NTFSsecurity module

Just came across the NTFSsecurity module. It's available on the PowerShell Gallery or from https://github.com/raandree/NTFSSecurity.

The *-Acl cmdlets have been around since Windows PowerShell v1 but aren't easy to use and don't cover all our needs.

This module contains a number of cmdlets:

Add-NTFSAccess
Add-NTFSAudit
Clear-NTFSAccess
Clear-NTFSAudit
Copy-Item2
Disable-NTFSAccessInheritance
Disable-NTFSAuditInheritance
Disable-Privileges
Enable-NTFSAccessInheritance
Enable-NTFSAuditInheritance
Enable-Privileges
Get-ChildItem2
Get-DiskSpace
Get-FileHash2
Get-Item2
Get-NTFSAccess
Get-NTFSAudit
Get-NTFSEffectiveAccess
Get-NTFSHardLink
Get-NTFSInheritance
Get-NTFSOrphanedAccess
Get-NTFSOrphanedAudit
Get-NTFSOwner
Get-NTFSSecurityDescriptor
Get-NTFSSimpleAccess
Get-Privileges
Move-Item2
New-NTFSHardLink
New-NTFSSymbolicLink
Remove-Item2
Remove-NTFSAccess
Remove-NTFSAudit
Set-NTFSInheritance
Set-NTFSOwner
Set-NTFSSecurityDescriptor
Test-Path2

Some of the cmdlets appear to overlap with standard PowerShell cmdlets:

Copy-Item2
Get-ChildItem2
Get-FileHash2
Get-Item2
Move-Item2
Remove-Item2
Test-Path2

which needs further investigation.

PS> get-command Test-Path -Syntax

Test-Path [-Path] <string[]> [-Filter <string>] [-Include <string[]>]
[-Exclude <string[]>] [-PathType <TestPathType>] [-IsValid]
[-Credential <pscredential>] [-UseTransaction] [-OlderThan <datetime>]
[-NewerThan <datetime>] [<CommonParameters>]

Test-Path -LiteralPath <string[]> [-Filter <string>] [-Include <string[]>]
[-Exclude <string[]>] [-PathType <TestPathType>] [-IsValid]
[-Credential <pscredential>] [-UseTransaction] [-OlderThan <datetime>]
[-NewerThan <datetime>] [<CommonParameters>]

PS> get-command Test-Path2 -Syntax

Test-Path2 [-Path] <string[]> [-PathType <TestPathType>] [<CommonParameters>]

There isn't a complete set of help files for the module at the moment, but some documentation is available through the GitHub repository.

This is a Windows PowerShell-only module at the moment, as it requires System.Windows.Forms, but it may work on PowerShell Core through the Windows Compatibility module.
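As an added example (not from the post or the module's own documentation), here is the kind of ACL review the module makes practical: an inventory of explicit (non-inherited) and orphaned ACEs under a share root. It assumes, from the module's documentation, Get-ChildItem2's -Directory/-Recurse switches, Get-NTFSAccess's -ExcludeInherited switch, and the FullName/Account/AccessRights/AccessControlType properties on the output objects; D:\Shares is a placeholder root.

```powershell
# Added example: report explicit and orphaned ACEs under a share root with NTFSSecurity.
# Assumed parameter and property names are noted in the lead-in; D:\Shares is a placeholder.
Import-Module NTFSSecurity

function Get-AclReviewReport {
    param([Parameter(Mandatory)] [string] $Root)

    # Directories only: folder ACEs are where inheritance is configured, and Get-ChildItem2
    # copes with paths longer than 260 characters where Get-ChildItem does not.
    $folders = @(Get-Item2 -Path $Root) + @(Get-ChildItem2 -Path $Root -Directory -Recurse)

    foreach ($folder in $folders) {
        # Every explicit ACE is a break in the inheritance chain and a separate decision to review.
        Get-NTFSAccess -Path $folder.FullName -ExcludeInherited | ForEach-Object {
            [pscustomobject]@{
                Finding = 'ExplicitAce'
                Path    = $_.FullName
                Account = "$($_.Account)"
                Rights  = "$($_.AccessRights)"
                Type    = "$($_.AccessControlType)"
            }
        }
        # Orphaned ACEs reference SIDs that no longer resolve (deleted users or groups);
        # they clutter the ACL and obscure what the effective permissions really are.
        Get-NTFSOrphanedAccess -Path $folder.FullName | ForEach-Object {
            [pscustomobject]@{
                Finding = 'OrphanedSid'
                Path    = $_.FullName
                Account = "$($_.Account)"
                Rights  = "$($_.AccessRights)"
                Type    = "$($_.AccessControlType)"
            }
        }
    }
}

Get-AclReviewReport -Root 'D:\Shares' |
    Sort-Object Finding, Path |
    Format-Table Finding, Path, Account, Rights, Type -AutoSize
```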

Constrained PowerShell or JEA?

PowerShell remoting gives you access to all of the functionality on the box by default. You can create constrained (or restricted) endpoints that limit that functionality to specific cmdlets.

Alternatively you can use Just Enough Admin (JEA) to lock down an endpoint through a Role-Based Access Control (RBAC) system.

JEA is the more recent option and is more flexible.

The PowerShell Team has an interesting (and new to me) take on Constrained Language and JEA: https://blogs.msdn.microsoft.com/powershell/2017/11/02/powershell-constrained-language-mode/

I recommend you read it.
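As an added example (not from the post or the linked article), this is what a JEA endpoint looks like in practice: a group of auditors may run only the read-only NTFSSecurity cmdlets against one share root, without holding local or domain admin rights. The CONTOSO\ACL-Auditors group, the D:\Shares root and the AclAuditor module and role names are placeholders, and the cmdlets are assumed to take -Path and -Account as the module documents them.

```powershell
# Added example: a JEA endpoint for read-only ACL auditing. Group, path and module
# names are placeholders; run on the file server in an elevated session.

# 1. Role capability: what the role may run. JEA only discovers .psrc files inside a
#    module's RoleCapabilities folder, so a near-empty module is created to hold it.
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\AclAuditor'
New-Item -Path (Join-Path $moduleDir 'RoleCapabilities') -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleDir 'AclAuditor.psd1')

$onlyUnderShares = @{ Name = 'Path'; ValidatePattern = '^D:\\Shares\\' }  # every call is confined to the share tree
New-PSRoleCapabilityFile -Path (Join-Path $moduleDir 'RoleCapabilities\AclAuditor.psrc') `
    -ModulesToImport 'NTFSSecurity' `
    -VisibleCmdlets @(
        @{ Name = 'Get-NTFSAccess';          Parameters = $onlyUnderShares },
        @{ Name = 'Get-NTFSOrphanedAccess';  Parameters = $onlyUnderShares },
        @{ Name = 'Get-NTFSEffectiveAccess'; Parameters = @($onlyUnderShares, @{ Name = 'Account' }) }
    )

# 2. Session configuration: who maps to which role, plus the hardening JEA adds.
$pssc = Join-Path $env:TEMP 'AclAuditor.pssc'
$sessionConfig = @{
    Path                = $pssc
    SessionType         = 'RestrictedRemoteServer'         # NoLanguage mode, only a few core cmdlets visible
    RunAsVirtualAccount = $true                             # work runs under a temporary virtual account, not the user's own token
    TranscriptDirectory = 'C:\ProgramData\JEATranscripts'  # over-the-shoulder transcript of every session
    RoleDefinitions     = @{ 'CONTOSO\ACL-Auditors' = @{ RoleCapabilities = 'AclAuditor' } }
}
New-PSSessionConfigurationFile @sessionConfig

# 3. Validate, then register the endpoint (WinRM is restarted).
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }
Register-PSSessionConfiguration -Name 'AclAuditor' -Path $pssc -Force

# 4. From a client, confirm that an auditor sees only the intended cmdlets:
#    Get-Command -PSSession (New-PSSession -ComputerName fileserver01 -ConfigurationName AclAuditor)
```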

PowerShell Attacks–advice on defending

PowerShell Attacks–advice on defending from Lee Holmes – PowerShell security expert – is available at

https://blogs.msdn.microsoft.com/powershell/2017/10/23/defending-against-powershell-attacks/

Read, learn, inwardly digest and apply

Generating passwords

Generating new passwords can be a painful business. There are many ways of accomplishing password generation, depending on your needs. One suggestion for generating passwords is to use a GUID as the basis of the password:

PS> New-Guid

Guid 
---- 
269f328d-b80d-446a-a14c-6197ff1bcc40

You could then remove the hyphens and extract part of the GUID:

PS> (New-Guid).Tostring() -replace '-' 
c5023096aee24b3ba1d9988ff1c774e4

You need to decide the length of the password. With the hyphens removed a GUID is 32 characters, so make sure you start your extraction in a position that leaves room for the length you need:

$length = 8

((New-Guid).Tostring() -replace '-').Substring((Get-Random -Minimum 0 -Maximum (31-$length)), $length)

Your results will look like these examples:

fbe8e66e 
980d4032 
0341d71f 
6f6478fd 
fbfea1ce 
34694bc6 
62666733 
b1419ac0 
3cf8aa7d

The drawback is that you only have numbers and lower case characters.

If you use the Membership class from System.Web you can do this:

PS> Add-Type -AssemblyName System.Web 
PS> [System.Web.Security.Membership]::GeneratePassword(8,2) 
1L*q381)

The GeneratePassword method takes 2 arguments: the first is the length of the password and the second is the number of non-alphanumeric characters.

If you're running PowerShell v5 you can use the using assembly statement instead of Add-Type:

PS> using assembly System.Web 
PS> [System.Web.Security.Membership]::GeneratePassword(8,1) 
f>jg84XR
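As an added example (not from the post), here is a generator with the same two knobs as GeneratePassword but backed by the platform's cryptographic RNG. Two caveats it addresses: System.Web.Security.Membership is a .NET Framework class and is not available on PowerShell Core/7, and a GUID slice has only 16 possible symbols per character, so 8 hex characters carry at most 32 bits of entropy. Function names and the symbol set are my own choices.

```powershell
# Added example: cryptographically random passwords with a chosen alphabet, plus the
# entropy arithmetic to compare against the GUID approach (8 hex chars = 32 bits).
$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-UnbiasedIndex {
    # Uniform index in [0, $Count) for $Count <= 256 by rejection sampling: bytes at or above
    # the largest multiple of $Count are discarded, so "byte % Count" does not favour low indices.
    param([ValidateRange(1, 256)] [int] $Count)
    $buffer = New-Object byte[] 1
    $limit  = 256 - (256 % $Count)
    do { $script:Rng.GetBytes($buffer) } while ($buffer[0] -ge $limit)
    return $buffer[0] % $Count
}

function New-RandomPassword {
    # Same two knobs as GeneratePassword: total length and the minimum number of
    # non-alphanumeric characters.
    param(
        [ValidateRange(8, 128)] [int] $Length = 16,
        [ValidateRange(0, 128)] [int] $NonAlphanumeric = 2
    )
    if ($NonAlphanumeric -gt $Length) { throw 'NonAlphanumeric cannot exceed Length' }
    $alnum   = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    $symbols = [char[]]'!@#$%^&*()-_=+[]{};:,.<>?'
    $all     = $alnum + $symbols
    $chars   = New-Object System.Collections.Generic.List[char]

    # Guarantee the requested symbols first, fill the remainder from the whole alphabet ...
    for ($k = 0; $k -lt $NonAlphanumeric; $k++) { $chars.Add($symbols[(Get-UnbiasedIndex $symbols.Length)]) }
    while ($chars.Count -lt $Length)            { $chars.Add($all[(Get-UnbiasedIndex $all.Length)]) }
    # ... then Fisher-Yates shuffle so the guaranteed symbols do not always sit at the front.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-UnbiasedIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Get-PasswordEntropyBits {
    # Bits of entropy for $Length characters drawn uniformly from $AlphabetSize symbols.
    param([int] $Length, [int] $AlphabetSize)
    return [math]::Round($Length * [math]::Log($AlphabetSize, 2), 1)
}

New-RandomPassword -Length 12 -NonAlphanumeric 2
Get-PasswordEntropyBits -Length 8 -AlphabetSize 16   # GUID slice, as in the post: 32
Get-PasswordEntropyBits -Length 8 -AlphabetSize 87   # this generator's 87-symbol alphabet: 51.5
```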

How many domain admins do you need?

I was working on a book chapter this afternoon and something I was reading made me stop and think for a moment. How many people are members of your domain admins group, or, even worse, the enterprise admins or schema admins groups?

Many of the organisations where I've reviewed their AD have 15, 20, 50 or even 70 people in the domain admins group, and that's for a single domain!

Is this necessary?

Most often the answer is no, no and no again.

Way back in NT times you had to be a domain admin to do practically any administration. Now things are different.

You can be much more granular in assigning permissions (remember the principle of least privilege); there is a whole raft of groups for administering facets of your environment.

You can use tools like JEA and PowerShell to delegate permissions rather than lumping everyone in domain admins.

In this day and age there is no excuse for having a domain admins group with huge numbers of members unless you subscribe to the "that's how we've always done it" school of thought. If you do, then expect problems sooner rather than later.