How To Minimize Your Active Directory Attack Surface
When newly installed, Active Directory’s (AD) default configuration is designed to be easy to use. As a result, attackers can exploit AD to take
over your entire network with relative ease. Here’s what you can do to further protect your organization by reducing your Active Directory
attack surface.
Securing beyond the default settings to reduce Active Directory attack surface
Active Directory is a Microsoft Windows directory service that was first introduced in Windows 2000 towards the end of 1999. It allows IT
administrators to manage users, computers, printers, data, and other resources of an organization’s overall network.
However, because of its popularity and integration throughout the enterprise, it is a prime target for attackers, threat actors, and
cybercriminals. If a bad guy can gain access to your AD, they could potentially access all of your user accounts, applications, databases, and
other business information.
Microsoft typically touts how it has made its default, out-of-the-box configurations more secure over the years, especially for reducing the Active
Directory attack surface. So why should you make your fresh install of AD more secure? Because attackers know the out-of-the-box AD
defaults and can find easily exploitable ingress points in a standard configuration. Therefore, it is vital to review your AD configuration and update
it to match your organization’s security and compliance guidelines.
CISA / NSA issue guidance on common cybersecurity misconfigurations
CISA and the NSA have issued guidance on addressing the most common cybersecurity misconfigurations in large government organizations.
These misconfigurations impact many organizations and pose systemic weaknesses. This includes most of the top configuration issues with
Windows Server and, you guessed it, AD.
The guidance provides mitigations and recommendations for IT pros, software developers, and software manufacturers to address AD
misconfigurations. The guidance aligns with the CISA and NIST-developed Cross-Sector Cybersecurity Performance Goals (CPGs) and the
secure-by-design and secure-by-default development principles.
The most important recommendation is that organizations test and validate their security controls and programs against the most common
threat behaviors mapped to a specific framework – the MITRE ATT&CK Enterprise framework.
Consider Server Core installation option for DCs to reduce your Active Directory attack surface
One of the most effective methods to reduce your Active Directory attack surface is to install Windows Server using the Server Core option
during Windows Setup. Server Core includes only a command-line interface with an extremely limited GUI. Removing the entire Desktop
Experience from Windows Server makes it more secure – the many components that ship with the desktop, and the ingress points that come with them, simply no longer exist.
IT pros either log in to the server and use the command line or PowerShell interfaces, or they can use remote access tools to manage and
configure the server. The Remote Server Administration Tools (RSAT) and Windows Admin Center are the best tools when it comes to being
efficient and not logging in to your domain controllers (DCs) at all.
Let me show you an example of the Windows Admin Center. The image below is the main page showing the servers I have set up for
management.
https://petri.com/active-directory-attack-surface/?_hsmi=292552627 1/5
2/5/24, 9:25 AM How to Minimize Your Active Directory Attack Surface - Petri IT Knowledgebase
Group Policy allows us to enable virtualization-based security to reduce Active Directory attack surface
The Group Policy settings shown here go into a new GPO linked to your ‘Domain Controllers’ Active Directory
Organizational Unit (OU). Device Guard uses virtualization-based security (VBS) to verify that only signed drivers can be loaded. This helps to prevent malware from loading
unsigned drivers that could be used to compromise the system.
Hypervisor-Protected Code Integrity (HVCI) uses VBS to prevent malware from injecting malicious code into the kernel. This helps to protect
the Windows kernel from attack and makes it harder for unwanted code to infect or compromise the system.
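A GPO only asks for these settings; whether a domain controller actually runs Server Core, VBS and HVCI is a separate question. The script below is an added example (not from the article) that checks every DC in the domain for both the Server Core point and the VBS/HVCI point above. It assumes the ActiveDirectory RSAT module is installed and that WinRM is reachable on the DCs.

```powershell
# Added example: report Server Core / VBS / HVCI status for every domain controller.
# Assumes: ActiveDirectory RSAT module, WinRM access to the DCs, run as a domain admin.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # InstallationType is 'Server Core' or 'Server' (Desktop Experience).
    $install = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType

    # Win32_DeviceGuard reports what VBS is doing at runtime, not merely what the GPO requested
    # (Computer Configuration > Administrative Templates > System > Device Guard).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    [PSCustomObject]@{
        Computer    = $env:COMPUTERNAME
        ServerCore  = ($install -eq 'Server Core')
        # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

$report | Sort-Object Computer | Format-Table Computer, ServerCore, VbsRunning, HvciRunning -AutoSize

# Anything that misses the baseline gets a warning so it can be fed into a ticket or a SIEM.
$report | Where-Object { -not ($_.ServerCore -and $_.VbsRunning -and $_.HvciRunning) } |
    ForEach-Object { Write-Warning "$($_.Computer) does not meet the DC hardening baseline" }
```

Run it after the GPO has applied and after a reboot, since VBS and HVCI only start at boot.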
Domain controller patch management
Although it may seem counterintuitive, you should patch domain controllers and other critical infrastructure components separately from your
general Windows infrastructure. By separating patch and systems management for domain controllers from the general population, you can
reduce the amount of software installed on domain controllers, in addition to tightly controlling their management.
Also, don’t log on to domain controllers to install Windows patches by hand. Use an enterprise patch management solution, like Windows Server
Update Services (WSUS), to push patches. The less you do ‘on’ your DCs, the better.
What is KRBTGT and why you should reset the account password
The KRBTGT account is an account in Active Directory that is created, disabled by default, when a new domain is created. It is the service account for
the Key Distribution Center (KDC) service. Its key is what the Kerberos KDC uses to sign and encrypt the tickets it issues, so every
Kerberos ticket is validated against it.
I recommend you reset the password of the KRBTGT account periodically to prevent attackers from using compromised passwords to create
Kerberos tickets and gain unauthorized access to your domain. The reset process should be performed on all writable domain controllers in
the domain every month or quarter. Semperis’ own Jorge De Almeida Pinto maintains a popular script to minimize the effort needed to reset
the KRBTGT password.
With Kerberos, attackers who steal a user password can potentially use it to spread further through the network – but with the NTLM hash of the
KRBTGT account, they can forge new tickets themselves. That is what enables a Kerberos Golden Ticket attack.
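To make the periodic reset something you can schedule and audit, here is an added example (my own, not the article's and not the Semperis script mentioned above) that reports the age of the KRBTGT password and performs a single reset against the PDC emulator. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the 90-day threshold is a placeholder for whatever interval you chose above.

```powershell
# Added example: check KRBTGT password age and reset it with a random value.
# Assumes: ActiveDirectory RSAT module, Domain Admin rights, run from the forest root
# or with -Domain pointing at the domain whose KRBTGT you manage (RODC krbtgt_* accounts are separate).
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $krbtgt = Get-ADUser -Identity krbtgt -Server $Domain -Properties PasswordLastSet
    [PSCustomObject]@{
        Domain          = $Domain
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
    }
}

function Reset-KrbtgtPassword {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # Reset on the PDC emulator so the new key replicates outward from a single source.
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator

    # Nobody ever logs in as krbtgt, so the value itself is irrelevant: 48 random bytes, base64-encoded.
    $bytes = New-Object byte[] 48
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $new = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $new

    # The KDC still honours tickets issued under the previous key, so a forged ticket survives
    # one reset. Reset a second time only after the first has replicated to every DC
    # (repadmin /showrepl); two resets back-to-back invalidate all live tickets and cause outages.
    Write-Host "KRBTGT reset on $pdc for $Domain. Confirm replication before any second reset."
}

$age = Get-KrbtgtPasswordAge
$age | Format-List
if ($age.AgeDays -gt 90) {   # placeholder threshold; align with your monthly or quarterly schedule
    Write-Warning "KRBTGT password is $($age.AgeDays) days old; schedule Reset-KrbtgtPassword."
}
```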
Managing privileged Active Directory groups: Enterprise Admins, Domain Admins, and Schema Admins
The Enterprise Admins, Domain Admins, and Schema Admins groups in Active Directory are extremely powerful. Administrative accounts in
these groups need to be carefully monitored. A user account in these groups can perform almost any task in Active Directory including creating
a child domain, modifying the security settings via Group Policy, and many other scary items. I highly recommend restricting the membership
of these groups via Group Policy. Let me show you how.
In Group Policy Management, create a new GPO at your Domain Controllers container (Organizational Unit, or OU).
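Whatever the GPO enforces, you still want to know when membership drifts between policy refreshes. The following is an added example (not from the article) that audits the three groups named above against an approved list and reports every member that should not be there; the approved account names are placeholders for your own break-glass and Tier 0 accounts. It assumes the ActiveDirectory RSAT module and that it runs in the forest root domain, where Enterprise Admins and Schema Admins live.

```powershell
# Added example: report unexpected members of the forest/domain-level admin groups.
# Assumes: ActiveDirectory RSAT module, run in the forest root domain with read access to the groups.
Import-Module ActiveDirectory

# Placeholder allow-list; replace with the accounts your tiered model actually permits.
$approved = @{
    'Enterprise Admins' = @('ea-breakglass')                  # placeholder
    'Domain Admins'     = @('da-breakglass', 'svc-adbackup')  # placeholder
    'Schema Admins'     = @()                                 # normally empty outside schema changes
}

$findings = foreach ($group in $approved.Keys) {
    # -Recursive expands nested groups, which is where surprise members usually hide.
    $members = Get-ADGroupMember -Identity $group -Recursive
    foreach ($m in $members) {
        if ($approved[$group] -notcontains $m.SamAccountName) {
            [PSCustomObject]@{
                Group       = $group
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass      # a computer or service account here is a red flag
                DN          = $m.distinguishedName
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Group, Member | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) unexpected privileged group member(s) found."
} else {
    Write-Host "All Enterprise Admins, Domain Admins and Schema Admins members are on the approved list."
}
```

Schedule it alongside the GPO so that a finding here means someone added a member outside the change process, not that the policy has not yet applied.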
Best practices include reviewing and amending default security settings, monitoring privileged accounts, implementing least privilege access,
and auditing and monitoring Active Directory changes. Additionally, it’s recommended to use a tiered administration model to protect privileged
AD credentials and limit access to lower-tiered staff.
Finally, you can scan for common AD misconfigurations using Purple Knight, a security assessment scanner that can help you identify and fix
security issues in AD.