Active Directory Security

The document presents a master class on Active Directory security led by Derek Melber, an expert in the field. It covers various topics including domain controllers, AD security overview, Windows security model, PowerShell usage, and best practices for securing Active Directory. The emphasis is on understanding privileges, user rights, and the importance of proper configurations to prevent vulnerabilities and attacks.


Active Directory Security Deep-dive Master Class

Derek Melber, MVP


Chief Technology and Security Strategist

[email protected]
@derekmelber
ABOUT THE SPEAKER

Derek Melber
● Chief Technology and Security Strategist
● 18X Microsoft MVP (AD, GP, Security)
● Speaker in over 35 countries
● Author of 16 books

[email protected]
LinkedIn: @derekmelber

Agenda
• Domain Controllers
• AD Security Overview
• Windows Security Model
• PowerShell and AD
• Privileges in AD
• Stop Thinking Like an Admin to Protect AD!
• Top AD Security Settings
Domain Controllers
Domain Controllers
• Main Function
  • Authenticate users and computers
  • Deploy Group Policy and scripts
• Replication and Convergence
  • Intra-site replication
    • Replication between DCs in the same site
    • Default is immediate
  • Inter-site replication
    • Replication between DCs in different sites
    • Default is 180 minutes
    • Minimum is 15 minutes
  • Inter-site Change Notification
    • Default is immediate
  • CMD: repadmin /replsummary
Domain Controllers
• Not all DCs are equal
• Flexible Single Master Operators (FSMO roles)
  • Relative ID (RID) Master
  • PDC Emulator
  • Infrastructure Master
  • Domain Naming Master (per forest)
  • Schema Master (per forest)
Domain Controllers

• PDC Emulator
  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
  • If a logon authentication fails at a given DC in a domain due to a bad password, the DC forwards the authentication request to the PDC emulator to validate the request against the most current password. If the PDC reports an invalid password to the DC, the DC sends back a bad password failure message to the user.
  • Account lockout is processed on the PDC emulator.
Domain Controllers

• PDC Emulator
  • Changes that are replicated immediately to the PDC Emulator from another DC:
    • Lockout of an account
    • Account is unlocked
    • Password reset on account
    • "User Must Change Password at Next Logon" manually set for a user
    • Modification of a Local Security Authority (LSA) secret
    • State changes of the RID Manager
Active Directory Security Overview

© ALSID
Active Directory Security Overview

• Privileged Accounts: This includes built-in users and groups with privileges, but also newly created users and groups that are granted privileges.
• Password Policy: Either via Group Policy or FGPP, the details of the Password Policy need to be configured correctly.
• Permissions: Both AD and SYSVOL have permissions that provide granular control, but misconfigured permissions can expose AD to an easy attack.
• Service Accounts: These include accounts that are used to support applications, services, scripts, scheduled tasks, and more.
• Network Protocols: Backward compatible network protocols leave the network and AD open for attack; SMB and NTLM need to be secured.
• Trusts: Domain and Forest trusts have many caveats and configurations that often go misconfigured and open to attack.
Active Directory Security Overview

• AD Processes: Processes such as SDProp, Kerberos authentication, and Kerberos ticketing need to be secured.
• User Attributes: Controls such as SPNs, Kerberos delegation, Primary Group ID, SIDHistory, etc. need to be secured.
• Unsecure Users: These accounts are those that have not logged on or changed their password in a long time, as well as those with non-expiring passwords.
• User Rights: Each Domain Controller has special privileges that can grant power over the server and even AD.
• AAD Connections: Settings within the on-prem AD that allow for communications and synchronization with Azure AD need to be secured.
• Computer Attributes: Kerberos delegations and group membership can provide an unmonitored attack surface, and every attacker looks for these.
Windows Security Model
The Windows Security Model
• SIDs
• Tokens
• Object-based Access Control
• User Authentication
SIDs
• User and computer account = 1 single object in AD
• A user/computer account only exists one time in AD
• User/computer accounts can have membership in many groups
• Security Identifiers (SIDs)
  • Users
  • Groups
  • Computers
• A SID is made up of the Domain SID followed by the RID (figure: Domain SID | RID)
• PS: Get-ADUser derek -Properties sid


Authentication Tokens
• Given out by Domain Controller at user logon
• Contents
• User SID
• Group SIDs
• Privileges
• CMD: whoami /all
• Only refreshed with user logoff/logon or computer restart
Object-based Access Control
• ACL – Access Control List – Security tab
  • Associated with Windows security objects
  • Entries can include: users, groups, computers
  • Defines the access per security principal
  • The ACL is a list of SIDs; the GUI translates them to names
  • Orphaned SIDs: entries whose SID no longer resolves to an existing account
• Objects with ACLs
  • Files and Folders
  • Registry keys
  • Printers
  • AD Objects
  • Services
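Added example (not from the deck): PowerShell that splits a SID into its domain SID and RID, then walks an AD object's ACL for entries whose SID no longer resolves to an account (the orphaned SIDs mentioned above). It assumes the ActiveDirectory module and its AD: drive are available on a domain-joined host; the user name derek is the deck's example.

```powershell
# Added example: SID structure and orphaned ACEs on AD objects (assumes the ActiveDirectory module)
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    # A domain SID looks like S-1-5-21-<d1>-<d2>-<d3>-<RID>; the last sub-authority is the RID
    $parts = $Sid.Value -split '-'
    [pscustomobject]@{
        Sid       = $Sid.Value
        DomainSid = ($parts[0..($parts.Count - 2)]) -join '-'
        Rid       = [int]$parts[-1]
    }
}

function Get-OrphanedAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The AD: PSDrive is provided by the ActiveDirectory module
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference
        if ($id -is [System.Security.Principal.SecurityIdentifier]) { $sid = $id }
        else { try { $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]) } catch { continue } }
        try {
            [void]$sid.Translate([System.Security.Principal.NTAccount])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # No account maps to this SID: the principal was deleted but its ACE remains
            [pscustomobject]@{
                Object = $DistinguishedName
                Sid    = $sid.Value
                Rights = $ace.ActiveDirectoryRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

# The deck's example user, split into domain SID and RID
Split-Sid -Sid (Get-ADUser derek).SID

# Orphaned ACEs on the domain root and on every OU
$domainDn = (Get-ADDomain).DistinguishedName
@($domainDn) + (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName) |
    ForEach-Object { Get-OrphanedAce -DistinguishedName $_ } | Format-Table -AutoSize
```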
User Authentication
PowerShell and
Active Directory
The Powershell Environment

[Screenshots: Powershell Console, Powershell ISE]
Useful AD Powershell CMDlets

Install-Module NTFSSecurity
Installs the NTFS Security Module from the Microsoft Powershell Gallery.

Get-ADUser -Filter * -Properties *
Retrieves all readable properties of all users in Active Directory

Get-ADGroup -Filter * -Properties *
Retrieves all readable properties of all groups in Active Directory

Get-ADComputer -Filter * -SearchBase "CN=Server,OU=CT,DC=MyCompany,DC=Corp"
Retrieves all computers in the Server container of the CT OU in the mycompany.corp domain
Export Info in Multiple Formats
Powershell for AD Enumeration
The following are a few examples of Powershell cmdlets that an authenticated, non-privileged user can easily run and that attackers leverage:

Get-ADUser -Filter {Name -like "*admin*"}
Retrieves all users with "admin" in the name
Get-ADUser -Filter {ServicePrincipalName -ne "$null"}
Retrieves all users that have an SPN
Get-ADDefaultDomainPasswordPolicy
Retrieves the Domain Password Policy located in the Default Domain Policy
Get-ADGroup -Filter * | Select-Object Name
Retrieves all AD group names
Get-ADDomain
Gets domain info including DC info
Get-ADDomainControllerReplicationPolicy
Retrieves DC replication info
Get-GPO -All (or even better Get-GPOReport)
Retrieves all GPOs. Get-GPOReport will even export them as XML or CSV
Privileges in Active Directory
Privileged Groups
Admin/Privileged Domain Groups
• Domain Admins
• Administrators
• Cert Publishers
• DHCP Administrators
• DNSAdmins
• Group Policy Creator Owners
• Account Operators
• Backup Operators
• Protected Users
• Pre-Windows 2000 Compatible Access
Protected Users
• The Protected Users group imposes the following restrictions on its members:
  • The CredSSP and WDigest security providers no longer cache the clear-text passwords of logged-on accounts in memory, even if the "Allow delegating default credentials" policy is enabled. Accordingly, the accounts cannot use delegation of authentication to connect to other systems transparently (Windows internal SSO).
  • The NTLM provider no longer caches the password hash of authenticated accounts in memory.
  • No delegation of authentication is available for the accounts, neither constrained nor unconstrained.
  • Kerberos pre-authentication is limited to strong encryption algorithms such as AES; support for DES and RC4 is disabled.
  • The default lifetime of Kerberos tickets (TGT only) changes from 10h to 4h, and they are not automatically renewed.
  • Cached domain logon is disabled. As a result, if no domain controller is available, the accounts cannot log on to any computer.
  • NTLM can no longer be used for user authentication, limiting the authentication protocol to Kerberos only.
Additional Admin/Privileged Domain Groups
• Service and Application Groups
• Exchange
• Sharepoint
• “Acme” application
• Custom Groups
• Usually created by admins for ease of naming and used for administration
• Be sure to document all group names
Admin Forest Groups
• Forest Root Domain
• Schema Admins
• Enterprise Admins
Working With Groups
• Group nesting
• Ideal for organizing “who” can do “what” to an “asset”
• Horrible when it comes to “Effective permissions/access”
• Horrible when it comes to “recursive group members”
• PS: get-adgroupmember administrators -recursive
User Rights
User Rights
• Computer wide configurations that control what users can do to/on that computer
• User rights are unique from computer to computer
• User rights are configured centrally using Group Policy
• If not centrally, then local policy configures computer user rights
• User rights override security permissions
• I.e. if a user is denied permission to a folder, the user can still back it up with the Back up / Restore files and directories user rights
User Rights
• Domain controllers
• Obtain more secure configuration at promotion
• Default Domain Controllers Policy configures user rights
• Server
• Joining AD domain does not enhance user right security
• No GPO configures server user rights by default
User Rights
• Shut down the system
• Force shutdown of remote system
• Log on as a batch job
• Log on as a service
• Log on locally
• Act as part of the OS
• Backup and Restore files and directories
User Rights
• Enable trusted for delegation
• Generate security audits
• Load and unload device drivers
• Manage auditing and security log
• Replace process level token
• Synchronize directory service data
• Take ownership of files and other objects
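Added example (not from the deck): exports the local computer's user rights assignment with secedit and resolves each SID to a name, so a member server, which the deck notes gets no GPO-managed user rights by default, can be compared against a domain controller. It assumes an elevated PowerShell session; the SeXxx privilege constants are the standard Windows names for the rights listed above.

```powershell
# Added example: list who holds the sensitive user rights on this computer (run elevated)
function Get-UserRightsAssignment {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    # secedit writes a [Privilege Rights] section of lines like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $name = $entry
            if ($entry.StartsWith('*')) {
                # A leading * marks a raw SID; translate it, keeping the SID if it is orphaned
                $sid = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
                try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = $sid.Value }
            }
            [pscustomobject]@{ Right = $right; Principal = $name }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

# Rights called out in the deck that warrant review on every server and DC
$watch = 'SeRemoteShutdownPrivilege', 'SeBatchLogonRight', 'SeServiceLogonRight', 'SeInteractiveLogonRight',
         'SeTcbPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeEnableDelegationPrivilege',
         'SeAuditPrivilege', 'SeLoadDriverPrivilege', 'SeSecurityPrivilege', 'SeAssignPrimaryTokenPrivilege',
         'SeSyncAgentPrivilege', 'SeTakeOwnershipPrivilege'
Get-UserRightsAssignment | Where-Object { $_.Right -in $watch } | Sort-Object Right | Format-Table -AutoSize
```

Run it once on a member server and once on a DC and diff the two outputs to see what the Default Domain Controllers Policy tightened that the server never received.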
Stop Thinking Like an Admin to Protect AD!
AD/Windows Issues and Attacks
• Entry Points
  • Too many vulnerabilities and misconfigurations to secure
  • EDR/XDR/etc.: too many ways to bypass them
  • Privileged access too easy to obtain
  • Cached credentials easy to obtain
• AD Recon
  • Any user with "read access" can enumerate AD!
  • Nearly all aspects of AD can be enumerated and analyzed
AD/Windows Issues and Attacks
• Privileged access too easy to obtain
  • With privileges, tools can be installed and run
  • Local services and security can be altered
  • Local cache can be accessed
• Cached credentials easy to obtain
  • Usernames and password hashes
  • Crack the hashes
  • Use hashes in Pass-the-hash attacks
Enumeration – Determine Privileged Accounts
1. Run installed tools
2. Query AD privileges
3. Get users with privileges
4. Compare mined credentials against AD privileged accounts
• What Attackers Have: Mined credentials from local cache(s)
• What Attackers Obtain: List of users that have privileges in AD

Enumeration – Attack Accounts
1. Run installed tools
2. Query AD accounts
3. Get users with exploitable attributes
4. Attack users/computers to gain privileges
• What Attackers Have: Ability to enumerate AD
• What Attackers Obtain: List of users/computers that have exploitable attributes
Top AD Security Settings

Defensive Actions (slide matrix, grouped by column):
• Vulnerability Management, AV, EDR, Educate users, Email security, Application Restriction, UEBA
• LAPS, Unique passwords, Common passwords, Change PW often, Strong Password Policy, Least privilege, User is not local Administrator, MFA, PAM
• Secure privileged users, Secure service accts, Secure computer accts, Clean up old security, Password spray detect, Brute force detect, LSASS detect
• DCSync detect, DCShadow detect, Golden Ticket detect, SIDHistory modification, SPN modification, Kerberos delegation modification, Primary Group ID modification

Attacker Tactics (phases from target recognition to post exploitation): Target recognition; Initial Entry Point (Phishing and exploits); Company's compromise; Lateral movement on selected targets; Infrastructure cartography; Local privilege escalation; Credentials replay on privileged accounts; Privileges escalation on AD; Post exploitation (persistence, backdooring)
• Phish users, Exploit Vulnerabilities, Misconfigurations
• Mine credentials, Install enumeration tool, Enumerate AD, Exploit Vulnerabilities
• SPN/Kerberoasting, Kerberos delegation, Password spray, Brute force, Cleartext password, No password required, LSASS credential dump, Exploit Vulnerabilities
• Set user attributes, Modify group members, Set user rights, Modify group policy, Create Golden Ticket, adminSDHolder, Exploit Vulnerabilities

• AD Recon and Lateral Movement
Password Policy(s)

- Availability : In every AD domain


- Level of Threat : Critical
- Attack Method : Spray, Brute force, Kerberoasting
- Commonality of being misconfigured : Near 100%
- Ability to secure : Yes
- How to secure: Solid password policy, FGPP, MFA

Password Required

- Availability : In every AD domain


- Level of Threat : Critical
- Attack Method : Impersonation, Privilege escalation
- Commonality of being misconfigured : Near 100%
- Ability to secure : Yes
- How to secure: Ensure every user account requires a password

• Immediate Privilege Escalation
Privileged Groups

- Availability : In every AD domain


- Level of Threat : Critical
- Attack Method : Privilege escalation
- Commonality of being misconfigured : Near 100%
- Ability to secure : Yes
- How to secure: Ensure group members are correct

Primary Group ID

- Availability : In every AD domain


- Level of Threat : Critical
- Attack Method : Privilege escalation
- Commonality of being misconfigured : Near 100%
- Ability to secure : Yes
- How to secure: Set primaryGroupID to 513

GPO Permissions

- Availability : In every AD domain


- Level of Threat : Critical
- Attack Method : Privilege escalation, Ransomware deployment
- Commonality of being misconfigured : Near 100%
- Ability to secure : Yes
- How to secure: Ensure GPO permissions are correct

adminSDHolder

- Availability : In every AD domain


- Level of Threat : Critical
- Attack Method : Privilege escalation
- Commonality of being misconfigured : Near 100%
- Ability to secure : Yes
- How to secure: Remove users from AdminSDHolder ACL (via groups too)

• Attack to Gain Privileges
Kerberos Delegation

- Availability : In every AD domain


- Level of Threat : Critical
- Attack Method : Impersonation
- Commonality of being misconfigured : Near 100%
- Ability to secure : Yes
- How to secure: Configure constrained delegation

Service Principal Name

- Availability : In every AD domain


- Level of Threat : Critical
- Attack Method : Kerberoasting
- Commonality of being misconfigured : Near 100%
- Ability to secure : Yes
- How to secure: Remove SPN users from privileged groups

KRBTGT User Password

- Availability : In every AD domain


- Level of Threat : Critical
- Attack Method : Kerberoasting, Golden Ticket
- Commonality of being misconfigured : Near 100%
- Ability to secure : Yes
- How to secure: Reset KRBTGT password 2X/year

AD Root Permissions

- Availability : In every AD domain


- Level of Threat : Critical
- Attack Method : DCSync
- Commonality of being misconfigured : Near 100%
- Ability to secure : Yes
- How to secure: Ensure AD root permissions are correct
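Added example (not from the deck): a read-only PowerShell audit covering the settings in this section and the Protected Users slide, using the same ActiveDirectory cmdlets shown under Powershell for AD Enumeration. The privileged group list, the 14-character minimum length and the 180-day KRBTGT threshold are assumptions to adjust to your own policy; it needs only read access to the domain.

```powershell
# Added example: audit the deck's top AD security settings (assumes the ActiveDirectory module)
Import-Module ActiveDirectory
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Backup Operators', 'DNSAdmins', 'Group Policy Creator Owners'
function Get-PrivilegedUser {
    # -Recursive flattens nesting, which the deck notes hides effective access
    $privGroups | ForEach-Object { Get-ADGroupMember $_ -Recursive -ErrorAction SilentlyContinue } |
        Where-Object objectClass -eq 'user' | Sort-Object distinguishedName -Unique
}
function Test-ADSecuritySettings {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Check, $Object) { $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object }) }
    $priv    = Get-PrivilegedUser
    $privDns = @($priv.distinguishedName)
    $domain  = (Get-ADDomain).DistinguishedName
    # Password Policy: weak domain-wide minimum length (14 is an assumed threshold)
    $pol = Get-ADDefaultDomainPasswordPolicy
    if ($pol.MinPasswordLength -lt 14) { Add-Finding 'MinPasswordLengthBelow14' $pol.MinPasswordLength }
    # Password Required: PASSWD_NOTREQD lets an account exist with an empty password
    Get-ADUser -Filter 'PasswordNotRequired -eq $true' | ForEach-Object { Add-Finding 'PasswordNotRequired' $_.SamAccountName }
    # Primary Group ID: anything but 513 (Domain Users) hides membership from group listings
    Get-ADUser -Filter 'primaryGroupID -ne 513' -Properties primaryGroupID |
        ForEach-Object { Add-Finding "primaryGroupID=$($_.primaryGroupID)" $_.SamAccountName }
    # Privileged Groups / Protected Users: privileged users left outside Protected Users
    $protected = @((Get-ADGroupMember 'Protected Users' -Recursive -ErrorAction SilentlyContinue).distinguishedName)
    $priv | Where-Object { $_.distinguishedName -notin $protected } |
        ForEach-Object { Add-Finding 'PrivilegedUserNotInProtectedUsers' $_.SamAccountName }
    # Service Principal Name: an SPN on a privileged user is a high-value Kerberoasting target
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' | Where-Object { $_.DistinguishedName -in $privDns } |
        ForEach-Object { Add-Finding 'PrivilegedUserWithSPN' $_.SamAccountName }
    # Kerberos Delegation: unconstrained delegation (UAC bit 0x80000) on anything outside the DC OU
    Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
        Where-Object { $_.DistinguishedName -notlike "*OU=Domain Controllers,$domain" } |
        ForEach-Object { Add-Finding 'UnconstrainedDelegation' $_.Name }
    # KRBTGT User Password: older than the 2x/year cadence the deck recommends
    $krb = Get-ADUser krbtgt -Properties PasswordLastSet
    if ($krb.PasswordLastSet -lt (Get-Date).AddDays(-180)) { Add-Finding 'KrbtgtPasswordStale' $krb.PasswordLastSet }
    # adminSDHolder and AD Root Permissions: review every ACE granting full control, WriteDacl or WriteOwner
    foreach ($dn in "CN=AdminSDHolder,CN=System,$domain", $domain) {
        (Get-Acl "AD:\$dn").Access | Where-Object { $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') } |
            ForEach-Object { Add-Finding "WriteACE on $dn" "$($_.IdentityReference): $($_.ActiveDirectoryRights)" }
    }
    return $findings
}
Test-ADSecuritySettings | Sort-Object Check | Format-Table -AutoSize
```

The WriteACE rows include the expected defaults (Domain Admins, Enterprise Admins, SYSTEM); the ones to act on are any other principal, and in particular any individual user, that appears there.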
Questions?

Derek Melber, MVP


[email protected]
Thank You!!!

Derek Melber, MVP


Chief Technology and Security Strategist

[email protected]
@derekmelber
Introducing Tenable.ad
Darryl Baker, Craig Birch, Derek Melber