Microsoft ATA: Encryption downgrade activity

If you have Microsoft Advanced Threat Analytics (ATA) within your environment, you may have seen the following warning:

Encryption downgrade activity
The encryption method of the ETYPE_INFO field of KRB_ERR message from x computers has been downgraded based on previously learned behavior. This may be a result of a Skeleton Key on x domain controllers.

I work for quite a large firm, and we were getting these for a handful of computers and accounts.

Initially we looked through Microsoft’s somewhat useful Advanced Threat Analytics suspicious activity guide. However, under the heading “Encryption downgrade activity” it somewhat puts the fear of God into you. Indeed, after we did our investigations with the tools provided in that article, we found nothing. So what was going on?

We raised an incident with Microsoft and eventually found that these accounts had passwords that had not been updated for a very long time (before 2010).

Essentially:

  1. When a client negotiates with the KDC (a Domain Controller), it will send the client principal name and realm (e.g. username/domain.local).
  2. The KDC will look up the client in Active Directory, specifically the supplementalCredentials attribute in AD.
  3. Should the user be missing the Primary:Kerberos-Newer-Keys property, the KDC will negotiate a weaker encryption type with the client, and the warning will be raised in ATA.

If your domain functional level is Windows 2008 or higher (which quite frankly it should be by now!), reset the user’s password, as the 2008 DFL introduces the Primary:Kerberos-Newer-Keys property. Resetting the user’s password *should* populate the Primary:Kerberos-Newer-Keys property, and the warning should go away in ATA.

If you want to test whether you have this issue, just try logging on with one of the impacted user accounts to a domain-joined PC, or any other system that authenticates via Kerberos. Use a bogus password for the account; don’t worry if you don’t know the account’s password, because the Kerberos encryption-type negotiation happens before the password is checked. If your failed logon raises an alert in ATA, then that account needs to change its password.

TL;DR: Just reset the password of the impacted users.
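An added example (not part of the original post) that finds the accounts this affects before the alerts do: it lists enabled users whose password predates a cut-off, which is where the missing Primary:Kerberos-Newer-Keys property comes from. It assumes the ActiveDirectory RSAT module; the 2010 cut-off is a constructed value matching the observation above, so adjust it for your domain.

```powershell
# Added example, not from the original post: report enabled accounts whose password was last set
# before $cutoff. These are the accounts most likely to lack Primary:Kerberos-Newer-Keys and to
# trigger the ATA encryption downgrade warning. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory
$cutoff = Get-Date '2010-01-01'   # constructed value; the post observed passwords from before 2010

$stale = Get-ADUser -Filter { Enabled -eq $true -and PasswordLastSet -lt $cutoff } `
                    -Properties PasswordLastSet, pwdLastSet, LastLogonDate |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate,
        @{ n = 'PasswordAgeYears'; e = {
            if ($_.PasswordLastSet) { [math]::Round(((Get-Date) - $_.PasswordLastSet).TotalDays / 365.25, 1) }
        } },
        # pwdLastSet = 0 means "must change password at next logon"; those users will refresh
        # their own keys when they set the new password, so they need no admin reset.
        @{ n = 'MustChangeAtLogon'; e = { $_.pwdLastSet -eq 0 } }

$stale | Sort-Object PasswordLastSet | Format-Table -AutoSize

# Keep the list so the resets can be scheduled and each ATA alert tied back to an account.
$stale | Export-Csv -Path .\stale-kerberos-keys.csv -NoTypeInformation
```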


Filtering the Windows Security Log

Filtering the Windows Security Log can be a pain in the arse if you don’t know how to use the XML filtering.

Here are two filtering options I use a lot in order to glean some information…

Filter Security Log by username:

Find all successful and unsuccessful logons from a particular user…

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='TargetUserName']='USERNAME']]</Select>
  </Query>
</QueryList>

Get NTLM Logons

Find all logons that were done with NTLM (good for finding the old crap on your network).

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]</Select>
  </Query>
</QueryList>
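An added example (not from the original post) that runs the NTLM filter above through Get-WinEvent and summarises which accounts and hosts still authenticate with NTLM, which is the "old crap" the query is meant to surface. It narrows the query to EventID 4624 (successful logons) and assumes you run it elevated on the server or DC whose Security log you want to inspect.

```powershell
# Added example, not from the original post: run the NTLM XPath filter through Get-WinEvent and
# summarise who is still authenticating with NTLM and from where. Adding the EventID=4624 clause
# keeps it to successful logons; this is the form Event Viewer itself writes for that combination.
[xml]$filter = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]</Select>
  </Query>
</QueryList>
'@

function Get-NtlmLogonSummary {
    param([xml]$Filter = $filter, [int]$MaxEvents = 5000)

    $events = Get-WinEvent -FilterXml $Filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # A 4624 event carries its fields as <Data Name="..."> elements; collect them in a hashtable.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName
            SourceIp    = $d.IpAddress
            LogonType   = $d.LogonType
            NtlmVersion = $d.LmPackageName   # 'NTLM V1' or 'NTLM V2' on a 4624 event
        }
    }
    # ANONYMOUS LOGON rows are usually background noise (null sessions); drop them so the table
    # shows the real accounts and hosts that need attention, NTLMv1 users first among them.
    $rows | Where-Object { $_.Account -notlike '*\ANONYMOUS LOGON' } |
        Group-Object Account, Workstation, NtlmVersion |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Account, Workstation, Version'; e = { $_.Name } }
}

Get-NtlmLogonSummary | Format-Table -AutoSize
```

Swap the XPath for the TargetUserName query above to get the same per-host breakdown for a single account.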

Visio org chart: entries not in the organization

If you are trying to create an organisation chart in Visio using Exchange, and getting the error:



Your organization data contains 1 entries that are not in the organization. Do you want to include them in your drawing?

To fix this, turn off caching in Outlook.

No idea why this works, haven’t looked much into it. If you do know of a more elegant way to solve this issue, leave a comment!

2012R2 Core and Hyper-V on Intel Nuc

As I am currently between jobs (read: unemployed), I thought I would build my own mini lab to help practice the timeless art of being a Windows System Administrator. To that end I have purchased an Intel i5 NUC (D54250WYKH). I chose this as a lab computer because my current place doesn’t have much space, and while it may not have incredible performance, it’s powerful enough to run a number of virtualised servers, provided you have enough RAM and an SSD.

This post will cover installing Windows Server 2012 R2 Core with Hyper-V on an Intel NUC in a workgroup environment (non domain joined).

Initial Notes

  1. According to Intel, the D54250WYKH does not come with AMT, so unfortunately you’ll have to connect a keyboard and monitor, at least initially, as Windows Server 2012 R2 does not come with the NIC drivers out of the box.
  2. The steps below rely on using both the command prompt and PowerShell. To enter PowerShell from the command prompt in Windows Server Core, just type: powershell. To exit PowerShell back to the command prompt, just type: exit.
  3. The client I am using is a Windows 8.1 Pro computer.

Ingredients

You’ll need the following:

  1. An Intel NUC (D54250WYKH), and the following drivers:
    1. Ethernet Adapter (you will need to modify the driver to allow installation on Windows Server 2012 R2, follow these steps)
    2. Chipset Device Software (you will need to extract the driver from the installer, you can do that by running SetupChipset.exe with the -extract argument)
    3. Management Engine Driver
  2. Windows 2012 R2 on a bootable USB
  3. Hyper-V Remote Management Configuration Utility (HVRemote)

Steps

  1. Install Windows Server 2012 R2 Core.
  2. Give the server a name, in PowerShell run:
    Rename-Computer -NewName server-name -Restart

  3. Because we are installing modified drivers, we need to disable Windows restrictions around unsigned drivers, run the following commands in command prompt:
    bcdedit /set LOADOPTIONS DISABLE_INTEGRITY_CHECKS
    bcdedit /set TESTSIGNING ON
    bcdedit /set nointegritychecks ON
    You will now need to reboot the server.

  4. Install the drivers using pnputil in command prompt:
    pnputil.exe -i -a D:\intel-drivers\nic\RarSFX0\PRO1000\Winx64\NDIS64\e1d64x64.inf
    You will be prompted with “Windows can’t verify the publisher of this driver software”; choose “Install this driver software anyway”.
    pnputil.exe -i -a D:\intel-drivers\smbus\Chipset_SMBus.inf
    pnputil.exe -i -a D:\intel-drivers\intelMEDrivers\MEI\heci.inf

  5. Now you should have network connectivity, so let’s enable remote desktop connections, file sharing and ping with PowerShell (the File and Printer Sharing group includes the ICMP echo rule):
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
    Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

  6. Install Hyper-V and allow remote management (this is where you will need the hvremote script):
    Install Hyper-V: Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart
    cscript hvremote.wsf /mode:server /add:administrator
    cscript hvremote.wsf /mode:server /firewallhypervmgmt:enable
    cscript hvremote.wsf /mode:client /anondcom:grant

  7. If you are remoting to this server you will need to whitelist clients using the following command:
    winrm set winrm/config/client @{TrustedHosts="client-name"}

  8. On your Hyper-V client
    1. Make sure you have PowerShell and the HyperV Management Tools installed
    2. Open Component Services
    3. Expand Component Services, then Computers
    4. Right click on My Computer and click on Properties.
    5. In the COM Security tab, click Edit Limits under Access Permissions.
    6. Enable Remote Access for Anonymous Logon
    7. In PowerShell run:
      Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force
    8. In command prompt (replace the server-name and password):
      cmdkey /add:server-name /user:ADMINISTRATOR /pass:password

Closing Notes

You should now be able to:

  1. Connect your client Hyper-V Manager to the server you created
  2. Enter remote PowerShell sessions via Enter-PSSession -ComputerName
  3. Ping and file share with your server
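An added example (not from the original post) that checks each item in the closing notes from the Windows 8.1 client, so a failure points at the step that needs revisiting. It assumes the server name from step 2 (placeholder `server-name`), the Hyper-V management tools from step 8, and the local Administrator credential you stored with cmdkey.

```powershell
# Added example, not from the original post: verify from the client that the server built above
# answers on each path the closing notes list. $server is the name given in step 2 (assumed value).
$server = 'server-name'
$cred   = Get-Credential -UserName "$server\Administrator" -Message 'Server admin password'

$checks = [ordered]@{
    'Ping (ICMP echo)'             = { Test-Connection -ComputerName $server -Count 1 -Quiet }
    'File sharing (TCP 445)'       = { (Test-NetConnection -ComputerName $server -Port 445).TcpTestSucceeded }
    'Remote Desktop (TCP 3389)'    = { (Test-NetConnection -ComputerName $server -Port 3389).TcpTestSucceeded }
    'TrustedHosts covers server'   = {
        # Step 8.7 uses '*'; listing only the server name passes this check with a narrower trust.
        $th = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        ($th -eq '*') -or (($th -split ',') -contains $server)
    }
    'WinRM reachable (Test-WSMan)' = { [bool](Test-WSMan -ComputerName $server -ErrorAction Stop) }
    'Remote PowerShell session'    = {
        (Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock { $env:COMPUTERNAME }) -eq $server
    }
    'Hyper-V management (DCOM)'    = { [bool](Get-VMHost -ComputerName $server -ErrorAction Stop) }
}

$report = foreach ($name in $checks.Keys) {
    # Any exception (refused connection, access denied, DCOM failure) counts as a failed check.
    $ok = try { [bool](& $checks[$name]) } catch { $false }
    [pscustomobject]@{ Check = $name; Result = $(if ($ok) { 'OK' } else { 'FAIL' }) }
}
$report | Format-Table -AutoSize
```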

There will be some devices that aren’t installed: two audio devices and the infrared sensor on the front of the NUC. I have not bothered to install those drivers.

If you have any comments, please leave them! I would appreciate the feedback, and I would also love to know if I have missed anything or whether I should have done something differently.

LibreOffice group policy

LibreOffice 4.2 introduced the ability to control LibreOffice settings via registry keys, which means Group Policy can now set LibreOffice settings.

Unfortunately, LibreOffice have not provided much documentation on their main.xcd file, so it’s hard to know exactly what registry key you need to create in order to set a particular setting.

I have created a stub Group Policy admx / adml file for LibreOffice. Check it out on GitHub.

With this admx file, hopefully it will be easy for you to set LibreOffice settings, without trying to figure out where the particular setting is stored in main.xcd.

user profile not loading

Have you got a Windows user profile that isn’t loading correctly?

Have you checked:

  1. Is the profile loaded into the registry already? (check regedit under HKEY_USERS)
  2. Has the user got write access to the registry hive? (can be an issue in default profile / roaming profile scenarios)

Well, if it’s not those things, open regedit and head to:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

Find the subkey whose ProfileImagePath value points at your user’s profile folder, and then delete that subkey.
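An added example (not part of the original post) that covers both checks above and the ProfileList lookup in one pass: it lists every ProfileList subkey with its ProfileImagePath, resolves the SID to an account, and flags whether that hive is currently loaded under HKEY_USERS and whether a leftover `.bak` subkey exists for the same SID. Run it elevated before deleting anything.

```powershell
# Added example, not from the original post: enumerate ProfileList so the key to delete is
# identified by SID and path rather than by eye. Run in an elevated PowerShell on the affected PC.
$profileList = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList'
$loadedHives = (Get-ChildItem Registry::HKEY_USERS).PSChildName   # check 1: already loaded?

function Get-ProfileListReport {
    Get-ChildItem $profileList | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        # A ".bak" suffix is the leftover of an earlier failed load; strip it to resolve the account.
        $account = try {
            ([System.Security.Principal.SecurityIdentifier]($sid -replace '\.bak$', '')).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { '(unresolved)' }
        [pscustomobject]@{
            Sid          = $sid
            Account      = $account
            ProfilePath  = $path
            FolderExists = [bool]$path -and (Test-Path -LiteralPath $path)
            HiveLoaded   = $loadedHives -contains $sid
            IsBackupKey  = $sid -like '*.bak'
        }
    }
}

# Compare the row for the affected user with its FolderExists / HiveLoaded / IsBackupKey flags;
# once you have confirmed the right Sid, that is the subkey the post tells you to delete.
Get-ProfileListReport | Sort-Object Account | Format-Table -AutoSize
```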