SlideShare a Scribd company logo

Developing a Secure Active Directory

N
Nathan Buuck

This document provides tips and best practices for securing an Active Directory environment, including mitigating pass-the-hash attacks, restricting privileged user access, enabling Kerberos authentication, running an enterprise CA, disabling anonymous access, implementing security monitoring, using read-only domain controllers, backing up data, auditing the environment, and staying informed of the latest threats. It discusses technical approaches for hardening Active Directory against common attacks while maintaining usability.

1 of 23
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Securing Your Data in an Open World Developing a Secure Active Directory
INTRODUCTION
Agenda Risks Mitigations ValidationandAuditing TipsfromtheField
PASS THE HASH Convenienceof SSOat cost of additional risk. What makesa“hash” inthiscontext? h= 𝑓(𝑥) PredatesWindowsNT3.1but still verymuchapplicabletoday. Astolenhashcreatesthepotential for impersonation. Astolenhashinheritsanyauthorizationsgrantedtotheaccount.
PASS THE HASH BASIC SCENARIO BoblogsontoCORPBOB-E550. WindowsSAMstoreshishashinkernel memory. AlicelogsonremotelytoBOB-E550. Aliceisamember of BUILTINAdministrators. Aliceperformsamemorydumpof BOB-E550fromanelevatedprocess. Aliceexfiltratesthememorydumptoher workstationusingSMB. AliceextractsBob’shashfromthememorydumpoffline.
PASS THE HASH BASIC LESSONS Limitingopportunitiesfor untrustedprocessestoelevateisimportant. User AccessControl (UAC) isafirst lineof defense. What if BobwasaDomainAdmin? If Alicehaslocal admin, doyoutrust AliceenoughtoseeeverythinginRAMonthat system. If wecan’t protect auser’sidentity, theconcept of identityor authenticationonour networkisweakened.
PASS THE HASH CROSS-SYSTEM PC-AandPC-Bbothhavealocal user named“helpdeskadmin” Theplaintext passwordfor .helpdeskadminisTr1viAl&triNg. Theequivalent hashfor theaccount isthesameonbothmachines. Acompromiseof thehashbyaprocessonPC-Acanbeusedtoattackanyother Windowshost that hasthat sameusernameandpasswordcombination, evenwithout knowledgeof theplaintext password.
PASS THE HASH CROSS-SYSTEM LESSONS Again, processelevationcreatestheopportunity. Diversificationof local user passwordsacrossmachinesisimportant. SeeMSKB3062591: Local Administrator PasswordSolution(LAPS) Bewareprevioussolutions; not all similar solutionsusesecurecommunicationsfor storingthelocal adminpassword. Restrict remotelogonof local accountswhereit isn’t needed.
PASS THE HASH RECENT DEVELOPMENTS Windows10/Server 2016introducesIsolatedUser Mode. StoreNTLMhashesinavirtualizedmicro-kernel. Hypervisor executingthemicro-kernel actsasagatekeeper. Limitedimplementationdetailsavailable. Concernsof howmuchprotectionthisreallyprovides. Ultimately, will needtobeauditedandtestedbeforeweknow.
LANMAN and NTLM For compatibility, ADcanstill communicateusingLMor NTLM. Bothhaveknownandeasytoexploit weaknesses. Allowingolder protocolscreatesopportunityfor downgradeattacks. Similar toSSL/TLSdowngradeattackspopular in2014. GroupPolicycanbeusedtorestrict or eliminateuseof NTLM.
LMv1 and NTLMv1 Source: SANS Digital Forensics http://bit.ly/1JXjuuG
PRIVILEGED GROUPS AND USERS BEST PRACTICES DisableBUILTINAdministrator. Disablenetworklogonfor thelocal administrator account . Donot performday-to-dayactivities aswithyour adminaccount. Donot keepusersinEnterpriseor SchemaAdmins. Donot logontoclient systemswithprivilegednetworkaccounts. Don’t disablepasswordexpirationonprivilegedaccounts. Don’t useDomainAdminasashortcut for domain-wideneeds.
KERBEROS Providesenhancedauthenticationarchitectureandcryptography. Not aPass-the-Hashmitigation; seePass-the-Ticket. Keepingyour entireWindowsenvironment patchediskeytomaintainingasecure Kerberosenvironment. Vectorsexist whereKerberostickets areforged; SeeMS14-068. Kerberos, likeanymanyprotocols, requiresiterationtoimproveitssecurityandso wemustpatch.
Source: SANS Digital Forensics http://bit.ly/1JXjuuG
ENTERPRISE CA WhyrunanEnterpriseCA? For existingWindowsCAs, implicationsof SHA-1deprecation. http://bit.ly/mscasha1to2 AWindowsCAisnot fire-and-forget; it needsmaintenance, too.
ANONYMOUS BINDS & ENUM EnabledonmanydomainsupgradedfromNT/Server 2000. Anonymousbindoff bydefault inServer 2003andlater for newdomains. Easyintelligencesourcefor hostileactors. For binds, modifydsHeuristicsobject inaneditor likeADSI. For enumeration, aGroupPolicysettingexists. Canimpact pre-2000clientsanddomaintrust functionality. Needtounderstandwhat reliesonanonymousaccesstoday. Maynot befeasibletodisable; part of thehardeningprocess.
MONITORING Whenactivedefensefails, apassiveapproachcanhelp. Changestoprivilegedgroups(integritymonitoring). InvalidattributesinKerberosrequests. Presenceof NTLMautheventsSecuritylog. Statistical anomalies(Fail Audit volume, request volume, lockouts). SecurityInformationandEvent Management productsexist for this. AD/ NTFSAuditingisextremelyvaluableif configuredwell.
READ-ONLY DCs ManyassociateRODCs withbranchofficesor poor connectivity. Anoptionfor providingLDAPdatainpotentiallyhostileor untrustedenvironments: Lowphysical security. Multi-tenant environments. Canrestrict thereplicationof passwordhashestoRODCs. Why?Offlineattacksafter physical loss. Bythesametoken, must physicallysecurewriteableDCs’ disksandtheirbackups.
DATA PROTECTION Not anactiveprotection, but likeanydata, abackupisequallycritical. Whilenot exactlyasecuritytopic, it isoftenoverlooked. It’snot enoughtosnapshot your virtual DCs. Infact, it’sdangerousif theDCisanythingolder than2012R2. AWindowsSystemStatebackupof anyDCwill backuptheADdatabase. Several agent-basedbackupproductscancapturethesystemstate.
AUDIT AND VALIDATION All of thesemeasuresarehelpful, but lessmeaningful without validation. Thirdpartyfirms. Microsoft Consultingopportunities. SaaSvulnerabilityscanningservices. In-housetesting(MBSA).
OTHER TIPS EnforceCTRL+ALT+DELasthesecurekeystrokeonclients. Avoidusingwebbrowsersonservers. Inspect softwarethoroughlybeforeexecutingonaserver. Don’t disabletheWindowsFirewall. Don’t disableUAConanyWindowssystemsif it canbeavoided.
STAY INFORMED Attendsecuritysessionsat conferences(MSIgnite, VMworld, etc). EngagewithanITsecurityprovider whereit makessensefor you. Monitor consistent, well-maintainedsources: US-CERT(us-cert.gov) SANSISC(isc.sans.edu) andThreat Level status. Microsoft Technical SecurityNotifications(http://bit.ly/mssecnot) Talkabout securitywithinyour organizations.
Thank You

More Related Content

ODP
Virtually Pwned
Claudio Criscione
 
PPTX
Anatomy of Exploit Kits
securityxploded
 
PDF
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 
PPT
На страже ваших денег и данных
Positive Hack Days
 
PDF
Внедрение безопасности в веб-приложениях в среде выполнения
Positive Hack Days
 
PDF
Exploit development 101 - Part 1 - Null Singapore
Mohammed A. Imran
 
ODP
Open Source Security
wremes
 
PDF
How to secure web applications
Mohammed A. Imran
 
Virtually Pwned
Claudio Criscione
 
Anatomy of Exploit Kits
securityxploded
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 
На страже ваших денег и данных
Positive Hack Days
 
Внедрение безопасности в веб-приложениях в среде выполнения
Positive Hack Days
 
Exploit development 101 - Part 1 - Null Singapore
Mohammed A. Imran
 
Open Source Security
wremes
 
How to secure web applications
Mohammed A. Imran
 

What's hot (6)

PDF
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Rob Fuller
 
PDF
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
PPTX
Defeating public exploit protections (EMET v5.2 and more)
securityxploded
 
PPTX
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
PPTX
Random numbers
Positive Hack Days
 
PDF
Wordpress security
Mehmet Ince
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Rob Fuller
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
Defeating public exploit protections (EMET v5.2 and more)
securityxploded
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
Random numbers
Positive Hack Days
 
Wordpress security
Mehmet Ince
 
Ad

Similar to Developing a Secure Active Directory (20)

PDF
Securing Cassandra for Compliance
DataStax
 
PDF
Hardening cassandra q2_2016
zznate
 
PPT
How to configure esx to pass an audit
Concentrated Technology
 
PDF
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 
PDF
Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Peter Souter
 
PPT
Defending Against Attacks With Rails
Tony Amoyal
 
PDF
System Hardening Using Ansible
Sonatype
 
PDF
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
CODE BLUE
 
PDF
Technical Architecture of RASP Technology
Priyanka Aash
 
PPTX
Server hardening
Teja Babu
 
PPTX
Penetration Testing and Intrusion Detection System
Bikrant Gautam
 
PDF
今Serverlessが面白いわけ
Yoichi Kawasaki
 
PDF
Dynamic Database Credentials: Security Contingency Planning
Sean Chittenden
 
PDF
Pentesting RESTful webservices
Mohammed A. Imran
 
PDF
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
Scott Sutherland
 
PDF
Gartner Security & Risk Management Summit 2018
Paula Januszkiewicz
 
PDF
Two Years, Zero servers: Lessons learned from running a startup 100% on Serve...
Cloud Native Day Tel Aviv
 
PDF
There is No Server: Immutable Infrastructure and Serverless Architecture
Sonatype
 
PDF
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Kangaroot
 
PDF
How the antiviruses work
Dawid Golak
 
Securing Cassandra for Compliance
DataStax
 
Hardening cassandra q2_2016
zznate
 
How to configure esx to pass an audit
Concentrated Technology
 
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 
Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Peter Souter
 
Defending Against Attacks With Rails
Tony Amoyal
 
System Hardening Using Ansible
Sonatype
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
CODE BLUE
 
Technical Architecture of RASP Technology
Priyanka Aash
 
Server hardening
Teja Babu
 
Penetration Testing and Intrusion Detection System
Bikrant Gautam
 
今Serverlessが面白いわけ
Yoichi Kawasaki
 
Dynamic Database Credentials: Security Contingency Planning
Sean Chittenden
 
Pentesting RESTful webservices
Mohammed A. Imran
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
Scott Sutherland
 
Gartner Security & Risk Management Summit 2018
Paula Januszkiewicz
 
Two Years, Zero servers: Lessons learned from running a startup 100% on Serve...
Cloud Native Day Tel Aviv
 
There is No Server: Immutable Infrastructure and Serverless Architecture
Sonatype
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Kangaroot
 
How the antiviruses work
Dawid Golak
 
Ad

Developing a Secure Active Directory

  • 1. Securing Your Data in an Open World Developing a Secure Active Directory
  • 4. PASS THE HASH Convenienceof SSOat cost of additional risk. What makesa“hash” inthiscontext? h= 𝑓(𝑥) PredatesWindowsNT3.1but still verymuchapplicabletoday. Astolenhashcreatesthepotential for impersonation. Astolenhashinheritsanyauthorizationsgrantedtotheaccount.
  • 5. PASS THE HASH BASIC SCENARIO BoblogsontoCORPBOB-E550. WindowsSAMstoreshishashinkernel memory. AlicelogsonremotelytoBOB-E550. Aliceisamember of BUILTINAdministrators. Aliceperformsamemorydumpof BOB-E550fromanelevatedprocess. Aliceexfiltratesthememorydumptoher workstationusingSMB. AliceextractsBob’shashfromthememorydumpoffline.
  • 6. PASS THE HASH BASIC LESSONS Limitingopportunitiesfor untrustedprocessestoelevateisimportant. User AccessControl (UAC) isafirst lineof defense. What if BobwasaDomainAdmin? If Alicehaslocal admin, doyoutrust AliceenoughtoseeeverythinginRAMonthat system. If wecan’t protect auser’sidentity, theconcept of identityor authenticationonour networkisweakened.
  • 7. PASS THE HASH CROSS-SYSTEM PC-AandPC-Bbothhavealocal user named“helpdeskadmin” Theplaintext passwordfor .helpdeskadminisTr1viAl&triNg. Theequivalent hashfor theaccount isthesameonbothmachines. Acompromiseof thehashbyaprocessonPC-Acanbeusedtoattackanyother Windowshost that hasthat sameusernameandpasswordcombination, evenwithout knowledgeof theplaintext password.
  • 8. PASS THE HASH CROSS-SYSTEM LESSONS Again, processelevationcreatestheopportunity. Diversificationof local user passwordsacrossmachinesisimportant. SeeMSKB3062591: Local Administrator PasswordSolution(LAPS) Bewareprevioussolutions; not all similar solutionsusesecurecommunicationsfor storingthelocal adminpassword. Restrict remotelogonof local accountswhereit isn’t needed.
  • 9. PASS THE HASH RECENT DEVELOPMENTS Windows10/Server 2016introducesIsolatedUser Mode. StoreNTLMhashesinavirtualizedmicro-kernel. Hypervisor executingthemicro-kernel actsasagatekeeper. Limitedimplementationdetailsavailable. Concernsof howmuchprotectionthisreallyprovides. Ultimately, will needtobeauditedandtestedbeforeweknow.
  • 10. LANMAN and NTLM For compatibility, ADcanstill communicateusingLMor NTLM. Bothhaveknownandeasytoexploit weaknesses. Allowingolder protocolscreatesopportunityfor downgradeattacks. Similar toSSL/TLSdowngradeattackspopular in2014. GroupPolicycanbeusedtorestrict or eliminateuseof NTLM.
  • 11. LMv1 and NTLMv1 Source: SANS Digital Forensics http://bit.ly/1JXjuuG
  • 12. PRIVILEGED GROUPS AND USERS BEST PRACTICES DisableBUILTINAdministrator. Disablenetworklogonfor thelocal administrator account . Donot performday-to-dayactivities aswithyour adminaccount. Donot keepusersinEnterpriseor SchemaAdmins. Donot logontoclient systemswithprivilegednetworkaccounts. Don’t disablepasswordexpirationonprivilegedaccounts. Don’t useDomainAdminasashortcut for domain-wideneeds.
  • 13. KERBEROS Providesenhancedauthenticationarchitectureandcryptography. Not aPass-the-Hashmitigation; seePass-the-Ticket. Keepingyour entireWindowsenvironment patchediskeytomaintainingasecure Kerberosenvironment. Vectorsexist whereKerberostickets areforged; SeeMS14-068. Kerberos, likeanymanyprotocols, requiresiterationtoimproveitssecurityandso wemustpatch.
  • 14. Source: SANS Digital Forensics http://bit.ly/1JXjuuG
  • 15. ENTERPRISE CA WhyrunanEnterpriseCA? For existingWindowsCAs, implicationsof SHA-1deprecation. http://bit.ly/mscasha1to2 AWindowsCAisnot fire-and-forget; it needsmaintenance, too.
  • 16. ANONYMOUS BINDS & ENUM EnabledonmanydomainsupgradedfromNT/Server 2000. Anonymousbindoff bydefault inServer 2003andlater for newdomains. Easyintelligencesourcefor hostileactors. For binds, modifydsHeuristicsobject inaneditor likeADSI. For enumeration, aGroupPolicysettingexists. Canimpact pre-2000clientsanddomaintrust functionality. Needtounderstandwhat reliesonanonymousaccesstoday. Maynot befeasibletodisable; part of thehardeningprocess.
  • 17. MONITORING Whenactivedefensefails, apassiveapproachcanhelp. Changestoprivilegedgroups(integritymonitoring). InvalidattributesinKerberosrequests. Presenceof NTLMautheventsSecuritylog. Statistical anomalies(Fail Audit volume, request volume, lockouts). SecurityInformationandEvent Management productsexist for this. AD/ NTFSAuditingisextremelyvaluableif configuredwell.
  • 18. READ-ONLY DCs ManyassociateRODCs withbranchofficesor poor connectivity. Anoptionfor providingLDAPdatainpotentiallyhostileor untrustedenvironments: Lowphysical security. Multi-tenant environments. Canrestrict thereplicationof passwordhashestoRODCs. Why?Offlineattacksafter physical loss. Bythesametoken, must physicallysecurewriteableDCs’ disksandtheirbackups.
  • 19. DATA PROTECTION Not anactiveprotection, but likeanydata, abackupisequallycritical. Whilenot exactlyasecuritytopic, it isoftenoverlooked. It’snot enoughtosnapshot your virtual DCs. Infact, it’sdangerousif theDCisanythingolder than2012R2. AWindowsSystemStatebackupof anyDCwill backuptheADdatabase. Several agent-basedbackupproductscancapturethesystemstate.
  • 20. AUDIT AND VALIDATION All of thesemeasuresarehelpful, but lessmeaningful without validation. Thirdpartyfirms. Microsoft Consultingopportunities. SaaSvulnerabilityscanningservices. In-housetesting(MBSA).
  • 22. STAY INFORMED Attendsecuritysessionsat conferences(MSIgnite, VMworld, etc). EngagewithanITsecurityprovider whereit makessensefor you. Monitor consistent, well-maintainedsources: US-CERT(us-cert.gov) SANSISC(isc.sans.edu) andThreat Level status. Microsoft Technical SecurityNotifications(http://bit.ly/mssecnot) Talkabout securitywithinyour organizations.