Posts by James Spencer

Not sure if you’ve ever tried, but do you happen to have used accounts protected by FAST with keytabs before?

I’ve had trouble using them when FAST is at play; but it’s fine when entering creds interactively - might be something to do with salts? 🧂

FWIW, your FAST repo helped a lot at $OLDJOB!

1 year ago 0 0 1 0

Assumes you’re not loading your own supplementary DLLs though I suppose

1 year ago 0 0 1 0

PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON?

1 year ago 0 0 1 0

Amazing, thank you! Definitely a massive win for FAST armouring! Appreciate it :)

1 year ago 0 0 0 0

Is this the “Machine Identity Isolation” feature, or am I crossing my wires? 😅

1 year ago 0 0 1 0

Poor wording on my part! I’m wondering if there’s a way to specify that a machine should auto-enroll for a machine certificate stored in Credential Guard, rather than running the command manually on the endpoint

1 year ago 0 0 1 0

I assume this would have the same OS requirements as the new VBS flags in NCrypt (though I might be wrong there!)?

Doing a deep dive, I can’t seem to spot any other LsaIso RPC callers in the cert enrollment DLLs other than the path that originates from that CLI flag 🤔

1 year ago 0 0 1 0
Additional mitigations: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code.

@syfuhs.net I’m not sure if it’s in your wheelhouse, but do you happen to know if there’s a chance this feature (CertReq -EnrollCredGuardCert MachineAuthentication) will get exposed to ADCS at some stage (like TPM attestation?) - hadn’t seen it until recently and it’s pretty sweet!

1 year ago 0 0 1 0

More specifically on the RPC filter part of WFP, but a really good guide!

www.akamai.com/blog/securit...

1 year ago 0 0 0 0

@damienmiller.bsky.social sorry, not sshd-auth; it’s the monitor process holding the PAM handle. Still, same problem!

1 year ago 1 0 0 0

Ouch - doesn’t sound fun; would you almost need to keep an sshd-auth process idling holding a PAM handle open?

Excited to see the finished product! It’s really impressive how cleanly it’s all been split out - the side effect of making process trees easier to follow is really handy!

1 year ago 0 0 1 0

@damienmiller.bsky.social Hi! I’ve been following the privsep work in sshd->sshd[-auth|-session], loving it!

Does there happen to be any doco around on the new design / roadmap compared to older builds? I’ve been able to grok it mostly from the diffs, but any docs on it would be great to reference!

1 year ago 0 0 1 0

we need to bring back ominous error messages; all i want is for my pc to suggest i "contact my system administrator via ouija board" or something. we used to be a proper country.

2025: out with "oops!!" in error messages, in with "how dare you ... the audacity ... etc. etc."

1 year ago 0 0 0 0

Perfect, thank you! I assumed that it was something like that, just hadn’t seen anything mentioned anywhere before!

Happy holidays! 🎆

1 year ago 0 0 0 0

@syfuhs.net I know they’re not “”publicly”” documented, but a question about S-1-12- SIDs:

Does the ‘R’ in S-1-12-R- point to the Azure cloud that the object belongs to? 99% of the time I see 1 (Entra ID global?), but my best guess on the rest (up to 8) is the other clouds… am I in the ballpark? 🤔🤔

1 year ago 1 0 1 0