惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Register - Security
The Register - Security
云风的 BLOG
云风的 BLOG
U
Unit 42
F
Fortinet All Blogs
The GitHub Blog
The GitHub Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
D
Docker
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Secure Thoughts
Hacker News: Ask HN
Hacker News: Ask HN
Vercel News
Vercel News
S
Security @ Cisco Blogs
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
I
Intezer
MongoDB | Blog
MongoDB | Blog
AI
AI
MyScale Blog
MyScale Blog
Engineering at Meta
Engineering at Meta
Y
Y Combinator Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Proofpoint News Feed
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
W
WeLiveSecurity
博客园 - 叶小钗
S
SegmentFault 最新的问题
N
News | PayPal Newsroom
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
DataBreaches.Net
小众软件
小众软件
Microsoft Azure Blog
Microsoft Azure Blog
Spread Privacy
Spread Privacy
H
Help Net Security
美团技术团队
博客园 - 司徒正美
T
Threat Research - Cisco Blogs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
K
Kaspersky official blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Vulnerabilities – Threatpost
TaoSecurity Blog
TaoSecurity Blog
N
Netflix TechBlog - Medium
L
Lohrmann on Cybersecurity
J
Java Code Geeks
量子位
Martin Fowler
Martin Fowler
博客园_首页

Posts on Noah Bailey

How to turn anything into a router Deploy to Cloudfront from GitHub using OpenID Connect Backup Postgres databases with Kubernetes CronJobs The spelling error made 200 billion times a day Restarting Kubernetes pods using a CronJob You've just bought a new domain. Now what? Who Sawed My Motherboard??? Linux on the P8 Aliexpress Mini Laptop Recovering Mysql/Mariadb after a nasty crash Using EXIF data to pick my next lens Converting and developing RAW photos on Linux automatically Thank you, 2016 iPhone Don't Make It Work Self-hosted Surveillance with ZoneMinder Backups, Monitoring, and Security for small Mastodon servers Block web scanners with ipset & iptables Executing commands over SSH with GitHub Actions Debian Sid on encrypted ZFS Protect your dangerously insecure redis server Debian: the luxurious boring lifestyle Monitor radiation with a Raspberry Pi Simple Linux server alerts: Know your performance, errors, security, syslog, and security NUC crashes on debian 11 - How I fixed it Basic Linux server security with fail2ban, ossec, and firewall Windows 11 will create heaps of needless trash Domesticated Kubernetes Networking The Cursed Certificate Our mostly disposable and entirely stupid world Trying out OpenBSD (as a Linux geek) Making VoIP Calls with Antique Rotary Phones Monitoring WAN speed with speedtest-cli and ElasticSearch Monitoring WAN latency with InfluxDB The Zeroshell botnet returns Installing Gentoo on a vintage Thinkpad T60 Malware emails 2: Russian boogaloo TP-Link Device Weirdness ElasticSearch broke all my nice things (a story of cascading failure) A New Botnet is Targeting Network Infrastructure Malware on the Wire: Monitoring Network Traffic with Suricata and ClamAV Cloud Threat Protection with OSSEC and Suricata Malware Emails From Jerks Surviving the Apocalypse with an Offline Wikipedia Server Being Attacked by Bots Linux Router, Firewall and IDS Appliance You Probably Don't Need a VPN Fix an Oversharded Elasticsearch Cluster Automating KVM Virtualization Update all your linux servers as fast as possible Cleanup Systemd Journald Storage Stop Putting Your SSH Keys on Github! Clustering KVM with Ceph Storage Stealing Windows Sessions FreeRadius Active Directory Integration Retrieving WPA2 Keys on Windows Deploy MDT Litetouch on Linux with TFTPD and Syslinux Generating MSI transform files with Orca Generating Cisco IOS config files with Python Homebrew SAN Getting Cloudy
The Inflatable Dinghy
2018-09-19 · via Posts on Noah Bailey

Preface: Don’t do this on prod gear. This is a bad idea!

I’ve long been a fan of automated deployment.

During the fourth semester technical project at Fanshawe, I had a wonderful domain tree with OUs and global groups, group policies and delegated permissions. It was truly a nice domain. It just…. Felt a little lonely.

Enter PowerShell. Using a fairly simple script, I was able to cozy up the domains with the right users in the right places.

This table shows the imaginary organization we were presented with. By simply pasting this into a CSV file, we can easily bring it into the script:

$csvStructure = Import-Csv -Delimiter ',' -Path .\OrganizationalStructure.csv

This assumes the following about this domain:

  • There is an OU in the root of all your domains called ‘Accounts’
  • This script will be done as the Administrator in the domain that holds the InfrastructureMaster role.
  • We’re crazy enough to let a script written by a stranger on the Internet run on one of the most important servers in the organization

Okay. Let’s try it out..!


[System.Collections.ArrayList]$Departments = (($csvStructure | gm -MemberType NoteProperty).Name)

foreach ($Unit in $csvStructure) {

  Write-Verbose $Unit.BusinessName -Verbose

  $UnitDN = "ou=Accounts"
  Write-Output $UnitDN
  $UnitDNFullyQualifiedPath = $Unit.domain.split('.')
  $UnitDNFullyQualifiedPath | foreach { $UnitDN += ",dc=$_" }

Starting off, let’s establish the base DN of the business unit. In the case of HealthUnit this is "ou=HealthUnit,ou=Accounts,DC=sub,DC=domain,DC=ca"

Let’s create a container there, as well as a security group for all objects in that Unit:


  New-ADOrganizationalUnit `
    -name $Unit.BusinessName `
    -Path $UnitDN `
    -server $Unit.DomainControllerFQDN

  $UnitDN = "ou=$($Unit.businessName),$UnitDN"

  New-ADGroup -Name "$($Unit.BusinessName)" 
    -Path $businessUnitDN `
    -GroupCategory Security `
    -GroupScope DomainLocal ` 
    -Server $Unit.DomainControllerFQDN

Next, we iterate through each department and create sub containers for only occupied departments. We then create a User and Computer container within that Unit’s Department.

  Foreach ($Department in $Departments ) {

    if($Unit.$Department -eq 0) { Continue; }

    # Create business unit OU
    $DepartmentDN = "ou=$Department,$UnitDN"
    Write-Verbose "`t$DepartmentDN "
    New-ADOrganizationalUnit -name $Department ` 
      -Path $businessUnitDN `
      -Server $Unit.DomainControllerFQDN

    # Create a User container in that Unit's Department:
    Write-Verbose "`t`tou=UserAccounts,$DepartmentDN"
    New-ADOrganizationalUnit `
      -name "UserAccounts" `
      -path $DepartmentDN `
      -server $Unit.DomainControllerFQDN
    
    # Create a Workstation container in that Unit's Department:
    Write-Verbose "`t`tou=Workstations,$DepartmentDN"
    New-ADOrganizationalUnit `
      -name "Workstations" `
      -path $DepartmentDN `
      -server $Unit.DomainControllerFQDN 

Finally, let’s create an AD group for that Unit’s Department, and add it to the Unit’s security group:

    New-ADGroup `
      -name "$($Unit.BusinessName)-$Department" `
      -path "$DepartmentDN" `
      -GroupCategory Security -GroupScope DomainLocal `
      -server $Unit.DomainControllerFQDN
    
    Add-ADGroupMember `
      -Identity "cn=$($Unit.BusinessName),$UnitDN" `
      -Members "cn=$($Unit.BusinessName)-$Department,$DepartmentDN" `
      -Server $Unit.DomainControllerFQDN
  }
}

Nice! Now we have a fully laid out and standardized AD domain!

…We still have a problem though. We’ve built all the rooms and hallways, but we’re still horribly lonely in here!

For this part, I found a list of the top 10K first names and last names on the internet. These aren’t too hard to find and import, so I will leave that part to the reader. They exist in my script as the lists $Top10kFirstNames and $Top10kLastNames.

Let’s start by re-using some of the control code from the last script:

foreach ($Unit in $csvStructure) {
  $UnitDN = "ou=Accounts"
  $UnitDNFullyQualifiedPath = $Unit.domain.split('.')
  $UnitDNFullyQualifiedPath | foreach { $UnitDN += ",dc=$_" }

  $UnitDN = "ou=$($Unit.businessName),$UnitDN"

  Foreach ($Department in $Departments ) {
    if($Unit.$Department -eq 0) { Continue; }
    $DepartmentDN = "ou=$Department,$UnitDN"

And right about here we’ll drop in some new code to add users. We will iterate through the Departments in that Unit, and for each one generate a random username. Passwords are generated using the New-Guid command. We will then add this user to the correct security group for that Department.


    $usersPath = "ou=UserAccounts,$DepartmentDN"
    
    1..$Unit.$Department | Foreach {

      $FirstName = ($Top10kFirstNames | Get-Random)
      $LastName = ($Top10kLastNames | Get-Random)
      $UPN = "$FirstName.$LastName@$($Unit.Domain)"
      $SamAccountName = (($FirstName[0..10] -join '') `
          + ($LastName[0..1] -join '')).ToLower()
      $GroupName = "cn=$($Unit.BusinessName)-$Department"

      New-ADUser -GivenName "$FirstName" `
        -Surname "$LastName" ` 
        -Name "$FirstName $LastName" `
        -AccountPassword:$(New-Guid) `
        -Path $usersPath 
        -UPN $UPN 
        -SamAccountName $SamAccountName
        -Server $Unit.DomainControllerFQDN

      $userID = Get-ADUser "cn=$FirstName $LastName,$usersPath" `
        -Server $Unit.DomainControllerFQDN

      $groupID = Get-ADGroup "$GroupName,$DepartmentDN" `
        -Server $Unit.DomainControllerFQDN

      Add-ADGroupMember -Identity $groupID  `
        -Members $userID `
        -Server $Unit.domainControllerFQDN
    }
  }
}

…And that’s it! After a couple minutes, our domain controllers are toasty hot, our replication is going nuts, and most importantly, we’re a little less lonely here in the testing environment.