    Posts

    • RE: Create Internal CA for Windows LDAPs and Linux apps

      @JaredBusch said in Create Internal CA for Windows LDAPs and Linux apps:

      @pmoncho said in Create Internal CA for Windows LDAPs and Linux apps:

      When I export the key, do I want to export the private key as well?

      That depends. If you are only ever going to have devices using the key to auth against the DC that you created it on, then no.

      But if you need to install the cert on a device and then have another device auth to that first device, then that first device needs the private key.

      Thank you for the explanation.

      posted in IT Discussion
      pmoncho
    • RE: Create Internal CA for Windows LDAPs and Linux apps

      Created another self-signed cert for my lab using the following (added the 2nd DC to the same cert):

      New-SelfsignedCertificate -dnsname dc01.domain.local, dc02.domain.local -HashAlgorithm SHA256 -KeyUsage KeyEncipherment,DataEncipherment -KeyUsageProperty ALL -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -NotAfter (get-date).AddYears(10)
      

      Copied the key into the trusted root store and exported the public key. Imported the .DER key into the Sonicwall and all seems well to dc01.

      I figure I have to get the key into dc02's trusted root store also. When I export the key, do I want to export the private key as well?

      posted in IT Discussion
      pmoncho
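      The export and check described in this post and in the reply above it, as an added example (not the thread's own commands). It assumes the cert made with the New-SelfSignedCertificate line is in Cert:\LocalMachine\My on dc01, and that $DcName and the C:\Temp paths are placeholders for your own values.

```powershell
# Added example, not from the thread. Assumes the self-signed cert from the
# New-SelfSignedCertificate command is in Cert:\LocalMachine\My on dc01;
# $DcName and the C:\Temp paths are placeholders.
$DcName = 'dc01.domain.local'

# 1. Pick the newest cert that carries the DC name, still has its private key, and
#    has the Server Authentication EKU (1.3.6.1.5.5.7.3.1) that LDAPS needs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.DnsNameList.Unicode -contains $DcName -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable LDAPS certificate for $DcName in LocalMachine\My" }

# 2. Public part only (DER). This is what goes into the Trusted Root store of the
#    clients, of dc02 and of the SonicWall; none of them need the private key.
Export-Certificate -Cert $cert -FilePath "C:\Temp\$DcName.cer" -Type CERT -Force | Out-Null

# 3. Only if dc02 must itself *serve* LDAPS with this same cert (its name is in the SAN)
#    does the private key have to leave dc01: a password-protected PFX, imported into
#    dc02's LocalMachine\My (not Root) with Import-PfxCertificate.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "C:\Temp\$DcName.pfx" -Password $pfxPassword | Out-Null

# 4. Check what the DC actually presents on 636 against the thumbprint just exported;
#    a mismatch means the DC picked a different cert or has not reloaded yet.
function Test-LdapsCertificate {
    param([string]$ComputerName, [string]$ExpectedThumbprint, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # The callback returns $true only so we can *inspect* whatever cert is served,
        # even one this box does not trust yet; the real check is the comparison below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($ComputerName)
        $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [PSCustomObject]@{
            Server   = $ComputerName
            Served   = $served.Thumbprint
            Expected = $ExpectedThumbprint
            Match    = ($served.Thumbprint -eq $ExpectedThumbprint)
            NotAfter = $served.NotAfter
        }
        $ssl.Dispose()
    } finally { $tcp.Close() }
}
Test-LdapsCertificate -ComputerName $DcName -ExpectedThumbprint $cert.Thumbprint
```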
    • RE: Create Internal CA for Windows LDAPs and Linux apps

      @Dashrender said in Create Internal CA for Windows LDAPs and Linux apps:

      @JaredBusch said in Create Internal CA for Windows LDAPs and Linux apps:

      Self signed long term cert on your DC. Just do it. once you import the cert everywhere, you won't need to do it again and everything will trust it.

      You have to install that Self Signed on all endpoints, right? I know you can use GP to do this for Windows.

      I believe I only need to manually install it on endpoints that will use LDAP/LDAPS. Unless I am missing something, it will be the SSL-VPN and Linux servers, as they will use LDAPS. I believe all Windows servers/desktops in the domain will use Kerberos, correct?

      posted in IT Discussion
      pmoncho
    • RE: Create Internal CA for Windows LDAPs and Linux apps

      @JaredBusch said in Create Internal CA for Windows LDAPs and Linux apps:

      Self signed long term cert on your DC. Just do it. once you import the cert everywhere, you won't need to do it again and everything will trust it.

      That is what I keep thinking. In this situation, I believe it makes the most sense.

      I will set up and keep the root CA / subordinate CA stuff in my lab.

      posted in IT Discussion
      pmoncho
    • Create Internal CA for Windows LDAPs and Linux apps

      Trying to figure out the best plan of action to comply with Microsoft's LDAPS requirement in the near future.

      I have a .local domain with multiple RDS servers, an MS file server, a Sonicwall SSL-VPN appliance, a few internal Linux apps and, in the near future, Nextcloud and Bookstack servers. Other than the SSL-VPN, all servers will be accessed internally. Clients access the RDS server through the SSL-VPN.

      Choices to make based on the current setup and a ton of reading:

      A. Set up an internal CA
      From all the reading I have done, "best practices" state to have an offline root CA (non-domain joined, powered off) and use subordinate CAs to create certs for end devices. If both are on Windows Server, I have to blow two Windows licenses (ugh, don't really want to do that).

      B. Create a self-signed cert on a DC, import the self-signed cert into the Linux machines and SSL-VPN. Not the best solution. Tested an SS cert for the SSL-VPN in my lab and it worked fine. This has pitfalls, as I have to import multiple certs all over the place. Sucks but doable.

      C. Create an ad.domain.com UPN, then get a wildcard cert from a public CA and adjust DNS (I believe I need to create a new zone). I don't know the ramifications of using a UPN.

      D. Other options???

      posted in IT Discussion ldaps certificate authority linux
      pmoncho
    • RE: Securing SSH

      @hobbit666 said in Securing SSH:

      @DustinB3403 I've already got the password on the keys. I've just not disabled password logins in case I kill something and need to get access :). Planning on removing it once I've "SSH Key'd" the other servers.

      Don't forget, you can still log in as root or an admin user on the console. You are only securing SSH.

      If you want to test, log in to the console of the server (stay logged in), change your sshd_config, restart the sshd process, and test logging in with your keys and/or do any other testing you want. If all is well, log out of the console.

      posted in IT Discussion
      pmoncho
    • RE: Powershell - Find GPO's for specific Group

      @dbeato said in Powershell - Find GPO's for specific Group:

      @pmoncho said in Powershell - Find GPO's for specific Group:

      @dbeato said in Powershell - Find GPO's for specific Group:

      Aside from the script you are looking for, is there a reason why the delegation is that way or are you trying to limit access to those GPOs? Or cleaning them up?

      It's all of the above.

      I created multiple GPOs (limiting the scope of each GPO) that affect only certain groups on the same RDS server. This is due to the upcoming changes in our LOB application and moving to our new 2019 RDS servers. I wanted to make it as easy as possible for my internal users and external remote clients to have what they need while limiting access as much as possible (yes, I do believe I over-complicated things).

      The main reason for the script was cleanup. It was rough finding the groups I delegated to each specific GPO instead of fumbling through each one.

      I see, then also make it a habit to document changes 🙂 That will help (I know I am stating the obvious), but it comes back to bite you in the rear end a lot of times if not in place.

      You are NOT kidding. I had a decent doc going, but a little laziness and getting sidetracked by management, and here we are! Ugh! Lol

      posted in Developer Discussion
      pmoncho
    • RE: Random Thread - Anything Goes

      (having a petty little moment)
      <rant>
      In the Details tab of a GPO, MS calls it "Comment."

      In the GPO, Properties, the Comment tab is called "Comment" and the text box is called "Comment."

      Want to get the text from the Comment tab in a PS script? Use the parameter "Description".
      Why not the word "Comment???????" :angry_face:
      </rant>

      posted in Water Closet
      pmoncho
    • RE: Powershell - Find GPO's for specific Group

      @Obsolesce said in Powershell - Find GPO's for specific Group:

      Here's a quick function I created going by your goal:

      @pmoncho said in Powershell - Find GPO's for specific Group:

      Goal - Find all GPO's that have "SomeGroupName" in Delegation Tab.

      I can change it to a script you can run that takes parameters instead if that was how you planned on using it. But as it is below, it's meant to be used within a script or in ISE for example in the screenshots below.

      I am using the -eq, so the parameter you use for -GroupName needs to be exact. Otherwise, you can change it to -match for example.

      Note: I only tried this in PS v5.1

      The script works really well and is much faster than the generic thing I had.
      I added the following to the bottom to get input from the user:

      # Get input from the user
      $MyGroupName = Read-Host -Prompt "Please enter Group Name"

      # Example 3:
      $GPOs = Get-GPOGroupMatches -GroupName $MyGroupName
      $GPOs.GPOName

      posted in Developer Discussion
      pmoncho
    • RE: Powershell - Find GPO's for specific Group

      @dbeato said in Powershell - Find GPO's for specific Group:

      Aside from the script you are looking for, is there a reason why the delegation is that way or are you trying to limit access to those GPOs? Or cleaning them up?

      It's all of the above.

      I created multiple GPOs (limiting the scope of each GPO) that affect only certain groups on the same RDS server. This is due to the upcoming changes in our LOB application and moving to our new 2019 RDS servers. I wanted to make it as easy as possible for my internal users and external remote clients to have what they need while limiting access as much as possible (yes, I do believe I over-complicated things).

      The main reason for the script was cleanup. It was rough finding the groups I delegated to each specific GPO instead of fumbling through each one.

      posted in Developer Discussion
      pmoncho
    • RE: Powershell - Find GPO's for specific Group

      @Obsolesce said in Powershell - Find GPO's for specific Group:

      Here's a quick function I created going by your goal:

      @pmoncho said in Powershell - Find GPO's for specific Group:

      Goal - Find all GPO's that have "SomeGroupName" in Delegation Tab.

      I can change it to a script you can run that takes parameters instead if that was how you planned on using it. But as it is below, it's meant to be used within a script or in ISE for example in the screenshots below.

      I am using the -eq, so the parameter you use for -GroupName needs to be exact. Otherwise, you can change it to -match for example.

      Note: I only tried this in PS v5.1


      function Get-GPOGroupMatches {
          [cmdletbinding()]
          param(
              [Parameter(Mandatory)]
              [string]$GroupName
          )

          # Every GPO in the domain (needs the GroupPolicy module from RSAT).
          $gpos = Get-GPO -All

          $list = foreach ($gpo in $gpos) {
              # Trustee.Name is the list of everyone on the GPO's Delegation tab.
              # -eq against a list returns only the matching entries, so the test is
              # true only when $GroupName appears exactly (use -match for partial hits).
              if ((Get-GPPermission -Name $gpo.DisplayName -All).Trustee.Name -eq $GroupName) {
                  [PSCustomObject]@{
                      GPOName = $gpo.DisplayName
                  }
              }
          }

          Write-Output -InputObject $list
      }

      # Example use(s):

      # Example 1:
      Get-GPOGroupMatches -GroupName "TestGroup1"

      # Example 2:
      $GPOs = Get-GPOGroupMatches -GroupName "TestGroup1"
      $GPOs.GPOName


      Thank you very much @Obsolesce.

      I will test it out in the ISE. Eventually a script is my goal, but not required. I greatly appreciate your help.

      I currently stink at scripting so I will be learning from this also.

      posted in Developer Discussion
      pmoncho
    • RE: Powershell - Find GPO's for specific Group

      @JasGot said in Powershell - Find GPO's for specific Group:

      @pmoncho said in Powershell - Find GPO's for specific Group:

      I thought it was going to be a one and done but believe I can use it more in the future so it will become an ongoing tool.

      OK. Cool. I did a quick search and found many examples that search the entire GPO for search strings. This would be fine for a quick-and-dirty one-off script, but maybe not for something that goes in your tool bag.

      Maybe these will help you get closer to your goal.
      https://www.itdroplets.com/searching-gpo-specific-setting-powershell/
      https://gallery.technet.microsoft.com/scriptcenter/Search-all-GPOs-in-a-b155491c

      and one of my favorite Go-To sites for GPO ideas:
      https://deployhappiness.com/searching-gpos-for-that-specific-setting/

      I hope you find something helpful here.

      Thanks.

      I will check those out. I was really hoping there would be a parameter for the Get-GPO cmdlet or the ability to filter, but after many searches, it looks as though there will be a bunch of looping. 🙂

      posted in Developer Discussion
      pmoncho
    • RE: Securing SSH

      @black3dynamite said in Securing SSH:

      @DustinB3403 said in Securing SSH:

      @black3dynamite said in Securing SSH:

      @DustinB3403 said in Securing SSH:

      @pmoncho said in Securing SSH:

      @black3dynamite said in Securing SSH:

      On my Fedora laptop and desktop this is what I do.

      # Generating a new ED25519 key with a password
      ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
      

      Maybe a stupid question, but should we use passwords?

      You can, but you'd have to enter that password every time you connect using your SSH key.

      Unless you use ssh-agent.

      How is ssh-agent storing your keypair password? It would have to be plain text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain text...

      It's not stored in plain text.

      https://www.emtec.com/ssh/agent.html

      Well damn. This is interesting to know. If that is the case, it just may be beneficial to use a passphrase if only done once per 8 hours. I can handle that.

      posted in IT Discussion
      pmoncho
    • RE: Powershell - Find GPO's for specific Group

      @JasGot said in Powershell - Find GPO's for specific Group:

      Is this going to be an ongoing tool, or a one and done cmdlet?

      I thought it was going to be a one and done but believe I can use it more in the future so it will become an ongoing tool.

      I've been "playing around" with RBAC for AD and make sure to use groups for my GPO filtering. Top that off with using single-function GPOs for specific groups, and it can be a little rough trying to find what groups apply to some GPOs.

      In the end, I'm thinking it would be nice to take a user, find the groups (possibly nested groups too) they belong to, and automatically find all GPOs that affect this user on all systems.

      I think this may be good for organizations of all sizes too. I get that large orgs probably already have tools for this stuff.

      posted in Developer Discussion
      pmoncho
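      The "user in, GPOs out" tool sketched in this post, built on the same Get-GPPermission approach as the Get-GPOGroupMatches function posted earlier in the thread, as an added example that is neither Obsolesce's nor pmoncho's code. It assumes the GroupPolicy and ActiveDirectory RSAT modules are loaded and that 'jdoe' is a placeholder account name.

```powershell
# Added example, not from the thread. Requires the GroupPolicy and ActiveDirectory
# modules (RSAT). 'jdoe' below is a placeholder account name.
function Get-GPOsForUser {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup

    # Nested membership is resolved server-side with LDAP_MATCHING_RULE_IN_CHAIN.
    # The primary group (usually Domain Users) is not stored in 'member', so it is
    # looked up separately; Authenticated Users is the default Apply trustee on every
    # new GPO, so it is included as well.
    $dn = $user.DistinguishedName
    $nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
    $primary = Get-ADGroup -Identity $user.PrimaryGroup
    $trustees = @($user.SamAccountName, 'Authenticated Users', $primary.SamAccountName) +
                @($nested | ForEach-Object SamAccountName)

    foreach ($gpo in Get-GPO -All) {
        # Query by GUID rather than DisplayName: display names need not be unique.
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            # Exact match, like the -eq in the thread; use -match/-like for partial names.
            if ($trustees -contains $perm.Trustee.Name) {
                [PSCustomObject]@{
                    GPOName    = $gpo.DisplayName
                    GpoStatus  = $gpo.GpoStatus
                    Trustee    = $perm.Trustee.Name
                    Permission = $perm.Permission   # GpoApply is what "affects the user"
                    Denied     = $perm.Denied       # a Deny Apply entry blocks the whole GPO
                }
            }
        }
    }
}

# Which GPOs can apply to jdoe, and through which group. Delegation only says who
# *may* receive a GPO; links (OU/site/domain) and WMI filters still decide whether
# it actually reaches a given machine or user.
Get-GPOsForUser -SamAccountName 'jdoe' |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Sort-Object GPOName, Denied | Format-Table -AutoSize
```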
    • RE: Securing SSH

      @black3dynamite said in Securing SSH:

      On my Fedora laptop and desktop this is what I do.

      # Generating a new ED25519 key with a password
      ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
      

      Maybe a stupid question, but should we use passwords?

      posted in IT Discussion
      pmoncho
    • RE: Securing SSH

      @JaredBusch said in Securing SSH:

      @pmoncho said in Securing SSH:

      @JaredBusch said in Securing SSH:

      @IRJ said in Securing SSH:

      You would store your key in an encrypted drive like Druva or OneDrive

      Umm WUT.

      You don't store your key anywhere. Because that makes it useless.

      Are you reusing the same key on different user devices?

      Little lost here.

      If I use putty on windows to create my key pair and I put my public key on my linux machine (authorized_keys file).

      So what do you do with the private key from the key pair?

      Nothing. It is only ever on your one machine.

      Ok. Got it.

      Now if I have my work machine and home laptop (used for remote work), should I create multiple keys, one for each machine or just copy and use the same private key?

      Also WTF with putty? SSH is native to even Windows now.

      It is what I initially used so it was the first thing that popped in my head.

      posted in IT Discussion
      pmoncho
    • RE: Securing SSH

      @JaredBusch said in Securing SSH:

      @IRJ said in Securing SSH:

      You would store your key in an encrypted drive like Druva or OneDrive

      Umm WUT.

      You don't store your key anywhere. Because that makes it useless.

      Are you reusing the same key on different user devices?

      Little lost here.

      If I use putty on windows to create my key pair and I put my public key on my linux machine (authorized_keys file).

      So what do you do with the private key from the key pair?

      posted in IT Discussion
      pmoncho
    • RE: Securing SSH

      @scottalanmiller said in Securing SSH:

      @pmoncho said in Securing SSH:

      @IRJ said in Securing SSH:

      @Dashrender said in Securing SSH:

      Is it normal to use the same key over many servers at a user level? or a different key for each server for each person?

      Yes. You would use the same key per user (not server), but have some form of MFA.

      You would store your key in an encrypted drive like Druva or OneDrive

      Just to make sure I get this right.

      I create my pub/private keys, put my own private key in an encrypted drive, then copy my public key to serverA, serverB, serverC, etc., correct?

      (it's one of those foggy-brained days)

      Correct. We put our public keys into scripts to deploy and have them listed on a wiki, too. So that it is easy to add users to a system.

      Interesting. I am starting to add more Linux systems, so I will look into doing the same.

      posted in IT Discussion
      pmoncho
    • RE: Securing SSH

      @IRJ said in Securing SSH:

      @Dashrender said in Securing SSH:

      Is it normal to use the same key over many servers at a user level? or a different key for each server for each person?

      Yes. You would use the same key per user (not server), but have some form of MFA.

      You would store your key in an encrypted drive like Druva or OneDrive

      Just to make sure I get this right.

      I create my pub/private keys, put my own private key in an encrypted drive, then copy my public key to serverA, serverB, serverC, etc., correct?

      (it's one of those foggy-brained days)

      posted in IT Discussion
      pmoncho
    • RE: Securing SSH

      I have the same questions posted above, so I await the answers.

      Plus, how do others protect their own private key? In some folder on an encrypted drive/volume?

      posted in IT Discussion
      pmoncho