Delegate permission to manage “User cannot change password” in User ‘Account Options’

Hey, have you noticed, when you delegate write permissions for nt_SecurityDescriptor, you still cannot change an option ‘User cannot change password’ ? When you try mark this option and save, all looks fine, because you can save it, but once you open user account properties again, you see that option ‘User cannot change password’ is blank :\ . This is cause by missing permission to add ‘Everyone’ – DENY in security Tab. Yes, you also must have permission to modify permission of user object. If you do not want to give Full permission, you must explicitly add and allow ‘modify permissions’

User Object – Account Options

get-adgroupmember : The size limit for this request was exceeded

Although I have worked in big infrastructures, it is not long time ago, I have personally met with the limitation of ADWS service.  Because exists good reasons why this limit should not be changed on DC server, command-let get-adgroupmember can be easily replaced by Get-ADGroup ‘GroupName’ -properties Member | select-object -ExpandProperty member 🙂

https://docs.microsoft.com/en-us/archive/blogs/activedirectoryua/active-directory-maximum-limits-and-scalability-topic-updated
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd391908(v=ws.10)?redirectedfrom=MSDN

ADLDS and Password Policies

Have you ever thought about how password policies are managed in ADLDS ? This short article will describe how it works.

When host server of the ADLDS instance is domain member, domain password policies are applied.  Host server in workgroup is using local password policies. To ignore inherited domain password policies can be done by using ADSIEdit.
Open ADSIEdit and connect to the Configuration naming context on the LDAP server., please find path below.

On the object:
CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={guid},
there is a multi-valued attribute called msDS-Other-Settings. The attribute ADAMDisablePasswordPolicies has by default value 0, set value to 1 means disable inheritance from domain and start using local password policies of the host server.

TLS 1.0 is also obsolete ! This article tell you how to protect Windows Web Servers against vulnerabilities.

If your servers still support TLS 1.0 or older obsolete cryptographic protocols (SSL, PCT, …) for communication over the network , you should act asap!

Description:

SSL 3.0 and older protocols, now also TLS 1.0 are vulnerable to man-in-the-middle attacks, risking the integrity and authentication of data sent between a website and a browser. Disabling TLS 1.0 and older protocols support on your server is sufficient to mitigate this issue! These obsolete protocols should be Disabled before public deadline – June 30, 2018 for SSL/Early TLS Migration. Ups.. Yes , this date is gone already :\….and also Windows Servers 2016 by default support these protocols !!!

The deadline -June 30, 2018  it is not my invention. This deadline was scheduled by The PCI Security Standards Council which is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Probably after this date, this vulnerability could be reported to ICT teams by their local security team. – https://blog.pcisecuritystandards.org/4-things-to-know-about-pci-dss-in-2018

 

Technical Details:

Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) are no longer considered secure forms of encryption. It is critically important that organizations upgrade to a secure version of TLS – such as TLS v1.2 or higher – as soon as possible and disable any fallback to SSL/early TLS.
Many PCI DSS requirements require the use of ‘strong cryptography’ as defined in the PCI DSS glossary. After 30 June 2018 SSL/early TLS should not be used as a security control to meet any PCI DSS requirements attempting to demonstrate strong cryptography.

 

Default Windows Server 2012 R2, Server 2016 configuration is below:

Recommend configuration (change requires server restart):

Screenshots from tool – https://www.nartac.com/Products/IISCrypto
IISCrypto is very good alternative way how to set secure sonfiguration on your server, when you do not want to do it directly in Registry.

Microsoft sources about this topic:

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols

https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat

GPMC Search Item – with “User Configuration” it does not work

 

Today I  opened GPMC on the Windows Server 2019 Preview and really after long time I tried to use Search Item in GPMC console. I was surprised that Search Item with User Configuration did not allow me to add any condition. Please check in the picture below. It is suprise that same behavior I can see on S2K12R2, Windows 10 and etc….so it is nothing new :(. I spent some time with searching on  internet than I found TechNet article about it.  – https://social.technet.microsoft.com/wiki/contents/articles/23169.the-value-drop-down-list-is-grayed-out-when-you-perform-search-for-group-policy-objects-in-gpmc.aspx

Because I did not find any advice except article above I believe that more articles about this bug (or what it is) could be useful.

All what is necessary to do is open REGEDIT , go to this path (go to the part of registry, where OS has Client Side Extension for GPO) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4D2F9B6F-1E52-4711-A382-6A8B1A003DE6}]

click on GPextension with number above and choose export ! Yes, we should backup this key, because it should be our first step before we do any change in registry.

 

When we have backup, right click on GPExtension {4D2F9B6F-1E52-4711-A382-6A8B1A003DE6} again and choose “Permissions….”  perform 3 steps describes in the pictures. Change owner to your account used for logon. After we change owner, full control “Access” should be visible for our new owner.

 

Now we have to change Default value of REG_SZ which is empty. We have to put there this string RemoteApp and Desktop Connections , lets check picture below

 

Now is necessary close GPMC and open this console again. Try to use Search Item and choose User Configuration, now it should be ok 🙂 . Tested and for me it is working 🙂 . Thanks