This document discusses securing Active Directory without spending money. It describes Active Directory and why access control is important. Privilege creep can occur over time as user accounts gain more access to objects like computers, groups and other users. This expands the attack surface for attackers. The document outlines Microsoft's Enhanced Security Administrative Environment (ESAE) solution in 3 stages with 14 steps to better separate administrative duties and limit administrative access. It provides an example of how a breach could occur if an unpatched public web server is compromised, allowing an attacker to gain domain administrator access. The document recommends two initial steps: 1) limit the number of administrative users and 2) create separate administrative accounts to better restrict administrative privileges.

1. Secure Active Directory
in one day without spending
a single dollar
1
David Rowe @customes
david [@] secframe.com
#infosec #nercomp #security
©2019

4. What is Active Directory?
Active Directory is a hierarchical structure that stores information
about objects on a network
• Users
• Computers
• Groups
Dictates security through object ownership and group membership

5. Why access is important
Active directory is set up as a discretionary access control model
• Based on the individual
• Each person has an account
• Accounts have access to objects

6. Why access is important
RBAC
• As administrators shift and rotate roles, they create different role
groups with different access across the domain(s)
• Ex: Helpdesk – reset passwords
• Ex: Server Team – log on to servers
Privilege creep
• Over time accounts gain more and more to objects.
• The rights are often overlooked and unknown by owners of AD

7. Why access is important
With users gaining more and more access to objects; computers,
groups and other users, attackers have more areas to exploit

8. A.D. – What usually happens
More and more users on the domain have privileges
User rights sit idle and can be used by anyone with access to that
account, group, or computer

9. Microsoft’s Solution – ESAE
Enhanced Security Administrative Environment
• Helps prevent compromise of administrative credentials from
cyber-attacks
• Thwart attacks by limiting exposure of admin credentials
(Cached Credentials)
Source:
https://goo.gl/UqHTJA

11. Microsoft’s Solution – 3 Stages, 14 steps
Stage 1:
• Separate Admin accounts for
Workstations
• Separate Admin accounts for
Servers
• Separate Admin accounts for
Domain Controllers
Stage 2:
• Privileged Access Workstations
for Admins
• Unique Local Passwords for
Servers & Workstations
• Time Bound Privileges
• Just Enough Administration
• Lower Attack Surfaces of DCs –
Limit Admin Count
• Attack Detection
Stage 3
• Modernize roles and delegation
model to be compliant with the
tiers
• Smartcard authentication for all
admins
• Admin Forest for AD admins
• Windows Defender Device
Guard
• Shielded VMs

12. 1 Day Security Solution
Slides available for
download at
Secframe.com/presentations

13. Microsoft’s Solution – 3 Stages, 14 steps
Stage 1:
• Separate Admin accounts for
Workstations
• Separate Admin accounts for
Servers
• Separate Admin accounts for
Domain Controllers
Stage 2:
• Privileged Access Workstations
for Admins
• Unique Local Passwords for
Servers & Workstations
• Time Bound Privileges
• Just Enough Administration
• Lower Attack Surfaces of DCs –
Limit Admin Count
• Attack Detection
Stage 3
• Modernize roles and delegation
model to be compliant with the
tiers
• Smartcard authentication for all
admins
• Admin Forest for AD admins
• Windows Defender Device
Guard
• Shielded VMs

14. The Breach
• An unpatched public facing web server was compromised
• An attacker exploited a vulnerability, granting admin
access to the server
• The attacker dumped the cached credentials on the
server
• Finds a local administrator password identical across
machines
• Attacker moved laterally across the domain probing
servers until he/she finds a computer where a domain
administrator (DA) credential was stored
• Attacker dumps DA hash from machine and cracks it
• The attacker now as full administrative access on the
domain

15. Step #1 Limit Admins

16. 1. Limit Admins

17. Built-in Groups’ Rights Overview
• Account Operators: Read LAPS attribute, administer
domain user and group accounts
• Administrators: God-mode
• Backup Operators: Override security restrictions. Allow
logon Locally, log on as batch job, shut down the system
• Domain Admins: member of every domain-joined
computer’s local Admin group
• Enterprise Admins: Member of every domain’s
Administrator group
• Group Policy Creator Owners: Can create and modify
GPOs on the domain
• Server Operators: can administer domain servers
• Remote Desktop Users: Remotely log on to domain
controllers in the domain.
• Exchange Groups: writeDACL on root of domain

18. What is a Shadow Admin?
shadow admin
sensitive privileges.
granted directly using ACLs on AD objects.
Slides available for
download at
Secframe.com/presentations

19. Finding Shadow Admins

20. Why find and limit # of admins

21. Step #2 Separate Admin Accounts

22. Tiered Guidelines
Accounts which have the ability to manage identity and permissions
enterprise-wide.
Objects: Domain Controllers and systems that manage DCs
Tier 0
Domain
Admins
Tier 1
Server
Admins
Accounts with control over resources or that manage critical data and
applications.
Objects: Servers
Tier 2
Workstation
Admins
Accounts with administrative privileges over standard user
accounts and standard-user devices.
Objects: Workstations

23. Step #2: Block Admins

24. Block Admins: The GPO: Servers
Slides available for
download at
Secframe.com/presentations

25. Questions?
https://github.com/davidprowe/AD_Sec_Tools
@customes
david [@] secframe.com