Windows Server: Clean Up Orphaned Foreign Security Principals

This article shows different ways to clean up orphaned Foreign Security Principals. There are more ways to do it than are described here, but before any of them it must be said: if at all possible, clean up your orphaned FSPs with the GUI method. The PowerShell methods are not recommended for users without excellent knowledge of the console, because of the issues an unattended deletion can cause.

But first, an overview: what is an FSP?

Overview 

Foreign Security Principals (FSPs) are security principals that are created when an object (a user, computer or group) from an external trusted domain is added to a group in this domain.

An FSP is recognizable by its icon: a red curly arrow attached to the object icon, showing that the object acts as a pointer.

Active Directory creates them automatically when a security principal from another forest is added to a group in this domain.

When the security principal that an FSP points to is removed, the FSP becomes orphaned. "Orphan" is the term for an FSP whose principal no longer exists.

Even if the same principal is created again, the old FSP stays orphaned: the new FSP gets a different SID (security identifier), no matter that the principal has the same name.

The outcome is that an FSP, once orphaned, stays orphaned until an administrator removes it.

There are two ways to identify and clean up orphaned FSPs: through the GUI (graphical user interface) and through the PowerShell console.

Identification and clean up of orphaned FSP via GUI 

As mentioned before, this is the recommended way of cleaning up orphaned FSPs.

In the GUI, orphaned FSPs can be found in the Active Directory Users and Computers console when Advanced Features are enabled (without Advanced Features the FSPs are not shown). They are stored in the ForeignSecurityPrincipals container, and orphaned ones can be identified through the "Readable Name" column.

If an FSP is orphaned, the Readable Name column in the console is empty.

They can be cleaned up by selecting them and deleting them via right-click.

Cleaning FSP via PowerShell 

For cleaning via PowerShell, all FSP objects first have to be listed.

All FSPs can be listed with the Get-ADObject cmdlet:

Get-ADObject -Filter {ObjectClass -eq 'foreignSecurityPrincipal'}

Once listed, they can be removed with the help of the Translate method, but caution is advised. During a network connectivity problem, FSPs whose principals cannot be resolved at that moment look orphaned, and the PowerShell method will delete them too; re-creating them later gives them a different SID, which can cause problems.

$ForeignSecurityPrincipalList = Get-ADObject -Filter {ObjectClass -eq 'foreignSecurityPrincipal'} -Properties objectSid
foreach ($FSP in $ForeignSecurityPrincipalList)
{
    Try
    {
        # Translate the SID to DOMAIN\name; this only succeeds while the principal the FSP points to still exists.
        # objectSid is not part of Get-ADObject's default output, hence -Properties objectSid above.
        $null = (New-Object System.Security.Principal.SecurityIdentifier($FSP.objectSid)).Translate([System.Security.Principal.NTAccount])
    }
    Catch
    {
        # Translation failed: the FSP is treated as orphaned and removed
        Remove-ADObject -Identity $FSP
    }
}
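The script above deletes every FSP whose SID fails to translate, which is exactly the weakness the caveat describes. The following is an added example, not the article's own script, that reports first and only deletes FSPs whose trusted source domain answered and did not know the SID. It assumes the ActiveDirectory module, that Get-ADTrust returns the securityIdentifier attribute as a SecurityIdentifier object, and rights to read (and, with -Remove, delete in) the ForeignSecurityPrincipals container.

```powershell
# Added example: classify FSPs before anything is deleted. Without -Remove it only reports.
param([switch]$Remove)

Import-Module ActiveDirectory

# Domain SID of every trusted domain, and whether a DC of that domain can be located right now.
# An unresolvable SID from a domain that is currently unreachable is NOT treated as an orphan.
$trustState = @{}
foreach ($trust in Get-ADTrust -Filter * -Properties securityIdentifier) {
    $reachable = $false
    try {
        $null = Get-ADDomainController -DomainName $trust.Name -Discover -ErrorAction Stop
        $reachable = $true
    } catch { }
    $trustState[[string]$trust.securityIdentifier] = @{ Name = $trust.Name; Reachable = $reachable }
}

function Get-FspState {
    param([System.Security.Principal.SecurityIdentifier]$Sid)

    # Well-known SIDs (Authenticated Users, INTERACTIVE, ...) live in the same container and have no
    # domain part; they are never candidates for deletion
    if ($null -eq $Sid.AccountDomainSid) { return 'WellKnown' }

    $domain = $trustState[$Sid.AccountDomainSid.Value]
    if ($null -eq $domain)      { return 'NoTrust' }                      # source domain no longer trusted: review by hand
    if (-not $domain.Reachable) { return "Unreachable:$($domain.Name)" }  # cannot be checked now: do not delete

    try {
        $account = $Sid.Translate([System.Security.Principal.NTAccount]).Value
        return "Resolved:$account"
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return 'Orphaned'                                   # trusted domain is up and does not know the SID
    } catch {
        return "Error:$($_.Exception.GetType().Name)"       # LSA/RPC failure: could not check, do not delete
    }
}

$results = Get-ADObject -Filter { ObjectClass -eq 'foreignSecurityPrincipal' } -Properties objectSid |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]$_.objectSid
        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            SID               = $sid.Value
            State             = Get-FspState -Sid $sid
        }
    }

$results | Sort-Object State | Format-Table -AutoSize

if ($Remove) {
    # Only FSPs positively classified as orphaned; -Confirm prompts for each object
    $results | Where-Object State -eq 'Orphaned' |
        ForEach-Object { Remove-ADObject -Identity $_.DistinguishedName -Confirm:$true }
}
```

Run it once without -Remove, check that every entry marked Unreachable or Error is explained by a known outage or trust problem, and only then run it again with -Remove. The NoTrust state is deliberately left to the administrator: those FSPs belong to a domain that is no longer trusted, and the article's GUI method is the safer way to review them.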

Scheduled removal of orphaned FSP 

A task can be scheduled to make removal of orphaned FSP automatic.  

The best way to remove FSPs on a schedule is with a purpose-built script, for example:

Suppose a fictitious company has a monthly turnover of 50 employees.

A custom script can be made to delete orphaned FSPs within a one-month window:

 

Import-Module -Name OrphanForeignSecurityPrincipals
$MyCompanyTurnover = 20
$OrphanFSPListFilePath = 'c:\temp\OFSP.txt'
# Write the orphaned FSPs to a tab-delimited file, which the removal step reads back
$OrphanForeignSecurityPrincipalsList = Get-OrphanForeignSecurityPrincipal -TabDelimitedFile $OrphanFSPListFilePath

If ($OrphanForeignSecurityPrincipalsList)
{
    # More orphans than the expected turnover is suspicious: notify an administrator instead of deleting
    If ($OrphanForeignSecurityPrincipalsList.Count -gt $MyCompanyTurnover)
    {
        $MailParameters = @{
            SmtpServer  = 'mail.mycompany.com'
            From        = 'NoReply@mycompany.com'
            To          = 'Administrator@mycompany.com'
            Subject     = 'Orphan Foreign Security Principals found'
            Body        = 'Please check attached file.'
            Attachments = $OrphanFSPListFilePath
        }
        Send-MailMessage @MailParameters
    }
    else
    {
        Remove-OrphanForeignSecurityPrincipal -TabDelimitedFile $OrphanFSPListFilePath
    }
}
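The script itself does not schedule anything. As an added example (not from the article or the module it uses), this is how such a script is registered as a scheduled task. It assumes the script is saved as C:\Scripts\Remove-OrphanFsp.ps1 (a hypothetical path) and that a group Managed Service Account CONTOSO\svc_fspclean$ (constructed name) exists and has delete rights on the ForeignSecurityPrincipals container; the task runs weekly because New-ScheduledTaskTrigger has no monthly option.

```powershell
# Added example: register a weekly clean-up task that runs under a gMSA, not under an admin's own account
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Remove-OrphanFsp.ps1'   # hypothetical path
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 03:00
# LogonType Password is what a gMSA uses; the task scheduler fetches the password from AD
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svc_fspclean$' -LogonType Password
# Stop a hung run after an hour and catch up if the DC was down at trigger time
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

Register-ScheduledTask -TaskName 'AD-OrphanFSP-Cleanup' -Description 'Scheduled removal of orphaned Foreign Security Principals' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings

# Verify what was registered and under which identity
Get-ScheduledTask -TaskName 'AD-OrphanFSP-Cleanup' | Select-Object TaskName, State, @{n='RunAs';e={$_.Principal.UserId}}
```

Using a gMSA keeps the deletion rights tied to a non-interactive identity with a managed password, so the task does not become a standing reason to keep a highly privileged user account around.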

Recovery of deleted FSP 

Deleted orphaned FSPs can be restored from the Recycle Bin if the Recycle Bin feature was activated before the deletion was made.

FSPs can be restored via PowerShell cmdlets too:

Deleted objects can be found with the following cmdlet; once they are listed, the selected orphaned FSPs can be restored:

Get-ADObject -Filter 'IsDeleted -eq $TRUE' -IncludeDeletedObjects | Where-Object {$_.DistinguishedName -like "CN=S-*"} 
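The cmdlet above lists the deleted objects but does not restore them. As an added example (not from the article), the following first confirms that the Recycle Bin is enabled, narrows the listing to FSPs, and then restores those deleted within a constructed 24-hour window, with -WhatIf so the result can be reviewed before anything changes. It assumes the ActiveDirectory module and a forest where the Recycle Bin feature is enabled.

```powershell
# Added example: list deleted FSPs still in the Recycle Bin and restore the recent ones
Import-Module ActiveDirectory

# Without the Recycle Bin a deleted object is only a tombstone and cannot be fully restored
$rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $rb.EnabledScopes) { throw 'Active Directory Recycle Bin is not enabled in this forest' }

$deletedFsps = Get-ADObject -Filter 'IsDeleted -eq $true -and ObjectClass -eq "foreignSecurityPrincipal"' `
                 -IncludeDeletedObjects -Properties whenChanged, lastKnownParent

# whenChanged is the deletion time; lastKnownParent shows where the object will go back to
$deletedFsps | Select-Object Name, whenChanged, lastKnownParent, ObjectGUID | Format-Table -AutoSize

# Restore everything deleted in the last 24 hours (constructed window); drop -WhatIf to actually restore
$cutoff = (Get-Date).AddHours(-24)
$deletedFsps | Where-Object whenChanged -gt $cutoff | Restore-ADObject -WhatIf
```

Because the Recycle Bin preserves linked attributes for deleted objects, a restored FSP comes back with its group memberships intact, which is what makes this preferable to re-adding the foreign principal by hand.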

There is one more way of restoring orphaned Foreign Security Principals that we need to mention.

It is to follow the same steps as before the first creation: add the foreign user, computer or group account to the same groups it was in before it became orphaned. This creates the same Foreign Security Principal as before, just with a different SID.

 


Active Directory Design Guide

Companies use the Active Directory Domain Services (AD DS) in a server environment to make the work of network users less complicated and ensure resource sharing and management is secure, scalable, and all objects work as per their respective configurations. A well-designed AD DS can be used to manage the entire network infrastructure including the branch office and multiple forest environment. System Administrators should develop a habit of documenting all aspects of the domain structure and security strategies, as this becomes the new plan for future infrastructure and possible migration.  

The Basics of Active Directory Planning  

When planning for a domain, two things come into play: domain upgrading and domain restructuring. Upgrading your domain is more than just upgrading every domain controller; it involves upgrading both the Primary Domain Controller (PDC) and the Backup Domain Controller (BDC). Restructuring involves creating a new Active Directory from scratch, and may lead to fewer but larger domains.

Develop a Migration Strategy

Having a migration strategy in place is an integral part of your overall design plan. A migration strategy involves studying the current or proposed configuration details and identifying which aspects of the domain will be migrated. A fallback plan also has to be in place to counter any possible failure.

Working with a Simple Design  

An Active Directory design should be flexible and make the forests easy to design. Creating a domain for every department may look desirable in an organization, but do not forget the general rule of running fewer, well-run domains. The alternative to a domain per department is to use Organizational Units, which are flexible and easy to manage.

Active Directory Domain Design  

An Active Directory has four main divisions: forests, domains, sites, and organizational units. System administrators should make the most of these divisions to get the best out of any directory structure.

When creating your domains, it is recommended that you use domain members that are as near to each other as possible. This is best practice because the level of traffic within a domain is higher than the traffic between two different domains. Smaller domains also limit the need to invest in expensive connections to increase bandwidth. Remember to use Organizational Units to delegate administrative privileges within an Active Directory.

The Design of Groups and Organizational Units  

Before thinking about how the Groups and Organizational Units will work, system administrators should know in advance the role of each group or unit. The idea is to have functional Organizational Units and Groups that simplify the Active Directory environment. This goes a long way in simplifying management by giving you more control over the Active Directory. An Active Directory without a logical design for its users leads to confusion. Here are some best practices when designing Organizational Units:

  • Maintain a simple OU structure  
  • Limit OU nesting to less than 10 layers  
  • Apply Group Policy to groups via the Group Policy Filtering  
  • Do not utilize local groups for permissions in a domain environment 
  • Use local groups in the domain to control access to resources and group similar user groups. 
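The nesting limit in the list above is easy to state and easy to drift away from. The following is an added example, not from the guide, that measures the OU depth of every OU in the current domain and flags any at or beyond the limit; it assumes the ActiveDirectory module and read access to the domain.

```powershell
# Added example: report OU nesting depth and flag OUs that violate the "less than 10 layers" guideline
Import-Module ActiveDirectory
$MaxDepth = 10

function Get-OuDepth {
    # Depth = number of OU= components in the distinguished name; DC= components are not counted.
    # A comma escaped inside a value (e.g. "OU=Sales\, EMEA") must not be treated as a separator.
    param([string]$DistinguishedName)
    $rdns = $DistinguishedName -split '(?<!\\),'
    return @($rdns | Where-Object { $_ -match '^OU=' }).Count
}

$report = Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $depth = Get-OuDepth -DistinguishedName $_.DistinguishedName
    [pscustomobject]@{
        Depth             = $depth
        OverLimit         = $depth -ge $MaxDepth
        Name              = $_.Name
        DistinguishedName = $_.DistinguishedName
    }
}

# The ten deepest OUs, then how many OUs sit at each depth
$report | Sort-Object Depth -Descending | Select-Object -First 10 | Format-Table -AutoSize
$report | Group-Object Depth | Select-Object @{n='Depth';e={[int]$_.Name}}, Count | Sort-Object Depth | Format-Table

$report | Where-Object OverLimit | ForEach-Object { Write-Warning "OU exceeds nesting limit: $($_.DistinguishedName)" }
```

Deep nesting is not only a management problem: every extra layer is one more place where a linked GPO or a delegated ACE can be inherited unnoticed, so the depth report is a useful companion to a permissions review.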

You can also use hidden OU to prevent viewing or altering in an environment where network application services are shared within departments and with external customers.  

Use Rules for Active Directory Sites  

Sites are an important element of any Active Directory domain. A site can contain any computer object within the forest, so sites span domains and organizational units. Sites are used to map the physical network and to direct traffic flow. They also regulate traffic flowing over slower WAN links within the network, which increases productivity and reduces connectivity costs.

General good practice when designing sites

  • Sites should be a reflection of the physical and geographical topology 
  • Every site should have at least one local Domain Controller 
  • Sites should be connected by fast links
  • Remote clients do not need a dedicated site  
  • Sites are desirable when replication services are needed  
  • Sites can be added, changed, removed, without affecting network operations or configurations 
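Two of the points above ("every site should have at least one local Domain Controller", "sites should be connected by fast links") can be checked rather than assumed. The following is an added example, not from the guide, that lists every site with its DCs and subnets, warns about sites without a DC, and prints the site links with their cost and replication interval. It assumes the ActiveDirectory module and read access to the Configuration partition, and covers all domains of the forest.

```powershell
# Added example: site health report for the whole forest
Import-Module ActiveDirectory

# DCs from every domain in the forest, grouped by site name
$allDcs = foreach ($domain in (Get-ADForest).Domains) { Get-ADDomainController -Filter * -Server $domain }
$dcsBySite = $allDcs | Group-Object Site -AsHashTable -AsString

# Subnets grouped by the DN of the site they are assigned to (unassigned subnets are skipped)
$subnetsBySite = Get-ADReplicationSubnet -Filter * -Properties Site | Where-Object Site |
    Group-Object Site -AsHashTable -AsString

$sites = Get-ADReplicationSite -Filter * | ForEach-Object {
    $dcs = $dcsBySite[$_.Name]
    [pscustomobject]@{
        Site    = $_.Name
        DcCount = @($dcs).Count
        DCs     = (@($dcs).HostName -join ', ')
        Subnets = (@($subnetsBySite[$_.DistinguishedName]).Name -join ', ')
    }
}
$sites | Format-Table -AutoSize

# Guideline: every site should have at least one local DC
$sites | Where-Object DcCount -eq 0 | ForEach-Object { Write-Warning "Site '$($_.Site)' has no local domain controller" }

# Site links: lower cost wins when several paths exist; the interval is in minutes
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize
```

A site without subnets is as much a finding as a site without a DC: clients in that location will not be associated with the site and will authenticate against whatever DC they find, often across the slow link the site was created to protect.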

Active Directory Design Requirements  

Before deploying any Active Directory Services, a logical structure that reflects the working environment should be in place. The AD DS logical structure defines how directory objects are organized and provides a method for managing individual accounts and shared resources. When planning the logical structure, determine the number of forests, the domain designs, the Domain Name System infrastructure, and the Organizational Units.

The design of the logical structure should follow this process:

  • Identification of the technical staff in charge of deployment
  • Creation of the forest design
  • Creation of the domain design for each forest
  • Design of a DNS infrastructure to support AD DS for every forest
  • Design of organizational units for delegating administrative tasks in every forest

1.     Designing the Site Topology

The site topology of the Active Directory network is a logical representation of the physical network. It contains information about the AD DS sites, the location of domain controllers, and the site links that support AD DS replication between sites.

The site topology design goes through the following process:

  • Gather all network information  
  • Plan where to place the domain controllers  
  • Create the site design  
  • Create the link design  
  • Create the site link bridges

2. Planning for Domain Controller Capacity  

For efficient AD DS output, system administrators should determine the number of domain controllers for each site. Capacity planning for the domain controllers covers the hardware requirements and avoids poor performance by the domain controllers.

Domain controller capacity planning involves:

  • Collect site topology and design information  
  • Determine the number of domain controllers  
  • Create the site design  
  • Assess disk space and memory requirements  
  • Monitor domain controller performance  

Please note that some features can be added to the Domain design by raising the functional levels of the forests.  

Conclusion  

The strategies presented in this guide apply in any server-operating environment. If you are not sure if your environment can meet the minimum system requirements, consult with other professionals on what needs to be done to deploy the AD DS. 

 


How to Optimize Your Active Directory for Windows Server 2016

Microsoft Windows Server 2016 is still new on the market, and organizations are already asking their IT experts to evaluate its added value and the challenges they may encounter when moving from their current systems to the new server platform. In addition to the features found in Windows Server 2012 and 2012 R2, Windows Server 2016 offers possibilities and capabilities that are missing from previous Windows Server platforms. Any new Windows Server operating system that enters the market gets more attention, and Windows Server 2016 has made tremendous improvements to Active Directory optimization.

The best approach before implementing Windows Server 2016 is to test its readiness by looking for ways to minimize the likely impact of migration. Another way to look at it is to identify the organization's needs and how they can be integrated into future implementations. The reason administrators would want to try Windows Server 2016 Active Directory optimization is to provide an opportunity for growth, offer flexibility, and enhance the security setup of the organization. Now let us talk about Active Directory optimization.

Why Does Windows Server 2016 Matter

Windows Server 2016 combines principles from different areas: computation, identity, management and automation, security and assurance, and storage. These are broken down into the core elements of the server operating system: virtualization, system administration, network management and Software Defined Network (SDN) technologies, cloud integration and management, and disk management and availability. All of these are meant to bring organizations into the future of technology without the need to discard the infrastructure used in the current environment.

Windows Server 2016 is a full-featured server operating system boasting solid performance with modern advancements. This new server shares many similarities with the Datacenter edition, which incorporates support for Hyper-V containers, new storage features, and enhanced security designed to protect virtual machines and network communications that have no trust configured between them.

This article should help you, the reader, learn more about Windows Server 2016 features, the factors to consider before moving from an old to a new setup, and how to do Active Directory optimization. It also gives more detail on how to prepare for the move and migrate efficiently by managing the new environment effectively.

Windows Server 2016 New Features

Several features and enhancements form part of this server operating system. Here are some of the highlights:

Temporary Group Membership

This form of membership gives administrators a way of adding users to a security group for a limited time. For this feature to work, the Active Directory forest must be operating at the Windows Server 2016 functional level. System administrators need to know beforehand all the system installation requirements during and after the transition.
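An added example, not from the article, of how temporary membership is used in practice: enabling the Privileged Access Management optional feature that the functionality depends on, adding a member with a time-to-live, and reading the remaining TTL back. It assumes the ActiveDirectory module and a forest at the Windows Server 2016 functional level; "Tier0-Admins" and "jdoe" are constructed names.

```powershell
# Added example: time-limited group membership
Import-Module ActiveDirectory

# One-time enablement (Enterprise Admins); like the Recycle Bin feature it cannot be turned off again
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name -Confirm:$false
}

# Membership that removes itself after four hours; no clean-up job is needed
Add-ADGroupMember -Identity 'Tier0-Admins' -Members 'jdoe' -MemberTimeToLive (New-TimeSpan -Hours 4)

function Get-TtlMembership {
    # Lists members with their expiry; TTL-bound values are returned by AD as "<TTL=seconds,DN>"
    param([string]$Group)
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member | ForEach-Object {
        if ($_ -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{ Member = $Matches[2]; ExpiresAt = (Get-Date).AddSeconds([int]$Matches[1]) }
        } else {
            [pscustomobject]@{ Member = $_; ExpiresAt = $null }   # permanent member
        }
    }
}

Get-TtlMembership -Group 'Tier0-Admins' | Format-Table -AutoSize
```

With the feature enabled, the Kerberos ticket issued to the user is given a lifetime no longer than the shortest remaining TTL of their memberships, so access through the group really ends when the membership expires rather than when the ticket would normally have been renewed.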

Active Directory Federation Service

There are essential changes that come with the Windows Server 2016 Active Directory Federation Service:

Conditional Access Control

Active Directory in previous installations had straightforward access controls because the assumption had always been that all users would be logging in from a computer joined to a domain with proper Group Policy Security settings. The conditional access gives users access to resources that have been assigned to them.

In today's environments, users access resources from different types of devices that are not joined to the domain and often operate outside the organization's norms. This is a direct call for improved security, answered by a Conditional Access Control feature that gives administrators better control over user requests on a per-application basis. For example, administrators may enforce multi-factor authentication when compliant devices try to access business applications.

Support for Lightweight Directory Access Protocol (LDAP) v3

Another change introduced with regard to Active Directory Federation Services is support for the Lightweight Directory Access Protocol. This capability makes it easier to centralize identities across different directories. For example, an organization that uses a non-Microsoft directory for identification and access control can centralize identities in the Azure cloud or Office 365. LDAP v3 support makes it easier to configure single sign-on for SaaS applications.

Domain Name System (DNS)

Active Directory and DNS go hand in hand because of the dependency of Windows Server systems on DNS. There have been no significant changes in the Windows Server DNS service until the arrival of Windows Server 2016. The following are new features under the DNS:

1.     DNS Policies

The ability to create DNS policies is said to be the most significant change. These policies enable administrators to control the way DNS responds to different queries. Examples of such policies are load balancing and blocking DNS requests from IP addresses that have been listed as malicious.

2.     Response Rate Limit

The rate at which the server responds to DNS queries can now be controlled. This control is designed to help defend against external attacks such as denial of service by limiting the number of times per second a DNS server responds to a client.
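The two features above are configured with the DnsServer module. The following is an added example, not from the article, showing a query resolution policy that ignores queries from a listed subnet and Response Rate Limiting started in log-only mode so thresholds can be sized before they are enforced. It assumes it runs on a Windows Server 2016 DNS server; 203.0.113.0/24 (the documentation range) stands in for a blocked source, and 10.0.0.0/8 for internal resolvers, both constructed values.

```powershell
# Added example: DNS policy plus Response Rate Limiting on a Windows Server 2016 DNS server
Import-Module DnsServer

# 1. DNS policy: define the client subnet, then a server-level policy that silently drops (IGNORE)
#    queries coming from it. DENY would answer with a refusal; IGNORE sends nothing back.
Add-DnsServerClientSubnet -Name 'BlockedSources' -IPv4Subnet '203.0.113.0/24'     # constructed
Add-DnsServerQueryResolutionPolicy -Name 'DropBlockedSources' -Action IGNORE `
    -ClientSubnet 'EQ,BlockedSources' -ProcessingOrder 1

# 2. Response Rate Limiting, in LogOnly mode first: identical responses to one client are counted
#    per WindowInSec and would be leaked/truncated above ResponsesPerSec once enforced
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -ErrorsPerSec 5 `
    -WindowInSec 5 -LeakRate 3 -TruncateRate 2 -Force

# Internal recursive resolvers legitimately send many similar queries: exempt them
Add-DnsServerClientSubnet -Name 'InternalResolvers' -IPv4Subnet '10.0.0.0/8'       # constructed
Add-DnsServerResponseRateLimitingExceptionlist -Name 'InternalResolvers' -ClientSubnet 'EQ,InternalResolvers'

# After reviewing the log-only results, switch to enforcement:
# Set-DnsServerResponseRateLimiting -Mode Enable -Force

# Show the effective configuration
Get-DnsServerQueryResolutionPolicy
Get-DnsServerResponseRateLimiting
```

Starting in LogOnly mode matters because the thresholds that stop a reflection flood can also throttle a busy legitimate resolver; the exception list is how the two are kept apart.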

3.     Microsoft IP Address Management (Microsoft IPAM)

The most significant improvement to DNS is in the IP Address Management system, which helps track IP address usage. The integration of Microsoft IPAM with DHCP has been robust, while the DNS integration was minimal. Windows Server 2016 brings new capabilities such as DNS management including record inventory. Support for multiple Active Directory forests by IPAM is a welcome feature; it is only possible if a trust already exists between the forests and IPAM is installed in each forest.

Migration Considerations

Planning is critical when moving from an earlier Windows Server version to Server 2016. The goal of any migration should be minimizing its impact on business operations. Going ahead with the migration should be an opportunity for administrators to set up a scalable, flexible, compliant, and secure platform.

1.     Understanding the Existing Server Environment.

It is a rookie mistake to jump into implementation without a proper analysis of the current server environment. Assessment at this stage should look at users, groups, distribution lists, applications, folders, and Active Directory. On the business side, workflows, email, programs, and any infrastructure in use should be assessed before making the big move.

It is also vital that you:

  • Understand what needs to be moved and what is to be left as it is. For example, there is no need to move inactive accounts and old data that is no longer relevant. All active data stores, mailboxes, and users are part of what you should not leave behind.
  • You will also want to analyze applications, users, and processes that need access and should be migrated to ensure that the relevant resources are available during and after the transfer.

2.     Improving Active Directory Security and Compliance Settings

Another critical factor to consider during migration is security and delegation: controlling who makes changes to Windows Active Directory objects and policies. Most organizations grant access to Active Directory objects to solve an immediate problem and never clear the permissions afterwards. Proper controls should be in place to manage what can be added to the AD and who is responsible for making such changes.

Activities in the Active Directory should be monitored continuously to ascertain that they comply with both internal and external regulations. Microsoft Windows Server and AD can audit events with visible output, and auditing can be implemented quickly in a busy setup. Having a coherent AD audit cluster with analytical capabilities is critical for marking unauthorized changes, spotting inappropriate use of the AD and related resources, tracking users across the entire infrastructure, and giving compliance reports to the auditors.
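The native auditing the paragraph refers to is the "Directory Service Changes" subcategory, which writes events 5136 (object modified), 5137 (object created) and 5141 (object deleted) to the Security log. The following is an added example, not from the article, that enables the subcategory and summarizes the last 24 hours of changes. It assumes it runs elevated on a domain controller; these events are only generated for objects whose SACL audits the change, so the domain's auditing SACL must be in place as well.

```powershell
# Added example: enable directory change auditing and summarize recent changes
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

function Get-DirectoryChange {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object    = $data['ObjectDN']
            Class     = $data['ObjectClass']
            Attribute = $data['AttributeLDAPDisplayName']   # empty for 5137/5141
            Value     = $data['AttributeValue']
        }
    }
}

# Everything, newest last
Get-DirectoryChange | Sort-Object Time | Format-Table -AutoSize

# Group membership changes are the ones to watch most closely
Get-DirectoryChange | Where-Object { $_.EventId -eq 5136 -and $_.Attribute -eq 'member' } |
    Format-Table Time, Actor, Object, Value -AutoSize
```

Forwarding these events off the DC to a central collector is what turns the per-server log into the "audit cluster" the paragraph describes; the parsing shown here is the same whether it runs locally or on the collector.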

3.     Ensuring Application Compatibility

Before initiating the migration, make sure that all software and third-party applications used in your organization are compatible with Windows Server 2016. All in-house applications should also be tested to make sure they work correctly in the new environment.

4.     Minimizing Impact on Business

Addressing in-house software compatibility is one aspect of reducing the cost of the migration to the business. As an administrator, you need to know how downtime will be handled when moving from the legacy to the new system. One thing to avoid is underestimating the impact of the migration on users and operations by failing to analyze all access points. Many such challenges can be avoided by scheduling resource-intensive migration tasks during off-peak hours.

Failing to make a smooth transition between the legacy and the new system can lead to service disruptions, lost productivity and an increased cost of doing business. The coexistence of the old and the new system is essential in any Active Directory migration because users still need to access resources to ensure continuity. Directory synchronization is important at this stage to make sure that users can access their data.

5.     Restructure the Active Directory

Moving from your legacy system to Windows Server 2016 should be taken seriously and not treated like any other routine IT task. It is an opportunity to restructure your Active Directory to meet current and future needs. Every significant system upgrade may have been prompted by changes in organizational models and requirements, and changes in IT technology are also a major force behind Active Directory restructuring.

Determine the number of domains and forests needed. Examine the need to merge some forests or create new ones. You can also take an opportunity to join new infrastructure to remote offices that may not have been in existence in the legacy system.

Active Directory Management and Recovery

Every IT management team faces challenges when managing the Active Directory on a daily basis. Configuring user properties is time-consuming and error-prone in a large and complex Windows network. Some of these duties have to be performed manually, leading to repetitive and mundane tasks that take up most of the administrators' time. Accomplishing the above tasks with Windows native tools or PowerShell means that you must have a deeper understanding of how the Active Directory and its features work.

Using software to manage repetitive Active Directory tasks simplifies the process. You can also get detailed reports on tasks and their status. Software offers solutions that help in planning and executing an efficient AD restructuring, which will eventually help you implement a secure system. Managing AD with software gives a common console where management can view and manage Active Directory users, computers, and groups. Some products enable the administration to plan a secure way of delegating repetitive tasks and perform controlled automation of the Active Directory structure.

Software Implementation

Two popular software products used for Active Directory optimization tasks are:

  1. ADManager Plus
  2. Quest Software

They both can help in the restructuring and consolidation of Windows Server 2016 in a new environment.

1.     ADManager Plus

ADManager Plus has additional features such as sending and receiving customized notifications via SMS or email. Its search options make it easy for IT managers to search the directory through the software interface panel. Using ADManager Plus, the IT department can execute Windows optimization tasks with ease, in addition to integrating utilities such as ServiceNow, ServiceDesk, and ADSelfService Plus.

Active Directory User management

ADManager Plus manages thousands of Active Directory users through its interface. It helps you create and modify users by configuring general attributes, Exchange Server attributes, Exchange policies, terminal service attributes, and remote login permissions. You can set up new users in Office 365 and G Suite when creating the new accounts in the Active Directory. You can design templates that let the help desk team modify and configure user accounts and properties in a single action.

Active Directory Computer Management

This solution allows all computers in the existing environment to be managed from any location. You can create objects in bulk using CSV templates, modify group and general attributes of computers, move them between organizational units, and enable or disable them.

Active Directory Group Management

Group management is made more flexible by software modules that create and modify groups from templates and set all configuration attributes in an instant.

Active Directory Contact Management

You can use this software management tool to import and update Active Directory contacts in a single process, so you do not have to select individual contacts for an update.

Active Directory Help Desk Delegation

The ADManager Plus delegation feature helps administrators create help desk administrators and delegate the desired tasks related to user attributes. The various repetitive management tasks for users, groups, computers, and contacts can be delegated using customized account creation templates. Help desk users can share the administrators' workload, which frees the administrators to work on core duties.

Active Directory Optimization Reports and Management

ADManager Plus provides information on different objects within the AD and allows that information to be viewed and analyzed in its web interface. For example, you can see a list of all inactive users and modify the accounts accordingly.

2.     Quest

Quest software takes a different approach because it deals with preparation, recovery, security and compliance, migration, consolidation, and restructuring.

Preparation

During preparation, Quest helps assess the existing environment: Enterprise Reporter gives a detailed evaluation of the current setup, including the Active Directory, Windows Server, and SQL Server. During this assessment, Quest can report the number of accounts you have in the Active Directory and separate the active from the disabled ones. Knowing the exact status of your environment is paramount before the migration begins.

Quest also helps discover identities and inventories on application servers that depend on the Active Directory domains being moved, so that you can fix or redirect them on the new server.

Migration, Consolidation, and Restructuring

The Migration Manager for Active Directory gives Zero IMPACT AD restructuring and consolidation. It offers peaceful coexistence between migrated and not-yet-migrated users by maintaining secure access to workstations and resources.

Secure Copy offers an automated solution for quickly migrating and restructuring files on the data server while maintaining security and access points. Its robustness makes the tool rated as ideal for planning and verifying successful file transfers.

Migrator for Novell Directory Services (NDS) helps administrators move from Novell eDirectory to Active Directory. The tool also moves all data within Novell and reassigns permissions to the new identities on the new server.

Security and Compliance

The Change Auditor for Active Directory gives a complete evaluation of all the changes that have taken place in the Active Directory. The evaluation report contains information such as who made the changes, what kind of changes were made, the values before and after the adjustment, and the name of the workstation where the change originated. The Change Auditor tool can also prevent changes; for example, you can disable the deletion or transfer of Organizational Units and changes to Group Policy settings.

Access Control

Active Roles modules help keep AD security compliant by enabling you to control access by delegating tasks with least privilege. This gives an opportunity to generate access rules based on defined administrative policies and access rights. You can use Active Roles to bring together user groups and mailboxes as well as to change and remove access rights based on role changes.

Centralized Permission Management

Security Explorer facilitates the management of Microsoft Dynamic Access Control (DAC) by enabling administrators to add, remove, restore, back up, and copy permissions, all from a single console. The tool can make targeted or bulk changes to server permissions, made possible by the enhanced Dynamic Access Control management features such as the ability to grant, revoke, clone, and modify permissions.

Monitoring Users

InTrust enables secure collection, storage, reporting and alerting on log data in compliance with both internal and external regulations surrounding policies and security best practice. Using InTrust, you get insight into user activities by auditing access to critical systems, and you can see suspicious logins in real time.

Management and Recovery

The easiest way for an IT administrator to manage user accounts, computers, and objects is via Group Policy. Poor management of Group Policy Objects (GPOs) can cause a lot of damage, for example if a GPO assigns proxy settings with the wrong proxy values.

GPOADmin automates Group Policy management and has a workflow that lets changes be checked before the GPOs are approved. When GPOs are used in production, the management team will be impressed by the reduced workload and the improved security.

Recovery is a critical process in any organization that runs its systems on Windows Server 2016. You can also recover wrong entries and accounts that were removed. The Recovery Manager for Active Directory gives access to further features that report on differences and help restore objects that were changed.

It is important to be prepared for disaster and data recovery. In case your domain finds itself in the wrong hands, or the entire network setup is corrupted, use the Recovery Manager for Active Directory utility.

Conclusion

Windows Server 2016 has a wealth of new features and capabilities that streamline and improve management and provide a better user experience. A successful implementation means that Active Directory optimization has a sound consolidation process. Administrators who have already tested this server operating system should take advantage of the new capabilities.

The benefits of Active Directory optimization tools and utilities are numerous because they help in setting up a flexible and secure Windows Server 2016 and Active Directory that will work for your current and future environment. These utilities also help managers who are not familiar with the IT-oriented Active Directory optimization tools but need to switch to the new server to comply with regional and international standards.

Overview: How to Troubleshoot Active Directory Replication Issues

Active Directory replication is at the center of all sorts of problems. It is a crucial service, and it becomes more complicated when dealing with more than one domain controller. Issues relating to replication range from authentication failures to problems accessing resources over the network.

All objects in the Active Directory are replicated between domain controllers so that all partitions are synchronized. A large company with multiple sites means that replication takes place at the local site as well as the other sites to keep all partitions synchronized. This article aims to show you how to troubleshoot Active Directory replication issues. 

Active Directory replication problems come from different sources, some of which are Domain Name System failures, network problems, or security issues. 

Resources Needed to Troubleshoot Active Directory Replication 

Inbound and outbound replication failures lead to many inconsistencies between domain controllers. Such failures lead to systemic failures or inconsistent output. Identifying the main cause of a replication failure helps system administrators narrow down the possible causes and hence eliminate the problem. One commonly used interface-based replication-monitoring tool is the Active Directory Replication Status Tool.

Understanding Recommendations from the Tool

The red and yellow warning events in the system logs always point to the specific cause of the replication failure and give the source and destination in the Active Directory. Any steps suggested by the warnings should be tried as explained. Other tools such as Repadmin can give more information to help resolve replication issues.

  • Eliminating Disruptions or Hardware Failures 

Before troubleshooting replication failures, it is important to rule out any issues related to software updates or upgrades, intentional disruptions, software configurations, and hardware failures. 

  • Intentional Disruptions 

Disruptions caused by the unavailability (offline state) of a remote domain controller can be corrected by adding the computer back as a member server and using the Install From Media (IFM) method to configure Active Directory Domain Services. The Ntdsutil command-line tool is used to create the installation media.

  • Software Upgrades and Hardware Failures 

Hardware failures can come from failing motherboards or hard drives. Once a hardware problem is identified, system administrators should take immediate action to replace the failing components. Active Directory replication failures can also occur after a planned upgrade; the best way to handle this is an effective communication plan that prepares people in advance.

  • Software Configurations 

Firewall settings matter: the Windows Firewall, for example, must have port 135 open (alongside its other advanced security settings) for replication to work, and other firewalls can likewise be configured to allow replication.

Responding to Failures Reported on Windows 2000 Server 

An Active Directory domain controller running Windows 2000 Server that has not replicated for longer than the tombstone lifetime should be dealt with by:

  • Moving the server from a corporate to a private network 
  • Removing the Active Directory or Reinstalling the Operating System 
  • Removing its metadata from the Active Directory to hide its objects 

Removing the server metadata ensures that any attempt by the server to revive objects settings after 14 days is impossible. This also helps avert further error logs due to replication attempts with a missing Domain Controller. 

What are the Root Causes of Replication Failure?

Apart from the already discussed causes leading to replication failures, here are some other reasons. 

Network Connectivity: caused by unavailable network or wrong configurations 

Name Resolutions: Wrong DNS configurations 

Authentication and Authorization: Access denied errors every time a domain controller tries to connect for replication

Directory Database: A slow data store that cannot handle the transaction volume within the replication timeouts.

Replication Engine: when replication schedules are short, it will lead to longer queues and large processing which may not be possible within the outbound replication schedule. 

Replication Topology: All domain controllers need site links connecting them to the other sites within the Active Directory. The links should map the wide area network or the virtual private network connections. All objects should be supported by the same site topology within the network to avoid replication failures.

How Do We Fix Replication Problems?

Any of the following approaches can be used to fix Active Directory Replication Issues: 

  • Daily monitoring of the state of replication using the Repadmin.exe to extract daily status updates 
  • Resolving reported replication failures as soon as possible, using steps provided in the event logs. Replication failures resulting from software configurations require un-installation of the software before attempting any other solutions. 
  • If all attempts to resolve replication issues fail, remove Active Directory Domain Services (AD DS) from the server and reinstall it.

When an attempt to remove AD DS fails when the server is online, any of the following methods can resolve the issue. 

  • Force the removal of AD DS from Directory Services Restore Mode (DSRM), clean up the server metadata, and reinstall AD DS.
  • Reinstall Operating system and reconfigure the Domain Controller 

Retrieving Replication Status Using Repadmin 

When everything in the Active Directory is working as intended and produces no errors, then it means the following services are working correctly: 

  • DNS 
  • Remote Procedure Call (RPC) 
  • Network Connectivity 
  • Windows Time Service (W32time)
  • Kerberos Authentication Protocol 

The Repadmin tool is used to check daily replication activity. It can retrieve the replication status of all domain controllers in the forest and output the report in .CSV format, which can be opened in any spreadsheet application.

Generating a Repadmin Report for Domain Controllers in a Spreadsheet

Open a command prompt as an administrator and type the following:

Repadmin /showrepl * /csv > showrepl.csv 

  • Open Microsoft Excel, navigate to the showrepl.csv, and click open 
  • Hide or delete column A and the Transport Type column
  • Select the row below the column heading and click freeze panes by clicking on Freeze Top Row 
  • Select the whole spreadsheet and click filter from the data tab 
  • Click on the down arrow below the source DC column, point to text filters, and select the custom filter. 
  • In the Custom AutoFilter box, under Show rows where, choose does not contain. In the box next to it, type Del to exclude results from deleted domain controllers.
  • Repeat the previous step for the Last Failure Known column, choosing does not equal and typing 0
  • Resolve replication issues. 
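The same filtering as the Excel steps above, as an added PowerShell example that is not from the article. It assumes the column headers that repadmin /showrepl /csv writes (the column the article calls Last Failure Known appears in the CSV header as Last Failure Status); the sample rows are constructed.

```powershell
# Added example (not from the article): apply the two Excel filters from the
# procedure above to a repadmin CSV in PowerShell. Column names are the headers
# that repadmin /showrepl /csv writes; the sample rows below are constructed.
function Get-ReplicationFailure {
    param(
        # Path to a file produced by: repadmin /showrepl * /csv > showrepl.csv
        [Parameter(Mandatory)] [string] $CsvPath
    )
    Import-Csv -Path $CsvPath |
        # "does not contain Del": drop rows whose source DC is a deleted object
        # (deleted DC names carry a "...\0ADEL:<guid>" suffix)
        Where-Object { $_.'Source DSA' -notmatch 'Del' } |
        # "does not equal 0": keep only links whose last attempt reported an error
        Where-Object { $_.'Last Failure Status' -ne '0' } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

# Constructed sample (not real output) so the function can be tried without a forest.
# DC02 is healthy, DC03 fails with 1722 (RPC server unavailable) and DC04 is a
# deleted DC, which the "Del" filter removes.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=example,DC=local",HQ,DC02,RPC,0,0,2024-03-01 08:00:00,0
showrepl_INFO,HQ,DC01,"DC=example,DC=local",Branch,DC03,RPC,37,2024-03-01 07:45:00,2024-02-20 11:10:00,1722
showrepl_INFO,HQ,DC01,"DC=example,DC=local",Branch,DC04\0ADEL:00000000-0000-0000-0000-000000000000,RPC,5,2024-02-28 06:00:00,2024-02-01 09:00:00,8524
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'showrepl-sample.csv'
Set-Content -Path $tmp -Value $sampleCsv

# Only the DC01 <- DC03 link should be listed.
Get-ReplicationFailure -CsvPath $tmp | Format-Table -AutoSize

# On a live domain controller, run the article's command first and point the
# function at the resulting file:
#   repadmin /showrepl * /csv > showrepl.csv
#   Get-ReplicationFailure -CsvPath .\showrepl.csv | Format-Table -AutoSize
```

The Last Failure Status value is the Win32 error code of the last failed attempt, so the output can be handed straight to the event-log based steps described earlier.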

Conclusion

Replication running smoothly throughout the Active Directory is critical. Poor replication means all manner of problems, from authentication failures to inconsistent results. This article should help you check your system's replication status and learn how to resolve the common replication errors.

What’s New in Windows Server 2016 Federation Services?

The corporate environment requires many collaboration application services to promote a seamless workflow environment. Windows Server 2016 represents major steps towards an environment that supports cloud features and an improved level of security and innovations. Some of the improvements found in Windows Server 2016 include:

  • Active Directory Federation Services (ADFS)
  • Microsoft IP Address Management (IPAM)
  • Conditional Access
  • Temporary group membership

Our main concern will be to highlight the new things Active Directory Federation Services (ADFS) bring into a Windows Server 2016 network environment.

Active Directory Federation Services provides single sign-on across the entire network to different applications such as Office 365, SaaS applications, and other cloud-based applications.

In general, the IT department can enforce logon and access controls for both modern and legacy software. The user benefits from a seamless login using the same account credentials, and developers have an easier time managing their applications because the authentication process is handled by the federation service.

Here are some of the new features that came with Windows Server 2016 Federation Service:

Eliminate the Use of Passwords on A Private Network

Active Directory Federation Services gives three possibilities for Logons without passwords. This eliminates the risk of the network being compromised by leaked or stolen passwords.

Using Azure Authentication Features

Federation Services 2016 supports Multi-Factor Authentication (MFA), which allows signing in with an Azure MFA code instead of a password: the user is prompted for a username and a one-time password (OTP) code for authentication.

When the MFA code is used as an additional authentication method, the user will be prompted to give the usual authentication credentials and later on prompted for text, OTP, or a voice password before logging in.

Setting up a Federation Service to work with Azure MFA is now simple because organizations can use Azure MFA without having to run an Azure MFA server on premises. Azure MFA can be configured for both local and private networks, or be incorporated into an access control policy of the organization.

Allowing Password-less Access

Active Directory Federation Services 2016 uses device registration capabilities to allow access from known devices. Users log in from the device, and its validity is checked for attribute changes to maintain the integrity of the device and network security. Using accepted devices ensures that access is granted only to specific devices, that private network access is only allowed from managed devices, and that authentication requires additional steps for any non-compliant computer or device.

Using Windows Hello for Business Credentials

Workstations running Windows 10 have built-in Windows Hello and Windows Hello for Business. The credentials are protected by gestures such as fingerprint, facial recognition, or voice recognition. Using these Windows 10 capabilities, users can sign in to a Federation Server 2016 without a password.

Secure Access to Applications

Windows Server 2016 Federation Services works with the latest modern protocols to offer a better experience to Windows 10, Android, and iOS users.

Previously, access control policies could not be changed without knowledge of the claim rules language, which made them hard to configure and maintain. With Federation Services 2016, one can simply use built-in templates for common policies such as:

  • Limit access to Local Area Network only
  • Allow everyone to access the server and ask for an MFA from private networks
  • Allow everyone to access the server and ask for an MFA from a specific group

Using templates is recommended because they are easy to customize and add exceptions or additional policies that can be applied to one or many applications.

Allow Logons without Active Directory Lightweight Directory Access Protocol (LDAP) Directories

Most firms use Active Directory alongside third-party directories for logons. Federation Services 2016 allows the authentication of users whose credentials are stored in LDAP. This helps third-party users whose data is stored in LDAP v3 compliant directories, and it also works with users in an Active Directory forest for which no two-way trust is configured. Users in Active Directory Lightweight Directory Services are able to sign in as well.

Flawless Sign-in Experience

All applications using Active Directory Federation Services give users the ability to customize the login experience, which is particularly useful for organizations dealing with various companies and brands. In previous editions there was a common sign-on experience, with customization available only for a single application. Windows Server 2016 lets you customize messages, images, web themes, and logos, and additional customized web pages can be created for every business platform.

Improved Management and System Operations

Streamlined Auditing

Auditing is streamlined in Active Directory Federation Services 2016, unlike previous versions where every single event generated an event log entry.

Improved Interoperability with Security Assertion Markup Language (SAML 2.0)

Active Directory Federation Services 2016 adds SAML protocol support for importing trusts with multiple entries. This allows Active Directory Federation Services to be part of confederations and implementations that conform to the eGov 2.0 standard.

Simple Password Management for Office 365 Users

Active Directory Federation Services can be configured to send password expiry claims to protected applications. For instance, Office 365 users rely on updates implemented via Exchange and Outlook to get notifications about the expiry status of their passwords.

Migration from AD FS Windows Server 2012 to AD FS Windows Server 2016 Made Easier

Previous editions required the configuration to be exported from the old farm and imported into the new farm. When moving from Windows Server 2012 to Windows Server 2016, you now add a new Windows Server 2016 server to the existing Windows Server 2012 farm, verify that everything works, and remove the old server from the load balancer. The new features are ready to use once Windows Server 2016 is running and the farm behavior level has been raised to 2016.

Conclusion

Federation Services help in managing identities across different networks and as such forms the foundation of cybersecurity in the cloud world. With this information, it is time to optimize your Active Directory environment by giving it a new design and restructure it before migrating to the latest Windows Server 2016 Federation Services.

Setting Up Active Directory in Windows Server 2016

The latest addition to the Windows Server versions is the Windows Server 2016. Setting up an Active Directory may be something you have already done in the previous versions, but still, getting to know the steps needed to set up an Active Directory role for 2016 is important.

There are two important steps to consider before starting this process. If the Windows Server is to be used in a production environment, the IP addresses should be defined as static. The other thing to keep in mind is to rename the server to a suitable name because renaming the server after the AD has been defined may not be all that easy.

In this article, we will look at:

  • Installing the Active Directory
  • Setting up the Domain Controller

Both of these activities require administrative privileges because they are the foundation of user and group management, policy, and security in a typical server environment.

Installing the Active Directory

  1. Click on the Start button then on the Server Manager icon.
  2. The Server Manager dashboard will load, giving access to the roles and features wizard. Click Next to proceed.
  3. Choose the installation type as the default (role-based or feature-based installation).
  4. The next step is to select the destination server from the server pool, which lists the local server.
  5. When you click on Next, a pop-up screen will appear. Check the Active Directory Domain Service box. The associated features specific to that role will pop up. Another pop-up wizard will show up that enables you to add the selected role(s).
  6. Click on Add Features, followed by Next. The .NET Framework 4.6 features should be checked on the following screen.
  7. On the Active Directory Services screen, click on Next. You will be given an overview of the roles of a Domain Controller and all the services that will be installed. All first Domain Controllers require that a DNS service be set up after this step.
  8. Click on Install to initiate the process.
  9. Once the installation is complete, click on the Promote this Server to a Domain Controller option.
  10. An Active Directory configuration wizard will open up with an option to:
  • Add a Domain Controller to an existing Domain
  • Add a new Domain to an existing Forest
  • Add a new Forest

Setting up the Domain Controller

To set up a new Domain Controller, select the option Add New Forest and type in the root Domain name.

  1. The next screen is for selecting the Domain and Forest functional levels; for a first Domain Controller running Windows Server 2016, choose Windows Server 2016 as the forest and domain functional level. The Directory Services Restore Mode password should be entered here. The DNS option should also be checked alongside the Global Catalog (GC). Click on Next.
  2. When configuring the first DNS server in a new Forest, an error message is bound to pop up. For now, no need to make any modification because the Domain Controller is using the Active Directory integrated DNS. Click on Next.
  3. Accept the NetBIOS Domain name (selected by default) and click on Next. For the NetBIOS name, the default is okay.
  4. Next wizard is the selection of paths in the Active Directory database, Log files folder, and SYSVOL folder. The default values are okay. Click on Next.
  5. Then we have the review wizard that contains all the selected configurations. Review everything and make necessary changes. If no change is needed, you can click on Next.
  6. Pre-requisite checks are needed to make sure everything falls into place. The install button will only be active once the pre-requisite check has passed. If the checks are successful, click on Install.
  7. The server will automatically reboot when the installation has finished.

Once the computer reboots, log in as the Domain administrator and head straight to the Administrative Tools. Open Active Directory Users and Computers to confirm that the Active Directory and the DNS are operating correctly.

Other Things You Need to Know

Setting up Static IP Addresses on Windows Server 2016

  1. Open the Control Panel.
  2. Click on the View Network and Status Tasks found in the Network and Internet applet.
  3. Click on Change Adapter Settings.
  4. Right click on Network Connections and select Properties from the pop-up menu.
  5. Scroll down, select Internet Protocol Version 4 (TCP/IPv4) and click on Properties.
  6. Key in the IP address, the subnet mask, and the default gateway. The preferred and alternate DNS server addresses are also needed. Click OK.
  7. Reboot the server.
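The static IP, rename, role installation and forest promotion steps above, as an added PowerShell example that is not from the article. The interface alias, addresses, computer and domain names are constructed placeholders; the cmdlets are the standard NetTCPIP, ServerManager and ADDSDeployment ones.

```powershell
# Added example (not from the article): the GUI procedure above, run on the future
# Domain Controller in PowerShell. Interface alias, addresses and names are
# placeholders; run the part before the reboot first, the rest after it.

# 1. Static IP (see "Other Things You Need to Know"): replace DHCP with fixed addressing.
$nic = 'Ethernet'                                  # placeholder interface alias
New-NetIPAddress -InterfaceAlias $nic -IPAddress '192.0.2.10' -PrefixLength 24 `
    -DefaultGateway '192.0.2.1'
# Preferred DNS is the DC itself (it will host DNS); alternate is another DNS server.
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses '192.0.2.10', '192.0.2.2'

# 2. Rename before promotion; renaming after AD DS is installed is much harder.
Rename-Computer -NewName 'DC01' -Force -Restart

# ---- after the reboot ----

# 3. Install the AD DS role (steps 1-8 of "Installing the Active Directory") with its
#    management tools; the .NET Framework dependency is pulled in automatically.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 4. Promote to the first DC of a new forest (steps 1-7 of "Setting up the Domain
#    Controller"). WinThreshold is the Windows Server 2016 functional level; the
#    first DC in a forest is automatically a Global Catalog.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Prerequisite check only (the wizard's final screen); makes no changes.
Test-ADDSForestInstallation -DomainName 'example.local' -DomainNetbiosName 'EXAMPLE' `
    -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' -InstallDns `
    -SafeModeAdministratorPassword $dsrm

# Paths are the wizard defaults. -CreateDnsDelegation:$false matches the "ignore the
# DNS delegation warning" step for a new forest.
Install-ADDSForest -DomainName 'example.local' -DomainNetbiosName 'EXAMPLE' `
    -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' `
    -InstallDns -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm -Force
# The server reboots automatically when promotion completes (use -NoRebootOnCompletion
# to defer that).
```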

The new features made available in Windows Server 2016 should also make system administrators aware of the minimum system requirements to install and configure both Active Directory and Domain Controller.

Here are the minimum software and hardware requirements:

Processor

  • A 1.4 GHz 64-bit processor compatible with the x64 instruction set.
  • Support both NX (no execute) and DEP (Data Execution Prevention).
  • Supports second-level address translation such as EPT and NPT.

RAM

  • At least 512MB (if you are installing a server with a desktop environment, then a minimum of 2GB is needed).
  • RAM with ECC (error correcting code).

Storage Controllers and Disk Space

  • A computer designed to use the Windows Server 2016 Operating System should have storage adapters compliant with the PCI Express specifications. Hard disks or any permanent form of storage cannot be PATA since Windows Server 2016 does not allow ATA/ PATA/ IDE/ EIDE configurations.
  • Hard disks can have a minimum partition requirement of 32GB.

Network Adapter

  • Any adapter that can use gigabit throughput.
  • A card compliant with PCI Express architecture.
  • A card that supports Pre-Boot Execution Environment (PXE)
  • A network debugging enabled card is desirable, but not a requirement.

Conclusion

Installation of the Active Directory is almost standard across all Windows Server Operating Systems. Some people may use their experience to set up a new Active Directory without putting into focus the minimum hardware and software requirements needed. When handling an installation in an old system, you may be forced to confirm if all the requirements are met.

We hope that you find it helpful to have read this article.

Windows Server Optimization: Active Directory Auditing – Track User Logons

Tracking user logons gives system administrators an opportunity to identify active and inactive accounts and global access rights that could put the organization information at risk.

Active Directory auditing involves the collection of data on all Active Directory Objects and attributes that are helpful in analyzing and reporting the overall health of the Active Directory.

Audits are performed to secure the Active Directory from attacks and to keep the IT operations running. Tracking User Logons is needed to help in the following operations:

1. Track the logon activity on Domain Controllers.
2. Track user logon activities (logon failures, recent logons, last logon on workstations).
3. Track logon activities on Member Servers and Workstations.
4. Monitor RADIUS logon on computers.

In a busy working environment, Active Directory Auditing helps verify the number of users accessing the Active Directory at any given time, identify remote logon users, determine the peak logon sessions, monitor all critical logons, act on unauthorized attempts and access, and generate backup reports in case of any queries or investigations.

Why Using the Native Active Directory Auditing is Insufficient

1. The day-to-day logon information collected in the server logs may not be friendly to non-technical staff.
2. The logon information requires expertise to understand the specific events correlating to every logon activity.
3. The amount of data collected is voluminous due to the continuous activities on the Domain Controller. Dealing with such huge amount of data is tedious and time consuming.
4. The restrictive nature of the Domain Controllers means access to their logs is limited to specific personnel.
5. The inability of other Non-Administrative staff outside the IT department to access real time logon data also makes the Native Active Directory Auditing out of reach for managers, auditors, human resource staff, etc.

The Solution to Native Active Directory Auditing

The only practical way of tracking real-time logon activities on a large scale for auditing is to use software like ManageEngine ADAudit Plus, which collects all logon information into a single report that can be shared from a central server console.

The ADAudit Plus tool gives all information relating to successful and failed logon attempts.

Active Directory Logon Auditing

Real time auditing means tracking every logon activity as it happens to the entire Active Directory. The outcome of this audit is listing all logon activities that can be viewed on the central server in an instant.

The logon report contains information on failed logons, Domain Controller logon information, Member Server logon information, Workstation logon, recent and last logon activities.

Active Directory Logon Auditing also helps in reporting on specific logon events by listing all logon-related actions. All this information is presented on a web interface displaying data in statistical format via charts, lists, and graphs. Because native Active Directory auditing is limited, ADAudit Plus relays more information, some of which is explained below:

Logon Activities on Domain Controllers
Domain Controllers form the critical element in Active Directory because all changes to the Active Directory take place there. Logons to them are restricted to network administrators or privileged users. Any attempt by other users should be a wake-up call for administrators to take corrective action.

ADAudit Plus give details such as user’s location, time of logon, success or failed logon attempts, and the reason for failure if any.

Track User Logon Activities (logon failures, recent logons, last logon on workstations)
Logon failure report gives information on reasons why a failure occurred and the number of failed attempts reported for a particular user. This information could be useful for system administrators on possible external attacks.

Some common reasons for logon failures are a bad username or a wrong password. Other reasons, such as errors due to time restrictions, replication delays, and different workstation OS versions, can also be reported.

Reports on user logon give all the information needed for auditing the entire logon history on the server and the clients end. This information is only accessible to specific domain users. User’s logon history is used to draw a logon pattern and used to show system auditors proof of activities on the network.

Recent activities are used by administrators to ascertain whether every past logon was used as intended. An analysis of past logon can be used to measure levels of irregularities. ADAudit Plus gives details of both successful and failed logons alongside reasons for unsuccessful attempts. The unsuccessful logs are used for planning any corrective measures.

The last logon on workstations has all the information on the time of last successful logon attempts. The report of this audit can be used to show absenteeism or availability of a user.
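The logon-failure information discussed above is recorded natively as Security event ID 4625; reading it directly is what the "insufficient" native auditing amounts to. The following is an added PowerShell example (not from the article or ADAudit Plus) that parses those events and maps their NTSTATUS sub-status to the failure reasons named above; the sample events are constructed.

```powershell
# Added example (not from the article): read logon-failure events (ID 4625) from the
# native Security log and translate the SubStatus code into the reasons discussed
# above (bad name, wrong password, time restriction ...). Sample events are constructed.

# NTSTATUS sub-status codes that Windows writes into 4625 events.
$FailureReason = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc000006f' = 'Outside permitted logon hours (time restriction)'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000072' = 'Account disabled'
    '0xc0000234' = 'Account locked out'
}

# Flatten one 4625 event (as XML) into who, from where, and why it failed.
function ConvertFrom-LogonFailureXml {
    param([Parameter(Mandatory)] [xml] $EventXml)
    $ns = @{ e = 'http://schemas.microsoft.com/win/2004/08/events/event' }
    $data = @{}
    foreach ($d in Select-Xml -Xml $EventXml -Namespace $ns -XPath '//e:EventData/e:Data') {
        $data[$d.Node.GetAttribute('Name')] = $d.Node.InnerText
    }
    $sub = $data['SubStatus'].ToLower()
    [pscustomobject]@{
        Time        = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        LogonType   = $data['LogonType']
        Reason      = if ($FailureReason.ContainsKey($sub)) { $FailureReason[$sub] } else { $sub }
    }
}

# Per-user summary: failure count, distinct reasons and distinct source addresses.
function Get-LogonFailureSummary {
    param([Parameter(Mandatory)] [object[]] $Records)
    $Records | Group-Object User | ForEach-Object {
        [pscustomobject]@{
            User     = $_.Name
            Failures = $_.Count
            Reasons  = ($_.Group.Reason | Sort-Object -Unique) -join '; '
            Sources  = ($_.Group.SourceIp | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Failures -Descending
}

# Live use on a domain controller (requires rights to read the Security log):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 1000 |
#       ForEach-Object { ConvertFrom-LogonFailureXml ([xml]$_.ToXml()) } |
#       Get-LogonFailureSummary | Format-Table -AutoSize

# Constructed sample events (not real log output) so the functions run offline.
$sampleEvents = @(
    @{ user = 'jdoe';       ws = 'WS-17';  ip = '192.0.2.44';   sub = '0xC000006A'; t = '2024-03-01T08:01:12Z' },
    @{ user = 'jdoe';       ws = 'WS-17';  ip = '192.0.2.44';   sub = '0xC000006A'; t = '2024-03-01T08:01:40Z' },
    @{ user = 'svc_backup'; ws = 'SRV-02'; ip = '192.0.2.9';    sub = '0xC000006F'; t = '2024-03-01T02:15:00Z' },
    @{ user = 'nosuchuser'; ws = '-';      ip = '198.51.100.7'; sub = '0xC0000064'; t = '2024-03-01T08:03:05Z' }
) | ForEach-Object {
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="$($_.t)"/></System>
  <EventData>
    <Data Name="TargetUserName">$($_.user)</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">0xC000006D</Data>
    <Data Name="SubStatus">$($_.sub)</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">$($_.ws)</Data>
    <Data Name="IpAddress">$($_.ip)</Data>
  </EventData>
</Event>
"@
}

$records = $sampleEvents | ForEach-Object { ConvertFrom-LogonFailureXml $_ }
Get-LogonFailureSummary -Records $records | Format-Table -AutoSize
```

The summary lists EXAMPLE\jdoe first with two wrong-password failures, then the service account rejected by a logon-hours restriction and the non-existent user name from an outside address.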

Track Logon Activities on Member Servers and Workstations
Tracking logon activities on member servers and workstations helps administrators track the logon activities of users with authority to access selected servers and workstations. The information displayed here includes times of access, the location of the user including the workstation details, successful or failed logins, and the reason behind any logon failure.

Monitor RADIUS Logon on Computers
Users accessing the Domain server from a remote location need to use the Remote Authentication Dial-In User Service (RADIUS). Reports on remote users cover logon failures, authentication through the Active Directory, and logon history. Only RADIUS logon activities running through Network Policy Servers can be reported.

Conclusion

The aim of any server optimization is to speed up operations; in the case of logon auditing, that means speeding up reporting. Native Active Directory auditing may give comprehensive information, but it is weighed down by the reporting time.

System administrators should take advantage of Active Directory auditing tools such as ADAudit Plus to help in carrying Active Directory audit. An Active Directory Reporting tool should be able to filter out information by marking out WHEN a change in the Active Directory was made, WHERE the change took place, WHAT is the nature of the change, and WHO is responsible for the change.

All these identifiers in a report are to facilitate easier understanding when reviewing the summarized information.

How to Audit Active Directory Using ‘Netwrix’

Auditing Active Directory in any environment has become a critical task in the IT department. Small and large organizations are using Windows Active Directory Auditing Software to pass compliance tests and overcome security challenges.

At the heart of a Windows-based enterprise network, the mechanisms administrators use to organize and control the resources and objects in Active Directory determine how the structural framework, security, and database operations take place, from authentication to authorization.

Therefore, this means that it is important to keep track of all the activities taking place within the Active Directory to make sure network activity is at its best at all times.

Netwrix Auditor for Active Directory gives a report of what is going on inside the Active Directory and Group Policy. The software audits the changes made to the directory and the logons to reduce the risk of abuse, streamline troubleshooting, and enforce IT governance and compliance. Netwrix Auditor can be deployed on premises, on a Windows Server, or on a virtual server.

Getting Started

The first run requires configuring the SQL Server instance, because SQL Server Reporting Services (SSRS) is needed in addition to the database engine. Features such as .NET Framework 3.5 and above must be installed before installing the auditing software. Netwrix software runs in two modes:

  1. The Administrator console, which configures the auditing environment.
  2. The Auditor client, which handles the query and reporting tool.

The two modes have other nodes within the consoles with specific tasks:

  • Managed Objects – for defining the supported applications to audit.
  • AuditArchive – connects to the database and provides the long-term audit storage options.
  • Settings – handles credentials, SMTP settings, licenses, and email addresses.

Netwrix Expected Output

Active Directory is the home of several objects that generate many logs, however, after defining what objects to audit in the Netwrix console, here are some of the expected results:

1. Listing all Changes
All changes made in the Active Directory will be detected and information such as WHO, WHAT, WHEN, and WHERE also form part of the report.

Login activities in the critical systems will be reported and all failed and successful attempts will be displayed. The Logon history of any particular user is also available.

2. Current Configuration Reports
The current state of users and groups, including properties such as permissions and other common user settings can be compared against a particularly known standard for consistencies.

The software also checks the compliance level of Active Directory against the configured standards. Any changes to audit policy settings or modifications to Group Policy are displayed as well.

3. Active Directory Risk Assessment
Risks arising from incorrect privilege assignment and poor user account management are assessed, which helps close security gaps early. Known threat patterns are flagged, and Netwrix gives you the opportunity to react within minutes of an alert.

4. Behavior Anomaly Reporting
Malicious activity from insiders and compromised accounts can be detected early enough for system administrators to act and protect critical systems and cloud applications. Searches across the collected audit data can be customized and work much like a search in your preferred web browser.

Search history can be saved and retrieved on demand. Low-profile threats, such as unusual logons that may indicate a stolen identity, are also reported as possible threats to Active Directory.

5. Detailed Reports on All Dashboards
IT and business users get Active Directory audit reports in the format they need, by sorting, filtering, drilling down, exporting, and subscribing via the web or email.

6. Additional Controls
Reports on effective permissions show who is supposed to access which resource in the network, which streamlines access management. How each right was assigned is also indicated.

7. Inactive User Tracking and Password Expiration Alerts
Inactive user accounts are identified and deactivated, while the remaining Active Directory users are alerted before their passwords expire. Account lockout issues can be resolved by analyzing the data in the report.

8. Rolling Back Changes
If an unwanted change breaks something, Netwrix Auditor can revert Active Directory objects to a previous known-good state without restoring from a backup.

Netwrix Auditor works in the background, so it does not reduce system performance or cause downtime.
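The WHO / WHAT / WHEN / WHERE view in item 1 and the privileged-change alerting in item 3 are built on the Security-log events that Windows Server itself writes when directory service change auditing is enabled. The following PowerShell is an added example, not code from the page or from Netwrix: it reduces two constructed sample events (5136, directory object modified, and 5141, directory object deleted) to that four-column view and flags membership changes to built-in privileged groups. The sample events, the server names and the list of privileged groups are assumptions for illustration.

```powershell
# Added example, not from the page and not Netwrix code: the native Security-log events
# that Active Directory change auditing is built on, reduced to the WHO / WHAT / WHEN / WHERE
# view described above. Event 5136 = directory object modified, 5141 = directory object deleted.
# The two events below are constructed for illustration; field names follow the EventData
# layout of those events.
$SampleEventXml = @'
<Events>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
   <EventID>5136</EventID>
   <TimeCreated SystemTime="2024-03-01T10:15:02.000Z"/>
   <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
   <Data Name="SubjectUserName">jdoe</Data>
   <Data Name="SubjectDomainName">CORP</Data>
   <Data Name="ObjectDN">CN=Domain Admins,CN=Users,DC=corp,DC=example</Data>
   <Data Name="ObjectClass">group</Data>
   <Data Name="AttributeLDAPDisplayName">member</Data>
   <Data Name="AttributeValue">CN=svc-backup,OU=Service,DC=corp,DC=example</Data>
   <Data Name="OperationType">%%14674</Data>
  </EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
   <EventID>5141</EventID>
   <TimeCreated SystemTime="2024-03-01T10:20:44.000Z"/>
   <Computer>DC02.corp.example</Computer>
  </System>
  <EventData>
   <Data Name="SubjectUserName">helpdesk1</Data>
   <Data Name="SubjectDomainName">CORP</Data>
   <Data Name="ObjectDN">CN=Temp Share,OU=Groups,DC=corp,DC=example</Data>
   <Data Name="ObjectClass">group</Data>
  </EventData>
 </Event>
</Events>
'@

# Groups whose membership changes should always raise an alert. Assumption: extend the
# list for your own environment (for example custom admin groups).
$PrivilegedGroupPrefixes = @(
  'CN=Domain Admins,CN=Users,'
  'CN=Enterprise Admins,CN=Users,'
  'CN=Schema Admins,CN=Users,'
  'CN=Administrators,CN=Builtin,'
)

function ConvertTo-AuditRecord {
    # Turn one <Event> element into a WHO / WHAT / WHEN / WHERE record.
    param([Parameter(Mandatory)][System.Xml.XmlElement]$Event)

    # Flatten <Data Name="...">value</Data> into a hashtable keyed by the Name attribute.
    $data = @{}
    foreach ($d in $Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # EventID is a plain string here; in some logs it is an element carrying a Qualifiers attribute.
    $rawId = $Event.System.EventID
    $id = [int]$(if ($rawId -is [string]) { $rawId } else { $rawId.InnerText })

    $what = switch ($id) {
        5136 {
            # %%14674 = value added, %%14675 = value deleted
            $op = if ($data.OperationType -eq '%%14674') { 'added to' } else { 'removed from' }
            "'$($data.AttributeValue)' $op attribute '$($data.AttributeLDAPDisplayName)'"
        }
        5141    { 'object deleted' }
        default { "event $id" }
    }

    # A change is "privileged" when the target is a group whose DN starts with a known admin group.
    $privileged = ($data.ObjectClass -eq 'group') -and
        [bool]($PrivilegedGroupPrefixes | Where-Object { $data.ObjectDN -like "$($_)*" })

    [pscustomobject]@{
        When       = [System.Xml.XmlConvert]::ToDateTime($Event.System.TimeCreated.SystemTime,
                         [System.Xml.XmlDateTimeSerializationMode]::Utc)
        Who        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        What       = $what
        Where      = '{0} {1} (recorded on {2})' -f $data.ObjectClass, $data.ObjectDN, $Event.System.Computer
        Privileged = $privileged
    }
}

$records = foreach ($e in ([xml]$SampleEventXml).Events.Event) { ConvertTo-AuditRecord $e }
$records | Format-Table When, Who, What, Where -AutoSize
$records | Where-Object Privileged | ForEach-Object {
    Write-Warning "Privileged group changed by $($_.Who): $($_.What) on $($_.Where)"
}

# Against a live domain controller (assumption: the 'Directory Service Changes' audit
# subcategory is enabled and the objects carry a SACL, otherwise no 5136 is ever written):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5141 } -MaxEvents 500 |
#     ForEach-Object { ConvertTo-AuditRecord ([xml]$_.ToXml()).Event }
```

The point worth checking on any auditing deployment, Netwrix included, is the last comment: these events only exist if the Directory Service Changes subcategory is enabled (auditpol /set /subcategory:"Directory Service Changes" /success:enable) and the audited objects have a SACL. A tool that reads the Security log cannot report a change the domain controller never recorded.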

Defining Managed Objects

A managed object is the target (the AD objects) that Netwrix audits. Details such as the database, the scope of the audit, and real-time alert settings are set when defining the object. After the object is defined, running a data collection job gathers an overall overview of Active Directory.

Viewing Audit Data

The Netwrix Auditor home page has several icons that offer one-click access to many tasks. Clicking the relevant one displays a table of results matching the search criteria. To view a specific audit outcome that answers the security questions WHO, WHAT, WHEN, and WHERE, system administrators should use the search feature to create custom queries.

Generating Reports

Netwrix Auditor runs on top of the security services built into Windows Server. Instead of writing queries to generate reports, you can use the pre-built reports, which cover many aspects of Active Directory.

The advantage of the pre-built reports is that they are pre-formatted to match known industry standards, so passing compliance tests with Netwrix is faster and more accurate. The final report can be exported to other formats such as text, PDF, or HTML.

Conclusion

Many organizations today are subject to compliance regulation and testing. Auditing changes in Active Directory is considered a mandatory part of an organization’s security strategy.

Plenty of tools and packages can make this work easier; some have limitations, while others offer a comprehensive view even on a complex network. Netwrix strikes a balance, giving almost all the information needed without much effort.

How to Set Up Azure Active Directory Account

Microsoft is dedicated to ensuring that individuals can access their computers and perform various tasks. The company established the Windows system to enable its users to launch and run various programs.

As such, Windows is designed to accommodate other programs that perform specific tasks, making Microsoft software and computers friendly to many users.

This article focuses on Azure Active Directory Connect (Azure AD Connect) and its functions. It also explains how to set up Azure AD Connect on a computer or server running Windows.

First, though, one must understand what Azure AD Connect is and what it does. Understanding its primary functions makes the installation steps, and why each is essential to the smooth running of the program, easy to follow.

BACKGROUND

Azure AD Connect is the Microsoft component dedicated to synchronizing identity data between on-premises Active Directory and Azure Active Directory. The program lets the administrator configure and deploy the prerequisites required for the connection, including synchronization and sign-on.

It also incorporates the functionality of DirSync and Azure AD Sync, which were originally released as separate programs. Once launched by an administrator, the installer first adds a few essential components such as the .NET Framework and the Microsoft Online Services Sign-In Assistant, which are necessary for it to function.

It then installs and configures the synchronization service and enables synchronization in the Azure AD tenant. Lastly, it sets up password hash synchronization, or whichever sign-on option the administrator selected.

MODES OF INSTALLATION

Azure AD Connect can be installed in two primary ways, express installation and custom installation, depending on the preferences of the user.

Express installation is the default setting of a freshly downloaded installer. It is designed for new users who are not yet familiar with the program and provides the basic installation options.

Custom installation, on the other hand, is mainly used by users who know the program and require functions that are not accessible through express installation. It enables the user to set options that the express installation does not offer.

Express Installation

1. Sign in as a local administrator on the server on which you will install Azure AD Connect, since the administrator authorizes installation of all programs on that computer. Install the program on the server that you want to be the main sync server.
2. Navigate to AzureADConnect.msi and double-click it. A welcome screen bearing the terms and conditions is displayed. Check the Agree option and select Continue.
3. At the bottom of the window you are presented with two options, Customize and Use express settings. Since we are using the express option, click Use express settings.
4. A window pops up prompting for the username and password of a global administrator for your company’s Azure AD. Enter the correct details and click Next.
5. The AD DS window then pops up, prompting for the username and password of the organization’s admin account. In the username field, enter the domain in either FQDN or NetBIOS format (e.g. pnl.co.uk\administrator or PNL\administrator). Ensure that every domain listed on the next page is verified and, once it is, click Next.
6. Next is the install screen. Click Install and let the synchronization run until every element is fully configured. If there is an on-premises Exchange, Exchange Hybrid Deployment must be enabled. Lastly, click Install and then Exit once everything is installed.
7. Sign out, then sign back in again before using the Synchronization Service Manager.

Custom Installation

The initial steps of a custom installation are not very different from the express installation. A user may opt for the custom settings when the options provided by the express settings are not satisfactory.

1. Follow steps 1 and 2 of the express installation, then at step 3 select the Customize option.
2. Proceed to install the required components, then choose the user sign-in method. There are four options on this screen:
a. Password Hash Synchronization
b. Pass-through Authentication
c. Federation with AD FS
d. Do not configure
With the first three, users can sign in to Microsoft cloud services such as Office 365 with the same password they use for their on-premises accounts. Select your preferred option and check the Enable single sign-on box.
3. Next you see the Connect to Azure AD screen and are prompted for the global administrator’s Azure AD username and password. If the administrative account has multi-factor authentication enabled, complete the verification using the code sent by phone call or text message.
4. Once connected, the Connect your directories screen pops up. Select Active Directory as the directory type, then enter the forest name and the necessary credentials.
5. An Add Directory option then appears with two choices: create a new account or use an existing account. Provide the credentials for the chosen account and proceed to the Azure AD sign-in configuration. All the domains presented on this screen must be verified; if one is not, verify it and refresh the screen. Then select a suitable user principal name attribute and click Next.
6. Domain and OU filtering must also be set. This option lets the user synchronize all domains and OUs or only selected ones.
7. Uniquely identifying your users: there are two options, users are represented only once across all directories, or user identities exist across multiple directories. Also select how users are to be identified.
8. Choose which users and devices to synchronize, then click Next.
9. The Optional features screen pops up. Select the features you want.
10. An option for the apps available in Azure AD then pops up. Choose the suitable apps and click Next.
11. Select the necessary directory extensions, then move on to configure and install the program. As with the express installation, enter the proper forest credentials to enable the sign-on option.
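Neither wizard tells you afterwards whether synchronization is actually running. The following PowerShell is an added example, not code from the page or from Microsoft: run on the Azure AD Connect server after the express or the custom installation, it reads the scheduler and connector state through the ADSync module that the installer places on the server, lists anything that would stop changes flowing to Azure AD, and starts a delta sync when the server looks ready. The function names and the set of checks are assumptions for this example.

```powershell
# Added example, not from the page and not Microsoft code: checks to run on the Azure AD
# Connect server after the express or custom wizard finishes, using the ADSync module
# that the installer puts on the server. Run from an elevated PowerShell on that server.
Import-Module ADSync -ErrorAction Stop

function Get-AADConnectHealth {
    # Scheduler state: whether the sync cycle runs, when it runs next, and whether this
    # server is a staging (import-only) server.
    $sched = Get-ADSyncScheduler
    # Expect one connector per on-premises forest plus one for the Azure AD tenant.
    $connectors = @(Get-ADSyncConnector | Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        SyncCycleEnabled   = $sched.SyncCycleEnabled
        SchedulerSuspended = $sched.SchedulerSuspended
        StagingModeEnabled = $sched.StagingModeEnabled
        SyncInProgress     = $sched.SyncCycleInProgress
        EffectiveInterval  = $sched.CurrentlyEffectiveSyncCycleInterval
        NextSyncUtc        = $sched.NextSyncCycleStartTimeInUTC
        Connectors         = $connectors
    }
}

function Test-AADConnectReady {
    # Returns a list of problems; an empty list means the server looks ready to sync.
    param([Parameter(Mandatory)]$Health)
    $problems = @()
    if (-not $Health.SyncCycleEnabled) {
        $problems += 'Sync cycle is disabled: no changes will flow to Azure AD.'
    }
    if ($Health.SchedulerSuspended) {
        $problems += 'Scheduler is suspended (the configuration wizard sets this while it runs; it should be clear afterwards).'
    }
    if ($Health.StagingModeEnabled) {
        $problems += 'Staging mode is on: this server imports but does not export. Expected only on a standby server.'
    }
    if ($Health.Connectors.Count -lt 2) {
        $problems += 'Fewer than two connectors: the on-premises forest or the Azure AD tenant is not connected.'
    }
    return $problems
}

$health = Get-AADConnectHealth
$health | Format-List
$issues = @(Test-AADConnectReady -Health $health)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} elseif (-not $health.SyncInProgress) {
    # Do not wait for the scheduler: run a delta sync now. Use -PolicyType Initial
    # after filtering or attribute changes, which require a full cycle.
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

One caveat the wizards do not spell out: the Azure AD Connect server stores the credentials it uses for both directories, and with password hash synchronization its on-premises connector account is granted directory replication rights. Microsoft’s guidance is to treat the server as a Tier 0 system, like a domain controller, so limit who can sign in to it and do not install other software on it.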