{"id":1081,"date":"2023-06-06T19:39:43","date_gmt":"2023-06-06T17:39:43","guid":{"rendered":"https:\/\/blog.chrisse.se\/?p=1081"},"modified":"2023-06-06T19:49:40","modified_gmt":"2023-06-06T17:49:40","slug":"rodc-ifm-the-ntds-vss-writer-option-and-scrubbing-your-dit-afterwards","status":"publish","type":"post","link":"https:\/\/blog.chrisse.se\/?p=1081","title":{"rendered":"RODC IFM &#8211; The NTDS VSS Writer Option and scrubbing your DIT afterwards"},"content":{"rendered":"\n<p>Did you know that there is an undocumented option you can pass to the VSS &#8220;<a rel=\"noreferrer noopener\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/vss\/in-box-vss-writers#active-directory-domain-services-ntds-vss-writer\" target=\"_blank\">NTDS Writer<\/a>&#8221; using <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/vsbackup\/nf-vsbackup-ivssbackupcomponents-setbackupoptions\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/vsbackup\/nf-vsbackup-ivssbackupcomponents-setbackupoptions<\/a>? If it is set to &#8220;RODC_REMOVE_SECRETS;&#8221;, the NTDS Writer will remove the following attributes for you:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hidden and Secret attributes (PEK encrypted) &#8211; <a href=\"https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-drsr\/294168d9-81bf-461b-91d7-95bd8a985737\">https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-drsr\/294168d9-81bf-461b-91d7-95bd8a985737<\/a><\/li>\n\n\n\n<li>Attributes configured for FAS (Filtered Attribute Set) &#8211; <a href=\"https:\/\/learn.microsoft.com\/sv-se\/windows\/win32\/ad\/rodc-and-active-directory-schema?redirectedfrom=MSDN\">https:\/\/learn.microsoft.com\/sv-se\/windows\/win32\/ad\/rodc-and-active-directory-schema?redirectedfrom=MSDN<\/a><\/li>\n<\/ul>\n\n\n\n<p>It will NOT remove FAS (Filtered Attribute Set) data from the link_table, though.
Can you even have that? Sure, in the &#8220;link_data&#8221; column for the string\/data portion of a linked attribute with syntax DN-String or DN-binary: <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/adschema\/syntaxes\">https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/adschema\/syntaxes<\/a><\/p>\n\n\n\n<p>Below I&#8217;m dumping the &#8220;link_table&#8221; from a Windows 2000 Server DC, simply because the table has only a few columns on Windows 2000 DCs and I have all kinds of DITs around for testing when I write tools.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"826\" height=\"394\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-47.png\" alt=\"\" class=\"wp-image-1084\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-47.png 826w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-47-300x143.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-47-768x366.png 768w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>It will not change InstanceType to 0 either, which would clear out the writable (4th) flag &#8211; <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/adschema\/a-instancetype\">https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/adschema\/a-instancetype<\/a>.<\/p>\n\n\n\n<p>So now we&#8217;re coming to the scrubbing part. Let&#8217;s say you used the VSS API and the NTDS Writer with &#8220;RODC_REMOVE_SECRETS;&#8221; _AND_ cleaned up, on your own, any linked FAS attribute that stored its data in the &#8220;link_data&#8221; column.<br><br>Would the NTDS.DIT be secure? Nope &#8211; you need to scrub your DIT so it becomes secure.
You just call into esent.dll?JetDBUtilitiesW and ask for a scrub operation (opDBUTILEDBScrub) to take place. If I say &#8220;securing&#8221; the DIT instead of scrubbing, does that sound more familiar?<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"926\" height=\"379\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-48.png\" alt=\"\" class=\"wp-image-1085\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-48.png 926w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-48-300x123.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-48-768x314.png 768w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>So why is this necessary? Well, the &#8220;NTDS Writer&#8221; with &#8220;RODC_REMOVE_SECRETS;&#8221; just calls regular jet\/esent APIs to delete the columns\/attributes that contained hidden, secret or FAS data. That is what you&#8217;re doing in the &#8220;link_table&#8221; as well, but it&#8217;s more complicated there because we can&#8217;t drop the entire column; instead, the &#8220;link_data&#8221; value of the specific row representing the linked attribute needs to be reset, using for example JetSetColumn or JetSetColumnDefaultValue.<br><br>Regardless of the above, there is no guarantee that metadata and leftover data aren&#8217;t still present somewhere in the database &#8211; hence the need to secure \/ scrub the DIT.<br><br>By the way, you don&#8217;t need to write your own code and call into esent.dll?JetDBUtilitiesW: you can just use the undocumented option &#8220;Z&#8221; of esentutl.exe, which has been there since Windows Server 2008:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"658\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-49-1024x658.png\" 
alt=\"\" class=\"wp-image-1086\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-49-1024x658.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-49-300x193.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-49-768x494.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2023\/06\/image-49.png 1056w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Did you know that there is an undocumented option you can pass to the VSS &#8220;NTDS Writer&#8221; using https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/vsbackup\/nf-vsbackup-ivssbackupcomponents-setbackupoptions &#8211; if it&#8217;s set to &#8220;RODC_REMOVE_SECRETS;&#8221; &#8211; the NTDS Writer will remove the following attributes for you: It will NOT remove FAS (Filtered Attribute Set) from the link_table? Can you even have that? 
&hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.chrisse.se\/?p=1081\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;RODC IFM &#8211; The NTDS VSS Writer Option and scrubbing your DIT afterwards&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[28,27,29,16],"class_list":["post-1081","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-ese","tag-ifm","tag-ntds-vss-writer","tag-ntds-dit"],"_links":{"self":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1081","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1081"}],"version-history":[{"count":5,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1081\/revisions"}],"predecessor-version":[{"id":1089,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1081\/revisions\/1089"}],"wp:attachment":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1081"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1081"}],"curies":[{"name":"wp","href":"htt
ps:\/\/api.w.org\/{rel}","templated":true}]}}