AD insight reports

Need to audit AD? Use AD insight reports pack!

Download the ‘AD insights pack’ for new capabilities to audit users and svc/MSA accounts: password last set, expiring passwords, and last logon AD insights. It also includes an AD group audit alert capability.


Quick Download https://github.com/theKevinJustin/ADInsights/


AD audit

Time to provide key ‘AD insight reports’ into users and groups, and to delve into the different AD audit capabilities for each. The pack also gathers DC Security events (via rules) and, lastly, provides on-demand tasks for reports.

The question is: what determines a problem?

Every domain admin has a different experience and perspective, whether cyber (hack) focused or not.  Audit standards differ, from HIPAA, SOX, CCRI, STIG, etc.

Pack examples:

Users – service account naming conventions, password change frequency, expired date/time configured.

Groups – choose your OU structure to audit cross-tier membership, such as WA in DA, SA in DA, WA in SA, etc.

NOTE: Take caution with the OU group audit and limit the output, as events have a size limitation.


Configure ‘AD insight reports’

Now we can configure the user pack for the applicable standards, like password age, last set, or AppOwners. AppOwners is an array, so you can add whichever application and system owners/teams exist in your organization. The password datasource (DS) rule runs weekly.

Configure the Password Time, last set, month, week and AppOwners to build out actionable svc/MSA accounts failing audit artifacts.


Break out the regular expressions for whichever account names each team uses, to tailor the relevant data into the report alert. Find/Replace (Control-H) may be more effective than editing by hand, since the DS and WA repeat the same logic for the on-demand task report as for the rule and monitor.

App Owner relevant service accounts by SamAccountName
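As an added example (not code from the ADInsights pack), here is how the AppOwners array and the password-age thresholds can be applied in PowerShell to produce a per-team list of svc/MSA accounts failing the audit; the team names, SamAccountName patterns and the 365/30 day thresholds are assumptions to replace with your own.

```powershell
# Added example, not the ADInsights pack's own DS/WA logic.
# Assumes the ActiveDirectory module; team names, patterns and thresholds are assumptions.
Import-Module ActiveDirectory

# AppOwners: one entry per owning team, with a regex matched against SamAccountName (constructed)
$AppOwners = @(
    @{ Team = 'SQL Team';  Pattern = '^svc[-_]?sql' },
    @{ Team = 'SCOM Team'; Pattern = '^svc[-_]?(scom|om)' },
    @{ Team = 'Web Team';  Pattern = '^svc[-_]?(iis|web)' }
)

function Get-SvcAccountAudit {
    param(
        [Parameter(Mandatory)][object[]]$AppOwners,
        [int]$MaxPasswordAgeDays = 365,   # audit standard: rotate at least yearly (assumption)
        [int]$WarnDays           = 30     # flag passwords expiring inside this window
    )
    $now = Get-Date
    # Enabled user objects plus standalone and group managed service accounts
    $accounts  = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate)
    $accounts += @(Get-ADServiceAccount -Filter * -Properties PasswordLastSet, LastLogonDate)

    foreach ($acct in $accounts) {
        # Map the account to an owning team by name pattern; names matching no team are skipped
        $owner = $AppOwners | Where-Object { $acct.SamAccountName -match $_.Pattern } | Select-Object -First 1
        if (-not $owner) { continue }

        $age = $null
        if ($acct.PasswordLastSet) { $age = [int]($now - $acct.PasswordLastSet).TotalDays }

        $finding = 'OK'
        if ($null -eq $age)                                 { $finding = 'PasswordNeverSet' }
        elseif ($acct.PasswordNeverExpires)                 { $finding = 'PasswordNeverExpires' }  # MSAs have no such flag
        elseif ($age -gt $MaxPasswordAgeDays)               { $finding = 'PasswordExpired' }
        elseif ($age -gt ($MaxPasswordAgeDays - $WarnDays)) { $finding = 'PasswordExpiringSoon' }

        [pscustomobject]@{
            Team            = $owner.Team
            SamAccountName  = $acct.SamAccountName
            ObjectClass     = $acct.ObjectClass          # user vs. msDS-(Group)ManagedServiceAccount
            PasswordLastSet = $acct.PasswordLastSet
            PasswordAgeDays = $age
            LastLogonDate   = $acct.LastLogonDate
            Finding         = $finding
        }
    }
}

# One short block per team: SCOM event/alert descriptions have a size limit, so cap the rows
$audit = Get-SvcAccountAudit -AppOwners $AppOwners -MaxPasswordAgeDays 365 -WarnDays 30
foreach ($team in ($audit | Where-Object { $_.Finding -ne 'OK' } | Group-Object Team)) {
    "== $($team.Name): $($team.Count) svc/MSA account(s) failing audit =="
    $team.Group | Select-Object -First 25 -Property SamAccountName, Finding, PasswordAgeDays, LastLogonDate |
        Format-Table -AutoSize | Out-String -Width 120
}
```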

Update patterns for ID naming conventions

Tailor the account name patterns to your environment so they match the ingested DC Security events.

Tailor the DC Security Events to account naming conventions.


Configure OU to environment

Configure the OU structure to audit, based on domain canonical names, groups, DCs, etc.

AD Group audit example
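An added example, not the pack's own group audit workflow, of the cross-tier group audit described above: it resolves the recursive membership of each tier group and reports any account that sits in a lower tier while also appearing in a higher one (WA in DA, SA in DA, WA in SA). The group names other than Domain Admins are assumptions.

```powershell
# Added example, not the ADInsights pack's own group audit workflow.
# Assumes the ActiveDirectory module. Group names below Domain Admins are assumptions;
# order matters: earlier entries are higher (more privileged) tiers.
Import-Module ActiveDirectory

$TierGroups = [ordered]@{
    DA = 'Domain Admins'        # Tier 0, built-in
    SA = 'Server Admins'        # Tier 1 (assumed group name)
    WA = 'Workstation Admins'   # Tier 2 (assumed group name)
}

function Get-TierGroupViolations {
    param([Parameter(Mandatory)]$TierGroups)
    $tiers = @($TierGroups.Keys)

    # Resolve each group's membership once, recursively, so nested groups count as membership
    $members = @{}
    foreach ($tier in $tiers) {
        $members[$tier] = @(Get-ADGroupMember -Identity $TierGroups[$tier] -Recursive |
                            Where-Object { $_.objectClass -eq 'user' } |
                            Select-Object -ExpandProperty SamAccountName)
    }

    # Compare every higher tier against every lower tier: WA in DA, SA in DA, WA in SA
    for ($h = 0; $h -lt $tiers.Count; $h++) {
        for ($l = $h + 1; $l -lt $tiers.Count; $l++) {
            $hi = $tiers[$h]; $lo = $tiers[$l]
            foreach ($sam in ($members[$hi] | Where-Object { $members[$lo] -contains $_ })) {
                [pscustomobject]@{ Account = $sam; LowerTier = $lo; FoundIn = $hi; Check = "$lo in $hi" }
            }
        }
    }
}

# Bound the output: SCOM event descriptions have a size limit
$violations = @(Get-TierGroupViolations -TierGroups $TierGroups)
"$($violations.Count) cross-tier membership finding(s)"
$violations | Select-Object -First 50 | Format-Table -AutoSize
```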

Save file(s) and import

DNS2012R2 Addendum pack

Still running Server 2012R2 servers with AD DCs with AD integrated DNS?

In case you’re still running Windows Server 2012R2, here’s the ‘DNS2012R2 Addendum pack’, giving the same functionality as the version-agnostic 2016+ addendum. Why? DNS is the translation method that converts names to IPs. Can you imagine if we had to connect to Google by IP? The number of workflows in the SCOM DNS pack (built by the DNS Product Group) adds up to an astounding number of workflows running on your DC every minute. Forward and reverse lookups are a good check that DNS is functioning. In a complex environment with hundreds of zones, SCOM becomes a utilization culprit competing with a DC’s primary missions: authenticate and resolve. This article will help you understand how the pack adds new capabilities and tunes DNS monitoring to best practice.

Quick Download https://github.com/theKevinJustin/DNSAddendum2012R2/


What capabilities does the ‘DNS Addendum pack’ provide?

Count logic monitors (i.e. x events in y time, and self heal)

Daily summary report of DNS alerts broken out

Daily alert closure workflow to close out DNS rules/monitor

DNS service(s) recovery automation

Synthetic internal/external nslookup monitor (scoped to PDC emulators versus ALL DNS servers)

WMI validation alert recovery to prevent false-positive alerts from weird one-off scenarios – one example: security tools randomly blocking WMI access.


Download the ‘DNS2012R2 Addendum pack’ on GitHub to improve AD Integrated (ADI) DNS monitoring on Windows Server 2016+ (version agnostic).

Save and import the pack, then update the XML for the group GUIDs.


Update XML

First, update the XML with the GUIDs from your management group. Second, map each group DisplayName to its GUID so you can find/replace the GUID for each group.

Get-SCOMClassInstance output for DNS2012R2 groups


Third, using Notepad++, highlight the ContextInstance GUID, hit Control-H, paste the group GUID, then click Replace All.

Fourth – Rinse and repeat for the other three groups.

Lastly, save file, move to SCOM MS, and import!

 

Documentation and links

DNS Pack download

DNS2012R2 addendum blog including updates

GitHub Repository https://github.com/theKevinJustin/DNSAddendum2012R2/

 

ADDS addendum pack

Active Directory monitoring – definitely needs an addendum!

To begin, the ‘ADDS addendum pack’ needs an acknowledgement of the contributors who dealt with my many questions on how to better alert on AD issues! My thanks to Bob Williams, Vance Cozier and Jason Windisch for their help and expertise with Active Directory (AD/ADDS). If you need more background, check the ‘why addendum pack’ post.

Quick Download(s)

2012 HTTPS://GITHUB.COM/THEKEVINJUSTIN/ADDS2012ADDENDUM/

2012R2 HTTPS://GITHUB.COM/THEKEVINJUSTIN/ADDS2012R2ADDENDUM/

2016+ https://github.com/theKevinJustin/ADDSAddendumAgnostic


Overview of capabilities

The Active Directory ADDS Addendum pack(s) change how Tier0 health and Domain Admins consume alerts. First, the AD product team re-wrote the packs back in 2016 as PowerShell workflows: many workflows measure replication and the health of your forest(s), with less alert noise than the 2008 packs. Second, the addendums for 2012, 2012R2, and the version-agnostic 2016+ should help reduce the alert ‘burden’. Lastly, most environments should be 2016+, as EOL/EOSL for the older platforms is quickly approaching in October!


Workflows

First, the DataSources (DS) and WriteActions (WA) clean up AD pack alerts and create the daily reports, team reports, and AD pack summary alerts; the WAs are the on-demand task versions of the DSs.

DataSources (DS) and WriteActions (WA) clean up AD pack alerts, create daily reports, team, and AD pack summary alerts, and the WA are the on-demand tasks versions of the DS

Data source (DS) scheduled workflows run weekdays between 0600-0700, SCOM management server local time. The summary and team reports (run during this window) summarize key insights. NOTE: the Monday report gathers the last 72 hours, so administrators get a ‘what happened over the weekend’ view; Tuesday-Friday reports cover the past 24 hours. Lastly, the group policy report summarizes unique GPUpdate error output.


Monitoring

ADDS monitoring snapshot showing rules, tasks, recoveries with added capabilities

Addendum pack rules schedule the data source execution, adding on-demand task alerts, including new group policy rule alerts. The Recovery tasks add service recovery automation to bring us to ‘manual intervention required’ alerting. There are a few monitor/rule overrides to match the health model. NOTE: The 2012R2 pack is missing the component alert, as there’s less than 2 months until platform support ends.

The component alert is a new workflow that’s helped Tier0 admins.

Basically, this is a PowerShell workflow that checks SCOM alerts for multiple DC alerts to determine DC health. I don’t change the AD critical service monitors, but simply summarize the alerts to tell you when intervention is required.


Tailoring the pack(s) to your environment

First, the Active Directory Domain Services management packs MUST be installed for the ‘ADDS Addendum pack’(s) to load. The three currently supported versions have addendums; hopefully 2012 and 2012R2 are planned for decommissioning in the short term.


Update the AD summary and team reports

The AD summary and team reports filter on regular expressions for the specific Tier0 servers owned by the Domain Administrators, the AD Team (or any other aliases the SMEs may go by) and similar groups.

In your favorite XML editor (mine is Notepad++), open the addendum pack(s), and find/replace the following strings:

Look for the $ADDSServerAlerts line and change the NetBiosComputerName pattern ("*A1*" in the example) to match your Tier0 server naming:

$ADDSServerAlerts = $ADDSReportAlerts | ? { ( $_.NetBiosComputerName -like "*A1*" ) `


Save pack

Import and enjoy!

 

Documentation

ADDS 2012+ management pack download

AD Application monitoring

Data from Star Trek: The Next Generation – Mr. Tricorder makes me laugh!

‘AD Application monitoring’ > web synthetics > artificial users > android: what image comes to mind? Is it a person, or a thing from a sci-fi movie? Perhaps Bishop from Aliens, or Data from Star Trek. What does ‘AD Application monitoring’ consist of? Currently it means a CRL validity check and an ADFS web synthetic (proving that ADFS is responding). My thanks to Jason Windisch, CSA, for the supplied PowerShell!


Quick Download https://github.com/theKevinJustin/ADApplications/

Tailoring the pack to your environment

The purpose of the pack is to add scheduled workflows that act like the user and identify whether the CRLs are about to expire. Most times, monitoring stops at ICMP ping, yet there is still an outage even though the network and servers are responding. The next layer is IIS, Apache, etc. Sometimes the network team gets involved, checking that a base IIS URL is configured. Most outages aren’t the network, nor IIS not running. This is why we focus on the web application responding. Does the multi-pronged tactical attack on the problem make sense?

This pack delivers on-demand tasks, daily reports, and rules/monitors to reflect health. Customize the watcher node and some URLs, save, and import into SCOM! The purpose


Assign watcher node(s)

Assign a watcher node by creating a registry key.

What does that mean? Watcher nodes are needed to provide the user perspective.


Multiple site example

Issue: Users from sites 1, 2 and 3 are having problems accessing web pages. To understand a user in site 2, leverage a server in site 2 to initiate the web request (Invoke-WebRequest in PowerShell).

Why: Differentiate user experience (per site). Answer the ‘did you know’ question: is the application responding from this site/perspective?

Unfortunately, the watcher node concept eludes most administrators. Mastering ‘user perspective’ is an invaluable aid in moving from reactive ‘fire fighting’ to being told proactively, before users notice. Hopefully this explains the power of monitoring that imitates user interactions for key web applications.

How: Create a registry key on whichever servers you want to initiate the web monitor.

From PowerShell (as Admin) or Command Prompt (as Admin):

reg add "HKLM\SOFTWARE\ADApplications\WatcherNode"

AD Applications regedit registry key validation

Example of XML snippet from AD Applications management pack

AD Applications Watcher Node – create specific registry key


Set up CRL Validity check and ADFS synthetic

Next, configure the URLs for the customer environment in the ‘AD Application monitoring’ management pack.

Update AD Applications module types for monitor/rules for CRL and ADFS synthetics

Configure the CRL validity check array

From your favorite XML editor (Notepad++ pictured)

Find/Replace ##FQDN##, ##CRLstring## and the numbers to match the customer environment.

CRL Validity check, create your array length as needed for customer environment


Configure the ADFS synthetic request(s)

From your favorite XML editor (Notepad++ pictured)

Find/Replace $server and ##FederationFQDN##; if necessary, update the ADFS URL string (the /adfs/ls/idpiniatedsignon.aspx portion) where it differs in the customer environment.

Update ADFS URL for invoke-webRequest, ADFS default URL in specified example
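As an added example (not the AD Applications pack's module code), the watcher node gate and the ADFS synthetic described above combined in one script: the request runs only where the WatcherNode registry key exists, and an HTTP 200 alone is not treated as healthy. ##FederationFQDN## is the pack's placeholder; the timeout and the page markers are assumptions.

```powershell
# Added example, not the AD Applications pack's module code.
# ##FederationFQDN## is the pack's placeholder; timeout and page markers are assumptions.
$FederationFQDN = '##FederationFQDN##'
$WatcherKey     = 'HKLM:\SOFTWARE\ADApplications\WatcherNode'

function Test-AdfsSynthetic {
    param(
        [Parameter(Mandatory)][string]$FederationFQDN,
        [string]$Path    = '/adfs/ls/idpinitiatedsignon.aspx',   # ADFS default; change if the farm differs
        [int]$TimeoutSec = 30
    )
    $url = "https://$FederationFQDN$Path"
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
        $sw.Stop()
        # HTTP 200 alone is not proof of health: require the sign-in form to have rendered (marker is an assumption)
        $formRendered = $resp.Content -match 'idp_SignInButton|Sign in'
        [pscustomobject]@{
            Url = $url; StatusCode = [int]$resp.StatusCode; ElapsedMs = $sw.ElapsedMilliseconds
            Healthy = ($resp.StatusCode -eq 200 -and $formRendered); Detail = ''
        }
    } catch {
        $sw.Stop()
        # DNS failure, TLS error, timeout or a 4xx/5xx response all land here
        [pscustomobject]@{
            Url = $url; StatusCode = 0; ElapsedMs = $sw.ElapsedMilliseconds
            Healthy = $false; Detail = $_.Exception.Message
        }
    }
}

# Only servers carrying the watcher node key initiate the request (user perspective per site)
if (Test-Path $WatcherKey) {
    Test-AdfsSynthetic -FederationFQDN $FederationFQDN
} else {
    "Not a watcher node ($WatcherKey missing): skipping ADFS synthetic"
}
```

On AD FS 2016+ the IdP-initiated sign-on page is disabled by default (Set-AdfsProperties -EnableIdpInitiatedSignonPage $true turns it on), so a failure there can be configuration rather than an outage.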

Save pack

Import and enjoy!

 

Documentation

URLGenie for advanced website monitoring

PowerShell invoke-webRequest

Addendum logic blog

Check your delegation settings

Sometimes, as the monitoring admin, you may be responsible for securing your servers, being told by Security/Cyber teams about new vulnerabilities. The findings may come from Tanium, ACAS, Tenable or other security tools. This article shows how to secure the related SCOM web console and SSRS reporting sites against the unconstrained delegation vulnerability CVE-2020-17049, also AD STIG V-36435.

 

First we need to identify IF this is a true finding.

Typically this comes from a Server/Systems Admin with domain admin access:

From PowerShell run:

Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

After identifying SCOM servers with unconstrained delegation (the scope of this blog post is SCOM in a hybrid on-prem/cloud scenario), we need to resolve it.

With domain administrator rights, open the Active Directory Users and Computers MMC snap-in.

In ADUC, change the Find drop-down to Computers.
In the Computer name text box, enter <SCOMServer> and click search.

Right click the server in the results box > Select Properties.

Select the Delegation tab.

ADUC view of lab server delegation setting

 

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <SCOMServer>, and then select OK.

Click the Add button to add services

Select the w3svc and www processes

Select OK.

ADUC GUI adding services for delegation on SCOM server

Once set in AD, reboot the server. Running ‘gpupdate /force’ may not apply the AD changes to the server object.

After the reboot, reach out to the SCOM admins to test web console authentication.

From the Edge browser, go to the SCOM web console, typically at https://<SCOMServer>/OperationsManager

On the Monitoring tab, click the Active Directory dashboard on the left.

Verify authentication works
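As an added example that is not from the post, a PowerShell check covering both ends of the procedure above: enumerating accounts with unconstrained delegation (going beyond the post by also listing user objects and flagging domain controllers, which carry the bit by design), and verifying after the reboot that the SCOM server now has only constrained delegation. The server name is a placeholder.

```powershell
# Added example, not from the post. Assumes the ActiveDirectory module and domain read rights.
Import-Module ActiveDirectory

# userAccountControl bit 0x80000 (524288) = TRUSTED_FOR_DELEGATION (unconstrained); same filter as the post
$UnconstrainedFilter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'

function Get-UnconstrainedDelegation {
    # Domain controllers hold this bit by design; flag them so the report separates true findings
    $dcNames = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name)

    Get-ADComputer -LDAPFilter $UnconstrainedFilter -Properties OperatingSystem, primaryGroupID |
        ForEach-Object {
            [pscustomobject]@{
                Account            = $_.Name
                Type               = 'computer'
                OperatingSystem    = $_.OperatingSystem
                # 516 = Domain Controllers, 521 = Read-only Domain Controllers
                IsDomainController = ($dcNames -contains $_.Name) -or ($_.primaryGroupID -in 516, 521)
            }
        }
    # The post queries computers; user objects can carry the same bit, so list them as well
    Get-ADUser -LDAPFilter $UnconstrainedFilter |
        ForEach-Object {
            [pscustomobject]@{ Account = $_.SamAccountName; Type = 'user'; OperatingSystem = ''; IsDomainController = $false }
        }
}

function Test-ConstrainedDelegation {
    # Verify the ADUC change after the reboot: unconstrained bit cleared, target service list populated
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    $targets = @($c.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        Name                       = $c.Name
        TrustedForDelegation       = $c.TrustedForDelegation        # expect False once constrained
        TrustedToAuthForDelegation = $c.TrustedToAuthForDelegation  # True = "Use any authentication protocol"
        AllowedToDelegateTo        = $targets                       # expect the w3svc/www SPNs picked in ADUC
        Remediated                 = (-not $c.TrustedForDelegation) -and ($targets.Count -gt 0)
    }
}

# Usage: true findings are the non-DC rows; then verify the remediated SCOM server (placeholder name)
Get-UnconstrainedDelegation | Where-Object { -not $_.IsDomainController } | Format-Table -AutoSize
$ScomServer = 'SCOMWEB01'   # placeholder: your SCOM web console / SSRS server name
Test-ConstrainedDelegation -ComputerName $ScomServer
```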

 

Documentation

Pentestlab – Detecting Unconstrained Delegation Exposures in AD Environment

Petri.com find and block unconstrained delegation

Learn.Microsoft.com unconstrained kerberos article

Explanatory documents on what/why

Remove Unconstrained Kerberos Delegation

 

ADCS – Active Directory Certificate Services Addendum pack

Time to talk Certificates!
Certificate of Achievement

 

Hello again, it’s time to talk about ADCS – Active Directory Certificate Services Addendum!

 

First, I’d like to call out Bob Williams and Vance Cozier for their help and expertise!

SCOM-ADCS-Addendum download


Background

ADCS is Active Directory Certificate Services, or what we would know as a Certificate Authority. The goal was to improve the pack, because of how important certificates are to a modern enterprise. Let’s begin the Active Directory Certificate Services Addendum pack review.

Collaboration

In this section, let’s talk through the Certificate Services packs for 2016+, and how we as Microsoft consultants and field engineers recommend changes to the pack. First, for some background: the collaboration process gets a better result, improving Microsoft products. Second, the collaboration result can vary. Third, collaboration input can be based on customer input or field engineer experience. Most importantly, this is how we ‘would have liked’ the pack to work.

AD Certificate Services Monitoring

The Certificate Services pack alerts on events/services. Therefore, the pack does NOT monitor the SCEP URL; for that reason, a transaction web monitor was added. The collaboration effort was focused on improving the ADCS pack, resulting in the creation of the Active Directory Certificate Services Addendum and Customizations packs.


Download File

Let’s delve into the download file

SCOM-ADCS-Addendum download

 

Review file contents

  • Download.txt (in case you need to find it later!)
  • Version.Info.txt (MP version history, what was added & when)
  • XLS MP export of rules/monitors
  • ADCS Addendum & Customizations packs

 

References

Configuring Certificate Services docs site

ADCS download

Management Pack wiki

Active Directory 2012-2016 Addendum packs updated

Man, time flies!

Thought I’d share some new functionality for AD DS (Active Directory Domain Services).


Ran across some customer errors with AD Event ID 1084, which exists in the old 8321 pack, but not in the v10.x pack.

Well, if you get these errors, your DC isn’t replicating, and will most likely need to be rebuilt.


Gallery download

 

Broke out the packs to separate the Recovery Tasks into their own pack, versus the added functionality in the addendum.

Figured it better to send the packs NOT sealed, so that meant 2 packs,

WYSIWYG (wizzy-wig acronym)


What this means

v1.0.0.1 pack had just the AD DS Service Recovery Tasks

v1.0.0.2 pack has a Service Recovery Tasks pack, and the Addendum pack

What I think is cool is that the Addendum pack contains 2 rules: a simple event rule (enabled by default), and also a PowerShell rule.

Rule: figured out how to simply look for criteria, count them, and alert on it.

We always look for alert suppression; some of the sliding/counting monitors are too much.


Starting with Holman’s alerting rule fragment, we can create more powerful combinations than just a single symptom.

Using variations of the Get-Date command, we can specify how far back to look when counting events for alerts.

An easier method to count events, to figure out an alert threshold.

From the rule in the Addendum pack:

# Check blog for more detail https://blogs.technet.microsoft.com/heyscriptingguy/2015/01/21/adding-and-subtracting-dates-with-powershell/
# If you want this in other time increments: AddHours, AddSeconds, AddMilliseconds
#
# Look back 65 minutes so an hourly schedule never misses the boundary
$LastCheck = (Get-Date).AddMinutes(-65)

# Count NTDS Replication 1084 events whose message carries the 8451 database error
[int]$TempCount = (Get-EventLog -LogName "Directory Service" -Source "NTDS Replication" -InstanceID 1084 -Message "*8451 The replication operation encountered a database error*" -After $LastCheck).Count

IF ($TempCount -ge 1)
{
    $Result = "BAD"
    $Message = "The number of 1084 Replication Database error events ($TempCount) met the threshold of 1"
}
ELSE
{
    $Result = "GOOD"
    $Message = ""
}


Maybe we need multiple event ID’s, or search multiple event logs… you decide, and let me know.
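An added example (not the Addendum pack's rule) that generalizes the counting rule above to several event IDs and logs, as the closing question suggests: each check is a log/ID/provider/message tuple, the counts are summed against one threshold, and the result is handed to SCOM as a property bag when the script runs under an agent. The second event ID (2108) is an assumption; adjust the list to your environment.

```powershell
# Added example, not the Addendum pack's rule. Run on a DC (or an agent with the Directory Service log).
function Get-ReplicationErrorCount {
    param(
        [int]$LookbackMinutes = 65,      # same 65-minute window as the pack's hourly rule
        [int]$Threshold       = 1,
        # One entry per log/ID to count; the 2108 entry is an assumption (it also reports 8451 errors)
        [hashtable[]]$Checks = @(
            @{ Log = 'Directory Service'; Id = 1084; Provider = 'NTDS Replication'; Match = '8451 The replication operation encountered a database error' },
            @{ Log = 'Directory Service'; Id = 2108; Provider = 'NTDS Replication'; Match = '8451' }
        )
    )
    $since   = (Get-Date).AddMinutes(-$LookbackMinutes)
    $total   = 0
    $details = @()
    foreach ($chk in $Checks) {
        $filter = @{ LogName = $chk.Log; Id = $chk.Id; StartTime = $since }
        if ($chk.Provider) { $filter.ProviderName = $chk.Provider }
        # Get-WinEvent throws (rather than returning nothing) when no event matches, hence SilentlyContinue
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
        if ($chk.Match) { $events = @($events | Where-Object { $_.Message -like "*$($chk.Match)*" }) }
        $total += $events.Count
        if ($events.Count -gt 0) { $details += "$($chk.Log) ID $($chk.Id): $($events.Count)" }
    }
    $result  = 'GOOD'
    $message = ''
    if ($total -ge $Threshold) {
        $result  = 'BAD'
        $message = "$total replication error event(s) in the last $LookbackMinutes minutes (" + ($details -join '; ') + ')'
    }
    [pscustomobject]@{ Result = $result; EventCount = $total; Message = $message }
}

$check = Get-ReplicationErrorCount
try {
    # Under a SCOM agent, hand the values back as a property bag for the rule's condition detection
    $api = New-Object -ComObject 'MOM.ScriptAPI'
    $bag = $api.CreatePropertyBag()
    $bag.AddValue('Result',  $check.Result)
    $bag.AddValue('Count',   $check.EventCount)
    $bag.AddValue('Message', $check.Message)
    $bag
} catch {
    $check   # not running under a SCOM agent: just show the result object
}
```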

 

Console Errors in the new Active Directory Directory Services MP

New MP released that resolves this – v10.0.2.0, download here

doh


At least it’s not the Security patch issue when you click on Health/State views, right?

https://support.microsoft.com/en-us/help/3200006/system-center-operations-manager-management-console-crashes-after-you

 

In the SCOM Console

Do you get an error when clicking on the Authoring tab > Management Pack Objects > Overrides?

If you are running the 2012-2016 Active Directory Directory Services v10.0.1.0 MPs, you most likely get this error:

“Microsoft.EnterpriseManagement.Common.ObjectNotFoundException: An object of class ManagementPackClass with ID <guid here>”


Unfortunately, the RODC group rule overrides did not reference the Discovery MP.

It’s an awesome MP, and I’m thankful for the new AD MP.

Check out Holman’s blog for all the fun and features.

 

Figure out which management pack has the issue with the ID

To find the offending item from the console error, see this blog.

Blog summary: using the Operations Manager Shell, export the overrides

Get-SCOMOverride | Out-File d:\monadmin\overrides.txt

Search the file for your GUID to learn which ID it is and what in SCOM that ID is attached to.

Property          : Enabled
XmlTag            : RulePropertyOverride
Rule              : ManagementPackElementUniqueIdentifier=78ee983f-268d-0b99-0ca6-b1ca75c46621
Context           : ManagementPackElementUniqueIdentifier=0903521d-f768-3d26-a0af-ae52f8c09a29
ContextInstance   : 
Enforced          : False
Value             : false
ManagementGroup   : SCOM2012R2
ManagementGroupId : 28b70e43-4655-edfc-6127-ff4a72642488
Identifier        : 1|Microsoft.Windows.Server.AD.2012.Monitoring/31bf3856ad364e35|1.0.0.0|Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesComp.Collection.Override.RODCGroup||
Name              : Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesComp.Collection.Override.RODCGroup

The highlighted items show an override for a rule named ‘DRA Outbound Bytes Comp’ (compressed).

Now, if you’re impatient like me and can’t wait for the new sealed MP to fix the console error, here’s how you can fix the MP.

Unseal the three monitoring MPs

After unsealing the MP, update the RulePropertyOverride(s) for 2012, 2012R2, and 2016 Monitoring management packs, and then import into your SCOM Management group.

MP Viewer How-To, Tool Download

 

Add the referencing MP to the rule overrides:
For 2012 – AD2012Core! was missing (see the Manifest section for AD2012Core MP info)
For 2012R2 – AD2012R2Core! was missing (see the Manifest section for AD2012R2Core MP info)
For 2016 – AD2016Core! was missing (see the Manifest section for AD2016Core MP info)
The RODC group is created with each version of AD Directory Services (2008, 2012, 2016).
In the 2008 MP the overrides exist in the Discovery MP.
To correct the 2012, 2012R2 and 2016 MPs, the Discovery MP reference must be added to each rule override.

 

Verify overrides in SCOM Console

Click on Authoring Tab, Management Pack Objects, Overrides

Before the fix, this shows the error: “Microsoft.EnterpriseManagement.Common.ObjectNotFoundException: An object of class ManagementPackClass with ID <guid here>”

With persistence, you may be able to search for overrides.

 

In ‘Look For’ bar, type RODC

Hit enter

Verify there are 4 (FYI, there are 4 rules per AD version installed in your management group)

 

Remove Sealed AD Monitoring MP’s

Import unsealed MP’s

 

Verify in the console that the overrides show up (no errors seen)

 

Click on Authoring Tab, Management Pack Objects, Overrides

In ‘Look For’ bar, type RODC

Hit enter

 

Verify 16 (4 rules per AD version: 2008, 2012, 2012R2, 2016; or 12 rules will display if the AD 2008 packs are not installed)

Sample XML for Overrides
<Overrides>
  <RulePropertyOverride ID="Microsoft.Windows.Server.2012.AD.DomainController.DRAIntersiteOutBytes.Collection.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Microsoft.Windows.Server.2012.AD.DomainController.DRAIntersiteOutBytes.Collection" Property="Enabled">
    <Value>false</Value>
  </RulePropertyOverride>
  <RulePropertyOverride ID="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesComp.Collection.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesComp.Collection" Property="Enabled">
    <Value>false</Value>
  </RulePropertyOverride>
  <RulePropertyOverride ID="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesNotComp.Collection.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesNotComp.Collection" Property="Enabled">
    <Value>false</Value>
  </RulePropertyOverride>
  <RulePropertyOverride ID="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesTotal.Collection.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesTotal.Collection" Property="Enabled">
    <Value>false</Value>
  </RulePropertyOverride>
</Overrides>

 

Enjoy!

woohoo