I’m a 2020 Veeam Vanguard

Veeam Vanguard

Today, I received an e-mail from Nikola Pejková from Veeam congratulating me on being selected for the 2020 Veeam Vanguard Program by the Veeam Vanguard team.

For me, it means I successfully renewed my previous four Veeam Vanguard Awards, dating back to 2016 and can celebrate my first lustrum as a Veeam Vanguard.

I feel honored.

Thank you!

  

About Veeam Vanguards

The Vanguard program is led by the Veeam Technical Product Marketing & Evangelism team and supported by the entire company. It’s a program around the community of Veeam experts that truly get Veeam’s message, understand Veeam’s products and are Veeam’s closest peers in IT.

Veeam Vanguards represent Veeam’s brand at the highest level in many of the different technology communities. These individuals are chosen for their acumen, engagement and style in their activities, online and offline.

The full list of Veeam Vanguards will be available shortly here.

Further Reading

I am a 2019 Veeam Vanguard
I am a 2018 Veeam Vanguard
I am a 2017 Veeam Vanguard
I am a 2016 Veeam Vanguard


Explained: User Hard Matching and Soft Matching in Azure AD Connect

Azure AD Connect

In Hybrid Identity implementations, where objects and their attributes are synchronized between on-premises Active Directory environments and Azure AD tenants, integrity is key. When user objects on both sides have different attributes, or the same person exists multiple times on one side, information security degrades fast.

To avoid this situation, Azure AD Connect matches user objects from the on-premises Active Directory to Azure AD.

When an object is provisioned from on-premises Active Directory to Azure AD for the first time, Azure AD performs two additional actions that it does not perform when merely updating an existing user object. These two actions are named:

  1. Hard Matching
  2. Soft Matching

The actions are performed in the above sequence: hard matching is attempted before soft matching is attempted. If there is no match, a new user object is created in Azure AD to correspond to the user object in the on-premises Active Directory environment.

 

Hard Matching

To definitively match an on-premises Active Directory user object to an Azure AD user object, Azure AD Connect looks at the sourceAnchor attribute. In Azure AD, its (Base64-encoded) value is stored as the user object’s immutableID.

During normal synchronization cycles, this attribute is already used to provide the end-to-end connection between the on-premises Active Directory user object and the Azure AD user object through Azure AD Connect’s connector spaces and metaverse, so it’s an ideal way to match.

The Azure Active Directory Connect wizard, used to configure Azure AD Connect installations provides options to choose the sourceanchor attribute:

Azure AD Connect's Uniquely identifying your users page

The above screenshot is from a recent version of Azure AD Connect. It provides the default option to Let Azure AD manage the source anchor and a list of available attributes to use as an alternative through the Choose a specific attribute option.

Let Azure AD manage the source anchor

When the Let Azure AD manage the source anchor option is selected, Azure AD Connect checks whether a previous (older) Azure AD Connect installation is connected to the Azure AD tenant. If there is, it defaults to the objectGUID attribute. If this is the first Azure AD Connect installation, or all other Azure AD Connect installations have already been migrated to use mS-DS-ConsistencyGUID as the sourceAnchor attribute for user objects, the mS-DS-ConsistencyGUID attribute is automatically selected as the sourceAnchor attribute.

Choose a specific attribute

When you Choose a specific attribute it is important to choose an attribute that:

  1. Does not exceed 60 characters in length
  2. Does not contain special characters like \ ! # $ % & * + / = ?  and ^
  3. Is globally unique throughout your organization
  4. Is either a string, integer or binary

A good sourceanchor attribute is not based on a person’s name, because this may change, however some organizations still choose to do so, based on the mail attribute…

Note:
The sourceanchor attribute chosen is stored in the configuration of the Azure AD tenant.

Note:
When upgrading or changing settings, Azure AD Connect reports that the Azure AD Connect installation for this tenant still uses objectGUID to synchronize user objects.

Hard matching occurs, based on the following data:

Azure AD Connect Hard Matching Table

An example for writing the immutableID attribute to an Azure AD user object, based on an Active Directory user’s objectGUID attribute, using Windows PowerShell with the ActiveDirectory and AzureAD modules (this only works for cloud-only user objects; for user objects that are already synchronized, Azure AD Connect manages the value):

$user = 'jos.haarbos@domain.tld'

# Get-ADUser -Identity does not accept a userPrincipalName, so filter on it instead
$guid = [guid](Get-ADUser -Filter "userPrincipalName -eq '$user'").ObjectGUID

# The immutableID is the Base64 encoding of the 16 raw objectGUID bytes
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())

Connect-AzureAD

# Set-AzureADUser identifies the object with -ObjectId, which accepts a UPN as well as an objectId
Set-AzureADUser -ObjectId $user -ImmutableId $immutableId

 

When hard matching provides a match, soft matching is not attempted. However, the non-matching rules still apply.

 

Soft Matching

When hard matching doesn’t provide a match, soft matching is attempted. Soft matching is a little more straightforward than hard matching, as it’s based on the following data:

Azure AD Connect Soft Matching Table

Through soft matching, an on-premises Active Directory user object is matched to an Azure AD user object, when:

  1. The userPrincipalName attributes match
  2. The userPrincipalName attribute of the on-premises user object matches any of the e-mail addresses in the Azure AD user object’s proxyAddresses attribute
  3. The primary SMTP address of the on-premises user object (denoted with SMTP: in the proxyAddresses attribute) matches the userPrincipalName or any of the e-mail addresses in the Azure AD user object’s proxyAddresses attribute

When soft matching provides a match, hard matching is established at the first synchronization cycle by setting the immutableID attribute for the Azure AD user object, based on the sourceanchor configuration. This is done for disaster recovery purposes: When the (only) Azure AD Connect installation fails, a replacement Azure AD Connect installation can pick up synchronization for end users by accurate hard matching.

 

Non-matching

To avoid information security-related incidents, like the one pointed out by Dirk-Jan Mollema at Troopers 19, Azure AD Connect no longer attempts to hard match or soft match Active Directory user accounts to Azure AD-based user objects with privileged roles, like the Global Administrator role.
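The following Windows PowerShell is an added example, not code from the original post or from Azure AD Connect itself. It simulates the matching order described in the Hard Matching, Soft Matching and Non-matching sections above (non-matching rule first, then hard match on sourceAnchor/immutableID, then soft match on UPN and SMTP addresses) against constructed user data, so the effect of each rule can be seen. The role name used for the privileged check and all user objects are assumptions for the sake of the example.

```powershell
# Added example (not from the original post): simulate Azure AD Connect's matching order.
# All user objects below are constructed test data.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # immutableID is the Base64 encoding of the 16 raw objectGUID bytes
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction, to compare an Azure AD immutableID against an AD DS objectGUID
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

function Get-SmtpAddresses {
    # Strips the 'SMTP:'/'smtp:' prefix; -PrimaryOnly keeps only the primary (upper-case SMTP:) address
    param([string[]]$ProxyAddresses, [switch]$PrimaryOnly)
    foreach ($address in @($ProxyAddresses)) {
        if ($PrimaryOnly -and -not ($address -clike 'SMTP:*')) { continue }
        if ($address -like 'smtp:*') { $address.Substring(5) }
    }
}

function Find-AzureADMatch {
    param(
        [Parameter(Mandatory)][hashtable]$OnPremUser,    # keys: ObjectGuid, UserPrincipalName, ProxyAddresses
        [Parameter(Mandatory)][hashtable[]]$CloudUsers   # keys: UserPrincipalName, ImmutableId, ProxyAddresses, Roles
    )
    $privileged = 'Global Administrator'   # assumption: one role stands in for the privileged role set

    # Non-matching: Azure AD user objects holding a privileged role are never matched
    $eligible = @($CloudUsers | Where-Object { -not (@($_.Roles) -contains $privileged) })

    # 1. Hard match: sourceAnchor (objectGUID) against immutableID, compared case-sensitively
    $sourceAnchor = ConvertTo-ImmutableId -ObjectGuid $OnPremUser.ObjectGuid
    foreach ($cloud in $eligible) {
        if ($cloud.ImmutableId -and $cloud.ImmutableId -ceq $sourceAnchor) {
            return [pscustomobject]@{ Match = 'Hard'; AzureADUser = $cloud.UserPrincipalName }
        }
    }

    # 2. Soft match: on-premises UPN or primary SMTP address against the cloud UPN or any SMTP address
    $onPremKeys = @($OnPremUser.UserPrincipalName) + @(Get-SmtpAddresses $OnPremUser.ProxyAddresses -PrimaryOnly)
    foreach ($cloud in $eligible) {
        $cloudKeys = @($cloud.UserPrincipalName) + @(Get-SmtpAddresses $cloud.ProxyAddresses)
        foreach ($key in $onPremKeys) {
            if ($cloudKeys -contains $key) {    # -contains compares case-insensitively
                return [pscustomobject]@{ Match = 'Soft'; AzureADUser = $cloud.UserPrincipalName }
            }
        }
    }

    # 3. No match: Azure AD Connect would create a new user object in Azure AD
    [pscustomobject]@{ Match = 'None'; AzureADUser = $null }
}

# Constructed sample data
$onPrem = @{
    ObjectGuid        = [guid]'8a4a3f1e-3c7d-4d7b-9d5c-2b6e0a1f9c11'
    UserPrincipalName = 'jos.haarbos@domain.tld'
    ProxyAddresses    = @('SMTP:jos.haarbos@domain.tld', 'smtp:jos@domain.tld')
}
$cloud = @(
    @{ UserPrincipalName = 'admin@tenant.onmicrosoft.com'; ImmutableId = $null
       ProxyAddresses = @('SMTP:jos.haarbos@domain.tld'); Roles = @('Global Administrator') },
    @{ UserPrincipalName = 'j.haarbos@domain.tld'; ImmutableId = $null
       ProxyAddresses = @('SMTP:Jos.Haarbos@domain.tld'); Roles = @() }
)

# The privileged object is skipped even though its primary SMTP address matches;
# the second object soft-matches on its SMTP address.
Find-AzureADMatch -OnPremUser $onPrem -CloudUsers $cloud

# After the first sync cycle stamps the immutableID, the hard match wins:
$cloud[1].ImmutableId = ConvertTo-ImmutableId -ObjectGuid $onPrem.ObjectGuid
Find-AzureADMatch -OnPremUser $onPrem -CloudUsers $cloud
```

ConvertFrom-ImmutableId is the check to run when you suspect a stale hard match: decode the immutableID of the Azure AD user object and compare it with the objectGUID (or mS-DS-ConsistencyGUID, depending on the sourceAnchor configuration) of the on-premises user object it is supposed to represent.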

 

Caveats

Now, the above explanation is straight-forward. There are a couple of caveats, though, that you should take into account:

  1. When you delete an object in Azure AD and then synchronize an object from on-premises to Azure AD within 30 days, hard matching and soft matching may not be triggered. Instead, the previously deleted object is matched and reanimated, because the object was deleted, but not yet purged from the Azure AD Recycle Bin. To get the result you want: delete the object, purge the object, then perform a sync cycle.
  2. In environments without an existing Exchange Online deployment, when you really don’t want an object in Azure AD to be matched with an on-premises AD object, assign the Azure AD object the tenant-specific userPrincipalName suffix (@*.onmicrosoft.com) and clear its immutableID attribute.
  3. When the Azure AD Connect installation fails and a replacement Azure AD Connect installation takes over, on-premises user objects that were previously matched to Azure AD user objects holding privileged roles will not be matched again. For this scenario:
    1. Make sure at least one non-synchronized Global Admin account exists with the @*.onmicrosoft.com userPrincipalName suffix
    2. Make sure you have Password Hash Synchronization (PHS) deployed
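The following Windows PowerShell is an added example, not code from the original post. It carries out caveats 1 and 2 above with the MSOnline module and the ADSync module on the Azure AD Connect server: delete, purge and re-sync for a fresh match, and rename plus clear the immutableID to keep a cloud object out of the way of soft matching. The user principal names are constructed.

```powershell
# Added example (not from the original post): caveats 1 and 2 in PowerShell.
# Requires the MSOnline module; the last two lines run on the Azure AD Connect server.
Connect-MsolService

# Caveat 1: delete, purge from the Azure AD Recycle Bin, then sync, so that
# the next sync cycle matches afresh instead of reanimating the deleted object
$upn = 'jos.haarbos@domain.tld'                      # constructed
Remove-MsolUser -UserPrincipalName $upn -Force
Remove-MsolUser -UserPrincipalName $upn -RemoveFromRecycleBin -Force

# Confirm nothing is left to reanimate
Get-MsolUser -ReturnDeletedUsers | Where-Object { $_.UserPrincipalName -eq $upn }

# Caveat 2: park a cloud-only object on the tenant suffix and clear its immutableID,
# so neither soft matching (UPN/SMTP) nor hard matching (immutableID) can pick it up
$parked = 'marieke.jansen@tenant.onmicrosoft.com'   # constructed
Set-MsolUserPrincipalName -UserPrincipalName 'marieke.jansen@domain.tld' -NewUserPrincipalName $parked
Set-MsolUser -UserPrincipalName $parked -ImmutableId "$null"   # the string "$null" clears the value

# On the Azure AD Connect server: run a delta sync cycle
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Note that caveat 2 only removes the object from the matching candidates; a proxyAddresses value that still carries the on-premises primary SMTP address would re-enable soft matching in tenants with Exchange Online.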

 

Concluding

Hard matching is useful in both on-premises and cloud migration scenarios and to pinpoint a specific on-premises user object to an Azure AD object.

When things are slightly less difficult, soft matching provides the right amount of flexibility and speed to finish an Azure AD Connect implementation as part of a Hybrid Identity project within the allotted time.

Just remember that Azure AD user objects with privileged roles are no longer matched…

Further reading

Azure AD Connect: When you have an existent tenant
Soft (SMTP) vs. Hard (immutableID) matching with Azure AD Connect
How to use SMTP matching to match on-premises accounts to Office 365 accounts
Azure AD Connect soft- vs. hard matching explained


Announced: Azure AD to offer more 3rd Party MFA features

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft announced a plan for change regarding Azure MFA.

 

What’s announced

Microsoft is planning to replace the current Custom controls (preview) in Conditional Access with an approach that allows partner-provided authentication capabilities to work seamlessly with the Azure Active Directory administrator and end user experiences.

 

What’s the experience today

Custom controls in Conditional Access have been in Public Preview since December 17, 2018. This functionality gives organizations the ability to integrate 3rd-party services as controls in Conditional Access, including MFA services from RSA, Duo Security, Trusona and SecureAuth:

Add a Custom Control in Azure AD Conditional Access

Today, 3rd-party MFA solutions face the following limitations:

  • They work only after a password has been entered
  • They don’t serve as MFA for step-up authentication in other key scenarios
  • They don’t integrate with end user or administrative credential management functions

Today, 3rd-party MFA partner integration is a feature that requires Azure AD Premium P1 subscription licenses.

 

What’s New

The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios, including:

  • Registration
  • Usage
  • MFA claims
  • Step-up authentication
  • Reporting
  • Logging

Custom controls will continue to be supported in Public Preview alongside the new design until the new design reaches General Availability. At that point, Microsoft will give organizations time to migrate to the new design.

 

What this means

Starting with this announced preview, organizations can use their existing 3rd-party MFA investments with Azure Active Directory. When the functionality reaches General Availability, they can use 3rd-party MFA in production for far more scenarios than they can currently.

There is currently no information on changes in licensing for the functionality. During the preview phase, it is safe to assume the license requirements remain the same.

Further reading

Custom controls (preview)
Azure AD conditional access custom controls are in public preview
Azure AD + 3rd party MFA = Azure AD Custom Controls


A closer look at Azure AD Connect’s Service Connection Point

Azure AD Connect

Recent versions of Azure AD Connect deploy a Service Connection Point (SCP) into your Active Directory Domain Services (AD DS) environment(s). Let’s take a closer look at what this SCP looks like, what it does by default and how you can use and tweak it to your advantage.

 

About Service Connection Points

Active Directory offers a specific object class, serviceConnectionPoint, that points to a service. This way, an application, system and/or service administrator can tell domain-joined devices and LDAP-enabled devices where to find the (nearest) instance of their application, system and/or service.

Many Microsoft and 3rd party applications and services have embraced the concept of service connection points in Active Directory in the past. Microsoft Exchange, Microsoft System Center Configuration Manager (SCCM) and Active Directory Rights Management Services are the ones that come to mind.

 

About Azure AD Connect’s SCPs

Azure AD Connect’s Service Connection Point includes information on the following items in its Keywords attribute:

  1. azureADId; The Azure Active Directory tenant ID
  2. azureADName; The Azure Active Directory tenant’s verified custom DNS domain name, or the *.onmicrosoft.com DNS domain name if no verified custom DNS domain name exists for the Azure AD tenant

Azure AD Connect’s Service Connection Point exists as:

CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=domain,DC=tld

The Service Connection Point needs to be available to all domains in the Active Directory forest that contain computer objects. Since it lives in the Configuration naming context, which is replicated forest-wide, one SCP serves every domain in the forest.

 

When is the Service Connection Point created?

Azure AD Connect creates the Service Connection Point in Active Directory, when:

  1. You install and configure Azure AD Connect with Express Settings, or;
  2. You install and configure Azure AD Connect. Then, you enable Hybrid Azure AD Join while supplying Enterprise Admin credentials, or
  3. You install and configure Azure AD Connect. Then, you enable Hybrid Azure AD Join, and use the ConfigureSCP.ps1 script to create the Service Connection Point manually.

 

Inspecting the keywords

You can easily get the information in the Keywords attribute using the following lines of Windows PowerShell:

$scp = New-Object System.DirectoryServices.DirectoryEntry

$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=domain,DC=tld"

$scp.Keywords
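The following Windows PowerShell is an added example, not code from the original post. It generalizes the snippet above: it locates the SCP through the forest’s Configuration naming context (read from RootDSE, so no hard-coded DC=domain,DC=tld) and parses the Keywords values into the tenant ID and tenant name. The function name and the output object layout are my own.

```powershell
# Added example (not from the original post): read and parse Azure AD Connect's SCP.
function Get-AzureADJoinScp {
    param(
        # Defaults to the Configuration naming context of the forest this machine belongs to
        [string]$ConfigurationNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    )
    $dn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$ConfigurationNC"

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
        Write-Warning "No Azure AD Connect SCP found at $dn"
        return $null
    }
    $scp = [ADSI]"LDAP://$dn"

    $result = [ordered]@{ DistinguishedName = $dn; TenantId = $null; TenantName = $null }

    # Keywords are stored as 'azureADId:<guid>' and 'azureADName:<domain>'
    foreach ($keyword in @($scp.Keywords)) {
        $name, $value = ([string]$keyword) -split ':', 2
        switch ($name) {
            'azureADId'   { $result.TenantId   = $value }
            'azureADName' { $result.TenantName = $value }
        }
    }
    [pscustomobject]$result
}

Get-AzureADJoinScp
```

Any authenticated user in the forest can run this, since the Configuration naming context is readable by Authenticated Users by default; keep that in mind when reading the section on abuse below.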

 

When is the information used?

The information in the Service Connection Point is used by domain-joined devices during their Hybrid Azure AD Join to discover Azure AD tenant information through an LDAP query. The device performs Home Realm Discovery (HRD) based on the azureADName keyword.

 

Situations with multiple Azure AD tenants

Microsoft’s vision for Hybrid Azure AD Join and Device Writeback is one Active Directory forest connected to one Azure AD tenant. For complex organizations, however, this is not feasible. For these organizations, an alternative to a Service Connection Point pointing to one Azure AD tenant is available in the form of client-side registry settings.

 

Clear the Service Connection Point

To use this method, clear Azure AD Connect’s Service Connection Point object first:

  1. Launch ADSI Edit (adsiedit.msc) with an account that is a member of the Enterprise Admins group in Active Directory.
  2. Connect to the Configuration naming context of your forest.
  3. Browse to CN=Configuration,DC=domain,DC=tld, then CN=Services and finally CN=Device Registration Configuration.
  4. Right-click CN=62a0ff2e-97b9-4513-943f-0d221bd30080 and select Properties from the context menu.
    1. Select Keywords in the Attribute Editor window and click Edit.
    2. Select the values of azureADId and azureADName (one at a time) and click Remove.
  5. Repeat steps 2-4 for each Active Directory forest in scope. The Configuration naming context is replicated forest-wide, so one SCP covers every domain in a forest.
  6. Close ADSI Edit.

 

Create client-side registry settings

Use the following example to create a Group Policy Object (GPO) to deploy a registry setting configuring a Service Connection Point entry in the registry of devices in scope:

  1. Open the Group Policy Management console (gpmc.msc)
  2. Create a new Group Policy Object in the domain whose devices should receive the Service Connection Point information.
  3. Edit the Group Policy Object.
  4. Navigate to  Computer Configuration > Preferences > Windows Settings > Registry.
  5. Right-click on the Registry node and select New > Registry Item.
  6. On the General tab, configure the following:
    1. Action: Update
    2. Hive: HKEY_LOCAL_MACHINE
    3. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
    4. Value name: TenantId
    5. Value type: REG_SZ
    6. Value data: The GUID or Directory ID of your Azure AD instance (This value can be found in the Azure portal > Azure Active Directory > Properties > Directory ID)
  7. Click OK to save the Registry item.
  8. Right-click on the Registry and select New > Registry Item again.
  9. On the General tab, configure the following
    1. Action: Update
    2. Hive: HKEY_LOCAL_MACHINE
    3. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
    4. Value name: TenantName
    5. Value type: REG_SZ
    6. Value data: Your verified domain name if you are using a federated environment such as AD FS; your verified domain name or your onmicrosoft.com domain name (for example, contoso.onmicrosoft.com) if you are using a managed environment
  10. Click OK to save the Registry item.
  11. Close the Group Policy editor window.
  12. Link the newly created group policy object to the desired Organizational Unit (OU) containing domain-joined computers.
  13. Close the Group Policy Management console.
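The following Windows PowerShell is an added example, not code from the original post or from Microsoft. It writes and reads the same two registry values the Group Policy procedure above deploys, for a single device, for instance during a pilot before the GPO is linked. The function names and the tenant values are constructed; run it elevated on the device.

```powershell
# Added example (not from the original post): client-side SCP override for one device.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'

function Set-AzureADJoinClientOverride {
    param(
        [Parameter(Mandatory)][guid]$TenantId,      # Directory ID of the target Azure AD tenant
        [Parameter(Mandatory)][string]$TenantName   # verified domain (federated), or verified/onmicrosoft.com domain (managed)
    )
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }
    # Same value names and REG_SZ type as the GPO registry items above
    New-ItemProperty -Path $regPath -Name TenantId   -Value $TenantId.ToString() -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $regPath -Name TenantName -Value $TenantName          -PropertyType String -Force | Out-Null
}

function Get-AzureADJoinClientOverride {
    $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if (-not $props) { return $null }   # no override present; the device falls back to the SCP in AD
    [pscustomobject]@{ TenantId = $props.TenantId; TenantName = $props.TenantName }
}

# Constructed values
Set-AzureADJoinClientOverride -TenantId '3f2c9a1e-7b44-4b0e-9c6d-1a2b3c4d5e6f' -TenantName 'contoso.onmicrosoft.com'
Get-AzureADJoinClientOverride
```

After a reboot or the next scheduled device registration task, dsregcmd /status on the device shows which tenant it registered with, so you can confirm the override took precedence over a (cleared) SCP.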

 

How the information can be abused

The information in the Service Connection Point can be abused. It is readable by every authenticated user in the forest, since the Configuration naming context is readable by Authenticated Users by default, so it hands any compromised domain account the tenant ID and tenant name to aim at. The Network Service Scanning technique in the MITRE ATT&CK framework (T1046) hints at the way the information can be abused:

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts or cloud services enabled within the environment. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems.

 

Concluding

Azure AD Connect’s Service Connection Point allows for domain-joined devices to perform Home Realm Discovery (HRD). In complex environments and for staged rollouts, client-side registry settings can be used to achieve the same goal.

Further reading

Tutorial: Configure hybrid Azure Active Directory join for managed domains
Tutorial: Configure hybrid Azure Active Directory joined devices manually
Post configuration tasks for Hybrid Azure AD join
Step-by-Step guide to connect down-level devices to Azure AD (in hybrid environment)
How can I locate Service Connection Point for Azure AD connect?
Azure AD Connect: Enabling device writeback


TODO: Enable Modern Authentication

Modern Authentication

Microsoft is in the process of deprecating basic authentication to its cloud services. While their announcements feel far away, I feel this is the best time to act, if you were one of the earlier adopters of Office 365 and Azure Active Directory.

 

What Microsoft is saying

Microsoft is communicating clearly on the upcoming changes in regards to Basic Authentication:

Note:
These announcements do not affect SMTP AUTH and Microsoft continues to support Basic Authentication for it in Exchange Online.

      

… But, these changes feel far away.

The timelines above stem from the support lifecycles, service level agreements Microsoft offers and the corporate responsibility guidelines that Microsoft follows.

Politically, I’ve used this trick a couple of times at customers to reduce resistance to less popular changes, just to get a ‘go’. “We’ll cross that bridge when we get there”-people are onboarded more easily that way, is my experience.

  

Yes, but please act now

However, these changes do not mean that as an organization you can just lean back. Several situations might create some urgency. If you are a large enterprise that runs Office 2010 Professional Plus throughout your organization, then upgrading to a more recent version of Office  should be high on your priority list.

Wouldn’t it be sad if you had to touch people’s Outlook profiles twice within the next six months? Because, that’s the direction I think a lot of early adopters of Office 365 are heading.

My tip for today is to check your tenant’s Modern Authentication settings, before migrating from Office 2010 Professional Plus, or Office 2013 Professional Plus installations without the specific registry settings.

There are two good reasons for this:

For tenants created before August 1, 2017, modern authentication is turned off, by default.

Now, many of the Microsoft pages I link to above feature PowerShell scripts to change that behavior, but these days it’s actually an option box in the Microsoft 365 admin center.

The second reason has a bit more background, and I recommend reading up. Alex Weinert, Director of Identity Security at Microsoft, regularly shares and confirms many alarming facts on Basic Authentication and Modern Authentication:

It is time to get on this bandwagon.

    

How to enable Modern Authentication

Perform these actions in a web browser:

  1. Navigate to https://admin.microsoft.com/.
  2. Sign on with an account in your tenant that has the Global administrator role assigned to it.
    Perform multi-factor authentication when prompted. Elevate through Azure AD Privileged Identity Management (PIM) if you need to.
  3. In the left navigation bar, click Settings.
    The Settings menu unfolds beneath it.
  4. Click Settings in the Settings menu.
  5. In the main pane, click Modern Authentication.
  6. In the Modern Authentication blade that appears check the Enable Modern authentication option.
  7. Click Save changes at the bottom of the blade.
  8. Close the Modern Authentication blade by clicking on the X in the top right corner of the blade.
  9. Sign out by clicking the icon for your account in the top right corner of the Microsoft 365 admin center and clicking the Sign out link.
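The following Windows PowerShell is an added example, not code from the original post. It performs the same check and change for Exchange Online from the command line, which is handy when you manage many tenants or want a scripted, auditable record of the change. It assumes the ExchangeOnlineManagement module is installed; the Skype for Business Online lines at the end are the equivalent switch for that service and assume its own module.

```powershell
# Added example (not from the original post): check and enable Modern Authentication
# (OAuth 2.0) for Exchange Online with PowerShell.
Connect-ExchangeOnline

function Enable-ExoModernAuth {
    $config = Get-OrganizationConfig
    if ($config.OAuth2ClientProfileEnabled) {
        Write-Output 'Modern Authentication is already enabled for Exchange Online.'
        return $true
    }
    # This is the organization-wide switch behind the admin center check box
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    $config = Get-OrganizationConfig
    Write-Output "Modern Authentication enabled: $($config.OAuth2ClientProfileEnabled)"
    return $config.OAuth2ClientProfileEnabled
}

Enable-ExoModernAuth

# Skype for Business Online keeps its own setting (requires the Skype for Business Online module):
# Get-CsOAuthConfiguration | Select-Object ClientAdalAuthOverride
# Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
```

Enabling the switch does not disable Basic Authentication by itself; clients that support Modern Authentication start using it, older clients keep working until Microsoft’s deprecation dates, or until you block Basic Authentication with an authentication policy.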

  

Why now?

I recommend organizations to enable the Modern Authentication features in their tenants before onboarding people to versions of Outlook that support Modern Authentication. This way, when a person gets the new version of Outlook, modern authentication is enabled and used, by default.

If modern authentication is not available at this time, the Outlook profile for the person needs to be reset around October 13th, 2020, to switch to modern authentication…

That would be a shame, if you ask me.


KnowledgeBase: You receive error ‘AADSTS5000812: The SAML 1.1 credential must contain exactly one or zero claims of type ImmutableID’ when signing into Azure AD-integrated resources

KnowledgeBase

In Hybrid Identity implementations, Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS) and Azure AD work together to authenticate people in your organization, so that they can work with Azure AD-integrated resources like Office 365.

Sometimes, the constellation fails and you get an error page, instead of reaching the desired application, system or service.

  

The situation

The organization has been enjoying Hybrid Identity with AD FS for several years already. They hit some snags in recent months, but no major incidents.

The organization uses multiple Active Directory forests due to recent mergers and acquisitions. They are consolidating these forests into a single Active Directory forest. All forests are in scope for Azure AD Connect. The mail attribute is used as alternative login ID.

The most recent version of Azure AD Connect is used.

  

The issue

Some people in the organization receive the error “AADSTS5000812: The SAML 1.1 credential must contain exactly one or zero claims of type ‘http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID’.” instead of reaching the desired application, system or service:

ErrorAADSTS5000812

When we use the SAML-Tracer plug-in and inspect the SAML token, we can clearly see that AD FS sign-in was successful, but that a SAML token was posted to Azure AD that, indeed, contained two values for the ImmutableID claim type.

 

The cause

The error is caused by faulty claims issuance rules.

The default rules build an ImmutableID claim type and then issue it following this process:

  1. The default rule (named ‘Query objectguid and msdsconsistencyguid for custom immutableid claim’, the second rule in the default rule set) checks if objectGUID or mS-DS-ConsistencyGUID is present.
  2. The third default rule (named ‘Check for the existence of msdsconsistencyguid’) checks if mS-DS-ConsistencyGUID is present.
  3. The fourth and fifth default rules (‘Issue msdsconsistencyguid as Immutable ID if it exists’ and ‘Issue objectGuidRule if msdsConsistencyGuid rule does not exist’) determine which value to send as Immutable ID.
  4. The sixth default rule actually sends it.

These default rules don’t take into account the mail attribute for the Immutable ID claim type. 

To remedy another device-related issue, the AD FS admin had added an additional rule. This rule added another Immutable ID value for people who were recently migrated to the new Active Directory forest:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]

=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
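The following Windows PowerShell is an added example, not code from the original post or from AD FS. It lists every issue(...) statement in a claim rule set that can emit the ImmutableID claim type, together with the condition in front of it, so you can verify that at most one of them can fire for a given user. A naive split on ';' does not work, because the query strings of add() and issue() statements contain ';' and '(' themselves, so the function walks the text tracking parentheses and quoted strings. The sample rule set is a constructed, abbreviated approximation of the default rules plus the extra rule quoted above; the temporary claim type name in it is made up.

```powershell
# Added example (not from the original post): find all issuers of the ImmutableID claim type.
$ImmutableIdType = 'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID'

function Get-ImmutableIdIssueStatements {
    param([Parameter(Mandatory)][string]$RuleSet)

    $statements = @()
    $issueRx = [regex]'\bissue\s*\('   # keyword is lowercase; case-sensitive, so "Issue" in @RuleName is skipped
    $match   = $issueRx.Match($RuleSet)

    while ($match.Success) {
        $open     = $match.Index + $match.Length - 1   # position of the opening '('
        $depth    = 0
        $inString = $false
        $close    = -1
        # Walk to the matching ')', ignoring parentheses inside double-quoted strings
        for ($i = $open; $i -lt $RuleSet.Length; $i++) {
            $ch = $RuleSet[$i]
            if ($ch -eq '"') { $inString = -not $inString; continue }
            if ($inString) { continue }
            if ($ch -eq '(') { $depth++ }
            elseif ($ch -eq ')') {
                $depth--
                if ($depth -eq 0) { $close = $i; break }
            }
        }
        if ($close -lt 0) { break }   # unbalanced input; stop scanning

        # Include the rule's condition: everything since the previous rule terminator ';'
        $ruleStart = $RuleSet.LastIndexOf(';', $match.Index)
        $statement = $RuleSet.Substring($ruleStart + 1, $close - $ruleStart).Trim()
        if ($statement.Contains($ImmutableIdType)) { $statements += $statement }

        $match = $issueRx.Match($RuleSet, $close + 1)
    }
    return $statements
}

# Constructed sample: abbreviated approximations of the default rules that emit ImmutableID,
# followed by the extra rule from the post. 'urn:example:tmp/idflag' is a made-up temporary claim type.
$sampleRules = @'
@RuleName = "Issue msdsconsistencyguid as Immutable ID if it exists"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/msdsconsistencyguid"]
 => issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Value = c.Value);

@RuleName = "Issue objectGuidRule if msdsConsistencyGuid rule does not exist"
c1:[Type == "urn:example:tmp/idflag", Value =~ "useguid"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/objectguid"]
 => issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Value = c2.Value);

@RuleName = "Added rule for migrated accounts"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
'@

$hits = Get-ImmutableIdIssueStatements -RuleSet $sampleRules
"{0} statement(s) can issue ImmutableID:" -f $hits.Count
$hits | ForEach-Object { "---`n$_" }

# On an AD FS server, run it against the live rule set of the Office 365 RPT:
# $live = (Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform').IssuanceTransformRules
# Get-ImmutableIdIssueStatements -RuleSet $live
```

In the sample, the first two issuers are mutually exclusive by their conditions (one requires the msdsconsistencyguid claim, the other requires the flag that is only added when it is absent), while the third fires for every Windows account and therefore always produces a second ImmutableID claim next to one of the first two. That is exactly the shape of rule set to look for when AADSTS5000812 appears.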

         

The solution

We removed the additionally added rule. This made authentication work again.
Then, we built new AD FS claims issuance rules for the ‘Microsoft Office 365 Identity Platform’ Relying Party Trust (RPT) using adfshelp.microsoft.com and implemented them.

  

Concluding

I have a sneaking suspicion that upgrading Azure AD Connect in an environment with AD FS and Alternative Login ID doesn’t consistently upgrade the AD FS rules, based on the settings in Azure AD Connect.

Further reading

Pro Tip! Use the claim rules from ADFSHelp for your ‘Office 365 Identity Platform’ Relying Party Trust 
HOWTO: Enable Auditing and Logging for AD FS Servers and the AD FS Farm 
Creating the ‘Microsoft Office 365 Identity Platform’ Relying Party Trust manually


Mentoring, the step I needed in my career

Mentoring

As a consultant, trainer, blogger and author, I feel it’s my responsibility to help people who are ambitious like I am. It’s mutually beneficial to help people to achieve more, as it helps me identify the steps I didn’t take, the shortcuts I took, the views I lacked and any privileges I enjoyed.

At a certain point in my career, I acknowledged that the most effective way for me to learn more, was to teach more. I became a Microsoft-certified trainer (MCT) and have taught courses to various groups of people throughout the years, including colleagues, people at customers and people from the competition. It helped me improve my understanding, as different ways of consuming knowledge resulted in different questions that had me thinking of the products, technologies and strategies differently, too. It increases the value of my career.

Fifteen years ago, in a tactical role, I started mentoring people.

 

Dave Stork

I guess you all remember Dave Stork (or his alter ego, Steve Dork). He attended one of my trainings on Microsoft Exchange 2003 and just couldn’t get a passing grade for the exam. While training another group of colleagues, I asked him to set up Exchange Server, and then I tore it down in several ways, including opening the Exchange database with Notepad and replacing several characters halfway with my name, then saving it and rebooting the box. He passed his third time around.

Jokingly, I started referring to Dave as ‘the colleague with the most experience in the Microsoft Exchange Server exam’. It prompted his Exchange Server Pro career, he started blogging here, became a Microsoft MVP on July 1st, 2014 and published a book.

I’ve moved on to different employers since then.

Barbara Forbes

Some time ago, I was contacted by another one of my former colleagues: Barbara Forbes. Barbara was part of an earlier training course I ran to make people pass the Microsoft Certified Systems Administrator (MCSA) exams. She had reached a tipping point in her career as a consultant and trainer and wanted to achieve more.

We onboarded her to SCCT a year ago, where I started pushing her outside of her comfort zone every now and then. She started blogging. She started presenting. She was awarded Microsoft MVP on March 1st, 2020.

I deliberately didn’t nominate Barbara for the MVP award, as I feel it affects my personal integrity. Instead, many others nominated and re-nominated her for the MVP award. She has earned it, although it was never our end goal to get this award; It’s a means to get the feedback we all need to improve further and to increase the value of our careers.

To me, mentoring is about building a safe environment to step out of comfort zones, building a consistent flow of positive experiences and honest feedback. I started mentoring not knowing how to do it, and sometimes I still feel I have no theoretical clue. Perhaps following my gut instincts while mentoring makes it worthwhile for everybody.

Early in my career I was mentored by Thijs ‘ebbo’ Ebbers and Matthijs ‘kers’ Kerssemakers. When I needed kicks in the butt, I got them from Eward Driehuis.

John Craddock, Andy Malone, Brian Svidergol, Deji Akomolafe and other people I looked up to as my heroes are good friends now, with whom I can have in-depth discussions. These days, Raymond Comvalius, Carlo ‘knabbel’ Schaeffer, Harro ‘babbel’ Borghardt, and Bas Arkesteijn are my go-to people for inspiration and feedback.


The recording and slides of the Active Directory Best Practices webinar are now available

Veeam Active Directory Best Practices

Last week, I presented two webinars with Veeam’s Andrey Zhelezko, technical product analyst at Veeam Software, on Active Directory Best Practices in terms of administration and disaster recovery.

With 1849 and 2217 registered attendees for the European and North American webinar, respectively, these GoToWebinar sessions were solid Active Directory knowledge transfer successes.

The recording and slides of this webinar are now available here.
The duration of the recording is 1:03:15.

Microsoft Active Directory is the basis for every Microsoft‑oriented networking environment. However, it’s not always a solid basis. With thousands of network environments under their belts, Sander Berkouwer (Microsoft MVP) and Veeam’s Andrey Zhelezko know their Active Directory.

This webinar included the following best practices:

  • Protecting and (automatically) expiring passwords
  • Leveraging the Protected Users group and other protections
  • Using the Active Directory Recycle Bin
  • Putting Veeam Backup & Replication™ to good use

After watching this webinar, you’ll know about the nitty gritty details of the new security features in the past years for Active Directory, the exact line where the Active Directory Recycle Bin stops and how Veeam provides better backups and restores.


On-premises Identity updates & fixes for February 2020

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for February 2020:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4537764 February 11, 2020

The February 11 update for Windows Server 2016 (KB4537764), updating the OS build number to 14393.3504 is a security update.

It addresses an Active Directory Elevation of Privilege vulnerability (CVE-2020-0665), reported by Dirk-Jan Mollema. The discovered vulnerability exists in the way Active Directory handles information for domains in a transitively trusted forest. To exploit this vulnerability, an attacker would first need to compromise a transitively trusted Active Directory forest. An attacker who successfully exploited this vulnerability could obtain administrative rights on a computer in a domain which trusts the Active Directory forest under the attacker’s control. This update addresses the vulnerability by correcting how Active Directory handles information for domains in transitively trusted forests.

This update also contains a fix for a Windows Hyper-V Denial of Service Vulnerability (CVE-2020-0661). From within a virtual machine, an attacker with a privileged account on that guest operating system, could run a specially crafted application that causes a Hyper-V host to crash. As many Domain Controllers run virtually, this could possibly take down the entire networking environment.


KB4537806 February 25, 2020

The February 25 update for Windows Server 2016 (KB4537806), updating the OS build number to 14393.3542, is a quality update. It includes the following identity-related improvements:

  • It addresses an issue that generates an “unknown username or bad password” error when attempting to sign in. This occurs in an environment that has a Windows Server 2003-based Domain Controller and a Windows Server 2016 or later Domain Controller.
  • It addresses an issue that causes Transport Layer Security (TLS) sessions to fail with the error, “The request was aborted: Could not create SSL/TLS secure Channel.”
  • It addresses an issue that prevents the Network Policy Server (NPS) accounting feature from functioning. This occurs when NPS is configured to use SQL for accounting with the new OLE (compound document) database driver (MSOLEDBSQL.dll) after switching to TLS 1.2.
  • It addresses an issue that causes Security Assertion Markup Language (SAML) errors and loss of access to third-party apps for users who do not have multi-factor authentication (MFA) enabled.
  • It addresses an issue that intermittently generates Online Certificate Status Protocol (OCSP) Responder audit events (Event ID 5125) to indicate that a request was submitted to the OCSP Responder Service. However, there is no reference to the serial number or the domain name (DN) of the issuer of the request.
  • It addresses an issue with certificate validation that causes Internet Explorer mode in Microsoft Edge to fail.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4532619 February 11, 2020

The February 11 update for Windows Server 2019 (KB4532619), updating the OS build number to 17763.1039, is a security update.

It addresses an Active Directory Elevation of Privilege vulnerability (CVE-2020-0665), reported by Dirk-Jan Mollema. The discovered vulnerability exists in the way Active Directory handles information for domains in a transitively trusted forest. To exploit this vulnerability, an attacker would first need to compromise a transitively trusted Active Directory forest. An attacker who successfully exploited this vulnerability could obtain administrative rights on a computer in a domain which trusts the Active Directory forest under the attacker’s control. This update addresses the vulnerability by correcting how Active Directory handles information for domains in transitively trusted forests.

This update also contains a fix for a Windows Hyper-V Denial of Service vulnerability (CVE-2020-0661). From within a virtual machine, an attacker with a privileged account on that guest operating system could run a specially crafted application that causes the Hyper-V host to crash. As many Domain Controllers run virtually, this could possibly take down the entire networking environment.

KB4537818 February 25, 2020

The February 25 update for Windows Server 2019 (KB4537818), updating the OS build number to 17763.1075, is a quality update. It includes the following identity-related improvements:

  • It improves the accuracy of Windows Hello face authentication.
  • It addresses an issue that generates an “unknown username or bad password” error when attempting to sign in. This occurs in an environment that has a Windows Server 2003-based Domain Controller and a Windows Server 2016 or later Domain Controller.
  • It addresses an issue with sign-in scripts that fail to run when a user signs in or signs out.
  • It addresses an issue that might cause Direct Access servers to use a large amount of non-paged pool memory (pooltag: NDnd).
  • It addresses an issue that prevents you from removing some local users from local built-in groups. For example, you cannot remove “Guest” from the “Guests” local group.
  • It addresses an issue that causes the Local Security Authority Subsystem Service (LSASS) to stop working and triggers a restart of the system. This issue occurs when invalid restart data is sent with a non-critical paged search control.
  • It addresses an issue that causes queries against large keys on Ntds.dit to fail with the error, “MAPI_E_NOT_ENOUGH_RESOURCES.” This issue might cause users to see limited meeting room availability because the Exchange Messaging Application Programming Interface (MAPI) cannot allocate additional memory for the meeting requests.
  • It addresses an issue that intermittently generates Online Certificate Status Protocol (OCSP) Responder audit events (Event ID 5125) to indicate that a request was submitted to the OCSP Responder Service. However, there is no reference to the serial number or the domain name (DN) of the issuer of the request.
  • It addresses an issue with certificate validation that causes Internet Explorer mode in Microsoft Edge to fail.
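As an added example (not part of the original post), the following PowerShell reports whether each Domain Controller already runs at least the February 11, 2020 security build for its OS version, using the build numbers listed above. It assumes the ActiveDirectory RSAT module and PowerShell Remoting (WinRM) to the Domain Controllers; the function name is my own.

```powershell
# Added example, not from the original post: verify that Domain Controllers carry at
# least the February 11, 2020 security build that fixes CVE-2020-0665 and CVE-2020-0661.
# Assumes the ActiveDirectory RSAT module and PowerShell Remoting (WinRM) to each DC.
$MinimumUbr = @{
    '14393' = 3504   # Windows Server 2016, KB4537764 -> build 14393.3504
    '17763' = 1039   # Windows Server 2019, KB4532619 -> build 17763.1039
}

function Get-DCPatchStatus {
    param([string[]]$ComputerName)

    # Read the base build and the Update Build Revision (UBR) from the standard
    # CurrentVersion registry key on each remote host.
    $osInfo = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Build    = [int]$cv.CurrentBuildNumber   # e.g. 14393
            Ubr      = [int]$cv.UBR                  # e.g. 3504
        }
    }

    foreach ($dc in $osInfo) {
        $required = $MinimumUbr["$($dc.Build)"]
        $status = if ($null -eq $required) {
            'Unknown build (not Windows Server 2016/2019)'
        } elseif ($dc.Ubr -ge $required) {
            'Patched'
        } else {
            "Missing update (needs $($dc.Build).$required or later)"
        }
        [pscustomobject]@{
            Computer = $dc.Computer
            OSBuild  = "$($dc.Build).$($dc.Ubr)"
            Status   = $status
        }
    }
}

# Usage: check every Domain Controller in the current domain.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-DCPatchStatus -ComputerName $dcs | Format-Table -AutoSize
```

Because later cumulative updates only raise the UBR, a host on the February 25 quality update (or anything newer) also reports as patched.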

Pictures of Azure Saturday Belgrade

Azure Saturday Belgrade 2020

On this year’s leap day, I was invited to present a session on Azure Saturday in Belgrade, Serbia. My good friends Vladimir Stefanovic, Aleksandar Nikolic and Mustafa Toroman invited me over as one of the foreign speakers to complement the local speakers and their workshops on February 28th.

On Friday, I did some work for one of my customers. I worked from home to finish a design. I was brought to Rotterdam Central Station and took the express train that would take me in 26 minutes to Schiphol airport in time for my Air Serbia flight to Belgrade. After an uneventful, yet face-mask-filled flight, I arrived safely in Belgrade and took a cab to the Belgrade Inn hotel.

The next morning, I chose to be at breakfast at the earliest opportunity I had. This would allow me to meet and chat with all my friends before the event started. Surely, everybody walked in and the hotel restaurant was soon filled with chatter and laughter.

Room 208 at the Belgrade Inn
Coffee at breakfast to start the day

After a short walk to the venue, we continued our discussions in the speakers room, where we prepared for the keynote and our sessions.

Azure Saturday Belgrade Speaker Badge
SuperAdmin-sponsored Badges (photo by organization)
In the Speaker Room with Aleksandar Nikolic and Rolf McLaughlin (photo by organization)

At 3:45 PM, I started my 45-minute session on six of the Hybrid Identity mismanagement horror stories I’ve encountered over the past couple of years. It was fun to talk about organizational challenges ranging from Azure MFA Server to FIDO2 technologies and from budgeting to security challenges.

Nooo, did he just say that?! (photo by organization)
Presenting at Azure Saturday Belgrade (photo by organization)

After my session I attended Rolf McLoughlin’s session, before we rounded up the event with a PowerShell-supported prize raffle and Thank Yous to all the attendees.

Azure Saturday Belgrade 2020's Speakers (photo by organization)
Suvobor Restaurant in downtown Belgrade
Serbia, Meat Country! :-)

Then, we headed back to the hotel to freshen up and head to the Suvobor restaurant to have dinner with all the speakers and their entourages. We had some more fun discussions and drinks, before returning to the hotel.

Coffee at Kafeterija

The next morning, we headed out for coffee at Kafeterija with a smaller group of people, including Mustafa, Sasha, Aleksandar, Vladimir, Nenad and Rolf.

After that, it was time to check out and get a cab to the airport. After lunch in the lounge, I flew back and landed at Schiphol Airport in time for dinner with my family.

Serbian Flag outside Hotel Belgrade Inn
Brutalist-style buildings across Belgrade
Cloudy Alps on my way home

Thank you!

Thank you to the Azure Saturday Belgrade organization for having me as a speaker. Thank you to the sponsors of the event and the Azure Saturday global organization. And of course, a big thank you to all the attendees, especially the ones who were in my session.
