<##############################################################################
Ashley McGlone
Microsoft Premier Field Engineer
April 2017
http://aka.ms/GoateePFE
This script is part of a demo of Kerberos Double Hop mitigations in
PowerShell. Presented at the PowerShell and DevOps Global Summit 2017.
http://aka.ms/pskdh
LEGAL DISCLAIMER
This Sample Code is provided for the purpose of illustration only and is not
intended to be used in a production environment. THIS SAMPLE CODE AND ANY
RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant You a
nonexclusive, royalty-free right to use and modify the Sample Code and to
reproduce and distribute the object code form of the Sample Code, provided
that You agree: (i) to not use Our name, logo, or trademarks to market Your
software product in which the Sample Code is embedded; (ii) to include a valid
copyright notice on Your software product in which the Sample Code is embedded;
and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and
against any claims or lawsuits, including attorneys’ fees, that arise or result
from the use or distribution of the Sample Code.
##############################################################################>
# 'break' as the very first statement stops the script if someone runs it
# end-to-end; presumably the demo is meant to be executed one selection at a
# time from an editor.
break

# ---- Cross-domain case: ServerB hosts live in proseware.com, the resource
# ---- hosts (ServerC) live in alpineskihouse.com.

# First hop: reading the share directly from this session works.
Get-ChildItem \\ms1.alpineskihouse.com\Source

# Second hop: the same read issued from sb fails, since sb has nothing it is
# allowed to present to ms1 on the caller's behalf.
Invoke-Command -ComputerName sb -ScriptBlock {
    Get-ChildItem \\ms1.alpineskihouse.com\Source
}

# Resource-based Kerberos constrained delegation (RB KCD): let sb delegate to
# ms1. Enable-RBKCD, Get-RBKCD and Disable-RBKCD are not defined in this file
# (assumed to come from a companion script or module loaded earlier).
$rbkcdSingle = @{
    ServerB     = 'sb.proseware.com'
    ServerC     = 'ms1.alpineskihouse.com'
    DomainBCred = $DomainBCred
    DomainCCred = $DomainCCred
    Verbose     = $true
}
Enable-RBKCD @rbkcdSingle

# Check what ms1 now trusts to act on behalf of callers.
Get-RBKCD -ServerC ms1.alpineskihouse.com -DomainCCred $DomainCCred

# Second hop again: sb succeeds now ...
Invoke-Command -ComputerName sb -ScriptBlock {
    Get-ChildItem \\ms1.alpineskihouse.com\Source
}
# ... while sc, which was granted nothing, still fails.
Invoke-Command -ComputerName sc -ScriptBlock {
    Get-ChildItem \\ms1.alpineskihouse.com\Source
}

# ---- Several ServerB hosts in one call.
$rbkcdMultiB = @{
    ServerB     = 'sa.proseware.com','sb.proseware.com','sc.proseware.com'
    ServerC     = 'ms1.alpineskihouse.com'
    DomainBCred = $DomainBCred
    DomainCCred = $DomainCCred
    Verbose     = $true
}
Enable-RBKCD @rbkcdMultiB
Get-RBKCD -ServerC ms1.alpineskihouse.com -DomainCCred $DomainCCred

# Second hop from each of the three hosts, one session at a time.
foreach ($serverB in 'sa','sb','sc') {
    Invoke-Command -ComputerName $serverB -ScriptBlock {
        Get-ChildItem \\ms1.alpineskihouse.com\Source
    }
}

# Remove the delegation on ms1 again (the next step re-creates it).
Disable-RBKCD -ServerC ms1.alpineskihouse.com -DomainCCred $DomainCCred

# ---- Several ServerB hosts and several ServerC hosts.
$rbkcdMultiBC = @{
    ServerB     = 'sa.proseware.com','sb.proseware.com','sc.proseware.com'
    ServerC     = 'ms1.alpineskihouse.com','dc1.alpineskihouse.com'
    DomainBCred = $DomainBCred
    DomainCCred = $DomainCCred
    Verbose     = $true
}
Enable-RBKCD @rbkcdMultiBC

# Validate each ServerC. Across the trust the allowed principals come back as
# SIDs rather than resolved names.
Get-RBKCD -ServerC ms1.alpineskihouse.com -DomainCCred $DomainCCred
Get-RBKCD -ServerC dc1.alpineskihouse.com -DomainCCred $DomainCCred

Invoke-Command -ComputerName sa,sb,sc -ScriptBlock {
    Get-ChildItem \\ms1.alpineskihouse.com\source\*.msi -File
}
Invoke-Command -ComputerName sa,sb,sc -ScriptBlock {
    Get-ChildItem \\dc1.alpineskihouse.com\sysvol
}

# ---- Audit: every computer object in each domain whose
# msDS-AllowedToActOnBehalfOfOtherIdentity attribute is populated. This query
# is useful outside the demo as well: any entry you did not put there means
# some principal may impersonate users to that host and should be reviewed.
$rbkcdFilter = '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'
Get-ADComputer -LDAPFilter $rbkcdFilter -Properties PrincipalsAllowedToDelegateToAccount -Server dc1.alpineskihouse.com |
    Format-List Name,PrincipalsAllowedToDelegateToAccount
Get-ADComputer -LDAPFilter $rbkcdFilter -Properties PrincipalsAllowedToDelegateToAccount -Server dc.proseware.com |
    Format-List Name,PrincipalsAllowedToDelegateToAccount

# ---- Clean-up. Note this is NOT scoped to the demo hosts: it clears RB KCD on
# every computer object the filter returns in each domain, so in anything but a
# lab, narrow the query to the hosts you configured before running it.
Get-ADComputer -LDAPFilter $rbkcdFilter -Server dc1.alpineskihouse.com |
    ForEach-Object {
        Set-ADComputer -Identity $_ -PrincipalsAllowedToDelegateToAccount $null -Server dc1.alpineskihouse.com -Credential $DomainCCred
    }
Get-ADComputer -LDAPFilter $rbkcdFilter -Server dc.proseware.com |
    ForEach-Object {
        Set-ADComputer -Identity $_ -PrincipalsAllowedToDelegateToAccount $null -Server dc.proseware.com -Credential $DomainBCred
    }