Secure Active Directory in one day without spending a single dollar
David Rowe @customes
david_rowe [@] Harvard.edu
#infosec #nercomp #security
©2019
What is Active Directory?
Active Directory is a hierarchical structure that stores information about objects on a network
• Users
• Computers
• Groups
Dictates security through object ownership and group membership
Why access is important
Active Directory is set up as a discretionary access control model
• Based on the individual
• Each person has an account
• Accounts have access to objects
Why access is important
RBAC
• As administrators shift and rotate roles, they create different role groups with different access across the domain(s)
• Ex: Helpdesk – reset passwords
• Ex: Server Team – log on to servers
Privilege creep
• Over time, accounts gain more and more access to objects
• These rights are often overlooked and unknown to the owners of AD
Why access is important
With users gaining more and more access to objects (computers, groups and other users), attackers have more areas to exploit
A.D. – What usually happens
More and more users on the domain have privileges
User rights sit idle and can be used by anyone with access to that account, group, or computer
Microsoft’s Solution – ESAE
Enhanced Security Administrative Environment
• Helps prevent compromise of administrative credentials from cyber-attacks
• Thwarts attacks by limiting exposure of admin credentials (Cached Credentials)
Source: https://goo.gl/UqHTJA
Microsoft’s Solution – 3 Stages, 14 steps
Stage 1:
• Separate Admin accounts for Workstations
• Separate Admin accounts for Servers
• Separate Admin accounts for Domain Controllers
Stage 2:
• Privileged Access Workstations for Admins
• Unique Local Passwords for Servers & Workstations
• Time Bound Privileges
• Just Enough Administration
• Lower Attack Surfaces of DCs – Limit Admin Count
• Attack Detection
Stage 3:
• Modernize roles and delegation model to be compliant with the tiers
• Smartcard authentication for all admins
• Admin Forest for AD admins
• Windows Defender Device Guard
• Shielded VMs
1 Day Security Solution
The Breach
• An unpatched public-facing web server was compromised
• An attacker exploited a vulnerability, granting admin access to the server
• The attacker dumped the cached credentials on the server
• The attacker found a local administrator password identical across machines
• The attacker moved laterally across the domain, probing servers until he/she found a computer where a domain administrator (DA) credential was stored
• The attacker dumped the DA hash from that machine and cracked it
• The attacker now has full administrative access on the domain
Step #1: Limit Admins
Built-in Groups’ Rights Overview
• Account Operators: read LAPS attribute, administer domain user and group accounts
• Administrators: God-mode
• Backup Operators: override security restrictions; allow logon locally, log on as batch job, shut down the system
• Domain Admins: member of every domain-joined computer’s local Administrators group
• Enterprise Admins: member of every domain’s Administrators group
• Group Policy Creator Owners: can create and modify GPOs on the domain
• Server Operators: can administer domain servers
• Remote Desktop Users: remotely log on to domain controllers in the domain
• Exchange Groups: WriteDACL on root of domain
What is a Shadow Admin?
A shadow admin is an account that holds sensitive privileges which were granted directly using ACLs on AD objects, rather than through membership of a privileged group.
Finding Shadow Admins
Why find and limit # of admins
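A way to measure the admin count before limiting it, written here as an added example (it is not the talk's script nor part of the AD_Sec_Tools repository): it reports the effective (nested) user membership of the built-in groups listed above and flags enabled members that have not logged on recently, since idle rights are the ones nobody notices. It assumes the RSAT ActiveDirectory module, read access to the domain, and a 90-day idle threshold.

```powershell
# Added example, not from the talk or the AD_Sec_Tools repository.
Import-Module ActiveDirectory

# Built-in groups from the rights overview. Exchange group names vary by
# version, so add them here if Exchange is installed in the domain.
$privilegedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Enterprise Admins', 'Group Policy Creator Owners', 'Server Operators',
    'Remote Desktop Users'
)

function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = $privilegedGroups,
        [int]$IdleDays = 90   # assumption: 90 days without a logon counts as idle
    )
    $idleCutoff = (Get-Date).AddDays(-$IdleDays)
    foreach ($name in $Groups) {
        # Enterprise Admins only exists in the forest root domain; skip gracefully.
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive flattens nested groups: a user reached through a chain of
        # groups is still an admin but never shows up in the direct member list.
        $users = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { Get-ADUser $_ -Properties LastLogonDate, Enabled }
        $idle = $users | Where-Object {
            $_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $idleCutoff)
        }
        [pscustomobject]@{
            Group          = $name
            DirectMembers  = (Get-ADGroupMember -Identity $group | Measure-Object).Count
            EffectiveUsers = ($users | Measure-Object).Count
            IdleEnabled    = ($idle.SamAccountName | Sort-Object) -join ', '
        }
    }
}

# Groups with the largest effective membership are the first to trim.
Get-PrivilegedGroupReport | Sort-Object EffectiveUsers -Descending | Format-Table -AutoSize
```

Re-run the report after each cleanup pass so the EffectiveUsers column, not the direct member count, is what trends down.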
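Finding shadow admins, as an added example that is not the talk's script nor part of the AD_Sec_Tools repository: it walks the security descriptors of AD objects and lists non-inherited ACEs that grant control rights (GenericAll, WriteDacl, WriteOwner, ExtendedRight) to principals other than the admin groups expected to hold them. It assumes the RSAT ActiveDirectory module; the expected-principal pattern is an assumption to adjust for your domain.

```powershell
# Added example, not from the talk or the AD_Sec_Tools repository.
Import-Module ActiveDirectory

function Find-ShadowAdminAces {
    param(
        # Scope of the scan. The domain root is slow on large domains; the OUs
        # holding privileged groups, DCs and servers are the place to start.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Assumption: these principals are expected to hold control rights.
        [string]$ExpectedPattern = '\\(SYSTEM|Domain Admins|Enterprise Admins|Administrators|Domain Controllers|Enterprise Domain Controllers)$|^CREATOR OWNER$|^NT AUTHORITY\\SELF$'
    )
    # Rights that amount to control of the object: full control, or the ability
    # to rewrite the DACL/owner and grant it, or extended rights such as reset password.
    $controlRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'ExtendedRight'
    $objects = Get-ADObject -SearchBase $SearchBase -Properties nTSecurityDescriptor `
        -LDAPFilter '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=group)(objectClass=computer)(objectClass=user))'
    foreach ($obj in $objects) {
        foreach ($ace in $obj.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IsInherited) { continue }      # only rights set directly on this object
            $principal = $ace.IdentityReference.Value
            if ($principal -match $ExpectedPattern) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
            $hits = $rights | Where-Object { $controlRights -contains $_ }
            if (-not $hits) { continue }
            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                Class      = $obj.ObjectClass
                Principal  = $principal
                Rights     = $hits -join ','
                # ObjectType narrows an ExtendedRight to one specific right; the
                # all-zero GUID means every extended right on the object.
                ObjectType = $ace.ObjectType
            }
        }
    }
}

$aces = Find-ShadowAdminAces
# Principals holding the most direct control rights are the candidates to review.
$aces | Group-Object Principal | Sort-Object Count -Descending | Select-Object Count, Name
$aces | Export-Csv .\ShadowAdmin-ACEs.csv -NoTypeInformation
```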
Step #2 Separate Admin Accounts
Tiered Guidelines
• Tier 0 (Domain Admins): Accounts which have the ability to manage identity and permissions enterprise-wide. Objects: Domain Controllers and systems that manage DCs
• Tier 1 (Server Admins): Accounts with control over resources or that manage critical data and applications. Objects: Servers
• Tier 2 (Workstation Admins): Accounts with administrative privileges over standard user accounts and standard-user devices. Objects: Workstations
Step #2: Block Admins
Block Admins: The GPO: Servers
Step #3: Cached Creds GPO
Cached Creds Defined
Computer-level setting: Interactive logon: Number of previous logons to cache [store in memory] (in case domain controller is not available)
The value is the number of users whose credentials are stored on the device; the default is 10
Stored on the system as an RC4 hash by default
Cached Creds Vulnerabilities
Targeted Pass-the-hash – if you can’t crack it, encapsulate and pass it
RC4 NOMORE – one type of RC4 exploit – 52 hours to crack
In one incident I observed evidence of a plaintext password 9 minutes after the hash was compromised
Common tools to exploit Cached Creds
Mimikatz
Impacket
JtR
Hashcat
Ophcrack
Taskmanager… + lsass.exe
Pwdumpx + passwordPro
Cached Creds: The GPO: Servers
Cached Creds: The GPO: Desktops
Report on your domain’s cache settings
Find machines on the domain that have cached creds enabled
• AD_Computer_CachedCredsFind Computers without Cached Cred GPO.ps1
Report on your domain’s cache settings
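One way to build that report, as an added example rather than the script from the AD_Sec_Tools repository: it reads the CachedLogonsCount value that the "Number of previous logons to cache" policy writes under the Winlogon key on every enabled domain computer, treats a missing value as the Windows default of 10, and records hosts that cannot be reached instead of silently skipping them. It assumes the RSAT ActiveDirectory module and WinRM access to the computers.

```powershell
# Added example, not from the talk or the AD_Sec_Tools repository.
Import-Module ActiveDirectory

function Get-CachedCredsReport {
    param([string]$Filter = 'Enabled -eq $true')
    # Registry location the GPO setting lands in (REG_SZ, read back as a string).
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $computers = Get-ADComputer -Filter $Filter -Properties OperatingSystem
    foreach ($c in $computers) {
        $row = [ordered]@{
            Computer = $c.Name; OS = $c.OperatingSystem
            CachedLogonsCount = $null; Status = ''
        }
        try {
            $value = Invoke-Command -ComputerName $c.DNSHostName -ErrorAction Stop -ScriptBlock {
                (Get-ItemProperty -Path $using:regPath -Name CachedLogonsCount `
                    -ErrorAction SilentlyContinue).CachedLogonsCount
            }
            # Value absent means no policy applied, so the default of 10 is in effect.
            if ($null -eq $value) { $value = 10 }
            $row.CachedLogonsCount = [int]$value
            $row.Status = if ([int]$value -gt 0) { 'Caching enabled' } else { 'Caching disabled' }
        } catch {
            # Unreachable hosts are reported, not dropped: they still need checking.
            $row.Status = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

$report = Get-CachedCredsReport
# Servers and desktops get different GPOs, so group the findings by OS.
$report | Where-Object Status -eq 'Caching enabled' | Sort-Object OS | Format-Table -AutoSize
$report | Export-Csv -Path .\CachedCreds-Report.csv -NoTypeInformation
```

Hosts listed as "Caching enabled" that should be covered by the servers or desktops GPO are the ones to check for a missing GPO link or a blocked inheritance.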
Step #4: LAPS
LAPS
LAPS: Reqs #1 and #2
LAPS: Reqs #3 and #4
Step #5: Audit and Alert
Audit
https://goo.gl/uGUL4a
Alert
Security Tools
https://goo.gl/NgWuGK
Groups with ACL permissions on Domain
• DOMAIN\IT USERS
• DOMAIN\HR USER MANAGEMENT
• DOMAIN\IT - HELP DESK
• DOMAIN\ACCOUNT MANAGEMENT
• DOMAIN\IT Exchange
• DOMAIN\IT User Password Resets
• DOMAIN\IT SERVER ADMINS
• DOMAIN\Enterprise Services
• DOMAIN\Office dept Admins
• DOMAIN\Base Admins
• DOMAIN\Comp Management
• DOMAIN\EMAIL ADMINS
• DOMAIN\CONTACT CREATOR
• DOMAIN\ContactManagement
• DOMAIN\Credit_SUPPORT
• DOMAIN\Web Administration
• DOMAIN\MAILBOX MGMT
• DOMAIN\Service Desk
• DOMAIN\O ADMINS
• DOMAIN\VPN Administrators
• DOMAIN\AD User Cleanup
• DOMAIN\R&D ADMINS
• DOMAIN\Epsilon Admins
• DOMAIN\Zone ADMINS
• DOMAIN\ADWRITERS Admins
• DOMAIN\File Share ADMINS
• DOMAIN\R drive ADMINS
• DOMAIN\O drive ADMINS
• DOMAIN\SAN Admins
• DOMAIN\Cloud apps ADMINS
• DOMAIN\SERVICE NOW ADMINS
• DOMAIN\SERVICE NOW OU ADMINS
• DOMAIN\SERVICE NOW Group ADMINS
• DOMAIN\IT OU ADMINS
• DOMAIN\Network Team
• DOMAIN\Cluster2 Admins
• DOMAIN\Database Disk Admins
• DOMAIN\Cluster Admins
Excessive Group Membership Example:
Epic Sunflower
Questions?
https://github.com/davidprowe/AD_Sec_Tools
@customes
david_rowe [@] Harvard.edu