I'm presenting a webinar with Randy Franklin Smith and Netwrix

Presenting a webinar

This Tuesday at 6 PM CEST, I'm presenting a webinar with Randy Franklin Smith's Ultimate Windows Security and Netwrix on ten best practices to securing Active Directory and Azure AD.

About Randy Franklin Smith

Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory security who specializes in Windows and Active Directory security. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies, national, and international organizations.

Randy Franklin Smith is the CEO of the Monterey Technology Group and a CISA, SSCP and a former Microsoft MVP.

About Ultimate Windows Security

UltimateWindowsSecurity.com is the web property of the Monterey Technology Group, devoted to spreading knowledge and understanding of Windows Security, IT Audit and Compliance with exclusive content from Randy Franklin Smith.

About the webinar

We will be presenting a 90-minute webinar through GoToWebinar:

Best practices for securing Active Directory and Azure AD

Tuesday September 28, 2021, 6 PM CEST

Hybrid Identity, involving both on-premises Active Directory and Azure AD, is one of the most common configurations used by organizations today. Because cybercriminals know this, modern attacks have demonstrated the breadth and depth of understanding threat actors have about Microsoft’s directory services – including the vulnerabilities and insecurities that exist therein – that enable successful attacks on Active Directory.

With data breaches and ransomware attacks both leveraging the same need for accessing Active Directory and Azure AD to empower lateral movement both on-premises and in the cloud, it is imperative that both AD and Azure AD are as secure as humanly possible.

So, what aspects of Active Directory and Azure AD provide the greatest risk and the largest threat surface – therefore, requiring your immediate attention?

In this real-training-for-free session we will discuss the prevalence of modern attacks on Active Directory and Azure AD
and where in an attack kill chain Active Directory and Azure AD actually help threat actors.

We take a deep dive into ten specific and practical best practices you can implement relatively easily to secure AD and Azure AD involving:

  • Protocols in use
  • Methods of authentication
  • Use of privileged accounts
  • Ongoing account hygiene
  • Health and Change Monitoring

Also joining us will be David Metzgar, Solutions Engineer from Netwrix, who will be showing how Netwrix Auditor assists in ensuring Active Directory and Azure AD remain in a secure state.

This real training for free event is jam packed with technical detail and real-world application.

Register today!

Join Randy Franklin Smith, Nick Cavalancia, David Metzgar and me for 90 minutes of Active Directory and Azure AD security goodness. Register here.

Note:
These webinars are offered free of charge, thanks to the sponsoring by Netwrix. By signing up for these webinars you agree to their privacy policy.

About Netwrix

Netwrix logoNetwrix empowers information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

Posted on September 25, 2021 by Sander Berkouwer in Active Directory, Azure Active Directory, Community, Microsoft MVP, Personal

0  

Admins that have upgraded to Azure AD Connect v2 are at risk of running out of date and insecure installations

Azure AD Connect

Admins that have bit the bullet on Azure AD Connect v2 are now eating the sour grapes of that decision, as Microsoft doesn't offer Automatic Upgrades on any of the v2 builds released to date.

About Azure AD Connect v2

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

Azure AD Connect v2 was introduced on July 20th, 2021. Version 2 brings a lot of enhancements when compared to Azure AD Connect v1: it comes with the latest version of SQL Server Express Edition, it uses TLS 1.2, if offfers connectivity to the v2 endpoint at the side of Azure AD and it allows for synchronizing group memberships up to 250,000 members.

Five Azure AD Connect v2 builds have been releases to date:

  • Azure AD Connect v2.0.3.0 on July 20th, 2021
  • Azure AD Connect v2.0.8.0 on August 10th, 2021
  • Azure AD Connect v2.0.9.0 on August 17th, 2021
  • Azure AD Connect v2.0.10.0 on August 19th, 2021
  • Azure AD Connect v2.0.25.1 on September 14th, 2021

About upgrading to Azure AD Connect v2

On August 31st, 2022, Microsoft plans to halt support for all Azure AD Connect v1 installations. This means that all admins should upgrade their Azure AD Connect v1 installations to v2 before that date.

That's because SQL Server 2012 SP4 reaches end of support on July 12th, 2022 and the Active Directory Authentication Library (ADAL) reaches end of support on June 30th, 2022.

Automatic Upgrades

None of the five released builds of Azure AD Connect v2 to date have been released for the Automatic Upgrades feature. Two of these builds (v2.0.8.0 and v2.0.25.1) fixed security vulnerabilities, but unless admins paid attention, they might not have become aware of these new builds and certainly have not updated their Azure AD Connect v2 installations manually.

This leaves admins who have bit the bullet on upgrading Azure AD Connect to version 2 with the sour grapes of their decisions: Unless Microsoft offers an Azure AD Connect v2 release that supports the Automatic Upgrades feature, they are at the risk of running out of date and insecure installations and need to manually upgrade Azure AD Connect installations manually.

Concluding

One of the common weaknesses found with admins and IT departments is the lack of processes. Without an update process for Azure AD Connect and proper staffing of admin roles, organizations are at risk of runningout of date and insecure Azure AD Connect installations.

I sure hope Microsoft releases an Azure AD Connect v2 build soon that supports the Automatic Upgrades feature for all previous Azure AD Connect v2 builds.

Further reading

Azure AD Connect v2.0.25.1 addresses a security issue and other bugs  
Azure AD Connect v1.x reaches end of support in 1 year  
Azure AD Connect v1.6.13.0 and v2.0.10.0 solve a PHS issue in renamed AD forests 
Azure AD Connect v2.0.9.0 fixes a Password Hash Synchronization bug 
Two new Azure AD Connect versions were released to prevent MitM attacks towards Domain Controllers (CVE-2021-36949)  
Azure AD Connect version 2.0.3.0 is here 

Posted on September 24, 2021 by Sander Berkouwer in Active Directory, Azure Active Directory, Azure AD Connect, Systems Administration

0  

I'm speaking at the Cloud Identity Summit

Cloud Identity Summit '21 banner

On September 30th, 2021, I'll present a 50-minute session on common mistakes with Hybrid Identity at the second Cloud Identity Summit, organized by the Azure Bonn user group.

About the Cloud Identity Summit

The Cloud Identity Summit aims to bring together people from different areas of Identity and Access Management (IAM) and provide an open community platform for collaboration and exchange of ideas.

The Cloud Identity Summit focuses on Cloud Identity Management, various aspects such as identity protection, managing external accounts, passwordless and much more. The Cloud Identity Summit is a free event that focuses on the exchange between the participants. The group of participants is international and comes from different areas and industries.

After the first Cloud Identity Summit 2020, the feedback was very good and that encouraged Thomas Naunheim, Rene dé la Motte, Gregor Reimling and Melanie Eibl to organize an event in 2021, too. The second edition will take place again as an online conference on September 30, 2021.

The Cloud Identity Summit features three tracks:

  1. Lounge (14:00-21:00)
    In the Lounge track, you'll find the Welcome session and the sponsor session from Yubico. During the sessions in the other tracks, you can use the Lounge track to talk to the speakers and other attendees.
  2. Security (15:00-21:00)
    In the Security track, you'll find sessions from Paul Griffiths, Klaus Bierschenk, Eric Berg, Peter Lenzke and me. We'll be focusing on security aspects of Azure AD and Hybrid Identity implementations.
  3. Integration (15:00-21:00)
    In the Integration track, you'll find sessions from Nicki Borell, Sergey Chubarov, Christopher Brumm, Nestori Syynimaa, Dmitry Kulko, Keith Petty and Pinki Patel.

 

About my session

I'll present a 50-minute session on:

From the trenches: Eight common mistakes with Hybrid Identity

Do you wish a seasoned expert would tell you all the mistakes to avoid before you begin your Hybrid Identity journey with AD and Azure AD? Or do you need substantial, real-world proven tips for your current setup of Active Directory and Azure AD?

Then this session is for you!

When you link your on-premises Active Directory Domain Services (AD DS) environment to Azure AD, you create the Hybrid Identity. Colleagues depend on a reliable, yet cost effective deployment of the technologies, trustworthy processes and it’s our jobs as IT Pros to make it happen.
This session covers the eight most common mistakes we see in the field in organizations that have deployed Hybrid Identity. Learn from their mistakes, whether you’ve already deployed Hybrid Identity and want to make your implementation more robust or holding off deploying Hybrid Identity to not step into these pitfalls.

Join us!

The Cloud Identity Summit is an online event for the safety of attendees and speakers. Presentations will be delivered over Microsoft Teams.

Registration is now open via the Azure Bonn Meetup Site. Please feel free to contact us for any questions.

Posted on September 23, 2021 by Sander Berkouwer in Community, Microsoft MVP, Personal

0  

Hardening SMB on Domain Controllers, Step 3: Disabling SMB Null sessions

This entry is part 3 of 3 in the series Hardening SMB on Domain Controllers

Server Message Block

Server Message Block (SMB) is a critical component for any Microsoft-oriented networking environment. That’s why hardening SMB is one of the critical steps in securing Active Directory Domain Controllers.

In the first part of this series, I’ve shown you how to report on incoming SMB connections on your Active Directory Domain Controllers. Now, let’s put the data to work. Let’s disable SMB null sessions.

 

The trouble with SMB null sessions

Active Directory is a technology that offers authentication, authorization and auditing. Access is granted (authorized) after authentication. But what if you can get access to certain resources without authenticating?

That is exactly what a null session can achieve. When an SMB session is set up anonymously, or with a guest account, this is commonly referred to as an SMB null session. Connecting without credentials eats away at everything Active Directory stands for… yet, many pentests will point out clearly that this is what Domain Controllers allow with default Operating System settings.

There’s debate whether null sessions are actually still around with default settings, but for argument’s sake, let’s disable them.

 

Getting rid of SMB null sessions

When we disable SMB null sessions, we might break the functionality other solutions offer to our infrastructure. This is undesirable. Therefore, we report on SMBv1, SMBv2 and SMB null sessions, before we disable any of them.

Disabling SMB null sessions

For Domain Controllers running Windows Server 2016, run the following three lines in an elevated Windows PowerShell session to disable SMB null sessions:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name RestrictAnonymous -Value 1 -PropertyType DWORD -Force

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name RestrictAnonymousSAM -Value 1 -PropertyType DWORD -Force

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name EveryoneIncludesAnonymous -Value 0 -PropertyType DWORD -Force

 

Concluding

Disabling SMB null sessions on Active Directory Domain Controllers improves the security posture of your Microsoft-oriented networking environment.

Posted on September 22, 2021 by Sander Berkouwer in Active Directory, SMB

0  

VMware fixes 19 vulnerabilities in vCenter Server (VMSA-2021-0020)

VMSA-2021-0014

Today, VMware released an update that addresses nineteen vulnerabilities in vCenter Server. These two vulnerabilities can be used to compromise vCenter Server installations and the ESXi host they manage.

Note:
The vulnerabilities exist in VMware Cloud Foundation, too.

 

About vCenter Server

VMware vCenter Server, formerly known as VirtualCenter, is the centralized management tool for the vSphere suite. vCenter Server allows for the management of multiple ESXi hosts and virtual machines (VMs) from different ESXi hosts through a single console or web application.

 

About the vulnerabilities

The following vCenter Server vulnerabilities are addressed today:

  • CVE-2021-21991 Local privilege escalation vulnerability
  • CVE-2021-21992 XLM parsing Denial of Service vulnerability
  • CVE-2021-21993 SSRF vulnerability
  • CVE-2021-22005 File upload vulnerability Critical
  • CVE-2021-22006 Reverse proxy bypass vulnerability
  • CVE-2021-22007 Local information disclosure vulnerability
  • CVE-2021-22008 Information disclosure vulnerability
  • CVE-2021-22009 VAPI multiple denial of service vulnerabilities
  • CVE-2021-22010 VPXD denial of service vulnerability
  • CVE-2021-22011 Unauthenticated API endpoint vulnerability
  • CVE-2021-22012 Unauthenticated API information disclosure vulnerability
  • CVE-2021-22013 File path traversal vulnerability
  • CVE-2021-22014 Authenticated code execution vulnerability
  • CVE-2021-22015 Improper permission local privilege escalation vulnerabilities
  • CVE-2021-22016 Reflected XSS vulnerability
  • CVE-2021-22017 rhttpproxy Bypass vulnerability
  • CVE-2021-22018 File deletion vulnerability
  • CVE-2021-22019 Denial of Service vulnerability
  • CVE-2021-22020 Analytics service denial of service vulnerability

 

About the fix

VMware addressed the vulnerabilities in the following versions:

  • For vCenter Server 7.0, version 7.0 Update 2d and up is no longer vulnerable.
  • For vCenter Server 6.7, version 6.7 Update 3o and up is no longer vulnerable.
  • For vCenter Server 6.5, version 6.5 Update 3q and up is no longer vulnerable.

 

Concluding

Please install the updates for the version(s) of vCenter Server in use within your organization, as mentioned above and in the advisory for VMSA-2021-0020.

Further reading

VMware updated the patch for CVE-2020-3992 to completely address the Remote Code Execution Vulnerability (Critical, CVSSv3 9.8)
Two vulnerabilities in VMware ESXi may lead to virtual Domain Controller compromise (Critical, VMSA-2020-0026, CVE-2020-4004, CVE-2020-4005)
VMSA-2021-0014 updates for VMware ESXi and vCenter address two security vulnerabilities (CVE-2021-21994, CVE-2021-21995)

Posted on September 21, 2021 by Sander Berkouwer in VMware, VMware vExpert

0  

ProTip! Use USMT GUI to migrate HAADJ to AADJ profiles

Lately, Microsoft is advocating moving away from the Hybrid Azure AD Join model to the Azure AD Join model, leaving the traditional domain-join model behind.

Microsoft feels it’s time to leave ye ol’ Active Directory behind, but a lot of settings, preferences, files and folders are still part of this legacy. They are part of the profile.

How does an organization cope with transitioning that data to make the transition from a traditional domain-joined device or a hybrid Azure AD-joined device to a cloud all-in Azure AD-joined device?

 

About join types

Many organizations are embracing Hybrid Identity, where Active Directory and Azure AD are working together, but where Active Directory remains in the lead. Microsoft is turning the table towards Modernized Identity, where Azure AD fulfills some of the roles typically assigned to Active Directory.

One of these roles is joining of devices. Today, we have four join types:

  • Active Directory domain-join
  • Hybrid Azure AD Join
  • Azure AD Join
  • Register with Azure AD

For organizational devices running Windows 10, only the first three types apply. The latter join type applies to personal devices and devices running iOS and Android.

In the past few years, we’ve seen organizations expand on the traditional domain-join with Hybrid Azure AD Join. This way, AD-joined devices were made known in Azure AD and made aware of Azure AD and its seamless authentication stack towards cloud applications.

Now, Microsoft tells us it’s time to take the Azure AD Join route.

 

The trouble with profiles

When a device performs its Azure AD Join, it creates a new profile and doesn’t reference any existing profile.

This means, a person in your organization starts with a fresh clean profile. Sometimes, this is a good thing. Most of the times, however, people will miss their Start Menu lay-out and choices in desktop backgrounds, mouse cursors and sounds at first glance.

In terms of productivity, they will also miss their browser favorites, stored browser passwords, recently-used lists, Outlook settings, custom spell check settings and other application settings. When data is stored in local profiles, email messages, pictures and documents would go missing, too.

 

Getting a profile across

For typical profile migration purposes, Microsoft long ago introduced the User State Migration Tool (USMT). However, Microsoft has abandoned further development. USMT does not support profiles on Azure AD-joined devices.

To get a profile across from a traditional domain-joined device or a hybrid Azure AD-joined device to an Azure AD-joined device, you can use Thomas Ehler’s USMT GUI.

Thomas is a system specialist from Denmark. He writes tools for IT Pro’s. Originally, he wrote a Graphical User Interface (GUI) for Microsoft’s USMT tool, but he has iterated further. Going beyond the functionality of USMT, his USMT GUI tool can migrate profiles to Azure AD-joined devices.

Unfortunately, the cheapest license that includes USMT GUI’s ‘Migrate local profile to logged in Azure user’ and ‘Restore User profile to logged in Azure user’ options is the Corporate license. It sets your organization back USD 300…

Yet, for many organizations this is a small price to pay to get productivity flowing on newly deployed devices fast.

Posted on September 20, 2021 by Sander Berkouwer in Active Directory, Azure Active Directory, Tools I Use

0  

Azure AD Connect v2.0.25.1 addresses a security issue and other bugs

Azure AD Connect

The lost two months have been a bonanza for Azure AD Connect releases. What started out with the first v2 release on July 20th, led to a security release three weeks later and two bug fix releases another week later. Now, four weeks after that last release, Azure AD Connect v2.0.25.1 sees the light. It squashes another list of bugs, but also fixes a security issue.

Note:
None of the v2 releases mentioned above are released for automatic upgrade. Manual upgrades are required to gain the new functionality and security levels once you're on the Azure AD Connect v2 path.

What's New

Here's what's new in Azure AD Connect version v2.0.25.1:

Soft matching can be disabled (Recommended unless used)

Microsoft added a configuration option to disable the Soft Matching feature in Azure AD Connect. Microsoft advises organizations to disable soft matching unless they need it to take over cloud only accounts. To disable Soft Matching, use the following lines of Windows PowerShell:

Connect-MsolService

Set-MsolDirSyncFeature -Feature BlockSoftMatch -Enable $True

To re-enable Soft Matching, use the following lines of Windows PowerShell:

Connect-MsolService

Set-MsolDirSyncFeature -Feature BlockSoftMatch -Enable $False

Latest versions of the Connectors

Microsoft added the version 1.1.1610.0 of the MIM Connectors, that Azure AD Connect share with Microsoft Identity Manager and ForeFront Identity Manager.

The September 2021 release of these connectors includes an updated SQL Connector, that adds support for query-based export strategies for additional types of data sources.

When using Azure AD Connect with LDAPv3 compatible identity sources, instead of Active Directory Domain Services, these fixes were incorporated in the LDAP connector:

  • An issue is fixed with Kerberos authentication by enabling 3-part service principal name (SPN) authentication for LDAP connections
  • An issue is fixed with a drop-down menu that enables hashing of OpenLDAP passwords
  • LDAP schema classes processing is improved; inherited classes are now processed when parent class is in scope

What's Fixed

Here's what's fixed in Azure AD Connect version v2.0.25.1:

  • A security issue is addressed where an unquoted path was used to point to the Azure AD Connect service. This path is now a quoted path.
  • An import config issue is addressed with writeback enabled when using the existing AD connector account.
  • An issue is addressed in the Set-ADSyncExchangeHybridPermissions and other related cmdlets, which were broken from Azure AD Connect version 1.6 due to an invalid inheritance type.
  • The Set-ADSyncToolsTls12 Windows PowerShell cmdlet had an issue where it overwrites the registry keys, destroying any values that were in them. This issue is addressed by changing the functionality of the cmdlet. Now, the cmdlet only creates new registry keys if they do not already exist. A warning is also added to let admins know the TLS registry changes are not exclusive to Azure AD Connect and may impact other applications on the same Windows Server installation as well.
  • A check is added to enforce automatic upgrades for Azure AD Connect v2 releases to require Windows Server 2016 or newer versions of Windows Server.
  • Active Directory Replicating Directory Changes permissions are added to the permission set configured by the Set-ADSyncBasicReadPermissions Windows PowerShell cmdlet.
  • A change is made to prevent using both the UseExistingDatabase switch and Import configuration funcitonality together, since the combination could contain conflicting configuration settings.
  • A change is made to allow a user with the Application Administrator role in Azure AD to change the App Proxy service configuration.
  • The (Preview) label is removed from the labels of the Import/Export settings functionality. This functionality has been generally available for some time now…
  • Some labels that still refered to Company Administrator have been changed. This role was renamed to Global Administrator in February 2021, but still lingered within Azure AD Connect.
  • New Azure AD Kerberos PowerShell cmdlets *-AADKerberosServer were created to add a Claims Transform rule to the Azure AD Service Principal.

Version information

This is version 2.0.25.1 of Azure AD Connect.
This release in the 2.x branch for Azure AD Connect was made available for download as a 153 MB weighing AzureADConnect.msi on September 14, 2021.

Posted on September 16, 2021 by Sander Berkouwer in Azure AD Connect, What's New

0  

Hardening SMB on Domain Controllers, Step 2: Disabling SMBv1

This entry is part 2 of 3 in the series Hardening SMB on Domain Controllers

Server Message Block (SMB) is a critical component for any Microsoft-oriented networking environment. That’s why hardening SMB is one of the critical steps in securing Active Directory Domain Controllers.

In the first part of this series, I’ve shown you how to report on incoming SMB connections on your Active Directory Domain Controllers. Now, let’s put the data to work. Let’s disable SMB versions that are no longer used or shouldn’t be used anymore throughout your networking environment.

 

The trouble with old versions of SMB

The original Server Message Block (SMB) protocol, known as version 1, is over 30 years old. It was conceived in a world before the Internet and was designed for safe networks. Because of its legacy, it’s underperforming, it doesn’t offer encryption and uses signing based on weak hashing methods. Yet, it was the default version of SMB shipping with Windows until Windows Server 2003. Today, Microsoft urges you to stop using SMBv1.

When comparing to SMBv1, SMB version 2 introduced performance improvements, symbolic links and SHA-256 message signing in 2006 with Windows Vista.

SMBv2 offers a much better alternative than SMBv1, but still SMBv3 is the version you’d want to see negotiated. Especially since SMBv3 offers end-to-end encryption. Yet, this version wasn’t released until Windows 8.1 and Windows Server 2012 R2.

SMBv2 is currently not as problematic as SMBv1 and thus as urgent as disabling SMBv1. In time, though, SMBv2 will also prove to be too insecure to leave around.

 

Why SMBv1 is still around

You’d think that when all devices and servers on the network run supported Operating Systems (OSs), you wouldn’t see any SMBv1 or SMBv2 around. Reality, however, is stubborn. Your networking infrastructure doesn’t merely run Windows. It also features printers that are capable of storing scanned documents onto a file share, virtualization products from different vendors, management solutions, backup solutions, etc.

The SMB1 Product Clearinghouse offers an overview of solutions, services, applications, products and devices still actively requiring SMBv1.

 

Getting rid of SMBv1

When we disable SMBv1, we might break the functionality these other solutions offer to our infrastructure. This is undesirable. Therefore, we report on SMBv1, SMBv2 and SMB null sessions, before we disable any of them.

When you have found SMBv1 connections this way, you have three approaches to get rid of them:

  1. Check the SMB1 Product Clearinghouse for the solution, service, application, product and/or device that still uses SMBv1. If the vendor provides an upgrade path to a version of the solution, service, application, product and/or firmware for the device, apply it.
  2. If the solution, service, application, product and/or device is not listed in the SMB1 Product Clearinghouse, contact a sales representative for the product and ask for a solution. Then, send an email to StillNeedsSMB1@microsoft.com to get the product added to the clearinghouse page.
  3. If the solution, service, application, product and/or device that still uses SMBv1 is older than fifteen years, chuck it. Don’t expect any help. Replace it with a product, service, application and/or device that is not listed in the SMB1 Product Clearinghouse.

 

Disabling SMBv1

Disabling SMBv1 is actually straightforward. For Domain Controllers running Windows Server 2016, run the following three lines in an elevated Windows PowerShell session:

$P = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

New-ItemProperty -Path $P -Name SMB1 –PropertyType DWORD –Value 0 –Force

Remove-WindowsFeature FS-SMB1

 

Concluding

Disabling SMBv1 on Active Directory Domain Controllers improves the security posture of your Microsoft-oriented networking environment.

Posted on September 15, 2021 by Sander Berkouwer in Active Directory, SMB

2  

KnowledgeBase: The Windows Server 2022 Active Directory DFL and FFL do not exist

Windows Server 2022

Just as there are no Windows Server 2019 Forest Functional Level (FFL) or Windows Server 2019 Domain Functional Level (DFL), there are no Windows Server 2022 FFL or DFL either in Microsoft Windows Server’s Active Directory Domain Services (AD DS).

 

Impact

The unavailability of the Windows Server 2022 Forest Functional Level (FFL) and Windows Server 2022 Domain Functional Level (DFL) has the following impact:

  • There are, apparently, no new features in Active Directory Domain Services in Windows Server 2019 or Windows Server 2022, that require a new Domain Functional Level.
  • There are, apparently, no new features in Active Directory Domain Services in Windows Server 2019 or Windows Server 2022, that require a new Forest Functional Level.
  • When upgrading or transitioning Active Directory from Windows Server 2016 to Windows Server 2019 or Windows Server 2022, the Domain Functional Level (DFL) and Forest Functional Level (FFL) do not have to be raised. This eliminates two steps of the process.
  • When upgrading or transitioning Active Directory from Windows Server 2012 or Windows Server 2012 R2 to Windows Server 2019 or Windows Server 2022, the Domain Functional Level (DFL) and Forest Functional Level (FFL) only need to be raised to Windows Server 2016.
  • There is no way to limit the ability for Active Directory admins (for domains in an Active Directory forest) to install Windows Server 2016-based Domain Controllers or Windows Server 2019-based Domain Controllers in an environment with Windows Server 2022-based Domain Controllers. However, since Windows Server 2012, there is a way to limit promotions of Domain Controllers altogether.

Not only are the Windows Server 2022 Forest Functional Level (FFL) and Windows Server 2022 Domain Functional Level (DFL) missing, Windows Server 2022 does not even require a schema update. Active Directory schema version 88 is the latest schema version, and it has been around since Windows Server 2019. When you promote a server to a Domain Controller, however, a Windows Server 2022 installation automatically performs any schema update you may need to become the first Windows Server 2022 Domain Controller.

 

About Active Directory Functional Levels

In previous versions of Active Directory, each Windows Server version was accompanied by a corresponding Forest Functional Level (FFL) and Domain Functional Level (DFL).

When upgrading Domain Controllers to newer versions of Windows Server or transitioning to Domain Controllers running newer versions of Windows Server, the functional levels would unlock new functionality on either the Active Directory forest or Active Directory domain level.

RAISING FUNCTIONAL LEVELS

Only when all Domain Controllers for an Active Directory domain would run the newer version of Windows Server, could an Active Directory admin raise the Domain Functional Level (DFL) to the version corresponding with the version of Windows Server.

Only when all domains for an Active Directory forest would run the newer Domain Functional Level (DFL), could an Active Directory admin raise the Forest Functional Level (FFL) to the version corresponding with the version of the domains.

LOWERING FUNCTIONAL LEVELS

Starting with the Windows Server 2008 levels, you can revert to lower Domain Functional Levels and Forest Functional Levels.

Note:
The lowest levels to return to are the Windows Server 2008 Forest Functional Level (FFL) and the Windows Server 2008 Domain Functional Level (DFL).

Note:
Only when the Active Directory Forest Functional Level (FFL) is lowered to a lower version, can any Active Directory domains be lowered to a lower version of the Active Directory Domain Functional Level (DFL).

Note:
Only when the Active Directory Recycle Bin additional features is not implemented, can the Active Directory Forest Functional Level (FFL) be lowered from the Windows Server 2008 R2 to the Windows Server 2008 Forest Functional Level (FFL).

This paints the following picture:

DFLs&FFLs2019

FURTHER READING

KnowledgeBase: The Windows Server 2019 Active Directory DFL and FFL do not exist
Preventing Domain Controller promotions, cloning and demotions
New features in AD DS in Windows Server 2012, Part 3: New Upgrade Process
How to Revert Back or Lower the Active Directory Forest and Domain Functional Levels
Forest and Domain Functional Levels

Posted on September 14, 2021 by Sander Berkouwer in Active Directory, Microsoft Windows Server 2022

2  

Hornetsecurity’s 365 Threat Monitor: Get rid of unwanted and potentially dangerous messages

HornetSecurity 365 Threat Monitor

Any messaging administrator will tell you that it’s hard to fight against spam. As we read about most cybersecurity incidents starting with (spear)phishing attacks, it also becomes increasingly clear messaging administrators in small and medium-sized business need to work harder or smarter to protect their colleagues.

Messaging in the modern age

Many organizations started their cloud journey by bringing their messaging functionality to the cloud. Organizations that were previously using Microsoft Exchange Server opted to migrate to Business Processes Online Suite (BPOS), rebranded to Office 365 in 2011, and currently referred to as Microsoft 365.

When creating their business cases, many organizations calculated that the technical maintenance of the solution would be on Microsoft’s plate, whereas the functional maintenance of the solution would remain with the organization or a third party. Today, you can ask the question whether fighting spam, phishing and malware is a purely technical issue, a purely functional issue or a little bit of both.

I feel it’s a little bit of both. I feel that’s also the hardest answer, because it begs the follow-up question:

Who does what?

 

Shared responsibilities

Organizations using Exchange Online as part of Microsoft 365 have come to realize that it’s their responsibility to configure:

  1. Sender Policy Framework (SPF) records,
  2. DomainKeys Identified Mail (DKIM) signatures, and
  3. Domain-based Message Authentication, Reporting and Conformance (DMARC).

Microsoft provides the TXT DNS record for SPF from the get-go. DKIM rules can be configured in the Microsoft 365 Security & Compliance portal and Valimail offers a sublime free DMARC reporting tool.

From within the Microsoft 365 platform, Microsoft also provides messaging security features. The default anti-malware policy, anti-phishing policy (augmented with optional tenants allowed or blocked for/from spoofing) and Exchange Online’s default inbound, outbound and connection filter anti-spam policies offer some relief and ways to fight the worst unwanted messages.

While Microsoft is not a pure information security company, they offer solutions beyond the built-in features in the platform. Their Microsoft Defender suite of products and services offer more granular and more robust information security measures. Unfortunately, these solutions are only available to organizations who opted for the most expensive Microsoft cloud licenses and add-ons.

 

Hornetsecurity’s 365 Threat Monitor to the rescue!

To close the gap between what Microsoft offers with Office 365 E3 and what organizations need to do, Hornetsecurity now offers its 365 Threat Monitor service.

Microsoft’s default policies and rules do not offer adequate protection, allowing phishing and spam messages to enter the organization’s mailboxes. 365 Threat Monitor detects any threats that breach the built-in Office 365 security policies. Once it identifies a malicious email, it sends a phone and mail alert to admins so they can instantly delete the suspicious and/or malicious message to prevent any damage in near real time.

Is it a bird? Is it a plane? It’s an app.

365 Threat Monitor is a mobile app that is available for iOS, iPadOS and Android.

The idea of a mobile app is genius and inventive. With Microsoft’s plethora or portals, a portal with important messages can be easily overlooked. Messages via mail run the risk of being intercepted straight after compromise and for most admins I know they lack urgency. I think a mobile device is the only device that an admin has on him or her all the time and where notifications are seldomly missed.

Registering the 365 Threat Monitor service on a mobile device has its challenges, though:

  1. The Threat Monitor App by service principal is easily registered in Azure AD. For many admins, it’s already unclear how some apps integrate with their Azure AD tenants and achieving this level of integration from within a mobile app feels hazardous.
  2. When an admin would create documentation of the registration process, it would consist of a couple of mobile screenshots. Threat Monitor’s API permissions are displayed in the language of the device. In multi-language teams, this language barrier might lead to inadequate understanding of what the service does.
  3. The registration process works even with multi-factor authentication enabled for the entire tenant. However, multi-factor authentication on the same device doesn’t feel as out-of-band when compared to performing MFA when accessing the portal in a desktop browser.

The entire registration process is lightning fast, though.

What happens under the hood when you configure the app

The way 365 Threat Monitor works is by registering an enterprise application in Azure AD and assigning it:

  1. The Cloud App Administrator role in Azure AD
  2. The Reports Reader role in Azure AD
  3. The delegated Sign in and read user profile permission to the Microsoft Graph API
  4. The Read and write all applications application permission to the Microsoft Graph API
  5. The Read directory data application permission to the Microsoft Graph API
  6. The Manage app permission grants and app role assignments application permission to the Microsoft Graph API
  7. The Read and write all directory RBAC settings application permission to the Microsoft Graph API
  8. The Exchange Service Administrator role in Azure AD
  9. The Manage Exchange As Application permission in Exchange Online.

These last two permissions are achieved through a temporary Hornetsecurity Automation service principal. After its work is done, the Hornetsecurity Automation service principal is removed from Azure AD.

The above API permissions require admin consent. This consent is asked when the first admin configures the app. Any additional admin is just added as a user to the Threat Monitor App by enterprise application in Azure AD.

Because 365 Threat Monitor works as an enterprise application, the organization does not need to change MX records in DNS. The flow of inbound and outbound messages does not change, as is the case when you install and use many other third-party solutions.

Filtering and detection

I’ll admit that I was skeptical at first: an organization like Hornetsecurity outperforming Microsoft at the game that Microsoft has been playing since cc:Mail? I must’ve sounded like the typical naysayer before the David vs. Goliath battle. Yet, not long after the initial registration, 365 Threat Monitor issued its first app notification and sent me its first message giving me a heads up on a message flagged as high threat level. Clicking on the app notification took me to the Alerts list within the app. It was indeed a suspicious message that Microsoft 365 did not detect. I deleted it instantly … straight from the mobile app.

Threat statistics and reporting at your fingertips

Before that, I could also see messages in people’s mailboxes flagged with the moderate threat level. The 365 Threat Monitor app started displaying meaningful information and statistics after the initial registration. It helped me get a grip on the current messaging security status of the Microsoft 365 tenant. Its Top targets list is something I was craving for some time, as it’s nearly impossible to educate everybody within the organization on proper message hygiene. I can see how specifically targeting these people with additional messaging on how to cope with suspicious and malicious messages could pay off in a big way in the long run.

The Protection that 365 Threat Monitor delivers

Of course, the proof is in the pudding. Since the configuration of the 365 Threat Monitor app, the app has reported and notified of messages including:

  1. Malware, including ransomware, viruses and spyware,
  2. Phishing,
  3. Spoofed sender identities and content, and
  4. Spam and unwanted advertisements.

Yes, I also encountered some false positives. Currently, the mobile app does not offer a way to flag these messages as false positives, so they’ll remain visible in the Alerts list, as long as the alert fits the selected time frame at the top of the list.

 

Get onboard!

Hornetsecurity offers its 365 Threat Monitor service for free to the first 10,000 Microsoft 365 admins who sign up for the service.

Combined with SPF, DKIM and DMARC, it should help you fight spam, phishing and malware throughout your Microsoft 365 messaging infrastructure.

365 Threat Monitor and 365 Total Protection

Hornetsecurity’s 365 Threat Monitor is part of the larger 365 Total Protection packages, starting at USD 2 per user per month. While 365 Threat Monitor is a free tool, it is also limited. The ability to delete messages from user’s mailboxes is limited. Whenever you delete a message, a pop-up informs you of the number of allowed deletes left. Of course, the pop-up windows provides an Upgrade now! button for your convenience.

Posted on September 13, 2021 by Sander Berkouwer in Microsoft Graph API, Microsoft Office, Recommended Practices, Systems Administration, Tools I Use

0