Download the ‘AD insights pack’ for new capabilities to audit users, svc/MSA accounts, password last set, expiring, last login AD insights. Includes AD group audit alert capability.
Time to provide key ‘AD insight reports’ into users and groups. Delve into different AD audit capabilities for users and groups. The pack also gathers DC Security events (rules), and lastly, on demand tasks for reports.
The question is what determines a problem?
Every domain admin has a different experience and perspective, whether cyber (hack) focused or not. Audit standards differ, from HIPAA, SOX, CCRI, STIG, etc.
Groups – Choose your OU structure to audit WA in DA, SA in DA, WA in SA etc.
NOTE: Take caution on the OU group audit, to limit the output, as events have a size limitation
Configure ‘AD insight reports’
Now we can configure the user pack for applicable standards, like password age, last set, or AppOwners. The AppOwners is an array, so you can add whatever Application, system owners/teams in your organization. The password datasource (DS) rule runs weekly.
Configure the Password Time, last set, month, week and AppOwners to build out actionable svc/msa accounts failing audit artifacts.
Break out the regular expressions of whatever accounts each team uses, to tailor relevant data into the report alert. Find/Replace (Control-H) might be more effective, as the DS/WA repeat the logic for the on-demand task report, vs. the rule and monitor.
App Owner relevant service accounts by SamAccountName
Update patterns ID naming conventions
Tailor account names to environment to match ingested DC Security events.
Tailor the DC Security Events to account naming conventions.
Configure OU to environment
Configure OU structure to audit based on domain canonical names, groups, DC, etc.
Logical disk cleanup, most times is harder vs. smarter manual intervention required, why not smarter vs. harder?
‘Disk cleanup logic’ traditionally follows manual intervention. Why would you want harder and manual? This article will present options to clean up system and non-system disks, by leveraging largest root folder, API’s and more. This is one step in the OS Addendum pack that needs explanation and can be tailored to applications where admins have regular manual cleanup actions.
Breakdown of Disk cleanup
We want to check system disks and non-system disks for different scenarios. Figure out Disk free space, user profiles, largest folder on root of disk, IIS cleanup, and MECM/SCCM client cache clear API. Second, utilize different behaviors depending on PowerShell version, application log(s) cleanup, and expand drive alerts when NO space after cleanup action.
Check Software Distribution for ConfigMgr/SCCM/MECM client
Checking software distribution path was an item for discussion where the folder was larger than 3GB, stemming from customer and field engineers recommendations.
If ($DiskFreeSpace.FreeSpace -lt 15 )
{
# Audit Software Distribution
#==================================
If ( $SoftwareDistribution -lt “3000” )
{
Write-host “NO SME/SystemOwner/SysAdmin/Server Action required”
}
If ( $SoftwareDistribution -gt “3000” )
{
Write-host “SME/SystemOwner/SysAdmin/Server Action required, stopping Windows Update service, removing SoftwareDIstribution folder and restarting”
Get-Service -Name wuauserv | Stop-Service
Remove-Item -Path C:\Windows\SoftwareDistribution -Recurse
Get-Service -Name wuauserv | Start-Service
Write-host “Windows Update wuauserv service restarted after SoftwareDistribution directory removed”
}
Cleanup Application log folders
The nice part of this is you can reuse this by changing the path and deletion actions to tailor to customer environment. The script comes in handy for VEEAM, SQL, IIS instances and log directory on multiple drives.
The PKI addendum pack monitors PKI certificate hierarchy. Certificates can be a challenge, where we want to change focus to WHEN manual intervention is required.
The ‘PKI Addendum pack’ is a tricky pack, due to certificate hierarchy. The decisions included are part of the three pillars – health, Security, Compliance, as well as alerting WHEN manual intervention required.
The PKI pack provides discoveries of the server certificate stores to then analyze certificates for validity, chain, and expiration. The v1.4.3.0 release adds some task logic and script changes that helps discover more stores, trusted root, etc.
WHAT CAPABILITIES DOES THE ‘PKI ADDENDUM PACK’ PROVIDE?
Set timeframe for certificate per organizational standards.
Break out different expiration alerts based on internal/external certificate, or by AD Client Certificate enrollment templates (to build out the manual intervention required scenario when alerts are generated).
Create groups breaking out application self-signed, PKI certificates.
Separate RDP Auth, Domain Controller, Computer, and OCSP certificates.
If this sounds interesting, and you want to dabble in XML authoring…
Download the pack from GitHub to improve PKI monitoring on Windows Servers.
Additional screenshots of addendum components
Addendum pack creates multiple groups to break out various types of certificates that have different decisions/behaviors requiring unique timing
Groups
Addendum pack created groups to help admins get to the ‘manual intervention’ required alerting goal.
Discoveries
Leverage dynamic groups based on server name and EnhancedKeyUsageList (EKU) list
PKI dynamic group discoveries
Overrides
Change PKI pack default discoveries, lifetime threshold expirations and more
Override PKI pack defaults
DOCUMENTATION AND LINKS
Addendum requires the PKI Certificate MP release v1.4.3.0 download
Stop using the SCOM console to push agents. Move this to Endpoint Manager as application/package and task sequence to install and configure on every server built.
Shout out to Neal Smith, for his help simplifying the ‘SCOM agent application’ install per ConfigMgr/MECM best practice! Stop using the SCOM console to push agents. Move this to Endpoint Manager as application/package and task sequence to install and configure on every server built. Need a MECM package (Application) for the SCOM agent. Leverage a best practice, be more secure, include in task sequence, and automate manual install.
Easy button wrapper
Why? Helpdesk and server admin teams don’t have access to Tier0 devices. After no access, the Manual process (instruction steps get missed), then server is not monitored, becoming an outage resolution task/follow-up.
Use the below thread = ‘easy button’ to package SCOM agent when MECM administrator has availability to add SCOM agent to SCCM task sequence.
MECM/SCCM Application/package script :
Using Powershell.exe:
###############Startscript
“SCOM Super Installer”
start-transcript -path “c:\windows\ccm\logs\SCOMSUPERINSTALLER.log”
##ONLY THIS SECTION NEEDS TO BE EDITED, replace different domain FQDNS and the gateway/management server(s), management groups
# Leverage find/replace for the ##something## variables
# Provide SCOM Gateway or SCOM management server MS for $SCOMGATEWAYFQDN variable.
# Include SCOM Mgmt Group Name for ##SCOMMGMTGroupName##
Switch ($domain) {
“##DomainFQDN1##” {$SCOMManagementGroup=”##SCOMMGMTGroupName##”;$SCOMGATEWAYFQDN=”##SCOMServerName##”}
“##DomainFQDN2##” {$SCOMManagementGroup=”##SCOMMGMTGroupName##”;$SCOMGATEWAYFQDN=”##SCOMServerName##”}
}
########ONLY THIS SECTION NEEDS TO BE EDITED
Lastly, after SCOM agent added to Endpoint Manager, monitoring new servers should be a no-brainer. One less manual step having ‘SCOM agent application’ as part of the task sequence.
Still running Server2012R2 servers with AD DCs with AD integrated DNS?
In case you’re still running Windows Server 2012R2, here’s the ‘DNS2012R2 Addendum pack’ giving the same functionality as the version agnostic 2016+ addendum. Why? DNS is a translation method to convert names to IP’s. Can you imagine if we wanted to connect to google via IP? The number of workflows in the SCOM DNS pack (built by the DNS Product Group) makes for an astounding number of workflows running on your DC every minute. Forward and reverse lookups are a good check, verifying DNS is functioning. In a complex environment with 100’s of zones, SCOM becomes a utilization culprit for a DC’s primary missions – authenticate and resolve. This article will help you understand how the pack will add new capabilities and tune DNS monitoring to best practice.
nslookup to find out IP to name or name to IP resolution.
Simply put: Leverage the ‘DNS Addendum pack’. Why? DNS is a translation method to convert names to IP’s. Can you imagine if we wanted to connect to google via IP? The amount of workflows in the SCOM DNS pack (built by the DNS Product Group) makes for an astounding number of workflows running on your DC every minute. Forward and reverse lookups are a good check, verifying DNS is functioning. In a complex environment with 100’s of zones, SCOM becomes a utilization culprit for a DC’s primary missions – authenticate and resolve. This article will help you understand how the pack will add new capabilities and tune DNS monitoring to best practice.
What capabilities does the ‘DNS Addendum pack’ provide?
Count logic monitors (i.e. x events in y time, and self heal)
Daily summary report of DNS alerts broken out
DNS service(s) recovery automation
Daily alert closure workflow to close out DNS rules/monitor
Synthetic internal/external nslookup monitor (scoped to PDC emulators versus ALL DNS servers
WMI validation alert recovery to prevent false positive alerts with weird one off scenarios – one example: Security tools randomly block WMI access.
Download the DNS Addendum on GitHub and the PDF install guide, to improve AD Integrated (ADI) DNS monitoring on Windows Server 2016+ (version agnostic).
XML authoring
The pack greatly decreases alerts, workflows on your AD integrated DNS servers, and the XML authoring is an easy feat. After you import the pack, find/replace is required for two pieces.
Group GUIDs update, after installing this pack.
Find/replace the GUIDs, as they are unique to every SCOM management group, hard coding the group ID GUID is not possible.
From PowerShell, on your SCOM management server, run these commands (after DNS Addendum installed)
Use get-scomclassinstance -DisplayName “GroupNameHere” | ft Id
Find/Replace the GUID in the pack with the ID from the output above.
Discovery group regular expressions (RegEx)
##DNSServerRegEx##
Find ##DNSServerRegEx## and replace with your DNS server expressions.
Example server names: 16dns01, 19dc01,16dns02,19dc02,19dc03, etc.
RegEx = (?i)16dns0|19dc0
DNS Group discovery example of RegEx for find/replace
One more admin process and workflow is to ‘update SCAP tools’ on servers. Many times overlooked, this can save many headaches with the newest version installed on servers.
Check DOD Cyber Exchange
Check the website here, to search for Win in SCAP tools, then download & Install
SCAP tool download from DOD Cyber Exchange public website.
Navigation steps:
Control Panel > Programs > Programs and Features
In the search bar (top right) enter scap (and hit enter)
SCAP Control panel output showing multiple versions installed. Need to install latest application, then remove the old versions (in this case, all three!)
SCAP Control panel output showing multiple versions installed.
Install SCAP application
Extract files from ZIP
Copy folder to repository (my path example below)
Save SCAP zip and files to folder repository and on server to install SCAP on.
Save SCAP zip and files to folder repository and on server to install SCAP on.
Run SCAP application
Take the defaults (unless you want the checker icon on desktop). Run SCAP application from PowerShell (as admin) window.
Open PowerShell as admin window
Example:
cd “D:\MonAdmin\STIGS\scc-5.7.2_Windows”; gci; .\SCC_5.7.2_Windows_Setup.exe
Hit enter to begin install
Run SCAP install from PowerShell (as admin) window.
On the SCAP EULA radio button application install screen, click ‘I accept’ radio button and click Next.
SCAP EULA radio button application install screen.
Select Destination location (preferably on non-system disk), and click Next
Click on Start > start typing SCAP > Click on SCAP Compliance Checker
From the SCAP checker UAC prompt, click Yes to continue
SCAP checker UAC prompt, click Yes to continue
Click OK to end the install
SCAN new features popup after install
Run Local Scan
Run local scan to prove functionality.
Select STIG(s) in the middle pane > Click Start Scan
Run SCAP scan against server, choose your STIGs and Start Scan
Verify SCAP tool modified files after installation
Recheck Windows Explorer for OpenSSL; look at file properties for version details. Interesting, NONE of these files have versions (openssl, x509 searches show nothing file version wise)
Verify SCAP tool modified files after installation
Extra Extra read all about it, VMwareTools OpenSSL vulnerabilities!
Update VMwareTools to solve OpenSSL vulnerabilities CVE-2023-3446, CVE-2023-2975. The ‘VMwareTools OpenSSL vulnerabilities’ showed up two (2) weeks ago, but it took about a week for the update to post. Latest Tenable scan article shows OpenSSL update to v3.0.10 required for VMware Tools.
Update VMwareTools
Start with the Security scan and the plugin ID to mitigate ‘Tenable Scan output of OpenSSL PlugIn ID documenting problems’
Tenable Scan output of OpenSSL PlugIn ID documenting problems
Talk with your security team to identify the offending path for guidance on which application might be the culprit. The diagnostic/debug details can be a lifesaver!
Snippet of Tenable OpenSSL path from scan diagnostic of OpenSSL vulnerabilities
Newer version of VMwareTools required to fix OpenSSL vulnerabilities.
Originally, no VMwareTools update posted
VmWare tools v12.6 resolves CVE-2023-3446, CVE-2023-2975. Hopefully your virtualization team uses an Endpoint Manager to manage server configurations, and they have an application/package wrapper to install VMwareTools without this being a manual process
Either way, you’ll have to download the update download link
VmWare tools v12.6 has OpenSSL update to resolve CVE-2023-3446, CVE-2023-2975
The ‘MSSQL Addendum pack’ wouldn’t be possible without Brandon Pires contributions. Brandon dealt with my many questions to better alert! If you need more background, check the ‘why addendum pack’ post.
The pack is based on the SQL engineering blog and program team making multiple updates per year for SQL monitoring. The addendum creates two groups for dev/test and notification/subscription modeling. Second, the overrides, man there are a bunch! aid consumption of real issues. Lastly, most environments should be SQL 2016+, as the 2012R2 EOL/EOSL is quickly approaching in October!
MSSQL groups defined in the Addendum pack
MSSQL group discoveries require updates to be applicable to environment
Tailor addendum
First, the Addendum pack requires the MSSQL packs MUST be installed. The addendum is based on the MSSQL 2016+ version agnostic is currently supported, as the 2012,2012R2 products are near end of support.
Find/Replace the variables as needed:
Example ##TESTSERVER##|##DEVSERVER##
Save file
Overrides
Addendum pack contains discovery, monitor, and rule overrides to tune MSSQL to CSA (old PFE/CE/CSAe Microsoft Field engineer recommendations), to match the health model reducing critical ‘wake me up in the middle of the night’ alerts.
Do you associate StarTrek when the word federation is used inside of federation services (ADFS)?
To begin, the ‘ADFS addendum pack’ needs acknowledgement of the contributors who dealt with my many questions to better alert on AD issues! My thanks to Jason Windisch for his help and expertise with Active Directory Federation Services (ADFS). If you need more background, check the ‘why addendum pack’ post. BTW, what do you associate with the word – Federation?
The Active Directory Federation Services ‘ADFS Addendum pack’ configures ADFS group of related classes for notification/subscription modeling. Second, the rules, service monitors, tasks, service recovery, alert cleanup, and summary reports aid consumption of real issues. Third, if you have ADFS2012R2, I have an addendum pack, but coordination necessary to get the ADFS management packs MSI (not currently available). Lastly, most environments should be 2016+, as the EOL/EOSL is quickly approaching in October!
ADFS Addendum pack creates ADFS Group AND discovery requiring server names applicable to environment.
ADFS Group discovery requires server names applicable to environment
Tailoring the pack(s) to your environment
First, the Active Directory Federation Services management packs MUST be installed for the ‘ADFS Addendum pack’ to load. 2016+ agnostic is currently supported, as the 2012,2012R2 products are near end of support.
Find/Replace the variables as needed
##ADFSSERVERNAME1##|##ADFSSERVERNAME1##|##LAB##
Save file
Workflows
First, the DataSources (DS) and WriteActions (WA) clean up alerts, create daily reports, where the WA are the on-demand tasks versions.
Data source (DS) scheduled workflows run weekdays between 0600-0700 local SCOM management server local time. The summary and team reports (run during this time) summarize key insights. NOTE: the Monday report gathers the last 72 hours, so administrators get a ‘what happened over the weekend’ view. Tuesday-Friday reports are past 24 hours. Lastly, the group policy report summarizing unique GPUpdate error output.
Monitoring
ADFS Monitoring components screenshot from Notepad++
Addendum pack rules schedule data source execution, add on-demand tasks. The service monitor, and Recovery tasks add service recovery automation to bring us to the ‘manual intervention required’ alerting. There are a few monitor/rule overrides to match the health model.
Import
Download updated ‘ADFS addendum pack’ and save to your environment
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
