TrimarcJake/BlueTuxedo

Create Repair- function for Dangling SPNs

Closed this issue · 19 comments

Dangling SPNs should be removed from the principals they are attached to. BlueTuxedo should provide code for removing SPNs.

To remove SPNs from accounts: setspn -d [SPN] [IdentityReference]

Example: setspn -d http/deadhost.horse.local FOAL\user

Perfect! That should be easy enough to script out for my list. Thanks a bunch!

Yeah, buddy! (Almost) none of this stuff is rocket science. It's just hard to find, ya know?

I ended up using ChatGPT to take the results that BlueTux spit out to reformat it into a CSV that I could easily read in with PowerShell. hah
Just needed "host/name,name" in the CSV, then I used this:

# CSV header must be "spn,name" so the rows expose $row.spn and $row.name,
# e.g. http/deadhost.horse.local,FOAL\user
$data = Import-Csv -Path "C:\path\to\spn.csv"

foreach ($row in $data) {
    $spn = $row.spn
    $name = $row.name

    # -D deletes the SPN from the named account (same as setspn -d above)
    setspn -D $spn $name
}
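For anyone scripting the cleanup the same way, here is an added example that is not BlueTuxedo's code and not the poster's script: it reads the same assumed "spn,name" CSV layout, but before deleting it checks that the SPN's host really no longer resolves in DNS and that the SPN is actually present on the named principal, and it honours -WhatIf/-Confirm. It uses the ActiveDirectory and DnsClient RSAT modules instead of setspn; the function name and the CSV path are assumptions.

```powershell
# Added example (not BlueTuxedo code): bulk-remove dangling SPNs listed in a CSV.
# Assumptions: CSV header is "spn,name" and rows look like
#   http/deadhost.horse.local,FOAL\user
# Requires the ActiveDirectory and DnsClient modules (RSAT).
#Requires -Modules ActiveDirectory, DnsClient

function Remove-DanglingSpn {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string]$CsvPath
    )

    foreach ($row in Import-Csv -Path $CsvPath) {
        $spn  = $row.spn.Trim()
        $name = $row.name.Trim()

        # SPN format is service/host[:port][/servicename]; keep only the host part.
        $hostPart = ($spn -split '/')[1]
        if (-not $hostPart) {
            Write-Warning "Skipping malformed SPN '$spn'"
            continue
        }
        $hostName = ($hostPart -split ':')[0]

        # Guard: a host that still resolves is not dangling, so leave its SPN alone.
        $resolves = $null -ne (Resolve-DnsName -Name $hostName -DnsOnly -ErrorAction SilentlyContinue)
        if ($resolves) {
            Write-Warning "'$hostName' still resolves in DNS; not removing $spn from $name"
            continue
        }

        # "DOMAIN\sam" -> sam. Users and computers (sam ends in $) are both found by sAMAccountName.
        $sam = ($name -split '\\')[-1]
        $principal = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties servicePrincipalName
        if (-not $principal) {
            Write-Warning "Principal '$name' not found; skipping $spn"
            continue
        }
        if ($principal.servicePrincipalName -notcontains $spn) {
            Write-Verbose "$spn is not (or no longer) set on $name; nothing to do"
            continue
        }

        # Equivalent of: setspn -D $spn $name
        if ($PSCmdlet.ShouldProcess($name, "Remove SPN $spn")) {
            Set-ADObject -Identity $principal -Remove @{ servicePrincipalName = $spn }
            Write-Output "Removed $spn from $name"
        }
    }
}

# Dry run first, then the real thing (path is an assumption):
# Remove-DanglingSpn -CsvPath 'C:\path\to\spn.csv' -WhatIf
# Remove-DanglingSpn -CsvPath 'C:\path\to\spn.csv' -Confirm:$false
```

The DNS check is the safety net: if a list was assembled by hand (or by a chatbot) and a live host slipped in, deleting its SPN would break Kerberos authentication to that service, so the script refuses to touch anything that still resolves.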

Easy peasy! BTW: I plan to get this added on Saturday or Sunday.

Awesome. I am pretty sure gpt didn't include all of them in the reformatted output it gave me, but I haven't run the check again. I may wait until you release the updated code so I can test it out. I am actually doing a short presentation on Blue Tuxedo for our team next Friday.

This may sound weird, but would it be possible for me to join that presentation?

Doesn't sound weird at all. That would be cool, but we don't typically stream / record them since they are pretty low key. It is going to be during one of our professional development meetings, and will most likely be a 2-3 minute very high level overview. I can hit you up afterward to give you my talking points, and how it went.

Love it.

So, good news and bad news...

Bad news: it looks like my branch protection rules were not set up properly and I stupidly committed to main

Good news: the following commits add the Repair-BTDanglingSPN function!
53401bf
d314805
d9bed14

If I understand correctly, @nitsewg, you've already resolved your danglin', but if not, please test this out and let me know if it works!

It doesn't look like it gives you the commands when you run Invoke-BlueTuxedo, but when I ran Repair-BTDanglingSPN by itself, it spit out the code blocks. I still had a few that I guess didn't make it into my list last time. I cleaned up the output and ran the code blocks. Looks like we should be good to go now.

Guess who just earned the job of User Acceptance Tester... :D jk, thank you for the report!

BTW: All Repair- functions include a -Run switch that will run the fix on your behalf. I will make sure that is included in the documentation (when I get a chance to update it).

😂 - good to know on the -Run... I remembered something about that from your presentation, but I didn't remember the flag to use. Easy enough. Thanks again for being responsive on this. Now I just need to work on the dynamic update service account. I think just about everything else BT audits is looking pretty good.

Ooh, can you try to set a gMSA as the dynamic update service account? I am curious if that's possible and haven't had time to lab it up.

I'll look into it a bit. I, eh... do all of my testing in production, so I have to be a bit careful not to break things. hah

"Everyone has a test environment. Some people are lucky enough to have a production environment."

I read up a bit on gMSA... but I am not sure what permissions would be needed. The only documentation I have found for using dynamic update credentials shows using domain admin... lol

I should probably do a bit more research before going whole hog on this one. Do you happen to have any links that would give a shove in the right direction on that?

This is the one I found, that shows using domain admin:

https://learn.microsoft.com/en-us/answers/questions/355711/dhcp-reccord-dns-service-account

The DNS Update account for DHCP should be a standard user account. Never tried to use a gMSA for this. Unsure if it's supported.

Some links I have on this topic:

Configure DNS dynamic update credential:
https://readwise.io/reader/shared/01he1aeq13ht4238hbvavhrcn3

DHCP Server in DCs and DNS Registrations: https://learn.microsoft.com/en-us/archive/blogs/stdqry/dhcp-server-in-dcs-and-dns-registrations

DHCP, Dynamic DNS, and DCs: How about Some PowerShell to Spice Up a Mind-Numbing Topic?: https://readwise.io/reader/shared/01hdkxzh458desy94dngqxw7xn

Edit: missed one:

Using DNS servers with DHCP: https://readwise.io/reader/shared/01he1af4ykcpmabjjnfaxzegpt
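As an added example (not BlueTuxedo's code, and not from any of the links above) of the "standard user account" approach recommended in this thread: the script below creates (or rotates the password of) a plain domain user, warns if that account carries any group membership beyond Domain Users, hands it to the DHCP server as the DNS dynamic update credential with Set-DhcpServerDnsCredential, and reads the setting back. The thread leaves gMSA support open, so this example does not attempt one. The account name, OU path and domain are assumptions.

```powershell
# Added example (not BlueTuxedo code): configure a least-privilege standard user as the
# DHCP server's DNS dynamic update credential and verify it.
# Assumptions: account name 'svc-dhcp-dnsupdate', OU path and domain are placeholders.
#Requires -Modules ActiveDirectory, DhcpServer

function Set-DhcpDnsUpdateAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SamAccountName = 'svc-dhcp-dnsupdate',                      # assumed name
        [string]$Path           = 'OU=Service Accounts,DC=horse,DC=local',   # assumed OU
        [string]$DhcpServer     = $env:COMPUTERNAME
    )

    # Long random password; it is only handed to the DHCP server and never written down.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    $domain = (Get-ADDomain).NetBIOSName

    if (-not (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'")) {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Create standard user')) {
            New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
                -Path $Path -AccountPassword $password -Enabled $true `
                -PasswordNeverExpires $true -CannotChangePassword $true `
                -Description 'DHCP DNS dynamic update credential (Domain Users only)'
        }
    }
    else {
        # Account already exists: rotate the password so DHCP is given the current secret.
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password')) {
            Set-ADAccountPassword -Identity $SamAccountName -NewPassword $password -Reset
        }
    }

    # The account needs no rights beyond Domain Users. Flag anything else (e.g. Domain Admins,
    # which is what the answers.microsoft.com thread linked above shows being used).
    $extraGroups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Where-Object { $_.Name -ne 'Domain Users' } |
        Select-Object -ExpandProperty Name
    if ($extraGroups) {
        Write-Warning "$SamAccountName is a member of: $($extraGroups -join ', '). Remove these before using it for DNS updates."
    }

    $cred = New-Object System.Management.Automation.PSCredential ("$domain\$SamAccountName", $password)

    if ($PSCmdlet.ShouldProcess($DhcpServer, "Set DNS dynamic update credential to $domain\$SamAccountName")) {
        Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred
    }

    # Read back what the DHCP server now holds (UserName/DomainName only; the password is not returned).
    Get-DhcpServerDnsCredential -ComputerName $DhcpServer
}

# Preview, then apply (server name is an assumption):
# Set-DhcpDnsUpdateAccount -DhcpServer 'dhcp01' -WhatIf
# Set-DhcpDnsUpdateAccount -DhcpServer 'dhcp01'
```

The group-membership warning is the point of the exercise: the credential is used by the DHCP service to register and update client A/PTR records, so it only ever needs to be a regular domain user that DNS will let own those records, and anything more is standing privilege sitting on every DHCP server.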

@TrimarcJake - The short presentation went well. I discussed the dangers of wildcard records, wpad, dangling SPNs, tombstone records, legacy zones, etc... and then showed screenshots with alerts and remediations using BT. I think most of it was over their heads, but the main point that we are safer now than before came through clearly. I tried to stick with a 10,000 ft view of it. hah