Many firms are still firmly in an Active Directory (AD) world. They may have moved some applications to the cloud, but key line-of-business applications still use AD. Do you remember the last time you reviewed your Active Directory security posture? Microsoft has not kept up to date with its Best practices for Securing Active Directory web page, as parts of it have warnings that it hasn’t been updated since 2013. Fortunately, other resources are available for those in need of guidance in protecting and hardening AD. Here are some of the sites that I follow and provide excellent guidance:
Active Directory Security
First and foremost is Sean Metcalf’s Active Directory Security blog. If you are lucky enough to catch his talks in person, you will find that they are full of tips and explanations of how attacks occur and what you can do now to protect your network. Several months ago, Metcalf and some colleagues recorded a webinar on the top ten ways to improve Active Directory security that can be done quickly to protect Active Directory.
Those recommendations include reviewing AD administrative group membership regularly and removing any inactive accounts. While they indicate that annual password changes should be enforced, I’d argue that you should also deploy multi-factor authentication on those administrative accounts. Restrict accounts that are allowed to add workstations. With all the tools we have to deploy workstations, there is no need to leave SeMachineAccountPrivilege at the default value, which allows users to add computer accounts. Attackers can abuse this to gain more access to a network. The speakers also recommend that you review accounts that have unconstrained delegation and remove any with no associated Kerberos SPN.
One item that we may forget to check is to minimize services on domain controllers and outward facing servers. Attackers often start with a workstation entry point and then use services such as a print spooler to gain more access. Limit the print spooler service to run only on those workstations and servers that need the service running.
Review what processes you and consultants use to manage the network. If remote desktop services is used on a regular basis, use the native Windows firewall to limit who can and cannot log into the network, and ensure you have implemented a group policy object blocking local administrator accounts from logging in over the network.
Next, start a project to encourage safer processes for remote management. You can use Remote Server Administration Tools (RSAT) along with Windows Admin Center (WAC). WAC also prepares your network administrators to manage cloud properties from the same platform.
If you need to learn more about Active Directory basics, read hackndo. This blog covers such concepts as Kerberoasting and NTLM relay.
Dirk-jan Mollema is another blogger who provides deep dives into AD topics. He’s also an excellent resource on Azure Active Directory and recently presented at the Black Hat security conference on backdooring and hijacking Azure AD accounts by abusing external identities.
Microsoft 365 Security
Another excellent resource I recommend you bookmark is Huy’s blog on Microsoft 365 security. He has an excellent resource on recovering an Active Directory after it’s been compromised. If you have never rebuilt an AD instance after an attack, count yourself both lucky. Your firm will probably need to it perform at some point. I recommend that your technology teams perform these “what if” exercises.
Backdoors and Breaches
If you need guidance to perform tabletop exercises, I recommend the Black Hills Information Security card game called Backdoors and Breaches. Using the card deck, you can prepare a scenario with a variety of attacks that could occur in your organization. The cards include resources as well as recommendations for detection and tools used.
Practical 365 and SpecterOps
Another resource that I recommend that includes resources for both Active Directory and Azure AD is the Practical 365 blog, which is run by consultants who specialize in Exchange, AD and Microsoft 365. The SpecterOps blog is another site that provides guidance on prevention and hunting techniques against Active Directory.
Ideally you have the resources to hire a pen-testing firm to see if your AD domain is vulnerable to attack. If you are budget constrained, there are tools you can use to perform an analysis of your firm’s Active Directory. One such tool is Purple Knight, which has been enhanced to include guidance for both Active Directory as well as Azure AD. Below is a sample Purple Knight security assessment report.
You can review your domain and find that you may be subject to attacks such as PetitPotam, which takes advantage of a flaw in AD Certificate Services Web Enrollment that enables NTLM relay attacks to authenticate as a privileged user. The tool points to actionable guidance from Microsoft to mitigate the issue.
The tool reviews what forest level you have in your network and recommends that you, “Ensure that your AD domains are running at the highest functional level available for your OS version to ensure access to the latest security improvements. Also, consider upgrading the OS to 2012-R2 or above, as new functional levels are available.” Too often when migrating our domain controllers to newer platforms, we raise the forest level to the bare minimum to perform the migration and do not investigate if we can increase the forest and domain functional levels. Investigate the recommendations and guidance from the tool as it points out several weaknesses that attackers can easily use to gain access to your network.
Active Directory is still alive and quite well in our domains. Use these resources to make it harder for the attacker to gain the access they want.
Copyright © 2022 IDG Communications, Inc.