What's New in Microsoft Defender for Identity in November 2022

Microsoft Defender for Identity

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

 

What’s New

In November 2022, one new version of Microsoft Defender for Identity was released: Version 2.194. This version was released on November 10, 2022.

This release introduced the following functionality:

 

New Health Alert

Just like with version 2.192 (October 23, 2022), a new health alert was introduced. As Defender for Identity relies on healthy sensors on all Domain Controllers, health alerts help keep an eye on sensor health.

When Directory Services Advanced Auditing is not configured correctly, a health alert with Medium severity is shown on the Sensors settings page in the Microsoft 365 Defender portal. Admins should reconfigure the Advanced Auditing settings to remediate this issue. Microsoft's documentation advises configuring these settings by changing the Default Domain Controllers Policy in Group Policy Management, but my recommendations would be to:

  • Configure the required settings in a separate Group Policy object and target it at the Domain Controllers OU. This way, the Default Domain Controllers Policy can be reset when needed without impacting Microsoft Defender for Identity.
  • Configure the required preferences in a separate Group Policy object and target it at the Domain Controllers OU. This way, settings and preferences are not stored in one Group Policy object and do not impact the speed with which Group Policy is applied.

 

Honeytoken issues resolved

Microsoft Defender for Identity offers the ability to define honeytoken accounts, which are used as traps for malicious actors. Any authentication involving these (normally dormant) honeytoken accounts triggers a honeytoken activity (external ID 2014) alert.

Starting with Defender for Identity version 2.191, any LDAP or SAMR query against these honeytoken accounts will trigger an alert. In addition, if event 5136 is audited, an alert will be triggered when one of the attributes of the honeytoken was changed or if the group membership of the honeytoken was changed.

However, some of these changes were not enabled properly. Those issues have been resolved now.
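As an added example (not code from the original post or from Microsoft), the check below shows the defender-side logic behind the attribute-change trigger described above: it inspects Security event 5136 (directory object modified) records and flags those whose ObjectDN is one of your honeytoken accounts. The honeytoken DN, the DC name and the sample event are constructed placeholders.

```powershell
# Constructed honeytoken list; replace with the distinguished names of your own trap accounts
$honeytokens = @('CN=svc-backup-legacy,OU=Service Accounts,DC=corp,DC=example')

function Test-HoneytokenEvent {
    # Returns a summary object when the event is a 5136 record touching a honeytoken, else $null
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        [string[]]$HoneytokenDn = $honeytokens
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    $eventId = [int]$EventXml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
    if ($eventId -ne 5136) { return $null }

    # Collect the named EventData fields of a 5136 record into a hashtable
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    if ($HoneytokenDn -notcontains $data['ObjectDN']) { return $null }

    [pscustomobject]@{
        Honeytoken = $data['ObjectDN']
        Attribute  = $data['AttributeLDAPDisplayName']
        Value      = $data['AttributeValue']
        Actor      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Operation  = $data['OperationType']
        Source     = $EventXml.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
    }
}

# Live use against a Domain Controller (requires Directory Service Changes auditing, which
# is what produces event 5136); dc01 is a constructed name:
# Get-WinEvent -ComputerName dc01 -FilterHashtable @{LogName='Security'; Id=5136} -MaxEvents 500 |
#     ForEach-Object { Test-HoneytokenEvent -EventXml ([xml]$_.ToXml()) } | Where-Object { $_ }

# Offline demonstration with a constructed 5136 record
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><Computer>dc01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">CN=svc-backup-legacy,OU=Service Accounts,DC=corp,DC=example</Data>
    <Data Name="AttributeLDAPDisplayName">servicePrincipalName</Data>
    <Data Name="AttributeValue">MSSQLSvc/db01.corp.example</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@
Test-HoneytokenEvent -EventXml ([xml]$sample) | Format-List
```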

 

Defender for Endpoint integration no longer supported

Previously, forwarding Defender for Identity alerts to Defender for Endpoint required separate actions. This integration between Defender for Endpoint and Defender for Identity provided the flexibility of conducting cyber security investigations across activities and identities. As of December 2022, the integration with Microsoft Defender for Endpoint from Defender for Identity is no longer supported.

Microsoft highly recommends using the Microsoft 365 Defender portal which has the integration built-in.

Improvements and bug fixes

Version 2.193 includes improvements and bug fixes for the internal sensor infrastructure.


What's New in Azure Active Directory for November 2022

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for November 2022:

 

What’s Planned

IPv6 coming to Azure AD Public Preview

Service category: Identity Protection
Product capability: Platform

With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access their services and applications from IPv6 clients and networks. This month, Microsoft is excited to announce their plan to bring IPv6 support to Azure AD. This will allow organizations to reach the Azure AD services over both IPv4 and IPv6 network protocols (dual stack).

Note:
For most organizations, IPv4 won't completely disappear from their digital landscape, so Microsoft isn’t planning to require IPv6 or to de-prioritize IPv4 in any Azure AD features or services.

Microsoft will begin introducing IPv6 support into Azure AD services in a phased approach, beginning March 31, 2023.

 

What’s New

Workload Identity Federation for Managed Identities Public Preview

Service category: Managed identities for Azure resources
Product capability: Developer Experience

Developers can now use Managed Identities (MIs) for their software workloads running anywhere, and for accessing Azure resources, without needing secrets. Key scenarios include:

  • Accessing Azure resources from Kubernetes pods running on-premises or in any cloud.
  • GitHub workflows to deploy to Azure, no secrets necessary.
  • Accessing Azure resources from other cloud platforms that support OIDC, such as Google Cloud.

 

Dynamic Group pause functionality Public Preview

Service category: Group Management
Product capability: Directory

Admins can now pause, and resume, the processing of individual dynamic groups in the Entra Admin Center.

 

Enabling customization capabilities for the Self-Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icons in Company Branding Public Preview

Service category: Directory Management
Product capability: Directory

This feature updates the company branding functionality on the Azure AD and Microsoft 365 sign in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icon.

 

Enabling extended customization capabilities for sign-in and sign-up pages in Company Branding capabilities Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

This feature updates the Azure AD and Microsoft 365 sign in experience with new company branding capabilities. Admins can apply the organization’s brand guidance to authentication experiences with pre-defined templates.

 

Authenticator on iOS is FIPS 140 compliant General Availability

Service category: Microsoft Authenticator App
Product capability: User Authentication

Authenticator version 6.6.8, and higher, on iOS is FIPS 140 compliant for all Azure AD authentications using push multi-factor authentications (MFA), Password-less Phone Sign-In (PSI), and time-based one-time pass-codes (TOTP). No changes in configuration are required in the Authenticator app or Azure portal to enable this capability.

 

Soft Delete for Administrative Units General Availability

Service category: Directory Management
Product capability: Directory

Administrative Units (AUs) now support soft deletion. Admins can now list, view properties of, or restore deleted AUs using the Microsoft Graph. This functionality restores all configuration for the AU when restored from soft delete, including memberships, admin roles, processing rules, and processing rules state.

This functionality greatly enhances recoverability and resilience when using AUs. Now, when an AU is accidentally deleted it can be restored quickly to the same state it was in at the time of deletion, removing uncertainty around how things were configured and making restoration quick and easy.

 

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

 

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2022, Microsoft has added the following 22 new applications to the Azure AD App gallery with Federation support:

 

What’s Changed

Use Web Sign-in on Windows for password-less recovery with Temporary Access Pass General Availability

Service category: N/A
Product capability: User Authentication

For users who don't know or use a password, the Temporary Access Pass (TAP) can now be used to recover Azure AD-joined devices when the EnableWebSignIn policy is enabled on the device.


On-premises Identity-related updates and fixes for November 2022

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for November 2022:

 

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB5019964 November 8, 2022

The November 8, 2022, update for Windows Server 2016 (KB5019964) updating the OS build number to 14393.5501, is a monthly cumulative update that includes the following Identity-related improvements:

  • It provides Kerberos protocol changes to address CVE-2022-37966, a Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
  • It provides Kerberos protocol changes to address CVE-2022-37967, a Windows Kerberos Elevation of Privilege Vulnerability
  • It provides Netlogon protocol changes to address CVE-2022-38023, a Netlogon RPC Elevation of Privilege Vulnerability
  • It addresses an issue that affects Distributed Component Object Model (DCOM) authentication hardening. Microsoft will automatically raise the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. This occurs if the authentication level is below Packet Integrity.
  • It addresses an issue that affects the Microsoft Azure Active Directory Application Proxy connector. It cannot retrieve a Kerberos ticket on behalf of the user. The error message is:

The handle specified is invalid (0x80090301)

  • It addresses an issue that affects the Forest Trust creation process. It fails to add the Domain Name System (DNS) name suffixes to the trust information attributes. This occurs after you install the January 11, 2022, or later updates.
  • It addresses an issue that affects Domain Controllers. The Domain Controller writes an event with Event ID 21 and source Key Distribution Center (KDC) in the System event log. This occurs when the KDC successfully processes a Kerberos Public Key Cryptography for Initial Authentication (PKINIT) authentication request using a self-signed certificate for key trust scenarios. This includes Windows Hello for Business and Device Authentication.
  • It addresses an issue that affects the Microsoft Visual C++ Redistributable Runtime. It does not load into the Local Security Authority Server Service (LSASS) when you enable Protected Process Light (PPL).

Note:
After installing this or later updates on Domain Controllers, you might experience a memory leak with Local Security Authority Subsystem Service (LSASS.exe). Depending on the workload of the Domain Controllers and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of the server. The server might become unresponsive or automatically restart.

 

KB5021654 November 17, 2022 Out of Band

The November 17, 2022, update for Windows Server 2016 (KB5021654) updating the OS build number to 14393.5502, is an out-of-band update that addresses a known issue that affects Windows Servers that have the Domain Controller role. They might have Kerberos authentication issues.

 

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5019966 November 8, 2022

The November 8, 2022, update for Windows Server 2019 (KB5019966) updating the OS build number to 17763.3650, is a monthly cumulative update that includes the following Identity-related improvements:

  • It provides Kerberos protocol changes to address CVE-2022-37966, a Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
  • It provides Kerberos protocol changes to address CVE-2022-37967, a Windows Kerberos Elevation of Privilege Vulnerability
  • It provides Netlogon protocol changes to address CVE-2022-38023, a Netlogon RPC Elevation of Privilege Vulnerability
  • It addresses an issue that affects Distributed Component Object Model (DCOM) authentication hardening. Microsoft will automatically raise the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. This occurs if the authentication level is below Packet Integrity.
  • It addresses a DCOM issue that affects the Remote Procedure Call Service (rpcss.exe). It raises the authentication level to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY instead of RPC_C_AUTHN_LEVEL_CONNECT if RPC_C_AUTHN_LEVEL_NONE is specified.
  • It addresses an issue that affects the Microsoft Azure Active Directory Application Proxy connector. It cannot retrieve a Kerberos ticket on behalf of the user. The error message is:

The handle specified is invalid (0x80090301)

  • It addresses an issue that affects focus order. This issue occurs when you tab from the password field on a credentials page.
  • It addresses an issue that affects the Forest Trust creation process. It fails to add the Domain Name System (DNS) name suffixes to the trust information attributes. This occurs after you install the January 11, 2022, or later updates.

Note:
After installing this or later updates on Domain Controllers, you might experience a memory leak with Local Security Authority Subsystem Service (LSASS.exe). Depending on the workload of the Domain Controllers and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of the server. The server might become unresponsive or automatically restart.

 

KB5021655 November 17, 2022 Out of Band

The November 17, 2022, update for Windows Server 2019 (KB5021655) updating the OS build number to 17763.3653, is an out-of-band update that addresses a known issue that affects Windows Servers that have the Domain Controller role. They might have Kerberos authentication issues.

 

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5019081 November 8, 2022

The November 8, 2022, update for Windows Server 2022 (KB5019081) updating the OS build number to 20348.1249, is a monthly cumulative update that includes the following Identity-related improvements:

  • It provides Kerberos protocol changes to address CVE-2022-37966, a Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
  • It provides Kerberos protocol changes to address CVE-2022-37967, a Windows Kerberos Elevation of Privilege Vulnerability
  • It provides Netlogon protocol changes to address CVE-2022-38023, a Netlogon RPC Elevation of Privilege Vulnerability
  • It addresses an issue that affects Distributed Component Object Model (DCOM) authentication hardening. It automatically raises the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. This occurs if the authentication level is below Packet Integrity.
  • It addresses a DCOM issue that affects the Remote Procedure Call Service (rpcss.exe). It raises the authentication level to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY instead of RPC_C_AUTHN_LEVEL_CONNECT if RPC_C_AUTHN_LEVEL_NONE is specified.
  • It addresses an issue that affects the Microsoft Azure Active Directory (AAD) Application Proxy connector. It cannot retrieve a Kerberos ticket on behalf of the user. The error message is:

The handle specified is invalid (0x80090301)

  • It improves Active Directory replication performance in large environments.
  • It addresses an issue that affects the Forest Trust creation process. It fails to place the domain name system (DNS) name suffixes in the trust attributes. This issue occurs on devices that install January 11, 2022, or later updates.
  • It addresses an issue that affects certificate mapping. When it fails, lsass.exe might stop working in schannel.dll.

Note:
After installing this or later updates on Domain Controllers, you might experience a memory leak with Local Security Authority Subsystem Service (LSASS.exe). Depending on the workload of the Domain Controllers and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of the server. The server might become unresponsive or automatically restart.

 

KB5021656 November 17, 2022 Out of Band

The November 17, 2022, update for Windows Server 2022 (KB5021656) updating the OS build number to 20348.1251, is an out-of-band update that addresses a known issue that affects Windows Servers that have the Domain Controller role. They might have Kerberos authentication issues.

 

KB5020032 November 22, 2022 Preview

The November 22, 2022, update for Windows Server 2022 (KB5020032) updating the OS build number to 20348.1311, is a preview update that includes one Identity-related improvement: It addresses an issue that affects cluster name objects (CNO) or virtual computer objects (VCO). Password reset fails. The error message is:

There was an error resetting the AD password… // 0x80070005


Domain Controllers running the latest updates may encounter LSASS memory leaks and unexpected restarts, unless…

After installing the most recent updates on their Domain Controllers, some readers have reported in the comments that the Local Security Authority Subsystem Service (LSASS) process on their Domain Controllers continually increases its memory usage, making the Domain Controllers unresponsive and even causing them to restart automatically…

 

The cause

Many Active Directory admins experienced issues with the Kerberos hardening settings to address CVE-2022-37966. However, this issue is attributed to the Kerberos protocol changes addressing CVE-2022-37967, introduced with the November 8, 2022, cumulative updates (2022.B11). These changes are described in KB5020805.

These changes are not applied with the update, but need to be manually enabled. However, the changes will be automatically enabled with the June 2023 updates.

After applying the November 2022 updates to all Domain Controllers, all Domain Controllers will have signatures added to the Kerberos PAC Buffer. It now seems that this added functionality and the automatic enablement of the feature is causing problems in some environments.

 

The solution

There are two main solutions:

Upgrade Domain Controllers to Windows Server 2022

If you ever wondered on what systems Microsoft's testers test their updates, this issue provides the answer. On Windows Server 2022, this problem is not caused by the Kerberos protocol changes.

Note:
However, you might experience the same issues on Windows Server 2022-based Domain Controllers with third-party software solutions. Use the information in Microsoft’s How to troubleshoot high Lsass.exe CPU utilization on Active Directory Domain Controllers doc to troubleshoot them.

 

Roll back the KrbtgtFullPacSignature protocol changes

If you are not running Microsoft’s latest and greatest and the LSASS process on your Domain Controllers continually increases its memory usage, making your Domain Controllers unresponsive and even causing them to restart automatically, then Microsoft advises rolling back the changes that add signatures to the Kerberos PAC buffer.

To do so, use the following line of Windows PowerShell on all Domain Controllers:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\KDC" -Name KrbtgtFullPacSignature -Value 0 -PropertyType DWORD -Force

 

Note:
The above line of PowerShell removes the Kerberos protocol changes addressing CVE-2022-37967. An authenticated attacker could leverage cryptographic protocol vulnerabilities in Windows Kerberos. If the attacker gains control on the service that is allowed for delegation, they can modify the Kerberos PAC to elevate their privileges.

Note:
For the December 13, 2022 cumulative updates and later updates, Microsoft plans to change the value for the above registry key to 2 on Domain Controllers. When you change the above registry key, you may need to change it again…

Note:
Microsoft intends to remove the ability to disable PAC signature addition with the April 11, 2023 cumulative updates. The above solution will no longer work. It is likely that Microsoft provides a solution for the LSASS memory leakage before this time.
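Because the value of this key changes meaning with the December 2022 updates and the rollback stops working in April 2023, it helps to know which Domain Controllers still carry the value 0 from the line above. The script below is an added example (not from the original post or from Microsoft) that reports the KrbtgtFullPacSignature value and OS build per Domain Controller; it assumes the ActiveDirectory module (RSAT) and WinRM access to the DCs.

```powershell
$regPath   = 'HKLM:\System\CurrentControlSet\Services\KDC'
$valueName = 'KrbtgtFullPacSignature'

function Get-KrbtgtPacSignatureState {
    # Default: every Domain Controller in the current domain
    param([string[]]$DomainController = ((Get-ADDomainController -Filter *).HostName))

    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        param($path, $name)
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        $cv   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $value = if ($null -ne $item) { [int]$item.$name } else { $null }

        # Interpretation limited to what the post states: 0 is the rollback, absent means the
        # update's own default applies, anything else was set deliberately by an admin
        if ($null -eq $value)  { $state = 'value absent; the update default applies' }
        elseif ($value -eq 0)  { $state = 'PAC signatures disabled (rollback from this post)' }
        else                   { $state = "explicitly set to $value" }

        [pscustomobject]@{
            DomainController       = $env:COMPUTERNAME
            OSBuild                = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
            KrbtgtFullPacSignature = $value
            State                  = $state
        }
    } -ArgumentList $regPath, $valueName
}

Get-KrbtgtPacSignatureState |
    Select-Object DomainController, OSBuild, KrbtgtFullPacSignature, State |
    Sort-Object DomainController | Format-Table -AutoSize
```

Windows Server 2022 DCs showing 0 are candidates to reset first, since the post notes they are not affected by the leak.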

 

Concluding

Running Microsoft’s latest and greatest as the Windows Server Operating System on the Domain Controllers saved my bacon with the Kerberos protocol changes addressing CVE-2022-37967.


I’m speaking at the European SharePoint, Office 365 and Azure Conference (ESPC22)

European SharePoint, Office 365 and Azure Conference (ESPC22)

I’m happy to announce that I am returning as a speaker for the European SharePoint, Office 365 and Azure Conference (ESPC) 2022 from November 28th to December 1st, 2022.

 

About ESPC22

The European SharePoint, Office 365 & Azure Conference (ESPC) provides Microsoft 365 and Azure professionals with the expert content and connections to help them achieve professional success through an independent, market-leading annual conference.

ESPC22 returns live and in-person in Copenhagen from November 28th to December 1st, 2022. The ESPC22 Program consists of 4 Microsoft Keynotes, 9 Tutorials and 120 Sessions to leverage Microsoft Teams, Microsoft 365, Azure, Power Platform, SharePoint and more to their greatest ability.

 

About my session

I’ll present a 45-minute session on:

Properly Securing Azure AD Connect and Azure AD Connect Cloud Sync

Thursday, December 1st, 2022, TH18, Level 300

You’ve probably heard of the ways to hack Azure AD Connect’s database. Running Azure AD Connect and Azure AD Connect Cloud Sync in a highly secure networking environment with proxies and high-availability requirements is hard.

Join this session to learn how to implement Azure AD Connect Sync or Azure AD Connect Cloud Sync in a secure way and how to monitor and audit it for proper security. Even when you’re not a security professional, you’ll find that the demos in this session make perfect sense.

Benefits of Attending this Session:

  • Learn how Azure AD Connect fits in the Administrative Tier Model
  • See how to secure Azure AD Connect in action
  • Be ready to start securing Azure AD Connect today

 

Join us!

Join us at the European SharePoint, Office 365 & Azure Conference. Learn, connect and be inspired at Europe’s largest Independent Conference on Microsoft Technologies.

Register here!


HOWTO: Install the most recent Updates on your Domain Controllers

To address a known issue that affects Windows Servers that have the Domain Controller role, Microsoft has released an out-of-band update. After installing the November 2022 cumulative updates on Domain Controllers, you might experience Kerberos authentication issues due to the way Microsoft addressed CVE-2022-37966.

 

Microsoft Windows 2022

Regardless of whether you have installed the November 8, 2022 update for Windows Server 2022 (KB5019081), download the November 17, 2022 update for Windows Server 2022 (KB5021656, 313 MB) manually from the Microsoft Update Catalog and install it on the Domain Controllers. Reboot each Domain Controller after installation.

 

Microsoft Windows 2019

Regardless of whether you have installed the November 8, 2022 update for Windows Server 2019 (KB5019966), download the November 17, 2022 update for Windows Server 2019 (KB5021655, 594 MB) manually from the Microsoft Update Catalog and install it on the Domain Controllers. Reboot each Domain Controller after installation.

 

Microsoft Windows 2016

Regardless of whether you have installed the November 8, 2022 update for Windows Server 2016 (KB5019964), download the November 17, 2022 update for Windows Server 2016 (KB5021654, 1553 MB) manually from the Microsoft Update Catalog and install it on the Domain Controllers. Reboot each Domain Controller after installation.

 

Microsoft Windows 2012 R2

On each Domain Controller running Microsoft Windows 2012 R2, perform these steps:

Install the November 8, 2022 Monthly Rollup update for Windows Server 2012 R2 (KB5020023) or install the November 8, 2022 Security-only update for Windows Server 2012 R2 (KB5020010). Restart the Domain Controller.

Download the November 17, 2022 Out-of-band update for Windows Server 2012 R2 (KB5021653, 36 MB) manually from the Microsoft Update Catalog. Install it and restart the Domain Controller afterward.

 

Microsoft Windows 2012

On each Domain Controller running Microsoft Windows 2012, perform these steps:

Install the November 8, 2022 Monthly Rollup update for Windows Server 2012 (KB5020009) or install the November 8, 2022 Security-only update for Windows Server 2012 (KB5020003). Restart the Domain Controller.

Download the Out-of-band update for Windows Server 2012 (KB5021652, 35 MB) manually from the Microsoft Update Catalog. Install it and restart the Domain Controller afterward.

 

Microsoft Windows 2008 R2

On each Domain Controller running Microsoft Windows 2008 R2 with Service Pack 1, perform these steps:

Install the November 8, 2022 Monthly Rollup update for Windows Server 2008 R2 (KB5020000) or install the November 8, 2022 Security-only update for Windows Server 2008 R2 (KB5020010). Restart the Domain Controller.

Download the November 18, 2022 Out-of-band update for Windows Server 2008 R2 (KB5021651, 38 MB) manually from the Microsoft Update Catalog. Install it and restart the Domain Controller afterward.

 

Microsoft Windows 2008

On each Domain Controller running Microsoft Windows 2008 with Service Pack 2, perform these steps:

Install the November 8, 2022 Monthly Rollup update for Windows Server 2008 (KB5020019) or install the November 8, 2022 Security-only update for Windows Server 2008 (KB5020005). Restart the Domain Controller.

Download the Out-of-band update for Windows Server 2008 (KB5021657, 35 MB) manually from the Microsoft Update Catalog. Install it and restart the Domain Controller afterward.
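After working through the steps above, you will want to confirm that every Domain Controller actually ended up on the out-of-band update and was rebooted. The script below is an added example (not from the original post or from Microsoft) that checks the Windows Server 2016, 2019 and 2022 Domain Controllers against the KB numbers and OS builds listed above; it assumes the ActiveDirectory module (RSAT) and WinRM access to the DCs, and skips 2012 R2 and older, which use Monthly Rollups.

```powershell
# Expected out-of-band KB and resulting OS build per Windows Server version (from this HOWTO)
$expectedByBuild = @{
    '14393' = @{ KB = 'KB5021654'; Build = '10.0.14393.5502' }   # Windows Server 2016
    '17763' = @{ KB = 'KB5021655'; Build = '10.0.17763.3653' }   # Windows Server 2019
    '20348' = @{ KB = 'KB5021656'; Build = '10.0.20348.1251' }   # Windows Server 2022
}

function Test-DcOutOfBandUpdate {
    # Default: every Domain Controller in the current domain
    param([string[]]$DomainController = ((Get-ADDomainController -Filter *).HostName))

    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        param($expected)
        $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $current = [version]('10.0.{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
        $want    = $expected[[string]$cv.CurrentBuildNumber]

        if ($null -eq $want) {
            $hasKb  = $null
            $status = 'not covered (Windows Server 2012 R2 and older use Monthly Rollups)'
        } else {
            # The KB shows up in Get-HotFix right after installation; the UBR only
            # changes after the reboot, so the two checks together tell the full story
            $hasKb = [bool](Get-HotFix -Id $want.KB -ErrorAction SilentlyContinue)
            if ($current -ge [version]$want.Build) { $status = 'OOB update installed' }
            elseif ($hasKb)                         { $status = 'OOB update installed, reboot pending' }
            else                                    { $status = "missing $($want.KB)" }
        }

        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            CurrentBuild     = $current.ToString()
            ExpectedKB       = if ($want) { $want.KB } else { '-' }
            KBPresent        = $hasKb
            Status           = $status
        }
    } -ArgumentList $expectedByBuild
}

Test-DcOutOfBandUpdate |
    Select-Object DomainController, CurrentBuild, ExpectedKB, KBPresent, Status |
    Sort-Object DomainController | Format-Table -AutoSize
```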


Domain Controller Monitoring Checklist

Domain Controller Monitoring

Last month, I provided some context for how I feel about Active Directory Monitoring and Domain Controller Monitoring. I wrote that monitoring solutions should not treat Domain Controllers as mere ‘application servers’ or ‘nodes’, as many Active Directory Monitoring solutions, like SolarWinds’ do.

However, organizations may have varying requirements towards potential Domain Controller Monitoring solutions. Some organizations already have certain functionality as part of another solution. Some organizations accept certain risks when it comes to (some of) their Domain Controllers.

As a follow-up, I decided to provide a checklist of functionality a great Domain Controller Monitoring solution should provide and why every piece of functionality is essential to make sure that Domain Controllers meet the organization’s confidentiality, integrity and availability (CIA) needs. These areas of monitoring should be checked against a baseline in the solution:

 

Monitoring the Domain Controllers’ core services

Any respectable Domain Controller Monitoring solution should monitor the status of the services that any Domain Controller requires to run. These include:

    • Active Directory Domain Services
    • Active Directory Web Services
    • DFS Replication
    • DHCP Client
    • DNS Client
    • DNS Server
    • Intersite Messaging
    • Kerberos Key Distribution Center
    • Netlogon
    • Remote Procedure Call (RPC)
    • Server
    • Windows Event Log
    • Windows Time
    • Workstation

When one or more of the above services stop, a notification should be sent. The DS Role Service, in this regard, is an interesting service. Active Directory admins can choose to stop and disable this service and change its permissions so only members of the Enterprise Admins security group can demote Domain Controllers. A good Domain Controller Monitoring solution should be able to detect and properly display this information as part of the Domain Controller baseline. Of course, an alert when this particular service is started would be a great addition in this case. Having a graph that displays the status of Domain Controllers' core services over time is a plus.

Note:
Notifications through email should be a basic requirement. However, attackers may delete or modify public DNS records, and email notifications may not be delivered in these situations. Multiple notification methods are something monitoring solutions should offer today, for example text messages and web hooks.
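As an added example (not from the original post or from any monitoring product), the script below implements the service baseline described above in Windows PowerShell: it checks the core services on every Domain Controller and, separately, treats the DS Role Service the way the text suggests, alerting when it is found running rather than when it is stopped. It assumes the ActiveDirectory module (RSAT), WinRM access to the DCs, and that the Windows service names in the comments map to the display names in the list above.

```powershell
# Windows service names for the core services listed above
$coreServices = @(
    'NTDS',              # Active Directory Domain Services
    'ADWS',              # Active Directory Web Services
    'DFSR',              # DFS Replication
    'Dhcp',              # DHCP Client (not the DHCP Server role)
    'Dnscache',          # DNS Client
    'DNS',               # DNS Server
    'IsmServ',           # Intersite Messaging
    'Kdc',               # Kerberos Key Distribution Center
    'Netlogon',          # Netlogon
    'RpcSs',             # Remote Procedure Call (RPC)
    'LanmanServer',      # Server
    'EventLog',          # Windows Event Log
    'W32Time',           # Windows Time
    'LanmanWorkstation'  # Workstation
)
# DS Role Server service: some admins stop and disable it so that promotion/demotion
# requires a deliberate change; for those environments "running" is the anomaly
$dsRoleService = 'DsRoleSvc'

function Get-DcServiceBaseline {
    param([string[]]$DomainController = ((Get-ADDomainController -Filter *).HostName))

    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        param($core, $dsRole)
        foreach ($name in $core) {
            $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $env:COMPUTERNAME
                Service          = $name
                Status           = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
                StartType        = if ($svc) { $svc.StartType.ToString() } else { '-' }
                Alert            = (-not $svc) -or ($svc.Status -ne 'Running')
            }
        }
        $role = Get-Service -Name $dsRole -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            Service          = $dsRole
            Status           = if ($role) { $role.Status.ToString() } else { 'NotInstalled' }
            StartType        = if ($role) { $role.StartType.ToString() } else { '-' }
            # Inverted baseline: alert when the deliberately stopped service is running
            Alert            = [bool]($role -and ($role.Status -eq 'Running'))
        }
    } -ArgumentList $coreServices, $dsRoleService
}

# Only the deviations from the baseline need a notification; wire this into email,
# text message or a web hook as the note above recommends
Get-DcServiceBaseline | Where-Object Alert |
    Select-Object DomainController, Service, Status, StartType | Format-Table -AutoSize
```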

Monitoring generic metrics

Domain Controllers provide lots of metrics. Basic metrics can be compared against the performance baseline for the Domain Controller to detect anomalous performance behavior. Removing any bottlenecks may lead to higher Active Directory performance.

    • Processor(s)
      Processor utilization across all CPUs and cores is important to monitor. Domain Controllers would not have high percentages in normal situations. Typical situations where you may expect high processor utilization are applying Windows Updates, building indices, performing anti-malware scans, and performing backups and/or restores. When creating the baseline for processor utilization, special care is advised for the Domain Controller holding the PDC Emulator FSMO role. This Domain Controller may display overall higher processor utilization. The FSMO role can be transferred to another Domain Controller. Good Domain Controller monitoring solutions have logic to detect the role and apply the specific baseline. In large environments, the Domain Controller holding the PDC Emulator FSMO role may be overburdened. The Processor Queue Length provides information on the threads that are waiting on the processors. If the queue is long (at times with high processor utilization), the processor is a bottleneck and may hinder replication of password changes, Group Policy settings and reliable time.
    • Memory
      When a Domain Controller reads and/or writes memory to disk, it is 'memory swapping'. Each Domain Controller tries to cache the entire Active Directory database in memory to be able to perform its tasks without needing I/O to the (slower) disk(s). When a Domain Controller is memory swapping, it is incapable of offering the best performance to end-users and applications. Memory swapping can occur when applying Windows Updates, building indices, performing anti-malware scans, or performing backups and/or restores, but should not happen all the time. If it does, upgrade the memory of the Domain Controller. You may not have a memory bottleneck just yet. However, as a basic monitoring area, the available memory should be monitored. Good Domain Controller monitoring solutions are able to display the available memory in a graph over time, so trends can be discovered and proactively remediated. Great solutions can filter on the Active Directory-specific process (lsass) and report specifically on sudden memory increases.
    • Disk(s)
      Next to memory swapping, disk performance impacts Domain Controllers' performance in other ways, too. Slow disks can be discovered through the (average) disk queue length. When the disk queue length is long, the disk is trying to catch up on read and/or write requests. The disks' idle time, tracked over time, shows whether the Domain Controllers burst on their disks or keep the disks busy full-time.
    • Network interface(s)
      When a Domain Controller processes a lot of Active Directory queries, it may send and/or receive large amounts of data over the network, next to having high processor utilization. Network congestion may ultimately lead to people no longer being able to sign in. Avoid this situation by monitoring the throughput and comparing it to the maximum throughput available. Here, too, graphs of historic network activity may lead to trend discoveries and proactive remediation.

 

Monitoring Active Directory-specific metrics

On top of these generic performance metrics, a good Domain Controller Monitoring solution supports Active Directory-specific metrics.

    • Authentications
      The number of Kerberos authentications and NTLM authentications per second provides information on the overall use a Domain Controller is getting. A graph of Kerberos authentications vs. NTLM authentications provides information on how far the organization is on leaving NTLM behind, and should be offered by any good Domain Controller monitoring solution. Great solutions would be able to provide information on NTLMv1 vs. NTLMv2 authentications, drill down specifically into KDC AS requests and KDC TGS requests for Kerberos (useful when changing ticket lifetimes) and provide information on the Kerberos encryption types used. Synthetic authentications might also add value in measuring authentication performance.
    • LDAP applications
      Two typical metrics for LDAP performance are LDAP searches/sec and LDAP client sessions. These metrics provide information on the use a Domain Controller is getting from applications. The metrics should be fairly uniform across all Domain Controllers. If they are not, it may mean that Domain Controllers are specifically targeted based on hostname or IP address instead of the domain name, that in certain Active Directory sites Domain Controllers are getting piled on with LDAP traffic, or that LDAP is no longer functioning and clients are failing over to other Domain Controllers. Synthetic LDAP queries might also add value in measuring the performance of application authentications.
    • Replication
      To monitor replication, the network traffic for the directory replication agent (DRA) can be monitored as the traffic flows indicate the amount of replication data flowing between Domain Controllers inside their Active Directory site and between Active Directory sites (compressed). Sudden changes in these metrics indicate a replication topology change or significant changes in Active Directory. Great Domain Controller monitoring solutions would use synthetic replications to measure replication performance, but might also be able to interpret the output of built-in tools like repadmin.exe and nltest.exe.
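Both lists above, the generic metrics (processor, memory, disks, network) and the Active Directory-specific ones (authentications, LDAP, replication), are exposed as Windows performance counters and can be sampled without any product. The following PowerShell is an added example and is not code from this post or from any monitoring solution: the counter paths are the standard Windows, NTDS and Security System-Wide Statistics counters, the threshold values in $Baseline are assumptions for illustration that should be replaced by values derived from your own history, and the Domain Controller names are placeholders.

```powershell
# Added example: sample generic and NTDS performance counters on Domain
# Controllers and compare the averages with an (assumed) baseline.
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\Memory\Available MBytes',
    '\Memory\Pages/sec',                                  # non-zero all the time = memory swapping
    '\Process(lsass)\Private Bytes',                      # the Active Directory database cache lives here
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\PhysicalDisk(_Total)\% Idle Time',
    '\Network Interface(*)\Bytes Total/sec',
    '\NTDS\Kerberos Authentications',
    '\NTDS\NTLM Authentications',
    '\NTDS\LDAP Searches/sec',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\Security System-Wide Statistics\KDC AS Requests',
    '\Security System-Wide Statistics\KDC TGS Requests'
)

# Assumed thresholds for illustration only. Max flags averages above the value,
# Min flags averages below it. Derive real ones from your own history and give
# the PDC Emulator its own set, as its utilization is typically higher.
$Baseline = @{
    '\Processor(_Total)\% Processor Time'           = @{ Max = 80 }
    '\System\Processor Queue Length'               = @{ Max = 4 }
    '\Memory\Available MBytes'                     = @{ Min = 1024 }
    '\Memory\Pages/sec'                            = @{ Max = 500 }
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = @{ Max = 2 }
}

function Get-DcCounterSample {
    param([string[]]$ComputerName, [int]$Seconds = 10)
    # One sample per second for $Seconds seconds, averaged per counter path.
    $data = Get-Counter -ComputerName $ComputerName -Counter $Counters `
                -SampleInterval 1 -MaxSamples $Seconds -ErrorAction SilentlyContinue
    $data.CounterSamples | Group-Object Path | ForEach-Object {
        [pscustomobject]@{
            Path    = $_.Name
            Average = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 2)
        }
    }
}

function Test-DcBaseline {
    param($Samples)
    foreach ($s in $Samples) {
        # Get-Counter prefixes remote paths with \\hostname; strip it to look up the
        # baseline (hashtable keys are matched case-insensitively).
        $key   = $s.Path -replace '^\\\\[^\\]+', ''
        $rule  = $Baseline[$key]
        $state = 'ok'
        if ($rule) {
            if ($null -ne $rule.Max -and $s.Average -gt $rule.Max) { $state = 'above baseline' }
            if ($null -ne $rule.Min -and $s.Average -lt $rule.Min) { $state = 'below baseline' }
        }
        [pscustomobject]@{ Path = $s.Path; Average = $s.Average; State = $state }
    }
}

function Get-NtlmShare {
    # Share of NTLM in all authentications during the sample window, summed over
    # all sampled Domain Controllers: the 'how far are we from leaving NTLM behind' number.
    param($Samples)
    $krb  = [double]($Samples | Where-Object Path -like '*\NTDS\Kerberos Authentications' | Measure-Object Average -Sum).Sum
    $ntlm = [double]($Samples | Where-Object Path -like '*\NTDS\NTLM Authentications' | Measure-Object Average -Sum).Sum
    if (($krb + $ntlm) -eq 0) { return 0 }
    [math]::Round(100 * $ntlm / ($krb + $ntlm), 1)
}

# Usage (placeholder names): run from a management host with access to the DCs.
$dcs     = @('dc01.corp.example.com', 'dc02.corp.example.com')
$samples = Get-DcCounterSample -ComputerName $dcs
Test-DcBaseline -Samples $samples | Where-Object State -ne 'ok' | Format-Table -AutoSize
"NTLM share of authentications: $(Get-NtlmShare $samples)%"
```

Scheduling this sample regularly and storing the per-path averages gives the history that the graphs and trend discovery above depend on; the baseline lookup is keyed on the counter path, so a second hashtable for the PDC Emulator is a one-line change.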

 

Monitoring Active Directory logs

The event logs on Domain Controllers provide a wealth of information on Active Directory and Domain Controller health. Good Domain Controller monitoring solutions would check for replication errors and sudden increases in errors in the specific Active Directory logs. Great solutions, however, would be able to provide a graph for Active Directory database whitespace over time, based on the daily events in the log.

 

Domain Controller registry (changes)

Much of a Domain Controller's behavior is controlled by registry values in HKLM:\SYSTEM\CurrentControlSet\Control\Lsa and the KDC, NTDS and Netlogon keys underneath HKLM:\System\CurrentControlSet\Services\. There is also a lot of information to be gained from these registry locations, for instance when the Domain Controller was last restored from backup, or whether it was successfully cloned or not.

Being able to monitor changes to these registry keys while the Domain Controller runs, but especially while the Domain Controller starts, is essential to pinpointing changes to Domain Controller configurations. Great Domain Controller monitoring solutions will provide this information and notify admins when there is a significant change.
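The change detection described above can be approximated without a product by snapshotting the registry locations named in the text and diffing each snapshot against a stored baseline. This is an added PowerShell example, not code from the post: the exact key paths under Services (Kdc, NTDS\Parameters, Netlogon\Parameters), the baseline file location and the scheduling suggestion are assumptions.

```powershell
# Added example: baseline and diff the registry locations that steer Domain
# Controller behavior. The Services paths are assumptions based on the keys
# named in the text above.
$DcRegistryKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc',
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
)

function Get-DcRegistrySnapshot {
    # Flat table of "key\valuename" -> value (as string), subkeys included.
    $snapshot = @{}
    foreach ($path in $DcRegistryKeys) {
        if (-not (Test-Path $path)) { continue }
        $keys = @(Get-Item $path) + @(Get-ChildItem $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name)
                # REG_MULTI_SZ and REG_BINARY come back as arrays; join them so they compare as one string.
                $snapshot["$($key.Name)\$name"] = if ($value -is [array]) { $value -join ',' } else { [string]$value }
            }
        }
    }
    return $snapshot
}

function Compare-DcRegistrySnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $names = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        if (-not $Baseline.ContainsKey($n)) {
            [pscustomobject]@{ Value = $n; Change = 'added';    Old = $null;         New = $Current[$n] }
        } elseif (-not $Current.ContainsKey($n)) {
            [pscustomobject]@{ Value = $n; Change = 'removed';  Old = $Baseline[$n]; New = $null }
        } elseif ($Baseline[$n] -ne $Current[$n]) {
            [pscustomobject]@{ Value = $n; Change = 'modified'; Old = $Baseline[$n]; New = $Current[$n] }
        }
    }
}

# Usage: create the baseline once on a known-good Domain Controller, then run the
# comparison at every start and on a schedule (assumed: a Scheduled Task with an
# 'At startup' trigger running as SYSTEM). The file location is an assumption.
$BaselinePath = 'C:\DcMonitor\registry-baseline.json'
if (-not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-DcRegistrySnapshot | ConvertTo-Json | Set-Content -Path $BaselinePath
    'Baseline written.'
} else {
    $baseline = @{}
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $changes = Compare-DcRegistrySnapshot -Baseline $baseline -Current (Get-DcRegistrySnapshot)
    if ($changes) { $changes | Format-Table -AutoSize } else { 'No registry changes since baseline.' }
}
```

Keep the baseline file somewhere the Domain Controller's local administrators cannot silently edit (or hash it elsewhere), otherwise a change and a baseline update can be made together and nothing is reported.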

 

Network monitoring

When you monitor for network congestion (see above) you can go the next step and monitor the availability of services on certain network ports. We all know that LDAP(S) uses TCP 389 and TCP 636. Good Domain Controller monitoring solutions will monitor these ports, as well as the other common Domain Controller network ports. It's not that hard. Great monitoring solutions will query the port to determine whether the right service is actually listening and perform these checks from all Domain Controllers to all Domain Controllers regularly. That way, potential attackers can be stopped in their tracks and changes in firewall rules can be detected fast and remediated.
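The difference between 'the port is open' and 'the right service is listening' is what the check below is for: after a plain TCP test it reads RootDSE over LDAP (and LDAPS on 636), which any Domain Controller answers anonymously. This is an added PowerShell example, not code from the post or from a monitoring product; it assumes the ActiveDirectory module is available and that it is run from a Domain Controller.

```powershell
# Added example: verify that LDAP (389) and LDAPS (636) on every Domain Controller
# are reachable and that an LDAP server really answers there, by reading RootDSE.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory

function Test-DcLdapEndpoint {
    param([string]$Target, [int]$Port, [switch]$UseSsl)
    # 1. TCP reachability: a closed or filtered port usually means a firewall change.
    $tcp = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{ Target = $Target; Port = $Port; Tcp = $false; Ldap = $false; Detail = 'closed or filtered' }
    }
    # 2. Protocol check: an open port is not proof that the right service listens on it.
    try {
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Target, $Port)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $conn.SessionOptions.ProtocolVersion = 3
        # LDAPS fails on an expired or untrusted certificate, which is itself a finding.
        if ($UseSsl) { $conn.SessionOptions.SecureSocketLayer = $true }
        $conn.Timeout = [TimeSpan]::FromSeconds(5)
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    '', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base,
                    @('dnsHostName', 'isSynchronized'))
        $resp    = $conn.SendRequest($req)
        $attr    = $resp.Entries[0].Attributes
        $dnsHost = [string]$attr['dnsHostName'][0]
        $sync    = [string]$attr['isSynchronized'][0]
        $conn.Dispose()
        [pscustomobject]@{ Target = $Target; Port = $Port; Tcp = $true; Ldap = $true; Detail = "RootDSE from $dnsHost, isSynchronized=$sync" }
    } catch {
        [pscustomobject]@{ Target = $Target; Port = $Port; Tcp = $true; Ldap = $false; Detail = $_.Exception.Message }
    }
}

function Test-AllDcLdapEndpoints {
    # Every Domain Controller in the domain, on 389 (LDAP) and 636 (LDAPS).
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        Test-DcLdapEndpoint -Target $dc -Port 389
        Test-DcLdapEndpoint -Target $dc -Port 636 -UseSsl
    }
}

# Usage: report only the endpoints that fail. Running this on every Domain Controller
# (for example through Invoke-Command over all of them) gives the all-to-all mesh the text describes.
Test-AllDcLdapEndpoints | Where-Object { -not $_.Ldap } | Format-Table -AutoSize
```

The same two-step pattern (reachability, then a protocol-level request) extends to the other Domain Controller ports: a Kerberos AS request on 88, an RPC endpoint map query on 135, an SMB session on 445, a DNS query on 53.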

 

DNS Server and DNS Record monitoring

To locate Domain Controllers, domain-joined devices use DNS. Domain Controllers register SRV records in DNS for this purpose. The netlogon.dns file on each Domain Controller specifies the records for it to register. By monitoring the DNS Server configuration per Domain Controller, the availability of the configured DNS Servers and the records the Domain Controller registers, situations where Domain Controllers are accidentally multi-homed, isolated or otherwise borked in the DNS arena are detected fast and remediated. Great Domain Controller solutions know what SRV records each Domain Controller would register, based on the location of the domain in the forest and the FSMO roles of the Domain Controller, and can report on any deviations.
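Because netlogon.dns lists exactly the records a Domain Controller should register, it doubles as the expected state for a DNS check. The following PowerShell is an added example, not code from the post: it parses the SRV lines of that file, resolves each name and reports records that are missing or point elsewhere, and then shows the Domain Controller's own resolver configuration. The sample line in the comment is constructed; the file path is the default location on a Domain Controller.

```powershell
# Added example: parse this Domain Controller's netlogon.dns and check that every
# SRV record it should register actually resolves to this host and port.
function Get-NetlogonSrvRecords {
    param([string]$Path = "$env:SystemRoot\System32\config\netlogon.dns")
    # An SRV line in netlogon.dns looks like this (constructed sample):
    #   _ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc01.corp.example.com.
    $pattern = '^(?<name>\S+)\s+\d+\s+IN\s+SRV\s+(?<prio>\d+)\s+(?<weight>\d+)\s+(?<port>\d+)\s+(?<target>\S+)'
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Name   = $matches.name.TrimEnd('.')
                Port   = [int]$matches.port
                Target = $matches.target.TrimEnd('.')
            }
        }
    }
}

function Test-NetlogonSrvRecords {
    # -Server: a specific DNS server to ask; omit to use this DC's own resolvers.
    param([string]$Server)
    foreach ($rec in Get-NetlogonSrvRecords) {
        $query = @{ Name = $rec.Name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $query.Server = $Server }
        $answers = Resolve-DnsName @query | Where-Object Type -eq 'SRV'
        # Registered = an SRV answer points at this DC's host name on the expected port.
        $hit = $answers | Where-Object { $_.NameTarget.TrimEnd('.') -eq $rec.Target -and $_.Port -eq $rec.Port }
        [pscustomobject]@{ Record = $rec.Name; Target = $rec.Target; Port = $rec.Port; Registered = [bool]$hit }
    }
}

# Usage on a Domain Controller. First the resolver configuration: a DC pointing at a
# non-AD DNS server, or resolvers on more than one interface (multi-homed), shows up here.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses
# Then the records, reporting only the ones that are missing or point elsewhere.
Test-NetlogonSrvRecords | Where-Object { -not $_.Registered } | Format-Table -AutoSize
```

Running Test-NetlogonSrvRecords with -Server against each DNS server in turn shows whether the zone replicated everywhere, which is the 'isolated' case the text mentions.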

 

Domain Controller Backup verification

Monitoring is merely the first part of an organization's disaster recovery strategy. It avoids cascading events that would eventually lead to a disaster. Backup of Domain Controllers is another big disaster recovery measure. Good Domain Controller monitoring solutions need to be able to report on this over time. Great solutions might even integrate with backup solutions to provide insights. Veeam's SureBackup feature comes to mind here, as it allows backups to be checked for consistency. Flowing back this information into the one Domain Controller monitoring console provides perfect insights in the status of Domain Controller backups. (However, further steps are required to assure complete Active Directory forest restores.)

 

Domain Controller drivers and firmware

Drivers and firmware are essential to have Domain Controllers utilize the available (virtual) hardware. For virtual Domain Controllers on top of VMware, for instance, for performance it is essential that the right virtual network interface and the most recent stable VMware Tools are installed. With recent Virtualization-based Security (VBS) investments, it is also a good idea to monitor the firmware versions of TPM chips and other security-related hardware. Any changes should be reported on and a good Domain Controller monitoring solution offers this functionality.

 

Time monitoring

Another networking aspect that Domain Controllers are involved in is accurate time. By default, Domain Controllers offer a time hierarchy that is used by domain-joined hosts to obtain accurate time. The Domain Controller holding the PDC Emulator FSMO role is the only Domain Controller that synchronizes time from a reliable outside time source and functions at the top of the Active Directory time hierarchy. By monitoring time and time differences between Domain Controllers, situations can be avoided where 'last write wins' ends up overruling some other admin's or application's changes.
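Measuring those time differences needs nothing beyond the built-in w32tm.exe. The following PowerShell is an added example, not code from the post: it samples the offset of every Domain Controller from the host it runs on, marks the PDC Emulator, flags offsets beyond an assumed one-second threshold, and shows which source the PDC Emulator itself follows. It assumes the ActiveDirectory module and PowerShell remoting to the PDC Emulator.

```powershell
# Added example: report the time offset of every Domain Controller and the time
# source of the PDC Emulator. The warning threshold is an assumption.
Import-Module ActiveDirectory

function Get-DcTimeOffset {
    param([string[]]$ComputerName, [int]$Samples = 3)
    foreach ($dc in $ComputerName) {
        # w32tm /stripchart /dataonly prints one "hh:mm:ss, +00.0012345s" line per sample;
        # error lines ("hh:mm:ss, error: 0x...") do not match the pattern and are skipped.
        $output  = & w32tm.exe /stripchart /computer:$dc /samples:$Samples /dataonly 2>&1
        $offsets = @(foreach ($line in $output) {
            # Some locales print a decimal comma; normalize before casting.
            if ("$line" -match ',\s*([+-]\d+[.,]\d+)s') { [double]($matches[1] -replace ',', '.') }
        })
        [pscustomobject]@{
            DomainController  = $dc
            Samples           = $offsets.Count
            MeanOffsetSeconds = if ($offsets.Count) { [math]::Round(($offsets | Measure-Object -Average).Average, 4) } else { $null }
        }
    }
}

function Test-DcTime {
    # Assumed threshold: anything beyond one second deserves a look, long before the
    # 5-minute default Kerberos tolerance turns it into sign-in failures.
    param([double]$WarnSeconds = 1.0)
    $pdce = (Get-ADDomain).PDCEmulator
    $dcs  = (Get-ADDomainController -Filter *).HostName
    foreach ($r in Get-DcTimeOffset -ComputerName $dcs) {
        $state = if ($null -eq $r.MeanOffsetSeconds) { 'unreachable' }
                 elseif ([math]::Abs($r.MeanOffsetSeconds) -gt $WarnSeconds) { 'drifting' }
                 else { 'ok' }
        [pscustomobject]@{
            DomainController  = $r.DomainController
            IsPdcEmulator     = ($r.DomainController -eq $pdce)
            Samples           = $r.Samples
            MeanOffsetSeconds = $r.MeanOffsetSeconds
            State             = $state
        }
    }
}

# Usage: the offset table, then the PDC Emulator's source, which should be an
# external reliable source rather than the domain hierarchy ("Local CMOS Clock" or
# another DC's name here is a misconfiguration).
Test-DcTime | Format-Table -AutoSize
$pdce = (Get-ADDomain).PDCEmulator
$source = Invoke-Command -ComputerName $pdce -ScriptBlock { & w32tm.exe /query /source }
"PDC Emulator $pdce time source: $source"
```

Run it from a host whose own clock you trust (the PDC Emulator itself is a reasonable choice), since every offset is relative to the caller.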

 

Concluding

There are differences between good and great Domain Controller monitoring solutions. Use the above list to determine whether advertised monitoring solutions offer the functionality your Active Directory admins need to perform their jobs.


Veeam Backup & Replication v11a supports VMware vSphere 8.0


Hot on the heels of VMware Explore Europe, Veeam announced its support for VMware vSphere 8.0.

 

About VMware vSphere 8.0

vSphere is VMware’s advanced server virtualization solution, consisting of ESXi (the core virtualization product that is installed on host machines – a type 1 hypervisor) and vCenter Server (the solution to manage multiple ESXi hosts as a platform).

vSphere 8.0 is currently the most recent version of vSphere. VMware announced this version on August 30th, 2022, to supersede its troubled v7.0 releases. This release was 6 weeks ahead of VMware’s end of support for both vSphere 6.5 and vSphere 6.7, offering organizations a choice again between two versions.

 

About Veeam support

But alas, this choice was not a realistic choice, as a new release of one infrastructure component might negatively affect other components. To be in a supported state, the entire organizational ecosystem surrounding the virtualization platform should consist of supported components.

Up to Veeam’s communications this Friday, Veeam Backup & Replication didn’t officially support VMware vSphere 8.0.  Veeam shared that their goal is to support new versions of hypervisors within 90 days of General Availability. Veeam made their announcement after only 73 days.

 

Veeam Backup and Replication v11a supports VMware vSphere 8

Veeam's Research and Development team has performed extensive testing with version 11a P20220302 (build 11.0.1.1261 P20220302) of Veeam Backup & Replication and has determined that this version is functional with vSphere 8.0.

Limitations

However, in Veeam Backup and Replication v11a, the following limitations apply:

Full support

Full support for VMware vSphere 8.0 will be available with a future Veeam Backup & Replication release.

 

Concluding

A supported Disaster Recovery solution for vSphere 8 workloads means that at least one box can be checked on the path to adopting vSphere 8 for many organizations.


Azure AD Connect v2.1.20.0 offers to synchronize to Azure AD’s employeeLeaveDateTime attribute

Azure AD Connect

With Microsoft introducing the Lifecycle Workflows functionality Public Preview at its Microsoft Ignite event last month, some things are definitely changing… Azure AD is now poised to become the leading identity management plane and Active Directory to become a mere authentication store. However, to make that dream work, Azure AD Connect needs to offer additional functionality (at least temporarily) to accommodate both that future world and the current world. The current temporary situation seems to be managing groups in Azure AD and writing them back, but managing users in Active Directory and synchronizing them up, unless they are cloud-only users. These can now be provisioned and deprovisioned automatically using the new Lifecycle Workflows.

Azure AD Connect v2.1.19.0 and v2.1.20.0 now introduce functionality to make synchronized user objects and cloud-only objects play nicely together.

 

What’s New

Synchronizing employeeLeaveDateTime

Microsoft added the functionality to synchronize an attribute from the on-premises Active Directory to a new attribute in Azure AD. The value for the attribute you decide on in Active Directory is used as the value for the employeeLeaveDateTime attribute in Azure AD.

This allows for consistency going forward between cloud objects that are provisioned (and deprovisioned) through Lifecycle Workflows and on-premises objects that are synchronized using Azure AD Connect. Through Lifecycle Workflows, currently in Public Preview, the built-in offboarding process for a user object can be triggered based on the value of the employeeLeaveDateTime attribute in Azure AD. By synchronizing a date and time into this attribute, based on an on-premises attribute for the user object in Active Directory, admins now have a way to have on-premises account expiration work in Azure AD, too.

As the EmployeeHireDate and EmployeeLeaveDateTime attributes do not exist in the Active Directory schema, an attribute in Active Directory of your choosing needs to be used.

Note:
When using one of the built-in Human Resourcing (HR) applications with Lifecycle Workflows, this attribute must be a string and be in a specific time and date format, depending on the Human Resourcing (HR) application that acts as the source for cloud objects.

Note:
The feature to synchronize to the employeeLeaveDateTime attribute was introduced with Azure AD Connect v2.1.19.0, but this version contains an issue that caused the new employeeLeaveDateTime attribute to not synchronize correctly. This issue was addressed in v2.1.20.0.

Note:
If the incorrect attribute was already used in a synchronization rule, then the rule must be updated with the new attribute and any objects in the Azure AD Connector Space that have the incorrect attribute must be removed with the Remove-ADSyncCSObject PowerShell cmdlet, and then a full synchronization cycle must be run.

 

What’s Fixed

Issue that caused Password Writeback to stop functioning

Microsoft addressed an issue that caused Azure AD Connect’s Password Writeback feature to stop functioning. The error code is:

SSPR_0029 ERROR_ACCESS_DENIED

 

Version information

Version 2.1.20.0 of Azure AD Connect was made available for download as a 144 MB AzureADConnect.msi on November 9th, 2022.

You can download the latest version of Azure AD Connect here.


KnowledgeBase: You experience errors with Event ID 14 and source Kerberos-Key-Distribution-Center on Domain Controllers

To continually increase the information security of on-premises Domain Controllers, Microsoft provides new functionality to Windows Server and Active Directory. Sometimes, the new security measures affect the efforts of admins to get their Active Directory environments to a safer state, ahead of the curve. In this knowledgebase article, I’ll discuss such a measure.

 

The situation

You run Active Directory with Domain Controllers on one or more of the below Windows Server Operating Systems:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

You have configured domain-joined systems and objects in Active Directory to no longer allow RC4_HMAC_MD5 for Kerberos session key encryption.

 

The issue

Suddenly, you start experiencing errors in the System log of your Domain Controllers. These errors have Event ID 14 and source Kerberos-Key-Distribution-Center:

While processing an AS request for target service krbtgt, the account … did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were: …. The accounts available etypes were 23 18 17. Changing or resetting the password of … will generate a proper key.

End users in the environment and/or group Managed Service Accounts (gMSAs) experience issues signing in. They are requested to lock the device and sign in with the latest password or smart card. Any services that run with the credentials of domain user objects and/or gMSAs experience issues.

 

The cause

These errors occur because the November 2022 or newer cumulative updates for Windows Server are installed on Domain Controllers. These updates address the vulnerability known as CVE-2022-37966 and introduce changes to the Kerberos protocol. These changes are described in KB5021131.

Since the November 2022 updates, the Advanced Encryption Standard (AES) is configured as the default encryption type for session keys on user objects that are not marked with a default encryption type. However, for objects that are configured with an encryption type, the RC4 bit is being used as a signal of whether to use a preferred cipher list or a legacy interoperability list in a specific section of code in Windows.

Only organizations that have configured domain-joined systems and objects in Active Directory to no longer use RC4 for Kerberos encryption run into the above issues.

The absence of RC4 in the list of supported Kerberos key encryption types in specifically configured situations causes the issues, as the domain-joined device mistakenly thinks it does not have a valid Kerberos ticket encryption type available.

 

The solution

To solve these issues, perform the following steps:

Step 1

Uninstall the most recent Windows update from the Domain Controllers.

While this is not a recommended practice, it allows communications again. As the solution lies in communications with Active Directory and through Group Policy, these communications need to be restored first.

Step 2

Locate any Group Policy objects (GPOs) that configure the Network Security: Configure encryption types allowed for Kerberos Group Policy setting. Remove this setting from the scope of the devices that are affected by the issues, or change the setting to Not Configured as advised by Microsoft.

Push the new configuration from Group Policy Management (gpmc.msc) to affected domain-joined devices, then restart these devices or allow up to 120 minutes for the new Group Policy settings to be applied through background Group Policy refreshes.

Step 3

Locate any object in Active Directory that is configured with values for the msDS-supportedEncryptionTypes attribute:

Get-ADObject -Filter "msDS-supportedEncryptionTypes -bor 0x18 -and -not msDS-supportedEncryptionTypes -bor 0x7"

 

Depending on the security requirements within your organization, configure the supported Kerberos key encryption types to either the ones that were mentioned in the event, or remove any specifically configured attributes that:

  • filter out the RC4_HMAC_MD5 encryption type (bit 3, represented by the decimal value 4 or the hexadecimal value 0x4)
    and
  • do not filter in the AES256_HMAC_SHA1_SK encryption type that is introduced with the November 2022 updates (bit 6, represented by the decimal value 32 or the hexadecimal value 0x20).

The msDS-supportedEncryptionTypes attribute is provided in hexadecimal (HEX) format instead of decimal format. Common values represent the following selections:

Common Kerberos Encryption Types and their values

Step 4

Reinstall the most recent Windows update on the Domain Controllers.
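To support Step 3, the following PowerShell decodes the msDS-supportedEncryptionTypes bitmask of every object that has it set and flags exactly the combination described above: RC4 (0x4) filtered out and the AES256-SK bit (0x20) not filtered in. This is an added example, not code from the article: the RC4 and AES256-SK values are the ones given in the text, the DES and AES bit values and the Kerberos etype numbers come from Microsoft's documentation of the attribute and from the Kerberos standard (the "available etypes were 23 18 17" in the event text are etype identifiers, not bitmask values, and the table maps between the two), and the AES256-SK type is named here as AES256_CTS_HMAC_SHA1_96_SK. It assumes the ActiveDirectory module.

```powershell
# Added example: decode msDS-supportedEncryptionTypes and list the objects that
# Step 3 describes. Bit values per Microsoft's attribute documentation and the
# text above; Etype = the Kerberos encryption type number seen in Event ID 14.
Import-Module ActiveDirectory

$EncTypes = @(
    [pscustomobject]@{ Name = 'DES_CBC_CRC';                Bit = 0x01; Etype = 1     }
    [pscustomobject]@{ Name = 'DES_CBC_MD5';                Bit = 0x02; Etype = 3     }
    [pscustomobject]@{ Name = 'RC4_HMAC_MD5';               Bit = 0x04; Etype = 23    }
    [pscustomobject]@{ Name = 'AES128_CTS_HMAC_SHA1_96';    Bit = 0x08; Etype = 17    }
    [pscustomobject]@{ Name = 'AES256_CTS_HMAC_SHA1_96';    Bit = 0x10; Etype = 18    }
    [pscustomobject]@{ Name = 'AES256_CTS_HMAC_SHA1_96_SK'; Bit = 0x20; Etype = $null } # new with the November 2022 updates
)
$RC4 = 0x04
$SK  = 0x20

function ConvertFrom-SupportedEncryptionTypes {
    # Names of the types selected by a bitmask; 0 / not set means the DC default applies.
    param([int]$Value)
    if ($Value -eq 0) { return @('<not set>') }
    @($EncTypes | Where-Object { $Value -band $_.Bit } | ForEach-Object Name)
}

function Test-AffectedEncryptionTypes {
    # True for the combination in Step 3: RC4 filtered out AND AES256-SK not filtered in.
    param([int]$Value)
    ($Value -ne 0) -and (-not ($Value -band $RC4)) -and (-not ($Value -band $SK))
}

function Get-EncryptionTypeReport {
    Get-ADObject -Filter 'msDS-supportedEncryptionTypes -like "*"' -Properties msDS-supportedEncryptionTypes |
        ForEach-Object {
            $v = [int]$_.'msDS-supportedEncryptionTypes'
            [pscustomobject]@{
                Name        = $_.Name
                ObjectClass = $_.ObjectClass
                DN          = $_.DistinguishedName
                Hex         = '0x{0:X}' -f $v
                Types       = (ConvertFrom-SupportedEncryptionTypes $v) -join ', '
                Affected    = Test-AffectedEncryptionTypes $v
            }
        }
}

# Usage: list every object with the attribute, affected ones first.
Get-EncryptionTypeReport | Sort-Object Affected -Descending |
    Format-Table Name, ObjectClass, Hex, Types, Affected -AutoSize

# The 'remove the attribute' route from Step 3, previewed with -WhatIf; drop it once the
# list has been reviewed. Setting the types named in the event instead is the other route.
Get-EncryptionTypeReport | Where-Object Affected |
    ForEach-Object { Set-ADObject -Identity $_.DN -Clear 'msDS-supportedEncryptionTypes' -WhatIf }
```

Worked through the values in the text: 0x18 decodes to AES128 and AES256 only, so it is flagged (RC4 cleared, SK absent), while 0x38 (AES128, AES256 and AES256-SK) is not; 0x7 (DES and RC4) is not flagged either, because RC4 is still present.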
