Now another principle of delegation. Let me open up Visual Studio Code, and because I have the Active Directory RSAT tools, that means that I have the Active Directory module installed and it's available in my Windows PowerShell session. Here is a script file I created called credssp.ps1, and I have this here, I give it to you in the course files as well, and it's going to walk us through how we can do Kerberos, well not Kerberos, but CredSSP-based delegation. While I'm on the subject of Kerberos delegation, you can do that, though you don't have to, here in the context of Active Directory Users and Computers. You can right-click a computer account, go to Properties, and go to Delegation, and notice that, by default, your member servers here are not trusted for delegation, and the idea of constrained delegation would be where you trust the computer for delegation to specified services only, and then you can add those services in here specifically. This is the preferred way. If you're going to delegate credentials from machine to machine, don't do it globally or in an unconstrained way, but do it in a very intentional, constrained way.
Now, as an alternative to Kerberos constrained delegation, we have CredSSP, and that's what I'm going to show you here using PowerShell. So I'm going to right-click Line 5 here, and I'm going to run that selection. That's going to use PowerShell WinRM remoting to get me into mem1.timw.info. Next, I'm going to run Line 6, where from mem1 I'm going to invoke the command Get-WindowsFeature to enumerate the installed features on dc1.timw.info. Now watch what happens when I do that. We get a whole bunch of error text mentioning Kerberos. This is the Kerberos second hop problem. It was just fine for me to connect with my current administrative credentials to mem1, but then when we ran Invoke-Command from mem1, mem1 was not a delegate, it wasn't given permission to forward my credentials, hence we bombed out. So let me exit the PSSession to come back to the client machine. Again, just as a check, I'll run hostname, I'm on client1, and I'll run whoami. I am signed in as a domain administrator here, so let's clear the screen. Okay, so the commands that you should know about regarding CredSSP delegation are these. Let me run Line 9.
There is Disable-WSManCredSSP, Enable-WSManCredSSP, and Get-WSManCredSSP. And the way it works, it's a client-server model. Now the machine that I'm on is going to be the client. So on Line 12 here, I'm going to say Enable-WSManCredSSP with the Client role, the DelegateComputer is going to be mem1, and I do want to force that. And again, we can echo back our current settings by running Get-WSManCredSSP, and it tells us in very user-friendly language that the machine is configured to allow delegating fresh credentials to mem1, but the computer is not configured to receive credentials, so that's the server piece. So on Line 18, I'm going to issue a remote command using Invoke-Command to mem1, and there I'm going to run Enable-WSManCredSSP with the Server role. Let me right-click, let me run that selection, and that'll configure the machine just in the opposite way to how my current machine is set up. Matter of fact, I can modify this and make the ScriptBlock Get-WSManCredSSP, and let's take a look at the configuration of mem1. Let me run that selection. So this machine is not configured to delegate, but it is configured to receive credentials from a remote client computer, so far so good.
So to finish this out here on Line 21, let's now enter another PSSession to mem1. I'll specifically mention my domain credentials, but this is important: I'm specifying Authentication CredSSP. So let me right-click, run that selection, put in my password here, and now I'm connected to mem1.timw.info. So we should find now, if we attempt to run Line 23, there are the installed features, so we're able to complete the configuration and work past the Kerberos second hop problem. Let me Ctrl+C to break that output. Alright, good. Now to reset things back to how they were originally, let me again do an Exit-PSSession to close that session and come back to the client. I can do a Disable-WSManCredSSP on my local machine. And then lastly, I can undo the server configuration. Now, why do I mention that? Well, it's because by opening up CredSSP in this way, even though I'm doing it pretty intentionally, I'm just doing it from my one workstation to one particular server, that still expands the attack surface of mem1, and to a degree, client1.
So unless CredSSP is something that you really legitimately need enabled all the time, it may be best to consider it a temporary technique that you then can disable after you finish needing it.
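The walkthrough above as one reversible script, an added example rather than the course's own credssp.ps1. It assumes the transcript's hostnames (run from client1, with mem1.timw.info as the delegate and dc1.timw.info as the second hop), that WinRM remoting already works with Kerberos, and a domain credential you supply at the prompt; the enable steps sit inside try/finally so both the client and the server half are disabled again even if the second hop fails.

```powershell
# Added example (not the course's credssp.ps1): scoped, reversible CredSSP second-hop setup.
# Hostnames are the ones used in the transcript; change them for your own lab.
$Delegate  = 'mem1.timw.info'   # the single server allowed to receive our fresh credentials
$SecondHop = 'dc1.timw.info'    # target of the second hop, reached from mem1
$Cred = Get-Credential -Message "Domain credential to delegate to $Delegate"

# Baseline: record the client's CredSSP state before touching anything.
Write-Host "--- client CredSSP state before ---"
Get-WSManCredSSP

try {
    # Client half: allow delegating fresh credentials to this one host only (no wildcard).
    Enable-WSManCredSSP -Role Client -DelegateComputer $Delegate -Force | Out-Null

    # Server half: let mem1 accept delegated credentials. Ordinary Kerberos remoting is enough
    # for this step, because nothing is forwarded yet.
    Invoke-Command -ComputerName $Delegate -ScriptBlock {
        Enable-WSManCredSSP -Role Server -Force | Out-Null
        Get-WSManCredSSP    # should report that the machine is configured to receive credentials
    }

    # First hop with CredSSP; the nested Invoke-Command from mem1 to dc1 is the second hop
    # that failed earlier with the Kerberos error.
    $features = Invoke-Command -ComputerName $Delegate -Credential $Cred -Authentication Credssp -ScriptBlock {
        param($Target)
        Invoke-Command -ComputerName $Target -ScriptBlock { Get-WindowsFeature | Where-Object Installed }
    } -ArgumentList $SecondHop
    $features | Format-Table Name, DisplayName -AutoSize
}
finally {
    # Always undo both halves so the widened attack surface does not outlive the task.
    Disable-WSManCredSSP -Role Client
    Invoke-Command -ComputerName $Delegate -ScriptBlock { Disable-WSManCredSSP -Role Server }
    Write-Host "--- client CredSSP state after cleanup ---"
    Get-WSManCredSSP
}
```

Run it from an elevated Windows PowerShell session on the client; the two Get-WSManCredSSP calls let you confirm the before and after states match.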