The hidden benefit of hacking your own Active Directory?

This summary stems from a brief conversation within a peer circle. A parallax perspective on the issue of passwords. 

Most IT organisations have an IT Security policy, which defines the required password parameters for an organisation.  Active Directory provides a method to enforce the password parameters, from their complexity and length to the frequency that they must be changed. 

Once a company’s password policy is understood and the required parameters are known, bad practice can set in internally, and this is not necessarily limited to the end users; IT can equally be at fault. For example, the service desk may create all new user or service accounts with the same common password, such as Password1234$$ or Welcome2015!

So what has this got to do with hacking your own Active Directory? 

Using one of the numerous Active Directory password cracking tools on the internet, you can analyse (crack the easy ones) the passwords stored in Active Directory and produce a list of the most common passwords.

These common passwords can then be cross-referenced to their owners, and with a little bit of mathematics it is possible to deduce that perhaps with 10 passwords, 70% of all systems can be accessed. Not only is this a rather frightening metric, it is reality, and it is one attack vector for anyone with access to a domain controller.

This is not a simple problem to fix with the current architecture of Active Directory, but with small process changes and education around the use of common passwords the percentage of systems that could be accessed or compromised may be reduced. 
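The "little bit of mathematics" described above, as an added example that is not part of the original post: it takes the output of an authorised password audit, groups accounts that share a password, and computes what fraction of systems the most widely shared passwords reach. The account names, system names and fingerprints are constructed placeholders (equal fingerprints stand for equal passwords), and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: (account, password fingerprint, systems the account can log on to).
# Fingerprints are placeholders, not real hashes; equal fingerprints mean equal passwords.
AUDIT_ROWS = [
    ("svc_backup", "fp-A", {"fs01", "fs02", "sql01"}),
    ("svc_sql",    "fp-A", {"sql01", "sql02"}),
    ("jsmith",     "fp-A", {"ws101"}),
    ("adoe",       "fp-B", {"ws102", "fs01"}),
    ("bnew",       "fp-B", {"ws103"}),
    ("tlee",       "fp-C", {"dc01", "ws104"}),
    ("kwong",      "fp-D", {"ws105"}),
]

def shared_password_groups(rows):
    """Group accounts by fingerprint, largest group first (ties broken by fingerprint)."""
    groups = defaultdict(list)
    for account, fingerprint, _systems in rows:
        groups[fingerprint].append(account)
    return sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))

def coverage_of_top(rows, n):
    """Fraction of all systems reachable with the n most widely shared passwords."""
    top = {fp for fp, _accounts in shared_password_groups(rows)[:n]}
    all_systems = set().union(*(s for _, _, s in rows))
    reachable = set().union(*(s for _, fp, s in rows if fp in top))
    return len(reachable) / len(all_systems) if all_systems else 0.0

def accounts_to_reset(rows, min_shared=2):
    """Accounts whose password is used by at least min_shared accounts."""
    return sorted(
        account
        for _fp, accounts in shared_password_groups(rows)
        if len(accounts) >= min_shared
        for account in accounts
    )

if __name__ == "__main__":
    for n in (1, 2):
        print(f"top {n} shared password(s) reach {coverage_of_top(AUDIT_ROWS, n):.0%} of systems")
    print("reset and re-educate:", ", ".join(accounts_to_reset(AUDIT_ROWS)))
```

Tracking this percentage over time shows whether the process changes and education are actually reducing the exposure.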

 

Active Directory: What to learn next?

The Microsoft MVP summit was held last week (3rd – 7th November) in Redmond, where I had the good fortune to spend the week with members of various Microsoft product teams that are responsible for what we commonly know as Active Directory.  I can genuinely say that in technology terms I have not been this interested in the future of Windows since I did my first Windows Server 2000 course (MOC 1561) back in 1999.

The MVP Summit content is mostly under NDA and I have always respected the NDA and with this in mind all I will say is that over the next few months I will be reading and learning as much as I can on the following areas of Microsoft technology.

Azure Active Directory

Azure Active Directory Sync Services

Azure Rights Management

Windows 10

I would also recommend that you start to think about the concept of Active Directory being an identity provider and that in the future it will all be about managing identities and not solely about managing the technologies that deliver them.

Food for thought, think about what type of identities your business will support, business only or perhaps personal too? What is an identity? What is a personal identity? Who owns the identity?  (I will follow up on this concept with another post).

Lifelong Learning

There are so many things to learn about in life, that I rarely find time to read fiction and over time I appear to have made an unconscious decision to subscribe to constant or “lifelong learning”.

This may appear to directly contradict what I stated in this post, but lifelong learning does not necessarily relate directly to the skills you need to do your job, it may give you the ability to progress or diversify in your career, skills that complement your current skillset to enable you to advance into management or leadership positions; equally you could learn about something for no other reason than to learn about it.

Since embarking on lifelong learning, I have academically studied wireless and mobile data networks; copyright and mathematics; additionally self-studied TOGAF©, Six Sigma© and evolutionary leadership. Many of the new skills that I have learned, I have found helping me in my professional career and personal life in ways that perhaps I did not originally conceive when I started to learn. The skills I have learned for example, the mathematics has enabled me to assist my son with his homework; copyright introduced ethical concepts into my thought process and TOGAF© has made me think about how I approach aspects of the deliverables I produce.

My constant quest for knowledge has also had what some people may determine being a negative benefit, such as I have picked up systems at work and learned them because I needed to leverage the application’s capabilities, by default I became the owner and administrator of the application, which was not my intended outcome.

As Francis Bacon is attributed to have said “knowledge is power” and for me the power comes from knowing more about what you currently don’t know about. Lifelong learning is not down to your employer, whilst they can contribute it is ultimately your choice.

So where do you start? Pick a topic or subject, buy a book, find a website and start to learn.

Originally published on LinkedIn.

I don’t need to be managed but I do need a mentor.

I am at the point of my working career where effectively I don’t need to be managed, I know my role, I know how to behave and I am also very aware of what will happen if I don’t perform. I have learned to ask what the priorities to the business are and I work to them accordingly, senior people within the organisation know I will get things done if given an open road and the opportunity to deliver.

With certain professions there comes a certain point in time where you have to take a step back and think am I still as effective as I once was, when professionals such as footballers and athletes face this question they often take up management or coaching roles which enables them to mentor the new talent that is coming through their profession, though this usually does not happen overnight.

I feel that I am fast approaching the professional crossroads of my career, I regularly ask myself, Am I as effective as I once was? Am I still relevant? My current answer is yes, but I am aware that technology is constantly evolving and soon technology will creep up on me and when it does, it will mean that I will have to learn an entirely new set of skills, at which point I will ask myself the same questions. Am I as effective as I once was? Am I still relevant? This time I will probably answer No.

In preparation for the next phase of my career, I need to find myself a mentor, one who can help to prepare me for the future, so that when I do move into more of a corporate management role, just as I now don’t need to be managed, I will know my role and what is expected of me, albeit from a totally different perspective.

So to all the current managers out there, by enabling someone else to do your job, you too may be able to succeed further – but perhaps only if you also have a mentor.

Originally posted on LinkedIn.

Brazilian laptop and the ?/ᴏ key does not function.

It always happens on a Sunday.

Whilst working on a rollout on the outskirts of Rio, I discovered that the ?/ᴏ key was not working on the laptops I was deploying.


The machine did not have an OEM installation of Windows 7, but a customised image with the Brazilian MUI installed.

To resolve I had to add this registry key and reboot.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,02,00,00,00,73,00,1d,e0,00,00,00,00

This issue occurs with ABNT and ABNT2 keyboards.

Active Directory: A user cannot be in more than 1015 groups.

In any Microsoft Active Directory forest, a user can only be a member of 1024 groups, but after allowing for up to 9 well-known SIDs this number is actually 1015.
See KB http://support.microsoft.com/kb/328889

If a user exceeds the hard limit of 1015 group memberships they probably will not be able to logon.

  • What do you do to rectify the issue?
  • How do you find out what changed and caused a tipping point?

A quick visual method to see a user’s nested group memberships expanded, is to run the command:

dsget user "CN=Mark Parris,OU=Administration,DC=clickclicknext,DC=com" -memberof -expand

If this command returns a short list of groups then the membership of too many groups is probably not an issue, but if the command returns a scrolling list of group memberships then we need to utilise NTDSUTIL. NTDSUTIL has within it a command that you may not even know is there, unless you have this specific issue.

The command is group membership evaluation

At an elevated command prompt.

Type

ntdsutil

group membership evaluation

set account DC nameOfDC

set global catalog nameOfDC

set resource dc nameOfDC

run clickclicknext.com mark.parris

clickclicknext.com is the FQDN of your domain and mark.parris is the username.

The output of this command is a .tsv file written to the directory the prompt was in when the command was run (run it from C:\Temp and it will be in C:\Temp); this file can be renamed to a .csv.
The report produces a lot of interesting information in a tabular format.

The report will have these column headings.

SID in token
SID type
SID History Count
Distinguished Name
SamAccountName
Active Directory Domain Controller Queried
Group Owner
Group Owner SID
WhenCreated (UTC)
WhenChanged (UTC)
Member WhenChanged (UTC)
GroupType WhenChanged (UTC)
One Level MemberOf Count
Total MemberOf Count
Group Type
Depth From User
Closest Parent OU

Several of these columns hold timestamps. Sorting the report on them tells you which group or groups were modified most recently. These changes then need to be understood and reversed, or perhaps other legacy group memberships identified and removed.
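One way to do that sort outside a spreadsheet, as an added example that is not part of the original notes: it parses the tab-separated report, ranks groups by their latest change timestamp and reports how close the account is to the 1015 limit. The sample rows, the timestamp layout and the function names are assumptions; only the column headings come from the list above, and counting distinct Distinguished Names is an approximation of the token's SID count.

```python
import csv
import io
from datetime import datetime

GROUP_LIMIT = 1015                 # hard limit quoted in the post
TS_FORMAT = "%Y-%m-%d %H:%M:%S"    # assumed timestamp layout; adjust to your report
TS_COLUMNS = ("WhenChanged (UTC)", "Member WhenChanged (UTC)", "GroupType WhenChanged (UTC)")

# Constructed sample using a subset of the report's column headings.
SAMPLE_TSV = (
    "Distinguished Name\tWhenChanged (UTC)\tMember WhenChanged (UTC)\tDepth From User\n"
    "CN=Finance-RW,OU=Groups,DC=example,DC=com\t2014-07-30 09:12:00\t2014-07-30 09:12:00\t1\n"
    "CN=All-Staff,OU=Groups,DC=example,DC=com\t2012-01-05 08:00:00\t\t2\n"
    "CN=Legacy-Apps,OU=Groups,DC=example,DC=com\t2014-07-31 16:40:00\t2014-07-31 16:40:00\t1\n"
)

def load_report(text):
    """Parse the tab-separated report into dicts keyed by column heading."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))

def last_change(row):
    """Latest timestamp across the WhenChanged columns; blank or absent cells are skipped."""
    stamps = []
    for column in TS_COLUMNS:
        value = (row.get(column) or "").strip()
        if value:
            stamps.append(datetime.strptime(value, TS_FORMAT))
    return max(stamps, default=datetime.min)

def most_recent_changes(rows, top=5):
    """Group DNs ordered newest change first: the candidates for the tipping point."""
    ranked = sorted(rows, key=last_change, reverse=True)
    return [(r["Distinguished Name"], last_change(r)) for r in ranked[:top]]

def headroom(rows):
    """Memberships left before the limit; zero or negative means logon is at risk."""
    return GROUP_LIMIT - len({r["Distinguished Name"] for r in rows})

if __name__ == "__main__":
    report = load_report(SAMPLE_TSV)
    for dn, changed in most_recent_changes(report, top=2):
        print(f"{changed:%Y-%m-%d %H:%M} {dn}")
    print("headroom:", headroom(report))
```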


 

As I review and update my old consulting notes I have decided to publish them.
These are by no means definitive and are intended as an ‘aide memoire’.

Comments welcome.

Associated Post: MaxTokenSize – Change of recommendation from Microsoft

 

 

 

Recommended Reading: Start with Why – Simon Sinek.


This is a book that I have read a few times and I have found it invaluable in how I approach issues in life, the office and specifically issues around IT.

This book has made me no longer approach the problem with the question “What are you trying to do?”, but with “Why are you doing this?“.

Understanding the “Why

Attempting to understand the “Why” has helped me immensely when implementing a solution or service, if it does meet the “Why”, it has made me think perhaps I should not be doing it.

Amazon Link