Hardening Active Directory
Notes from Hack The Box Active Directory Enumeration & Attacks Module
Hardening efforts should be concentrated in three areas: People, Process and Technology.
People
Implement a strong password policy. The policy should prevent users from choosing common or guessable words such as seasons, the company name, "welcome" or "password".
Rotate passwords for service accounts.
Do not grant users local administrator rights on their workstations unless there is a specific business need.
Local administrator accounts should be subject to LAPS password rotation.
Restrict the number of users in highly privileged groups and clean up their membership regularly.
Highly privileged accounts should be members of the Protected Users group.
Disable Kerberos delegation for administrative accounts (set "Account is sensitive and cannot be delegated").
Do not give details about internal equipment or technology in job postings.
Scrub metadata from public documents.
Technology
Periodically audit for security misconfigurations using tools such as PingCastle or BloodHound.
Ensure that no passwords are stored in the user account Description field.
Ensure SYSVOL does not contain credentials or other sensitive information (for example Group Policy Preferences cpassword values).
Restrict the number of servers with Unconstrained Delegation enabled.
Use gMSA or MSA accounts for service accounts.
If possible, users should not be able to join computer accounts to the domain: set the ms-DS-MachineAccountQuota attribute to 0 (its default value of 10 lets any authenticated user add ten machine accounts).
The Print Spooler service should be disabled wherever possible, especially on domain controllers.
Disable NTLM authentication on domain controllers.
Only allow connections over HTTPS for the Certificate Authority Web Enrollment and Certificate Enrollment Web Service endpoints (HTTP enrollment endpoints are a classic NTLM relay target).
LDAP signing and SMB signing should be enabled and required.
Prevent null session authentication by setting the RestrictNullSessAccess registry value (under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters) to 1. Perform regular audits and intrusion testing.
Implement multi-factor authentication on external services.
Monitor for suspicious network traffic and unusual activity.
Implement proper network segmentation.
Establish a baseline of normal network traffic and activity to use as a reference point when hunting for anomalies.
Implement an effective AppLocker policy.
Set proper firewall rules, coupled with SIEM/EDR solutions.
Block ICMP traffic if possible.
Monitor Event IDs 4624 (successful logon) and 4648 (logon using explicit credentials) for excessive or unusual authentication attempts.
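The following script is an added example, not code from the HTB module or from these notes. It turns several of the Technology items above into a PowerShell audit: the ms-DS-MachineAccountQuota value, hosts and users with unconstrained delegation, secrets in the Description attribute, the RestrictNullSessAccess value, SMB signing, the Print Spooler service, and a simple count of Event IDs 4624/4648 per account and source. It assumes the RSAT ActiveDirectory module is installed and that it runs on a domain-joined host as a user who can read the domain and the local Security log; the keyword list, the logon threshold and the function name are my own choices, and remediation commands are left commented out.

```powershell
# Added example (not from the HTB module): audit several of the Technology items above.
# Assumptions: RSAT ActiveDirectory module installed, run on a domain-joined host by a user
# who can read the domain and the local Security log. Read-only unless a remediation line
# is uncommented. Keyword list, threshold and function name are my own.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# --- ms-DS-MachineAccountQuota: any value above 0 lets every authenticated user create
#     that many computer accounts (the default is 10).
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -ne 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota, expected 0"
    # Remediation: Set-ADObject -Identity $domainDN -Replace @{'ms-DS-MachineAccountQuota' = 0}
}

# --- Unconstrained delegation: TRUSTED_FOR_DELEGATION (0x80000 = 524288) in userAccountControl.
#     Domain controllers (primaryGroupID 516) legitimately have it, so they are excluded.
$unconstrained = Get-ADComputer -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))'
foreach ($c in $unconstrained) { Write-Warning "Unconstrained delegation enabled on $($c.DNSHostName)" }
# User and service accounts can carry the flag as well.
$unconstrainedUsers = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
foreach ($u in $unconstrainedUsers) { Write-Warning "Unconstrained delegation enabled on user $($u.SamAccountName)" }

# --- Credentials in the Description attribute (the keyword list is an assumption; extend it).
$pattern = 'pass|pwd|cred|secret'
Get-ADUser -LDAPFilter '(description=*)' -Properties Description |
    Where-Object { $_.Description -match $pattern } |
    ForEach-Object { Write-Warning "Possible secret in description of $($_.SamAccountName): $($_.Description)" }

# --- Null sessions: RestrictNullSessAccess must be 1 under the LanmanServer parameters key.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$nullSess = (Get-ItemProperty -Path $lanman -Name RestrictNullSessAccess -ErrorAction SilentlyContinue).RestrictNullSessAccess
if ($nullSess -ne 1) { Write-Warning "RestrictNullSessAccess is '$nullSess' on $env:COMPUTERNAME, expected 1" }
# Remediation: Set-ItemProperty -Path $lanman -Name RestrictNullSessAccess -Value 1 -Type DWord

# --- SMB signing should be required, not merely enabled.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) { Write-Warning "SMB signing is not required on $env:COMPUTERNAME" }
# Remediation: Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# --- Print Spooler: stop and disable it where it is not needed (always on domain controllers).
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    Write-Warning "Print Spooler is running on $env:COMPUTERNAME"
    # Remediation: Stop-Service Spooler; Set-Service Spooler -StartupType Disabled
}

# --- Event IDs 4624/4648: flag (event, account, source) triples with an unusual number of
#     logons in the last hour. The threshold is arbitrary; tune it against your baseline.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}
$threshold = 50
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4648; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue
$events |
    ForEach-Object {
        [pscustomobject]@{
            Id      = $_.Id
            Account = Get-EventField $_ 'TargetUserName'
            # 4624 carries the source IP; 4648 carries the host the explicit credentials were used against.
            Source  = if ($_.Id -eq 4624) { Get-EventField $_ 'IpAddress' } else { Get-EventField $_ 'TargetServerName' }
        }
    } |
    Group-Object Id, Account, Source |
    Where-Object { $_.Count -gt $threshold } |
    ForEach-Object { Write-Warning "$($_.Count) events in the last hour: $($_.Name)" }
```

Run it on a domain controller to cover the local checks where they matter most (spooler, null sessions, SMB signing); the directory checks give the same result from any domain-joined host. The event section only looks at the local Security log, so in practice the grouping logic is what you would port to your SIEM, with the threshold taken from the traffic baseline mentioned above.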
Process
Maintain a process to keep track of users, assets, etc., and perform an asset inventory regularly.
A process for decommissioning old operating systems and services.
A process for commissioning/decommissioning hosts.
The following elements should be tracked and documented:
Naming conventions for OUs, computers, users (with and without elevated permissions), groups, and trust relationships;
DNS, network and DHCP configuration;
A description of the GPOs applied;
Applications;
Location of all enterprise hosts.
Protected Users Group
The Protected Users group is a security group that provides additional protections for high-privilege Active Directory accounts. It was introduced in Windows Server 2012 R2 to mitigate credential theft attacks against highly privileged users. Members of the group are restricted in what they can do in the domain. The aim is to reduce the likelihood of a high-privilege domain account being compromised, and to limit the damage if it already is.
For example, members of the Protected Users group cannot:
use NTLM authentication;
use DES or RC4 encryption types in Kerberos pre-authentication;
renew a TGT beyond the initial 4-hour lifetime;
be delegated (either unconstrained or constrained delegation).
Moreover, the plaintext credentials of Protected Users members are not cached by CredSSP, Windows Digest or NTLM. Once a TGT has been acquired, the user's plaintext password and long-term keys are not cached either.
List all members of the Protected Users group
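As an added example (not code from the HTB module or from these notes), the function below lists the current members of Protected Users and then checks the People items above against it: every user in the built-in high-privilege groups should be a member of Protected Users and should have "Account is sensitive and cannot be delegated" set. It assumes the RSAT ActiveDirectory module and read access to the domain (write access for -Remediate); the list of privileged groups, the function name and the -Remediate switch are my own choices.

```powershell
# Added example (not from the HTB module): list Protected Users membership and compare it
# with the built-in high-privilege groups. Assumes RSAT ActiveDirectory module and read
# access to the domain; the group list and the -Remediate switch are my own choices.
Import-Module ActiveDirectory

function Get-ProtectedUsersGap {
    param(
        # Groups whose members should all be Protected Users (extend with your own tier-0 groups).
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                        'Administrators', 'Account Operators', 'Backup Operators'),
        [switch]$Remediate
    )

    # Current Protected Users membership, keyed by SID so renamed accounts still match.
    $protected = @{}
    Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        ForEach-Object { $protected[$_.SID.Value] = $_.SamAccountName }
    Write-Host "Protected Users members: $($protected.Values -join ', ')"

    foreach ($group in $PrivilegedGroups) {
        # Enterprise Admins and Schema Admins exist only in the forest root; skip groups this domain lacks.
        if (-not (Get-ADGroup -Filter "Name -eq '$group'")) { continue }
        $members = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $user = Get-ADUser -Identity $m.SID -Properties AccountNotDelegated, Enabled
            $issues = @()
            if (-not $protected.ContainsKey($user.SID.Value)) { $issues += 'not in Protected Users' }
            # AccountNotDelegated is the "Account is sensitive and cannot be delegated" flag.
            if (-not $user.AccountNotDelegated) { $issues += 'delegation not disabled' }
            if ($issues) {
                [pscustomobject]@{
                    Group   = $group
                    Account = $user.SamAccountName
                    Enabled = $user.Enabled
                    Issues  = ($issues -join '; ')
                }
                if ($Remediate) {
                    # Membership of Protected Users breaks anything that still needs NTLM, RC4 or
                    # delegation; service and computer accounts must never be added. Test first.
                    if (-not $protected.ContainsKey($user.SID.Value)) {
                        Add-ADGroupMember -Identity 'Protected Users' -Members $user
                        $protected[$user.SID.Value] = $user.SamAccountName
                    }
                    if (-not $user.AccountNotDelegated) { Set-ADUser -Identity $user -AccountNotDelegated $true }
                }
            }
        }
    }
}

# Report only (this is the listing the heading above announces, plus the gap analysis):
Get-ProtectedUsersGap | Format-Table -AutoSize
# Apply the fixes after testing: Get-ProtectedUsersGap -Remediate
```

The report is keyed by SID rather than name because privileged accounts are often renamed, and -Recursive is used so that a user who reaches Domain Admins through a nested group is not missed. Run the report for a while and clean up the membership of the privileged groups first (the "restrict the number of users in highly privileged groups" item), since every account you leave in them will end up in Protected Users.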