Testing 8.0 Credential phishing prevention
L6 Presenter

Re: Testing 8.0 Credential phishing prevention


@staustin wrote:

Hi @Brandon_Wertz,

What I had to do to get it working is as follows:

1.  I created an AD group called allmyusers and added all user accounts to the group.

2.  I added the allmyusers object to "Allowed RODC Password Replication Group".

3.  Bounced the PAN User-ID and credential agent.

Until PAN fixes the issue, "Domain Users" will not work and you have to create a different group that essentially does the same thing but isn't the built-in "Domain Users" group.


Also regarding your "step 1":

I'm not sure how large your AD environment is, but with service accounts, process control accounts, and various user accounts/types numbering (best guess) 25k+, for us to accomplish this "Step 1" would be an extremely long process and would be fraught with potential for missing critical accounts. Hence my stance in bypassing this whole headache and just moving this to a writeable DC.

L6 Presenter

Re: Testing 8.0 Credential phishing prevention

Just my theory... they don't want to be liable if something malicious happens and the software is somehow used to make changes to account creds, when the purpose is meant to protect credentials, so I see why the stated architecture is on an RODC.

In practice it doesn't seem like a viable option, though, if the only way to use the RODC is to also use a group which would cache creds to RODCs we don't want.

L2 Linker

Re: Testing 8.0 Credential phishing prevention

This isn't necessarily true. You could do it in a single-line PowerShell script. This should copy everything in Domain Users to a group2:

```powershell
# Copy every member of Domain Users into group2, one Add-ADGroupMember call per member.
# Requires the RSAT ActiveDirectory module (Import-Module ActiveDirectory).
Get-ADGroupMember -Identity "Domain Users" | ForEach-Object { Add-ADGroupMember -Identity "group2" -Members $_ }
```

 

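The three steps in @staustin's first post and the one-liner in this post, as one worked PowerShell run. This is an added example written for this page; it is not code from the thread or from Palo Alto Networks. The group name allmyusers is the one used in the post; the RODC name RODC01, the 500-account batch size and the service display-name pattern are assumptions. The last two cmdlets are the check a practitioner wants before trusting this on an RODC: what the RODC is allowed to cache versus what it has actually cached.

```powershell
# Added example for this page, not from the thread or the vendor.
# Assumes the RSAT ActiveDirectory module and a domain-joined admin session.
Import-Module ActiveDirectory

$GroupName = 'allmyusers'                               # name used in the post
$Rodc      = 'RODC01'                                   # assumption: the RODC hosting the credential agent
$PrpGroup  = 'Allowed RODC Password Replication Group'  # built-in group the TAC reply says the agent reads

# 1. Create the group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Stand-in for Domain Users for the User-ID credential agent'
}

# Populate it. Get-ADGroupMember 'Domain Users' is capped at 5000 objects by the
# default ADWS MaxGroupOrMemberEntries setting, so in a 25k-account domain it fails.
# Domain Users membership is implied by primaryGroupID=513, which Get-ADUser
# pages through without that cap.
$users = @(Get-ADUser -LDAPFilter '(primaryGroupID=513)')
for ($i = 0; $i -lt $users.Count; $i += 500) {          # batch size is an assumption
    $last = [Math]::Min($i + 499, $users.Count - 1)
    Add-ADGroupMember -Identity $GroupName -Members $users[$i..$last]
}

# 2. Nest the new group in the built-in allowed group. This is group membership,
#    not the per-RODC policy list; per the TAC reply the agent reads the group.
Add-ADGroupMember -Identity $PrpGroup -Members $GroupName

# 3. Bounce the User-ID and credential agent services on this host.
#    Service display names are an assumption; list them with Get-Service first.
Get-Service -DisplayName '*User-ID*' | Restart-Service

# Check: what the RODC may cache (policy) versus what it has actually cached (revealed).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, objectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
```

Being in the allowed group does not by itself put a secret on the RODC; a password is cached when the account authenticates through that RODC or is prepopulated. The RevealedAccounts list is therefore the thing to review periodically, and the DeniedList (Denied RODC Password Replication Group) still wins for any privileged accounts you put there, so keep the sensitive accounts the second post worries about in that group rather than relying on the allowed group alone.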
L6 Presenter

Re: Testing 8.0 Credential phishing prevention


@staustin wrote:

This isn't necessarily true. You could do it in a single-line PowerShell script. This should copy everything in Domain Users to a group2:

```powershell
Get-ADGroupMember -Identity "Domain Users" | ForEach-Object { Add-ADGroupMember -Identity "group2" -Members $_ }
```

 


<-- Traditional FW/Network guy with 3 years of AD experience 14 years ago, so my knowledge of how easy or difficult some processes are isn't too great.

It's good to see this is doable. Unfortunately it still leverages a group, which for us probably wouldn't work from a security risk perspective. Maybe we can use this user ID scrape for future needs, though.

L6 Presenter

Re: Testing 8.0 Credential phishing prevention

Response from TAC on my support case just relayed to me that:

"I have confirmed that the UID credential agent only queries the Allowed RODC Password Replication Group."

So until there's an update to the software (FR), users of this product will be required to utilize the "Allowed RODC Password Replication Group".

L2 Linker

Re: Testing 8.0 Credential phishing prevention

Figured as much. Sorry to hear that.

L1 Bithead

Re: Testing 8.0 Credential phishing prevention

The Domain Users group is now supported (8.0.10) for use in "Allowed RODC Password Replication Group"

aemr