Harden AD 2.9.8 - Stable

LoicVeirman released this 23 Apr 20:48

Important: please use the HardenAD-2.9.8_2024-05-06_QuickFixRelease.zip file and not the source archive provided by GitHub.

Welcome to Harden AD 2.9.8!

Yes! A new release has arrived... While the last version focused on stabilizing the code and everything around it, the need to improve certain features and strategies remained. This is what we have done: let's discover all of these changes together!

Managing the local administrators group delegation
We have decided to wipe it away and rethink the whole thing. The script is now split into three files:

  1. Set-localAdminGroups.ps1: in charge of creating the group and moving it to the appropriate OU, depending on the OS type and the object's distinguishedName. The script runs each time a computer object is created, modified or deleted.
  2. Clear-localAdminGroups.ps1: runs once a day (11 PM) and hunts for groups that are still present in AD although the associated computer object no longer exists.
  3. Fix-localAdminGroups.ps1: runs twice a day (6 AM and 8 PM) and covers the case where a group was not created or updated dynamically (the scheduled task failed, event IDs are no longer reported to the DC, ...).

All of the scripts and their dependencies are located in %winDir%\HardenAD\SheduledTasks\Set-LocalAdminGroups, as are the debug files (those are explicitly intended for script maintenance). You will also find two XML files there (only one can be used at a time):

  1. configuration.xml: a dynamic file used by the script to manage the groups, generated from the tasksSequence_hardenAD.xml content. This file is created when you run harden.ps1, during a new sequence called Prepare GPO files before GPO import.
  2. configuration-custom.xml: more complex, this file is reserved for those who do not want to use the default rules but would rather use their own. Please refer to the comments within this file to learn how to use it.

The script is also self documented, so do not hesitate to read it for further details!

Finally, the scripts now generate events in the Application event log: you can access them on each DC through a filtered view in a folder called 'HardenAD'.
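The daily cleanup pass and the twice-daily catch-up pass described above both come down to reconciling two sets: the per-computer groups present in AD and the computer objects they belong to. The function below is an added illustration of that reconciliation, not code from the HardenAD project; it reports groups whose computer is gone (the Clear-localAdminGroups case) and computers that never got a group (the Fix-localAdminGroups case). The naming convention 'LS-LocalAdmin-<ComputerName>' and the sample names are assumptions made for the example only.

```powershell
# Added illustration, not code from the HardenAD project: the reconciliation
# logic that a cleanup pass (Clear-localAdminGroups) and a catch-up pass
# (Fix-localAdminGroups) need. The group naming convention
# 'LS-LocalAdmin-<ComputerName>' is an ASSUMPTION made for this example.
function Compare-LocalAdminGroupSet {
    [CmdletBinding()]
    param(
        # sAMAccountNames of groups found in AD
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$GroupName,
        # sAMAccountNames of computer objects found in AD (trailing '$' tolerated)
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$ComputerName,
        # Assumed naming convention for per-computer local admin groups
        [string]$Prefix = 'LS-LocalAdmin-'
    )

    $cmp = [StringComparer]::OrdinalIgnoreCase
    $computers = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($c in $ComputerName) { [void]$computers.Add($c.TrimEnd('$')) }

    # Computers that already have a group, used afterwards to find the missing ones
    $covered = [System.Collections.Generic.HashSet[string]]::new($cmp)

    foreach ($g in $GroupName) {
        # Ignore groups that do not follow the convention (e.g. built-in groups)
        if (-not $g.StartsWith($Prefix, [StringComparison]::OrdinalIgnoreCase)) { continue }
        $target = $g.Substring($Prefix.Length)
        [void]$covered.Add($target)
        if (-not $computers.Contains($target)) {
            # Orphan: the group exists but the computer object is gone (Clear-localAdminGroups case)
            [pscustomobject]@{ State = 'Orphaned'; Group = $g; Computer = $target }
        }
    }

    foreach ($c in $computers) {
        if (-not $covered.Contains($c)) {
            # Missing: the computer exists but its group was never created (Fix-localAdminGroups case)
            [pscustomobject]@{ State = 'Missing'; Group = "$Prefix$c"; Computer = $c }
        }
    }
}

# Constructed sample data standing in for Get-ADGroup / Get-ADComputer output:
# SRV02 has a group but no computer object, WKS-0043 has a computer object but no group.
$groups    = 'LS-LocalAdmin-SRV01', 'LS-LocalAdmin-SRV02', 'LS-LocalAdmin-WKS-0042', 'Domain Admins'
$computers = 'SRV01$', 'WKS-0042$', 'WKS-0043$'

Compare-LocalAdminGroupSet -GroupName $groups -ComputerName $computers | Format-Table -AutoSize

# Against a real domain the inputs would come from the ActiveDirectory module, e.g.
#   (Get-ADGroup -Filter "Name -like 'LS-LocalAdmin-*'").SamAccountName
#   (Get-ADComputer -Filter *).SamAccountName
# and each result is a candidate for Remove-ADGroup / New-ADGroup, run with -WhatIf first.
```

Keeping the comparison in a pure function that takes plain name lists makes the logic testable without a domain, and the case-insensitive sets mirror how sAMAccountNames are matched in AD. Any remediation step that follows (removing orphans, creating missing groups) should be run with -WhatIf first and its outcome written to the same Application log the release describes.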

HardenAD.ps1: parameters accepted!
Well, to be honest, this point is my favorite one ;) We have implemented three parameters in the main script:

  1. -EnableTask: lets you enable one or more task sequences WITHOUT touching the XML file!
  2. -DisableTask: same as the previous one, but disables instead. If combined with enabling, disable wins.
  3. -NoConfirmationForRootDomain: skips the validation of the domain name in the root domain. Just for lazy guys like me ;)

So, the best news here is that you no longer need to edit TasksSequence_hardenAD.xml to activate a sequence. Yes, no more! However, don't be too happy: the file still has to be updated with the relevant information (OU design, translation, object path, ...). More on this later.

TasksSequence_HardenAD.xml: mastering the beast
As you may already know, this file is the core of the engine: everything the script needs is referenced in it. We have started a process to rationalize it and simplify personalization by reducing the number of specific values to adapt (such as a target OU path, a group name, ...). Obviously, this affects the module functions, so expect this to change in future releases too.

As of today, we have improved the FR-FR and EN-US inputs in the file. By default, the file is set up for EN-US: to enable the FR-FR version, just remove the parts commented for English and uncomment the French ones.
The following sections are concerned by this change:

  • DelegationACEs
  • Translation
  • Groups

GPOs
Some changes have been made to the group policies:

  • HAD-UNC-Hardened-Path: a new GPO, linked to the 'Domain Controllers' OU, that enables UNC hardened paths for SYSVOL and NETLOGON.
  • HAD-LoginRestrictions-{tier}: the 'Deny Network Logon' setting has been replaced; it no longer denies the other Tier admin accounts but only the Guest account. The previous setting was not relevant from a security perspective (let's say a bit too secure) and was the source of unwanted restrictions that impacted daily technical actions, such as adding a printer to a computer or forcing a group policy refresh from the Group Policy Machine Console.
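UNC hardened paths make the SMB client require Kerberos mutual authentication and signing (integrity) before it trusts content from SYSVOL and NETLOGON, which is what protects policy and logon scripts from a spoofed or tampered share. The function below is an added check, not code from the HardenAD project, that reads the policy key the GPO writes and reports whether both flags are present for each share; the registry location and the value format are the ones documented by Microsoft for the UNC Hardened Access policy. The -Entries parameter and the sample data are assumptions made so the check can also be demonstrated offline.

```powershell
# Added check, not code from the HardenAD project: report whether UNC hardened
# paths are in force for SYSVOL and NETLOGON, i.e. what the HAD-UNC-Hardened-Path
# GPO is meant to enforce. The key and value format are those documented by
# Microsoft for the "Hardened UNC Paths" policy.
function Test-UncHardenedPath {
    [CmdletBinding()]
    param(
        # Share patterns to verify; '\\*\SYSVOL' and '\\*\NETLOGON' are the ones the GPO targets
        [string[]]$Share = @('\\*\SYSVOL', '\\*\NETLOGON'),
        # Optional pre-read entries (value name -> data); when omitted, the local policy key is read
        [hashtable]$Entries
    )

    if (-not $Entries) {
        $Entries = @{}
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key
            foreach ($s in $Share) {
                # Exact-name lookup: the '*' in the value name is literal, not a wildcard
                $prop = $item.PSObject.Properties[$s]
                if ($prop) { $Entries[$s] = [string]$prop.Value }
            }
        }
    }

    foreach ($s in $Share) {
        $data = [string]$Entries[$s]
        # Both flags must be set; a missing value or a lone flag leaves the share unhardened
        $mutual    = $data -match 'RequireMutualAuthentication\s*=\s*1'
        $integrity = $data -match 'RequireIntegrity\s*=\s*1'
        [pscustomobject]@{
            Share      = $s
            Configured = ($data -ne '')
            Hardened   = ($mutual -and $integrity)
            Data       = $data
        }
    }
}

# Live check on the current machine (run after a gpupdate so the GPO has been applied)
Test-UncHardenedPath | Format-Table -AutoSize

# Offline demonstration on constructed data: SYSVOL carries both flags, NETLOGON only one
$sample = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireIntegrity=1'
}
Test-UncHardenedPath -Entries $sample | Format-Table -AutoSize
```

Running the live check on each DC after the GPO is linked is a quick way to confirm that the policy actually landed; a share reported as Configured but not Hardened usually means a hand-edited value with only one of the two flags, which the GPO should overwrite on the next refresh.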

Final words...
This is a big step towards future changes. We sincerely hope this will ease your journey toward AD hardening! Do not hesitate to reach us through our website or here.

The Harden AD team.