Friday, June 7, 2013

Random Password Generator Tool

Sure, there are lots of random password generators out there, but how many of them are integrated with our very feature-rich open source code repository of tools that will help you to code against Active Directory, while also standing alone as a simple quick to use tool for a helpdesk?


Yeah, that's right, only 1 random password generator tool does that.  Get it and its open source code now: https://github.com/Securology/ActiveDirectoryServices/tree/master/PasswordGenerator

Thursday, June 6, 2013

Coding for Active Directory: Quickly import Exchange Rooms or Resources

Do you have a copy of Visual Studio, a very rudimentary knowledge of C# .NET, and a need to import a list of Exchange Rooms or Resources into your Active Directory?

If so, check out a couple very simple example apps that can import .CSV files to knock out this frequent task:

Wednesday, June 5, 2013

Coding for Active Directory: Programmatically Get or Set Obscure Attribute Data in C#

If you are an organization of any size, chances are you have an Active Directory instance sitting around, and maybe some level of additional investment in Microsoft products beyond Windows on client machines and a couple servers.  And the more investment you have, the more value you will get from having relevant data in your Active Directory.  You may even have some developers on staff that write applications in C# or VB .NET.  Chances are, though, your developers won't understand or even want to understand Active Directory.

They may, however, be able and willing to code to a few random source code examples that float around on the web, but most examples are not very feature complete.  So it requires developers digging into the musty underbelly layers of Active Directory to learn how to get what they need.  Few will dig.

You could purchase an API, but the licenses may be expensive, and you may only want to read or set a couple of attributes on a user or group object that nobody else seems to have documented how to do well enough to satisfy your developers.

Or you could just send your developers to the new Securology GitHub repository to pull down a fully-functional, open source, non-restrictively licensed API to include in their projects to get up and going.

Maybe you just dealt with a large scale AD migration and you need to peel back the layers and extract user or group SIDs (Security Identifiers) or validate that SIDs from previous domains on imported objects are properly stored in the SID History?

Maybe you have a basic interface with your HR system, but don't want to shell out tons of cash to purchase a metadirectory tool like Identity Lifecycle Manager to move HR data like manager/reporting relationships around, but could really benefit from having that data in your Exchange, SharePoint or other application environments.

Maybe you need to set the user's employee number from your HR system on each AD user to identify the authoritative data source to satisfy an Active Directory Audit.

Maybe you just want to read or write the AD user's address, telephone, or even IP Phone number.

Maybe you have a mixed environment that also contains Unix servers and you need to set Unix attributes on the IT Unix Admin user accounts for a Unix SSO to AD product that you're using.

Maybe you'd like to programmatically setup Microsoft Exchange or Lync (Office Communicator) attributes?

Maybe you'd like a safer way to programmatically move or delete Active Directory objects?

Maybe you'd like an easier way to programmatically add or remove a user from an AD group?  Or maybe check if they already are in that group?

Maybe you'd like to populate your AD with Contact objects for business partners who don't need user accounts in your domain or forest, but so that they'll still show up in the Global Address List (GAL)?

Maybe you need a way to programmatically create an Organizational Unit (OU)?

Maybe you'd like to toggle an AD group from "Security" to "Distribution" and back again?  Or "domain local" to "universal"?  Or dump all of its members?  Or check if the AD group has no members?  Or set the "owner" of the group for audit/management purposes?

Maybe you'd like to prune back old computer objects?  Or build a report to show what Operating Systems are in your directory?  Or safely move or delete computer objects?

Maybe you'd like a way to expose the True Last Logon time of a user account without manually checking each Domain Controller and comparing times?  Or maybe you'd like a nice multi-threaded (and fast!) way of checking all Domain Controllers simultaneously?

If any of those are even remotely interesting to you, check out our extended version of Microsoft's System.DirectoryServices.AccountManagement namespace that we provide on GitHub.

Tuesday, June 4, 2013

Coding for Active Directory: Proxying Users into an AD-LDS Application Directory

In another IT Pro tip related to Active Directory, suppose an organization has an internal AD forest, but has a company policy that only paid personnel are to have accounts in that directory.  That's a fairly rational policy:

  • If we pay you directly, then you're an employee, so you get an account
  • If we pay you indirectly, then you're a contractor that we've hired, so you can also get an account
  • If you pay us, whether directly as a consumer, retailer, or reseller, or indirectly as a consumer through a retailer or reseller, then you're a customer, so you probably should not have an account in our internal AD forest.
But suppose you have an application that needs to be built that will allow both employees/contractors, AND customers to access it, and you don't want to setup yet-another-provisioning process for granting and revoking access for employees and contractors?

Enter a common solution: Active Directory - Lightweight Directory Services (previously known as ADAM, AD Application Mode, a.k.a. an "application" directory).  This is a lightweight, LDAP only directory with less bells and whistles than AD has, but many Microsoft-centric applications can plumb right into it.

But to achieve a true Single Sign On for the internal AD users, the IT Admin must create either a UserProxy or a UserProxyFull object in the AD-LDS.  Both function nearly the same, but a UserProxyFull has additional schema data elements for storing additional contact data fields, which are generally handy for today's applications.

Under the hood, when an internal AD user connects to the application, an authentication request is passed to the AD-LDS, which looks up the UserID of the internal user, finds the User Proxy object, and then performs Kerberos authentication against the internal AD.  All other attributes, though, from contact data fields, to the group memberships that the UserProxy has, are separate from the internal AD forest.  In essence, nothing is automatically the same and it's yet-another-directory-to-manage.

Wouldn't it be nice if there was a way to build a service or application in C# .NET so that a configurable subsection of your organization's internal AD user community could automatically be provisioned and deprovisioned, complete with metadata updates, and maybe even rudimentary AD-LDS group memberships based on your AD data?  Why yes, yes that would be very nice.  

Wouldn't it be even nicer if the code was open source so we can take it, borrow it, and use it internally without a restrictive license?  Why yes, yes that would be very nice, too.

Wouldn't be even nicer still if this article linked straight to that source code?
Why yes, yes it sure would be nice.

Good thing we just did! 

Monday, June 3, 2013

Active Directory Tip: Hitting Snooze on the Password Expiration Policy

The Active Directory Password Expiration Snooze Button

IT Administrators have certainly been in the tough scenario where a security policy mandates that passwords expire in X days, but there are constraints that make it really hard for the user account passwords to actually change.  For example:
  • Dealing with service, application, or generic accounts and a strict constraint to not mark them as non-expiring (forever) passwords
  • Dealing with rarely active human users who suddenly need to (on-demand) authenticate against an application, such as HR benefits open enrollment for employees who are not "information workers" (don't access computers).

There are a couple tricks for dealing with this without causing interruption.  Take note that these "tricks" may completely circumvent the letter and perhaps even the intent of the "policy".  But even with astute auditors, the intent of using these tricks will likely never get noticed. 

Or perhaps you are an auditor, and reading the details of these tricks will open up your mind to look for new events that signify lack of compliance.

Administrative Password Resets
If you know the password for the account in question, then simply perform a password reset with that password.  If you have never thought to do this before, this may at first seem counter-intuitive: after all, resetting a password with a password history rule turned on by policy will cause the password to change, right?

Wrong.  There are two ways an Active Directory password can change: 
  1. The user initiates a password change event, in which they are required to supply the current password in addition to a new password.
  2. The administrator with permissions on the UserAccountControl attribute of the AD user object can perform an administrative reset.
A reset by an administrator must support changing the password when the user is locked out and does not know the password, therefore, the administrator is not required to know the current password.

Also, a reset by an administrator does not enforce password history.  If it did, a rogue administrator could inadvertently learn the current password if the new password supplied by the administrator failed to reset due to password history requirements.  Sure, they just reset the password and could impersonate the user anyway, but that may not be the point: that user's password might be the same on a different (non-Active Directory integrated) application.

So, if you know the current password, perform a RESET and the password last set date attribute on the user account in the directory will update, effectively hitting the snooze button.

A More Clever Trick
But what if you don't know the current password for the account?  

In the scenario of a mostly-inactive end user community that suddenly need to hit an application (e.g. your company's HR system for annual benefits enrollment):
  • there may be too many users to learn their passwords
  • asking the user for their password is likely faux pas
  • the user may not even know the password anyway (since it's been a year), and 
  • resetting a large collection of users passwords to a standard/default that everyone shares is insecure
  • and resetting individually unique passwords for an infrequent, on-demand access presents communication problems all of its own
So, what to do? 

You could disable or extend password expiration.  In Windows 2003 AD and earlier, this meant changing the policy for everybody, which may not be the intent at all.  This is especially true if there are both active and inactive users in the directory, since active users will not get the normal "your password is about to expire" warning X days before it's too late.  Reverting your password expiration policy setting back to the original value could result in a portion of your active users suddenly being locked out and calling for help.  In Windows 2008 and later, you can have multiple expiration policies within a domain, but your user objects may not be grouped to distinguish the inactive users of concern.  You could identify them and move them (and even script that step), but then you may have to move them back to many different OUs (Organizational Units) which could be just as much of a pain as the original problem.

Or you could follow this set of steps (which are scriptable!):
  1. In Active Directory Users and Computers, locate the user with the expiring or expired password
  2. Check the "force password change at next logon" box.
  3. Click Apply.
  4. Uncheck the "force password change at next logon" box.
  5. Click Apply.
And VOILA!  That user's password expiration has just been snoozed-- effectively reset for another iteration, and with zero knowledge of the current password.  The password last set date will appear to be the moment you hit step 5.

How does this work?

Under the hood, the user attribute which stores the date/time when the password was last set is also dual purposed for the password must change flag.  The value is a really large integer which contains the number of ticks of seconds as a representation of time.  But when the force password change button is checked, the value of seconds of time is wiped out.  "Empty" is how the flag is stored.  The last date/time is wiped out.  So, when the administrator unchecks the force password change checkbox, AD Users & Computers has to put SOMETHING in that attribute, because NOTHING appears like it is flagged for change.  But the original value is gone forever!  So what does it store there?  The current date/time.  Hence, the user appears to have had its password reset without any actual (visible) changes to the user.

This can all be scripted out using the dsquery and dsmod commands the Microsoft ships with Active Directory.  PowerShell could also be used.  Or, an astute C# (or VB) .Net developer could simply take a look at the Securology GitHub repository, to see the example Password Snooze Button console app, to incorporate it into your organization's existing user management applications and services.

For the Auditor
To detect if an organization that you are auditing has been using the first option (administrative password resets to snooze the expiration), look for:
  • Event log data for password resets of multiple accounts at roughly the same time, since this would likely be done "in mass" by the IT administrator
  • Service accounts that all have roughly the same password last set date and time.  Manually resetting multiple passwords would have a period of time between each reset event, but a script would cause them all to be within a few seconds of each other
  • User accounts that have been in existence for longer than the password expiration policy's time out, but that have one or few historical passwords stored in the directory (requires a very low level AD editing tool to discover), while still being active (lots of log on events)
To detect if an organization has been using the second option (password must change flag), look for:
  • Lots of user accounts with nearly the same date/time value for the password last set attribute.
  • Lots of user accounts that have not logged in since their password was last set.
  • If event log data is available, look for lots events denoting the must change password flag was set or unset.
Even if long term historical event log data is available, the determined IT administrator could spread out these events to appear sporadic, random, or intentionally related to a user's call to a help desk.  A determined administrator could both keep the lights on and keep auditors at arms' length without detection of a policy violation.