How To: Subnet Creation Dates in Active Directory

Managing an Active Directory (AD) environment requires a clear understanding of its configuration, including its network subnets. Knowing when specific subnets were added can provide valuable insights for audits, troubleshooting, and change tracking. However, this information is not readily visible in the default Active Directory tools. To address this, I created a script that retrieves and displays the creation dates of subnets in Active Directory.

In this article, I’ll share the purpose of this script, explain how it works, and provide usage instructions. If you’ve been looking for a way to streamline your subnet management tasks, this solution might be just what you need.

Subnet creation dates can be important for:

  1. Auditing: Keeping a record of when changes were made.
  2. Troubleshooting: Identifying if a recent subnet addition aligns with network changes.
  3. Change Management: Ensuring compliance with organizational policies.

While the default AD tools allow you to manage subnets, they lack detailed tracking capabilities. This script bridges that gap by retrieving and displaying the creation timestamps.

The script leverages PowerShell and Active Directory cmdlets to query the CN=Subnets container. By parsing the whenCreated attribute of each subnet object, it provides a clear list of subnets along with their creation dates. Below is a summary of its functionality:

  1. Connects to the Active Directory environment.
  2. Queries the CN=Subnets container.
  3. Retrieves the whenCreated attribute for each subnet.
  4. Outputs the data in a readable format (e.g., table or CSV).

Before running the script, ensure the following:

  • You have administrative privileges to access the CN=Subnets container.
  • PowerShell 5.1 or later is installed on your machine.
  • The Active Directory module for Windows PowerShell is installed.

When you execute the script, you’ll see

Active Directory Subnet History:

# Import the Active Directory module
Import-Module ActiveDirectory

try {
    # Retrieve the Configuration container
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # Retrieve subnet information
    $subnets = Get-ADObject -Filter 'objectClass -eq "subnet"' `
        -SearchBase "CN=Subnets,CN=Sites,$configNC" `
        -Properties Name, Description, Location, whenCreated, whenChanged, siteObject

    # Process the results
    $subnetInfo = $subnets | Select-Object @{
        Name = "Subnet"
        Expression = { $_.Name }
    },
    @{
        Name = "Created Date"
        Expression = { $_.whenCreated }
    },
    @{
        Name = "Last Modified"
        Expression = { $_.whenChanged }
    },
    @{
        Name = "Location"
        Expression = { if ($_.Location) { $_.Location } else { "Not Specified" } }
    },
    @{
        Name = "Description"
        Expression = { if ($_.Description) { $_.Description } else { "No Description" } }
    },
    @{
        Name = "Associated Site"
        Expression = {
            if ($_.siteObject) {
                # siteObject is a DN; keep only the site name from its first RDN
                ($_.siteObject -split ',')[0] -replace 'CN='
            } else {
                "No Site Associated"
            }
        }
    }

    # Display the total count
    Write-Host "Total Number of Subnets:" $subnets.Count -ForegroundColor Green
    Write-Host "`nDetailed Subnet Information:" -ForegroundColor Yellow
    Write-Host "------------------------`n"

    # Print to screen
    $subnetInfo | Format-Table -AutoSize

    # Export to CSV
    $exportPath = "AD_Subnets_Export_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv"
    $subnetInfo | Export-Csv -Path $exportPath -NoTypeInformation -Encoding UTF8
    Write-Host "`nExported to:" $exportPath -ForegroundColor Cyan

} catch {
    Write-Host "Error occurred: $_" -ForegroundColor Red
    Write-Host "`nCheck if you have the following prerequisites:" -ForegroundColor Yellow
    Write-Host "1. Running PowerShell as Administrator" -ForegroundColor Yellow
    Write-Host "2. Domain Admin or appropriate permissions" -ForegroundColor Yellow
    Write-Host "3. Active Directory PowerShell module is installed" -ForegroundColor Yellow
    Write-Host "4. Running on a domain-joined machine" -ForegroundColor Yellow
}

While this script fulfills its primary purpose, there’s always room for improvement. Some potential enhancements include:

  • Adding filtering options to display subnets created within a specific timeframe.
  • Incorporating logging functionality for audit purposes.
  • Automating the script to run periodically and generate reports.
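The first two enhancements, a creation-date filter and a run log, can be added as a small wrapper around the same Get-ADObject query. The function below is an added example written for this article, not part of the original script; the function name Get-RecentADSubnet, the -Days and -LogPath parameters and the default log file name are choices made for the example. The cut-off goes into the server-side filter, since whenCreated is an indexed attribute that Get-ADObject can compare against a DateTime, so the domain controller returns only the matching subnets.

```powershell
# Added example (not from the original article): subnet creation-date filter
# plus an audit log line per run. Get-RecentADSubnet, -Days and -LogPath are
# names chosen for this example; the ActiveDirectory module is assumed present.
Import-Module ActiveDirectory

function Get-RecentADSubnet {
    [CmdletBinding()]
    param(
        # Only return subnets created within this many days
        [int]$Days = 30,
        # Append one line per run to this audit log (created if missing)
        [string]$LogPath = "AD_Subnets_Audit.log"
    )

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $cutOff   = (Get-Date).AddDays(-$Days)

    # whenCreated can be compared in the AD filter itself, so the DC does the
    # date filtering instead of returning every subnet for client-side filtering
    $subnets = Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$configNC" `
        -Filter { objectClass -eq "subnet" -and whenCreated -ge $cutOff } `
        -Properties Name, Description, Location, whenCreated, whenChanged, siteObject

    $results = foreach ($s in $subnets) {
        [pscustomobject]@{
            Subnet         = $s.Name
            CreatedDate    = $s.whenCreated
            LastModified   = $s.whenChanged
            AssociatedSite = if ($s.siteObject) { ($s.siteObject -split ',')[0] -replace '^CN=' } else { 'No Site Associated' }
            Location       = if ($s.Location) { $s.Location } else { 'Not Specified' }
            Description    = if ($s.Description) { $s.Description } else { 'No Description' }
        }
    }

    # Audit trail: who ran the query, when, which window, and how many matched
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}\{2} queried subnets created since {3:yyyy-MM-dd}: {4} found" -f `
        (Get-Date), $env:USERDOMAIN, $env:USERNAME, $cutOff, @($results).Count
    Add-Content -Path $LogPath -Value $line

    $results
}

# Usage: subnets added in the last 14 days, newest first, logged to the default file
Get-RecentADSubnet -Days 14 | Sort-Object CreatedDate -Descending | Format-Table -AutoSize
```

For the third enhancement (periodic reports), the same function can be called from a scheduled task and piped to Export-Csv, with the log file giving a compact history of every run.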

This script provides a straightforward way to retrieve subnet creation dates in Active Directory, making it easier to manage and audit your network environment. Feel free to try it out.

You can also read this article on checking for missing subnets in your environment.

Have a nice day!

SMBv1: Monitoring and Analyzing Access on Domain Controllers

What is SMB1 and What Does It Do?

Server Message Block Version 1 (SMB1) is an older protocol that facilitates file and printer sharing over a network. Widely used in Windows systems, it allows devices on a network to share data with each other.
However, due to security vulnerabilities, more modern and secure alternatives are recommended.

Advantages:

  • Compatible with older hardware.
  • Simplifies file and printer sharing over a network.

Disadvantages:

  • Prone to security issues and more vulnerable to ransomware attacks.
  • May have lower performance.


Finding SMB1 Access on Domain Controllers

To locate SMB1 access on Domain Controller (DC) servers, the first step is to ensure that the Audit-SMB1Access feature is enabled. This feature collects SMB1 access control logs, making them available for analysis.
These logs focus on specific periods (e.g., the last 10 days).


Enabling the Audit Feature

To enable SMB1 access logging on Domain Controller servers, use the following PowerShell command:

# Get Domain Controllers
$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

# Enable AuditSmb1Access in the SMB server configuration of every DC
foreach ($DC in $DomainControllers) {
    try {
        # Set-SmbServerConfiguration; -ErrorAction Stop turns a failed remote
        # call into a terminating error so the catch block below actually runs
        Invoke-Command -ComputerName $DC -ErrorAction Stop -ScriptBlock {
            Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        }
        Write-Host ("Audit SMB1 Access on {0}: {1}" -f $DC, $true) -ForegroundColor Green
    } catch {
        Write-Host ("Failed to enable Audit SMB1 Access on {0}: {1}" -f $DC, $_.Exception.Message) -ForegroundColor Red
    }
}


To check SMB1 access logging on Domain Controller servers, use the following PowerShell command:

# Get Domain Controllers
$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

# Read the current AuditSmb1Access setting from every DC
foreach ($DC in $DomainControllers) {
    try {
        # Get-SmbServerConfiguration; -ErrorAction Stop makes an unreachable
        # DC land in the catch block instead of silently printing an empty value
        $AuditSmb1Access = Invoke-Command -ComputerName $DC -ErrorAction Stop -ScriptBlock {
            Get-SmbServerConfiguration | Select-Object -ExpandProperty AuditSmb1Access
        }
        Write-Host ("Audit SMB1 Access on {0}: {1}" -f $DC, $AuditSmb1Access) -ForegroundColor Green
    } catch {
        Write-Host ("Failed to check Audit SMB1 Access on {0}: {1}" -f $DC, $_.Exception.Message) -ForegroundColor Red
    }
}

Exporting SMB1 Audit Logs

To analyze the SMB1 access logs on Domain Controller servers, use PowerShell to deduplicate the entries by client address and review the activity of the last 10 days:

$DCList = Get-ADDomainController -Filter *

# Calculate the date 10 days ago
$CutOffDate = (Get-Date).AddDays(-10)

# Make sure the output folder exists before writing the per-DC files
$OutputDir = "C:\Scripts\SMB1Analysis"
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

foreach ($DC in $DCList) {
    $DCname = $DC.HostName
    Write-Host "Processing domain controller: $DCname"
    Write-Host "---------------------------------------"

    # HashTable to store unique entries (IP as key, latest timestamp as value)
    $UniqueEntries = @{}

    # Retrieve SMB1 audit logs; Get-WinEvent raises an error when the log holds
    # no events, so suppress it and treat "no events" as a clean result
    $SMB1Audits = Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit -ComputerName $DCname -ErrorAction SilentlyContinue

    # Process each log message
    $SMB1Audits | Where-Object { $_.TimeCreated -ge $CutOffDate } | ForEach-Object {
        $eventTime = $_.TimeCreated # Get the event timestamp
        $text = $_.Message.ToString().Split([Environment]::NewLine)
        $client = $text | Where-Object { $_ -like "Client*" }
        if ($client) {
            # Extract and clean the "Client Address" line
            $clientIP = $client.Trim()

            # Update the hashtable with the latest event time for the IP
            if ($UniqueEntries.ContainsKey($clientIP)) {
                if ($eventTime -gt $UniqueEntries[$clientIP]) {
                    $UniqueEntries[$clientIP] = $eventTime
                }
            } else {
                $UniqueEntries[$clientIP] = $eventTime
            }
        }
    }

    # Write unique entries to the output file
    $OutputPath = Join-Path $OutputDir "$DCname.txt"
    $UniqueEntries.GetEnumerator() | ForEach-Object {
        "$($_.Value) - $($_.Key)"
    } | Set-Content -Path $OutputPath

    Write-Host "Unique client entries (last 10 days) saved to: $OutputPath"
}

Addressing Security Concerns

  • Identify Security Vulnerabilities: SMB1 has inherent security vulnerabilities and, as an older protocol, is more susceptible to ransomware attacks and network threats. Analyze SMB1 logs to identify potential security risks and breaches.
  • Remediation and Updates: If critical security flaws are found in devices using SMB1, it is essential to update them with security patches. Additionally, consider disabling SMB1 or migrating these devices to a more secure SMB version (SMB2 or SMB3).

Protocol Transition and Reconfiguration

  • Transition from SMB1 to SMB2 or SMB3: To close security gaps associated with SMB1 and enhance overall network security, transition all devices from SMB1 to a more modern and secure SMB version (SMB2 or SMB3). This transition can also improve network performance.
  • Configuration Changes: Adjust Domain Controller settings to disable SMB1 access. This can be done via PowerShell or Group Policy.
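Disabling SMB1 via PowerShell is a one-line Set-SmbServerConfiguration call, but doing it blindly on a domain controller can cut off a legacy client that the audit log would have revealed. The function below is an added example written for this article, not code from the original; it ties the two steps together by disabling the SMB1 server on a DC only when auditing is on and the SMBServer/Audit log shows no SMB1 client in the last N days. It assumes event ID 3000 is the SMB1 access record in Microsoft-Windows-SMBServer/Audit (the event that the export script above parses), and the function name Disable-Smb1OnQuietDomainControllers and the -QuietDays parameter are names chosen for the example. SupportsShouldProcess gives it a -WhatIf dry run.

```powershell
# Added example (not from the original article): disable the SMB1 server on each
# domain controller only when auditing is enabled and no SMB1 client was logged
# in the last $QuietDays days. Assumptions: event ID 3000 in
# Microsoft-Windows-SMBServer/Audit is the SMB1 access record; the function and
# parameter names are chosen for this example.
Import-Module ActiveDirectory

function Disable-Smb1OnQuietDomainControllers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Number of days without SMB1 audit hits required before disabling
        [int]$QuietDays = 10
    )

    $cutOff = (Get-Date).AddDays(-$QuietDays)

    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName
        $result = [pscustomobject]@{
            DomainController = $name
            AuditEnabled     = $null
            Smb1Enabled      = $null
            RecentSmb1Hits   = $null
            Action           = 'None'
        }

        try {
            # Count SMB1 access records newer than the cut-off. Get-WinEvent errors
            # when nothing matches, so suppress that and let the count be zero.
            $hits = @(Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
                    LogName   = 'Microsoft-Windows-SMBServer/Audit'
                    Id        = 3000
                    StartTime = $cutOff
                }).Count

            $config = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
            }
            $result.AuditEnabled   = $config.AuditSmb1Access
            $result.Smb1Enabled    = $config.EnableSMB1Protocol
            $result.RecentSmb1Hits = $hits

            if (-not $config.AuditSmb1Access) {
                # Without auditing, an empty log proves nothing; do not touch this DC
                $result.Action = 'Skipped: AuditSmb1Access is off, enable it first'
            } elseif ($hits -gt 0) {
                $result.Action = "Skipped: $hits SMB1 client record(s) in the last $QuietDays days"
            } elseif (-not $config.EnableSMB1Protocol) {
                $result.Action = 'Already disabled'
            } elseif ($PSCmdlet.ShouldProcess($name, 'Disable SMB1 server protocol')) {
                Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
                }
                $result.Action = 'Disabled SMB1 server protocol'
            } else {
                # ShouldProcess returned false, i.e. the caller passed -WhatIf
                $result.Action = 'Would disable SMB1 server protocol (dry run)'
            }
        } catch {
            $result.Action = "Error: $($_.Exception.Message)"
        }

        $result
    }
}

# Dry run first; review the table, then run again without -WhatIf to apply
Disable-Smb1OnQuietDomainControllers -QuietDays 10 -WhatIf | Format-Table -AutoSize
```

Set-SmbServerConfiguration turns the SMB1 server off but leaves the SMB1 feature installed; once every DC reports "Already disabled" for a while, the feature itself can be removed (Uninstall-WindowsFeature FS-SMB1 on Windows Server, which requires a restart) or enforced through Group Policy as the bullet above mentions.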

Updating Network Security Policies

  • Firewall Rules: SMB1 should only be used on trusted networks, with firewall rules restricting SMB1 access. Under no circumstances should SMB1 be reachable from the outside world.
  • Monitoring and Auditing: Continuously monitor and audit SMB1 access on all network devices to detect security breaches early. Regularly review audit logs and address any issues promptly.

User Awareness and Training

  • Limit SMB1 Usage: Educate users about the security risks associated with SMB1 and discourage its use. Provide guidance and training to migrate users to more secure alternatives like SMB2 or SMB3.
  • Documentation: Maintain detailed documentation on changes made and security measures taken. This will serve as a reference in case of similar situations in the future and can be used as a resource for network management.

Periodic Checks and Maintenance

  • Regular Checks: SMB1 usage and security audits should be performed regularly. Periodically check SMB1 logs and network security settings to enhance overall network security and quickly identify potential issues.
  • Security Updates and Patching: Regularly update devices with security patches to protect against new vulnerabilities. This is particularly critical for older hardware.

These steps summarize the fundamental processes needed to enhance your network’s security and resilience against potential threats.

Have a nice day!