Recommended security resources for Microsoft Active Directory

Many companies are still firmly in an Active Directory (AD) world. They may have moved some applications to the cloud, but key line-of-business applications still depend on AD. Do you remember the last time you reviewed your Active Directory security posture? Microsoft has not kept its Best Practices for Securing Active Directory web page current; parts of it carry warnings that they have not been updated since 2013. Fortunately, other resources are available for those who need guidance on protecting and hardening AD. Here are some of the sites I follow that provide excellent guidance:

Active Directory Security

First and foremost is Sean Metcalf's Active Directory Security blog. If you are lucky enough to catch one of his talks in person, you will find it full of practical tips and explanations of how attacks unfold and what you can do today to protect your network. A few months ago, Metcalf and some colleagues recorded a webinar on the top ten improvements to Active Directory security that can be made quickly.

Those recommendations include reviewing AD administrative group membership regularly and removing any inactive accounts. While the speakers say that annual password changes should be enforced on those accounts, I would argue that you should also require multi-factor authentication for them. Restrict which accounts are allowed to join workstations to the domain. With all the deployment tooling we now have, there is no reason to leave SeMachineAccountPrivilege (the "Add workstations to domain" user right) at its default, which, combined with the default ms-DS-MachineAccountQuota of 10, lets any authenticated user create computer accounts. Attackers abuse this to create a machine account they control and use it as a foothold for further attacks on the domain. The speakers also recommend reviewing every account configured for unconstrained delegation and removing the setting from any account that has no associated Kerberos SPN: nothing authenticates to such an account, so it has no legitimate reason to collect forwarded TGTs.
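As an added example (not part of the original article or of the webinar it summarises), the following PowerShell audits those four recommendations with the ActiveDirectory module that ships with RSAT. It is read-only and prints the remediation commands rather than running them. The list of privileged groups, the 90-day idle threshold and the one-year password age are this example's assumptions; adjust them for your forest.

```powershell
# Added example: audit privileged group membership, the machine account quota
# and unconstrained delegation. Run as a domain user with read access to AD.
Import-Module ActiveDirectory

$InactiveDays     = 90                                   # assumption
$Cutoff           = (Get-Date).AddDays(-$InactiveDays)
$PrivilegedGroups = @(                                   # assumption: extend for your tier-0 groups
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

# 1. Privileged group membership, flagging disabled, idle and stale-password accounts.
Write-Host "== Privileged group membership =="
foreach ($g in $PrivilegedGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, Enabled, PasswordLastSet
    foreach ($m in $members) {
        $flags = @()
        if (-not $m.Enabled) { $flags += 'DISABLED' }
        if (-not $m.LastLogonDate -or $m.LastLogonDate -lt $Cutoff) { $flags += "IDLE>$($InactiveDays)d" }
        if ($m.PasswordLastSet -lt (Get-Date).AddYears(-1)) { $flags += 'PWD>1y' }
        '{0,-20} {1,-25} {2}' -f $g, $m.SamAccountName, ($flags -join ',')
    }
}

# 2. Who may create computer accounts. The quota lives on the domain object;
#    the default of 10 lets any authenticated user join ten machines.
$dom   = Get-ADDomain
$quota = (Get-ADObject -Identity $dom.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "`n== ms-DS-MachineAccountQuota: $quota =="
if ($quota -gt 0) {
    Write-Warning "Any authenticated user can add $quota computer accounts. Set the quota to 0 and join machines with a delegated account:"
    "  Set-ADObject -Identity '$($dom.DistinguishedName)' -Replace @{'ms-DS-MachineAccountQuota'=0}"
    "  (also restrict 'Add workstations to domain' in the Default Domain Controllers Policy)"
}

# 3. Unconstrained delegation. Domain controllers hold the flag by design and are
#    excluded; every other account is listed with its SPN count.
Write-Host "`n== Unconstrained delegation (TRUSTED_FOR_DELEGATION) =="
$dcNames   = (Get-ADDomainController -Filter *).Name
$delegated = @(Get-ADUser     -Filter {TrustedForDelegation -eq $true} -Properties ServicePrincipalName) +
             @(Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties ServicePrincipalName |
               Where-Object { $_.Name -notin $dcNames })
foreach ($obj in $delegated) {
    $spns = @($obj.ServicePrincipalName)
    $note = if ($spns.Count -eq 0) {
        "no SPN -> Set-ADAccountControl -Identity '$($obj.DistinguishedName)' -TrustedForDelegation `$false"
    } else {
        "$($spns.Count) SPN(s) -> review; prefer constrained delegation"
    }
    '{0,-8} {1,-25} {2}' -f $obj.ObjectClass, $obj.Name, $note
}
```

The membership check uses -Recursive so that accounts nested through intermediate groups are not missed; the delegation check lists computers as well as users because member servers, not just service accounts, are routinely found with the flag set.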

One item that is easy to overlook is minimizing the services running on domain controllers and outward-facing servers. Attackers usually start from a workstation and then use services such as the Print Spooler (the MS-RPRN "printer bug") to coerce a domain controller into authenticating to a host they control. Allow the Print Spooler service to run only on those workstations and servers that actually need it.

Review the processes you and any consultants use to manage the network. If Remote Desktop Services is used regularly, use the built-in Windows firewall to limit which addresses can reach it, and make sure a Group Policy Object denies local administrator accounts the right to log on over the network (the "Deny access to this computer from the network" user right, applied to the well-known SIDs S-1-5-113 "Local account" and S-1-5-114 "Local account and member of Administrators group").
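The two hardening steps above, as an added PowerShell example that is not part of the original article: it contacts every domain controller over WinRM, stops and disables the Print Spooler where it is present, and narrows the built-in Remote Desktop firewall rules to a management subnet. The subnet 10.0.50.0/24 is a placeholder for your jump-host network; the network-logon denial for local administrators is left to Group Policy because it is a domain-wide user-rights setting rather than a per-host change.

```powershell
# Added example: harden domain controllers by removing the Print Spooler and
# scoping inbound RDP. Run from an administrative workstation with WinRM access.
Import-Module ActiveDirectory

$ManagementSubnet = '10.0.50.0/24'                      # assumption: replace with your jump-host network
$DCs = (Get-ADDomainController -Filter *).HostName

# 1. No domain controller needs a print spooler; MS-RPRN coercion abuses it.
Invoke-Command -ComputerName $DCs -ScriptBlock {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return "$env:COMPUTERNAME: Spooler not installed" }
    $was = "$($svc.Status)/$($svc.StartType)"
    if ($svc.Status -eq 'Running') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    "$env:COMPUTERNAME: Spooler was $was, now Stopped/Disabled"
}

# 2. The rules in the 'Remote Desktop' group allow any remote address by default.
#    Rewrite their remote-address scope so only the management subnet reaches RDP.
Invoke-Command -ComputerName $DCs -ArgumentList $ManagementSubnet -ScriptBlock {
    param($subnet)
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
    $rules | Set-NetFirewallRule -RemoteAddress $subnet
    foreach ($r in $rules) {
        $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress
        "$env:COMPUTERNAME: $($r.DisplayName) -> $($addr -join ',')"
    }
}
```

Run the firewall step from a host inside the management subnet, otherwise the first DC you change will cut off your own session. Both steps are idempotent, so the script can be scheduled to re-apply the settings if a later change reverts them.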

Next, start a project to move remote administration onto safer processes. You can use Remote Server Administration Tools (RSAT) together with Windows Admin Center (WAC), which also prepares your administrators to manage cloud resources from the same platform.

hackndo

If you need to learn more about Active Directory fundamentals, read hackndo. This blog covers concepts such as Kerberoasting and NTLM relay.

dirkjanm.io

Dirk-jan Mollema is another blogger who provides deep dives into AD topics. He is also a good resource on Azure Active Directory and recently presented at the Black Hat security conference on backdooring and hijacking Azure AD accounts by abusing external identities.

Microsoft 365 Security

Another excellent resource I recommend you bookmark is Huy's blog on Microsoft 365 security. He has a thorough resource on recovering an Active Directory forest after it has been compromised. If you have never rebuilt an AD instance after an attack, count yourself lucky; your firm will probably have to do it at some point. I recommend that your technology teams perform these "what if" exercises.

Backdoors and Breaches

If you need guidance on running tabletop exercises, I recommend the Black Hills Information Security card game Backdoors and Breaches. Using the card deck, you can build a scenario from a variety of attacks that could occur in your organization. The cards include resources as well as recommendations for detection and the tools used.

Practical 365 and SpecterOps

Another resource I recommend that covers both Active Directory and Azure AD is the Practical 365 blog, which is run by consultants who specialize in Exchange, AD and Microsoft 365. The SpecterOps blog is another site that provides guidance on prevention and hunting techniques for Active Directory.

Purple Knight

Ideally you have the budget to hire a pen-testing firm to see whether your AD domain is vulnerable to attack. If you are budget constrained, there are tools you can use to assess your firm's Active Directory yourself. One such tool is Purple Knight, which has been extended to cover Azure AD as well as Active Directory. Below is a sample Purple Knight security assessment report.

[Image: sample Purple Knight security assessment report. Credit: Susan Bradley]

Reviewing your domain, you may find that you are exposed to attacks such as PetitPotam. PetitPotam coerces a domain controller into authenticating to an attacker-controlled host; if AD Certificate Services Web Enrollment accepts NTLM without Extended Protection for Authentication, that authentication can be relayed to the enrollment site to obtain a certificate for the domain controller's machine account, and with it the privileges of the domain controller. The tool points to Microsoft's actionable guidance for mitigating the issue (requiring Extended Protection and HTTPS on the enrollment site, and disabling NTLM on the AD CS servers where possible).
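The check that finding corresponds to, as an added PowerShell example that is neither the article's nor Purple Knight's code: run elevated on the CA or Web Enrollment server, it reports whether the CertSrv application still accepts NTLM over a channel that is not bound to TLS, and if so applies the two IIS settings that close the relay path. The site name 'Default Web Site' and application path 'CertSrv' are the installer defaults and are assumptions here; an HTTPS binding on the site is also assumed, because requiring SSL without one blocks all enrollment.

```powershell
# Added example: detect and fix relayable NTLM authentication on AD CS Web Enrollment.
Import-Module WebAdministration

$Site = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: installer default, verify with Get-WebApplication
$Auth = 'system.webServer/security/authentication/windowsAuthentication'

function Get-IisProp([string]$Filter, [string]$Name) {
    # Get-WebConfigurationProperty returns a plain value for some properties and a
    # ConfigurationAttribute (exposing .Value) for others; normalise to a string.
    $v = Get-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name $Name
    if ($null -ne $v.Value) { [string]$v.Value } else { [string]$v }
}

function Get-CertSrvAuthState {
    [pscustomobject]@{
        TokenChecking = Get-IisProp $Auth 'extendedProtection.tokenChecking'        # None | Allow | Require
        SslFlags      = Get-IisProp 'system.webServer/security/access' 'sslFlags'   # contains 'Ssl' when HTTPS is required
        Providers     = @(Get-WebConfiguration -PSPath $Site -Filter "$Auth/providers/add" | ForEach-Object { $_.value })
    }
}

function Test-RelayExposed($state) {
    # A relayed NTLM exchange validates only when the server does not demand a
    # channel binding token (EPA) or the page is reachable over plain HTTP.
    ($state.TokenChecking -ne 'Require') -or ($state.SslFlags -notmatch 'Ssl')
}

$before = Get-CertSrvAuthState
'Before: EPA={0} sslFlags={1} providers={2}' -f $before.TokenChecking, $before.SslFlags, ($before.Providers -join ',')

if (Test-RelayExposed $before) {
    Write-Warning 'CertSrv accepts relayable NTLM authentication; requiring EPA and HTTPS'
    # Require EPA: the channel binding token ties the NTLM exchange to this TLS session,
    # so a response relayed from another connection no longer validates.
    Set-WebConfigurationProperty -PSPath $Site -Filter $Auth -Name 'extendedProtection.tokenChecking' -Value 'Require'
    # EPA is meaningless without TLS: force HTTPS on the enrollment pages.
    Set-WebConfigurationProperty -PSPath $Site -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    $after = Get-CertSrvAuthState
    'After:  EPA={0} sslFlags={1}' -f $after.TokenChecking, $after.SslFlags
} else {
    'CertSrv already requires EPA over HTTPS'
}

if ('NTLM' -in $before.Providers) {
    'Note: the standalone NTLM provider is still enabled. If every enrollment client can use Kerberos, remove it (Windows Authentication > Providers) so only Negotiate remains.'
}
```

This addresses only the relay target. Closing the coercion side as well means keeping domain controllers patched and applying Microsoft's guidance for the EFS RPC interface, which this example does not attempt.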

The tool also reviews the forest functional level in your network and recommends that you, "Ensure that your AD domains are running at the highest functional level available for your OS version to ensure access to the latest security enhancements. Also, consider upgrading the OS to 2012-R2 or above, as new functional levels are available." Too often, when we migrate domain controllers to newer platforms, we raise the forest level only to the bare minimum the migration needs and never check whether the forest and domain functional levels can go higher. Review the tool's recommendations and guidance; it points out several weaknesses that attackers can easily use to gain access to your network.
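To act on that recommendation, here is an added PowerShell example (not from the article or from Purple Knight) that compares the forest and each domain's functional level with the highest level the oldest domain controller in that scope can support, and prints the Set-ADForestMode / Set-ADDomainMode commands to raise them. The OS-to-level table reflects that Windows Server 2019 and 2022 introduced no new functional level, so they top out at Windows2016, while Windows Server 2025 introduced Windows2025. The script only prints the commands: raising a level needs Enterprise Admins (forest) or Domain Admins (domain), healthy replication, and every DC on a supporting OS, and it should be planned rather than run from an audit script.

```powershell
# Added example: report functional levels against what the DC operating systems allow.
Import-Module ActiveDirectory

# Highest functional level introduced by each server OS.
$MaxLevelByOs = [ordered]@{
    '2008'    = 'Windows2008'
    '2008 R2' = 'Windows2008R2'
    '2012'    = 'Windows2012'
    '2012 R2' = 'Windows2012R2'
    '2016'    = 'Windows2016'
    '2019'    = 'Windows2016'
    '2022'    = 'Windows2016'
    '2025'    = 'Windows2025'
}
$LevelRank = @('Windows2008', 'Windows2008R2', 'Windows2012', 'Windows2012R2', 'Windows2016', 'Windows2025')

function Get-MaxLevelForOs([string]$os) {
    # Match the longest version token present, so "Windows Server 2012 R2 Standard"
    # resolves to '2012 R2' and not '2012'. Unknown strings return 'UNKNOWN'.
    $hit = $MaxLevelByOs.Keys | Where-Object { $os -match ('\b' + [regex]::Escape($_) + '\b') } |
        Sort-Object Length -Descending | Select-Object -First 1
    if ($hit) { $MaxLevelByOs[$hit] } else { 'UNKNOWN' }
}

function Get-LowestLevel([string[]]$levels) {
    # The oldest DC decides the ceiling. An unrecognised OS is never silently
    # ignored: it forces a manual review instead of a wrong recommendation.
    if ($levels -contains 'UNKNOWN') { return 'UNKNOWN' }
    $levels | Sort-Object { $LevelRank.IndexOf($_) } | Select-Object -First 1
}

function Compare-Level([string]$current, [string]$target) {
    # $current arrives as e.g. 'Windows2012R2Forest'; strip the suffix before ranking.
    $cur = $current -replace '(Forest|Domain)$', ''
    [pscustomobject]@{
        Current  = $cur
        Target   = $target
        CanRaise = ($target -ne 'UNKNOWN') -and ($LevelRank.IndexOf($cur) -lt $LevelRank.IndexOf($target))
    }
}

$forest = Get-ADForest
$allDcs = foreach ($d in $forest.Domains) {
    # Get-ADDomainController only lists the current domain unless -Server points
    # at each domain in the forest.
    Get-ADDomainController -Filter * -Server $d | Select-Object HostName, Domain, OperatingSystem
}

$forestMax = Get-LowestLevel ($allDcs | ForEach-Object { Get-MaxLevelForOs $_.OperatingSystem })
$f = Compare-Level $forest.ForestMode $forestMax
'Forest {0}: current={1} oldest DC supports={2}' -f $forest.Name, $f.Current, $forestMax
if ($f.CanRaise) { "  Set-ADForestMode -Identity $($forest.Name) -ForestMode ${forestMax}Forest" }

foreach ($name in $forest.Domains) {
    $domain    = Get-ADDomain -Identity $name
    $domainMax = Get-LowestLevel ($allDcs | Where-Object Domain -eq $name | ForEach-Object { Get-MaxLevelForOs $_.OperatingSystem })
    $d = Compare-Level $domain.DomainMode $domainMax
    'Domain {0}: current={1} oldest DC supports={2}' -f $name, $d.Current, $domainMax
    if ($d.CanRaise) { "  Set-ADDomainMode -Identity $name -DomainMode ${domainMax}Domain" }
}
```

Raise the domain levels before the forest level; Set-ADForestMode refuses to go higher than the lowest domain in the forest.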

Active Directory is still alive and well in our domains. Use these resources to make it harder for attackers to gain the access they are after.

Copyright © 2022 IDG Communications, Inc.
