Download the ‘AD insights pack’ for new capabilities to audit users and svc/MSA accounts: password last set, expiring passwords, and last login AD insights. It also includes an AD group audit alert capability.
Time to provide key ‘AD insight reports’ into users and groups, and to delve into the different AD audit capabilities for users and groups. The pack also gathers DC Security events (rules) and, lastly, provides on-demand tasks for reports.
The question is: what determines a problem?
Every domain admin has a different experience and perspective, whether cyber (hack) focused or not. Audit standards differ as well: HIPAA, SOX, CCRI, STIG, etc.
Groups – Choose your OU structure to audit WA in DA, SA in DA, WA in SA etc.
NOTE: Take caution with the OU group audit and limit the output, as events have a size limitation.
Configure ‘AD insight reports’
Now we can configure the user pack for the applicable standards, like password age, last set, or AppOwners. AppOwners is an array, so you can add whatever application and system owners/teams exist in your organization. The password datasource (DS) rule runs weekly.
Configure the password time (last set, month, week) and AppOwners to build out actionable artifacts for svc/MSA accounts failing the audit.
Break out the regular expressions for whatever accounts each team uses, to tailor relevant data into the report alert. Find/Replace (Ctrl-H) may be more effective, as the DS/WA repeat the logic for the on-demand task report versus the rule and monitor.
App Owner relevant service accounts by SamAccountName
Update the patterns for ID naming conventions
Tailor the account names to the environment to match the ingested DC Security events.
Tailor the DC Security Events to account naming conventions.
Configure OU to environment
Configure OU structure to audit based on domain canonical names, groups, DC, etc.
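The audit described above, as an added example rather than the pack's own workflow: it pulls svc/MSA users and managed service accounts, applies the password-age and last-logon thresholds, and maps each account to an AppOwner team by SamAccountName regex. It assumes the ActiveDirectory RSAT module and read access to the domain; the thresholds, name patterns and team names are constructed placeholders to tailor to your environment.

```powershell
# Added example (not the AD insights pack's own code): svc/MSA password-age audit mapped to AppOwners.
Import-Module ActiveDirectory

# Thresholds mirroring the pack's settings (placeholders): password older than a year fails, no logon in 90 days is stale.
$MaxPasswordAgeDays = 365
$StaleLogonDays     = 90
$pwdCutoff   = (Get-Date).AddDays(-$MaxPasswordAgeDays)
$logonCutoff = (Get-Date).AddDays(-$StaleLogonDays)

# AppOwners array: regex on SamAccountName -> owning team. Constructed sample patterns; tailor to your naming convention.
$AppOwners = @(
    @{ Team = 'SCOM Team'; Pattern = '^svc[-_]?scom' }
    @{ Team = 'SQL DBAs';  Pattern = '^svc[-_]?sql' }
    @{ Team = 'Web Team';  Pattern = '^(svc|msa)[-_]?(iis|web|adfs)' }
)

# Service accounts = regular users named svc*/msa* plus sMSA/gMSA objects (Get-ADServiceAccount).
$users = Get-ADUser -Filter "SamAccountName -like 'svc*' -or SamAccountName -like 'msa*'" `
             -Properties PasswordLastSet, LastLogonDate
$msas  = Get-ADServiceAccount -Filter * -Properties PasswordLastSet, LastLogonDate

$report = foreach ($acct in @($users) + @($msas)) {
    $owner   = ($AppOwners | Where-Object { $acct.SamAccountName -match $_.Pattern } | Select-Object -First 1).Team
    $pwdAge  = if ($acct.PasswordLastSet) { (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days } else { $null }
    # A null PasswordLastSet means "must change at next logon" or never set: treat it as a failure, not as fresh.
    $finding = if (-not $acct.PasswordLastSet -or $acct.PasswordLastSet -lt $pwdCutoff) { 'PasswordAgeFail' }
               elseif ($acct.LastLogonDate -and $acct.LastLogonDate -lt $logonCutoff) { 'StaleLogon' }
               else { 'OK' }
    [pscustomobject]@{
        SamAccountName  = $acct.SamAccountName
        Type            = $acct.ObjectClass          # 'user' vs msDS-(Group)ManagedServiceAccount
        Enabled         = $acct.Enabled
        PasswordLastSet = $acct.PasswordLastSet
        PasswordAgeDays = $pwdAge
        LastLogonDate   = $acct.LastLogonDate
        AppOwner        = if ($owner) { $owner } else { 'UNASSIGNED' }   # unmatched names need a new pattern
        Finding         = $finding
    }
}

# Only failing accounts, grouped by owning team, so each team receives an actionable list.
$report | Where-Object Finding -ne 'OK' | Sort-Object AppOwner, SamAccountName |
    Format-Table SamAccountName, Type, Enabled, AppOwner, PasswordAgeDays, LastLogonDate, Finding -AutoSize
```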
Active Directory monitoring – definitely needs an addendum!
To begin, the ‘ADDS addendum pack’ needs an acknowledgement of the contributors who dealt with my many questions to better alert on AD issues! My thanks to Bob Williams, Vance Cozier, and Jason Windisch for their help and expertise with Active Directory (AD/ADDS). If you need more background, check the ‘why addendum pack’ post.
The Active Directory ADDS Addendum pack(s) change how Tier0 health and Domain Admins consume alerts. Second, the AD product team rewrote the packs back in 2016 as PowerShell workflows, with many workflows measuring replication and the health of your forest(s) while producing less alert noise than the 2008 packs. Third, the addendums for 2012, 2012R2, and 2016+ (version agnostic) should help reduce alert ‘burden’. Lastly, most environments should be 2016+, as the EOL/EOSL is quickly approaching in October!
Workflows
First, the DataSources (DS) and WriteActions (WA) clean up AD pack alerts and create daily reports, team reports, and AD pack summary alerts, where the WA are the on-demand task versions of the DS.
Data source (DS) scheduled workflows run weekdays between 0600-0700 SCOM management server local time. The summary and team reports (run during this time) summarize key insights. NOTE: the Monday report gathers the last 72 hours, so administrators get a ‘what happened over the weekend’ view; Tuesday-Friday reports cover the past 24 hours. Lastly, the group policy report summarizes unique GPUpdate error output.
Monitoring
ADDS monitoring snapshot showing rules, tasks, recoveries with added capabilities
Addendum pack rules schedule data source execution, adding on-demand task alerts, including new group policy rule alerts. The recovery tasks add service recovery automation to bring us to ‘manual intervention required’ alerting. There are a few monitor/rule overrides to match the health model. NOTE: The 2012R2 pack is missing the component alert, as there are fewer than 2 months until platform support ends.
The component alert is a new workflow that’s helped Tier0 admins.
Basically, this is a PowerShell workflow that checks SCOM alerts for multiple DC alerts to determine DC health. I don’t change the AD critical service monitors, but simply summarize the alerts to tell you when intervention is required.
Tailoring the pack(s) to your environment
First, the Active Directory Domain Services management packs MUST be installed for the ‘ADDS Addendum pack’(s) to load. The three versions currently supported have addendums; hopefully 2012 and 2012R2 are planned to be decommissioned in the short term.
Update the AD summary and team reports
The AD summary and team reports use group regular expressions to match the specific Tier0 servers owned by Domain Administrators, the AD Team (or any other aliases the SMEs may go by).
In your favorite XML editor (mine is Notepad++), open the addendum pack(s), and find/replace for the following strings:
Data from Star Trek: The Next Generation – Mr. Tricorder makes me laugh!
‘AD Application monitoring’ > web synthetics, artificial users > android: what image comes to mind? Is it a person, or a thing from a Sci-Fi movie? Perhaps Bishop from Aliens, or Data from Star Trek. What does ‘AD Application monitoring’ consist of? Currently that means a CRL validity check and an ADFS web synthetic (proving that ADFS is responding). My thanks to Jason Windisch, CSA, for the supplied PowerShell!
The purpose of the pack is to add a scheduled workflow that acts like the user and identifies if the CRLs are about to expire. Most times, monitoring stops at ICMP ping. Most times, there is still an outage even though the network and servers are responding. The next layer is IIS, Apache, etc. Sometimes the network team gets involved, checking that a base IIS URL is configured. Most outages are neither the network nor IIS not running. This is why we focus on the web application responding. Does the multi-pronged tactical attack make sense?
This pack delivers on-demand tasks, daily reports, and rules/monitors to reflect health. Customize the watcher node and some URLs, save, and import into SCOM! The purpose
Assign watcher node(s)
Assign a watcher node by creating a registry key.
What does that mean? Watcher nodes are needed to provide the user perspective.
Multiple site example
Issue: users from sites 1, 2, 3 are having problems accessing web pages. To understand a user in site 2, leverage a server in site 2 to initiate the web request (Invoke-WebRequest in PowerShell).
Why: differentiate the user experience (per site). Answer the ‘did you know’: is the application responding from this site/perspective?
Unfortunately, the watcher node concept eludes most administrators. Mastering ‘user perspective’ is an invaluable aid in moving from reactive ‘fire fighting’ to proactively being told before users are. Hopefully this explains the power of monitoring that imitates user interactions for key web applications.
How: create a registry key on whatever servers you want to initiate the web monitor.
From PowerShell (as Admin), or Command Prompt (as admin)
Example of XML snippet from AD Applications management pack
AD Applications Watcher Node – create specific registry key
Set up CRL Validity check and ADFS synthetic
Next, configure the URL’s for the customer environment for the ‘AD Application monitoring’ management pack.
Update AD Applications module types for monitor/rules for CRL and ADFS synthetics
Configure the CRL validity check array
From your favorite XML editor (notepad++ pictured)
Find/Replace ##FQDN##, ##CRLstring##, and the numbers to match the customer environment
CRL validity check: create your array length as needed for the customer environment
Configure the ADFS synthetic request(s)
From your favorite XML editor (notepad++ pictured)
Find/Replace $server and ##FederationFQDN## to the customer environment; if necessary, update the ADFS URL string if it differs (the /adfs/ls/idpinitiatedsignon.aspx portion)
Update the ADFS URL for Invoke-WebRequest; the ADFS default URL is shown in the specified example
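The three pieces above (watcher node key, CRL validity array, ADFS synthetic) as one added example, not Jason Windisch's PowerShell from the pack: it only runs where the watcher-node registry key exists, downloads each CRL and reads its NextUpdate via certutil, and issues the Invoke-WebRequest against the ADFS IdP-initiated sign-on page. The registry key path, PKI/ADFS FQDNs and CRL names are constructed placeholders.

```powershell
# Added example (not the AD Application monitoring pack's own workflow): watcher-node CRL check + ADFS synthetic.
# Assumptions: the key path below stands in for the pack's watcher-node key; FQDNs/CRL names are constructed;
# certutil.exe (ships with Windows) is on the watcher node.
$WatcherNodeKey = 'HKLM:\SOFTWARE\<WatcherNodeKeyFromPack>'   # placeholder, not the pack's real key
if (-not (Test-Path $WatcherNodeKey)) { Write-Warning "Not a watcher node ($WatcherNodeKey missing)."; return }

# CRL array as in the pack: one entry per CRL distribution point plus the alert threshold in days.
$CrlChecks = @(
    @{ Url = 'http://pki.contoso.example/CertEnroll/ContosoRootCA.crl';    WarnDays = 7 }
    @{ Url = 'http://pki.contoso.example/CertEnroll/ContosoIssuingCA.crl'; WarnDays = 3 }
)
$AdfsUrl = 'https://adfs.contoso.example/adfs/ls/idpinitiatedsignon.aspx'   # ##FederationFQDN## substituted

function Test-CrlValidity {
    param([string]$Url, [int]$WarnDays)
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec 30
        # certutil -dump prints a "NextUpdate: <date>" line for a CRL; that date is when the CRL expires.
        $dump = (& certutil.exe -dump $tmp 2>&1) -join "`n"
        if ($dump -match 'NextUpdate:\s*(.+)') { $nextUpdate = [datetime]::Parse($Matches[1].Trim()) }
        else { throw 'NextUpdate not found in certutil output' }
        $daysLeft = [math]::Floor(($nextUpdate - (Get-Date)).TotalDays)
        [pscustomobject]@{ Check = 'CRL'; Target = $Url; Healthy = ($daysLeft -ge $WarnDays)
                           Detail = "NextUpdate $nextUpdate, $daysLeft day(s) left (warn at $WarnDays)" }
    } catch {
        # Download or parse failure is itself an outage from the user's perspective: report unhealthy, not silent.
        [pscustomobject]@{ Check = 'CRL'; Target = $Url; Healthy = $false; Detail = $_.Exception.Message }
    } finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

function Test-AdfsSynthetic {
    param([string]$Url)
    try {
        $sw = [Diagnostics.Stopwatch]::StartNew()
        # Invoke-WebRequest throws on non-2xx, so reaching the next line means ADFS served the sign-on page.
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 30
        $sw.Stop()
        [pscustomobject]@{ Check = 'ADFS'; Target = $Url; Healthy = ($resp.StatusCode -eq 200)
                           Detail = "HTTP $($resp.StatusCode) in $($sw.ElapsedMilliseconds) ms" }
    } catch {
        [pscustomobject]@{ Check = 'ADFS'; Target = $Url; Healthy = $false; Detail = $_.Exception.Message }
    }
}

$results = @(foreach ($c in $CrlChecks) { Test-CrlValidity @c }) + @(Test-AdfsSynthetic -Url $AdfsUrl)
$results | Format-Table Check, Target, Healthy, Detail -AutoSize
```

The date parse assumes the watcher node's locale matches certutil's output format; if IdP-initiated sign-on is disabled on your ADFS farm, the synthetic will report unhealthy and you should substitute the endpoint your users actually hit.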
Next on the list is to set up SCOM Web Console settings for Kerberos AD delegation. I liken Kerberos AD delegation to the way the Navajo and Comanche code talkers helped the Allies in WW2: encrypted and encoded communication. Time to make the donuts!
If you're improperly set up, you'll flag on STIG configs V-243470 and V-243478.
Configure delegation on SCOM and/or PowerBI servers
Take the list of affected servers and take action. Use the steps below to configure the relevant SCOM or PowerBI servers.
Configure SCOM Web Console server
With domain administrator (DA or Tier0) rights, open the Active Directory Users and Computers MMC snap-in.
From ADUC > change ‘Find’ drop-down to Computers
In the Computer name text box, enter <SCOMWebConsoleServerName> and click search
Right click the server in the results box > Select Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only > Use any authentication protocol.
Under Services to which this account can present delegated credentials, select Add.
In the new dialog box, select Users or Computers.
Enter <SCOMWebConsoleServerName>, and then select OK.
Click the Add button to add services
Select the w3svc and www processes
Select OK.
ADUC SCOM Lab server choosing process
Verification of delegation settings
ADUC Delegation flags with SCOM MS processes selected.
Depending on replication times for the forest, wait and then reboot <SCOMWebConsoleServerName> for the settings to take effect.
PowerBI Report Server
With domain administrator (DA or Tier0) rights, open the Active Directory Users and Computers (ADUC) MMC snap-in. NOTE: installing the RSAT tools on the SCOM Management Server(s) is recommended.
In the Search text box, enter the PowerBI service account (<Example can be SCOMDataAccessReader Account>) and click search
Right-click the PowerBI service account <Example can be SCOMDataAccessReader Account>, select Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only > Use any authentication protocol.
Under Services to which this account can present delegated credentials, select Add.
In the new dialog box, select Users or Computers.
Enter the service account for the data source, and then select OK.
Select the SPN that you created for <PowerBI Report Server Name>
Select both, as the FQDN and the NetBIOS names are in the SPN list
Select OK.
Back to ADUC (AD Users and Computers), change Find drop-down to Computers
Enter <PowerBI Report Server Name>, and click search
Right click the server in the results box > Select Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only > Use any authentication protocol.
Under Services to which this account can present delegated credentials, select Add.
In the new dialog box, select Users or Computers.
Enter <Example can be SCOMDataAccessReader Account>, and then select OK.
Click the Add button to add services
Select the HTTP process
ADUC Delegation Add Services > HTTP, WWW
Select OK.
ADUC Delegation Settings for http for PowerBI Report Server (PBIRS)
Sometimes, as the monitoring admin, you may be responsible for securing your servers, being told by Security/Cyber teams about new vulnerabilities. The vulnerabilities may be reported by Tanium, ACAS, Tenable or other security tools. This article shows how to secure the related SCOM web console and SSRS reporting sites against the unconstrained delegation vulnerability CVE-2020-17049 (also AD STIG V-36435).
First we need to identify IF this is a true finding.
Typically this comes from Server/SystemsAdmin with domain admin access:
After identifying SCOM servers with unconstrained delegation (the scope of this blog post is SCOM in a hybrid on-prem/cloud scenario), we need to resolve the finding.
With domain administrator rights, open the Active Directory Users and Computers MMC snap-in.
In ADUC, change Find drop-down to Computers
In the Computer name text box, enter <SCOMServer> and click search
Right click the server in the results box > Select Properties.
Select the Delegation tab.
ADUC view of lab server delegation setting
Select Trust this computer for delegation to specified services only > Use any authentication protocol.
Under Services to which this account can present delegated credentials, select Add.
In the new dialog box, select Users or Computers.
Enter <SCOMServer>, and then select OK.
Click the Add button to add services
Select the w3svc and www processes
Select OK.
ADUC GUI adding services for delegation on SCOM server
Once set in AD, reboot server. Running ‘gpupdate /force’ may not apply AD changes to the server object.
After the reboot, reach out to the SCOM admins to test web console authentication
From the Edge browser, go to the SCOM web console, typically at https://<SCOMServer>/OperationsManager
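The finding and the fix in this post and in the delegation post above (identify unconstrained delegation, convert to constrained delegation for w3svc/www with "Use any authentication protocol", verify), as an added PowerShell example that is not the blog's own procedure. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the server name is the post's placeholder.

```powershell
# Added example (not from the blog): audit and remediate unconstrained delegation on SCOM web console servers.
Import-Module ActiveDirectory

# 1) True finding? Unconstrained delegation = TrustedForDelegation on the computer object (UAC TRUSTED_FOR_DELEGATION).
#    Domain controllers legitimately carry this flag, so exclude them from the finding list.
$dcs = (Get-ADDomainController -Filter *).Name
$unconstrained = Get-ADComputer -Filter { TrustedForDelegation -eq $true } `
                     -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
                 Where-Object { $_.Name -notin $dcs }
$unconstrained | Select-Object Name, DNSHostName, TrustedForDelegation, TrustedToAuthForDelegation,
    @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } } | Format-Table -AutoSize

function Set-ConstrainedDelegation {
    # Equivalent of the ADUC steps: "specified services only" + "Use any authentication protocol" for w3svc and www.
    param([string]$ServerName, [string[]]$Services = @('w3svc', 'www'))
    $c = Get-ADComputer -Identity $ServerName -Properties DNSHostName
    # ADUC writes both the FQDN and the NetBIOS form of each chosen service into msDS-AllowedToDelegateTo.
    $spns = foreach ($s in $Services) { "$s/$($c.DNSHostName)"; "$s/$($c.Name)" }
    # Clear the unconstrained flag and set the service list in one write, then enable protocol transition.
    Set-ADComputer -Identity $c -TrustedForDelegation $false -Replace @{ 'msDS-AllowedToDelegateTo' = $spns }
    Set-ADAccountControl -Identity $c -TrustedToAuthForDelegation $true
}

function Test-ConstrainedDelegation {
    # Verification matching the ADUC Delegation tab: not unconstrained, and a non-empty service list.
    param([string]$ServerName)
    $c = Get-ADComputer -Identity $ServerName -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Name                = $c.Name
        Unconstrained       = $c.TrustedForDelegation
        ProtocolTransition  = $c.TrustedToAuthForDelegation
        AllowedToDelegateTo = $c.'msDS-AllowedToDelegateTo'
        Compliant           = (-not $c.TrustedForDelegation) -and ($c.'msDS-AllowedToDelegateTo'.Count -gt 0)
    }
}

# 2) Remediate each affected SCOM web console server, then verify. Reboot the server afterwards, as the post notes.
foreach ($srv in @('<SCOMWebConsoleServerName>')) {   # placeholder from the post; replace with the flagged servers
    Set-ConstrainedDelegation -ServerName $srv
    Test-ConstrainedDelegation -ServerName $srv
}
```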
On the Monitoring tab, click on Active Directory dashboard on left
The highlighted items show an Override for a Rule named ‘DRA Outbound Bytes Comp’ (compressed)
Now, if you’re impatient like me, and can’t wait for the new sealed MP to fix the console error, here’s how you can fix the MP.
Unseal the three monitoring MP’s
After unsealing the MP, update the RulePropertyOverride(s) for 2012, 2012R2, and 2016 Monitoring management packs, and then import into your SCOM Management group.
Add Referencing MP to the Rule overrides
For 2012 – AD2012Core! was missing (See Manifest section for AD2012Core MP info)
For 2012R2 – AD2012R2Core! was missing (See Manifest section for AD2012R2Core MP info)
For 2016 – AD2016Core! was missing (See Manifest section for AD2016Core MP info)
The RODC group is created with each version of AD Directory Services (2008, 2012, 2016)
In the 2008 MP the overrides exist in the Discovery MP
To correct the 2012, 2012R2, and 2016 MP’s, the discovery MP reference must be added to the Rule overrides
Verify overrides in SCOM Console
Click on Authoring Tab, Management Pack Objects, Overrides
“Microsoft.EnterpriseManagement.Common.ObjectNotFoundException: An object of class ManagementPackClass with ID <guid here>”
Through persistence, you may be able to search for Overrides
In ‘Look For’ bar, type RODC
Hit enter
Verify there are 4 (FYI: there are 4 rules per AD version you have installed in your management group)
Remove Sealed AD Monitoring MP’s
Import unsealed MP’s
Verify in Console that overrides show up (No Errors seen)
Click on Authoring Tab, Management Pack Objects, Overrides
In ‘Look For’ bar, type RODC
Hit enter
Verify 16 (4 rules per AD version: 2008, 2012, 2012R2, 2016; 12 rules will display if the AD 2008 packs are not installed)
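An added example, not the blog's own fix, to catch the defect behind the ObjectNotFoundException above before re-importing: it parses an unsealed MP and reports every override whose Context/Rule alias (the part before "!") is not declared under <Manifest><References>. The MP XML below is a constructed sample with made-up IDs; point $Mp at the real unsealed pack instead.

```powershell
# Added example (not from the post): lint an unsealed MP's overrides for undeclared reference aliases.
# The XML is a constructed sample: the override's Context uses "AD2016Core!" but only "AD2016Mon" is referenced.
$sample = @'
<ManagementPack ContentReadable="true" SchemaVersion="2.0">
  <Manifest>
    <Identity><ID>Sample.AD.Monitoring</ID><Version>1.0.0.0</Version></Identity>
    <References>
      <Reference Alias="AD2016Mon"><ID>Sample.AD.2016.Monitoring</ID><Version>1.0.0.0</Version><PublicKeyToken>0000000000000000</PublicKeyToken></Reference>
    </References>
  </Manifest>
  <Monitoring>
    <Overrides>
      <RulePropertyOverride ID="Sample.RODC.DRAOutboundBytesComp.Override" Context="AD2016Core!Sample.AD.2016.RODC.Group"
                            Enforced="false" Rule="AD2016Mon!Sample.AD.2016.DRAOutboundBytesComp" Property="Enabled">
        <Value>false</Value>
      </RulePropertyOverride>
    </Overrides>
  </Monitoring>
</ManagementPack>
'@

function Get-UnresolvedMpAliases {
    param([xml]$Mp)
    $declared = @($Mp.ManagementPack.Manifest.References.Reference | ForEach-Object Alias)
    # Cross-MP references look like "Alias!ElementID"; collect every alias actually used by overrides and targets.
    $used = foreach ($node in $Mp.SelectNodes('//*[@Context or @Rule or @Monitor or @Discovery or @Target]')) {
        foreach ($attr in 'Context', 'Rule', 'Monitor', 'Discovery', 'Target') {
            $v = $node.GetAttribute($attr)            # "" when the attribute is absent
            if ($v -match '^([^!]+)!') {
                [pscustomobject]@{ Element = $node.Name; Id = $node.GetAttribute('ID'); Attribute = $attr; Alias = $Matches[1] }
            }
        }
    }
    $used | Where-Object { $_.Alias -notin $declared }
}

# Use: $missing = Get-UnresolvedMpAliases -Mp ([xml](Get-Content -Raw 'C:\path\to\unsealed.xml'))
$missing = Get-UnresolvedMpAliases -Mp ([xml]$sample)
if ($missing) {
    $missing | Format-Table Element, Id, Attribute, Alias -AutoSize   # reports Alias AD2016Core for the sample
    Write-Warning 'Add a <Reference Alias="..."> (ID/Version/PublicKeyToken from the Core MP manifest) for each alias, then re-import.'
} else {
    'All override aliases resolve to a declared reference.'
}
```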