Web directory

Recommended security resources for Microsoft Active Directory

Many companies are still firmly entrenched in an Active Directory (AD) world. They may have moved some applications to the cloud, but the core business applications are still using AD. Do you remember the last time you reviewed your Active Directory security posture? Microsoft hasn’t kept its Best Practices for Securing Active Directory web page up-to-date, as parts of it have warnings that it hasn’t been updated since 2013. Other resources are available for those who need advice on how to protect and strengthen UN D. Here are some of the sites I follow that provide great advice:

Active Directory Security

First, Sean Metcalf’s Active Directory Security blog. If you’re lucky enough to attend his talks in person, you’ll find they’re packed with advice and insight into how attacks happen and what you can do now to protect your network. Several months ago, Metcalf and a few colleagues recorded a webinar on the top ten ways to improve Active Directory security that can be done quickly to protect Active Directory.

These recommendations include regularly reviewing AD administration group membership and deleting all inactive accounts. Although they say annual password changes should be enforced, I would say you should also deploy multi-factor authentication on those administrative accounts. Restrict accounts allowed to add workstations. With all the tools we have for deploying workstations, there is no need to leave SeMachineAccountPrivilege at the default, allowing users to add machine accounts. Attackers can abuse this to gain more access to a network. The speakers also recommend that you review accounts that have unconstrained delegation and remove those that don’t have an associated Kerberos SPN.

One item we may forget to check is to minimize services on externally facing domain controllers and servers. Attackers often start with a workstation entry point and then use services such as a print spooler to gain more access. Restrict the print spooler service to run only on workstations and servers that require the service to run.

Review the processes you and the consultants use to manage the network. If Remote Desktop Services is used regularly, use the native Windows firewall to limit who can and cannot connect to the network, and ensure that you have implemented a GPO preventing accounts from local administrator to connect to the network.

Then start a project to encourage more secure processes for remote management. You can use Remote Server Administration Tools (RSAT) with Windows Administrative Center (WAC). WAC also prepares your network administrators to manage cloud properties from the same platform.

hackndo

If you need to learn more about the basics of Active Directory, read hackndo. This blog covers concepts such as Kerberoasting and NTLM Relay.

dirkjanm.io

Another blogger who offers deep dives into AD topics is Dirk-jan Mollema. He is also a great resource on Azure Active Directory and recently presented at the Black Hat Security Conference on hijacking and hacking Azure AD accounts by misusing external identities.

Microsoft 365 Security

Another great resource that I recommend you bookmark is Huy’s Microsoft 365 security blog. He has a great resource on recovering an Active Directory after it has been compromised. If you’ve never rebuilt an AD instance after an attack, count yourself both lucky. Your business will probably need it at some point. I recommend your technology teams perform these “what if” exercises.

Backdoors and Breaches

If you need some guidance on performing tabletop exercises, I recommend the Black Hills Information Security card game called Backdoors and Breaches. Using the deck of cards, you can prepare a scenario with a variety of attacks that might occur in your organization. The sheets include resources as well as recommendations for detection and the tools used.

Practice 365 and SpectreOps

Another resource I recommend that includes resources for Active Directory and Azure AD is the Practical 365 blog, which is run by consultants who specialize in Exchange, AD, and Microsoft 365. The SpecterOps blog is another site that provides guidance on prevention and hunting techniques. against Active Directory.

purple knight

Ideally, you have the resources to hire a penetration testing company to see if your AD domain is vulnerable to attacks. If your budget is limited, there are tools you can use to perform a scan of your company’s Active Directory. One such tool is Purple Knight, which has been enhanced to include guidance for Active Directory and Azure AD. Below is an example of a Purple Knight Security Assessment Report.

bradley purple knight Susan Bradley

You may examine your domain and find that you may be subject to attacks such as PetitPotam, which takes advantage of a flaw in AD Certificate Services Web Enrollment that allows NTLM relay attacks to authenticate as a privileged user. The tool points to practical advice from Microsoft to mitigate the problem.

The tool examines the level of forest you have on your network and recommends that you “Ensure that your AD domains are operating at the highest functional level available for your operating system version to ensure access to the latest security improvements. Also consider upgrading the operating system to 2012-R2 or higher as new feature levels are available. Too often when migrating our domain controllers to new platforms, we raise the forest level to the bare minimum to perform the migration and don’t consider whether we can raise the forest functional levels and of the domain. Study the tool’s recommendations and advice, as it highlights several weaknesses that attackers can easily use to gain access to your network.

Active Directory is still alive and quite well in our domains. Use these resources to prevent the attacker from gaining the access they want.

Copyright © 2022 IDG Communications, Inc.