016; An event, a Microsoft subsidiary and a country with an extensive legacy and rich heritage. Readers of my blog in this … Continue reading "I'll be presenting at Microsoft Sinergija 16"
Yesterday, during its August Patch Tuesday, Microsoft released security update KB3178465 for Windows Authentication Methods, among other security-related updates. This update addresses two vulnerabilities in Microsoft's implementation of its authentication methods in Active Directory scenarios: CVE-2016-3237 and CVE-2016-3300. About the vulnerabilities Microsoft Kerberos Elevation of Privilege Vulnerability (CVE-2016-3237) A security feature bypass vulnerability exists … Continue reading "Security Thoughts: Update for Windows Authentication Methods (KB3178465, MS16-101, CVE-2016-3237, CVE-2016-3300, Important)"
Yesterday, Microsoft released update 3160352 as part of its June 2016 Patch Tuesday to address an important vulnerability in Active Directory, allowing denial of service. This security update is rated Important for all supported editions of Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. About the vulnerability A vulnerability has been … Continue reading "Security Thoughts: Vulnerability in Active Directory could allow denial of service (MS16-081, KB3160352, CVE-2016-3226)"