You wouldn’t leave the front or back door of your house unlocked and wide open, would you? Then why aren’t you as diligent with your work environment? Idle permissions and forgotten accounts – which often aren’t cleaned up – are two key areas ripe for compromise in your identity system. Learn how: - An attacker can use back doors into your Active Directory environment to gain access to your systems, applications, and confidential information. - Having your administrators make a few minor changes, can increase your security footprint and lower your attack surface. Session Outcomes: - Learn 5 free methods to secure your Active Directory. - Deploy validated and tested policies that enhance your security footprint. - Identify and define privileged groups in your organization.

1. Idle Permissions and
Forgotten Accounts
AREAS RIPE FOR COMPROMISE
I s t h e D o o r t o Yo u r A c t i v e D i r e c t o r y
W i d e O p e n a n d U n s e c u r e ?
© 2 0 1 9 : : D a v i d Ro w e : : S e c f ra m e . c o m

2. A Cached Story
How many stored passwords is too many?
How long are they stored?
1
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

3. David Rowe, CISSP
 Owner of Secframe.com
 Cloud Security Lead at Boston Children’s
 Info today from: Security research @ Harvard
 Incident response on multiple nation state attacks
 Custom vulnerability assessments for A.D.
 520,000+ objects audited, 1300+ Group Policies
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

4. David Rowe, CISSP
Secframe.com
/in/davidprowe
@customes
davidprowe
david@secframe.com
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

5. Today:
 What is Active Directory?
 Why is Access Important?
 Microsoft ESAE
 5 Step Install - $0.00
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

6. What is Active
Directory?
2
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

7. Object Information Store
A.D. stores information about OBJECTS
on a computer network
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

8. Object Information Store
Hierarchy: Parent/Child
Common Object Types:
Users
Computers
Groups
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

9. Security Defined Through:
Via ACLs; Ownership, & Membership
Objects authorized to perform actions
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

10. Hierarchy:
So urce:
https://www.secframe.com/blog/account-operators-what-can-they-control
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Ex: Account Operators

11. Why is Access
Important?
3
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

12. -Margaret Rouse
Techta rget. co m
Privilege creep is the gradual
accumulation of access rights
beyond what an individual needs
to do his or her job
“

13. Privilege Creep
As users shift and rotate roles, the
administrators create different role groups
with different access across the domain(s).
Those groups keep getting added to users
with no checks in place.
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

14. Over time accounts gain more access to
objects
The rights are often overlooked
Often user permissions are unknown to
the owners of AD
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Privilege Creep

15. Privilege Creep 1:
 Helpdesk
 Starts with reset password
 Over time:
 Log into servers / workstations
 Change file share permissions
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

16. Privilege Creep 2:
 Server Team
 Starts with 2 or 3 standard users
 Over time:
 Added to domain admin – God-mode
 Can edit anything across entire network
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

17. Group Creep
 User starts in Help Desk
 Stays in role 2 years, gets promoted
 Gets access to more systems
 Help desk roles and permissions never removed
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

18. Excessive Group Creep
So urce:
Audit I performed for a client
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Green Circle = User
Yellow Circles = Groups

19. Forgotten Accounts
Users on a domain continue to acquire privileges
User rights sit idle and can be used by anyone with
access to that account, group, or computer
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

20. Idle Permissions +
Privilege Creep
With users gaining more and more access to
objects; computers, groups, and other users,
ATTACKERS HAVE MORE TARGETS TO EXPLOIT
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

21. What can we do?
Click here to learn more!

22. Microsoft ESAE
4
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

23. Microsoft’s Solution ESAE
Enhanced
Security
Administrative
Environment
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

24. Microsoft’s Solution ESAE
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Where to start:

25. • An unpatched public facing web server was compromised
• An attacker exploited a vulnerability, granting admin access
to the server
• The attacker dumped the cached credentials on the server
• Finds a local administrator password identical across
machines
• Attacker moved laterally across the domain probing servers
until he/she finds a computer where a domain administrator
(DA) credential was stored
• Attacker dumps DA hash from machine and cracks it
• The attacker now has full administrative access on the
domain
The Breach
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

26. Microsoft’s Solution ESAE
Helps prevent compromise of administrative
credentials from cyber-attacks
Thwart attacks by limiting exposure of admin
credentials (Cached Credentials)
Microsoft’s recommended baseline to remediate pass
the hash
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

27. ESAE: 3 Stages, 14 Steps
Stage 1:
Separate Admin accounts for
Wo rks ta tio ns
Sepa ra te Admin a cco unts fo r Servers
Sepa ra te Admin a cco unts fo r Do ma in
Co ntro llers
Stage 2:
Privileged Acces s Wo rks ta tio ns fo r
Admins
U nique Lo ca l Pa s s wo rds fo r
Servers & Wo rks ta tio ns
T ime B o und Privileges
J us t E no ugh Adminis tra tio n
Lower Attack Surfaces
o f DCs : Limit Admins
Atta ck Detectio n
Stage 3
Mo dernize ro les a nd delega tio n
mo del to be co mplia nt with the tiers
Sma rtca rd a uthentica tio n fo r a ll
a dmins
Admin Fo res t fo r AD a dmins
W indo ws Defender Device Gua rd
Shielded V Ms
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

28. 5 Step Install
5
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

29. $0.00 Solution:
In an hour you can implement
100% of Stage 1
50% of Stage 2
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

30. ESAE: 3 Stages, 14 Steps
Stage 1:
Separate Admin accounts for
Wo rks ta tio ns
Sepa ra te Admin a cco unts fo r Servers
Sepa ra te Admin a cco unts fo r Do ma in
Co ntro llers
Stage 2:
Privileged Acces s Wo rks ta tio ns fo r
Admins
U nique Lo ca l Pa s s wo rds fo r
Servers & Wo rks ta tio ns
T ime B o und Privileges
J us t E no ugh Adminis tra tio n
Lower Attack Surfaces
o f DCs : Limit Admins
Atta ck Detectio n
Stage 3
Mo dernize ro les a nd delega tio n
mo del to be co mplia nt with the tiers
Sma rtca rd a uthentica tio n fo r a ll
a dmins
Admin Fo res t fo r AD a dmins
W indo ws Defender Device Gua rd
Shielded V Ms
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _
To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s

31. #1 Separate Admin
Accounts
i. Separate admin accounts for tiers
ii. Block login access across tiers
iii. Move Admin users and groups to Admin OU
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

32. What are tiers?
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
Accounts which have the ability to manage identity and permissions
enterprise-wide.
Objects: Domain Controllers and systems that manage DCs
Tier 0
Domain
Admins
Tier 1
Server
Admins
Accounts with control over resources or that manage critical data and
applications.
Objects: Servers
Tier 2
Workstation
Admins
Accounts with administrative privileges over standard user accounts
and standard-user devices.
Objects: Workstations

33. Tiers: Further Reading
Secframe.com Blog Posts
What are tiers and who holds the keys to
the kingdom?
What is Microsoft ESAE and Red Forest
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

34. Block logins across tiers
 Start by blocking Domain Admins (DAs)
logins
 They should not be able to log into
workstations or servers
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

35. Block DAs: The GPO
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

36. Block logins across tiers
 6+ months: Continue with Tier 1 and
Tier 2
 Stage 3, step 1: Modernize roles and
delegation
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _
To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s

37. Centralize Admins
Blog post:
Why aren't your administrators in one
place?
 https ://gallery. technet.micros oft. com/Privileged -
Acces s -3d072563
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

38. ESAE: 3 Stages, 14 Steps
Stage 1:
Separate Admin accounts for
Wo rks ta tio ns
Sepa ra te Admin a cco unts fo r Servers
Sepa ra te Admin a cco unts fo r Do ma in
Co ntro llers
Stage 2:
Privileged Acces s Wo rks ta tio ns fo r
Admins
U nique Lo ca l Pa s s wo rds fo r
Servers & Wo rks ta tio ns
T ime B o und Privileges
J us t E no ugh Adminis tra tio n
Lower Attack Surfaces
o f DCs : Limit Admins
Atta ck Detectio n
Stage 3
Mo dernize ro les a nd delega tio n
mo del to be co mplia nt with the tiers
Sma rtca rd a uthentica tio n fo r a ll
a dmins
Admin Fo res t fo r AD a dmins
W indo ws Defender Device Gua rd
Shielded V Ms
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _
To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s

39. #2 Limit Admins
Boot people out of admin groups
Boot Service Accounts out of groups
Boot groups out of groups
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

40. What are the admin groups?
Built-in Groups
 B lo g Po s ts :
 T he Da ngers o f B uilt-In Gro ups
 Fo rget- me - not lis t: privileged gro ups to a udit to day
Shadow Admins
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

41. Built-In Groups: Permissions
Overview
 Acco unt Opera to rs : Rea d LAPS a ttribute, a dminis ter
do ma in us er a nd gro up a cco unts
 Adminis tra to rs : Go d - mo de
 B a ckup Opera to rs : Override s ecurity res trictio ns . Allo w lo go n Lo ca lly,
lo g o n a s ba tch jo b, s hut do wn the s ys tem
 Do ma in Admins : member o f every do ma in - jo ined co mputer ’s lo ca l Admin
gro up
 E nterpris e Admins : Member o f every do ma in’s Adminis tra to r gro up
 Gro up Po licy Crea to r Owners : Ca n crea te a nd mo dify GPOs o n the
do ma in
 Server Opera to rs : ca n a dminis ter do ma in s ervers
 Remo te Des kto p U s ers : Remo tely lo g o n to do ma in co ntro llers in the
do ma in.
 E xcha nge Gro ups : writeDACL o n ro o t o f do ma in
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

42. What is a Shadow Admin
A shadow admin is an account in your network
that has sensitive privileges. Typically
overlooked because the account is not in a
privileged group, permissions for this account
were granted directly using ACLs on AD
objects.
These accounts are highly desirable because
they provide admin privileges needed to
advance an attack. They are less likely to be
watched by audit and logging systems
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

43. Shadow Admins on a Domain
* D O M A I N I T U S E R S
* D O M A I N H R U S E R M A N A G E M E N T
* D O M A I N I T - H E L P D E S K
* D O M A I N A C C O U N T M A N A G E M E N T
* D O M A I N I T E x c h a n g e
* D O M A I N I T U s e r P a s s w o r d R e s e t s
* D O M A I N I T S E R V E R A D M I N S
* D O M A I N E n t e r p r i s e S e r v i c e s
* D O M A I N O f f i c e d e p t A d m i n s
* D O M A I N B a s e A d m i n s
* D O M A I N C o m p M a n a g e m e n t
* D O M A I N E M A I L A D M I N S
* D O M A I N C O N TA C T C R E A T O R
* D O M A I N C o n t a c t M a n a g e m e n t
* D O M A I N C r e d i t _ S U P P O R T
* D O M A I N W e b A d m i n i s t r a t i o n
* D O M A I N M A I L B O X M G M T
* D O M A I N S e r v i c e D e s k
* D O M A I N O A D M I N S
* D O M A I N V P N A d m i n i s t r a t o r s
* D O M A I N A D U s e r C l e a n u p
* D O M A I N R & D A D M I N S
* D O M A I N E p s i l o n A d m i n s
* D O M A I N Z o n e A D M I N S
* D O M A I N A D W R I T E R S A d m i n s
* D O M A I N F i l e S h a r e A D M I N S
* D O M A I N R d r i v e A D M I N S
* D O M A I N O d r i v e A D M I N S
* D O M A I N S A N A d m i n s
* D O M A I N C l o u d a p p s A D M I N S
* D O M A I N S E R V I C E N O W A D M I N S
* D O M A I N S E R V I C E N O W O U A D M I N S
* D O M A I N S E R V I C E N O W G r o u p A D M I N S
* D O M A I N I T O U A D M I N S
* D O M A I N N e t w o r k Te a m
* D O M A I N C l u s t e r 2 A d m i n s
* D O M A I N D a t a b a s e D i s k A d m i n s
* D O M A I N C l u s t e r A d m i n s
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

44. Finding Shadow Admins
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
https://github.com/davidprowe/AD_Sec_Tools

45. Why Find and Limit
# of Admins?
Click here to learn more!

46. Forgotten Accounts + Privilege
Creep
The accounts the attackers are targeting
The credentials they want
Credentials laying dormant on systems
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

47. ESAE: 3 Stages, 14 Steps
Stage 1:
Separate Admin accounts for
Wo rks ta tio ns
Sepa ra te Admin a cco unts fo r Servers
Sepa ra te Admin a cco unts fo r Do ma in
Co ntro llers
Stage 2:
Privileged Acces s Wo rks ta tio ns fo r
Admins
U nique Lo ca l Pa s s wo rds fo r
Servers & Wo rks ta tio ns
T ime B o und Privileges
J us t E no ugh Adminis tra tio n
Lower Attack Surfaces
o f DCs : Limit Admins
Atta ck Detectio n
Stage 3
Mo dernize ro les a nd delega tio n
mo del to be co mplia nt with the tiers
Sma rtca rd a uthentica tio n fo r a ll
a dmins
Admin Fo res t fo r AD a dmins
W indo ws Defender Device Gua rd
Shielded V Ms
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _
To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s

48. #3 Cached Creds GPO
Create GPOs to remove the cached credentials from
computers
…then reboot
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

49. Cached Credentials?
 Computer level setting
 Interactive logon: Number of previous
logons to cache [store in memory] (in
case domain controller is not
available)
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

50. Cached Credentials Defaults
 Value indicates stored users
credentials on device – (10)
 Default stored as RC4 hash on system
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

51. Vulnerabilities
 Targeted Pass-the-hash -If you can’t
crack it, encapsulate and pass it
 RC4 Nomore – one type of RC4 Exploit
– 52 Hrs to crack
 One incident I observed evidence a
plaintext password 9 minutes after the
hash was compromised
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

52. Playground: Exploit Tools
Mimikatz, Impacket, JtR, Hashcat,
Ophcrack, Taskmanager… + lsass.exe,
Pwdumpx + passwordPro
Google for more!
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

53. No Cached Creds: The GPO
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

54. Reporting on Cached Creds
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
 Find machines on the domain that have
cached creds enabled
 AD_Computer_CachedCredsFind
Computers without
Cached Cred GPO.ps1

55. Reporting on Cached Creds
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

56. #4 LAPS
Local Admin Password Solution – ms-mcs-admpwd
Unique passwords for all workstations and servers
Prevents lateral movement between machines
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

57. 4 Steps to LAPS
Extend schema to support LAPS *
Allow computers to write to LAPS attribute
Software must be installed on workstations/servers
GPO to deploy password settings
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

58. LAPS Steps 1 & 2
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

59. LAPS Steps 3 & 4
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

60. ESAE: 3 Stages, 14 Steps
Stage 1:
Separate Admin accounts for
Wo rks ta tio ns
Sepa ra te Admin a cco unts fo r Servers
Sepa ra te Admin a cco unts fo r Do ma in
Co ntro llers
Stage 2:
Privileged Acces s Wo rks ta tio ns fo r
Admins
U nique Lo ca l Pa s s wo rds fo r
Servers & Wo rks ta tio ns
T ime B o und Privileges
J us t E no ugh Adminis tra tio n
Lower Attack Surfaces
o f DCs : Limit Admins
Atta ck Detectio n
Stage 3
Mo dernize ro les a nd delega tio n
mo del to be co mplia nt with the tiers
Sma rtca rd a uthentica tio n fo r a ll
a dmins
Admin Fo res t fo r AD a dmins
W indo ws Defender Device Gua rd
Shielded V Ms
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _
To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s

61. #5 Audit & Alert
Domain Admin logon
Alert of vssadmin create shadow
Install Security Tools
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

62. Audit
MS Audit Policy Recs: https://goo.gl/uGUL4a
Sample:
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

63. Alert
Domain Admin logons
Vssadmin create shadow on domain controllers
*Protect the NTDS.dit
*Move the NTDS.dit
Domain dumps often start with the vss copy
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

64. Install Security Tools
Endpoint Protection
Microsoft Advanced Threat Analytics (ATA)
Gartner link https://goo.gl/NgWuGK
Crowdstrike, CarbonBlack, Cylance, Sophos, Fireeye
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m

65. ESAE: 3 Stages, 14 Steps
Stage 1:
Separate Admin accounts for
Wo rks ta tio ns
Sepa ra te Admin a cco unts fo r Servers
Sepa ra te Admin a cco unts fo r Do ma in
Co ntro llers
Stage 2:
Privileged Acces s Wo rks ta tio ns fo r
Admins
U nique Lo ca l Pa s s wo rds fo r
Servers & Wo rks ta tio ns
T ime B o und Privileges
J us t E no ugh Adminis tra tio n
Lower Attack Surfaces
o f DCs : Limit Admins
Atta ck Detectio n
Stage 3
Mo dernize ro les a nd delega tio n
mo del to be co mplia nt with the tiers
Sma rtca rd a uthentica tio n fo r a ll
a dmins
Admin Fo res t fo r AD a dmins
W indo ws Defender Device Gua rd
Shielded V Ms
© 2 0 1 9 : : D a v i d R o w e : : S e c f r a m e . c o m
h t t p s : / / g i t h u b . c o m / d a v i d p r o w e / A D _ S e c _
To o l s / t r e e / m a s t e r / C r e a t e % 2 0 T i e r s

66. Now what do I do?
D e p l o y t h e 5 f r e e s t e p s
G u i d a n c e o n F ra m e w o r k s a n d To o l s
S e c u r i t y A u d i t s & Ro a d m a p s
Secframe.com/about

67. Special Thanks
M a r i e D i R u z z a
L i s a D i M a u r o
N e r c o m p : A m y, A n a n d a , A n d r e a
Secframe.com/about

68. Slides available for
download at:
Secframe.com/presentations