Active Directory Security Journey

Uploaded by

zhiyuya

Active Directory Security:

The Journey

Sean Metcalf (@Pyrotek3)


s e a n [@] TrimarcSecurity.com
www.ADSecurity.org
TrimarcSecurity.com
ABOUT
❖Founder Trimarc, a security company.
❖Microsoft Certified Master (MCM) Directory Services
❖Speaker: Black Hat, Blue Hat, BSides, DEF CON, DerbyCon,
Shakacon, Sp4rkCon
❖Security Consultant / Researcher
❖Own & Operate ADSecurity.org
(Microsoft platform security info)
* Not a Microsoft MVP
Sean Metcalf (@PyroTek3) TrimarcSecurity.com
AGENDA
• Current state of Active Directory Security
• AD Security Evolution
• Expanding AD Permissions
• Common Issues
• Microsoft Guidance
• Recommendations

Slides: Presentations.ADSecurity.org


The Current State of Active Directory:
The Good, the Bad, & the UGLY

The Good
• Better awareness of the importance of AD security.
• AD security more thoroughly tested.
• Less Domain Admins (overall).
• Less credentials in Group Policy Preferences.
• More local Admin passwords are automatically
rotated (LAPS).
• PowerShell security improvements (v5).

The Bad & UGLY
• Too many Domain Admins still administer AD from their regular
workstation.
• Privilege escalation from regular user is still too easy.
• Lots of legacy cruft reduces security.
• Not enough (PowerShell) logging deployed.
• Too many blind spots (poor visibility).
• The UGLY
• 2018: cybersecurity spending = ~$90B; what improved?
• Attack detection hasn’t really improved.
• Now with more Ransom/Crypto-Ware
The Evolution of
Active Directory
Security

AD Security: The early days
• The year is 2000, the OS is too!
• Active Directory key design decisions
• Replication is feared
• Kerberos is embraced and extended
• Enter SIDHistory
• Compromises to support Windows NT legacy
• NT lives on!

AD Security: AD v2 & v3
• Windows 2003 Server
• Lots of improvements
• AD matures significantly
• LastLogonTimestamp tracks last logon (& replicates!)
• Constrained Delegation
• Selective Authentication for Trusts. Everyone ignores…
• Many organizations deploy Active Directory

AD: Let’s Do Security!
• Windows Server 2008/2008 R2
• Enter the AD Recycle Bin
• Last interactive logon information
• Fine-grained password policies
• Authentication mechanism assurance which identifies
logon method type (smart card or user name/password)
• Managed Service Accounts (let AD handle the password)
• Automatic SPN management for services running under
context of a Managed Service Account.
• Goodbye Kerberos DES, hello AES
AD: Security Enhancements
• Windows Server 2012/2012 R2
• Focus on protecting credentials
• Shift in security focus
• DC-side protections for Protected Users
• No NTLM authentication
• No Kerberos DES or RC4 ciphers
• No Delegation – unconstrained or constrained delegation
• No user tickets (TGTs) renewed beyond the initial 4 hr lifetime
• Authentication Policies & Authentication Policy Silos
Rearchitecting Security
Windows Server 2016/Windows 10
• Major changes in OS security architecture
• From Normal World to Secure World (VSM)
• Credential Guard & Remote Credential Guard
• Lots of minor changes, big impact (recon)
• New shadow security principals (groups)
• An expiring links feature (Group TTL)
• KDC enhancements to restrict Kerberos ticket lifetime to the
lowest group TTL
AD Permissions:
What you don’t know can hurt
It's important to understand that it doesn't
matter what Active Directory permissions a
user has when using the Exchange
management tools. If the user is authorized,
via RBAC, to perform an action in the
Exchange management tools, the user can
perform the action regardless of his or her
Active Directory permissions.
https://technet.microsoft.com/en-us/library/dd638106.aspx
Highly Privileged Exchange Groups
• Exchange Trusted Subsystem (like SYSTEM, only better)
• “The Exchange Trusted Subsystem is a highly privileged …Group that has
read/write access to every Exchange-related object in the Exchange
organization.”
• Members: Exchange Servers
• MemberOf: Exchange Windows Permissions
• Exchange Windows Permissions
• Provides rights to AD objects (users, groups, etc)
• Members: Exchange Trusted Subsystem
• Organization Management (the DA of the Exchange world)
• “Members … have administrative access to the entire Exchange 2013
organization and can perform almost any task against any Exchange 2013
object, with some exceptions.
…is a very powerful role and as such, only users or … groups that perform
organizational-level administrative tasks that can potentially impact the
entire Exchange organization should be members of this role group.”
• Members: 2 to 3 Exchange organization admin accounts (or less)
Exchange Rights & RBAC
• Exchange has extensive rights throughout Active Directory.
• Modify rights on most objects, including users and groups (even
admins).
• Except AdminSDHolder protected groups/users.
• Access provided through Exchange groups (like Exchange
Windows Permissions)
• Migrated to O365?
Great, all these permissions are still in AD.

Old Exchange Permissions Persist
Upgrade after Upgrade…
Exchange 2000 → 2003 → 2007 → 2010 → 2013 → 2016

Microsoft System Center Configuration Manager
(SCCM)
• Originally SMS (not text messaging)
• Granular delegation was a challenge, better in SCCM 2012.
• Role-Based Access breakout
• All Desktops - Workstation Assets
• All Servers - Server Assets
• Typically manages (& patches) all Windows systems
• Workstations
• Servers
• Domain Controllers
3rd Party Product Permission Requirements
• Domain user access
• Operations systems access
• Mistaken identity – trust the installer during install
• AD object rights
• Install permissions on systems
• Needs System rights
• Active Directory privileged rights
• Domain permissions during install
• More access required than often needed.
• Initial start/run permissions
• Needs full AD rights
Over-permissioned Delegation
• Use of built-in groups for delegation
• Clicking the "easy button": Full Control at the domain
root.
• Let's just "make it work"
• Delegation tools in AD are challenging to get right

Active Directory & the Cloud
• AD provides Single Sign On (SSO) to cloud services.
• Some directory sync tools synchronize all users & attributes
to cloud service(s).
• Most sync engines only require AD user rights to send user
and group information to cloud service.
• Most organizations aren’t aware of all cloud services active
in their environment.
• Do you know what cloud services sync information from
your Active Directory?
Azure AD Connect
• Filtering – select specific objects to sync (default: all users, contacts,
groups, & Win10). Adjust filtering based on domains, OUs, or attributes.
• Password synchronization – a hash of the AD pw hash ---> Azure AD.
PW management only in AD (use AD pw policy)
• Password writeback - enables users to update password while connected
to cloud resources.
• Device writeback – writes Azure AD registered device info to AD for
conditional access.
• Prevent accidental deletes – protects against a large number of deletes
(enabled by default). This feature is turned on by default and protects your
cloud directory from numerous deletes at the same time. By default it allows
500 deletes per run. You can change this setting depending on your organization size.
• Automatic upgrade – Keeps Azure AD Connect version current (express
settings enabled by default).
Express Permissions for Azure AD Connect

Express Permissions for Azure AD Connect

DEF CON 25 (July 2017)

DCSync

Custom Permissions for Azure AD Connect

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions
https://technet.microsoft.com/en-us/library/security/4056318.aspx
Azure AD Connect Server: PW Sync
Every two minutes, the password synchronization
agent on the Azure AD Connect server requests
stored password hashes (the unicodePwd
attribute) from a DC via the standard MS-DRSR
replication protocol used to synchronize data
between DCs.

PW Sync (MD4+salt+PBKDF2+HMAC-SHA256)

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization
Azure AD Connect Server Recommendations
• Protect like a Domain Controller
• Lock down AAD Connect server
• Firewall off from the network – only needs to connect to Azure AD
& DCs
• Only AD Admins should be allowed to logon/admin
• Lock down AADC service account (MSOL_*) logon ability
• Monitor AADC service account logon
• Keep the Account Operators group empty

Common Issues Persist…

Default Domain Controllers Policy

From Basic to Bad

From Basic to Bad: Users with DC Logon Rights

From Basic to Bad: DC Remote Logon Rights

From Basic to Bad: Clearing DC Event Logs

“Audited events are viewed in the security log of the Event Viewer. A user
with this policy can also view and clear the security log.”

From Basic to Bad: Delegation

Kerberos Delegation
Impersonate Anyone
Sean Metcalf [@Pyrotek3 | [email protected]]
Kerberos “Double Hop” Issue

Discover Servers Configured with Unconstrained Delegation

Kerberos Unconstrained Delegation

Exploiting Kerberos Delegation

Constrained Delegation
• Impersonate authenticated user to allowed services.
• If Attacker owns Service Account = impersonate user to specific service on server.

KCD Protocol Transition
• Less secure than “Use Kerberos only”.
• Enables impersonation without prior AD authentication (NTLM/Kerberos).

Control Delegation… Control AD
Domain Controllers Policy
Full Control on Servers OU

DC Silver Ticket for ‘LDAP’ Service -> DCSync

DerbyCon 2015: Red vs. Blue: Modern Active Directory Attacks & Defense
KCD Protocol Transition To DCSYNC

Discovering All Kerberos Delegation
UserAccountControl 0x0080000 = Any Service (Kerberos Only), ELSE Specific Services
UserAccountControl 0x1000000 = Any Auth Protocol (Protocol Transition), ELSE Kerberos Only
msds-AllowedToDelegateTo = List of SPNs for Constrained Delegation

[Figure: query results for Unconstrained, Constrained, and Constrained – Protocol Transition delegation]

https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-properties
Kerberos Delegation Mitigations
GOOD:
• Set all AD Admin accounts to:
“Account is sensitive and cannot be delegated”

BEST:
• Add all AD Admin accounts to the “Protected Users” group (Windows
2012 R2 DFL).
• Use delegation service accounts with long, complex passwords
(preferably group Managed Service Accounts).
• Don’t use Domain Controller SPNs when delegating.
• Monitor who has the ability to configure Kerberos delegation.

Limitation: Service Accounts can’t be added to Protected Users and cannot be
set with “Account is sensitive and cannot be delegated”.
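The discovery rules from the "Discovering All Kerberos Delegation" slide and the checks from the mitigation slide, as an added example (not the slides' own queries): classify each account from its userAccountControl bits and msDS-AllowedToDelegateTo, then flag delegation to Domain Controller SPNs and AD admin accounts missing the "sensitive and cannot be delegated" bit. The records, DC_HOSTS and ADMIN_ACCOUNTS are constructed assumptions; the LDAP filter strings are given for reference only.

```python
"""Added example (not from the slides): classify Kerberos delegation from the
userAccountControl bits and msDS-AllowedToDelegateTo values the slide lists,
then apply the mitigation checks from the following slide. All records below
are constructed; DC_HOSTS and the account names are assumptions."""

# userAccountControl bits from the slide / Microsoft KB 305144
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained: any service, Kerberos only
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: any auth protocol
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"

# LDAP filters that return each class (1.2.840.113556.1.4.803 = bitwise AND), for reference
LDAP_UNCONSTRAINED = "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
LDAP_CONSTRAINED = "(msDS-AllowedToDelegateTo=*)"
LDAP_PROTOCOL_TRANSITION = "(userAccountControl:1.2.840.113556.1.4.803:=16777216)"

DC_HOSTS = {"dc01.corp.example", "dc02.corp.example"}  # assumption: your DC FQDNs


def classify(uac: int, allowed_to) -> str:
    """Map the two UAC bits plus msDS-AllowedToDelegateTo to the slide's three classes."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "Unconstrained"
    if allowed_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "Constrained - Protocol Transition"
        return "Constrained"
    return "None"


def spn_host(spn: str) -> str:
    """'ldap/dc01.corp.example/corp.example' -> 'dc01.corp.example' (port stripped)."""
    return spn.split("/", 1)[1].split("/")[0].split(":")[0].lower()


def review(records, dc_hosts=DC_HOSTS, admin_names=()):
    """Return (account, finding) pairs a defender would want to look at."""
    findings = []
    for r in records:
        name, uac = r["sAMAccountName"], r["userAccountControl"]
        allowed_to = r.get("msDS-AllowedToDelegateTo", [])
        is_dc = r.get("dNSHostName", "").lower() in dc_hosts
        kind = classify(uac, allowed_to)
        # DCs are unconstrained by design; anything else with delegation is reportable
        if kind != "None" and not (kind == "Unconstrained" and is_dc):
            findings.append((name, kind))
        # slide: "Don't use Domain Controller SPNs when delegating" (the KCD -> DCSync path)
        for spn in allowed_to:
            if spn_host(spn) in dc_hosts:
                findings.append((name, "delegates to DC SPN " + spn))
        # slide: AD admin accounts should be "sensitive and cannot be delegated"
        if name in admin_names and not uac & NOT_DELEGATED:
            findings.append((name, "admin account without NOT_DELEGATED"))
    return findings


# constructed directory snapshot: 0x2000 = SERVER_TRUST_ACCOUNT, 0x1000 = WORKSTATION_TRUST_ACCOUNT,
# 0x200 = NORMAL_ACCOUNT, 0x10000 = DONT_EXPIRE_PASSWORD
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example", "userAccountControl": 0x82000},
    {"sAMAccountName": "WEB01$", "dNSHostName": "web01.corp.example", "userAccountControl": 0x81000},
    {"sAMAccountName": "svc-sql", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.example:1433"]},
    {"sAMAccountName": "svc-portal", "userAccountControl": 0x1010200,
     "msDS-AllowedToDelegateTo": ["ldap/dc01.corp.example/corp.example"]},
    {"sAMAccountName": "adm-jane", "userAccountControl": 0x200},
    {"sAMAccountName": "adm-bob", "userAccountControl": 0x100200},
]
ADMIN_ACCOUNTS = ("adm-jane", "adm-bob")  # assumption: your AD admin account names

if __name__ == "__main__":
    for account, finding in review(SAMPLE_RECORDS, admin_names=ADMIN_ACCOUNTS):
        print(f"{account:12} {finding}")
```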


Attacker Capability & Mitigations

Attackers Require…
• Account (credentials)
• Rights (privileges)
• Access (connectivity to resources)

Traditional AD Administration
• All admins are Domain Admins.
• Administration from anywhere – servers, workstations,
Starbucks.
• Need a service account with AD rights – Domain Admin!
• Need to manage user accounts – Account Operators!
• Need to run backups (anywhere) – Backup Operators!
• Management system deploys software & patches all
workstations, servers, & Domain Controllers.
• Agents, everywhere!
• Full Compromise… Likely
As an Attacker, Do I Need Domain Admin?
No.

Avenues to Compromise
• GPO permissions
• AD Permissions
• Improper group nesting
• Over-permissioned accounts
• Service account access
• Kerberos Delegation
• Password Vaults
• Backup Process
In the Real World, Rights are Everywhere
• Workstation Admins have full control on workstation computer
objects and local admin rights.
• Server Admins have full control on server computer objects and local
admin rights.
• Often, Server Admins are Exchange Admins.
• Sometimes Server Admins have rights to Domain Controllers.
• Help Desk Admins have local admin rights and remote control on user
workstations.
• Local admin accounts & passwords often the same among
workstations, and sometimes the same among servers.
• “Temporary” admin group assignments often become permanent.
Accidental Privilege Escalation

Red Team Perspective

Securing AD Counterpoint
• AD is only as secure as the AD admin accounts.
• Domain Admin accounts are everywhere!
• DAs logon to Exchange, SCCM, servers, and workstations.
• Service Accounts in DA are often used on domain
computers.
• Authenticated security scans can leave privileged creds behind.
• Account right is combination of:
• Group Membership (AD & local computer)
• Delegated OU & GPO permissions
• Compromise the right account or computer to 0wn AD
Jump (Admin) Servers
• If Admins are not using Admin workstations, keylog
for creds on admin’s workstation.
• Discover all potential remoting services.
• RDP (2FA?)
• WMI
• WinRM/PowerShell Remoting
• PSExec
• NamedPipe
• Compromise a Jump Server, 0wn the domain!
Hijacking the Admin/Jump Server
• Get Admin on the server
• Get SYSTEM
• Run tscon.exe as SYSTEM

”if you run tscon.exe as the SYSTEM user, you can connect to
any session without a password”

https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
Alexander Korznikov demonstrates using Sticky Keys and tscon to access an administrator RDP
session — without even logging into the server.

https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
Microsoft Active Directory
Security Guidance
Security Privileged Access Roadmap: Stage 1

Security Privileged Access Roadmap: Stage 2

PAW Update:
O365 Global Admin Role = Tier 0

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations
Lower attack surface of Domain & DCs:
What’s Missing?
• Clear guidance on recommended GPO security settings beyond default.
• Protocol/feature reduction/lockdown
• Implementation guidance for implementing Admin systems (PAWs,
Admin/Jump servers, etc) to limit management protocols.
• Beyond RDP: Limit WMI, WinRM, etc
• AppLocker on DCs…
• The last 4 - 5 items are focused on preventing DC internet access. Use a
host firewall/IPSec rule and reinforce on perimeter firewalls and call it a
day.
Securing Domain Controllers to Improve Active Directory Security
https://adsecurity.org/?p=3377
Lower attack surface of Domain & DCs

Attack Detection: What We Need

Attack Detection: Password Spraying

Attack Detection:
Kerberoast Detection
• Event ID 4769
• Ticket Options: 0x40810000
• Ticket Encryption: 0x17
• Need to filter out service
accounts (Account Name) &
computers (Service Name).
• Inter-forest tickets use RC4
unless configured to use AES.
• ADFS also uses RC4.
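The slide's Kerberoast indicators applied to a batch of 4769 events, as an added example (not code from the slides): match Ticket Options 0x40810000 and Ticket Encryption Type 0x17 (RC4), drop computer service names and known RC4 requesters such as ADFS as the slide advises, then group what survives by requesting account. Field names follow the 4769 event XML; the events, KNOWN_RC4_REQUESTERS and the "several distinct services" burst threshold are my assumptions.

```python
"""Added example (not from the slides): apply the slide's Kerberoast
indicators (Event ID 4769, Ticket Options 0x40810000, Ticket Encryption
Type 0x17 = RC4-HMAC) to a batch of 4769 events, filtering computer
service names and known service accounts as the slide advises. Field
names follow the 4769 event XML; the events and KNOWN_RC4_REQUESTERS
are constructed assumptions."""

KERBEROAST_TICKET_OPTIONS = 0x40810000
RC4_HMAC = 0x17

# assumption: accounts expected to request RC4 tickets (slide: ADFS, inter-forest)
KNOWN_RC4_REQUESTERS = {"svc-adfs"}


def is_suspicious(ev, known=KNOWN_RC4_REQUESTERS) -> bool:
    """One 4769 event matches the slide's indicators and survives its filters."""
    if ev["EventID"] != 4769:
        return False
    if int(ev["TicketOptions"], 16) != KERBEROAST_TICKET_OPTIONS:
        return False
    if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
        return False
    service = ev["ServiceName"]
    if service.endswith("$") or service.lower() == "krbtgt":   # computers, TGTs
        return False
    requester = ev["TargetUserName"].split("@")[0].lower()
    if requester.endswith("$") or requester in known:          # machines, known RC4 users
        return False
    return True


def kerberoast_alerts(events, threshold=3):
    """Group surviving events by requester; alert when one account requested RC4
    tickets for several distinct services (a burst heuristic added here)."""
    per_user = {}
    for ev in events:
        if is_suspicious(ev):
            per_user.setdefault(ev["TargetUserName"], set()).add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in per_user.items() if len(svcs) >= threshold}


def _ev(event_id, user, service, options, enc):
    return {"EventID": event_id, "TargetUserName": user, "ServiceName": service,
            "TicketOptions": options, "TicketEncryptionType": enc}


# constructed DC security log excerpt
SAMPLE_EVENTS = [
    _ev(4769, "jdoe@CORP.EXAMPLE", "svc-sql", "0x40810000", "0x17"),
    _ev(4769, "jdoe@CORP.EXAMPLE", "svc-web", "0x40810000", "0x17"),
    _ev(4769, "jdoe@CORP.EXAMPLE", "svc-backup", "0x40810000", "0x17"),
    _ev(4769, "jdoe@CORP.EXAMPLE", "svc-sql", "0x40810000", "0x12"),       # AES: normal
    _ev(4769, "WKS01$@CORP.EXAMPLE", "DC01$", "0x40810000", "0x17"),       # computer service
    _ev(4769, "jdoe@CORP.EXAMPLE", "krbtgt", "0x40810010", "0x17"),        # TGT, not a service
    _ev(4769, "svc-adfs@CORP.EXAMPLE", "svc-sql", "0x40810000", "0x17"),   # known RC4 requester
    _ev(4768, "jdoe@CORP.EXAMPLE", "krbtgt", "0x40810010", "0x12"),        # AS-REQ, not 4769
    _ev(4769, "asmith@CORP.EXAMPLE", "svc-sql", "0x40810000", "0x17"),     # single request
]

if __name__ == "__main__":
    for user, services in kerberoast_alerts(SAMPLE_EVENTS).items():
        print(f"possible Kerberoast by {user}: {', '.join(services)}")
```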
Security Privileged Access Roadmap: Stage 3

Let’s Talk Tiers!

AD Admin Tiers

https://technet.microsoft.com/en-us/library/mt631193.aspx
Achieving Tier 0: AD Admin & DCs
• DCs have separate management and patching system than other
tiers (ex. WSUS or SCCM).
• All admin systems for DCs and other systems in Tier 0 only exist
in this tier.
• All AD admin accounts use PAWs.
• All privileged AD service accounts are only on Tier 0 systems.
• Requires all relevant systems to exist in this tier.
• Domain Controllers
• ADFS
• Azure AD Connect Server
• Virtualization Platform servers

Difficulty Level: High


Achieving Tier 1: Servers & Server Admin
• Servers have separate management and patching
system than other tiers (ex. WSUS or SCCM).
• All admin systems for Servers only exist in this tier.
• All admin accounts use PAWs.
• All privileged AD service accounts are only on Tier 1
systems.
• Requires all relevant systems to exist in this tier.

Difficulty Level: High


Achieving Tier 2: Workstations & Administration
• Workstations have separate management and
patching system than other tiers (ex. WSUS or SCCM).
• All admin systems for Workstations only exist in this
tier.
• All admin accounts use PAWs.
• All privileged AD service accounts are only on Tier 2
systems.
• Requires all relevant systems to exist in this tier.

Difficulty Level:
Medium-High
What’s Missing?
• Removing local admin rights from users.
• Limiting broad system access
• Workstation Admin
• Server Admin
• Limiting network access from any system to any system
(host-based firewall with default block inbound rule).
• Practical guidance on achieving each tier with case
studies.
• Service Account risks
Red Forest aka ESAE
Separate forest for Active Directory Administration
Admin Forest
aka Enhanced Security Administrative Environment
(ESAE)

ESAE Key Components
• New Windows Server 2016 AD Forest with high security configuration.
• ESAE forest is isolated from the production network with strong network
controls and only allows encrypted communication to production DCs & select
AD Admin systems.
• 1-way trust with Selective Authentication (production AD forest trusts ESAE).
• Production AD admin groups are empty, except group for ESAE admin groups.
• No production AD admin groups/accounts in ESAE have admin rights to ESAE.
• All systems run Windows 10/ Windows Server 2016.
• Auto-patching by ESAE management/patching system.
• Production AD admin accounts in ESAE should not retain full-time Production
AD admin group membership and require MFA for authentication.
• ESAE should be carefully monitored for anomalous activity.
ESAE/Red Forest Implementation
• Assume Breach
• Before deploying, check the environment
• Start clean, stay clean
• If the production AD environment is compromised,
what does ESAE buy you?
• What should be done first?

Red Forest Limitations
• Expensive to deploy
• Greatly increases management overhead & cost.
• Duplicate infrastructure.
• Requires physical hardware
• Requires PKI Infrastructure.
• Doesn’t fix production AD issues.
• Doesn’t resolve expansive rights over workstations & servers.

Best Case: Isolates AD Admin accounts

What about domain privileged Service Accounts?


Wrapping It Up

Things that Matter
• Ensure local admin passwords are unique and change regularly.
• Install/enable host firewall on all workstations to prevent lateral
movement by attackers and ransomware.
• Host firewalls on servers and Domain Controllers.
• Reduce AD admin group membership.
• Limit service account privileges.
• Ensure AD admins only use AD admin systems (PAW).
• Breaking bad - disabling old & uncommon features and protocols
to reduce the Windows attack surface
• LM, NTLM, SMBv1, LLMNR, WPAD, NetBIOS, etc.
• Control Office macros.
Key Recommendations
• Identify who has AD admin rights (domain/forest) & isolate them to Admin
systems. Reducing membership in Domain Admins is only the beginning.
Reducing accounts with domain-level privileges is critical.
• Ensure AD & Cloud Admins use PAWs.
• Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate
custom permissions.
• Identify and reduce legacy permissions on Active Directory objects.
• Regularly rotate admin credentials (includes KRBTGT, DSRM, etc)
quarterly/annually & when AD admins leave.
• Ensure service account password changes occur annually.
• Gain visibility by flowing the most useful security & PowerShell events into
SIEM/Splunk.
Sean Metcalf (@Pyrotek3)
s e a n [@] TrimarcSecurity.com
www.ADSecurity.org
TrimarcSecurity.com

Slides: Presentations.ADSecurity.org