DSAccount XML Serialization

MichaelGrafnetter / DSInternals

Directory Services Internals (DSInternals) PowerShell Module and Framework

https://www.dsinternals.com

MIT License

1.66k stars 255 forks source link

DSAccount XML Serialization #96

Open arnydo opened 5 years ago

arnydo commented 5 years ago

Working on auditing multiple domains and exported the results of Get-ADReplAccount via ... | Export-CliXML report.xml.

Upon importing the XML and piping to Test-PasswordQuality the following error is received.

Test-PasswordQuality : The input object cannot be bound to any parameters for the command either because the command
does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline
input.

The only difference I can see between the original object and the imported XML object is that the XML version is deserialized.

Is there any way that we can follow this process to import saved XMLs and then pipe them to Test-PasswordQuality?

Full process:

> Get-ADReplAccount -All -NamingContext "dc=domain,dc=io" -Server dc1 | Export-CLIXML report.xml

> Import-CLIXML report.xml | Test-PasswordQuality -WeakPasswordHashesSortedFile "file.txt"

MichaelGrafnetter commented 5 years ago

Hi @arnydo , for this to work, one would have to implement XML serialization in the DSAccount class and its subclasses. The default one does not go deep enough. But even if it worked, I would strongly discourage anyone from using it. Writing password hashes of all accounts into a cleartext file and copying such files between computers might expose passwords and other sensitive data to unwanted audience, which is a huge security risk.

arnydo commented 5 years ago

Good point. Trying to compare against HIBP list and didn't want to lug the 20+ GB file around. I will find an alternative that doesn't jeopardize the sensitive info.

Thank you!

MichaelGrafnetter commented 5 years ago

It is recommended to have a dedicated Privileged Access Workstation for this purpose. In a multi-forest environment, you could either use runas /netonly... or Get-ADReplAccount -Credential... to connect to DCs under different identities.

BTW, I am working on cross-domain password duplicate discovery using Test-PasswordQuality.

arnydo commented 5 years ago

BTW, I am working on cross-domain password duplicate discovery using Test-PasswordQuality.

This would be great. Looking forward to it!

Considering the security implications for the proposed task...this issue can be closed, unless you had another idea.

Thanks again.

MichaelGrafnetter commented 5 years ago

Well, I still want to implement Export-CliXml support, because I have never done such thing and I want to learn how to do it. So I will leave this issue open as a reminder for myself.