<#
.Synopsis
Build-Tier0-AuthPolicySilo.ps1
AUTHOR: Robin Granberg ([email protected])
THIS CODE-SAMPLE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR
FITNESS FOR A PARTICULAR PURPOSE.
.DESCRIPTION
A script that creates an enforced Authentication Policy and Authentication Policy Silo for Tier 0 accounts and hosts, and adds the given computers and users to the silo.
.EXAMPLE
.\Build-Tier0-AuthPolicySilo.ps1 -create
Creates an Authentication Policy and Silo for Tier 0 using the default names
.OUTPUTS
.LINK
https://github.com/canix1/Build-Tier0-AuthPolicySilo
.NOTES
Version: 1.0
5 September, 2022
#>
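#Requires -Modules ActiveDirectory
Param
(
    # Create the Tier 0 Authentication Policy and Silo in the current domain and
    # populate the silo. Without this switch the script only prints its banner.
    [Parameter(Mandatory=$false)]
    [switch]
    $create,

    # Name of the Authentication Policy. The misspelled parameter name is kept so
    # existing callers keep working; -AuthPolicyName is accepted as an alias.
    [Parameter(Mandatory=$false)]
    [ValidateNotNullOrEmpty()]
    [Alias('AuthPolicyName')]
    [string]
    $AuhtPolicyName = "AuthPolicy-Tier 0",

    # Name of the Authentication Policy Silo. It is embedded verbatim in the
    # policy's SDDL claim condition, so a double quote is rejected up front.
    [Parameter(Mandatory=$false)]
    [ValidateNotNullOrEmpty()]
    [ValidatePattern('^[^"]+$')]
    [Alias('AuthPolicySiloName')]
    [string]
    $AuhtPolicySiloName = "AuthSilo-Tier0",

    # Computers to add to the silo: an array of names, or a single
    # comma-separated string ("DC01,DC02"). Matched on the AD Name attribute.
    [Parameter(Mandatory=$false)]
    [ValidateNotNullOrEmpty()]
    [array]
    $t0computers,

    # Users to add to the silo: an array of names, or a single comma-separated
    # string. Matched on the AD Name attribute.
    [Parameter(Mandatory=$false)]
    [ValidateNotNullOrEmpty()]
    [array]
    $t0users
)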
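Clear-Host
Write-Host "********************************************"
Write-Host "Author: [email protected]"
Write-Host "twitter: @ipcdollar1"
Write-Host "github: https://github.com/canix1/Build-Tier0-AuthPolicySilo"
Write-Host "********************************************`n"
$VerbosePreference = "continue"

# Quote a value for use inside '...' in an ActiveDirectory -Filter string. The
# filter is parsed as a PowerShell expression, where a literal ' is written ''.
# Without this a name containing a quote breaks the filter or changes its meaning.
function ConvertTo-ADFilterLiteral
{
    param([string]$Value)
    return ($Value -replace "'", "''")
}

# Normalize a -t0computers / -t0users value: accept a real array or a single
# comma-separated string, trim surrounding whitespace and drop empty entries.
function Split-NameList
{
    param([array]$List)
    return @($List -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# The silo name is embedded verbatim in the policy's SDDL claim condition
# (@USER.ad://ext/AuthenticationSilo == "<name>"); a double quote would
# terminate that string early and yield a policy that does not say what
# the operator intended.
if ($AuhtPolicySiloName -match '"')
{
    throw "Authentication Policy Silo name '$AuhtPolicySiloName' must not contain a double quote."
}

if ($create)
{
    $policyLiteral = ConvertTo-ADFilterLiteral $AuhtPolicyName
    $siloLiteral   = ConvertTo-ADFilterLiteral $AuhtPolicySiloName

    # --- Authentication Policy -------------------------------------------
    # Resolve by name so the object's real DistinguishedName can be used below
    # instead of a hand-built "CN=...,CN=AuthN Policies,..." string.
    $policy = Get-ADAuthenticationPolicy -Filter "Name -eq '$policyLiteral'"
    if (-not $policy)
    {
        # Users under this policy may only authenticate from hosts whose
        # AuthenticationSilo claim equals the Tier 0 silo; TGT lifetime is 4 h
        # and the rolling NTLM secret is disabled.
        # NOTE(review): the policy is enforced from the moment it is created.
        # Rolling it out in audit-only mode first (Enforce off, review the KDC
        # audit events) avoids locking Tier 0 admins out if a member host or
        # DC cannot satisfy the condition - confirm against your environment.
        $sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $AuhtPolicySiloName + '"))'
        $policy = New-ADAuthenticationPolicy -Name:$AuhtPolicyName `
            -Description:"Block Tier 0 accounts from accessing host outside of Tier 0" `
            -Enforce:$true `
            -RollingNTLMSecret:"Disabled" `
            -UserAllowedToAuthenticateFrom:$sddl `
            -UserTGTLifetimeMins:240 `
            -PassThru
        # Protect the Authentication Policy from accidental deletion
        Set-ADAuthenticationPolicy -Identity $policy -ProtectedFromAccidentalDeletion:$true
        Write-Host "Authentication Policy $($AuhtPolicyName) created!`n" -ForegroundColor Green
    }
    else
    {
        Write-Host ("Authentication Policy "+[char]34+"$($AuhtPolicyName)"+[char]34+" already exist! `n") -ForegroundColor Yellow
    }

    # --- Authentication Policy Silo --------------------------------------
    $silo = Get-ADAuthenticationPolicySilo -Filter "Name -eq '$siloLiteral'"
    if (-not $silo)
    {
        # All three policy slots (user, computer, service) point at the same
        # Tier 0 policy; the silo is enforced and deletion-protected from
        # creation, which is the end state the original reached in three steps.
        $silo = New-ADAuthenticationPolicySilo -Name:$AuhtPolicySiloName `
            -Description:"Defined the boundary for Tier 0 accounts" `
            -UserAuthenticationPolicy $policy `
            -ComputerAuthenticationPolicy $policy `
            -ServiceAuthenticationPolicy $policy `
            -Enforce:$true `
            -ProtectedFromAccidentalDeletion:$true `
            -PassThru
        Write-Host "Authentication Policy Silo $($AuhtPolicySiloName) created!`n" -ForegroundColor Green
    }
    else
    {
        # An existing silo is left untouched (its policy links are not re-pointed).
        Write-Host ("Authentication Policy Silo "+[char]34+"$($AuhtPolicySiloName)"+[char]34+" already exist! `n") -ForegroundColor Yellow
    }

    # --- Silo members: computers -----------------------------------------
    # Each name must resolve to exactly one object. Name (CN) is only unique
    # within its container, so an ambiguous name is skipped rather than guessed.
    if ($t0computers)
    {
        foreach ($computerName in (Split-NameList $t0computers))
        {
            $found = @(Get-ADComputer -Filter "Name -eq '$(ConvertTo-ADFilterLiteral $computerName)'")
            if ($found.Count -eq 1)
            {
                $computer = $found[0]
                # Grant permits the account to join the silo; Set actually assigns it.
                Grant-ADAuthenticationPolicySiloAccess -Identity $AuhtPolicySiloName -Account $computer.DistinguishedName
                Set-ADComputer -Identity $computer.DistinguishedName -AuthenticationPolicySilo $AuhtPolicySiloName
                Write-Host ("Granted computer "+[char]34+"$($computer.SamAccountName)"+[char]34+" access to "+[char]34+"$($AuhtPolicySiloName)"+[char]34+" `n") -ForegroundColor Green
            }
            elseif ($found.Count -gt 1)
            {
                Write-Host ("Computer "+[char]34+"$($computerName)"+[char]34+" matches $($found.Count) objects; skipped. `n") -ForegroundColor Yellow
            }
            else
            {
                # Report the name that was looked up (the original printed a
                # SamAccountName left over from a previous iteration here).
                Write-Host ("Computer "+[char]34+"$($computerName)"+[char]34+" does not exist! `n") -ForegroundColor Yellow
            }
        }
    }

    # --- Silo members: users ---------------------------------------------
    if ($t0users)
    {
        foreach ($userName in (Split-NameList $t0users))
        {
            $found = @(Get-ADUser -Filter "Name -eq '$(ConvertTo-ADFilterLiteral $userName)'")
            if ($found.Count -eq 1)
            {
                $user = $found[0]
                # Pass the DN: -Identity / -Account accept DN, GUID, SID or
                # sAMAccountName, not the Name (CN) the entry was matched on,
                # so the original only worked when Name happened to equal
                # sAMAccountName.
                Grant-ADAuthenticationPolicySiloAccess -Identity $AuhtPolicySiloName -Account $user.DistinguishedName
                Set-ADUser -Identity $user.DistinguishedName -AuthenticationPolicySilo $AuhtPolicySiloName
                Write-Host ("Granted user "+[char]34+"$($userName)"+[char]34+" access to "+[char]34+"$($AuhtPolicySiloName)"+[char]34+" `n") -ForegroundColor Green
            }
            elseif ($found.Count -gt 1)
            {
                Write-Host ("User "+[char]34+"$($userName)"+[char]34+" matches $($found.Count) objects; skipped. `n") -ForegroundColor Yellow
            }
            else
            {
                Write-Host ("User "+[char]34+"$($userName)"+[char]34+" does not exist! `n") -ForegroundColor Yellow
            }
        }
    }
}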