You really should use (g)MSAs instead of user accounts for services, IIS, scheduled tasks, SQL, etc.

Even if you have a cred vault that rotates and handles dependencies, MSAs are probably still better.

Read Steve's thread for how they work, then this one for how to use them.
First, a couple of things Steve didn't mention:

1) MSA passwords are incredibly strong and rotate frequently enough that Kerberoasting is near impossible (especially with AES)

2) The password can be retrieved on one server and used on another; pass-the-hash/ticket still works.
OK, first, let's find out if you have a KDS root key set up. Open PowerShell on a machine with the Active Directory PowerShell module installed and run this:

Get-KDSRootKey

If you get nothing, then run this:

Add-KDSRootKey -EffectiveImmediately

Now wait 10 hours... seriously :(
First, create a security group (DVWA-Servers), then create the gMSA in Powershell:

New-ADServiceAccount -Name DVWA-Svc -DNSHostName DVWA.domain.com -PrincipalsAllowedToRetrieveManagedPassword DVWA-Servers -KerberosEncryptionType AES256

For a standalone MSA: use -RestrictToSingleComputer instead of -PrincipalsAllowedToRetrieveManagedPassword
Next, on the server where you want to use the MSA, run:

Test-ADServiceAccount DVWA-Svc

This should return True
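The whole KDS-key, group, gMSA and verification sequence above as one script. This is an added example, not the thread's own code; the group DVWA-Servers, account DVWA-Svc, DNS name DVWA.domain.com and host name APP01 are placeholders, and the RC4 bit check and 30-day rotation interval are my additions to show what to verify after creation.

```powershell
# Added example (not from the thread): create an AES-only gMSA whose password can
# be fetched only by members of one group, then verify it on a member server.
# DVWA-Servers, DVWA-Svc, DVWA.domain.com and APP01 are placeholder names.
#Requires -Modules ActiveDirectory

# --- Run on a machine with the AD module, as a domain admin ---

# 1. gMSA passwords are derived from the KDS root key, so one must exist first.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately still needs roughly 10 hours to replicate before gMSA creation works.
    Add-KdsRootKey -EffectiveImmediately
    Write-Warning "KDS root key created; wait 10 hours before creating the gMSA."
}

# 2. The group of hosts allowed to retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq 'DVWA-Servers'")) {
    New-ADGroup -Name 'DVWA-Servers' -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity 'DVWA-Servers' -Members (Get-ADComputer -Identity 'APP01')
# The computer only sees its new group membership after a fresh logon
# (reboot, or purge the machine's tickets with: klist -li 0x3e7 purge).

# 3. The gMSA: AES256 only, 30-day rotation, retrievable only by the group.
if (-not (Get-ADServiceAccount -Filter "Name -eq 'DVWA-Svc'")) {
    New-ADServiceAccount -Name 'DVWA-Svc' `
        -DNSHostName 'DVWA.domain.com' `
        -PrincipalsAllowedToRetrieveManagedPassword 'DVWA-Servers' `
        -KerberosEncryptionType AES256 `
        -ManagedPasswordIntervalInDays 30
}

# 4. Check the settings that decide Kerberoasting resistance and blast radius.
$acct = Get-ADServiceAccount -Identity 'DVWA-Svc' `
    -Properties 'msDS-SupportedEncryptionTypes','PrincipalsAllowedToRetrieveManagedPassword','msDS-ManagedPasswordInterval'

# msDS-SupportedEncryptionTypes bits: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
if ($acct.'msDS-SupportedEncryptionTypes' -band 0x4) {
    Write-Warning "RC4 is still enabled on DVWA-Svc; RC4 tickets are what Kerberoasting targets."
}
$acct.PrincipalsAllowedToRetrieveManagedPassword   # should list only the DVWA-Servers group DN
$acct.'msDS-ManagedPasswordInterval'                # should be 30

# --- Run on APP01 itself (it also needs the AD PowerShell module) ---
# Install-ADServiceAccount caches the account locally; Test-ADServiceAccount returns
# True only if this host can actually retrieve the password, i.e. it is a member of
# DVWA-Servers, its ticket reflects that, and the KDS key has replicated.
# Install-ADServiceAccount -Identity 'DVWA-Svc'
# Test-ADServiceAccount -Identity 'DVWA-Svc'
```

If Test-ADServiceAccount returns False right after adding the server to the group, the usual cause is the stale machine ticket noted in step 2, not the gMSA itself.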

Windows Services

You can grant the "Log on as a service" right using secpol.msc, or Windows will do it for you when you add the gMSA to a service (leave the password blank).
IIS

Open the IIS console, go to the Application Pool you want to use the gMSA on, and open Advanced Settings.

Scroll down to Identity and edit it to use a custom account. Specify your gMSA without a password and hit OK all the way out.

Grant folder permissions to the gMSA too.
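The same app pool change done from PowerShell instead of the IIS console, with the folder grant and a check that the worker process really runs as the gMSA. Added example, not from the thread; the pool name DVWA, account DOMAIN\DVWA-Svc$ and path C:\inetpub\wwwroot\dvwa are placeholders.

```powershell
# Added example (not from the thread): set an IIS application pool identity to a
# gMSA with an empty password, grant it read-only access to the site folder, and
# confirm the resulting w3wp.exe owner. Names and paths below are placeholders.
Import-Module WebAdministration

$pool = 'DVWA'
$gmsa = 'DOMAIN\DVWA-Svc$'     # the trailing $ is part of the gMSA account name
$site = 'C:\inetpub\wwwroot\dvwa'

# identityType 3 = SpecificUser. An empty password tells IIS to fetch the
# managed password itself, exactly like leaving the field blank in the console.
Set-ItemProperty -Path "IIS:\AppPools\$pool" -Name processModel `
    -Value @{ identityType = 3; userName = $gmsa; password = '' }

# Read back what the pool is actually configured with.
$pm = (Get-Item "IIS:\AppPools\$pool").processModel
"{0} runs as {1} (identityType {2})" -f $pool, $pm.userName, $pm.identityType

# Least privilege on disk: read + execute on the content, inherited to subfolders.
# Grant Modify only on specific folders the application must write to.
icacls $site /grant "${gmsa}:(OI)(CI)RX"

Restart-WebAppPool -Name $pool

# A worker process owned by the gMSA confirms the identity took effect.
Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    "{0} w3wp.exe owner: {1}\{2}" -f $_.ProcessId, $owner.Domain, $owner.User
}
```

If the pool stops immediately after the restart, check the System event log for a logon failure: that means the host cannot retrieve the managed password (not in the allowed group, or stale machine ticket), not that the IIS setting is wrong.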
Scheduled Tasks

First, make sure you grant the "Log on as a batch job" right to the gMSA using secpol.msc.

Easy mode - create the task using the GUI and leave it as SYSTEM, then run cmd/PS as admin, and do this:

schtasks /change /TN \DVWA-Task /RU DOMAIN\DVWA-Svc$ /RP

Leave the password blank when prompted.
If you prefer PowerShell :)

$principal = New-ScheduledTaskPrincipal -UserID DOMAIN\DVWA-Svc$ -LogonType Password

Set-ScheduledTask -TaskName DVWA-Task -Principal $principal

Now verify everything was updated in Task Scheduler and is working properly.

Don't forget permissions!
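Creating the task entirely from PowerShell, plus the verification the thread asks for and a quick inventory of tasks still running as ordinary user accounts. Added example, not the thread's code; DOMAIN\DVWA-Svc$, DVWA-Task and C:\Scripts\DVWA-Maint.ps1 are placeholders, and the "Log on as a batch job" right is assumed to have been granted via secpol.msc as described above.

```powershell
# Added example (not from the thread): register a scheduled task that runs as a
# gMSA, verify its principal and first result, then list tasks on this host that
# still run as plain user accounts. Account, task name and script path are placeholders.

$gmsa = 'DOMAIN\DVWA-Svc$'
$task = 'DVWA-Task'

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\DVWA-Maint.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At 2am

# LogonType Password with no credential supplied: Task Scheduler retrieves the
# managed password itself. RunLevel Limited avoids an elevated token unless needed.
$principal = New-ScheduledTaskPrincipal -UserId $gmsa -LogonType Password -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
                 -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $task -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify the task runs as the gMSA, not SYSTEM.
$t = Get-ScheduledTask -TaskName $task
"{0}: runs as {1}, logon type {2}" -f $t.TaskName, $t.Principal.UserId, $t.Principal.LogonType

# Run it once and read back the result. 0 = success, 267011 (0x41303) = not yet run.
# A logon failure here usually means the batch logon right or a folder ACL is missing.
Start-ScheduledTask -TaskName $task
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $task | Select-Object LastRunTime, LastTaskResult

# Inventory: tasks whose principal is neither a built-in identity nor an account
# ending in $ (computer or gMSA) are candidates to migrate to a gMSA.
$builtin = 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'
Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -and
    $_.Principal.UserId -notmatch '\$$' -and
    $_.Principal.UserId -notin $builtin
} | Select-Object TaskName, TaskPath, @{ n = 'RunsAs'; e = { $_.Principal.UserId } }
```

The same inventory idea applies to services: Get-CimInstance Win32_Service with its StartName property shows which services still start under a named user account rather than a gMSA or a built-in identity.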
Running things as the MSA using PsExec is something I've never thought about.

Doing this allows you to "Get-Credential | Export-Clixml" a credential blob to disk for the MSA to use in scheduled tasks, or you could store certs for credential based auth.

gMSAs are a very secure way to do service accounts, but there are still areas you may need to secure further. Stealthbits covers this well here:

stealthbits.com/blog/securing-…

Also, consider using Authentication Policy Silos to limit where MSAs can be used.

Thread by Nathan McNulty (@NathanMcNulty)