
By: manishp
September 7, 2016
Active Directory Security Checks
So again, this is a recreation, with little modification, of work from Sean Metcalf's (@Pyrotek3) recent Black Hat talk, which discusses in detail the AD security checks to be performed to raise the security level of the complete setup. I just collated all the points in one place to make them easy to implement.
General Recommendations
- Manage local Administrator passwords (LAPS).
- Implement RDP Restricted Admin mode (as needed).
- Remove unsupported OSs from the network.
- Monitor scheduled tasks on sensitive systems (DCs, etc.).
- Ensure that OOB management passwords (DSRM) are changed regularly & securely stored.
- Use SMB v2/v3+
- Default domain Administrator & KRBTGT password should be changed every year & when an AD admin leaves.
- Remove trusts that are no longer necessary & enable SID filtering as appropriate.
- All domain authentications should be set (when possible) to: “Send NTLMv2 response only. Refuse LM & NTLM.”
- Block internet access for DCs, servers, & all administration systems.
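Three of the items above (yearly KRBTGT and default Administrator password rotation, unsupported operating systems still joined to the domain, and trusts with SID filtering) can be verified from the domain with the RSAT ActiveDirectory module. The script below is an added example, not code from the original post or from Sean Metcalf's talk; it assumes the ActiveDirectory module is installed and the caller can read the domain, and the default OS pattern is an assumption for 2016 that should be replaced with your own end-of-support list.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory module
# and an account with read access to the domain.
Import-Module ActiveDirectory

function Get-WellKnownAccountPasswordAge {
    # KRBTGT (RID 502) and the built-in Administrator (RID 500) are looked up by
    # SID, so a renamed Administrator account is still found.
    param([int]$MaxAgeDays = 365)   # "changed every year"
    $domainSid = (Get-ADDomain).DomainSID.Value
    foreach ($rid in 500, 502) {
        $acct    = Get-ADUser -Identity "$domainSid-$rid" -Properties PasswordLastSet
        $ageDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
        [pscustomobject]@{
            Account         = $acct.SamAccountName
            PasswordLastSet = $acct.PasswordLastSet
            AgeDays         = $ageDays
            Status          = if ($ageDays -gt $MaxAgeDays) { 'ROTATE' } else { 'OK' }
        }
    }
}

function Get-UnsupportedOsComputers {
    # Enabled computer objects whose OperatingSystem matches the pattern.
    # The default pattern is an assumption; maintain your own end-of-support list.
    param([string]$Pattern = 'Windows (2000|XP|Server 2003)')
    Get-ADComputer -Filter { Enabled -eq $true } -Properties OperatingSystem, LastLogonDate |
        Where-Object { $_.OperatingSystem -match $Pattern } |
        Select-Object Name, OperatingSystem, LastLogonDate
}

function Get-TrustSidFilteringReport {
    # Raw trust flags for review. SIDFilteringQuarantined = True is the quarantined
    # (SID-filtered) state for external trusts; check forest trusts by hand because
    # their flag semantics differ. Trusts nobody can explain are candidates for removal.
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                      SIDFilteringQuarantined, SIDFilteringForestAware
}

Get-WellKnownAccountPasswordAge | Format-Table -AutoSize
Get-UnsupportedOsComputers     | Format-Table -AutoSize
Get-TrustSidFilteringReport    | Format-Table -AutoSize
```

Run it from a management workstation rather than a domain controller; none of the three functions changes anything, so it is safe to schedule and diff the output over time.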
Protect Admin Credentials
- No “user” or computer accounts in admin groups.
- Ensure all admin accounts are “sensitive & cannot be delegated”.
- Add admin accounts to “Protected Users” group (requires Windows Server 2012 R2 Domain Controllers, 2012R2 DFL for domain protection).
- Disable all inactive admin accounts and remove from privileged groups.
Protect AD Admin Credentials
- Limit AD admin membership (DA, EA, Schema Admins, etc.) & only use custom delegation groups.
- ‘Tiered’ Administration mitigating credential theft impact.
- Ensure admins only logon to approved admin workstations & servers.
- Leverage time-based, temporary group membership for all admin accounts.
Protect Service Account Credentials
- Limit to systems of the same security level.
- Leverage “(Group) Managed Service Accounts” (or PW >20 characters) to mitigate credential theft (kerberoast).
- Implement FGPP (DFL >= 2008) to increase PW requirements for SAs and administrators.
- Logon restrictions - prevent interactive logon & limit logon capability to specific computers.
- Disable inactive SAs & remove from privileged groups.
Protect Resources
- Segment network to protect admin & critical systems.
- Deploy IDS to monitor the internal corporate network.
- Network device & OOB management on separate network.
Protect Domain Controllers
- Only run software & services to support AD.
- Minimal groups (& users) with DC admin/logon rights.
- Ensure patches are applied before running DCPromo (especially MS14-068 and other critical patches).
- Validate scheduled tasks & scripts.
Protect Workstations (& Servers)
- Patch quickly, especially privilege escalation vulnerabilities.
- Deploy security back-port patch (KB2871997).
- Set WDigest reg key to 0 (KB2871997/Windows 8.1/2012R2+): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
- Deploy workstation whitelisting (Microsoft AppLocker) to block code exec in user folders - home dir & profile path.
- Deploy workstation app sandboxing technology (EMET) to mitigate application memory exploits (0-days).
Logging
- Enable enhanced auditing:
  - “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
- Enable PowerShell module logging (“*”) & forward logs to central log server (WEF or other method).
- Enable CMD Process logging & enhancement (KB3004375) and forward logs to central log server.
- SIEM or equivalent to centralize as much log data as possible.
- User Behavioural Analysis system for enhanced knowledge of user activity (such as Microsoft ATA).
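Most of the host-level items in the Protect Workstations (& Servers) and Logging sections are backed by a registry value, so one table-driven script can audit them and, on request, set them. The script below is an added example, not code from the original post; the registry paths and value names are those documented by Microsoft for each setting (WDigest UseLogonCredential from KB2871997, ProcessCreationIncludeCmdLine_Enabled from KB3004375, LmCompatibilityLevel 5 for "Send NTLMv2 response only. Refuse LM & NTLM", DisableRestrictedAdmin 0 to allow RDP Restricted Admin, SMB1 0 to disable the SMBv1 server, and the PowerShell ModuleLogging policy keys). It assumes an elevated session on the host being checked; on domain-joined machines these values should come from Group Policy, and the script then just verifies the result.

```powershell
# Added example (not from the original post): audit, and with -Remediate set,
# the registry-backed settings behind the workstation and logging items above.
function Test-HostHardening {
    [CmdletBinding()]
    param([switch]$Remediate)

    $checks = @(
        # --- Protect Workstations (& Servers) ---
        @{ Item = 'WDigest keeps no cleartext creds in LSASS (KB2871997); set 0 explicitly'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
           Name = 'UseLogonCredential'; Expected = 0 }
        @{ Item = 'NTLM: "Send NTLMv2 response only. Refuse LM & NTLM" (level 5)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Name = 'LmCompatibilityLevel'; Expected = 5 }
        @{ Item = 'RDP Restricted Admin mode allowed (0 = enabled; only where needed)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Name = 'DisableRestrictedAdmin'; Expected = 0 }
        @{ Item = 'SMBv1 server disabled so clients negotiate SMB v2/v3'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Name = 'SMB1'; Expected = 0 }
        # --- Logging ---
        @{ Item = 'Audit subcategory settings override category settings'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Name = 'SCENoApplyLegacyAuditPolicy'; Expected = 1 }
        @{ Item = 'PowerShell module logging enabled'
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
           Name = 'EnableModuleLogging'; Expected = 1 }
        @{ Item = 'PowerShell module logging covers every module ("*")'
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
           Name = '*'; Expected = '*' }
        @{ Item = 'Process creation events (4688) include the command line (KB3004375)'
           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
           Name = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = 1 }
    )

    foreach ($c in $checks) {
        # RegistryKey.GetValue() is a literal lookup, so the value named "*" is read as-is
        # (Get-ItemProperty -Name would treat "*" as a wildcard).
        $key    = Get-Item -Path $c.Path -ErrorAction SilentlyContinue
        $actual = if ($key) { $key.GetValue($c.Name) } else { $null }
        $ok     = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
        if (-not $ok -and $Remediate) {
            if (-not $key) { New-Item -Path $c.Path -Force | Out-Null }
            $type = if ($c.Expected -is [string]) { 'String' } else { 'DWord' }
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type $type
            $actual = $c.Expected; $ok = $true
        }
        [pscustomobject]@{
            Item     = $c.Item
            Setting  = "$($c.Path)\$($c.Name)"
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '<absent>' } else { $actual }
            Status   = if ($ok) { 'OK' } else { 'FIX' }
        }
    }

    # The Process Creation subcategory must be on for 4688 to be written at all.
    # auditpol /r emits CSV, which ConvertFrom-Csv turns into objects.
    $row = auditpol /get /subcategory:"Process Creation" /r 2>$null | ConvertFrom-Csv
    $on  = $row -and ($row.'Inclusion Setting' -match 'Success')
    if (-not $on -and $Remediate) {
        auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
        $on = $true
    }
    [pscustomobject]@{
        Item     = 'Audit Process Creation (success) enabled'
        Setting  = 'auditpol /subcategory:"Process Creation"'
        Expected = 'Success'
        Actual   = if ($row) { $row.'Inclusion Setting' } else { '<unavailable>' }
        Status   = if ($on) { 'OK' } else { 'FIX' }
    }
}

Test-HostHardening | Format-Table -AutoSize -Wrap
```

An absent value is reported as FIX on purpose: on Windows 8.1/2012 R2 an absent UseLogonCredential already means off, but on older systems with KB2871997 it must be set to 0 explicitly, and the checklist asks for that anyway. Forwarding the resulting 4688 and PowerShell 4103 events to the central log server is a separate WEF/SIEM configuration step not covered here.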
Security Pro's Checks
- Identify who has AD admin rights (domain/forest).
- Identify who can logon to Domain Controllers (& admin rights to virtual environment hosting virtual DCs).
- Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions.
- Ensure AD admins (aka Domain Admins) protect their credentials by not logging into untrusted systems (workstations).
- Limit service account rights that are currently DA (or equivalent).
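The Protect Admin Credentials, Protect Service Account Credentials and Security Pro's Checks sections all come down to one pass over the high-privilege groups: who is in them, whether each member is marked sensitive and cannot be delegated, whether it is in Protected Users, whether it is inactive or disabled but still a member, whether it is a computer account, and whether it is really a service account (has an SPN) holding DA-level rights. The script below is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, the default group list is a reasonable starting set rather than an exhaustive one, and the 90-day inactivity threshold is an assumption.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory module
# and read access to the domain.
Import-Module ActiveDirectory

function Get-PrivilegedAccountFindings {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators', 'Backup Operators',
                              'Server Operators'),
        [int]$InactiveDays = 90   # assumption: tune to your own policy
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # Protected Users only exists with a 2012 R2 schema; its DN is needed to test membership.
    $protectedUsersDn = (Get-ADGroup -Filter 'Name -eq "Protected Users"').DistinguishedName

    foreach ($groupName in $Groups) {
        # Enterprise/Schema Admins exist only in the forest root; skip groups this domain lacks.
        $group = Get-ADGroup -Filter "Name -eq '$groupName'"
        if (-not $group) { continue }

        # -Recursive expands nested groups, so only leaf principals come back.
        foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
            $findings = @()
            if ($member.objectClass -eq 'computer') {
                $findings += 'computer account in admin group'
            }
            elseif ($member.objectClass -eq 'user') {
                $u = Get-ADUser -Identity $member.distinguishedName -Properties `
                        AccountNotDelegated, LastLogonDate, ServicePrincipalName, MemberOf, Enabled
                if (-not $u.AccountNotDelegated) {
                    $findings += 'not marked "sensitive and cannot be delegated"'
                }
                if ($protectedUsersDn -and ($u.MemberOf -notcontains $protectedUsersDn)) {
                    $findings += 'not in Protected Users'
                }
                if (-not $u.Enabled) {
                    $findings += 'disabled but still in privileged group'
                }
                elseif (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
                    $findings += "inactive > $InactiveDays days"
                }
                if ($u.ServicePrincipalName.Count -gt 0) {
                    $findings += 'has SPN: service account with admin rights (kerberoast exposure)'
                }
            }
            # gMSA objects (objectClass msDS-GroupManagedServiceAccount) fall through with
            # no findings: their passwords are managed, which is what the checklist asks for.
            if ($findings) {
                [pscustomobject]@{
                    Group    = $group.Name
                    Member   = $member.SamAccountName
                    Class    = $member.objectClass
                    Findings = $findings -join '; '
                }
            }
        }
    }
}

Get-PrivilegedAccountFindings | Sort-Object Group, Member | Format-Table -AutoSize -Wrap
```

Accounts with an SPN in Domain Admins are the ones to move first: replace them with a (group) Managed Service Account or a 20+ character password and a custom delegation group, then remove them from DA. Rights to the virtualisation hosts that run virtual DCs are outside AD and have to be checked on the hypervisor's own admin groups.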
Reference Material
• Active Directory Domains and Trusts
https://technet.microsoft.com/en-us/library/cc770299.aspx
• Understanding Trusts
https://technet.microsoft.com/en-us/library/cc736874(v=ws.10).aspx
• Trust Types
https://technet.microsoft.com/en-us/library/cc775736(v=ws.10).aspx
• Active Directory Replication Overview
https://technet.microsoft.com/en-us/library/cc961788.aspx
• How Active Directory Replication Topology Works
https://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx
• How the Active Directory Replication Model Works
https://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx
• Group Policy Basics
https://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/13/understanding-the-structure-of-a-group-policy-object.aspx
• Optimizing Group Policy Performance
https://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx
• Organizational Units
https://technet.microsoft.com/en-us/library/cc758565(v=ws.10).aspx
• Organizational Unit Design
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Crash-Course-Active-Directory-Organizational-Unit-Design.html
• How DNS Support for Active Directory Works
https://technet.microsoft.com/en-us/library/cc759550(v=ws.10).aspx
• Active Directory-Integrated DNS
https://technet.microsoft.com/en-us/library/cc978010.aspx
• Understanding DNS Zone Replication in Active Directory Domain Services
https://technet.microsoft.com/en-us/library/cc772101.aspx
• What is an RODC?
https://technet.microsoft.com/en-us/library/cc771030(v=ws.10).aspx
• AD DS: Read-Only Domain Controllers
https://technet.microsoft.com/en-us/library/cc732801(v=ws.10).aspx
• Read-Only Domain Controllers Step-by-Step Guide
https://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx
• Service Principal Names (SPNs) Overview
https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx
https://technet.microsoft.com/en-us/library/cc961723.aspx
http://blogs.technet.com/b/qzaidi/archive/2010/10/12/quickly-explained-service-principal-name-registration-duplication.aspx
• Register a Service Principal Name for Kerberos Connections
https://msdn.microsoft.com/en-us/library/ms191153.aspx
• Active Directory Reading Library
https://adsecurity.org/?page_id=41
• Read-Only Domain Controller (RODC) Information
https://adsecurity.org/?p=274
• Active Directory Recon Without Admin Rights
https://adsecurity.org/?p=2535
• Mining Active Directory Service Principal Names
http://adsecurity.org/?p=230
• SPN Directory:
http://adsecurity.org/?page_id=183
• MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege
http://adsecurity.org/?tag=ms14068
• Securing Active Directory – An Overview of Best Practices
https://technet.microsoft.com/en-us/library/dn205220.aspx
• Microsoft Enhanced security patch KB2871997
http://adsecurity.org/?p=559
• Tim Medin’s DerbyCon 2014 presentation: “Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades”
https://www.youtube.com/watch?v=PUyhlN-E5MU
• Microsoft: Securing Privileged Access Reference Material
https://technet.microsoft.com/en-us/library/mt631193.aspx
• Mimikatz
https://adsecurity.org/?page_id=1821
• Attack Methods for Gaining Domain Admin Rights in Active Directory
https://adsecurity.org/?p=2362
• Microsoft Local Administrator Password Solution (LAPS)
https://adsecurity.org/?p=1790
• The Most Common Active Directory Security Issues and What You Can Do to Fix Them
https://adsecurity.org/?p=1684
• How Attackers Dump Active Directory Database Credentials
https://adsecurity.org/?p=2398
• Sneaky Active Directory Persistence Tricks
https://adsecurity.org/?p=1929