Delegation of GPO management in external trusted domain

The delegation of GPO management in an externally trusted domain was impacted by the introduction of the UNC hardening documented here (three sources provided):

https://support.microsoft.com/en-us/topic/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10-2015-91b4bda2-945d-455b-ebbb-01d1ec191328

https://msrc-blog.microsoft.com/2015/02/10/ms15-011-ms15-014-hardening-group-policy/?WT.mc_id=ITOPSTALK-blog-abartolo

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/guidance-on-deployment-of-ms15-011-and-ms15-014/ba-p/257759

Please consider the following scenario:

  • An organization manages two domains in a two-way external trust relationship [domain A and domain B]

  • The org has no plans to convert the relationship to a forest trust

  • The org requires IT admins with privileged accounts in domain A to fully manage GPOs (create/delete/modify/link) in domain B

  • The admins in domain A use Windows 10 workstations (UNC hardening enabled by default for Netlogon and SYSVOL)

  • GPMC frequently returns "Network Access is Denied" when trying to manage GPOs in domain B, from domain A

In order to successfully implement this particular delegation scenario, it seems that the admin workstations in domain A need to run with a NetworkProvider policy of RequireMutualAuthentication=0. This would allow usage of NTLM to succeed when GPMC (on a Windows 10 workstation in domain A) connects to SYSVOL in domain B. The policy appears to be a weaker security posture for those workstations.

What is the best configuration of UNC hardening to use in this scenario such that all other UNC paths accessed by the admin workstations run with the default security parameters?

Are there any other suggestions for implementing the desired delegation scenario which do not weaken the security of an admin workstation?

Thanks,
DaveC
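As an added example (not part of the original question, and not Microsoft's own tooling), the following PowerShell keeps the default MS15-011 wildcard entries for NETLOGON and SYSVOL and adds a narrower exception only for the externally trusted domain, so that every other UNC path on the admin workstation still requires mutual authentication. It assumes `domain-b.example` as a placeholder for domain B's DNS name, writes to the `HardenedPaths` policy key named in the MS15-011 guidance, and assumes (as that guidance describes) that the most specific matching entry is the one applied. Integrity (SMB signing) is still required on the exception so the policy files cannot be altered in transit; only mutual authentication is relaxed, which is the minimum needed for the NTLM fallback the question describes.

```powershell
# Added example: scope the RequireMutualAuthentication=0 exception to one trusted domain.
# Assumptions: domain B's DNS name is 'domain-b.example' (placeholder) and the most
# specific HardenedPaths entry takes precedence over the '\\*\...' wildcard entries.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$DomainB = 'domain-b.example'   # placeholder: externally trusted domain's DNS name

# Default entries from the MS15-011 guidance: keep these on every workstation.
$DefaultEntries = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

# Narrow exception: only domain B's SYSVOL/NETLOGON may fall back to NTLM (no mutual
# authentication), while SMB signing is still enforced for those paths.
$DomainBEntries = @{
    "\\$DomainB\SYSVOL"   = 'RequireMutualAuthentication=0, RequireIntegrity=1'
    "\\$DomainB\NETLOGON" = 'RequireMutualAuthentication=0, RequireIntegrity=1'
}

function Set-HardenedUncPaths {
    # Writes each UNC path as a REG_SZ value under the HardenedPaths policy key.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][hashtable]$Entries,
        [string]$Key = $HardenedPathsKey
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($path in $Entries.Keys) {
        if ($PSCmdlet.ShouldProcess($path, "Set to '$($Entries[$path])'")) {
            New-ItemProperty -Path $Key -Name $path -Value $Entries[$path] `
                -PropertyType String -Force | Out-Null
        }
    }
}

function Get-HardenedUncPaths {
    # Returns every configured UNC path with its parsed options.
    param([string]$Key = $HardenedPathsKey)
    if (-not (Test-Path $Key)) { return }
    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) {
        $raw  = [string]$item.GetValue($name)
        $opts = @{}
        foreach ($pair in ($raw -split ',')) {
            $k, $v = ($pair.Trim() -split '=', 2)
            if ($k) { $opts[$k] = $v }
        }
        [pscustomobject]@{
            Path                        = $name
            RequireMutualAuthentication = $opts['RequireMutualAuthentication']
            RequireIntegrity            = $opts['RequireIntegrity']
            RequirePrivacy              = $opts['RequirePrivacy']
        }
    }
}

function Test-HardenedUncPaths {
    # Audit check: any entry that disables mutual authentication for a wildcard server
    # ('\\*\...') weakens every UNC path, not just domain B, and should be flagged.
    param([string]$Key = $HardenedPathsKey)
    Get-HardenedUncPaths -Key $Key |
        Where-Object { $_.RequireMutualAuthentication -eq '0' -and $_.Path -like '\\*\*' -and $_.Path.StartsWith('\\*\') } |
        ForEach-Object { Write-Warning "Overly broad exception: $($_.Path)" ; $_ }
}

# Usage (run elevated; -WhatIf shows the changes without writing them):
Set-HardenedUncPaths -Entries $DefaultEntries -WhatIf
Set-HardenedUncPaths -Entries $DomainBEntries -WhatIf
Get-HardenedUncPaths | Format-Table -AutoSize
Test-HardenedUncPaths | Out-Null
```

When the same settings are pushed through Group Policy, the equivalent entries go under Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths, with the domain-specific paths listed alongside the two wildcard defaults; the audit function above is useful afterwards to confirm that no wildcard entry was accidentally relaxed.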


Hello @DaveC-2278,

Thank you for posting here.

We are researching it, and if there is any update, we will reply to you here.

Thank you for your understanding and support.


Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered

Hello @DaveC-2278,

Thank you for your patience.

After my research, for an external trust, there are some conditions for Kerberos to be used.

Table 1 External vs. Forest Trusts (attached as image trust1.png; table contents not reproduced here)

Conditions for Kerberos to be used over an External Trust
https://docs.microsoft.com/en-us/archive/blogs/activedirectoryua/conditions-for-kerberos-to-be-used-over-an-external-trust

Technologies for Federating Multiple Forests
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/dd560679(v=ws.10)?redirectedfrom=MSDN


Q:Are there any other suggestions for implementing the desired delegation scenario which do not weaken the security of an admin workstation?
Suggestion: A forest trust enables a transitive trust between all of the domains in two forests. Microsoft recommends a forest trust be created between forests rather than an external trust. A forest trust ensures that Kerberos is used whenever possible. Kerberos provides better security and scalability over NTLM.


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


DaveC-2278 answered

@DaisyZhou-MSFT Thank you for the research and your reply. As best I can determine the external trust in this environment meets those requirements, but my tests over both SMB and LDAP always negotiate NTLM.

This is not critical and we are reviewing a conversion to forest trust. I'll point out that it's a bit odd/frustrating to try and implement a more secure privilege delegation model, but be hampered by a different security-related feature :)

-DaveC
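As an added example (not part of DaveC's post), this PowerShell shows two client-side ways to check which authentication protocol a workstation in domain A actually negotiated when it reached domain B's SYSVOL: whether a Kerberos service ticket for `cifs/<server>` is present in the ticket cache after the connection, and whether the workstation logged outgoing NTLM audit events. It assumes `dc01.domain-b.example` as a placeholder for a domain B domain controller, and the NTLM audit check assumes the policy "Network security: Restrict NTLM: Audit outgoing NTLM traffic to remote servers" is enabled, since without it the `Microsoft-Windows-NTLM/Operational` log stays empty.

```powershell
# Added example: verify Kerberos vs. NTLM for an SMB connection to a trusted domain's DC.
# Assumption: 'dc01.domain-b.example' is a placeholder for a domain B domain controller.
$DomainBDc = 'dc01.domain-b.example'

function Get-CifsKerberosTicket {
    # Returns the klist "Server:" lines for a cifs/<fqdn> ticket, if one was obtained.
    param([Parameter(Mandatory)][string]$ServerFqdn)
    $pattern = 'Server:\s*' + [regex]::Escape("cifs/$ServerFqdn")
    & klist.exe 2>$null | Where-Object { $_ -match $pattern }
}

function Test-SmbConnectionUsedKerberos {
    # Touches the SYSVOL share so the SMB client negotiates authentication, then checks
    # the ticket cache. No cifs/ ticket after a successful connection means the session
    # was authenticated with NTLM (the fallback the hardening policy is meant to block).
    param([Parameter(Mandatory)][string]$ServerFqdn)
    $null = Get-ChildItem -Path "\\$ServerFqdn\SYSVOL" -ErrorAction Stop
    $ticket = @(Get-CifsKerberosTicket -ServerFqdn $ServerFqdn)
    [pscustomobject]@{
        Server       = $ServerFqdn
        UsedKerberos = ($ticket.Count -gt 0)
        TicketLine   = ($ticket -join '; ')
    }
}

function Get-OutgoingNtlmAuditEvents {
    # Event 8001 in Microsoft-Windows-NTLM/Operational records outgoing NTLM authentication
    # that the "Restrict NTLM: Audit outgoing NTLM traffic" policy would have blocked.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage:
Test-SmbConnectionUsedKerberos -ServerFqdn $DomainBDc | Format-List
Get-OutgoingNtlmAuditEvents | Format-Table -AutoSize -Wrap
```

The ticket check is the quicker of the two, but the audit log is the one worth keeping enabled on admin workstations permanently: it records every NTLM fallback to any server, which is exactly the signal needed to confirm that a narrowed `HardenedPaths` exception is only ever exercised against domain B.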
