How to Detect a New Domain Controller in Your Network

Some malware can register a rogue Domain Controller in order to infect your network and steal data. DCShadow is a late-stage kill chain attack that allows an attacker who already holds compromised privileged credentials to register a rogue Active Directory (AD) domain controller (DC). The adversary can then push any changes they like via replication, including changes that grant them elevated rights and establish persistence. A new Domain Controller can be extremely difficult to detect, so you need to know how to find one if you suspect an infection.

Overview

A domain controller is a server that manages the security and authentication of users and computers in a domain. A domain is a logical grouping of network resources that share a common name and directory database. A new domain controller can be added to a domain for various reasons, such as increasing redundancy, improving performance, or expanding the network.

However, a new domain controller can also pose a security risk if it is not authorized or configured properly. An unauthorized domain controller can compromise the security of the entire domain by granting access to unauthorized users or computers, or by intercepting and modifying network traffic. Therefore, it is important to detect and monitor any new domain controllers in your network.

In this blog post, we will show you how to detect a new domain controller in your network using some simple tools and techniques. We will assume that you have administrative privileges on your network and that you are familiar with basic Windows commands and PowerShell.

Use the Netdom Command

The netdom command is a Windows command-line tool that can be used to manage domains and trust relationships. One of the functions of the netdom command is to list all the domain controllers in a domain. To use the netdom command, you need to open a command prompt as an administrator and type the following command:

netdom query dc

This command will display all the domain controllers in your current domain. You can also specify a different domain name after the dc parameter if you want to query another domain. For example:

netdom query dc example.com

The output of this command will look something like this:

List of domain controllers with accounts in the domain:

DC1
DC2
DC3
The command completed successfully.

You can compare this output with your previous records or expectations to see if there is any new or unexpected domain controller in your domain. If you find one, you should investigate further to determine its origin and purpose.

Use the Get-ADDomainController PowerShell Cmdlet

The Get-ADDomainController PowerShell cmdlet is another tool that can be used to retrieve information about domain controllers in a domain. To use this cmdlet, you need to open a PowerShell window as an administrator and type the following command:

Get-ADDomainController -Filter *

This command will display all the domain controllers in your current domain along with some additional information, such as their name, site, operating system, IP address, and roles. You can also specify a different domain name after the -Server parameter if you want to query another domain. For example:

Get-ADDomainController -Filter * -Server example.com

The output of this command will look something like this:

DistinguishedName      : CN=DC1,OU=Domain Controllers,DC=example,DC=com
DNSHostName            : DC1.example.com
Enabled                : True
Name                   : DC1
ObjectClass            : computer
ObjectGUID             : 12345678-1234-1234-1234-123456789012
SamAccountName         : DC1$
SID                    : S-1-5-21-1234567890-1234567890-1234567890-1000
Site                   : Default-First-Site-Name
OperatingSystem        : Windows Server 2019
OperatingSystemVersion : 10.0 (17763)
Forest                 : example.com
Domain                 : example.com
IPv4Address            : 192.168.1.1
IPv6Address            : fe80::1234:5678:90ab:cdef%12
IsGlobalCatalog        : True
IsReadOnly             : False
IsSeized               : False
Roles                  : {PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster...}

DistinguishedName      : CN=DC2,OU=Domain Controllers,DC=example,DC=com
DNSHostName            : DC2.example.com
Enabled                : True
Name                   : DC2
ObjectClass            : computer
ObjectGUID             : 23456789-2345-2345-2345-234567890123
SamAccountName         : DC2$
SID                    : S-1-5-21-2345678901-2345678901-2345678901-1000
Site                   : Default-First-Site-Name
OperatingSystem        : Windows Server 2019
OperatingSystemVersion : 10.0 (17763)
Forest                 : example.com
Domain                 : example.com
IPv4Address            : 192.168.1.2
IPv6Address            : fe80::1235:5678:90ac:cdef%12
IsGlobalCatalog        : True
IsReadOnly             : False
IsSeized               : False
Roles                  : {PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster...}
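Both tools above leave the "compare with your previous records" step to you. The following PowerShell script is an added example (not code from the original post): it saves the Get-ADDomainController inventory to a baseline file, and on later runs reports domain controllers that are new, missing, or have changed operations-master roles. It also cross-checks the NTDS Settings objects in the Configuration partition against the Domain Controllers OU, because a rogue replica has to register such an object to take part in replication. The cmdlets and property names are the real ActiveDirectory module ones (the cmdlet exposes FSMO roles as OperationMasterRoles); the baseline path is an assumption you should change.

```powershell
# Added example (not from the original post): snapshot the DC inventory to a
# baseline file, then diff later runs against it so a newly registered DC
# stands out. Assumes the RSAT ActiveDirectory module; the baseline path is a
# placeholder of your choosing.
Import-Module ActiveDirectory

$BaselinePath = 'C:\Baseline\dc-baseline.json'   # assumption: where the baseline is kept

function Get-DcInventory {
    # One flat record per DC; HostName is the stable key used for the diff.
    param([string]$Server)
    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }   # optional: query another domain, as in the post
    Get-ADDomainController @query |
        Select-Object Name, HostName, IPv4Address, Site, IsGlobalCatalog, IsReadOnly,
            @{ Name = 'Roles'; Expression = { (@($_.OperationMasterRoles) | Sort-Object) -join ',' } },
            NTDSSettingsObjectDN
}

function Save-DcBaseline {
    param([string]$Path = $BaselinePath)
    # -InputObject with @() keeps a single-DC domain serialised as a JSON array.
    ConvertTo-Json -InputObject @(Get-DcInventory) -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-DcInventory {
    param([string]$Path = $BaselinePath)
    if (-not (Test-Path -Path $Path)) { throw "No baseline at $Path; run Save-DcBaseline first." }
    $baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $current  = @(Get-DcInventory)

    $known = @{}
    foreach ($dc in $baseline) { $known[$dc.HostName] = $dc }

    foreach ($dc in $current) {
        if (-not $known.ContainsKey($dc.HostName)) {
            [pscustomobject]@{ Finding = 'NEW_DC'; HostName = $dc.HostName
                               Detail = "site=$($dc.Site) ip=$($dc.IPv4Address) ntds=$($dc.NTDSSettingsObjectDN)" }
            continue
        }
        $old = $known[$dc.HostName]
        if ($old.Roles -ne $dc.Roles) {
            [pscustomobject]@{ Finding = 'ROLES_CHANGED'; HostName = $dc.HostName; Detail = "$($old.Roles) -> $($dc.Roles)" }
        }
        $known.Remove($dc.HostName)
    }
    foreach ($gone in $known.Keys) {
        [pscustomobject]@{ Finding = 'MISSING_DC'; HostName = $gone; Detail = 'present in baseline, absent now' }
    }
}

function Find-UnexpectedNtdsSettings {
    # Every NTDS Settings (nTDSDSA) object under Sites should belong to a server
    # whose serverReference points at a computer account in the Domain
    # Controllers OU. Anything else is worth an analyst's look.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dcOu     = (Get-ADDomain).DomainControllersContainer
    Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=nTDSDSA)' |
        ForEach-Object {
            $serverDn = $_.DistinguishedName -replace '^CN=NTDS Settings,', ''
            $server   = Get-ADObject -Identity $serverDn -Properties serverReference
            if (-not $server.serverReference -or $server.serverReference -notlike "*,$dcOu") {
                [pscustomobject]@{ Finding = 'NTDS_SETTINGS_OUTSIDE_DC_OU'; Server = $server.Name
                                   ComputerDN = $server.serverReference }
            }
        }
}

# First run from a known-good state records the baseline; later runs diff against it.
if (-not (Test-Path -Path $BaselinePath)) { Save-DcBaseline } else { Compare-DcInventory }
Find-UnexpectedNtdsSettings
```

Run the baseline capture only when you are confident the current DC set is legitimate; afterwards, schedule Compare-DcInventory and Find-UnexpectedNtdsSettings and route any output to your ticketing or SIEM, since a rogue replica may only exist for minutes.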

You can also monitor Event ID 4742 (A computer account was changed) in the Security log of your domain controllers to track changes to your registered Domain Controller accounts. The event records which user initiated the change, so you can see which Domain Administrator account is being used to perform the attack.
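The following is an added example (not code from the original post) of reviewing Event ID 4742 the way the paragraph suggests. It flattens each event into the fields an investigator wants (who, when, which computer account), then flags changes to an account on your known-DC list, and changes that write the GC/ or replication-interface service principal names, which are what a directory replica advertises. The known-DC list is assumed to come from your own inventory; the event at the end is a constructed sample so the parsing can be tried without a live log.

```powershell
# Added example (not from the original post): surface the Security Event ID
# 4742 changes that matter for a rogue-DC investigation. Assumes you supply
# the DC account names from your inventory; the sample event is constructed.

function ConvertFrom-ComputerChangeEvent {
    # Flatten one 4742 event (as XML) into the fields worth reviewing.
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Time    = $EventXml.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Subject = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']   # who made the change
        Target  = $data['TargetUserName']            # the changed computer account, e.g. DC1$
        Spns    = $data['ServicePrincipalNames']     # '-' when the attribute was not changed
        NewUac  = $data['NewUacValue']
    }
}

function Test-ComputerChangeOfInterest {
    # Returns the reasons a change deserves a look; an empty array means routine.
    param([Parameter(Mandatory)]$Change, [string[]]$KnownDcAccounts = @())
    $reasons = @()
    if ($KnownDcAccounts -contains $Change.Target) {
        $reasons += 'target is an existing domain controller account'
    }
    # GC/ and the DRS replication interface GUID are the SPNs a directory replica advertises.
    if ($Change.Spns -and $Change.Spns -ne '-' -and
        $Change.Spns -match 'GC/|E3514235-4B06-11D1-AB04-00C04FC2DCD2') {
        $reasons += 'replication/GC service principal names were written to the account'
    }
    return ,$reasons
}

function Get-ComputerChangesOfInterest {
    # Live run on a DC (or a collector with forwarded events): newest $MaxEvents 4742 events.
    param([string[]]$KnownDcAccounts, [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4742 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $change = ConvertFrom-ComputerChangeEvent -EventXml ([xml]$_.ToXml())
            $why = Test-ComputerChangeOfInterest -Change $change -KnownDcAccounts $KnownDcAccounts
            if ($why.Count -gt 0) {
                $change | Add-Member -NotePropertyName Reasons -NotePropertyValue ($why -join '; ') -PassThru
            }
        }
}

# Constructed sample (not a real log entry): a workstation account is given a GC SPN.
$sample = [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4742</EventID><TimeCreated SystemTime="2024-01-01T12:00:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TargetUserName">WKSTN01$</Data>
    <Data Name="ServicePrincipalNames">GC/wkstn01.example.com/example.com</Data>
  </EventData>
</Event>
"@
$change = ConvertFrom-ComputerChangeEvent -EventXml $sample
$change
Test-ComputerChangeOfInterest -Change $change -KnownDcAccounts @('DC1$', 'DC2$')

# Live use: Get-ComputerChangesOfInterest -KnownDcAccounts @('DC1$', 'DC2$') | Format-Table
```

Because 4742 is written on the DC that processed the change, collect it from every DC (or forward it centrally) rather than reading a single server's log, and pair the Subject field with your privileged-account list so an unexpected Domain Admin shows up immediately.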

Provisioning SharePoint Server 2013 on Windows Azure – Part II

Problem

When you initially attempt to configure SharePoint 2013 on Azure, it will point you to a SharePoint 2013 trial in the template gallery. This is not the correct way to configure an instance of SharePoint on Azure. This template virtual image is not meant for a single standalone SharePoint Server 2013 installation. Microsoft intends for you to use SharePoint Online or Office 365, or if you want more control you need to create an on-premises installation.

Solution

You need to “manually” create a SharePoint environment in Azure. As a minimum, there are 4 steps (with multiple sub-steps) that you will need to complete to properly provision a SharePoint 2013 environment on Windows Azure. Your environment is unique to your needs, but this should help you understand the general steps required.

  1. Create and Configure Network components
  2. Install and Configure Domain Controller
  3. Install and Configure SQL Server
  4. Install and Configure SharePoint Server 2013

Let’s go through these steps and see what is required to successfully work our way through this configuration. You can refer to Part I to get through step 1 shown above. Several people have written articles on this subject, so I’ll attempt to just summarize here. If you need details, I hope you will seek out the details and read more on this subject.

The next step is to install and configure a domain controller.

  • Create Domain Controller VM – Go to “New Virtual Machine” and choose “Windows Server 2012 Datacenter” from the Azure Gallery. Select the size (I suggest Medium) to begin the configuration.
    • Configuring Domain Controller – Once the Domain Controller is provisioned, click on the “Connect” button and RDP into the new instance. Click on “Add Roles and Features” and follow the basic procedures to create a domain controller.
      1. In the Server Roles section, choose “Active Directory Domain Services”.
      2. Click on “Add Features” and then on the “Confirmation” tab click on “Install”. Once this is done you may be required to restart the server. Restart and again RDP into the instance. Near “Manage this server” click on the yellow triangle and click on “Promote to Domain Controller”.
      3. Add a new Forest. Mention the domain name you want to use.
      4. You can ignore the DNS Options error about “Parent Zone”.
      5. Change the paths, if required, for the ADDS Database folder, log files folder, and SYSVOL folder.
      6. Once you click on “Install”, the prerequisites will be installed and your Domain Controller is ready to add users.
  • Add new user accounts to the domain – This is just like an on-premises installation, so we will create 4 users in this new domain:
    • “sp_farm” to manage the SharePoint farm
    • “sp_farm_db” to have sysadmin rights on SQL Server instances.
    • “sp_install” to have domain administration rights needed for installing roles and features
    • “sqlserver” to have an identity that SQL instances can run as
  • sp_install user configuration – All the users can just be added normally (“Action” –> “New” –> “User”), except sp_install. We will specifically walk through creating this user since there are some extra steps required to properly configure this user. The other 3 users are simple user creations.
    • Add “sp_install” to the Domain Admin Group
    • Go to “Domain” –> “Properties” –> “Security Tab”, then click the “Advanced” button, select the “Principal” link and type “sp_install”.
    • Select “Read All Properties” and “Create Computer Objects” from the options.
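As an added example (not code from the original post), here is the same Part II procedure done from PowerShell instead of Server Manager and the Users and Computers console, so it can be repeated for each environment: adding the AD DS role and promoting the server to a new forest (steps 1 to 6), then creating the four accounts, adding sp_install to Domain Admins, and granting it Read All Properties and Create Computer Objects on the domain with dsacls. The domain name, NetBIOS name and NTDS/SYSVOL paths are placeholders you must replace; the cmdlets are the standard ServerManager, ADDSDeployment and ActiveDirectory ones.

```powershell
# Added example (not from the original post): Part II's steps as a script.
# Run pass 1 on the fresh VM; it reboots the server when promotion completes.
# Run pass 2 after logging back in as the domain administrator.
$DomainName  = 'corp.example.com'   # assumption: your new forest root name
$NetbiosName = 'CORP'               # assumption: its NetBIOS name
$NtdsPath    = 'C:\Windows\NTDS'    # change as in step 5 if you want them elsewhere
$SysvolPath  = 'C:\Windows\SYSVOL'

# Pass 1: steps 1-6 of the post. -CreateDnsDelegation:$false is the scripted
# equivalent of ignoring the "Parent Zone" DNS Options warning (step 4).
function Install-FirstDomainController {
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    $dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -InstallDns -CreateDnsDelegation:$false `
        -DatabasePath $NtdsPath -LogPath $NtdsPath -SysvolPath $SysvolPath `
        -SafeModeAdministratorPassword $dsrm -Force   # -Force skips the confirmation prompt
}

# Pass 2: the four accounts from the post, plus sp_install's extra rights.
function New-SharePointServiceAccounts {
    Import-Module ActiveDirectory
    $accounts = [ordered]@{
        sp_farm    = 'Manages the SharePoint farm'
        sp_farm_db = 'sysadmin on the SQL Server instances'
        sp_install = 'Installs roles and features'
        sqlserver  = 'Identity the SQL instances run as'
    }
    foreach ($name in $accounts.Keys) {
        if (Get-ADUser -Filter "SamAccountName -eq '$name'") { continue }   # idempotent re-runs
        $pw = Read-Host -Prompt "Password for $name" -AsSecureString
        New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@$DomainName" `
            -Description $accounts[$name] -AccountPassword $pw -Enabled $true
    }

    # sp_install: Domain Admins membership (as the post does) and the two rights it
    # selects in the Advanced Security dialog on the domain root.
    Add-ADGroupMember -Identity 'Domain Admins' -Members 'sp_install'
    $domainDn = (Get-ADDomain).DistinguishedName
    # dsacls: RP = Read All Properties; CC;computer = Create Computer Objects;
    # /I:T applies the entry to the domain object and everything beneath it.
    & dsacls.exe $domainDn /I:T /G "$NetbiosName\sp_install:RP"
    & dsacls.exe $domainDn /I:T /G "$NetbiosName\sp_install:CC;computer"
}

# Pick the pass for where you are in the procedure:
# Install-FirstDomainController      # on the new VM, before the reboot
# New-SharePointServiceAccounts      # after the reboot, as the domain administrator
```

Keep the two dsacls calls separate rather than combining the permission letters: RP is a property right on the object while CC;computer is a child-creation right scoped to the computer class, and listing them as distinct entries makes the resulting ACL easier to audit later.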

You can read more on this topic here.

In future articles, we will continue to work our way through the process until we have a working SharePoint instance on Azure.

Provisioning SharePoint Server 2013 on Windows Azure – Part I

Problem

When you initially attempt to configure SharePoint 2013 on Azure, it will point you to a SharePoint 2013 trial in the template gallery. This is not the correct way to configure an instance of SharePoint on Azure. This template virtual image is not meant for a single standalone SharePoint Server 2013 installation. Microsoft intends for you to use SharePoint Online or Office 365, or if you want more control you need to create an on-premises installation.

Solution

You need to “manually” create a SharePoint environment in Azure. As a minimum, there are 4 steps (with multiple sub-steps) that you will need to complete to properly provision a SharePoint 2013 environment on Windows Azure. Your environment is unique to your needs, but this should help you understand the general steps required.

  1. Create and Configure Network components
  2. Install and Configure Domain Controller
  3. Install and Configure SQL Server
  4. Install and Configure SharePoint Server 2013

Let’s go through these steps and see what is required to successfully work our way through this configuration. Several people have written articles on this subject, so I’ll attempt to just summarize here. If you need details, I hope you will seek out the details and read more on this subject.

So the first step is to create and configure network components. At the minimum we will need the following network components:

  • One Virtual Private Network – Click on Network Services in the Windows Azure Management portal and click on “New”. Enter the details such as the Name of the VPN and your selected Region.
  • Three Subnets – A minimum of 3 is required for a small farm, where the Application Subnet and Web Subnet can be joined together. As the name suggests, you will use these for the Domain Controller, SQL Database, Application Server and Web Server roles.
  • One DNS Server – Choose the static IP given to the DNS Server.
  • One Windows Azure Storage Account – After the network is ready, create a storage account. Give it a name and follow the wizard. Your storage account will be created in just a few seconds.

You can read more on this topic here.

In future articles, we will continue to work our way through the process until we have a working SharePoint instance on Azure.
