Posts

  • Golden SAML - How It Happened and What We Can Do About It

    Reposting it somewhere else - stay tuned.

  • The Consequences and Side-Effects of Checking “Account is Sensitive and Cannot be Delegated”

    The Introduction

    Kerberos delegation is the feature that allows an application (a service account or computer) to act on behalf of another user. More information is provided by Microsoft. To protect sensitive accounts, such as Domain Admins, Enterprise Admins, etc., Active Directory administrators can selectively set an account to “Account is sensitive and cannot be delegated” (as you can see in Figure 1); this prevents a user’s credentials (TGT) from being reused.

    Figure 1. Checkbox to tag an account as sensitive and cannot be delegated

    The idea of this setting is to limit the scope of attacks, particularly those categorized as privilege escalation. Without it, sensitive credentials may be harvested from compromised servers or service accounts where Kerberos delegation is enabled.

    With this setup, attacks such as credential harvesting, the “printer bug” and others can be partially mitigated by simply switching on “Account is sensitive and cannot be delegated”.

    The Problem

    However, if this setting can mitigate attacks, why isn’t it widely adopted and turned on by default? In reality, there may be instances where users need delegation for certain operations, and depending on your organization this may or may not be an essential setting. However, security experts can agree on one thing: it is dangerous to leave this unchecked for privileged accounts and “shadow” privileged accounts.

    It then begs the question: what are the possible side-effects of setting the “Account is sensitive and cannot be delegated” flag?

    Indeed, setting this flag may prevent some day-to-day operations that require Kerberos delegation. One such example is Live Migration for Hyper-V Virtual Machines, which you can read more about at Live Migration via Constrained Delegation.

  • My new blog location

    I have always been active in blogging, and throughout my career in Microsoft, I posted quite a few of my learnings at Microsoft Blogs. When I left Microsoft back at the end of 2018 and joined Alsid, I needed to find a new home. At the same time, I had also started to slowly move my blogs from MSDN over to Github Pages, as Microsoft was at that time decommissioning MSDN blogs. Eventually it was moved to Archive, which you can still access here.

  • Welcome to Jekyll!

    This page was intentionally left here. You’ll find this post in your _posts directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run jekyll serve, which launches a web server and auto-regenerates your site when a file is updated.

  • Separating Tags in Azure Usage Details using *free* Power BI Desktop for Better Data Visualization

    Originally posted at https://blogs.msdn.microsoft.com/kennethteo/2016/09/15/separating-tags-in-azure-using-free-power-bi-desktop-for-better-data-visualization/

    The Problem

    Azure has supported tagging of resources for the longest time; however, one of the complaints I have with this feature is that there is no easy way to separate tags into their own columns when exporting the usage details (see exhibit 1).

    Tagging can be done at the resource group or individual resource level. The purpose of tags is loosely defined; more often than not, an organization uses them for cross-charge purposes.

    Exhibit 1. Itemized usage. Notice that the Tags column is very messy and unorganized when you have multiple tags.
