Comments (19)
To remove SPNs from accounts: setspn -d [SPN] [IdentityReference]
Example: setspn -d http/deadhost.horse.local FOAL\user
from bluetuxedo.
"Everyone has a test environment. Some people are lucky enough to have a production environment."
Perfect! That should be easy enough to script out for my list. Thanks a bunch!
Yeah, buddy! (Almost) none of this stuff is rocket science. It's just hard to find, ya know?
I ended up using chatgpt to take the results that BlueTux spit out to reformat it into a CSV that I could easily read in with powershell. hah
Just needed "host/name,name" in the CSV, then I used this:
# CSV is expected to have the header "spn,name" (matching $row.spn / $row.name below)
$data = Import-Csv -Path "C:\path\to\spn.csv"
foreach ($row in $data) {
    $spn = $row.spn
    $name = $row.name
    # setspn -D removes the SPN from the named account
    setspn -D $spn $name
}
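A slightly more defensive version of the same CSV-driven cleanup, added here as an example and not code from the Blue Tuxedo project or from the commenter. It assumes the same "spn,name" CSV layout, that the ActiveDirectory module and setspn.exe are available, and it borrows the idea of a -Run switch: without it the function only prints the setspn commands it would run. The function name Remove-DanglingSpnFromCsv is made up for this example.

```powershell
# Added example (not from the Blue Tuxedo project): review a CSV of candidate
# dangling SPNs and remove only those whose host no longer resolves in DNS.
# Assumptions: CSV header "spn,name"; ActiveDirectory module present; setspn.exe on PATH.
function Remove-DanglingSpnFromCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Run   # without -Run, only print what would be done
    )

    $rows = Import-Csv -Path $Path
    foreach ($row in $rows) {
        $spn  = $row.spn
        $name = $row.name

        # SPN format is service/host[:port][/name]; take the host component.
        $hostPart = ($spn -split '/')[1]
        if (-not $hostPart) {
            Write-Warning "Skipping malformed SPN '$spn'"
            continue
        }
        $hostPart = ($hostPart -split ':')[0]

        # Confirm the SPN is really registered somewhere before touching it.
        # (Assumes the SPN contains no LDAP filter metacharacters such as parentheses.)
        $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
        if (-not $holder) {
            Write-Host "SKIP  $spn is not registered on any object"
            continue
        }

        # Only a host that no longer resolves is treated as dangling.
        $resolves = $null -ne (Resolve-DnsName -Name $hostPart -ErrorAction SilentlyContinue)
        if ($resolves) {
            Write-Host "KEEP  $spn ($hostPart still resolves)"
            continue
        }

        if ($Run) {
            setspn -D $spn $name
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "setspn returned exit code $LASTEXITCODE for $spn on $name"
            }
        } else {
            Write-Host "WOULD RUN: setspn -D $spn $name"
        }
    }
}

# Usage: review first, then apply.
# Remove-DanglingSpnFromCsv -Path "C:\path\to\spn.csv"
# Remove-DanglingSpnFromCsv -Path "C:\path\to\spn.csv" -Run
```

One caveat worth keeping in mind: the DNS check is only meaningful once wildcard records (which this thread also mentions) have been cleaned up, because a wildcard makes every hostname in the zone resolve and every SPN look healthy.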
Easy peasy! BTW: I plan to get this added in Saturday or Sunday.
Awesome. I am pretty sure gpt didn't include all of them in the reformatted output it gave me, but I haven't run the check again. I may wait until you release the updated code so I can test it out. I am actually doing a short presentation on Blue Tuxedo for our team next Friday.
This may sound weird, but would it be possible for me to join that presentation?
Doesn't sound weird at all. That would be cool, but we don't typically stream / record them since they are pretty low key. It is going to be during one of our professional development meetings, and will most likely be a 2-3 minute very high level overview. I can hit you up afterward to give you my talking points, and how it went.
Love it.
So, good news and bad news...
Bad news: it looks like my branch protection rules were not set up properly and I stupidly committed to main
Good news: the following commits add the Repair-BTDanglingSPN function!
53401bf
d314805
d9bed14
If I understand correctly, @nitsewg, you've already resolved your danglin', but if not, please test this out and let me know if it works!
It doesn't look like it gives you the commands when you run invoke-bluetuxedo, but when I ran Repair-BTDanglingSPN by itself, it spit out the code blocks. I still had a few that I guess didn't make it into my list last time. I cleaned up the output and ran the code blocks. Looks like we should be good to go now.
Guess who just earned the job of User Acceptance Tester... :D jk, thank you for the report!
BTW: All Repair- functions include a -Run switch that will run the fix on your behalf. I will make sure that is included in the documentation (when I get a chance to update it.)
😂 - good to know on the -Run... I remembered something about that from your presentation, but I didn't remember the flag to use. Easy enough. Thanks again for being responsive on this. Now I just need to work on the dynamic update service account. I think just about everything else BT audits is looking pretty good.
Ooh, can you try to set a gMSA as the dynamic update service account? I am curious if that's possible and haven't had time to lab it up.
I'll look into it a bit. I, eh... do all of my testing in production, so I have to be a bit careful not to break things. hah
I read up a bit on gMSA... but I am not sure what permissions would be needed. The only documentation I have found for using dynamic update credentials shows using domain admin... lol
I should probably do a bit more research before going whole hog on this one. Do you happen to have any links that would give a shove in the right direction on that?
This is the one I found, that shows using domain admin:
https://learn.microsoft.com/en-us/answers/questions/355711/dhcp-reccord-dns-service-account
The DNS Update account for DHCP should be a standard user account. Never tried to use a gMSA for this. Unsure if it's supported.
Some links I have on this topic:
Configure DNS dynamic update credential:
https://readwise.io/reader/shared/01he1aeq13ht4238hbvavhrcn3
DHCP Server in DCs and DNS Registrations: https://learn.microsoft.com/en-us/archive/blogs/stdqry/dhcp-server-in-dcs-and-dns-registrations
DHCP, Dynamic DNS, and DCs: How about Some PowerShell to Spice Up a Mind-Numbing Topic?: https://readwise.io/reader/shared/01hdkxzh458desy94dngqxw7xn
Edit: missed one:
Using DNS servers with DHCP: https://readwise.io/reader/shared/01he1af4ykcpmabjjnfaxzegpt
@TrimarcJake - The short presentation went well. I discussed the dangers of wildcard records, wpad, dangling SPNs, tombstone records, legacy zones, etc... and then showed screenshots with alerts and remediations using BT. I think most of it was over their heads, but the main point that we are safer now than before came through clearly. I tried to stick with a 10,000 ft view of it. hah