
Comments (19)

TrimarcJake commented on July 19, 2024

To remove SPNs from accounts: setspn -d [SPN] [IdentityReference]

Example: setspn -d http/deadhost.horse.local FOAL\user

from bluetuxedo.

TrimarcJake commented on July 19, 2024

"Everyone has a test environment. Some people are lucky enough to have a production environment."

nitsewg commented on July 19, 2024

Perfect! That should be easy enough to script out for my list. Thanks a bunch!

TrimarcJake commented on July 19, 2024

Yeah, buddy! (Almost) none of this stuff is rocket science. It's just hard to find, ya know?

nitsewg commented on July 19, 2024

I ended up using chatgpt to take the results that BlueTux spit out to reformat it into a CSV that I could easily read in with powershell. hah
Just needed "host/name,name" in the CSV, then I used this:

# CSV is expected to have the header "spn,name", one dangling SPN per row
$data = Import-Csv -Path "C:\path\to\spn.csv"

foreach ($row in $data) {
    $spn = $row.spn     # e.g. http/deadhost.horse.local
    $name = $row.name   # the account holding the SPN (sAMAccountName)

    # setspn -D removes the SPN from the named account (same as -d above)
    setspn -D $spn $name
}

TrimarcJake commented on July 19, 2024

Easy peasy! BTW: I plan to get this added in Saturday or Sunday.

nitsewg commented on July 19, 2024

Awesome. I am pretty sure gpt didn't include all of them in the reformatted output it gave me, but I haven't run the check again. I may wait until you release the updated code so I can test it out. I am actually doing a short presentation on Blue Tuxedo for our team next Friday.

TrimarcJake commented on July 19, 2024

This may sound weird, but would it be possible for me to join that presentation?

nitsewg commented on July 19, 2024

Doesn't sound weird at all. That would be cool, but we don't typically stream / record them since they are pretty low key. It is going to be during one of our professional development meetings, and will most likely be a 2-3 minute very high level overview. I can hit you up afterward to give you my talking points, and how it went.

TrimarcJake commented on July 19, 2024

Love it.

TrimarcJake commented on July 19, 2024

So, good news and bad news...

Bad news: it looks like my branch protection rules were not set up properly and I stupidly committed to main

Good news: the following commits add the Repair-BTDanglingSPN function!
53401bf
d314805
d9bed14

If I understand correctly, @nitsewg, you've already resolved your danglin', but if not, please test this out and let me know if it works!

nitsewg commented on July 19, 2024

It doesn't look like it gives you the commands when you run invoke-bluetuxedo, but when I ran Repair-BTDanglingSPN by itself, it spit out the code blocks. I still had a few that I guess didn't make it into my list last time. I cleaned up the output and ran the code blocks. Looks like we should be good to go now.

TrimarcJake commented on July 19, 2024

Guess who just earned the job of User Acceptance Tester... :D jk, thank you for the report!

BTW: All Repair- functions include a -Run switch that will run the fix on your behalf. I will make sure that is included in the documentation (when I get a chance to update it.)

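An added example, not part of this thread and not BlueTuxedo's own code, that puts together the three pieces discussed above: the manual `setspn -d [SPN] [IdentityReference]` removal, the CSV loop, and a Repair-style function with a `-Run` switch. It enumerates every account in the domain that carries an SPN, treats an SPN as dangling when its host part no longer resolves in DNS, and emits the matching `setspn -D` command as an object; the command is only executed when the (hypothetical, modelled on the `-Run` behaviour described in the thread) `-Run` switch is passed. It assumes the RSAT ActiveDirectory module and `Resolve-DnsName` are available, and that the running account can read `servicePrincipalName` (and, with `-Run`, modify the affected objects).

```powershell
# Added example (not BlueTuxedo's code): find SPNs whose host part no longer
# resolves in DNS and emit, or with -Run execute, the matching setspn -D command.
# Assumes the ActiveDirectory and DnsClient modules (RSAT) on the machine running it.
function Find-DanglingSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Run   # hypothetical switch: actually run setspn -D instead of only reporting
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Every user, computer and gMSA object that has at least one SPN
    $accounts = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                             -Properties servicePrincipalName, sAMAccountName

    $resolved = @{}   # host name -> $true/$false, so each host is looked up once

    foreach ($acct in $accounts) {
        foreach ($spn in $acct.servicePrincipalName) {
            # SPN format is service/host[:port][/servicename]; the host is the second segment
            $parts = $spn -split '/'
            if ($parts.Count -lt 2) { continue }
            $hostPart = ($parts[1] -split ':')[0]

            # Skip host parts that are not DNS names: GUID-based DC SPNs and raw IP addresses
            if ($hostPart -match '^[0-9a-f]{8}-' -or $hostPart -match '^\d+\.\d+\.\d+\.\d+$') { continue }
            # Conservative: short (NetBIOS-style) names depend on the suffix search list, so leave them out
            if ($hostPart -notmatch '\.') { continue }

            if (-not $resolved.ContainsKey($hostPart)) {
                $resolved[$hostPart] = [bool](Resolve-DnsName -Name $hostPart -Type A_AAAA -DnsOnly -ErrorAction SilentlyContinue)
            }
            if ($resolved[$hostPart]) { continue }   # host still exists in DNS; not dangling

            $identity = $acct.sAMAccountName
            $command  = "setspn -D `"$spn`" `"$identity`""

            # One object per dangling SPN; pipe to Export-Csv to get the list nitsewg built by hand
            [pscustomobject]@{
                Account = $identity
                SPN     = $spn
                Host    = $hostPart
                Command = $command
            }

            # Only change AD when -Run is given; -WhatIf is honoured via SupportsShouldProcess
            if ($Run -and $PSCmdlet.ShouldProcess($identity, "Remove dangling SPN $spn")) {
                & setspn -D $spn $identity | Out-Null
            }
        }
    }
}

# Usage: review first, then run
# Find-DanglingSpn | Format-Table Account, SPN, Command
# Find-DanglingSpn -Run -WhatIf
# Find-DanglingSpn -Run
```

The only signal used is "does the host still resolve", which is the same heuristic the thread works with; a host that is temporarily missing from DNS, or that lives in a namespace the running machine cannot resolve, will show up as a false positive, so review the emitted commands before passing `-Run`.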

nitsewg commented on July 19, 2024

😂 - good to know on the -Run... I remembered something about that from your presentation, but I didn't remember the flag to use. Easy enough. Thanks again for being responsive on this. Now I just need to work on the dynamic update service account. I think just about everything else BT audits is looking pretty good.

TrimarcJake commented on July 19, 2024

Ooh, can you try to set a gMSA as the dynamic update service account? I am curious if that's possible and haven't had time to lab it up.

nitsewg commented on July 19, 2024

I'll look into it a bit. I, eh... do all of my testing in production, so I have to be a bit careful not to break things. hah

nitsewg commented on July 19, 2024

I read up a bit on gMSA... but I am not sure what permissions would be needed. The only documentation I have found for using dynamic update credentials shows using domain admin... lol

I should probably do a bit more research before going whole hog on this one. Do you happen to have any links that would give a shove in the right direction on that?

This is the one I found, that shows using domain admin:

https://learn.microsoft.com/en-us/answers/questions/355711/dhcp-reccord-dns-service-account

JimSycurity commented on July 19, 2024

The DNS Update account for DHCP should be a standard user account. Never tried to use a gMSA for this. Unsure if it's supported.

Some links I have on this topic:

Configure DNS dynamic update credential:
https://readwise.io/reader/shared/01he1aeq13ht4238hbvavhrcn3

DHCP Server in DCs and DNS Registrations: https://learn.microsoft.com/en-us/archive/blogs/stdqry/dhcp-server-in-dcs-and-dns-registrations

DHCP, Dynamic DNS, and DCs: How about Some PowerShell to Spice Up a Mind-Numbing Topic?: https://readwise.io/reader/shared/01hdkxzh458desy94dngqxw7xn

Edit: missed one:

Using DNS servers with DHCP: https://readwise.io/reader/shared/01he1af4ykcpmabjjnfaxzegpt

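As an added example (not from the thread and not BlueTuxedo's own code) of checking the point made above, that the DHCP dynamic DNS update account should be a standard user rather than a domain admin: the function below reads the credential configured on a DHCP server and flags it when that account is a member of a privileged group, or when no credential is set at all. It assumes the DhcpServer and ActiveDirectory RSAT modules, that the update account lives in the domain the session is joined to, and a constructed list of privileged groups that you would extend for your environment; only direct group membership is checked.

```powershell
# Added example (not BlueTuxedo's code): audit the account a DHCP server uses for
# dynamic DNS updates. Assumes the DhcpServer and ActiveDirectory modules (RSAT).
function Test-DhcpDnsUpdateAccount {
    param(
        [Parameter(Mandatory)][string]$DhcpServer,
        # Constructed starting list; add any group that is privileged in your forest
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                                        'DnsAdmins', 'Account Operators', 'Server Operators')
    )

    Import-Module DhcpServer, ActiveDirectory -ErrorAction Stop

    # The credential configured under IPv4 > Properties > Advanced > Credentials
    $cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer

    if ([string]::IsNullOrEmpty($cred.UserName)) {
        # No dedicated account: records are registered under the DHCP server's own
        # computer account, which on a DC-hosted DHCP server is the DC's account
        return [pscustomobject]@{
            DhcpServer   = $DhcpServer
            Account      = $null
            PrivilegedIn = ''
            Finding      = 'No dynamic update credential configured; set a dedicated standard user account'
        }
    }

    # Look the account up and check its direct group memberships (nested groups are not expanded)
    $user   = Get-ADUser -Identity $cred.UserName -Properties PasswordLastSet
    $groups = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
    $hits   = @($groups | Where-Object { $PrivilegedGroups -contains $_ })

    [pscustomobject]@{
        DhcpServer      = $DhcpServer
        Account         = "$($cred.DomainName)\$($cred.UserName)"
        PrivilegedIn    = ($hits -join ', ')
        PasswordLastSet = $user.PasswordLastSet
        Finding         = if ($hits.Count -gt 0) {
                              'Dynamic update account is privileged; replace it with a standard user'
                          } else {
                              'OK: standard user account'
                          }
    }
}

# Usage: run against each DHCP server in the domain
# Get-DhcpServerInDC | ForEach-Object { Test-DhcpDnsUpdateAccount -DhcpServer $_.DnsName } | Format-Table
```

When the check flags the account, `Set-DhcpServerDnsCredential -ComputerName <server> -Credential (Get-Credential)` is the cmdlet that replaces it; the new account only needs to be a plain domain user, since the DNS server grants it ownership of the records it creates. `PasswordLastSet` is included because this is a regular user account with a password that has to be rotated by hand, which is the property a gMSA would otherwise take care of.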

nitsewg commented on July 19, 2024

@TrimarcJake - The short presentation went well. I discussed the dangers of wildcard records, wpad, dangling SPNs, tombstone records, legacy zones, etc... and then showed screenshots with alerts and remediations using BT. I think most of it was over their heads, but the main point that we are safer now than before came through clearly. I tried to stick with a 10,000 ft view of it. hah
