Active Directory Security Checks

September 7, 2016 | Views: 11046

This is again a recreation, with minor modifications, of the work Sean Metcalf (@Pyrotek3) presented at the recent Black Hat event, which covers in detail the AD security checks to perform in order to raise the security level of the whole setup. I have just collated all the points in one place to make them easy to implement.

General Recommendations

  • Manage local Administrator passwords (LAPS).
  • Implement RDP Restricted Admin mode (as needed).
  • Remove unsupported OSs from the network.
  • Monitor scheduled tasks on sensitive systems (DCs, etc.).
  • Ensure that OOB management passwords (DSRM) are changed regularly & securely stored.
  • Use SMB v2/v3+
  • Default domain Administrator & KRBTGT password should be changed every year & when an AD admin leaves.
  • Remove trusts that are no longer necessary & enable SID filtering as appropriate.
  • All domain authentications should be set (when possible) to: “Send NTLMv2 response only. Refuse LM & NTLM.”
  • Block internet access for DCs, servers, & all administration systems.
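Three of the items above (KRBTGT password age, SID filtering on trusts, unsupported operating systems) can be checked from a single read-only PowerShell audit. The script below is an added example, not part of the original post or of Sean Metcalf's material; it requires the RSAT ActiveDirectory module, and the 365-day limit and the OS name patterns are assumptions to adjust for your environment.

```powershell
# Added example, not part of the original post: a read-only audit of three items
# from the list above (KRBTGT password age, SID filtering on trusts, unsupported OS).
# Requires the RSAT ActiveDirectory module. The 365-day limit and the OS patterns are
# assumptions to adjust for your environment.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$Findings = New-Object System.Collections.Generic.List[object]

# 1. KRBTGT: the checklist wants a change every year and whenever an AD admin leaves.
#    Read from the PDC emulator so the timestamp is authoritative.
$Krbtgt    = Get-ADUser -Identity krbtgt -Properties PasswordLastSet -Server $Domain.PDCEmulator
$KrbtgtAge = [int]((Get-Date) - $Krbtgt.PasswordLastSet).TotalDays
if ($KrbtgtAge -gt 365) {
    $Findings.Add([pscustomobject]@{ Check = 'KRBTGT password age'; Object = 'krbtgt'; Detail = "$KrbtgtAge days, limit 365" })
}

# 2. Trusts: on an external (non-forest) trust, SIDFilteringQuarantined = $true means SID
#    filtering is on. Forest trusts are listed with their flags for manual review, since
#    the checklist leaves "as appropriate" to the admin.
foreach ($T in Get-ADTrust -Filter *) {
    if ((-not $T.ForestTransitive) -and (-not $T.SIDFilteringQuarantined)) {
        $Findings.Add([pscustomobject]@{ Check = 'Trust without SID filtering'; Object = $T.Name; Detail = "$($T.Direction) external trust" })
    } else {
        $Findings.Add([pscustomobject]@{ Check = 'Trust to review'; Object = $T.Name;
            Detail = "Direction=$($T.Direction) Forest=$($T.ForestTransitive) Quarantined=$($T.SIDFilteringQuarantined) ForestAware=$($T.SIDFilteringForestAware)" })
    }
}

# 3. Unsupported operating systems still joined to the domain (patterns as of the 2016 post)
$Unsupported = 'Windows 2000*', 'Windows XP*', 'Windows Server 2003*'
Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, LastLogonDate | ForEach-Object {
    $Os = $_.OperatingSystem
    if ($Os -and ($Unsupported | Where-Object { $Os -like $_ })) {
        $Findings.Add([pscustomobject]@{ Check = 'Unsupported OS'; Object = $_.Name; Detail = "$Os, last logon $($_.LastLogonDate)" })
    }
}

$Findings | Sort-Object Check, Object | Format-Table -AutoSize
```

Run it with an ordinary domain account; nothing in it writes to AD. Forest trusts are deliberately reported rather than judged, because whether SID history must be honoured across a forest trust (migration scenarios) is a decision the script cannot make for you.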

Protect Admin Credentials

  • No “user” or computer accounts in admin groups.
  • Ensure all admin accounts are “sensitive & cannot be delegated”.
  • Add admin accounts to “Protected Users” group (requires Windows Server 2012 R2 Domain Controllers, 2012R2 DFL for domain protection).
  • Disable all inactive admin accounts and remove from privileged groups.

Protect AD Admin Credentials

  • Limit AD admin membership (DA, EA, Schema Admins, etc.) & only use custom delegation groups.
  • Use ‘tiered’ administration to limit the impact of credential theft.
  • Ensure admins only logon to approved admin workstations & servers.
  • Leverage time-based, temporary group membership for all admin accounts.
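The two sections above translate into a membership audit of the built-in admin groups. The script below is an added example, not part of the original post or of Sean Metcalf's material; it needs the RSAT ActiveDirectory module and a read-only domain account, and the group list and the 90-day inactivity window are assumptions.

```powershell
# Added example, not part of the original post: list every account that holds
# membership in the built-in AD admin groups and report which items of the
# checklist above it fails. Requires the RSAT ActiveDirectory module and a
# read-only domain account; $PrivilegedGroups and the 90-day window are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators'
$InactiveCutoff   = (Get-Date).AddDays(-90)

# Protected Users only exists once the 2012 R2 schema is in place
$ProtectedUsersDN = try { (Get-ADGroup -Identity 'Protected Users').DistinguishedName } catch { $null }

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive flattens nested groups so indirect members are not missed
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue
    foreach ($M in $Members) {
        if ($M.objectClass -eq 'computer') {
            [pscustomobject]@{ Group = $Group; Account = $M.SamAccountName; Issue = 'computer account in admin group' }
            continue
        }
        if ($M.objectClass -ne 'user') { continue }   # gMSAs and other classes are reviewed separately

        $U = Get-ADUser -Identity $M.distinguishedName -Properties AccountNotDelegated, MemberOf, LastLogonDate, PasswordLastSet
        if (-not $U.AccountNotDelegated) {
            [pscustomobject]@{ Group = $Group; Account = $U.SamAccountName; Issue = 'not "sensitive and cannot be delegated"' }
        }
        if ($ProtectedUsersDN -and ($U.MemberOf -notcontains $ProtectedUsersDN)) {
            [pscustomobject]@{ Group = $Group; Account = $U.SamAccountName; Issue = 'not in Protected Users' }
        }
        if ($U.Enabled -and ((-not $U.LastLogonDate) -or ($U.LastLogonDate -lt $InactiveCutoff))) {
            [pscustomobject]@{ Group = $Group; Account = $U.SamAccountName; Issue = 'enabled but no logon in 90 days' }
        }
        if (-not $U.Enabled) {
            [pscustomobject]@{ Group = $Group; Account = $U.SamAccountName; Issue = 'disabled account still in admin group' }
        }
    }
}

$Findings | Sort-Object Group, Account | Format-Table -AutoSize
```

The "no user accounts in admin groups" item is the one a script cannot decide: every row in the output is a user, and it is up to you to confirm each one is a dedicated admin account rather than someone's day-to-day identity. Time-based group membership (the last bullet) needs the 2016 Privileged Access Management optional feature and is not covered here.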

Protect Service Account Credentials

  • Limit to systems of the same security level.
  • Leverage “(Group) Managed Service Accounts” (or PW >20 characters) to mitigate credential theft (kerberoast).
  • Implement FGPP (DFL >= 2008) to increase PW requirements for SAs and administrators.
  • Logon restrictions – prevent interactive logon & limit logon capability to specific computers.
  • Disable inactive SAs & remove from privileged groups.
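The service-account bullets above, and the "limit service account rights that are currently DA" check in the Security Pro's list further down, come down to one inventory plus two settings. The script below is an added example, not part of the original post or of Sean Metcalf's material; it requires the RSAT ActiveDirectory module and, for steps 2 and 3, Domain Admin rights. The group name 'Service Accounts', the PSO name 'ServiceAccountPSO', the host mapping and the 365-day password age are assumptions.

```powershell
# Added example, not part of the original post: inventory the user-object service
# accounts (any user with an SPN can be Kerberoasted), then apply the FGPP and logon
# restrictions from the list above. Requires the RSAT ActiveDirectory module and, for
# steps 2 and 3, Domain Admin rights. The group name 'Service Accounts', the PSO name,
# the host mapping and the 365-day age are assumptions.
Import-Module ActiveDirectory

$Cutoff = (Get-Date).AddDays(-365)

# 1. Inventory: user accounts with an SPN (krbtgt excluded). gMSAs are a different object
#    class and do not appear here, which is exactly why the checklist prefers them.
$SvcAccounts = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties ServicePrincipalName, PasswordLastSet, AdminCount, LogonWorkstations

$Report = foreach ($A in $SvcAccounts) {
    $PwdAge = if ($A.PasswordLastSet) { [int]((Get-Date) - $A.PasswordLastSet).TotalDays } else { -1 }
    [pscustomobject]@{
        Account       = $A.SamAccountName
        Enabled       = $A.Enabled
        PwdAgeDays    = $PwdAge
        StalePassword = ($PwdAge -lt 0) -or ($A.PasswordLastSet -lt $Cutoff)
        Privileged    = [bool]$A.AdminCount        # adminCount=1: member of a group AdminSDHolder protects (DA or equivalent)
        LogonLimited  = [bool]$A.LogonWorkstations # empty: the account may log on to any host
        SPNs          = ($A.ServicePrincipalName -join '; ')
    }
}
# Privileged plus stale is the highest-risk combination, so sort it to the top
$Report | Sort-Object Privileged, StalePassword -Descending | Format-Table -AutoSize

# 2. FGPP (DFL 2008+): enforce long passwords on the service-account group
$SvcGroup = 'Service Accounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'ServiceAccountPSO'")) {
    New-ADFineGrainedPasswordPolicy -Name 'ServiceAccountPSO' -Precedence 10 `
        -MinPasswordLength 25 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity 'ServiceAccountPSO' -Subjects $SvcGroup
}

# 3. Logon restrictions: pin each account to the hosts that actually run the service.
#    Interactive logon is denied separately through the "Deny log on locally" right in GPO.
$AllowedHosts = @{ 'svc_sql01' = 'SQL01,SQL02' }   # constructed mapping for illustration
foreach ($Name in $AllowedHosts.Keys) {
    Set-ADUser -Identity $Name -LogonWorkstations $AllowedHosts[$Name]
}
```

A row with Privileged = True should be treated as a finding in its own right regardless of password age: a service account rarely needs DA, and the fix is to delegate only the rights the service uses. Note that LogonWorkstations limits where the account can log on, not which hosts can request a service ticket for its SPN, so it complements rather than replaces the long-password requirement.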

Protect Resources

  • Segment network to protect admin & critical systems.
  • Deploy IDS to monitor the internal corporate network.
  • Network device & OOB management on separate network.

Protect Domain Controllers

  • Only run software & services to support AD.
  • Minimal groups (& users) with DC admin/logon rights.
  • Ensure patches are applied before running DCPromo (especially MS14-068 and other critical patches).
  • Validate scheduled tasks & scripts.

Protect Workstations (& Servers)

  • Patch quickly, especially privilege escalation vulnerabilities.
  • Deploy security back-port patch (KB2871997).
  • Set the WDigest UseLogonCredential registry value to 0 (KB2871997; built in on Windows 8.1/2012R2+): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
  • Deploy workstation whitelisting (Microsoft AppLocker) to block code exec in user folders – home dir & profile path.
  • Deploy workstation app sandboxing technology (EMET) to mitigate application memory exploits (0-days).
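The WDigest bullet above and the "Send NTLMv2 response only. Refuse LM & NTLM" item in the general recommendations are both registry-backed settings that can be verified and, if needed, corrected on a host. The script below is an added example, not part of the original post or of Sean Metcalf's material; the registry paths and value names are the documented ones, and the only assumption is that you run it elevated on the host being checked.

```powershell
# Added example, not part of the original post: verify (and optionally apply) two
# registry settings from the checklist on the local host. Run elevated. For a fleet,
# push the same values through Group Policy instead of running this per machine.
$Checks = @(
    @{ Name     = 'WDigest UseLogonCredential (KB2871997)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value    = 'UseLogonCredential'
       Expected = 0 },
    @{ Name     = 'LAN Manager auth level: NTLMv2 only, refuse LM & NTLM'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'LmCompatibilityLevel'
       Expected = 5 }
)

function Test-HardeningValue {
    param([hashtable]$Check, [switch]$Remediate)
    # An absent value reads as $null and is reported as non-compliant so the setting is explicit
    $Current   = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue).($Check.Value)
    $Compliant = ($null -ne $Current) -and ($Current -eq $Check.Expected)
    if ((-not $Compliant) -and $Remediate) {
        if (-not (Test-Path $Check.Path)) { New-Item -Path $Check.Path -Force | Out-Null }
        New-ItemProperty -Path $Check.Path -Name $Check.Value -Value $Check.Expected -PropertyType DWord -Force | Out-Null
        $Current   = $Check.Expected
        $Compliant = $true
    }
    [pscustomobject]@{ Setting = $Check.Name; Current = $Current; Expected = $Check.Expected; Compliant = $Compliant }
}

$Remediate = $false   # set to $true to write the expected values
$Checks | ForEach-Object { Test-HardeningValue -Check $_ -Remediate:$Remediate } | Format-Table -AutoSize

# The WDigest value only has an effect on Windows 7/8/2008 R2/2012 once KB2871997 is
# installed; on 8.1/2012 R2 and later the behaviour ships in the OS.
if ([Environment]::OSVersion.Version -lt [version]'6.3') {
    if (-not (Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)) {
        Write-Warning 'KB2871997 is not installed: the WDigest value above will not be honoured until it is.'
    }
}
```

After changing UseLogonCredential, a reboot (or at least a fresh logon) is needed before LSASS stops caching cleartext credentials for sessions that already exist. Setting LmCompatibilityLevel to 5 on a domain controller will break any client or device still limited to LM/NTLMv1, so audit NTLM usage (the NTLM auditing policies under Network Security) before enforcing it domain-wide.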

Logging

  • Enable enhanced auditing: “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”.
  • Enable PowerShell module logging (“*”) & forward logs to central log server (WEF or other method).
  • Enable CMD Process logging & enhancement (KB3004375) and forward logs to central log server.
  • SIEM or equivalent to centralize as much log data as possible.
  • User Behavioural Analysis system for enhanced knowledge of user activity (such as Microsoft ATA).
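The first three logging bullets are local settings that can be applied and read back on a host before being rolled out by GPO. The script below is an added example, not part of the original post or of Sean Metcalf's material; the registry locations are the documented policy paths, the audit subcategory names are the English ones, and it assumes you run it elevated. Forwarding (WEF or a SIEM agent) is left to your collection infrastructure.

```powershell
# Added example, not part of the original post: apply the three local logging items
# from the list above (subcategory override, command line in process-creation events,
# PowerShell module logging for every module) and read the state back. Run elevated;
# in production push the same values by GPO and add a WEF subscription for forwarding.

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. "Audit: Force audit policy subcategory settings ... to override audit policy category settings"
Set-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'SCENoApplyLegacyAuditPolicy' 1
# With that in place, the subcategories are what count; enable the ones credential-theft
# detection relies on (4688 process creation, 4624/4625 logons, 4672 special privileges)
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Special Logon" /success:enable | Out-Null

# 2. KB3004375: include the command line in event 4688
Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled' 1

# 3. PowerShell module logging for every module ("*"); output lands in event 4103
$ModLog = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
Set-RegDword $ModLog 'EnableModuleLogging' 1
if (-not (Test-Path "$ModLog\ModuleNames")) { New-Item -Path "$ModLog\ModuleNames" -Force | Out-Null }
New-ItemProperty -Path "$ModLog\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Read-back so the result can be checked (or compared against a GPO baseline)
function Get-LoggingState {
    [pscustomobject]@{
        SubcategoryOverride = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').SCENoApplyLegacyAuditPolicy
        CmdLineIn4688       = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit').ProcessCreationIncludeCmdLine_Enabled
        ModuleLogging       = (Get-ItemProperty $ModLog).EnableModuleLogging
        ProcessCreation     = (auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv).'Inclusion Setting'
    }
}
Get-LoggingState
```

Without step 1, a legacy category setting in a GPO can silently reset the subcategories you enable in step 2, which is why the checklist lists the override first. Command-line logging in 4688 records whatever was typed, including any passwords passed as arguments, so the central log store it is forwarded to needs the same access controls as the systems that produced it.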

Security Pro’s Checks

  • Identify who has AD admin rights (domain/forest).
  • Identify who can logon to Domain Controllers (& admin rights to virtual environment hosting virtual DCs).
  • Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions.
  • Ensure AD admins (aka Domain Admins) protect their credentials by not logging into untrusted systems (workstations).
  • Limit service account rights that are currently DA (or equivalent).
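The third check above (scanning domains, OUs and AdminSDHolder for inappropriate custom permissions) is the one most often skipped because it needs code. The script below is an added example, not part of the original post or of Sean Metcalf's material; it requires the RSAT ActiveDirectory module (which provides the AD: drive), and the allow-list of principals is an assumption that you extend with your own delegation groups before reviewing whatever remains. GPO permissions are not included; the Group Policy module's Get-GPPermission covers those.

```powershell
# Added example, not part of the original post: scan the domain head, AdminSDHolder and
# every OU for Allow ACEs that grant write-class rights, or the two directory replication
# extended rights, to principals outside a small allow-list. Requires the RSAT
# ActiveDirectory module. The allow-list is an assumption; adjust it and review the rest.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
$NetBios  = $Domain.NetBIOSName

# Principals that legitimately hold write rights on these objects (assumption; adjust)
$Expected = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'NT AUTHORITY\SELF',
    "$NetBios\Domain Admins", "$NetBios\Enterprise Admins", "$NetBios\Domain Controllers",
    "$NetBios\Enterprise Read-only Domain Controllers", "$NetBios\Key Admins", "$NetBios\Enterprise Key Admins"
)

# Rights that let a principal change the object or its security descriptor
$WriteRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight'
# Replication extended rights by their well-known GUIDs; on the domain head these
# allow reading every account secret, so any unexpected holder is a critical finding
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

$Targets = @($DomainDN, "CN=AdminSDHolder,CN=System,$DomainDN") +
           @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$Findings = foreach ($DN in $Targets) {
    $Acl = Get-Acl -Path "AD:\$DN"
    foreach ($Ace in $Acl.Access) {
        if ($Ace.AccessControlType -ne 'Allow') { continue }
        if ($Expected -contains $Ace.IdentityReference.Value) { continue }
        $Repl = $ReplRights[$Ace.ObjectType.ToString()]
        $Hit  = ($Ace.ActiveDirectoryRights.ToString() -split ',\s*') | Where-Object { $WriteRights -contains $_ }
        if ((-not $Hit) -and (-not $Repl)) { continue }
        $Rights = if ($Repl) { $Repl } else { $Ace.ActiveDirectoryRights.ToString() }
        [pscustomobject]@{
            Object    = $DN
            Principal = $Ace.IdentityReference.Value   # an unresolved SID here means an orphaned ACE
            Rights    = $Rights
            Inherited = $Ace.IsInherited
        }
    }
}

$Findings | Sort-Object Object, Principal | Format-Table -AutoSize
```

AdminSDHolder deserves the closest look: whatever ACL it carries is copied to every protected account and group by the SDProp process, so a single stray write ACE there becomes a persistent right over all of them. Run the scan on a schedule and diff the output, because the value is in spotting a new ACE shortly after it appears rather than in the first baseline.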

Credit: Sean Metcalf (@Pyrotek3), s e a n [@] TrimarcSecurity.com, www.ADSecurity.org

Detailed References:

• Active Directory Domains and Trusts

https://technet.microsoft.com/en-us/library/cc770299.aspx

• Understanding Trusts

https://technet.microsoft.com/en-us/library/cc736874(v=ws.10).aspx

• Trust Types

https://technet.microsoft.com/en-us/library/cc775736(v=ws.10).aspx

• Active Directory Replication Overview

https://technet.microsoft.com/en-us/library/cc961788.aspx

• How Active Directory Replication Topology Works

https://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx

• How the Active Directory Replication Model Works

https://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx

• Group Policy Basics

http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/13/understanding-the-structure-of-a-group-policy-object.aspx

• Optimizing Group Policy Performance

https://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx

• Organizational Units

https://technet.microsoft.com/en-us/library/cc758565(v=ws.10).aspx

• Organizational Unit Design

http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Crash-Course-Active-Directory-Organizational-Unit-Design.html

• How DNS Support for Active Directory Works

https://technet.microsoft.com/en-us/library/cc759550(v=ws.10).aspx

• Active Directory-Integrated DNS

https://technet.microsoft.com/en-us/library/cc978010.aspx

• Understanding DNS Zone Replication in Active Directory Domain Services

https://technet.microsoft.com/en-us/library/cc772101.aspx

• What is an RODC?

https://technet.microsoft.com/en-us/library/cc771030(v=ws.10).aspx

• AD DS: Read-Only Domain Controllers

https://technet.microsoft.com/en-us/library/cc732801(v=ws.10).aspx

• Read-Only Domain Controllers Step-by-Step Guide

https://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx

• Service Principal Names (SPNs) Overview

https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx

https://technet.microsoft.com/en-us/library/cc961723.aspx

http://blogs.technet.com/b/qzaidi/archive/2010/10/12/quickly-explained-service-principal-name-registration-duplication.aspx

• Register a Service Principal Name for Kerberos Connections

https://msdn.microsoft.com/en-us/library/ms191153.aspx

• Active Directory Reading Library

https://adsecurity.org/?page_id=41

• Read-Only Domain Controller (RODC) Information

https://adsecurity.org/?p=274

• Active Directory Recon Without Admin Rights

https://adsecurity.org/?p=2535

• Mining Active Directory Service Principal Names

http://adsecurity.org/?p=230

• SPN Directory

http://adsecurity.org/?page_id=183

• MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege

http://adsecurity.org/?tag=ms14068

• Securing Active Directory – An Overview of Best Practices

https://technet.microsoft.com/en-us/library/dn205220.aspx

• Microsoft Enhanced security patch KB2871997

http://adsecurity.org/?p=559

• Tim Medin’s DerbyCon 2014 presentation: “Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades”

https://www.youtube.com/watch?v=PUyhlN-E5MU

• Microsoft: Securing Privileged Access Reference Material

https://technet.microsoft.com/en-us/library/mt631193.aspx

• Mimikatz

https://adsecurity.org/?page_id=1821

• Attack Methods for Gaining Domain Admin Rights in Active Directory

https://adsecurity.org/?p=2362

• Microsoft Local Administrator Password Solution (LAPS)

https://adsecurity.org/?p=1790

• The Most Common Active Directory Security Issues and What You Can Do to Fix Them

https://adsecurity.org/?p=1684

• How Attackers Dump Active Directory Database Credentials

https://adsecurity.org/?p=2398

• Sneaky Active Directory Persistence Tricks

https://adsecurity.org/?p=1929

 
