PFX Encryption Security Feature Bypass Vulnerability (CVE-2021-1731, Important)

Today, for its February 2021 Patch Tuesday, Microsoft released an important security update for certificates in Windows and Windows Server. This vulnerability is known as CVE-2021-1731 and rated with CVSSv3.0 scores of 5.5/4.8.

When glancing over the vulnerability, it might not be a particularly important vulnerability, but its implications are wide and deep; This PFX encryption security feature bypass vulnerability might require you to reissue or request your certificates with new private keys, because the keys may not be properly secured in transit.

When you have a certificate with a private key, you can export the certificate with the private key into a *.pfx file. When exporting the certificate, you need to decide between providing a Password or providing a Group or usernames (recommended) for access to the certificate:

You cannot export the certificate with the private key without providing one or both security measures.

Now, when you use the Group or usernames (recommended) option, keys encrypted using AES are not properly protected.

There are two things to notice:

  1. The Group or usernames (recommended) option is labeled as the recommended method to secure a *.pfx file.
  2. By default, the TripleDES-SHA1 method is used to encrypt the contents of the *.pfx file. The AES256-SHA256 encryption option is not the default option, but should be the preferred option, as 3DES and SHA1 are deprecated encryption protocols and should not be used for production purposes.

 

Affected Operating Systems

The following Operating Systems (OSs) are affected:

  • Windows 10, version 1803
  • Windows 10, version 1809
  • Windows 10, version 2004
  • Windows 10, version 20H2
  • Windows Server 2019
  • Windows Server, version 1909
  • Windows Server, version 2004

The above list suggests that the vulnerability was introduced recently and does not affect other supported Operating Systems, like Windows Server 2012 and Windows Server 2016.

 

Recommendation

If your organization stores recent certificates to disk, in e-mail or in other intra-organization communication exchanges that are secured with the Group or usernames (recommended) option and use AES256-SHA256 as encryption method, these certificates should be imported on a Windows or Windows Server installation with the February 2021 update installed and then exported.

The Group or usernames (recommended) option is not suitable for exchanging certificates to third parties. In these scenarios, the Password option is probably used. Certificates shared and stored this way are not susceptible to the vulnerability. They are, however, susceptible to brute-forcing…

Certificates that use the TripleDES-SHA1 method for key encryption are also not susceptible to the vulnerability. They are, however, susceptible to collision attacks…

Posted on February 9, 2021 by Sander Berkouwer in Active Directory Certificate Services, Microsoft Windows 10, Microsoft Windows Server 2019, Security Updates

1  

I’m Speaking at Azure Saturday Belgrade

Azure Saturday Belgrade

I’m proud to share that I’ll be returning as a speaker for Azure Saturday Belgrade. This year, the event is hosted virtually on Saturday February 20th 2021.

About Azure Saturday Belgrade

As part of AzureDays.org events, Azure Saturday Belgrade is a community-driven event to share knowledge and experiences about Microsoft Azure. In their part of the world, Azure Saturday is the biggest Azure-focused event.

The event is organized by Azure User Group Serbia. Again, Azure Saturday will bring together Azure experts and professionals from the region and the rest of Europe, with the same goal; learn  and have fun.

About my session

I’ll present a 45-minute session on:

Increasing the security of on-premises Active Directory with Azure AD

Saturday February 20th, 2021 12 PM – 12:45 PM

Would you believe a networking infrastructure can become more secure by adding cloud to it? In this session, I’ll share my real-world experience with how Azure AD-based technologies make the on-premises environments of my customers more secure.

Air-gapping and the accompanying immense challenges for updating, activating and monitoring for admins are truly referred back to the 80s in this session. I’ve met a lot of old-fashioned CISOs the last couple of years that truly believed air-gapping their environments and requiring multi-multi-multi-factor authentication for access off-premises was the way to go.

In this session I’ll show how organizations can:

  • Require multi-factor authentication only when needed because of risk
  • Get notified of leaked credentials
  • Ban bad passwords
  • Manage fragile Domain Controllers better
  • Get back on top of the millions of events that currently burden down their current SIEM solution

I’ve built a couple of exciting demos to showcase the strengths of Azure AD, Azure AD Connect Health to really blow your minds!

Join us!

The plus for virtual events is that there are virtually unlimited seats. Last year, the event has sold out, but for this year’s Azure Saturday Belgrade event, you can still get your free tickets. Register here.

Posted on February 8, 2021 by Sander Berkouwer in Community, Microsoft MVP, Personal

0  

Introducing IT Bro’s: The New Dutch Microsoft-oriented IT Pro podcast

IT Bro's

This month, Raymond Comvalius and I are introducing a new initiative: the IT Bro’s podcast.

Our goal is to provide a weekly update to Dutch IT professionals who work with Microsoft products and technologies. We will be talking in Dutch primarily, but will switch to English when we have non-Dutch guests joining us.

Our focus is on helping our fellow IT Pros with tips, tricks, news and announcements that help them perform their jobs more effectively. Our topics range from Windows and Windows Server to Edge and Microsoft 365.

As Microsoft Most Valuable Professionals (MVPs) and Microsoft Certified Trainers (MCTs), we are in close contact with several product teams in Redmond and have befriended many familiar faces in the global Microsoft community.

We originate from two different communities originally. We often have different viewpoints on topics and know different people. We think this will make for appealing podcasts.

 

You’re invited!

We invite you to join our podcast adventure. We will announce new podcast episodes on ITBros.nl with accompanying links. You can listen to us on Spotify and iTunes.

Posted on February 5, 2021 by Sander Berkouwer in Community, Microsoft MVP, Personal

1  

Five Things of Notice in the ‘State of Apps by Microsoft Identity 2020’ Report

Report

Microsoft issued a 19-page report, titled ‘The state of apps by Microsoft identity 2020’. In this document, Microsoft shares it analysis of enterprise cloud app usage. It shows how and what applications organizations are securing with Azure AD. It also shares insights into how app usage shifted in 2020 compared to the years prior.

Note:
In its analysis, Microsoft looked at organizations’ application usage within the Azure AD App Gallery, excluding Microsoft applications such as Azure, Dynamics, Office 365, and Teams. The report includes data from December 31st, 2018 to December 31st, 2020.

About the Azure AD App Gallery

Microsoft’s Azure AD App Gallery enables organizations to quickly secure and manage apps of all types. It includes thousands of pre-integrated apps. Microsoft sees organizations of all sizes integrate all their apps with Azure AD to give their workforce a more convenient and secure experience.

Organizations adopt cloud apps

2020 has changed the way people work. People rely more heavily on cloud apps to get work done. This is a longer term change, and you may expect this trend to continue past 2020. Organizations cite security and remote work as the main reasons for cloud adoption.

Organizations are increasingly using Azure AD to connect with apps

The number of monthly active users of Azure AD App Gallery apps has increased 109% year-over-year in 2020; It more than doubled on the number of people authenticating through Azure AD to third-party applications.

Okta still holds the crown when it comes to ease of onboarding apps. It’s safe to say that Azure AD has made it sufficiently easy to connect apps to Azure AD, whether these apps are feature-federated (federated with provisioning), federated or merely password-vaulted.

As an added benefit, organizations using Azure AD this way find themselves well on the 2021 path of zero trust.

More organizations now use Multi-Factor Authentication

The pandemic has both accelerated digital transformation timelines and increased the need for advanced security that organizations can rely on to provide secure access to their users wherever they may be working.

Azure AD offers its own built-in multi-factor authentication service (Azure MFA), but also allows organizations to use third party multi-factor services, like RSA, DUO and Trusona. Organizations using AD FS to redirect Azure AD authentication requests to their own implementations may also use their own multi-factor authentication implementation.

There's a multi-factor authentication solution for virtually every organization scenario. No wonder the use of multi-factor authentication (MFA) with Azure AD has grown 150% year-over-year.

Microsoft is a team player

Looking at the top 15 apps, it is apparent that Microsoft is a team player in the cloud. Google Cloud / Google Workspace (Rising to position 2 from position 3 in 2019 and 2018), Zoom (Position 5, with no ranking in previous years) and Salesforce (Position 8, previously on positions 5 and 6) may all be considered rivals to Microsoft in certain ways. However, everything is done to make sure Azure AD acts as the unified identity gateway for organizations.

ServiceNow continues to lead in monthly active users for the third year in a row.

Comparing the most popular apps by monthly active users with the most popular apps by number of organizations shows a similar picture. In this case, Zoom ranks on position 1 due to the increased video conferencing needs organizations have since 2020. Travel expense app SAP Concur, on the other hand, now no longer ranks as part of the Top 15 apps by number of organizations, mostly due to 2020’s travel restrictions.

Many organizations didn’t even bother anymore setting up and/or exposing their AD FS implementations during the first lockdowns in March 2020. When on-premises apps can be published with Azure AD using the Azure AD Application Proxy (up 100% year-over-year) or any of the third-party solutions (Citrix ADC, Palo Alto Networks Prisma Access, and Zscaler Private Access), why would they?

Microsoft has a lot of data on its customers

While all the information in the report is pseudonymized, the staggering amount of information shared shows how much data Microsoft has on its customers. Even when Azure AD merely acts as an identity broker (the setup where an organization redirects authentication requests from Azure AD to its own federation implementation), its cloud services know what identity data we exchange with the apps we use. When organizations use Azure AD as their identity provider, Microsoft knows all.

Organizations might want to review Active Directory, AD FS and Azure AD in terms of Data Privacy and update their data privacy impact assessments (DPIAs) accordingly.

Posted on February 3, 2021 by Sander Berkouwer in Azure Active Directory

0  

On-premises Identity-related updates and fixes for January 2021

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.

These are the Identity-related updates and fixes we saw for January 2021:

 

Windows Server 2016

We observed the following update for Windows Server 2016:

KB4598243 January 12, 2021

The January 12, 2021 update for Windows Server 2016 (KB4598243), updating the OS build number to 14393.4169 is a security update that includes quality improvements. For the security-related part of this update, please refer to KB4598230 below.

This update includes the following improvements:

  • This update adds the ability to set a Group Policy to show only the domain and username when a user signs in.
  • It addresses an issue that delays authentication traffic because of Netlogon scalability issues.
  • It addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory Domain Controllers. This occurs on devices that have installed Windows Updates that contain CVE-2020-17049 protections and have configured the PerfomTicketSignature registry setting to 1 or higher. Ticket acquisition also fails with the following error, if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag:

KRB_GENERIC_ERROR

 

Windows Server 2019

We observed the following update for Windows Server 2019:

KB4598230 January 12, 2021

The January 12, 2021 update for Windows Server 2019 (KB4598230), updating the OS build number to 17763.1697 is a security update.

For organizations leveraging Microsoft Defender as their anti-malware solution, the most critical vulnerability addressed during this Patch Tuesday is the zero-day Microsoft Defender remote code execution (RCE) vulnerability, known as CVE-2021-1647. Microsoft Defender engine version 1.1.17700.4 addresses the vulnerability.

The NTLM security feature bypass vulnerability, known as CVE-2021-1678, describes a vulnerability that exists in the way the Printer Remote Procedure Call (RPC) binding handles authentication for the remote Winspool interface. The January 2021 cumulative update addresses this important vulnerability in combination with the RpcAuthnLevelPrivacyEnabled Registry key on print servers to enforce to increase the RPC authentication level.

CVE-2021-1679 describes an important Denial of Service (DoS) vulnerability in the Windows CryptoAPI that can be performed over the network.

CVE-2021-1676 describes an important information disclosure vulnerability in the NTLM datagram receiver driver.

CVE-2021-1637 describes an important information disclosure vulnerability in the Windows DNS Query. An attacker who successfully exploited this vulnerability can view uninitialized memory. The attack can only be leveraged locally.

KB4598269 January 21, 2021

The January 21, 2021 update for Windows Server 2019 (KB4598296), updating the OS build number to 17763.1728 is a non-security update that includes the following identity-related improvements:

  • It addresses an issue that occurs when the Mandatory Profile check box is selected when you copy a user profile.
  • It addresses an issue that displays a blank lock screen after a device wakes up from Hibernate.
  • It addresses an issue that causes an unexpected system restart because of exception code 0xc0000005 (Access Violation) in lsass.exe. the faulting module is webio.dll.
  • It addresses an issue that cause the lsass.exe process to leak memory on a server that is under a heavy authentication load when Kerberos Armoring (Flexible Authentication Secure Tunneling (FAST)) is enabled.
  • It addresses an issue that causes lsass.exe to stop working because of a race condition that results in a double free error in Schannel. The exception code is c0000374, and the Event Log displays Schannel event 36888, fatal error code 20, and error state 960. This issue occurs after installing Windows updates from September 2020 and later.
  • It addresses a memory leak on Windows Server installations that are configured as Active Directory Domain Controllers. This issue occurs when the Key Distribution Center (KDC) attempts to fetch the Service for User (S4U) client name during certificate authentication.
  • It addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory Domain Controllers. This occurs on devices that have installed Windows Updates that contain CVE-2020-17049 protections and have configured the PerfomTicketSignature registry setting to 1 or higher. Ticket acquisition also fails with the following error, if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag:

KRB_GENERIC_ERROR

  • It addresses an issue with web applications that use cross-origin resource sharing (CORS) pre-flighting against Active Directory Federation Services (AD FS) token endpoints. These web applications might suddenly stop working when they call AD FS from external networks.
  • It addresses an issue with Administrative Template settings you configure using a Group Policy Object (GPO). When you change the value of the policy settings to Not configured, the system fails to remove the previous settings. This issue is most noticeable with roaming user profiles.

Posted on February 2, 2021 by Sander Berkouwer in Active Directory, Active Directory Federation Services, Microsoft Windows Server 2016, Microsoft Windows Server 2019, Security Updates

0  

What's New in Azure Active Directory for January 2021

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for January 2021:

 

What’s planned

Secret token will be a mandatory field when configuring provisioning

Service category: App Provisioning
Product capability: Identity Lifecycle Management

In the past, the secret token field could be kept empty when setting up provisioning on a custom / Bring your own App (BYOA) application. This function was intended to solely be used for testing. Microsoft will update the user interface (UI) to make the field required. Organizations can work around this requirement for testing purposes by using a feature flag in the browser URL.

 

What’s New

Customize and configure Android shared devices for First-line Workers at scale Public Preview

Service category: Device Registration and Management
Product capability: Identity Security & Protection

Azure AD and Microsoft Endpoint Manager teams have worked together to bring the capability to customize, scale, and secure first-line workers’ devices.

The following preview capabilities will allow organizations to:

  • Provision Android shared devices at scale with Microsoft Endpoint Manager
  • Secure access for shift workers using device-based Conditional Access
  • Customize sign-in experiences for shift workers with Managed Home Screen

 

Provisioning logs can now be downloaded as CSV or JSON Public Preview

Service category: App Provisioning
Product capability: Identity Lifecycle Management

Organization can download the provisioning logs as a *.csv or *.json file through the user interface (UI) and via the Graph API.

 

Assign cloud groups to Azure AD custom roles and admin unit scoped roles Public Preview

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

Organizations can assign a cloud group to Azure AD custom roles and to roles that are scoped to Administrative Units (AUs).

 

Azure AD Connect cloud sync Generally Available

Service category: Azure AD Connect cloud sync
Product capability: Identity Lifecycle Management

Azure AD Connect Cloud Sync, previously known as Azure AD Connect Cloud Provisioning) is now generally available.

Azure AD Connect cloud moves the heavy lifting of transform logic to the cloud, reducing the on-premises footprint of Hybrid Identity implementations. Additionally, multiple light-weight agent deployments are available for higher sync availability.

 

Attack Simulation Administrator and Attack Payload Author built-in roles Generally Available

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

Two new roles in Role-Based Access Control are available to assign to users:

  1. Attack simulation Administrator
  2. Attack Payload author

Users in the Attack Simulation Administrator role have access for all simulations in the tenant and can:

  • create and manage all aspects of attack simulation creation
  • launch/scheduling of a simulation
  • review simulation results.

Users in the Attack Payload Author role can create attack payloads but not actually launch or schedule them. Attack payloads are then available to all administrators in the tenant who can use them to create a simulation.

 

Usage Summary Reports Reader built-in role Generally Available

Service category: Role-based Access Control (RBAC)
Product capability: Access Control

Users with the Usage Summary Reports Reader role can access tenant level-aggregated data and associated insights in Microsoft 365 Admin Center for Usage and Productivity Score. However, they cannot access any user level details or insights.

In the Microsoft 365 Admin Center for the two reports, Microsoft now differentiates between tenant level aggregated data and user level details. This role adds an extra layer of protection to individual user identifiable data.

 

Require App protection policy grant in Azure AD Conditional Access Generally Available

Service category: Conditional Access
Product capability: Identity Security & Protection

The Azure AD Conditional Access grant for "Require App Protection policy" is now generally available. The policy provides the following capabilities:

  • Allows access only when using a mobile application that supports Intune App protection
  • Allows access only when a user has an Intune app protection policy delivered to the mobile application

 

Email One-Time Passcode Generally Available

Service category: Business to Business Collaboration (B2B)
Product capability: B2B/B2C

Email OTP enables organizations to collaborate with anyone by sending a link or invitation via email. Invited people can verify their identities with the one-time passcode sent to their email to access resources in the inviting organization’s tenant.

 

New provisioning connectors in the Azure AD Application Gallery

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

 

New Federated Apps available in Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2021, Microsoft has added the following new applications in the App gallery with Federation support:

 

What’s Changed

Second level manager can be set as alternate approver Public Preview

Service category: User Access Management
Product capability: Entitlement Management

An extra option when you select approvers is now available in Entitlement Management. If you select Manager as approver for the First Approver field, a second option, labeled Second level manager as alternate approver, is now available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager.

 

Navigate to Teams directly from My Access portal Generally Available

Service category: User Access Management
Product capability: Entitlement Management

You can now launch Teams directly from the My Access portal.

To do so, sign-in to My Access, navigate to Access packages, then go to the Active tab to see all of the access packages you already have access to. When you expand the selected access package and hover on Teams, you can launch it by clicking the Open button.

 

Improved Logging & End-User Prompts for Risky Guest Users

Service category: Identity Protection
Product capability: Identity Security & Protection

The Logging and End-User Prompts for Risky Guest Users have been updated.

Posted on February 1, 2021 by Sander Berkouwer in Azure Active Directory, What's New

0  

Active Directory’s ESE database code now available on GitHub

Active Directory Database

Active Directory Domain Services (AD DS) and Active Directory Certificate Services (AD CS) use the Extensible Storage Engine (ESE) as its database. Now Microsoft has open sourced the code for its database engine available to all on GitHub.

 

About the Extensible Storage Engine

The Extensible Storage Engine (ESE) is an embedded / Indexed Sequential Access Method (ISAM)-based database engine, that provides rudimentary table and indexed access. However the library provides many other strongly layered and thus reusable sub-facilities as well: A synchronization and locking library, a data-structures / STL-like library, an Operating System (OS)-abstraction layer, and a Cache Manager.

First shipping in Windows NT 3.51 and shortly thereafter in Exchange 4.0, and rewritten twice in the 90s, and heavily updated over the subsequent two decades after that, it remains a core Microsoft asset to this day.

 

What this means

This change impacts several groups of people:

Developers

For developers using ESE, Microsoft already offers ESENT Managed Interop to provide managed access to esent.dll, the embeddable database engine native to Windows. The availability of the code now enables them to check their assumptions and plan work accordingly.

Researchers

From a security point of view, vulnerabilities in the ESE code may now be discovered by researchers. These vulnerabilities will be addressed through Microsoft’s Windows Updates.

Admins

For admins, the idea of open sourcing the software they use should give them the idea that security in Active Directory is not about security through obscurity.

 

Concluding

I feel open sourcing core components of widely used technology is always a good thing.

Vendors now get a clearer understanding of what happens under the hood., We might see new advanced functionality in Active Directory backup and restore (looking at you, Veeam) and the ability of blocking certain Active Directory requests, resulting in a proactive Layer 7 protection solution (kind of what Stealthbits currently offers…).

Posted on January 31, 2021 by Sander Berkouwer in Active Directory

0  

Making the Case for 30-day Token-signing and Token-decrypting Certificates in AD FS

AD FS Sign-in screen

I feel we are at a crossroads. Five years ago, I made the case for token-signing and token-decrypting certificates in Active Directory Federation Services (AD FS) with a validity of 5-year. Today, I’m making the case for 30-day Token-signing and Token-decrypting certificates, based on my understanding of the UNC2452 attack campaign (also known as ‘SolariGate’).

About the token-signing and token-decrypting certificates

Active Directory Federation Services (ADFS) creates and manages the two certificates used for the tokens issued:

  • The token-signing certificate
    The private key of this certificate is used to sign tokens that are issued by the AD FS servers in the AD FS farm. The public key for this certificate is published in the Federation Metadata, so relying party trusts (RPTs) can check the validity and integrity of the issued token. 
  • The Token-decrypting certificate
    The private key of this certificate is used to decrypt tokens that have been encrypted by relying party trusts (RPTs) and claims provider trusts (CPTs) with the public key of the certificate. The public key for this certificate is also published in the Federation Metadata.

By default, these certificates are valid for one year from their creation and automatically renew. The renewal process starts 15 days prior to the end of validity. At this moment, a new certificate is created, published and used. Any RPT or CPT that is unaware of the change, breaks. I believe this was the number one headache for AD FS admins in the past couple of years.

What changed?

In the past five years, a lot has changed. Our collective understanding of AD FS and claims-based authentication has grown, our processes to maintain AD FS have matured and attacks have gotten more sophisticated.

The biggest change we made was to allow relying party trusts (RPTs) and claims provider trusts (CPTs) to be configured based on federation metadata.

My previous advice to extend the validity period of the AD FS token-signing and token-decrypting certificates was formed in the days that RPTs and CPTs were created manually, most of the time.

UNC2452 as it relates to Active Directory Federation Services: Golden SAML attacks

The intrusion campaign that focused on compromising SolarWinds as a supplier to many of the biggest names in the industry is known as ‘SolariGate’ and tracked as UNC2452.

The attack chain has many steps. In their Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 threat research, FireEye concludes that the attackers stole the Active Directory Federation Services (AD FS) token-signing certificate and used it to forge tokens for arbitrary users (known as Golden SAML attacks). This would have allowed the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.

I believe the Golden SAML attack can be made less efficient, when we apply the same steps as we do to make Kerberos Golden Ticket attacks less efficient: Limit the time the golden ticket is valid.

By limiting the validity period of token-signing and token-decrypting certificates in AD FS to 30 days, Golden SAML attacks would only work for 15 days.

When attackers need to gain access to the private key every 15 days instead of every 350 days, we might be able to detect them when they access the certificate store in Active Directory, the AD FS configuration database or the certificate store of the AD FS service account.

Requirements

If you want to go the route of 30-day token-signing and token-decrypting certificates, there are three requirements that you should meet:

  • Automatic certificate rollover should be enabled.
  • All relying party trusts (RPTs) should have been configured based on federation metadata. The Monitor relying party option should be enabled. The Automatically update relying party option should be enabled.
  • Any claims provider trust (CPT) should have been configured based on federation metadata. The Monitor claims provider option should be enabled. The Automatically update claims provider option should be enabled.

  

Checking automatic certificate rollover

To check if automatic certificate rollover is enabled in AD FS, use the following line of Windows PowerShell on the primary AD FS server in the AD FS farm:

(Get-ADFSProperties).AutoCertificateRollOver

Checking Relying Party Trusts

To check all the relying party trusts, use the following lines of Windows PowerShell on the primary AD FS server in the AD FS farm:

$RPTs = Get-ADFSRelyingPartyTrust

Foreach ($RPT in $RPTs) {

Write-Host $RPT.Name -ForeGroundColor Yellow

(Get-ADFSRelyingPartyTrust -Name $RPT.Name).AutoUpdateEnabled

(Get-ADFSRelyingPartyTrust -Name $RPT.Name).MonitoringEnabled

Write-Host

}

For all relying party trusts (RPTs), both properties should return TRUE.

If a relying party trust doesn’t have the Monitor relying party option and/or the Automatically update relying party option enabled, you can enable these options on the Properties screen for the relying party trust. This only works when the relying party trust is configured with a Federation Metadata file that it can monitor and the app automatically updates the file on its end.

Checking claims provider Trusts

To check all the claims provider trusts, use the following lines of Windows PowerShell on the primary AD FS server in the AD FS farm:

$CPTs = Get-ADFSClaimsProviderTrust

Foreach ($CPT in $CPTs) {

Write-Host $CPT.Name -ForeGroundColor Yellow

(Get-ADFSSClaimsProviderTrust -Name $CPT.Name).AutoUpdateEnabled

(Get-ADFSSClaimsProviderTrust -Name $CPT.Name).MonitoringEnabled

Write-Host

}

For all claims provider trusts (CPTs), both properties should return TRUE.

If a claims provider trust doesn’t have the Monitor relying party option and/or the Automatically update relying party option enabled, you can enable these options on the Properties screen for the claims provider trust. This only works when the claims provider trust is configured with a Federation Metadata file that it can monitor and the downstream identity provider automatically updates the file on its end.

 

Configure 30-day token-signing and token-decrypting certificates

To get the current validity period (in days), use the following line of Windows PowerShell on the primary AD FS server in the AD FS farm:

(Get-ADFSProperties).CertificateDuration


To configure 30-day token-signing and token-decrypting certificates, use the following line of Windows PowerShell on the primary AD FS server in the AD FS farm:

Set-AdfsProperties -Certificateduration 30

Now, nothing happens to the token-signing and token-decrypting certificates after you issue that last one-liner, since both certificates have no issues in their current state. Eventually, near the end of their lifetime, they would automatically roll-over, but we want it to happen now.

We have to tell the certificates to roll over to their new settings. The following two PowerShell one-liners can be used to this purpose:

Update-AdfsCertificate -CertificateType Token-Signing –Urgent

Update-AdfsCertificate -CertificateType Token-Decrypting –Urgent


Concluding

Defending against sophisticated attacks, requires effort from admins. AD FS admins, especially, should make a new trade-off between certificates that have a long validity period and certificates that allow for more (automatic) flexibility.

Limiting the validity period of token-signing and token-decrypting certificates in AD FS to 30 days helps to invalidate Golden SAML attacks and detect attackers. However, it can only be achieved when all relying party trusts and claims provider trusts are configured with monitoring and automatic updating.

This defense method is increasingly effective when combined with an AD FS service account based on a group Managed Service Account (gMSA)

Further reading

Configuring the AD FS Token Signing and -Decrypting Certs for a longer lifetime 
From the field: The Case of the Unstable AD FS Farm 
The WID Service consumes 100% CPU after transitioning AD FS Servers 
A Real-world tested Approach for Transitioning AD FS Servers 
The use of Distributed Key Manager (DKM) in Active Directory Federation Services  
Obtain and Configure TS and TD Certificates for AD FS

Posted on January 26, 2021 by Sander Berkouwer in Active Directory Federation Services, Enterprise Security

4  

HOWTO: Configure Accurate Time in Active Directory

Windows Server 2016 introduced the Accurate Time feature. Microsoft introduced increased polling and clock update frequency in Windows Server 2016 Active Directory, when compared to Windows Server 2008/2012. While this introduces a small additional CPU load on Domain Controllers, it does provide for more Accurate Time for Windows Server 2016 because of more frequent polling, updating and through an algorithm that calculates time difference trends.

Now let’s see how to configure it.

 

About the Accurate Time feature

The Accurate Time feature helps admins in Microsoft-oriented networking infrastructures to:

  1. Create more accurate logging and auditing through accurate timestamps across systems and appliances.
  2. Adhere to government regulations like FINRA and ESMA (MiFID II), that require accurate time.
  3. Build more reliable Windows Clustering solutions.
  4. Get more accurate outcomes on the last write wins mechanisms that ultimately determine the outcome of competing changes within Active Directory replication.

I’ve discussed some of these challenges previously in my blogpost on Managing Active Directory Time Synchronization on VMware vSphere. I mentioned the Accurate Time feature in that context, too, but did not elaborate on how to configure it.

The Accurate Time feature is not enabled, by default.

 

About the Active Directory Time Hierarchy

In every Active Directory environment, time is synchronized in a hierarchy. This hierarchy is depicted in the below image, courtesy of the Time Synchronization in Active Directory Forests page in the Microsoft TechNet Wiki:

ADTimeHierarchy

The Domain Controller holding the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role in the root domain represents the top of the hierarchy and is considered the authoritative time source. That’s why the Active Directory Best Practices Analyzer (BPA) reports an action when this Domain Controller does not synchronize its time with an external source, like a pool of NTP servers on the Internet or a couple of GPS-equipped internal appliances, or a combination of both.

The Domain Controller holding the PDCe FSMO role represents the top. It is important to identify the Domain Controller with the PDCe FSMO role, as we need to perform changes on this host.

 

How to configure Accurate Time on the Domain Controller with the PDCe FSMO Role

To configure the Accurate Time feature on the Domain Controller with the PDCe FSMO Role, perform these steps:

 

Determine the Domain Controller with the PDCe FSMO Role

We start with double-checking the configured time servers on the Domain Controller holding the PDCe FSMO role. Determine the Domain Controller using the following command on the command line of any domain-joined system:

netdom.exe query fsmo

 

Get the currently configured time servers for the Domain Controller

Sign in interactively to this Domain Controller and start an elevated Windows PowerShell window, or enter a PowerShell remote session. Run the following line to return the comma-separated list of time servers specified:

Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\' | Select-Object NtpServer

 

Make sure the NTP servers listed are on the list of Stratum 1 servers, are denoted as OpenAccess (or you have prior arrangements for servers that are denoted as ClosedAccess or RestrictedAccess), are hosted reasonably geographic nearby and maintained by an organization with an excellent reputation.

 

Configure the server to offer accurate time

Configure the Domain Controller with the PDCe FSMO role to offer the Accurate Time feature using the following lines of Windows PowerShell:

$NTP = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

New-ItemProperty -Path $NTP"\Config\" -Name MinPollInterval -Value 6 -Propertytype DWORD

New-ItemProperty -Path $NTP"\Config\" -Name MaxPollInterval -Value 6 -Propertytype DWORD

New-ItemProperty -Path $NTP"\Config\" -Name UpdateInterval -Value 100 -Propertytype DWORD

New-ItemProperty -Path $NTP"\Config\" -Name FrequencyCorrectRate -Value 2 -Propertytype DWORD

New-ItemProperty -Path $NTP"\TimeProviders\NtpClient" -Name SpecialPollInterval -Value 64 -Propertytype DWORD

w32tm.exe /config /update

Restart-Service w32time

 

(Optionally) Configure NTP for 3rd-party systems and appliances

Optionally, make the Domain Controller an authoritative server for 3rd-party systems and appliances, using the following lines of Windows PowerShell:

$NTP = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

New-ItemProperty -Path $NTP"\Parameters\" -Name Type -Value NTP -Propertytype DWORD

New-ItemProperty -Path $NTP"\Config\" -Name AnnounceFlags -Value 5 -Propertytype DWORD

New-ItemProperty -Path $NTP"\TimeProviders\NtpServer\" -Name Enabled -Value 1 -Propertytype DWORD

New-ItemProperty -Path $NTP"\Config\" -Name MaxPosPhaseCorrection -Value 1800 -Propertytype DWORD

New-ItemProperty -Path $NTP"\Config\" -Name MaxNegPhaseCorrection -Value 1800 -Propertytype DWORD

w32tm.exe /config /update

Restart-Service w32time

How to configure Accurate Time on domain-joined devices

To perform the steps below, sign in to a system with the Group Policy Management Console (GPMC) installed with an account that is either:

  • A member of the Domain Admins group, or;
  • The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or
  • Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

To configure the Accurate Time feature on domain-joined devices, perform these steps:

 

Create a new Group Policy object

To create a Group Policy Object, perform these steps:

  • Open the Group Policy Management Console (gpmc.msc)
  • In the left navigation pane, expand the Forest container.
  • Expand the Domains container, and then navigate to the domain where you want to create the GPO.
  • Expand the domain name.
  • Right-click the Group Policy Objects node and select New from the menu.
  • In the New GPO pop-up window, enter a descriptive name for the Group Policy Object for instance ‘NTP Client Settings’. Make sure you don’t select a Starter GPO.
  • Click OK to create the GPO.

 

Configure settings for Accurate Time

Make the appropriate changes in the Group Policy object for the Accurate Time feature, while still in the Group Policy Management Console (GPMC):

  • Select the previously created Group Policy object.
  • In the left navigation pane, right-click the GPO and select Edit… from the menu.
    The Group Policy Editor (gpedit.msc) appears.
  • In the left navigation pane of the Group Policy Editor window expand the Computer Configuration node, then the Policies node, the Administrative Templates node, the System node, the Windows Time Service node and finally the Time Providers node.
  • In the main pane of the Group Policy Editor window, double-click the Configure Windows NTP Client setting.
    The Configure Windows NTP Client window appears:

Configure NTP Client Group Policy setting

  • Configure the setting as Enabled at the top of the window.
  • In the left pane in the Options: area, specify the following settings:
    • As the NTPServer, specify the domain name.

Note:
You could alternatively specify the fully-qualified DNS domain name of the Domain Controller holding the PDCe FSMO role, but this would create a single point of failure in the otherwise redundant infrastructure. As the other Domain Controllers would synchronize time accurately with the Domain Controller holding the PDCe FSMO role, this is a good configuration.

    • As the Type, specify NT5DS.
    • For the CrossSiteSyncFlags value, specify 2.
    • For the ResolvePeerBackoffMinutes value, specify 15.
    • For the ResolvePeerBackoffMaxTimes value, specify 7.
    • For the SpecialPollInterval value, specify 64.
    • For the EventLogFlags value, specify 0.
  • Click OK.
  • Back in the main pane of the Group Policy Editor window, double-click the Enable Windows NTP Client setting.
  • Configure the setting as Enabled at the top of the window.
  • Click OK.
  • Close the Group Policy Editor (gpedit.msc) window.

 

Assign the Group Policy object to the Domain

To link the previously created Group Policy Object, perform these steps, while still in the Group Policy Management Console (GPMC):

  • In the left navigation pane of the Group Policy Management Console (GPMC) navigate to the node that represents the domain name.
  • Right-click the node and select Link an existing GPO… from the menu.
  • In the Select GPO window, select the GPO you created earlier from the list of available Group Policy objects:.
  • Click OK to link the GPO.

 

Concluding

The Accurate Time feature might benefit your organization. The feature is not enabled by default, but you can enable it easily, using the lines of Windows PowerShell above.

Further reading

Configure NTP Time Sync Using Group Policy
VMware vSphere 7.0U1 introduces advanced time sync configuration
vSphere 7's vMotion notifies for time differences
Managing Active Directory Time Sync on VMware vSphere
Active Directory Time Sync, broken by default

Posted on January 25, 2021 by Sander Berkouwer in Active Directory

0  

What’s New in Identity in Microsoft Edge v88

Microsoft Edge

Today, Microsoft made Edge version 88.0.705.50 generally available to the Edge stable channel. Consequently, Edge 88 will be rolling out to devices in the next few days.

 

What’s New in Identity

Edge version 88 provides these new features in terms of identity:

 

Single Sign-on on Windows 7 and Windows 8.1

When using Microsoft Edge on Windows 10, people enjoy Single Sign On (SSO) access to their Azure Active Directory (Azure AD) accounts and Microsoft Account (MSA). These results in lesser prompts, a more pleasant browsing experience and helps to eliminate prompt-fatigue.

This functionality is now also available on down-level Windows. A person signed in on Microsoft Edge on down-level Microsoft Windows (7, 8.1) will now get automatically signed into websites that are configured to allow single sign on with Work and Microsoft accounts, like bing.com, office.com, msn.com and outlook.com.

Note:
You may have to sign out and then sign back in if they'd signed into Microsoft Edge in a version prior to Microsoft Edge 88 to leverage this feature.

 

Password generator

Microsoft Edge version 88 introduces a built-in strong password generator that people can use when signing up for a new account or when changing an existing password.

You can now also edit your saved passwords directly in Microsoft Edge Settings. Any time a password has been updated outside of Microsoft Edge, it’s easy to replace the saved older password with the new one by editing the saved entry in Settings.

 

Password Monitor

Alerts are generated if a  password is found in an online leak. When any of your passwords saved to the browser matches with those seen in sets of leaked credentials, Microsoft Edge will notify you and prompt you to update your password.

Passwords are checked against a repository of known-breached credentials and sends an alert if a match is found. To ensure security and privacy, passwords are hashed and encrypted when they're checked against the database of leaked credentials.

Password Monitor scans for matches on your behalf and is on by default.

 

Group Policy settings changes

Microsoft Edge now offers the Allow Basic authentication for HTTP Group Policy setting. If you enable this policy or leave it unset, Basic authentication challenges received over non-secure HTTP will be allowed. If you disable this policy, HTTP requests from the Basic authentication scheme are blocked, and only HTTPS is allowed. This Group Policy setting corresponds to the BasicAuthOverHttpEnabled DWORD Registry setting.

The Enable Proactive Authentication Group Policy setting is being deprecated in version 88. It will be removed in Microsoft Edge version 91. Proactive Authentication is turned on, by default and configures Microsoft Edge to try to seamlessly authenticate to websites and services using the account which is signed-in to the browser. If you disable this policy, Microsoft Edge does not try to authenticate with websites or services using single sign-on (SSO). Authenticated experiences like the Enterprise New Tab Page (NTP) will not work.

Posted on January 22, 2021 by Sander Berkouwer in Microsoft Edge, What's New

0