Sizing Domain Controllers correctly on VMware vSphere

This entry is part 2 of 5 in the series Virtualizing Domain Controllers on vSphere

Virtualizing Domain Controllers

In the first part of this series, we discussed why we want to virtualize Domain Controllers. The first question people ask is:

How do I properly size Domain Controllers on my virtualization platform?

Specifically, for VMware vSphere, this is a good question, because there are a couple of areas of attention, beyond the recommended practices from Microsoft:

 

Microsoft recommended practices

For sizing Domain Controllers, Microsoft recommends that you:

  • Deploy at least two Domain Controllers per Active Directory domain.
  • Create exceptions for antimalware solutions for the folders containing Active Directory files.
  • Deploy the Local Administrator Password Solution (LAPS).
  • Do not install additional software or Server Roles on Domain Controllers.
  • Install Windows updates on Domain Controllers.
  • Keep information security measures on Domain Controllers, like antimalware, backup, restore, monitoring, auditing, bad password blocking and SIEM solutions, up to date.
  • Have a recovery plan available for Active Directory.

 

Areas of Attention

CPU

A good rule of thumb for the number of virtual Central Processing Units (vCPUs) is to size virtual Domain Controllers with 1 vCPU when the environment has 10,000 users or less. When the environment has more than 10,000 users, add another vCPU to the Domain Controllers.

When in doubt, start with 2 vCPUs in virtual Domain Controllers and add vCPUs as needed. The Domain Controller holding the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role will be the most burdened Domain Controller of all. It performs these additional tasks, when compared to all the other Domain Controllers in the Active Directory domain:

  • Password changes performed by other Domain Controllers in the Active Directory domain are replicated preferentially to the PDC emulator.
  • If a logon authentication fails at a given Domain Controller in an Active Directory domain due to a bad password, the Domain Controller will forward the authentication request to the PDC emulator to validate the request against the most current password. If the PDC reports an invalid password to the Domain Controller, the Domain Controller will send back a bad password failure message to the user.
  • Account lockout is processed on the PDC emulator.
  • The Domain Controller with the PDC emulator FSMO role, by default, functions as the authoritative source of time in the Active Directory domain.
  • The Domain Controller with the PDC emulator FSMO role fulfills the role of the PDC in the NetLogon Remote Protocol methods. Therefore, the Domain Controller with the PDC emulator FSMO role must support and perform all PDC-specific functionality specified in that protocol. Every other Domain Controller must not perform this functionality.

Tip!
In VMware vSphere-based VMs with more than one vCPU, make sure to look at the Networking section below, so that Receive Side Scaling is actually available and a single vCPU does not end up handling all network interrupts.

RAM

If you want highly-performing Domain Controllers, provide them with a sufficient amount of Random Access Memory (RAM) to be able to cache the Active Directory database (ntds.dit).

A good metric to monitor is the Database/Database Cache %Hit counter for the LSASS process on Domain Controllers. A low hit rate indicates that the Domain Controller would benefit from more RAM.

Storage

Microsoft recommends a 40GB system volume (C:\) for the Windows Operating System. However, Active Directory requires additional storage. You may or may not place these files on the system volume, depending on your view on dynamic files. Independent of this choice, you need to take into account the following storage needs for a Domain Controller:

Active Directory role: 250 MB
Active Directory database: 4 KB per object (excluding photos)
Active Directory logs: 22 MB
Active Directory System Volume (SYSVOL):
  • Any files you store in the SYSVOL share
  • 2 MB per Group Policy object
  • 20 MB for the Central Policy Store
  • 1 GB for the SYSVOL replication staging area

 

For a typical organization of 100,000 persons, this would lead to 5GB of additional storage requirements. Of course, when such an organization would decide to store user photos in Active Directory, storage requirements could potentially triple.

Networking

Ideally, configure virtual Domain Controllers with one virtual Network Interface Card (vNIC). Use VMXNET3 for best performance.

Additionally, upgrade the VMware Tools of existing virtual machines to version 10.2.5. The Windows Receive Side Scaling (RSS) feature is not functional on virtual machines running VMware Tools versions 9.10.0 up to 10.1.5. On virtual Domain Controllers with multiple vNICs, under heavy network load, this may cause a situation where CPU0 is overloaded, as depicted in the below screenshot:

CPU0 Overload

Since VMXNET3 driver version 1.7.3.8 (shipped as part of VMware Tools 10.2.5), the driver enables Receive Side Scaling (RSS) and the Receive Throttle setting by default, but only for new VMware Tools installations on new virtual machines. If you upgrade an existing VMware Tools installation, these settings remain as they are.

On existing virtual Domain Controllers, make sure to enable Receive Side Scaling (RSS) and set the Receive Throttle to 30, using the following line of Windows PowerShell on virtual Domain Controllers running VMware Tools 10.2.5, or up:

Enable-NetAdapterRss -Name "*"
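The following Windows PowerShell is an added example (not from the original post) that applies both networking settings described above to an existing virtual Domain Controller and then verifies them. It assumes an elevated session on a VM with VMware Tools 10.2.5 or later, and it assumes the VMXNET3 driver exposes the Receive Throttle setting as an advanced adapter property with the display name "Receive Throttle".

```powershell
# Added example: enable RSS and set Receive Throttle to 30 on every VMXNET3 adapter,
# then verify the result. Run in an elevated session on the virtual Domain Controller.
# Assumption: the driver exposes the setting under the display name 'Receive Throttle'.

# Quick sanity check on the VMware Tools version (default install path of vmtoolsd.exe).
$vmtoolsd = "$env:ProgramFiles\VMware\VMware Tools\vmtoolsd.exe"
if (Test-Path $vmtoolsd) {
    $ver = (Get-Item $vmtoolsd).VersionInfo.ProductVersion
    Write-Host "VMware Tools version: $ver (RSS fix requires 10.2.5 or later)"
} else {
    Write-Warning "vmtoolsd.exe not found at the default path; is VMware Tools installed?"
}

# Only touch VMXNET3 adapters; an E1000/E1000E vNIC would not have this problem.
$adapters = Get-NetAdapter -Physical | Where-Object { $_.InterfaceDescription -like 'vmxnet3*' }
if (-not $adapters) { throw 'No VMXNET3 adapters found on this VM.' }

foreach ($nic in $adapters) {
    # Record the state before the change, so the change can be rolled back if needed.
    $before = Get-NetAdapterRss -Name $nic.Name
    Write-Host ("{0}: RSS enabled before = {1}" -f $nic.Name, $before.Enabled)

    # Enable Receive Side Scaling on this adapter (per adapter instead of -Name "*").
    Enable-NetAdapterRss -Name $nic.Name

    # Set Receive Throttle to 30 through the advanced property sheet (assumed display name).
    $throttle = Get-NetAdapterAdvancedProperty -Name $nic.Name -DisplayName 'Receive Throttle' -ErrorAction SilentlyContinue
    if ($throttle) {
        Set-NetAdapterAdvancedProperty -Name $nic.Name -DisplayName 'Receive Throttle' -DisplayValue '30'
    } else {
        Write-Warning "$($nic.Name): 'Receive Throttle' is not exposed; driver older than 1.7.3.8?"
    }
}

# Verify: RSS should be enabled on all VMXNET3 adapters, with more than one receive queue,
# so that receive processing no longer lands on CPU0 alone.
Get-NetAdapterRss -Name $adapters.Name |
    Select-Object Name, Enabled, NumberOfReceiveQueues, MaxProcessors
Get-NetAdapterAdvancedProperty -Name $adapters.Name -DisplayName 'Receive Throttle' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayValue
```

Compare the output with the CPU0 load in Task Manager or Performance Monitor under network load; if receive work still lands only on CPU0, check the VMware Tools and driver versions first.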

 

Agents and add-ons

On top of the above requirements for the Active Directory role, make sure you provide sufficient resources for the typical agents and add-ons your organization would typically install on Domain Controllers, like antimalware, backup, restore, monitoring, auditing, bad password blocking and SIEM solutions.

 

In practice

Because of this last area of attention, we see organizations typically deploy virtual Domain Controllers with 1 vCPU, 4GB RAM, a 60GB system volume and 1 vNIC.

These dimensions are a far cry from the sizing we often encounter in organizations where, according to the design, all hardware form factors are blades and a physical Domain Controller was deemed necessary. The typical dimensions of these Domain Controller blades depend on the phase of the project in which their importance was understood. The largest Domain Controller we’ve come across was a blade with 2 CPUs, 24 cores, 512GB RAM and 2 300GB hard disks in RAID1.

 

Concluding

Sizing is often the first hurdle to cross when virtualizing Domain Controllers. Join me for the next parts, where we drill deeper into the integrity, confidentiality and availability of Domain Controllers.

Just out of curiosity, what was the largest physical Domain Controller you’ve ever come across in production?


Why virtualize Domain Controllers?

This entry is part 1 of 5 in the series Virtualizing Domain Controllers on vSphere

Virtualization

One of the questions I get asked a lot is:

Why virtualize Domain Controllers?

So, in this blogpost, I’m showing you reasons why virtualization for Domain Controllers and Active Directory is a good idea. I also know there are a lot of caveats when virtualizing Domain Controllers, so this blogpost serves as a small part of a bigger series on how to do it right.

Reasons to virtualize Domain Controllers fall in three buckets:

  • Virtualization is mainstream
  • Active Directory is virtualization-friendly
  • Physical Domain Controllers waste compute resources

Let’s look at these three areas and provide some real-world examples.

 

Virtualization is mainstream

You’ve probably heard of ‘cloud’. Whether it’s Private Cloud (hosted in your own datacenters or the datacenters of an organization you’ve outsourced it to) or Public Cloud (like Microsoft’s Azure and Amazon’s AWS), virtualization, coupled with self-service, is the cornerstone to making it happen. “Virtualize First” is the new normal.

Also, virtualization is no longer black magic. Virtualization platforms like VMware’s vSphere and Microsoft’s Hyper-V are well-documented. People who want to be proficient at managing virtualization have a wide range of training to follow and certificates to achieve. When you run into problems with any of the virtualization platforms, there are free support options available, like Stack Overflow and the vendor’s support forums, next to paid support options.

Since Windows Server 2012, virtualization for Active Directory is fully supported by Microsoft. VMware fully supports virtualizing Domain Controllers (as long as you follow their recommended practices).

You could ask yourself if Microsoft still tests Domain Controller functionality and updates on physical hardware. If this is the case and you’re running Domain Controllers on physical hardware, aren’t you putting your organization at risk?

Active Directory is virtualization-friendly

From its inception back in 1997, Active Directory has been virtualization-friendly.

It has never had high memory or I/O requirements. You can run Domain Controllers on machines with loathsome specifications. A single CPU, just a few GBs of RAM and some GBs of disk storage is all you need to even run a Windows Server 2019-based Domain Controller. When running Domain Controllers as Server Core installations, the requirements drop even further. This makes them ideal candidates to virtualize.

The distributed nature of the Active Directory database also adds to the virtualization-friendliness of Active Directory. Scale-out is the preferred method to increase Active Directory performance, not scale-up (except perhaps for the Domain Controller holding the PDC emulator FSMO role…). Just add small-sized VMs to the virtualization platform and Active Directory is again ready to go.

All Domain Controllers are created equal (although some, like the aforementioned PDC emulator, carry extra responsibilities) and replication offers a multi-master model. This makes Active Directory resilient; with the majority of Domain Controllers decimated during a disaster, it can still function. Also, purely based on the virtual disk of a Domain Controller, it can be restored on a compatible virtualization platform.

These modest system specs, its distributed nature and its graceful degradation are all characteristics of virtual machines that virtualization admins love to host for you.

Physical Domain Controllers waste compute resources

When looking for the cheapest rack server on Dell.com today, I stumbled upon the PowerEdge R240. It has a Celeron G4900 3.1GHz processor, 8GB RAM and a 1TB HDD for a mere $589. For $926 there is an Intel Xeon E2124-based, 16GB model available from HP Enterprise. These systems have one thing in common: the smallest disk you can buy in them measures 1TB. This disk size is overkill in any networking environment, except for Fortune 500 companies, as the Active Directory files don’t take up that much space (unless you’re storing user profile pictures in them, but even then it’s not a huge problem). Even the 8GB RAM of the cheapest Dell rack server you can get allows you to cache the Active Directory database for an organization with over 100,000 users.

Active Directory simply isn’t able to utilize the compute resources available on modern hardware. Running Domain Controllers on physical hardware equals wasting compute resources. Wasting compute resources means wasting money.

 

Concluding

Virtualize Domain Controllers.

Does that mean you can virtualize all your Domain Controllers? Does that mean you can be as coarse with virtual Domain Controllers as you can be with physical Domain Controllers? Does that mean virtual Domain Controllers are as secure as physical Domain Controllers? Join me for the answers on these questions in the next parts of this series.


What’s New in Azure Active Directory for June 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for June 2019:

                        

What’s New

New riskDetections API for Microsoft Graph Public preview

Service category: Identity Protection
Product capability: Identity Security & Protection

Microsoft is pleased to announce the new riskDetections API for Microsoft Graph is now in public preview. Administrators can use this new API to view a list of their organization’s Identity Protection-related user and sign-in risk detections. Admins can also use this API to more efficiently query risk detections, including details about the detection type, status, level, and more.

                   

New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In June 2019, Microsoft has added these 22 new apps with Federation support to the Azure AD App Gallery:

  1. Azure AD SAML Toolkit
  2. Otsuka Shokai (大塚商会)
  3. ANAQUA
  4. Azure VPN Client
  5. ExpenseIn
  6. Helper Helper
  7. Costpoint
  8. GlobalOne
  9. Mercedes-Benz In-Car Office
  10. Skore
  11. Oracle Cloud Infrastructure Console
  12. CyberArk SAML Authentication
  13. Scrible Edu
  14. PandaDoc
  15. Perceptyx
  16. Proptimise OS
  17. Vtiger CRM (SAML)
  18. Oracle Access Manager for Oracle Retail Merchandising
  19. Oracle Access Manager for Oracle E-Business Suite
  20. Oracle IDCS for E-Business Suite
  21. Oracle IDCS for PeopleSoft
  22. Oracle IDCS for JD Edwards

                   

Automate user account provisioning for these SaaS apps

Service category: Enterprise Apps
Product capability: Monitoring & Reporting

Azure AD admins can now automate creating, updating, and deleting user accounts for these newly-integrated apps:

                           

What’s Changed

View the real-time progress of the Azure AD provisioning service

Service category: App Provisioning
Product capability: Identity Lifecycle Management

Microsoft has updated the Azure AD provisioning experience to include a new progress bar that shows admins how far they are in the user provisioning process. This updated experience also provides information about the number of users provisioned during the current cycle, as well as how many users have been provisioned to date.

                           

Company branding now appears on sign out and error screens

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft has updated Azure AD so that company branding now appears on the sign out and error screens, as well as the sign-in page. Administrators don’t have to do anything to turn this feature on; Azure AD simply uses the assets that have already been set up in the Company branding area of the Azure portal.

                                

What’s Deprecated

Azure Multi-Factor Authentication (MFA) Server is no longer available for new deployments

Service category: MFA
Product capability: Identity Security & Protection

As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New organizations who want to require multi-factor authentication must now use cloud-based Azure Multi-Factor Authentication. Organizations who activated MFA Server prior to July 1 won’t see a change; Admins will still be able to download the latest version, get future updates, and generate activation credentials.


HOWTO: Disable Unnecessary Services and Scheduled Tasks on AD FS Servers

This entry is part 2 of 7 in the series Hardening Hybrid Identity

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll harden the AD FS Server installations, by disabling unnecessary services running on it. This way, we lower their attack surfaces.

Note:
This blogpost assumes you’re running AD FS Servers as domain-joined Windows Server 2016 Server Core installations. However, as management of AD FS on Server Core installations is PowerShell-only, we also include information for AD FS Servers running Windows Server 2016 with Desktop Experience (Full).

 

Why harden AD FS Servers

Hardening provides additional layers to defense in depth approaches. It changes the default behavior of products and services to make them more resilient to unauthorized changes and compromise.

Reasons why

Active Directory Federation Services (AD FS) servers are typically placed on the internal network, close to Active Directory Domain Controllers. They offer security translation, and as such can be abused to create claim tokens that misrepresent information towards cloud applications. In the end, the private key for the service communications certificate is trusted by all relying parties. The private keys for the token encryption and token signing certificates provide additional levels of trust, depending on the configuration. Needless to say, you deleted any *.pfx files you used to import these certificates from the hard disk, right?

Possible negative impact (What could go wrong?)

When AD FS servers are improperly hardened, the functionality of the AD FS farm stops and/or monitoring of the AD FS servers stops. This functionality can be easily assessed. However, in situations with load balancers and having hardened some of the AD FS servers, it may be tricky to get results from the right AD FS server.

 

Getting Ready

To disable unnecessary services on AD FS servers, make sure to meet the following requirements:

System requirements

Make sure the AD FS servers are installed with the latest cumulative Windows Updates.

Privilege requirements

Make sure to sign in with an account that has privileges to create and/or change and link Group Policy objects to the Organizational Unit (OU) in which the AD FS servers reside.

Who to communicate to

As the AD FS servers operate as part of a chain, notify all stakeholders in the chain. This means sending a heads-up to the load balancer guys and gals, the networking guys and gals, the rest of the Active Directory team and the teams that are responsible for Azure AD, Office 365 and cloud applications. It’s also a good idea to talk to the people responsible for backups, restores and disaster recovery.

One of the challenges you can easily avoid through communications is that multiple persons and/or teams make changes to the configuration. When it breaks, you don’t want to roll-back a bunch of changes, just the one that broke it. Make sure you have the proper freeze/unfreeze moments to achieve that.

 

Unnecessary services

By default

The following Windows services are disabled, by default, on Server Core installations of Windows Server 2016:

  • Computer Browser (browser)
  • Net.Tcp Port Sharing Service (NetTcpPortSharing)
  • Routing and Remote Access (RemoteAccess)
  • Smart Card (SCardSvr)

The following Windows services are disabled, by default, on Windows Server with Desktop Experience installations of Windows Server 2016:

  • Auto Time Zone Update (tzautoupdate)
  • Microsoft App-V Client (AppVClient)
  • Offline files (cscService)
  • User Experience Virtualization Service (UevAgentService)
  • Windows Search (WSearch)

These services do not require any further attention.

Additional services

The following Windows services are enabled and have Manual or Automatic startup types on installations of Windows Server 2016 with the Desktop Experience (Full Installations). These can be disabled:

  • ActiveX Installer (AxInstSV) (AxInstSV)
  • Bluetooth Support Service (bthserv)
  • CDPUserSvc (CDPUserSvc)
  • Contact Data (PimIndexMaintenancesvc)
  • dmwappushsvc (dmwappushsvc)
  • Downloaded Maps Manager (MapsBroker)
  • Geolocation Service (lfsvc)
  • Internet Connection Sharing (ICS) (SharedAccess)
  • Link-Layer Topology Discovery Mapper (lltdsvc)
  • Microsoft Account Sign-in Assistant (wlidsvc)
  • Microsoft Passport (NgcSvc)
  • Microsoft Passport Container (NgcCtnrSvc)
  • Network Connection Broker (NcbService)
  • Phone Service (PhoneSvc)
  • Print Spooler (Spooler)
  • Printer Extensions and Notifications (PrintNotify)
  • Program Compatibility Assistant Service (PcaSvc)
  • Quality Windows Audio Video Experience (QWAVE)
  • Radio Management Service (RmSvc)
  • Sensor Data Service (SensorDataService)
  • Sensor Monitoring Service (SensrSvc)
  • Sensor Service (SensorService)
  • Shell Hardware Detection (ShellHWDetection)
  • Smart Card Device Enumeration Service (ScDeviceEnum)
  • SSDP Discovery (SSDPSRV)
  • Still Image Acquisition Events (WiaRpc)
  • Sync Host (OneSyncSvc)
  • Touch Keyboard and Handwriting Panel (TabletInputService)
  • UPnP Device Host (upnphost)
  • User Data Access (UserDataSvc)
  • User Data Storage (UnistoreSvc)
  • WalletService (WalletService)
  • Windows Audio (Audiosrv)
  • Windows Audio Endpoint Builder (AudioEndpointBuilder)
  • Windows Camera Frame Server (FrameServer)
  • Windows Image Acquisition (WIA) (stisvc)
  • Windows Insider Service (wisvc)
  • Windows Mobile Hotspot Service (icssvc)
  • Windows Push Notifications System Service (WpnService)
  • Windows Push Notifications User Service (WpnUserService)
  • Xbox Live Auth Manager (XblAuthManager)
  • Xbox Live Game Save (XblGameSave)

Most of the above services do not exist on Server Core installations, and can be ignored on these installations.

 

Unnecessary tasks

On Windows Server installations with Desktop Experience, two scheduled tasks exist that can be removed without consequences on AD FS Servers:

  1. \Microsoft\XblGameSave\XblGameSaveTask
  2. \Microsoft\XblGameSave\XblGameSaveTaskLogon

 

How to disable unnecessary services

As the AD FS Servers are part of Active Directory Domain Services, the best way to disable the unnecessary Windows Services is through Group Policy.

Follow these steps:

  1. Sign in with an account that is a member of the Domain Admins group, or with an account that is delegated to create and link Group Policy objects (GPOs) to Organizational Units (OUs).
  2. Open the Group Policy Management console (gpmc.msc).
  3. In the left navigation pane, navigate to the Organizational Unit (OU) where the AD FS Servers reside.
  4. Right-click the OU and select Create a GPO in this domain, and Link it here….
  5. In the New GPO pop-up, provide a name for the Group Policy Object, corresponding to the naming convention for Group Policy objects in the environment.
  6. Click OK
  7. Back in navigation pane of the Group Policy Management console, expand the OU and click on the Group Policy object link.
  8. Click OK in the Group Policy Management Console pop-up, explaining You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other location where this GPO is linked.
  9. Right-click the Group Policy object and select Edit… from the context menu.
    The Group Policy Management Editor window appears.
  10. In the left navigation pane, under Computer Configuration, expand the Policies node.
  11. Expand the Windows Settings node.
  12. Expand the Security Settings node.
  13. Select System Services.
  14. In the main pane, for each service in the above list, double-click the service, and then select the Define this policy setting option and select the Disabled service startup mode.
  15. When done, close the Group Policy Management Editor window.
  16. Close the Group Policy Management Console window.
  17. Sign out.

 

How to remove scheduled tasks

As the AD FS Servers are part of Active Directory Domain Services, the best way to remove the unnecessary scheduled tasks is through Group Policy Preferences.

Note:
Do not place Group Policy settings and Group Policy preferences in the same Group Policy object, as this will result in synchronous processing behavior and slowness during startups of the AD FS Servers.

Follow these steps:

  1. Sign in with an account that is a member of the Domain Admins group, or with an account that is delegated to create and link Group Policy objects (GPOs) to Organizational Units (OUs).
  2. Open the Group Policy Management console (gpmc.msc).
  3. In the left navigation pane, navigate to the Organizational Unit (OU) where the AD FS Servers reside.
  4. Right-click the OU and select Create a GPO in this domain, and Link it here….
  5. In the New GPO pop-up, provide a name for the Group Policy Object, corresponding to the naming convention for Group Policy objects in the environment.
  6. Click OK.
  7. Back in the navigation pane of the Group Policy Management console, expand the OU and click on the Group Policy object link.
  8. Click OK in the Group Policy Management Console pop-up, explaining You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other location where this GPO is linked.
  9. Right-click the Group Policy object and select Edit… from the context menu.
    The Group Policy Management Editor window appears.
  10. In the left navigation pane, under Computer Configuration, expand the Preferences node.
  11. Expand the Control Panel Settings node.
  12. Expand the Scheduled Tasks node.
  13. In the main pane, right-click on Scheduled Tasks and select New and then Scheduled Task from the context menu.
  14. In the New Task Properties window, select Delete as the action and provide the name of the scheduled task, exactly as provided above.
  15. Click OK.
  16. Repeat steps 13-15 for the second task.
  17. When done, close the Group Policy Management Editor window.
  18. Close the Group Policy Management Console window.
  19. Sign out.

 

Testing proper hardening

After hardening it’s time to test the hardening. Everyone should sign off (not literally, unless that’s procedure) on the correct working of the AD FS servers. Does authentication to cloud applications still work? Does rolling over the certificate still work? Does monitoring still work? Can we still make back-ups? Can we still restore the backups we make?

Typically, hardening is rolled out to one AD FS server. When testing the hardening of the functionality behind the load balancer, make sure that the load balancer points you to the hardened system, not another one.
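Before signing off, it helps to check on the hardened AD FS server itself that the Group Policy settings actually landed. The following Windows PowerShell is an added example (not from the original post) that audits the server against the service list and the two scheduled tasks above; it assumes an elevated session on the AD FS server, works on Server Core, and reports services that do not exist on the installation as absent rather than as findings.

```powershell
# Added example: audit an AD FS server against the services and scheduled tasks listed above.
# Run in an elevated session on the hardened AD FS server after a gpupdate /force.

# Short service names from the 'Additional services' list (Desktop Experience installations).
$servicesToDisable = @(
    'AxInstSV','bthserv','CDPUserSvc','PimIndexMaintenancesvc','dmwappushsvc','MapsBroker',
    'lfsvc','SharedAccess','lltdsvc','wlidsvc','NgcSvc','NgcCtnrSvc','NcbService','PhoneSvc',
    'Spooler','PrintNotify','PcaSvc','QWAVE','RmSvc','SensorDataService','SensrSvc','SensorService',
    'ShellHWDetection','ScDeviceEnum','SSDPSRV','WiaRpc','OneSyncSvc','TabletInputService',
    'upnphost','UserDataSvc','UnistoreSvc','WalletService','Audiosrv','AudioEndpointBuilder',
    'FrameServer','stisvc','wisvc','icssvc','WpnService','WpnUserService','XblAuthManager','XblGameSave'
)
# The two scheduled tasks, both under \Microsoft\XblGameSave\.
$tasksToRemove = @('XblGameSaveTask','XblGameSaveTaskLogon')

function Test-AdfsServiceHardening {
    # Win32_Service.StartMode reports Auto / Manual / Disabled independent of the PowerShell version.
    $all = Get-CimInstance -ClassName Win32_Service
    foreach ($name in $servicesToDisable) {
        # Per-user services (CDPUserSvc, OneSyncSvc, ...) appear with a session suffix, e.g. CDPUserSvc_1a2b3.
        $found = $all | Where-Object { $_.Name -eq $name -or $_.Name -like "${name}_*" }
        if (-not $found) {
            # Typical on Server Core: the service does not exist, so there is nothing to disable.
            [pscustomobject]@{ Service = $name; StartMode = 'absent'; Compliant = $true }
            continue
        }
        foreach ($svc in $found) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                Compliant = ($svc.StartMode -eq 'Disabled')
            }
        }
    }
}

function Test-AdfsTaskHardening {
    foreach ($task in $tasksToRemove) {
        $present = Get-ScheduledTask -TaskPath '\Microsoft\XblGameSave\' -TaskName $task -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Task      = "\Microsoft\XblGameSave\$task"
            Present   = [bool]$present
            Compliant = (-not $present)
        }
    }
}

$serviceResults = Test-AdfsServiceHardening
$taskResults    = Test-AdfsTaskHardening

# Show only what still needs attention; no rows means the GPOs applied as intended.
Write-Host 'Services not yet disabled:'
$serviceResults | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Write-Host 'Scheduled tasks still present:'
$taskResults | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# Confirm the settings came from the intended GPOs rather than from a manual change.
gpresult /scope computer /r | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10
```

Run the same script on an AD FS server that has not yet received the GPO to confirm the audit flags the differences, and keep its output as the before/after evidence for the sign-off.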

Rolling back hardening

To roll back hardening of the services and removal of the scheduled tasks, disable the Group Policy object(s) or remove the link between the Group Policy object(s) and the Organizational Unit (OU) where the AD FS servers reside.

 

Concluding

Disable unnecessary services on all AD FS Servers throughout the Hybrid Identity implementation using Group Policy.


Experiences with Being Published, Part 6: A Matter of Style

This entry is part 6 of 6 in the series Experiences with Being Published

EditingPie

As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…

Today, let’s talk about how a diverse team, consisting of people from multiple cultures added value f*cked sh*t up.

 

The last mile is the longest one

Once I was done writing the chapters, I learned that all I still needed to do was to copy all the command lines and PowerShell scripts from the book into separate files on GitHub, write the hardware and software list (listing all the hardware and software used for all the recipes) and write the Preface.

This last item proved to be the hardest, even though I only needed to describe the purpose and scope of the book…

 

A matter of style…

One of the content editors has been bugging me throughout the process with her unneeded and frustrating edits. It started with ‘correcting’ the ActiveDirectory PowerShell module name in the Import-Module command by adding a space, and continued throughout the book with other corrections, where she would edit “The … screen appears.” into “The … screen will appear.” like we were working with some really slow domain controllers, and ‘Click Next >’ into ‘Click on Next >’.

With the help of the technical editor, all these corrections were corrected back, except one.

 

The one that got away

As I was writing the Preface to the book, it was my job to describe the contents for each chapter. For chapter 3, I wrote:

Chapter 3, Managing Active Directory Roles and Features, covers FSMO roles and global catalog servers for addressing all your organization’s multi-forest and multi-domain needs.

Deliberately, I chose not to explain the FSMO acronym. I felt that when people wanted to know what it meant, they would look it up in the chapter anyway.

In the version of the book a week before publishing, the Preface was edited. The above piece of text now read:

Chapter 3, Managing Active Directory Roles and Features, covers Flexible Single Operations Master (FSMO) roles and global catalog servers for addressing all your organization’s multi-forest and multi-domain needs.

That’s right. The editor thought it was wise to introduce the acronym in the Preface. As a matter of style, all introductions for acronyms are noted as bold text.

In the final book, however, this particular sentence reads:

Chapter 3, Managing Active Directory Roles and Features, covers Flexible Single Operations Master (FSOM) roles and global catalog servers for addressing all your organization’s multi-forest and multi-domain needs.

That’s right. A completely new acronym is introduced for Active Directory, because someone didn’t pay attention to write it down perfectly, and then edited it some more to make it look really ridiculous. As it is the only acronym introduced on the page, and therefore the only bold text, it stands out like a sore thumb.

 

Just don’t

When you know nothing about Active Directory and its acronyms, please keep as far away as possible from editing a book on it. Just don’t.

 

Picture by Fellowship of the Rich, under CC BY-NC-ND 2.0 license. Edited in size

 


Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.


HOWTO: Disable Unnecessary Services on Web Application Proxies

This entry is part 1 of 7 in the series Hardening Hybrid Identity

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

Let’s harden the Web Application Proxy installations by disabling unnecessary services running on them. This way, we lower their attack surfaces even further.

Note:
This blogpost assumes you’re running Web Application Proxies as non-domain-joined Server Core Windows Server 2016 installations. If your Web Application Proxies are domain-joined, use Group Policy to disable unnecessary services instead of PowerShell.

 

Why harden Web Application Proxies

Hardening adds layers to a defense-in-depth approach. It changes the default behavior of products and services to make them more resilient to unauthorized changes and compromise.

Reasons why

One of the requirements for using Active Directory Federation Services (AD FS) with Azure AD is to publish AD FS to the Internet. Web Application Proxies are mainly implemented for this purpose. In this role, they are typically placed on perimeter networks and not domain-joined. As Internet-facing systems, they are exposed to attacks.

Possible negative impact (What could go wrong?)

When Web Application Proxies are hardened improperly, they may lose connectivity to the rest of the AD FS farm and/or monitoring of the Web Application Proxies may stop. Both are easy to test. However, behind a load balancer, when only some of the Web Application Proxies have been hardened, it may be tricky to make sure the test results come from the right Web Application Proxy.

 

Getting Ready

To disable unnecessary services on Web Application Proxies, make sure to meet the following requirements:

System requirements

Make sure the Web Application Proxies are installed with the latest cumulative Windows Updates.

Privilege requirements

Make sure to sign in with an account that has local administrator privileges on each of the Web Application Proxies. Your Web Application Proxies all have different local administrator passwords, right?

Who to communicate to

As the Web Application Proxies are part of a larger process, notify all stakeholders in that process. This means sending a heads-up to the load balancer guys and gals, the networking guys and gals, the rest of the Active Directory team and the teams that are responsible for Azure AD, Office 365 and cloud applications. It’s also a good idea to talk to the people responsible for backups, restores and disaster recovery.

One of the challenges you can easily avoid through communication is that multiple persons and/or teams make changes to the configuration at the same time. When it breaks, you don’t want to roll back a bunch of changes, just the one that broke it. Make sure you have the proper freeze/unfreeze moments to achieve that.

 

Unnecessary services

Services that are of no use to Web Application Proxies can be disabled.

By default

The following Windows services are disabled, by default, on Server Core installations of Windows Server 2016:

  • Computer Browser (browser)
  • Net.Tcp Port Sharing Service (NetTcpPortSharing)
  • Routing and Remote Access (RemoteAccess)
  • Smart Card (SCardSvr)

These services do not require any further attention.

Additional services

The following Windows services are enabled and have Manual or Automatic startup types on Server Core installations of Windows Server 2016. These can be disabled:

  • Internet Connection Sharing (ICS) (SharedAccess)
  • Link-Layer Topology Discovery Mapper (lltdsvc)
  • Print Spooler (Spooler)
  • Printer Extensions and Notifications (PrintNotify)
  • Smart Card Device Enumeration Service (ScDeviceEnum)
  • Windows Insider Service (wisvc)

 

How to disable unnecessary services

To disable the above services, run the following Windows PowerShell script, when logged on with an account that has local administrative privileges on the Web Application Proxy:

Set-Service SharedAccess -StartupType Disabled
Stop-Service SharedAccess
Set-Service lltdsvc -StartupType Disabled
Stop-Service lltdsvc
Set-Service Spooler -StartupType Disabled
Stop-Service Spooler
Set-Service PrintNotify -StartupType Disabled
Stop-Service PrintNotify
Set-Service ScDeviceEnum -StartupType Disabled
Stop-Service ScDeviceEnum
Set-Service wisvc -StartupType Disabled
Stop-Service wisvc

Testing proper hardening

After hardening, it’s time to test. Everyone should sign off (not literally, unless that’s procedure) on the correct working of the Web Application Proxies. Does authentication to cloud applications still work? Does rolling over the certificate still work? Does monitoring still work? Can we still make backups? Can we still restore the backups we make?

Typically, hardening is rolled out to one Web Application Proxy. When testing the hardening of the functionality behind the load balancer, make sure that the load balancer points you to the hardened system, not another one.

Re-enable services

If hardening breaks functionality, re-enable the above services to their previous state. Run the following Windows PowerShell script, when logged on with an account that has local administrative privileges on the Web Application Proxy:

Set-Service SharedAccess -StartupType Manual
Set-Service lltdsvc -StartupType Manual
Set-Service Spooler -StartupType Automatic
Start-Service Spooler
Set-Service PrintNotify -StartupType Manual
Set-Service ScDeviceEnum -StartupType Manual
Set-Service wisvc -StartupType Manual
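The disable, test and re-enable steps above, as an added example script that is not the post’s own: it records each service’s current startup type and status to a file before touching it, so the rollback restores exactly what was there instead of guessing Manual or Automatic, and it reports which services are actually Disabled and Stopped afterwards. The JSON path under ProgramData is an assumed location; the service names are the ones listed in the post.

```powershell
# Added example (not the original post's script): capture the current startup type and
# status of the listed services so they can be restored exactly, then disable and stop
# them, then verify. The JSON path under ProgramData is an assumed location.
$Services  = 'SharedAccess','lltdsvc','Spooler','PrintNotify','ScDeviceEnum','wisvc'
$StatePath = Join-Path $env:ProgramData 'WapHardening\services-before.json'

function Save-ServiceState {
    param([string[]]$Name, [string]$Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $state = foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Warning "Service '$n' not present, skipping"; continue }
        [pscustomobject]@{ Name = $n; StartType = [string]$svc.StartType; Status = [string]$svc.Status }
    }
    $state | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    return $state
}

function Disable-UnnecessaryService {
    param([string[]]$Name)
    foreach ($n in $Name) {
        if (-not (Get-Service -Name $n -ErrorAction SilentlyContinue)) { continue }
        Set-Service -Name $n -StartupType Disabled
        # -Force also stops any service that depends on this one
        Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
    }
}

function Test-ServiceHardening {
    # One row per service; Hardened is true only when it is both Disabled and Stopped
    param([string[]]$Name)
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        [pscustomobject]@{
            Name      = $n
            StartType = $svc.StartType
            Status    = $svc.Status
            Hardened  = ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped')
        }
    }
}

function Restore-ServiceState {
    # Roll back to the saved state if the hardening breaks functionality
    param([string]$Path)
    foreach ($s in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        Set-Service -Name $s.Name -StartupType $s.StartType
        if ($s.Status -eq 'Running') { Start-Service -Name $s.Name }
    }
}

Save-ServiceState -Name $Services -Path $StatePath | Out-Null
Disable-UnnecessaryService -Name $Services
Test-ServiceHardening -Name $Services | Format-Table -AutoSize
```

Run it in an elevated Windows PowerShell session on the Web Application Proxy; to roll back, run `Restore-ServiceState -Path $StatePath` on the same host.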

 

Concluding

Disable unnecessary services on all Web Application Proxies throughout the Hybrid Identity implementation using the Windows PowerShell script above.


I’m a 2019-2020 Microsoft MVP

Today, I received a localized e-mail from the Microsoft Most Valuable Professional (MVP) Award team:

In Dutch, it reads:

Dear Sander Berkouwer,

Once again, we are pleased to present you with the 2019-2020 Microsoft Most Valuable Professional (MVP) Award in recognition of your exceptional leadership in technical communities. We appreciate your outstanding contributions in the following technical communities over the past year:

  • Enterprise Mobility

Your MVP Award gift package is on its way. You will receive a shipping notification within five business days. To access all Award benefits, complete the MVP activation steps below.

This roughly translates to the messages I have been receiving from 2009 till 2016 on January 1st of these years and from July 1st, 2017 onward; I’m still worthy of the MVP badge.

It’s an honor to be part of this wonderful group of people helping others and closing the feedback circle with Microsoft, especially for the situations in which people use Microsoft products in ways Microsoft has never imagined.

Thank you!


Join us for the KNVI "Active Directory, What’s Cooking?" Event

Hitland

On June 20, 2019, we officially launched the Packt Active Directory Administration Cookbook in the Netherlands. I signed a ton of books.

After that fun event I was approached by the Royal Dutch Association of Information and IT Professionals (KNVI). They were interested in the book as well. As the book applies to a fairly large number of their members, we agreed upon a second event: “Active Directory, What’s Cooking?”.

        

About KNVI

The Dutch Professional Association of Information and IT Professionals (KNVI) is an independent platform for sharing professional knowledge and expanding the personal networks of ICT Pros, information professionals, students and employers who want to keep their employees up to date.

KNVI organizes multiple meetings per month, publishes AG Connect both online and in print, and offers discounts to its members.

KNVI is a merged organization of several professional associations, including the Dutch Networking User Group (Ngi-NGN) and the Dutch Association for Documentary Information and Organization Administration (SOD).

     

About KNVI “Active Directory, What’s Cooking?”

On July 9, 2019, KNVI organizes the “Active Directory, What’s Cooking?” event for its members at the Hitland Golf Club in Nieuwerkerk aan den IJssel.

Having fun with Erwin, back in 2018

Starting at 6PM, we are going to enjoy a BBQ. Then, at 8 PM, Erwin Derksen and I will share our experiences with Active Directory and Azure AD.

Part of my experiences is in the Active Directory Administration Cookbook. I will tell a bit about how the book fits in my ambition and strategy for “Better Active Directory admins and environments without breaking the bank”.

Members of KNVI will be able to purchase the Packt Active Directory Administration Cookbook with 40% discount, spending only € 32 instead of the normal Dutch price of € 52 for the book.

      

Join KNVI and the event!

It’s not too late to join KNVI Dutch.
This is a prerequisite to being able to attend the KNVI “Active Directory, What’s Cooking?” event.

Subscriptions to KNVI for students are a mere EUR 30 per year. Subscriptions for individuals start at EUR 99,00 per year for members aged 27 and below, for retirees and for unemployed people. Other individual subscriptions set you back EUR 165 per year. Organizational subscriptions are available upon request.

I’m sure you can do the math on how many books you need to buy to break even.


Experiences with Being Published, Part 5: Quality Assurance

This entry is part 5 of 6 in the series Experiences with Being Published

Quality

As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…

As I mentioned previously, the process allows for checks and balances. There are stakeholders; people with roles.

 

My process

I must admit, I had a rough start writing my book. I decided to write a book about Windows Server 2019 and deliver my first chapter on October 15th. I expected Microsoft to release Windows Server 2019 at its Ignite 2018 event, and I figured I could start running Windows Server 2019-based virtual machines in Microsoft Azure Infrastructure as a Service (IaaS) on October 1st, 2018.

I was wrong… Microsoft released Windows Server 2019, but due to quality issues, didn’t release Windows Server 2019 until a whole month later. There was no way to test my command lines and PowerShell scripts. I was basically writing in the dark.

Luckily I didn’t write about Hyper-V Server 2019, as this product was only released last week, after being delayed for over six months.

 

About the technical reviews

Luckily, I knew I could rely on the process.

My technical reviewer (TR) would trace all my steps and note any inconsistencies in the texts, steps and commands. Then, a technical person from my publisher would do the same thing and come up with any items the two of us might have missed.

 

Official confirmations

Two days before the last deadline, I received a message from my publisher:

I need to discuss the codes in the chapters.

 

Can you please give a confirmation that they are working fine… We know that the TR has made suggestions for the codes and you have implemented it, but we need some sort of official confirmation… Unfortunately, the TR did not seem to add this in the questionnaire.

 

We did not find anything erroneous as such at our end… Also, the TR did not flag anything. It’s just that, as a protocol, we have to check it with you as well. Do not worry… the quality of the book is not hampered.

 

I was wrong…

I decided to check the scripts. I had performed most actions in the Active Directory Administrative Center, and copied the PowerShell commands from there, most of the time.

This is when I found out, no-one checked the command lines and PowerShell scripts in the book.

My technical reviewer even suggested some edits for readability that actually broke the lines of PowerShell involved. My publisher couldn’t perform technical reviews, because of some missing technology capabilities on their end.

I went through all the commands and scripts and edited them at break-neck speed. There were 17 commands that needed corrections. Corrections a technical reviewer could have easily picked up on, but apparently didn’t.

 

But … the quality of the book is not hampered. No.

 

Picture by Louise McLaren, under CC BY 2.0 license. Adjusted in size.

 


 


Knowledgebase: Azure AD Connect’s Seamless SSO breaks when you disable RC4_HMAC_MD5

Cryptography and Information Security

It’s a recommended practice to disable weak ciphers and encryption algorithms. Some standards require this. As technology evolves, the list of available ciphers and their priority in encryption negotiations changes. This limits the risk of losing confidentiality on communications between systems, applications and (cloud) services.

While you’ve probably heard of disabling 3DES and all versions of SSL, one other recommendation rears its ugly head: disable RC4_HMAC_MD5.

 

About RC4_HMAC_MD5

RC4_HMAC_MD5 denotes Ron Rivest’s Cipher 4 (RC4) stream cipher combined with a Hashed Message Authentication Code (HMAC) that uses the Message-Digest algorithm 5 (MD5) hash function.

When Microsoft released Windows 2000 Server and Active Directory, it kept backward compatibility with Windows NT and Windows 95. This meant supporting these down-level clients and enabling them to communicate using Kerberos. The easy way to do this was to use the NTLM password hash as the RC4 key with which Kerberos tickets are encrypted and signed. Because of this, RC4_HMAC_MD5 takes center stage in several Kerberos attacks, including Kerberoasting.

 

How to disable RC4_HMAC_MD5 in Active Directory

Follow these steps to disable RC4_HMAC_MD5 in Active Directory:

  1. Sign in with an account that is a member of the Domain Admins group of the Active Directory domain for which you want to disable RC4_HMAC_MD5.
  2. Open the Group Policy Management Console (gpmc.msc).
  3. In the left navigation pane, browse to the Default Domain Controllers Group Policy object.
  4. Right-click the object and select Edit… from the context menu.
  5. Navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies and then Security Options.
  6. Select the Network Security: Configure encryption types allowed for Kerberos group policy setting.
  7. Double-click the setting to edit it.
  8. Select the Define these policy settings option.
  9. In the list of available encryption types, deselect RC4_HMAC_MD5.
  10. Close the Group Policy setting.
  11. Close the Group Policy Management Console.

 

Impact

There is a situation where the above security measure impacts functionality: when you disable RC4_HMAC_MD5, Azure AD Connect will no longer be able to offer Seamless Single Sign-On (S3O).

This is made clear in the Troubleshoot Azure Active Directory Seamless Single Sign-on page. If you want Azure AD Connect’s Seamless Single Sign-on functionality to work, RC4_HMAC_MD5 will need to be available.
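To see how the Group Policy setting above and its impact on Seamless SSO relate, the following added example (not from the original post) decodes the bitmask behind the Network Security: Configure encryption types allowed for Kerberos setting, which lands in the SupportedEncryptionTypes registry value under the Kerberos policy key, and reports whether RC4_HMAC_MD5 is still allowed on the host it runs on. The bit values are the standard Kerberos encryption-type flags; the registry path is the policy location that setting writes to.

```powershell
# Added example, not from the original post. Decodes the bitmask behind the
# "Network security: Configure encryption types allowed for Kerberos" policy
# (registry value SupportedEncryptionTypes) and reports whether RC4_HMAC_MD5 is
# still allowed on this host. Bit values are the standard Kerberos etype flags.
$KerberosPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$EncTypeBits = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
    FUTURE_ENCRYPTION_TYPES = 0x80000000
}

function ConvertFrom-KerberosEncTypes {
    # Expand a SupportedEncryptionTypes value into one row per encryption type
    param([uint32]$Value)
    foreach ($name in $EncTypeBits.Keys) {
        [pscustomobject]@{
            EncryptionType = $name
            Allowed        = (($Value -band [uint32]$EncTypeBits[$name]) -ne 0)
        }
    }
}

function Get-KerberosEncTypePolicy {
    $item = Get-ItemProperty -Path $KerberosPolicyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Policy not defined: the Windows default applies, and that default still allows RC4_HMAC_MD5
        return [pscustomobject]@{ Defined = $false; Value = $null; Rc4Allowed = $true; Types = @() }
    }
    # Registry DWORDs surface as signed Int32; mask so a set 0x80000000 bit does not read as negative
    $value = [uint32]($item.SupportedEncryptionTypes -band 0xFFFFFFFF)
    [pscustomobject]@{
        Defined    = $true
        Value      = ('0x{0:X}' -f $value)
        Rc4Allowed = (($value -band 0x4) -ne 0)
        Types      = @(ConvertFrom-KerberosEncTypes -Value $value)
    }
}

$policy = Get-KerberosEncTypePolicy
$policy | Select-Object Defined, Value, Rc4Allowed | Format-List
$policy.Types | Format-Table -AutoSize
if ($policy.Rc4Allowed) {
    Write-Output 'RC4_HMAC_MD5 is allowed: Seamless SSO keeps working, but RC4 stays available to Kerberos.'
} else {
    Write-Output 'RC4_HMAC_MD5 is disabled: Azure AD Connect Seamless SSO will break until it is allowed again.'
}
```

Run it on a Domain Controller after the Group Policy has refreshed to confirm the setting actually took effect there before judging the impact on Seamless SSO.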

 

Further actions

If you would like Microsoft to address this issue in Azure AD Connect, please vote for this change on the Azure Feedback website.

 

Further reading

SSL and TLS Deployment Best Practices
RC4 in TLS is Broken: Now What?
Prioritizing Schannel Cipher Suites
Cipher Suites in TLS/SSL (Schannel SSP)
245030 How to restrict the use of certain cryptographic algorithms and protocols
How Do I Remove Legacy Ciphers (SSL2, SSL3, DES, 3DES, MD5 and RC4) on NetScaler?
A Cipher Best Practice: Configure IIS for SSL/TLS Protocol
How to disable RC4 and 3DES on Windows Server?
