Security Thoughts: Veeam Backup & Replication leaks Azure Password in log

Veeam Backup & ReplicationIn Veeam Backup and Replication 9.5 versions prior to Update 4, the password for the Microsoft Azure account used by the Direct Restore to Azure functionality can be found in the log in plain text.

Veeam Backup and Replication is used by a lot of organizations worldwide to create and restore backups of systems, applications and services. Its Direct Restore to Azure functionality absolutely rocks for both backups and migrations to Azure Infrastructure as a Service (IaaS). Alas, there is a security issue that might diminish your fantastic experience with this feature…

  

The situation

You want to assign the user account in Microsoft Azure Infrastructure as a Service (IaaS) for Veeam Backup & Replication’s Direct Restore to Azure functionality with the minimum of privileges in the Azure tenant.

You follow the steps outlined in Veeam KnowledgeBase article 2702:

  1. You first create a user object in Microsoft Azure Active Directory.
  2. You run the below Windows PowerShell script to create a custom role in Microsoft Azure with minimal privileges:
      
  3. $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()

    $role.Name
    = ‘Veeam Restore Operator’

    $role.
    Description = ‘Permissions for Veeam Direct Restore to Microsoft Azure’

    $role.
    IsCustom = $true
     

    $permissions
    = @(
    ‘Microsoft.Storage/storageAccounts/listkeys/action’,
    ‘Microsoft.Storage/storageAccounts/read’,
    ‘Microsoft.Network/locations/checkDnsNameAvailability/read’,
    ‘Microsoft.Network/virtualNetworks/read’,
    ‘Microsoft.Network/virtualNetworks/subnets/join/action’,
    ‘Microsoft.Network/publicIPAddresses/read’,
    ‘Microsoft.Network/publicIPAddresses/write’,
    ‘Microsoft.Network/publicIPAddresses/delete’,
    ‘Microsoft.Network/publicIPAddresses/join/action’,
    ‘Microsoft.Network/networkInterfaces/read’,
    ‘Microsoft.Network/networkInterfaces/write’,
    ‘Microsoft.Network/networkInterfaces/delete’,
    ‘Microsoft.Network/networkInterfaces/join/action’,
    ‘Microsoft.Network/networkSecurityGroups/read’,
    ‘Microsoft.Network/networkSecurityGroups/write’,
    ‘Microsoft.Network/networkSecurityGroups/delete’,
    ‘Microsoft.Network/networkSecurityGroups/join/action’,
    ‘Microsoft.Compute/locations/vmSizes/read’,
    ‘Microsoft.Compute/locations/usages/read’,
    ‘Microsoft.Compute/virtualMachines/read’,
    ‘Microsoft.Compute/virtualMachines/write’,
    ‘Microsoft.Compute/virtualMachines/delete’,
    ‘Microsoft.Compute/virtualMachines/start/action’,
    ‘Microsoft.Compute/virtualMachines/deallocate/action’,
    ‘Microsoft.Compute/virtualMachines/instanceView/read’,
    ‘Microsoft.Compute/virtualMachines/extensions/read’,
    ‘Microsoft.Compute/virtualMachines/extensions/write’,
    ‘Microsoft.Resources/checkResourceName/action’,
    ‘Microsoft.Resources/subscriptions/resourceGroups/read’,
    ‘Microsoft.Resources/subscriptions/resourceGroups/write’,
    ‘Microsoft.Resources/subscriptions/locations/read’

    )


    $role
    .Actions = $permissions

    $role
    .NotActions = (Get-AzureRmRoleDefinition -Name ‘Virtual Machine Contributor’).NotActions

    $subs
    = ‘/subscriptions/00000000-0000-0000-0000-000000000000’

    $role
    .AssignableScopes = $subs

    New-AzureRmRoleDefinition
    -Role $role

  4. Then, you register the newly created user object and role in Veeam Backup & Replication using the following command in an elevated Command Prompt window on the Windows Server installation running Veeam Backup & Replication:
          
  5. cd C:\Program Files\Veeam\Backup and Replication\Backup

    Veeam.backup.manager.exe REGISTERAZUREACCOUNT

The account is then ready for use.

  

The issue

When you assign the user account in Microsoft Azure Infrastructure as a Service (IaaS) for Veeam Backup & Replication’s Direct Restore to Azure functionality with the minimum of privileges in the Azure tenant, using the steps outlined in Veeam KnowledgeBase article 2702, the password for the Microsoft Azure account can be found in the C:\ProgramData\Veeam\Backup\VeeamBackupManager.log file in plain text.

This issue affects Veeam Backup & Replication 9.5 versions prior to Update 4.
The issue is described in Veeam KnowledgeBase article 2886.

    

The solution

The issue was addressed in Veeam Backup & Replication 9.5 Update 4.

Veeam Backup & Replication 9.5 Update 4 was released in January 2019. The Direct Restore to Azure functionality was made available in March 2016. The guidance to assign the user account in Microsoft Azure Infrastructure as a Service (IaaS) for Veeam Backup & Replication’s Direct Restore to Azure functionality with the minimum of privileges in the Azure tenant was first released in August 2018.

  

Call to Action

Please upgrade to Veeam Backup & Replication 9.5 Update 4.

If your organization has configured the account for Direct Restore using the guidance in Veeam KnowledgeBase article 2702, or intends to do so on Veeam Backup & Replication 9.5 versions prior to Update 4, apply the necessary security measures for the log file.

If your organization’s security principles allow you to edit or remove the log file, do so.

Further reading

Veeam “Direct Restore to Azure” Walk-Trough 
Veeam Availability Suite 9.5 Update 4 is now available. Here’s how cool it is. 
Release Information for Veeam Backup & Replication 9.5 Update 4

0  

Windows Server 2019’s February 2019 Quality Update fixes two authentication issues

Windows Server

Windows Server 2019’s February 2019 Cumulative Quality Update, bringing the OS version to 17763316 , offers a fix for two authentication issues.

      

About Windows Server 2019 Updates

Microsoft issues two major updates each month for Windows Server 2019, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2019. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2019.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.

     

Fixed issues

LMCompatibilityLevel

KB4487044 addresses an issue that fails to set the LmCompatibilityLevel value correctly. LmCompatibilityLevel specifies the authentication mode and session security.

     

Windows Hello for Business

KB4487044 addresses an issue that causes the Windows Hello for Business Hybrid Key Trust deployment sign-in to fail if Windows Server 2019-based Domain Controllers are used for authentication.

The error is:

That option is temporarily unavailable. For now, please use a different method to sign in.

This issue is caused when Active Directory Domain Services (AD DS) activity tracing is enabled. In this scenario, a Local Security Authority Subsystem Service (LSASS) exception may occur in the Windows 2019-based Domain Controller when processing a user’s sign in.

     

Call to Action

When you experience the above issue, you are invited to install Windows Server 2019’s February 2019 Cumulative Quality Update (KB4487044) on your Active Directory Domain Controllers to resolve them. Test the update to avoid any issues with this update.

Known issues

After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

After installing this update, Internet Explorer may fail to load images with a backslash (\) in their relative source path and may have authentication issues.

Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

0  

Windows Server 2016’s February 2019 Quality Update fixes two Hybrid Identity issues

Windows Server

Windows Server 2016’s February 2019 Cumulative Quality Update, bringing the OS version to 14393.2828 , offers a fix for two authentication issues.

      

About Windows Server 2016 Updates

Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.

     

Fixed issues

RPT Updates fail with error MSIS7615

KB4487006 addresses an issue that causes updates to a Relying Party Trust (RPT) to fail when using PowerShell or the Active Directory Federation Services (AD FS) Management Tools. This issue occurs if you configure a RPT to use an online federation metadata URL that publishes more than one PassiveRequestorEndpoint.

The error is:

MSIS7615: The trusted endpoints specified in a relying party trust must be unique for that relying party trust.

    

Azure Password Protection Error

KB4487006 addresses an issue that displays a specific error message for external complexity password changes, because of Azure Password Protection policies.

Azure AD Password Protection for Windows Server Active Directory is used to prevent weak passwords being used in the organization using Active Directory Domain Services.

     

Call to Action

When you experience the above issue, you are invited to install Windows Server 2016’s February 2019 Cumulative Quality Update (KB4487006) on your Active Directory Federation Services (AD FS) servers and Window-based endpoints to resolve them. Test the update to avoid any issues with this update.

Known issues

For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.

The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

Internet Explorer 11 may have authentication issues.

0  

I am a 2019 Veeam Vanguard

Veeam Vanguard

Yesterday, I received an e-mail from Rick Vanover from Veeam congratulating me with being selected for the 2019 Veeam Vanguard Program by the Veeam Vanguard team.

For me, it means I successfully renewed my previous three Veeam Vanguard Awards, dating back to 2016. I still remain one of the three Dutch Veeam Vanguards.

I feel honored.

 

About Veeam Vanguards

The Vanguard program is led by the Veeam Technical Product Marketing & Evangelism team and supported by the entire company. It’s a program around the community of Veeam experts that truly get Veeam’s message, understand Veeam’s products and are Veeam’s closest peers in IT.

Veeam Vanguard represent Veeam’s brand to the highest level in many of the different technology communities. These individuals are chosen for their acumen, engagement and style in their activities on and offline.

The full list of Veeam Vanguards will be available shortly here.

Further reading

I am a 2018 Veeam Vanguard
I am a 2017 Veeam Vanguard
I am a 2016 Veeam Vanguard
Veeam Availability Suite 9.5 Update 4 is now available. Here’s how cool it is.
Veeam Availability Suite adds support for the latest technology

0  

What’s New in Azure Active Directory for January 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for January 2019:

 

What’s New

Active Directory B2B collaboration using one-time passcode authentication Public preview

Service category: B2B
Product capability: B2B/B2C

Microsoft has introduced one-time passcode authentication (OTP) for B2B guest users who can’t be authenticated through other means like Azure AD, a Microsoft account (MSA), or Google federation. This new authentication method means that guest users don’t have to create a new Microsoft account. Instead, while redeeming an invitation or accessing a shared resource, a guest user can request a temporary code to be sent to an email address. Using this temporary code, the guest user can continue to sign in.

 

New Azure AD Application Proxy cookie settings

Service category: App Proxy
Product capability: Access Control

The identity team at Microsoft introduced three new cookie settings, available for apps that are published through Application Proxy:

  • Use HTTP-Only cookie.
    Sets the HTTPOnly flag on your Application Proxy access and session cookies. Turning on this setting provides additional security benefits, such as helping to prevent copying or modifying of cookies through client-side scripting. Microsoft recommends you turn on this flag (choose Yes) for the added benefits.
  • Use secure cookie.
    Sets the Secure flag on your Application Proxy access and session cookies. Turning on this setting provides additional security benefits, by making sure cookies are only transmitted over TLS secure channels, such as HTTPS. Microsoft recommends you turn on this flag (choose Yes) for the added benefits.
  • Use persistent cookie.
    Prevents access cookies from expiring when the web browser is closed. These cookies last for the lifetime of the access token. However, the cookies are reset if the expiration time is reached or if the user manually deletes the cookie. Microsoft recommends you keep the default setting No, only turning on the setting for older apps that don’t share cookies between processes.

For more information about the new cookies, see Cookie settings for accessing on-premises applications in Azure Active Directory.

 

New Federated Apps available in Azure AD app gallery

In January 2019, Microsoft has added these new apps with Federation support to the app gallery:

 

App Lock feature for the Microsoft Authenticator app on iOS and Android devices

Service category: Microsoft Authenticator App
Product capability: Identity Security & Protection

To keep your one-time passcodes, app information, and app settings more secure, you can turn on the App Lock feature in the Microsoft Authenticator app. Turning on App Lock means you’ll be asked to authenticate using your PIN or biometric every time you open the Microsoft Authenticator app.

For more information, see the Microsoft Authenticator app FAQ.

 

Enhanced Azure AD Privileged Identity Management (PIM) export capabilities

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Privileged Identity Management (PIM) administrators can now export all active and eligible role assignments for a specific resource, which includes role assignments for all child resources. Previously, it was difficult for administrators to get a complete list of role assignments for a subscription and they had to export role assignments for each specific resource.

For more information, see View activity and audit history for Azure resource roles in PIM.

 

What’s Changed

New Azure AD Identity Protection enhancements Public preview

Service category: Identity Protection
Product capability: Identity Security & Protection

Microsoft is excited to announce that it has added the following enhancements to the Azure AD Identity Protection public preview offering, including:

  • An updated and more integrated user interface
  • Additional APIs
  • Improved risk assessment through machine learning
  • Product-wide alignment across risky users and risky sign-ins

For more information about the enhancements, see What is Azure Active Directory Identity Protection (refreshed)? to learn more and to share your thoughts through the in-product prompts.

 

Users removed from synchronization scope no longer switch to cloud-only accounts

Service category: User Management
Product capability: Directory

Microsoft has heard and understood our frustration because of this fix. Therefore, Microsoft has reverted this change until such time that they can make the fix easier for admins to implement in organizations.

0  

Veeam Availability Suite 9.5 Update 4 is now available. Here’s how cool it is.

Veeam Availability`Suite 9.5 Update 3a

Veeam has made its Availability Suite 9.5 Update 4 available, after it was released to manufacturers (RTM) on December 28th, 2018.

This update addresses several minor issues. However, it also add support for the latest and greatest that Veeam Vanguards and Veeam admins work with… and that’s cool!

 

Veeam Backup & Replication

Veeam Backup & Replication 9.5 Update 4 offers many new functions, including effectively unlimited scale-out backup repositories (SOBRs) and a new archive tier

Platform support

Veeam Backup & Replication 9.5 Update 4 brings support for:

  • Microsoft Windows Server 2019
  • Microdoft Hyper-V Server 2019
  • Microsoft Windows Server, version 1809
  • Microsoft Windows 10, version 1809 “October Update”
  • Microsoft Windows Server Core installations (via Managed by Backup Server jobs)
  • Microsoft Exchange Server Database Availability Groups (DAGs, via Managed by Backup Server jobs)
  • Microsoft Exchange Server 2019
  • Microsoft SharePoint Server 2019
  • VMware vSphere 6.7 Update 1
  • VMware vCloud Director 9.5

Secure Restore

Veeam Backup & Replication 9.5 Update 4 introduces Secure Restore. This feature allows organizations to perform an anti-malware scan on the backups they wish to restore, through 3rd party anti-virus integrations.

Microsoft’s Windows Defender, ESET and Symantec Protection Engine are supported out of the box, but any anti-malware solution can be used, when it supports command-line triggering.

Staged Restore

Veeam Backup & Replication 9.5 Update 4 introduces Staged Restore. This feature runs a restored machine directly from the backup file in an isolated data lab environment, for pre-processing, such as the removal of personal data from an application’s database or mask data using solutions as Ekobit BizDataX, before moving the post-processed machine state into the production environment.

Support for Write-Once Media (WORM)

Many enterprise organizations require the use of write-once media. Veeam Backup & Replication 9.5 Update 4 now offers support for this scenario by offering dedicated Worm Media Pools.

Cloud Tier

Veeam Cloud Tier is a new storage tier within the scale-out backup repository (SOBR) — the Capacity Tier — with unlimited capacity for long-term data retention by using native, cost-effective object storage integrations with Amazon S3, Azure Blob Storage, IBM Cloud Object Storage, as well as numerous S3-compatible service providers and on-premises storage solutions.

Here’s the full story on what’s cool in Veeam Backup & Replication 9.5 Update 4.

 

Veeam Agents

All new versions of the Veeam Agents now offer health checks and deleted agent retention. In addition to that, Veeam Agents now offer two backup job types:

  1. Managed by Agent
  2. Managed by Backup Server

Veeam Agent for Windows 3.0

The Veeam Agent for Windows version 3 adds support for:

  • Microsoft Windows Server 2019
  • Microsoft Windows Server, version 1809
  • Microsoft Windows 10, version 1809 “October Update”
  • Microsoft Windows Server Core installations
  • Microsoft Exchange Server Database Availability Groups (DAGs)
  • Microsoft Exchange Server 2019
  • Microsoft SharePoint Server 2019

Note:
Server Core installations and Exchange Server Database Availability Groups are only available through Managed by Backup Server jobs

In addition to the extended platform support, version 3 of the Veeam Agent for Windows also now supports multiple jobs, network throttling, file level restore enhancements, and integration with Windows’ Action Center.

Click here for everything that’s cool in Veeam Agent for Microsoft Windows 3.0.

Veeam Agent for Linux 3.0

Version 2 of Veeam’s Agent for Linux was the first version of the product to be manageable through Veeam Availability Suite. This allows you to streamline the discovery, deployment and centralized management of these agents.

Now, with version 3 of the Veeam Agent for Linux, support is added for the following distributions:

  • RedHat Enterprise Linux 7.6 6.10
  • Oracle Linux (RHCK) 7.6 6.10
  • SUSE Linux Enterprise Edition (SLES) 15
  • SUSE Linux Enterprise Edition (SLES) 12 Service Pack 4
  • CentOS 7.6 6.10
  • Debian 8.11
  • Debian 9.5
  • Debian 9.6
  • Ubuntu 18.10
  • openSUSE Leap 15
  • Fedora 29

Click here for everything that’s cool in Veeam Agent for Linux 3.0.

 

Veeam Backup for Office 365

Veeam Backup for Microsoft Office 365 v2 has been updated with Cumulative Patch KB2809 that updates the build version to 2.0.0.814. Next to optimizations in SharePoint Online and OneDrive for Business, this update, offers:

  • Compatibility support for Backup and Replication 9.5 Update 4, including the new versions of Veeam Explorer for Microsoft Exchange and Veeam Explorer for Microsoft SharePoint
  • Compatibility support for Veeam Cloud Connect 9.5 Update 4

 

Veeam Availability for AWS

Veeam Availability for AWS is a separate solution within the Veeam Availability Platform, but it is enabled by multiple components, one of which is being delivered in the Veeam Availability Suite 9.5 Upgrade 4 release: the External Repository feature in Veeam Backup & Replication 9.5 Update 4. This feature allows to move backup data from the cloud to on-premises. However, this feature can only be leveraged when Veeam Availability for AWS is purchased.

With Veeam Availability for AWS, Veeam leverages the AWS-purpose-built functionality of N2WS Cloud Protection Manager as part of the platform to:

  • Protect both AWS-based workloads and on-premises workloads
  • Consolidate all backup data in a single repository with consistent auditing, reporting and alerting
  • Enable Veeam Backup & Replication to be used to backup and restore both workloads and create cloud mobility from a single user interface.

 

Veeam Cloud Connect

Veeam Cloud Connect has been revamped. Veeam Cloud Service Providers (VCSPs) can now align better with VMware vCloud Director on top of the functionality for VMware vCenter and Microsoft Hyper-V.

Tenant to tape

Veeam Cloud Connect now offers Tenant to Tape. This way, Veeam Cloud Connect Service Providers can offer Tape-as-a-Service to their customers to provide an additional tier of protections.

This feature requires backups made with Veeam Backup & Replication 9.5 Update 4, or up, since it won’t work with older backup files.

 

Veeam Availability Orchestrator

Version 2 of the Veeam Availability Orchestrator expands on the functionality of Version 1, by offering Restore Plans, enhanced reporting and RTO/RPO tracking in localized languages, Site Scopes for roles and permissions, and Virtual Machine Console Access right from the Orchestrator Web User Interface.

 

Veeam ONE

Veeam ONE version 9.5 Update 4 offers a new Business View, Veeam Intelligent Diagnostics (VID), Remediation Actions and App-level Monitoring.

Additionally, monitoring of Veeam Agents is dramatically improved in this version of Veeam ONE, offering more direct views on the status and backup locations of agents.

Click here to see all of What’s New in Veeam ONE 9.5 Update 4.

 

Concluding

Veeam Availability Suite 9.5 Update 4 offers new features for admins of networking infrastructure to cope with the high demands organizations face in terms of regulatory compliance and data.

Veeam Availability Suite 9.5 Update 4 should be on your update list, despite Veeam announced Veeam Availability Suite 10 for next year.

0  

Windows Server 2019’s January 2019 Quality Update fixes the issue with Domain Controller Promotions for new domains

Windows Server

Windows Server 2019’s January 2019 Cumulative Quality Update, bringing the OS version to 17763.292 , offers a fix for the issue you might be experiencing on your Windows Server 2016 and Windows Server 2019-based Domain Controllers.

 

About Windows Server 2019 Updates

Microsoft issues two major updates each month for Windows Server 2019, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2019. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2019.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.

 

The issue

As we first encountered, reported the issue and then covered it here, we have all the details on this issue.

The issue is with Windows Server 2016 and Windows Server 2019-based installations, that you want to promote for a new domain in an existing forest, that has the Active Directory Recycle Bin enabled.

In this situation, creation of the domain fails.

Active Directory Domain Services Configuration Wizard

When you use the Active Directory Domain Services Configuration Wizard, it offers the following information:

An error occurred while trying to configure this machine as a Domain Controller

The operation failed because:
Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration, DC=domain,DC=tld from the remote Active Directory Domain Controller FullyQualifiedDCName.

“The replication operation encountered a database error.”

PowerShell

When you use the Install-ADDSDomain PowerShell cmdlet, you receive the following error:

Install-ADDSDomain : The operation failed because:
Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration, DC=domain,DC=tld from the remote Active Directory Domain Controller FullyQualifiedDCName.

“The replication operation encountered a database error.”

DCPromo Log

In dcpromo.log on the failed Domain Controller you find the following lines, indicating the error:

[INFO] DsRolepInstallDs returned 1356

 

The cause

This issue is caused by the Active Directory Recycle Bin optional feature being enabled and having update KB4464330 for Windows Server 2019 installed.

If the Active Directory Recycle Bin optional feature is not enabled yet, the Active Directory Domain Services Configuration Wizard and Install-ADDSDomain are successful, as you’d expect.

 

The solution

Back in October, when Windows Server 2019 wasn’t released yet, our advice was to uninstall KB4464330 for Windows Server 2019. Now, the solution is to install KB4476976.

When you experience the above issue, you are invited to install Windows Server 2019’s January 2019 Cumulative Quality Update (KB4476976) on your Active Directory Domain Controllers to resolve them. Test the update to avoid any issues with this update.

Note:
Interestingly, the issue in Windows Server 2016 was resolved in Windows Server 2016’s November 2018 Cumulative Quality Update. Two months ago…

0  

HOWTO: Install CensorNet’s SMS PASSCODE AD FS Agent

HowTo

Today, I had the pleasure of installing and configuring the AD FS Agent that is part of CensorNet’s SMS PASSCODE product., version 2018 (version 10). Here’s how to perform this task yourself.

  

About the Extensible Authentication Framework

Active Directory Federation Services (AD FS) offers the Extensible Authentication Framework (EAF). Leveraging this functionality, multi-factor authentication providers can hook their products into the authentication funnel.

Through an AD FS Agent, the authentication gets routed to the multi-factor authentication software, when an MFA claim is needed. Only when the multi-factor authentication software signals back that the multi-factor authentication was successful, will AD FS be able to successfully send a federation claim to the user.

  

About CensorNet and SMS PASSCODE

SMS PASSCODE is one of the oldest multi-factor authentication solutions in the market. Their solution, currently, offers one-time passwords (OTPs) in SMS text messages and through their SMS PASSCODE mobile app.

The architecture of the product is to use a centralized authentication server, hosting the information for authenticating. Users can be imported into this server from Active Directory and other sources. Fail-over servers can be implemented to reduce the dependency on one server. Agents, called Client Authentication Protections, offer functionality like RADIUS connectivity and, as I’ll point out in this blogpost, AD FS connectivity through the Extensible Authentication Framework (EAF).

  

Prerequisites

Before following the below steps, make sure you meet the following prerequisites:

  • Implement the central CensorNet SMS PASSCODE server. Copy the installation file for the server component to a file location that is accessible to the AD FS Server(s). Make sure users accounts are configured with appropriate authentication information.
  • Log on to the AD FS Server(s) with an account that has privileges to manage Active Directory Federation Services. Make sure you run the last steps of this HowTo on the AD FS Server that is the primary server, when the AD FS Farm leverages the Windows Internal Database (WID) as the AD FS configuration database.
  • Make sure the AD FS Servers are able to communicate with the centralized CensorNet SMS PASSCODE server over TCP port 8988. Web Application Proxies don’t need a connection to the server, though.
  • After installation and configuration of the SMS PASSCODE Client Authentication Protection for AD FS, the AD FS Servers need to be restarted. Make sure to plan this type of actions outside working hours, or have a fully redundant AD FS implementation.

  

How to install and configure the agent

Follow these steps to install and configure the CensorNet SMS PASSCODE Client Authentication Protection for AD FS:

  • Log on to the AD FS server.
  • Locate the CensorNet SMS PASSCODE installation file.

    The SMS PASSCODE Installer in File Explorer (click for original screenshot)

  • Double-click the SmsPasscode-2018-x64.exe installation file to start installing.

    Welcome to the InstallShield Wizard for SMS PASSCODE 2018 (click for original screenshot)

  • In the Welcome to the InstallShield Wizard for SMS PASSCODE screen of the SMS PASSCODE 2018 installer, click Next >.
  • In the License Agreement screen, select the option I accept the terms in the license agreement. Click Next >.

    Installation Scope (click for original screenshot)

  • In the Installation Scope screen, only select the option to Install Authentication Client Protection and click Next >. The other option installs the central server component.
  • In the Destination Folder screen, click Next >. to accept the default installation location: C:\Program Files\SMS PASSCODE\.

    Authentication Clients (click for original screenshot)

  • In the Authentication Clients screen, only select the AD FS Protection option.
    Click Next >.
  • In the Configuration Tool pop-up, click OK to acknowledge that all settings need to be checked and that installation continues after the configuration tool is closed.

    Network tab (click for original screenshot)

  • In the SMS PASSCODE – Configuration Tool, on the Network tab, specify the shared secret to communicate with the central server, twice. Click Save.
  • Navigate to the Backend Hosts tab.

    Backend Hosts tab (click for original screenshot)

  • On the Backend Hosts tab, remove the hostname of the AD FS Server (default) and enter the hostname of the central CensorNet server Click Save when done..
  • Click Test Connection. Click Close in the resulting screen.
  • Click Close to close the SMS PASSCODE – Configuration Tool.
  • Back in the SMS PASSCODE 2018 installation screen, wait for the installer to complete.

    InstallShield Wizard Completed (click for original screenshot)

  • In the InstallShield Wizard Completed screen, click Finish.

Perform the above steps on every AD FS Server in the AD FS Farm, before continuing with the steps below.

             

How to enable Multi-factor Authentication through SMS PASSCODE

Follow these steps to enable Multi-factor Authentication through SMS PASSCODE:

  • Log on to the (primary) AD FS server.
  • Open the AD FS Management tool.
  • In the left navigation pane, select Authentication Policies.
  • In the right task pane, click on Edit Global Multi-factor Authentication… link.
  • Select the SMS PASSCODE Authentication as additional authentication method.
  • To enable authentication for all external authentication, also select Extranet. Alternatively, specify multi-factor authentication per Relying Party Trust (RPT).
  • Click OK.

There is no need to configure additional settings, when the centralized CensorNet SMS PASSCODE server is configured with the default authentication policy, to allow Any.

   

Concluding

Using the the Extensible Authentication Framework (EAF) in Active Directory Federation Services (AD FS) makes enabling multi-factor authentication a breeze.

0  

KnowledgeBase: The Windows Server 2019 Active Directory DFL and FFL do not exist

Windows Server 2019

There is no Windows Server 2019 Forest Functional Level (FFL) or Windows Server 2019 Domain Functional Level (DFL) in Microsoft Windows Server’s Active Directory Domain Services (AD DS).

 

Impact

The unavailability of the Windows Server 2019 Forest Functional Level (FFL) and Windows Server 2019 Domain Functional Level (DFL) has the following impact:

  • There are, apparently, no new features in Active Directory Domain Services in Windows Server 2019, that require a new Domain Functional Level.
  • There are, apparently, no new features in Active Directory Domain Services in Windows Server 2019, that require a new Forest Functional Level.
  • When upgrading or transitioning Active Directory from Windows Server 2016 to Windows Server 2019, the Domain Functional Level (DFL) and Forest Functional Level (FFL) do not have to be raised. This eliminates two steps of the process.
  • When upgrading or transitioning Active Directory from Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2 to Windows Server 2019, the Domain Functional Level (DFL) and Forest Functional Level (FFL) only need to be raised to Windows Server 2016.
  • There is no way to limit the ability for Active Directory admins (for domains in an Active Directory forest) to install Windows Server 2016-based Domain Controllers in an environment with Windows Server 2019-based Domain Controllers. However, since Windows Server 2012, there is a way to limit promotions of Domain Controllers altogether.

The unavailability of the Windows Server 2019 Forest Functional Level (FFL) and Windows Server 2019 Domain Functional Level (DFL), does not eliminate the step to update the Active Directory schema to version 88, using adprep.exe before Windows Server 2019-based Domain Controllers can be installed. However, since Windows Server 2012, this step may be part of the promotion process of the first Domain Controller.

 

About Active Directory Functional Levels

In previous versions of Active Directory, each Windows Server version was accompanied by a corresponding Forest Functional Level (FFL) and Domain Functional Level (DFL).

When upgrading Domain Controllers to newer versions of Windows Server or transitioning to Domain Controllers running newer versions of Windows Server, the functional levels would unlock new functionality on either the Active Directory forest or Active Directory domain level.

Raising functional levels

Only when all Domain Controllers for an Active Directory domain would run the newer version of Windows Server, could an Active Directory admin raise the Domain Functional Level (DFL) to the version corresponding with the version of Windows Server.

Only when all domains for an Active Directory forest would run the newer Domain Functional Level (DFL), could an Active Directory admin raise the Forest Functional Level (FFL) to the version corresponding with the version of the domains.

Lowering functional levels

Starting with the Windows Server 2008 levels, you can revert to lower Domain Functional Levels and Forest Functional Levels.

Note:
The lowest level to return to are the Windows Server 2008 Forest Functional Level (FFL) and the Windows Server 2008 Domain Functional Level (DFL).

Note:
Only when the Active Directory Forest Functional Level (FFL) is lowered to a lower version, can any Active Directory domains be lowered to a lower version of the Active Directory Domain Functional Level (DFL).

Note:
Only when the Active Directory Recycle Bin additional features is not implemented, can the Active Directory Forest Functional Level (FFL) be lowered from the Windows Server 2008 R2 to the Windows Server 2008 Forest Functional Level (FFL).

This paints the following picture:

DFLs&FFLs2019

Further reading

Preventing Domain Controller promotions, cloning and demotions
New features in AD DS in Windows Server 2012, Part 3: New Upgrade Process
How to Revert Back or Lower the Active Directory Forest and Domain Functional Levels
Forest and Domain Functional Levels

0  

What’s New in Azure Active Directory for December 2018

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for December 2018:

  

What’s New

Administrators can require users to accept a Terms of use on each device

Service category: Terms of Use
Product capability: Governance

Administrators can now turn on the Require users to consent on every device option to require their users to accept the Terms of use on every device they’re using on the Azure AD tenant.

  

Administrators can configure a Terms of use to expire based on a recurring schedule

Service category: Terms of Use
Product capability: Governance

Administrators can now turn on the Expire consents option to make a Terms of use expire for all users, based on the specified recurring schedule. The schedule can be annually, bi-annually, quarterly, or monthly. After the Terms of use expires, users must reaccept.

    

Administrators can configure a Terms of use to expire based on each user’s schedule

Service category: Terms of Use
Product capability: Governance

Administrators can now specify a duration that user must reaccept a Terms of use. For example, administrators can specify that users must reaccept a Terms of use every 90 days.

  

What’s Fixed

Users removed from synchronization scope no longer switch to cloud-only accounts

Service category: User Management
Product capability: Directory

The team has fixed a bug in which the DirSyncEnabled flag of a user would be erroneously switched to False when the Active Directory Domain Services (AD DS) object was excluded from synchronization scope and then moved to the Recycle Bin in Azure AD on the following sync cycle. As a result of this fix, if the user is excluded from sync scope and afterwards restored from Azure AD Recycle Bin, the user account remains as synchronized from on-premises AD, as expected, and cannot be managed in the cloud since its source of authority (SoA) remains on-premises AD.

Prior to this fix, there was an issue when the DirSyncEnabled flag was switched to False. It gave the wrong impression that these accounts were converted to cloud-only objects and that the accounts could be managed in the cloud. However, the accounts still retained their source of authority (SoA) as on-premises and all synchronized properties (shadow attributes) coming from on-premises AD. This condition caused multiple issues in Azure AD and other cloud workloads (like Exchange Online) that expected to treat these accounts as synchronized from AD but were now behaving like cloud-only accounts.

At this time, the only way to truly convert a synchronized-from-AD account to cloud-only account is by disabling DirSync at the tenant level, which triggers a backend operation to transfer the source of authority (SoA). This type of SoA change requires (but is not limited to) cleaning all the on-premises related attributes (such as LastDirSyncTime and shadow attributes) and sending a signal to other cloud workloads to have its respective object converted to a cloud-only account too.

  

What’s Changed

Updates to the audit and sign-in logs schema through Azure Monitor Breaking Change

Service category: Reporting
Product capability: Monitoring & Reporting

The team is currently publishing both the Audit and Sign-in log streams through Azure Monitor, so admins can seamlessly integrate the log files with Security Incident and Event Monitoring (SIEM) tools or with Log Analytics.

Based on feedback, and in preparation for this feature’s general availability (GA)announcement, the team is making changes to the schema. These schema changes and its related documentation updates will happen by the first week of January.

     

Identity Protection improvements to the supervised machine learning model and the risk score engine

Service category: Identity Protection
Product capability: Risk Scores

Improvements to the Identity Protection-related user and sign-in risk assessment engine can help to improve user risk accuracy and coverage. Administrators may notice that user risk level is no longer directly linked to the risk level of specific detections, and that there’s an increase in the number and level of risky sign-in events.

Risk detections are now evaluated by the supervised machine learning model, which calculates user risk by using additional features of the user’s sign-ins and a pattern of detections. Based on this model, administrators might find users with high risk scores, even if detections associated with that user are of low or medium risk. 

   

Administrators can reset their own password using the Microsoft Authenticator app (Public preview)

Service category: Self Service Password Reset
Product capability: User Authentication

Azure AD administrators can now reset their own password using the Microsoft Authenticator app notifications or a code from any mobile authenticator app or hardware token. To reset their own password, administrators will now be able to use two of the following methods:

  • Microsoft Authenticator app notification
  • Other mobile authenticator app / Hardware token code
  • Email
  • Phone call
  • Text message
0