Closed TrimarcJake closed 1 year ago
To remove SPNs from accounts: setspn -d [SPN] [IdentityReference]
Example: setspn -d http/deadhost.horse.local FOAL\user
Perfect! That should be easy enough to script out for my list. Thanks a bunch!
Yeah, buddy! (Almost) none of this stuff is rocket science. It's just hard to find, ya know?
I ended up using ChatGPT to take the results that BlueTux spit out and reformat them into a CSV that I could easily read in with PowerShell. hah. Just needed "host/name,name" in the CSV, then I used this:
# CSV needs a header row of "spn,name" so that $row.spn and $row.name resolve
$data = Import-Csv -Path "C:\path\to\spn.csv"
foreach ($row in $data) {
    $spn  = $row.spn    # e.g. host/deadhost.horse.local
    $name = $row.name   # account the SPN is attached to, e.g. FOAL\user
    # Delete the SPN from that account (setspn -D is the delete switch)
    setspn -D $spn $name
}
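The same clean-up as a self-contained script, added here as an example; it is not BlueTuxedo code and not the script from this thread. It enumerates every object that carries a servicePrincipalName, treats an SPN as dangling when its host part neither matches a computer account nor resolves in DNS, prints the equivalent setspn -D command for each, and only removes them when -Run is given (the same opt-in pattern the Repair- functions use). It assumes the ActiveDirectory and DnsClient modules, a single-domain forest, and rights to edit servicePrincipalName on the affected objects; the probe name and the list of skipped SPN shapes are assumptions, not anything from the project.

```powershell
<#
Added example (not BlueTuxedo code): find dangling SPNs and optionally remove them.
Assumes ActiveDirectory + DnsClient modules, a single-domain forest, and write
access to servicePrincipalName. Without -Run it only prints setspn -D commands.
#>
[CmdletBinding()]
param(
    [switch]$Run   # opt-in: actually remove the SPNs instead of just listing them
)

Import-Module ActiveDirectory
$dnsRoot = (Get-ADDomain).DNSRoot

# Every computer account's NetBIOS name and dNSHostName. An SPN host that matches
# one of these is not dangling even if DNS is momentarily wrong, so this is
# checked before any DNS lookup.
$knownHosts = @{}
foreach ($c in Get-ADComputer -Filter * -Properties dNSHostName) {
    $knownHosts[$c.Name.ToLower()] = $true
    if ($c.dNSHostName) { $knownHosts[$c.dNSHostName.ToLower()] = $true }
}

# Wildcard probe (assumed name): if a random name under the zone resolves, a
# wildcard record exists and a successful lookup proves nothing, so DNS is then
# not used as evidence and only the computer-account check is trusted.
$probe = 'spn-probe-{0}.{1}' -f [guid]::NewGuid().ToString('N').Substring(0, 12), $dnsRoot
$wildcard = [bool](Resolve-DnsName -Name $probe -DnsOnly -ErrorAction SilentlyContinue)
if ($wildcard) { Write-Warning "Wildcard record detected in $dnsRoot; DNS resolution will not be trusted." }

function Test-HostLive {
    param([string]$HostName)
    if ($knownHosts.ContainsKey($HostName)) { return $true }
    $fqdn = if ($HostName -match '\.') { $HostName } else { "$HostName.$dnsRoot" }
    if ($knownHosts.ContainsKey($fqdn)) { return $true }
    if ($wildcard) { return $false }
    return [bool](Resolve-DnsName -Name $fqdn -DnsOnly -ErrorAction SilentlyContinue)
}

$objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, sAMAccountName
$dangling = foreach ($obj in $objects) {
    foreach ($spn in $obj.servicePrincipalName) {
        $parts = $spn -split '/'
        if ($parts.Count -lt 2) { continue }
        $hostPart = ($parts[1] -split ':')[0].ToLower()   # drop :port or :instance
        # Skip SPNs whose second element is not a host name: GUID-style instance
        # names, DC replication aliases under _msdcs, and kadmin/changepw on krbtgt.
        if ($hostPart -match '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$') { continue }
        if ($hostPart -like '*._msdcs.*') { continue }
        if ($spn -ieq 'kadmin/changepw') { continue }
        if (-not (Test-HostLive $hostPart)) {
            [pscustomobject]@{ Account = $obj.sAMAccountName; DN = $obj.DistinguishedName; SPN = $spn }
        }
    }
}

foreach ($d in $dangling) {
    # Same effect as: setspn -D <SPN> <account>
    Write-Output ('setspn -D {0} {1}' -f $d.SPN, $d.Account)
    if ($Run) {
        Set-ADObject -Identity $d.DN -Remove @{ servicePrincipalName = $d.SPN }
    }
}
```

Run it once without -Run and read the list before trusting it: the skip rules above are deliberately narrow, so anything unusual (custom service classes that put a non-host token after the slash, DCs with stale _msdcs aliases) should be reviewed by hand before re-running with -Run.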
Easy peasy! BTW: I plan to get this added in Saturday or Sunday.
Awesome. I am pretty sure gpt didn't include all of them in the reformatted output it gave me, but I haven't run the check again. I may wait until you release the updated code so I can test it out. I am actually doing a short presentation on Blue Tuxedo for our team next Friday.
This may sound weird, but would it be possible for me to join that presentation?
Doesn't sound weird at all. That would be cool, but we don't typically stream / record them since they are pretty low key. It is going to be during one of our professional development meetings, and will most likely be a 2-3 minute very high level overview. I can hit you up afterward to give you my talking points, and how it went.
Love it.
So, good news and bad news...
Bad news: it looks like my branch protection rules were not set up properly and I stupidly committed to main
Good news: the following commits add the Repair-BTDanglingSPN function! 53401bf7c52f3d0cb95bd10e44ba79d3674c7d59 d31480511b386d0919acb4d157fce4e1698d3548 d9bed143beacf29c73883d5b2af0ac2fd11f2b24
If I understand correctly, @nitsewg, you've already resolved your danglin', but if not, please test this out and let me know if it works!
It doesn't look like it gives you the commands when you run invoke-bluetuxedo, but when I ran Repair-BTDanglingSPN by itself, it spit out the code blocks. I still had a few that I guess didn't make it into my list last time. I cleaned up the output and ran the code blocks. Looks like we should be good to go now.
Guess who just earned the job of User Acceptance Tester... :D jk, thank you for the report!
BTW: All Repair- functions include a -Run switch that will run the fix on your behalf. I will make sure that is included in the documentation (when I get a chance to update it.)
:joy: - good to know on the -Run... I remembered something about that from your presentation, but I didn't remember the flag to use. Easy enough. Thanks again for being responsive on this. Now I just need to work on the dynamic update service account. I think just about everything else BT audits is looking pretty good.
Ooh, can you try to set a gMSA as the dynamic update service account? I am curious if that's possible and haven't had time to lab it up.
I'll look into it a bit. I, eh... do all of my testing in production, so I have to be a bit careful not to break things. hah
"Everyone has a test environment. Some people are lucky enough to have a production environment."
I read up a bit on gMSA... but I am not sure what permissions would be needed. The only documentation I have found for using dynamic update credentials shows using domain admin... lol
I should probably do a bit more research before going whole hog on this one. Do you happen to have any links that would give a shove in the right direction on that?
This is the one I found, that shows using domain admin:
https://learn.microsoft.com/en-us/answers/questions/355711/dhcp-reccord-dns-service-account
The DNS Update account for DHCP should be a standard user account. Never tried to use a gMSA for this. Unsure if it's supported.
Some links I have on this topic:
Configure DNS dynamic update credential: https://readwise.io/reader/shared/01he1aeq13ht4238hbvavhrcn3
DHCP Server in DCs and DNS Registrations: https://learn.microsoft.com/en-us/archive/blogs/stdqry/dhcp-server-in-dcs-and-dns-registrations
DHCP, Dynamic DNS, and DCs: How about Some PowerShell to Spice Up a Mind-Numbing Topic?: https://readwise.io/reader/shared/01hdkxzh458desy94dngqxw7xn
Edit: missed one:
Using DNS servers with DHCP: https://readwise.io/reader/shared/01he1af4ykcpmabjjnfaxzegpt
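A quick audit of the point made above (the DHCP dynamic update account should be a standard user, not a domain admin), added here as an example and not BlueTuxedo code or anything from the links. It reads the credential the DHCP server currently uses with Get-DhcpServerDnsCredential, warns if that account is a direct member of a privileged group, and, when a replacement account name is supplied, swaps it in with Set-DhcpServerDnsCredential. It assumes the DhcpServer and ActiveDirectory modules; the server name, the account name and the privileged-group list are placeholders. Whether a gMSA can be used here is not something this example settles, since Set-DhcpServerDnsCredential takes a PSCredential with a password.

```powershell
<#
Added example (not BlueTuxedo code): audit and optionally replace the DHCP
dynamic DNS update credential. Assumes the DhcpServer and ActiveDirectory
modules and rights to manage the DHCP server. Server and account names are
placeholders to adjust.
#>
[CmdletBinding()]
param(
    [string]$DhcpServer = 'dhcp01.horse.local',  # assumption: your DHCP server
    [string]$NewAccount = ''                     # e.g. 'svc-dhcpdns'; empty = audit only
)

# Groups a dynamic update account should never sit in (assumed list; extend as needed)
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
              'Account Operators', 'Schema Admins', 'DnsAdmins'

$current = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
if (-not $current.UserName) {
    Write-Warning "$DhcpServer has no dynamic update credential configured; registrations run as the DHCP server's own identity."
} else {
    Write-Output ("Current dynamic update account: {0}\{1}" -f $current.DomainName, $current.UserName)
    # Direct memberships only; nested privilege would need a recursive query
    $groups = Get-ADPrincipalGroupMembership -Identity $current.UserName |
              Select-Object -ExpandProperty Name
    $hits = $groups | Where-Object { $privileged -contains $_ }
    if ($hits) {
        Write-Warning ("Dynamic update account is a member of privileged group(s): {0}" -f ($hits -join ', '))
    } else {
        Write-Output 'Dynamic update account is not directly in any privileged group.'
    }
}

if ($NewAccount) {
    $netbios = (Get-ADDomain).NetBIOSName
    # Prompt for the standard user account's password and apply it to the DHCP server
    $cred = Get-Credential -UserName "$netbios\$NewAccount" -Message 'Password for the DHCP dynamic update account'
    Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred
    Get-DhcpServerDnsCredential -ComputerName $DhcpServer   # confirm the change took
}
```

Run it with no arguments first to see what the server is using today; only pass -NewAccount once the replacement account exists and has been given the DNS permissions it needs on the zones DHCP updates.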
@TrimarcJake - The short presentation went well. I discussed the dangers of wildcard records, wpad, dangling SPNs, tombstone records, legacy zones, etc... and then showed screenshots with alerts and remediations using BT. I think most of it was over their heads, but the main point that we are safer now than before came through clearly. I tried to stick with a 10,000 ft view of it. hah
Dangling SPNs should be removed from the principals they are attached to. BlueTuxedo should provide code for removing SPNs.