Compliance on Janik von Rotz

Monitor and audit Active Directory user and group management

Thu, 12 Oct 2017 15:54:08 +0000

Traceability is key when collaborating in the Active Directory (AD). Multiple admins changing and updating permissions and policies makes it difficult being compliant with the company’s policies. It is important to monitor mutations in the directory. By default audit policies are disabled for Domain Controllers (DC) and must be enabled explicitly. Enabling auditing for the DCs is quite easy, querying the logs for a specific event is a bit more difficult.

In this guide you’ll learn how to enable auditing for a specific case and how to query the audit logs for a specific event.

The tutorial assumes that there is a:

Domain Controller.
Group policies, security groups, users, …
Admins with DC access.

Enable Auditing

Let’s start by have a look on the already enabled audit categories.

Log into the DC.
Open PowerShell as admin.
Run auditpol /get /category:*

The command returns a list of audit categories and its status. These settings have been enabled by either the auditpol tool or via GPOs.

In our scenario we would like to track management of users and groups, which is part of the Audit Account Management. To enable this audit category create a new group policiy for the DC.

Open the GPO management console.
Right-click the Domain Controllers organizational unit.
Create new GPO and open it in the GPO editor.
Enable logging for subcategories: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory settings...
Increase the security log size to 4GB: Computer Configuration > Windows Settings > Security Settings > Event Log > Maximum security log size: 4268032
Then navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management
Enable the required audit categories.
Make a gpupdate /force on the DC.
Run auditpol /get /Category:* and double-check whether the settings are correct.

If you open the security event log on the DC there should be events logging account management mutations.

Source: Microsoft Docs - Monitoring Active Directory for Signs of Compromise

Query Audit Logs

As mentioned querying the event log is a bit more difficult. The event log viewer offers limited features for filtering events and searching by specific keywords. In contrast with PowerShell it is possible to filter and search the event log by any property and keyword.

Here is a simple example:

$LogName = "security"
$StartTime = Get-Date("2017-10-12 12:50")
$EndTime = Get-Date("2017-10-12 13:00")
$SearchKey = "username"

Get-WinEvent -FilterHashtable @{LogName=$LogName; StartTime=$StartTime;EndTime=$EndTime} | Where-Object {$_.Message -match $SearchKey} | select Id, TimeCreated, Message | Format-List

Source: Hey, Scripting Guy! Blog - Filtering Event Log Events with PowerShell

Get unlinked GPOs with PowerShell

Fri, 06 Oct 2017 10:06:49 +0000

In terms of IT compliance having valid GPOs is essential. They must be update to date and the GPO directory should be free of any unlinked GPOs. Retrieving a list of unlinked GPOs in the management console is impossible. With PowerShell it is quite easy.

Take this function for example:

Get-UnlinkedGPOs.ps1

function Get-UnlinkedGPOs {

    Import-Module GroupPolicy
    
    $Report = @() 
    $GPOs = Get-GPO -All
    $GPOs | ForEach-Object { 

        $GPO = $_

	    Write-Progress -Activity "Get GPO settings" -status "Analyze GPO: $($GPO.DisplayName)" -percentComplete ([int]([array]::IndexOf($GPOs, $GPO)/$GPOs.Count*100))
        
        $GPOReport = ([XML]$($GPO | Get-GPOReport -ReportType Xml)).GPO

        If(($GPOReport.LinksTo -eq $null) -or (-not ($GPOReport.LinksTo | Where-Object{$_.Enabled -eq $true}))){
            $Report += $GPO
        }
    }
     
    If ($Report.Count -eq 0) {
        Wirte-Warning "No unlinked GPOs found" 
    }else{ 
        return $Report
    }
}

Make sure the group policy PowerShell module is installed.

Once the function is available in your shell you can things like: Get-UnlinkedGPOs | Select DisplayName, GpoStatus | Sort-Object DisplayName | Format-Table

Nginx SSL website

Thu, 03 Apr 2014 07:54:04 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9408793.

Introduction

This best practice shows you the most advanced SSL configurations for your Nginx website. For productive usage it’s recommended to use only public-signed certificates.

Requirements

Installation

Create a ssl folder to store key and cert files

sudo mkdir /etc/nginx/ssl

Upload your key and cert files into this folder.

Now we need to generate stronger DHE parameter:

cd /etc/ssl/certs
sudo openssl dhparam -out dhparam.pem 4096

Add this Nginx configuration to your website config.

server{

        # set ssl port
        listen 443;
        
        ...
        
        # basic ssl configuration
        ssl on;
        ssl_certificate /etc/nginx/ssl/[certificate.crt.ca.bundle];
        ssl_certificate_key /etc/nginx/ssl/[host].key;

        # Force to use stronger DHE parameters 
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        
        # limitation of ssl protocols and algortyhtms
        
        # we don't want to support SSL v2 and SSL v3, it's known to be insecure
        # FIPS 140-2 compliance, TLS1+ only
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        
        # don't let the client decide what ciphers to use, we've told the server which to allow
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        
        # reduce ssl cpu load
        
        # we want to enable ssl session resumption to avoid
        # having to start the handshake from scratch each page load
        # so first we enable a shared cache, named SSL (creative!) that is 10mb large
        ssl_session_cache shared:SSL:10m;
        
        # save things in the cache for10 minutes
        # if you're not making a request at least every 10 minutes, this isn't going
        # to accomplish anything anyway
        ssl_session_timeout 10m;
        
        ...
}

If you wish to redirect all http traffic to https you can add this additional Nginx server configuration.

server{

      listen 80;
      
      server_name [host];

      return 301 https://[host]$request_uri;
}

Test config and reload Nginx service.

sudo nginx -t && sudo service nginx reload

Source

Nginx converting rewrite rules Configuring HTTPS servers Strong SSL Security on nginx by Raymii