Monday, August 29, 2016

Powershell: Find AD Users' Logon History with their Logged on Computers

Finding a user's logon events is a matter of reading the event log on the user's computer. In a domain environment it is more involved, because the relevant events live on the domain controllers. What makes this a tough task for system admins is searching through thousands of event log entries on every domain controller to find the right information about a user's logon events. Even if we filter only the Kerberos Authentication events for TGT (Ticket-Granting Ticket) requests, each event still carries a lot of information relating to specific users.
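As an added example (not code from the original post), the following PowerShell function does the search the post describes: it pulls the Kerberos TGT request events (Security event ID 4768, "A Kerberos authentication ticket (TGT) was requested") from every domain controller, keeps only the rows for one account, and resolves the client IP in each event to a computer name. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the Security log on the DCs; the account name and time window are parameters, and the field names (TargetUserName, TargetDomainName, IpAddress, Status) are those of event 4768.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module and
# read access to the Security log on each domain controller.

function Get-UserTgtHistory {
    param(
        [Parameter(Mandatory)][string]$UserName,   # sAMAccountName, e.g. 'user1'
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    $dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        try {
            # Event 4768: "A Kerberos authentication ticket (TGT) was requested".
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
                LogName   = 'Security'
                Id        = 4768
                StartTime = $since
            } -ErrorAction Stop
        } catch {
            # "No events were found" in the time window also lands here.
            Write-Warning "${dc}: $($_.Exception.Message)"
            continue
        }

        foreach ($ev in $events) {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$ev.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data.TargetUserName -ne $UserName) { continue }

            # 4768 records the client IP, not its name; strip the IPv4-mapped prefix and resolve it.
            $ip     = $data.IpAddress -replace '^::ffff:', ''
            $client = $ip
            try { $client = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { }

            [pscustomobject]@{
                Time             = $ev.TimeCreated
                DomainController = $dc
                User             = "$($data.TargetDomainName)\$($data.TargetUserName)"
                ClientIP         = $ip
                ClientComputer   = $client
                Status           = $data.Status   # 0x0 = ticket issued; other values are Kerberos error codes
            }
        }
    }
}

# Usage: one row per TGT request for user1 over the last day, across all DCs.
Get-UserTgtHistory -UserName 'user1' -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Because each DC only holds the requests it served, the function has to visit all of them; the Status column is worth keeping, since failed pre-authentication (a non-zero Kerberos result code) shows up in the same event and is often more interesting to a defender than the successful logons.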

Sunday, August 21, 2016

How to Digitally Sign the Powershell Scripts with Microsoft CA in Domain – A step-by-step Guide - Part 4

4) Run the test scripts
Go to >> Part-1: Install ADCS service and configure Code Signing Certificate Template
Go to >> Part-2: Request the certificate to sign the script by user1
Go to >> Part-3: Configure GPO to allow only signed scripts and add user1’s certificate to trusted publisher group on domain computers

Now, it's time for user2 (a new user who recently joined the company ;) to run some scripts on the Node-2 computer, which is a newly domain-joined computer. Also, don't forget to run "gpupdate" on the client computers after your GPO is changed.
We will do the following test cases:

Test case-1: user2 runs an unsigned script on computer Node-2.
Result: user2 cannot run the unsigned script because Node-2 is enforced by GPO not to run any unsigned scripts.


Test case-2: user2 gets the script written and signed by user1 and tries to run it on the Node-2 computer.
Result: user2 can run the script successfully, since the script is digitally signed and unmodified.


Test case-3: user2 changes some code in user1's script and tries to run it on the Node-2 computer.
Result: user2 cannot run the script because the digital signature no longer matches the hash of the file, whose content has been changed.
You can see the output in Figure-1.


Figure-1: Results of user2 trying to run various scripts
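The three test cases can also be reproduced from a PowerShell prompt by inspecting the signature status that the AllSigned policy bases its decision on. The block below is an added example, not code from the original post: it assumes user1's code-signing certificate from Part-2 is in Cert:\CurrentUser\My on Node-1, and the C:\Scripts folder and the script contents are constructed for the example. Get-ScriptTrust, Get-AuthenticodeSignature and Set-AuthenticodeSignature are the only moving parts; the first is defined here, the other two are built-in cmdlets.

```powershell
# Added example, not from the original post. Paths and script contents are constructed.

function Get-ScriptTrust {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Script  = Split-Path -Path $Path -Leaf
        Status  = $sig.Status      # NotSigned | Valid | HashMismatch | NotTrusted | ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
        Message = $sig.StatusMessage
    }
}

# --- on Node-1 as user1: prepare the three scripts ---
$scriptDir = 'C:\Scripts'
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null

# Test case-1: an unsigned script
Set-Content -Path "$scriptDir\case1-unsigned.ps1" -Value 'Write-Output "unsigned script"'

# Test case-2: a script signed by user1
Set-Content -Path "$scriptDir\case2-signed.ps1" -Value 'Write-Output "signed by user1"'
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found for user1 in Cert:\CurrentUser\My' }
Set-AuthenticodeSignature -FilePath "$scriptDir\case2-signed.ps1" -Certificate $cert | Out-Null

# Test case-3: the signed script with one line inserted after signing.
# The signature block at the end of the file is copied along unchanged, so the signer is
# still readable, but the hash it covers no longer matches the content.
$lines = Get-Content -Path "$scriptDir\case2-signed.ps1"
@('Write-Output "line inserted by user2"') + $lines |
    Set-Content -Path "$scriptDir\case3-modified.ps1"

# --- on Node-2 as user2 (after copying C:\Scripts across and running gpupdate) ---
# MachinePolicy shows AllSigned once the GPO from Part-3 has applied.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# What the policy will decide for each file, without having to run any of them.
Get-ChildItem -Path "$scriptDir\*.ps1" |
    ForEach-Object { Get-ScriptTrust -Path $_.FullName } |
    Format-Table -AutoSize
```

The Status column maps directly onto the three results above: case1 reports NotSigned and is blocked, case2 reports Valid and runs, and case3 reports HashMismatch and is blocked. If case2 reports NotTrusted instead, the signature is intact but user1's certificate is not yet in the Trusted Publishers store on that computer, which is what Part-3 takes care of.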

How to Digitally Sign the Powershell Scripts with Microsoft CA in Domain – A step-by-step Guide - Part 3

3) Configure GPO to allow only signed scripts and add user1’s certificate to trusted publisher group on domain computers
Go to >> Part-1: Install ADCS service and configure Code Signing Certificate Template
Go to >> Part-2: Request the certificate to sign the script by user1
Go to >> Part-4: Run the test scripts



In Part-2, we signed the script with user1's certificate. Some steps are still manual, such as adding user1's certificate to the Trusted Publishers store on each computer. Let us see how we can automate this process by using GPO.


First of all, we need to export user1's certificate from the Node1 computer's Personal store to the DC1 computer, from where we can distribute this certificate via Group Policy.
i) From the MMC console on Node1, right-click user1's certificate and export it.
ii) On the "Export File Format" page, we can choose either the DER encoded or the Base-64 encoded option. See Figure-1.
iii) Select the location to save the certificate. Click Next, Next and OK.
Figure-1: Select certificate type
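The export in steps i) to iii) and the check of what the GPO later delivers can both be done from PowerShell. The block below is an added example, not code from the original post: it exports user1's certificate (public part only, exactly what the wizard writes) in both DER and Base-64 form, and then, on a domain computer, checks that the certificate with that thumbprint is in the local machine's Trusted Publishers store and chains to a trusted CA. Export-Certificate and Import-Certificate are the built-in PKI module cmdlets; the C:\Export path and the Test-TrustedPublisher function are constructed for this example.

```powershell
# Added example, not from the original post. Paths are constructed.

# --- on Node1 as user1: export the code-signing certificate from the Personal store ---
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -like '*user1*' } | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate for user1 in Cert:\CurrentUser\My' }

$exportDir = 'C:\Export'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# DER encoded binary X.509 (.cer): the first option on the "Export File Format" page.
Export-Certificate -Cert $cert -FilePath "$exportDir\user1-codesign.cer" -Type CERT | Out-Null

# Base-64 encoded X.509: the second option, built here from the same raw bytes.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$exportDir\user1-codesign.pem" -Value $pem -Encoding Ascii

"Exported $($cert.Subject), thumbprint $($cert.Thumbprint)"

# --- on a domain computer (e.g. Node-2) after gpupdate: confirm what the GPO delivered ---
function Test-TrustedPublisher {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $found = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
             Where-Object Thumbprint -eq $Thumbprint
    if ($found) {
        # A publisher certificate whose issuing CA is not trusted still yields NotTrusted
        # at run time, so check the chain as well as the store membership.
        [pscustomobject]@{ Thumbprint = $Thumbprint; InTrustedPublishers = $true;  ChainValid = $found.Verify() }
    } else {
        [pscustomobject]@{ Thumbprint = $Thumbprint; InTrustedPublishers = $false; ChainValid = $false }
    }
}

# If the GPO has not applied yet, the same .cer can be imported by hand on one machine for testing:
#   Import-Certificate -FilePath "$exportDir\user1-codesign.cer" -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
Test-TrustedPublisher -Thumbprint $cert.Thumbprint
```

Only the public certificate leaves Node1; the private key stays in user1's profile, which is the point of the scheme, since anyone holding that key could sign scripts that every domain computer would then trust.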


How to Digitally Sign the Powershell Scripts with Microsoft CA in Domain – A step-by-step Guide - Part 2

2) Request the certificate to sign the script by user1
Go to >> Part-1: Install ADCS service and configure Code Signing Certificate Template
Go to >> Part-3: Configure GPO to allow only signed scripts and add user1’s certificate to trusted publisher group on domain computers
Go to >> Part-4: Run the test scripts


In Part-1, we configured the AD CS role and the certificate template. Now it's time for user1 to request his certificate and sign his script.

On the Node-1 computer, with user1 logged on as a domain user:
i) In the Run box, type mmc and add "Certificates" from Add or Remove Snap-ins. See Figure-1.
ii) In the Certificates tree, right-click Personal >> All Tasks >> Request New Certificate. See Figure-2.
iii) Click Next until you reach the list of certificate types available on the "Request Certificates" page. Choose "Powershell Code Signing" and click "Enroll". See Figure-3.
iv) If everything is working fine, you will see that the certificate is enrolled and installed.
v) Check user1's enrolled certificate in certificate personal store. See Figure-5.


Note: If you turn on "Certificate Manager approval" in your certificate template (see Fig-4), the certificate request will be shown as pending in the "Certification Authority" console rather than being automatically enrolled on user1's computer. A Certificate Manager needs to approve the pending request before the certificate is issued.
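The same enrollment as steps i) to v), including the pending case from the Note, can be done with the PKI module's Get-Certificate cmdlet. This is an added example, not code from the original post. The template name 'PowershellCodeSigning' is an assumption: the -Template parameter takes the template name, not the display name "Powershell Code Signing" that the MMC wizard shows, so check the name in the Certificate Templates console before using it.

```powershell
# Added example, not from the original post. Run on Node-1 as user1.
$templateName = 'PowershellCodeSigning'   # assumed template name; verify in Certificate Templates

# Submit the request to the enterprise CA and place the result in user1's Personal store.
$req = Get-Certificate -Template $templateName -CertStoreLocation Cert:\CurrentUser\My

switch ($req.Status) {
    'Issued' {
        # Auto-enrollment (no approval step on the template): already installed.
        "Issued: $($req.Certificate.Subject), thumbprint $($req.Certificate.Thumbprint)"
    }
    'Pending' {
        # "Certificate Manager approval" is on: the request sits in the CA console until
        # a Certificate Manager issues it. The pending request is kept in the REQUEST store.
        'Request is pending approval; retrieve it after the Certificate Manager issues it:'
        '  Get-ChildItem Cert:\CurrentUser\REQUEST | Get-Certificate -CertStoreLocation Cert:\CurrentUser\My'
    }
    default { throw "Enrollment ended with status '$($req.Status)'" }
}

# Step v) equivalent: confirm the code-signing certificate is in the Personal store.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint, EnhancedKeyUsageList
```

The -CodeSigningCert filter is the quickest way to confirm the template was set up correctly in Part-1: a certificate that lacks the Code Signing enhanced key usage will not be listed, and Set-AuthenticodeSignature will refuse it.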

How to Digitally Sign the Powershell Scripts with Microsoft CA in Domain – A step-by-step Guide - Part 1


Go to >> Part-2: Request the certificate to sign the script by user1
Go to >> Part-3: Configure GPO to allow only signed scripts and add user1’s certificate to trusted publisher group on domain computers
Go to >> Part-4: Run the test scripts




Every driver and piece of built-in software in the Windows environment is pre-packaged with a digital signature. With the increasing number of malicious attacks on Windows, every executable, DLL or script file in a domain environment should be signed with a certificate. Moreover, Active Directory and GPO make life easier because they integrate very well with AD CS, especially through certificate auto-enrollment via Group Policy. This becomes very useful when you want to limit the execution of scripts on the servers in your domain, preventing malicious scripts from running and unauthorized changes from being made. Today, I will show you how to sign your PowerShell scripts with a certificate from a Microsoft CA and use GPO to control the execution of unsigned scripts in a domain environment.


Scenario:
Let's say user1 usually writes PowerShell scripts in the Contoso organization. The administrator needs to allow only the execution of scripts written by user1 on certain computers, while all other scripts are blocked. Moreover, if one of user1's scripts is modified by a malicious user and run on client computers or servers, how can we stop that? Let's see how it works.