[BUG] Missing Domain Controller GPOs #62873

Closed
dstoliker opened this issue Oct 12, 2022 · 0 comments · Fixed by #62936
Labels: Bug, Confirmed, Execution-Module, lgpo, Sulfur v3006.0, Windows

Comments


dstoliker commented Oct 12, 2022

Description
Salt lgpo module cannot find two of the "Domain controller" security settings policies: "Domain controller: Allow vulnerable Netlogon secure channel connections", and "Domain controller: LDAP server channel binding token requirements".

Setup
Salt 3005.1 installed on Windows Server 2016
This was tested and set up on a VMware virtual machine (VMware Fusion).

Steps to Reproduce the behavior
Log into the Windows Server 2016 UI. It doesn't need to be promoted to a domain controller. Launch gpedit.msc. Navigate to Local Computer Policy, Windows Settings, Security Settings, Local Policies, Security Options. Note the Policy names starting with "Domain controller:". In the UI, note that five policies are listed:

  • Domain controller: Allow server operators to schedule tasks
  • Domain controller: Allow vulnerable Netlogon secure channel connections
  • Domain controller: LDAP server channel binding token requirements
  • Domain controller: LDAP server signing requirements
  • Domain controller: Refuse machine account password changes

Run salt-call --local lgpo.get machine return_full_policy_names=True. Note that only three of the policies listed above are returned.

...
        Domain controller: Allow server operators to schedule tasks:
            Not Defined
        Domain controller: LDAP server signing requirements:
            Not Defined
        Domain controller: Refuse machine account password changes:
            Not Defined
...

These policies are missing:

  • Domain controller: Allow vulnerable Netlogon secure channel connections
  • Domain controller: LDAP server channel binding token requirements

Expected behavior
Policies showing up in the UI should also show in the list returned by lgpo.get.

Screenshots
Domain controller security settings policies

Versions Report

Output of salt --versions-report:
Salt Version:
          Salt: 3005.1

Dependency Versions:
          cffi: 1.14.6
      cherrypy: 18.6.1
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: 4.0.7
     gitpython: Not Installed
        Jinja2: 3.1.0
       libgit2: Not Installed
      M2Crypto: Not Installed
          Mako: 1.1.4
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.10.1
        pygit2: Not Installed
        Python: 3.8.14 (tags/v3.8.14:f43e767, Sep 30 2022, 10:51:05) [MSC v.1929 64 bit (AMD64)]
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 19.0.0
         smmap: 4.0.0
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.2

System Versions:
          dist:
        locale: cp1252
       machine: AMD64
       release: 2016Server
        system: Windows
       version: 2016Server 10.0.14393 SP0 Multiprocessor Free

Additional context
@twangboy asked me to include the reference to the backing registry keys.
"Domain controller: Allow vulnerable Netlogon secure channel connections" is backed by

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters:VulnerableChannelAllowList

"Domain controller: LDAP server channel binding token requirements" is backed by

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters:LdapEnforceChannelBinding

The CIS document adds this note: This Group Policy path requires the installation of the March 2020 (or later) Windows security update. With that update, Microsoft added this setting to the built-in OS security template.
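Because Salt 3005.1 cannot report these two policies, an administrator auditing a domain controller still needs a way to read the state that gpedit.msc shows. The following PowerShell snippet is an added example, not code from the Salt project or from the issue author: it reads the two backing registry values named in the issue and reports "Not Defined" when a value is absent, which is what gpedit displays. The mapping of LdapEnforceChannelBinding DWORD values to the UI choices (0 = Never, 1 = When supported, 2 = Always) is Microsoft's documented meaning and is not taken from this page; the VulnerableChannelAllowList value is an SDDL string and is shown verbatim.

```powershell
# Added example (not part of the Salt project or this issue): audit the registry
# values that back the two "Domain controller" policies that lgpo.get omits.
# Registry paths come from the issue text; run in an elevated PowerShell session.
$policies = @(
    @{
        Name     = 'Domain controller: Allow vulnerable Netlogon secure channel connections'
        Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Value    = 'VulnerableChannelAllowList'
        # The value is an SDDL security descriptor listing allowed accounts.
        Describe = { param($v) "SDDL allow list: $v" }
    },
    @{
        Name     = 'Domain controller: LDAP server channel binding token requirements'
        Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Value    = 'LdapEnforceChannelBinding'
        # Assumed DWORD meaning (Microsoft documentation, not this page):
        # 0 = Never, 1 = When supported, 2 = Always.
        Describe = { param($v) @{0 = 'Never'; 1 = 'When supported'; 2 = 'Always'}[[int]$v] }
    }
)

function Get-DcPolicyState {
    param([hashtable]$Policy)
    # -ErrorAction SilentlyContinue yields $null when the key or value is missing,
    # which is exactly the "Not Defined" state gpedit.msc displays.
    $item = Get-ItemProperty -Path $Policy.Key -Name $Policy.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Policy = $Policy.Name; State = 'Not Defined'; Raw = $null }
    }
    $raw = $item.($Policy.Value)
    [pscustomobject]@{ Policy = $Policy.Name; State = (& $Policy.Describe $raw); Raw = $raw }
}

$policies | ForEach-Object { Get-DcPolicyState -Policy $_ } | Format-Table -AutoSize -Wrap
```

On a server without the March 2020 update the LdapEnforceChannelBinding row reports "Not Defined", matching the CIS note above; on a patched server the row shows whichever option was chosen in the UI, so the output can be compared against what lgpo.get returns once the fix lands.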

@dstoliker dstoliker added Bug broken, incorrect, or confusing behavior needs-triage labels Oct 12, 2022
@twangboy twangboy self-assigned this Oct 12, 2022
@twangboy twangboy added Confirmed Salt engineer has confirmed bug/feature - often including a MCVE Windows lgpo Execution-Module and removed needs-triage labels Oct 12, 2022
@twangboy twangboy added this to the Sulphur v3006.0 milestone Oct 12, 2022
@twangboy twangboy added the Sulfur v3006.0 release code name and version label Oct 12, 2022