Microsoft Active Directory (AD) serves many purposes. The most important role it provides is authentication. To make authentication painless, Windows (and non-Windows) systems use AD to authenticate user accounts and computer accounts.
Partner with Microsoft experts you can trust
If it’s time to take that first step toward leveling up your organization’s security, get in touch with Ravenswood to start the conversation.
With many large organizations relying on AD for authentication, it has become a very attractive target for bad actors. If AD becomes compromised, virtually the entire network is affected. Therefore, securing Active Directory is critical to protect against common attack methods to reduce the chances of AD becoming compromised.
What is Hardening in Active Directory?
Active Directory hardening is the process of implementing security measures to help prevent compromise of AD. The threats that can lead to compromise include malware, insider threats, technical debt, improper user training, deficiency of monitoring, and lack of having a patching strategy.
When AD is compromised, there are many possible negative outcomes. Financial fraud can be committed by a bad actor impersonating someone important in the organization, such as the CEO, to authorize payments to a bank account controlled by the bad actor. A bad actor can deploy ransomware which is used to interrupt business and demand payment to the attacker before business might return to normal. Data can be exfiltrated to gather sensitive information such as intellectual property e.g., blueprints for manufacturing a desired product, sensitive information such as government secrets, personally identifiable information of employees or customers. These attacks can make it difficult or impossible to do business with customers. News of an organization becoming compromised can tarnish their reputation and negatively impact the bottom line.
Overview of the Hardening Process
To decrease the chances of a breach, here are 4 important steps to take.
Step one: Perform an AD security assessment using tools like Ravenswood AD Health Check, Semperis Directory Service Protector, or Trimarc Active Directory Security Assessment.
Step two: Once weaknesses have been identified in penetration testing and outlined in a report, develop a strategy to mitigate the vulnerabilities. Examples of action items to address findings on such a report include securing administrative accounts, monitoring and auditing AD activities, and implementing network security measures such as firewall rules.
Step three: Other measures that should be taken include removing obsolete protocols, updating security policies, educating Active Directory users and administrators, and regularly performing security assessments and penetration tests.
Step four: Lastly, monitor the environment for changes that can make the environment less secure and monitor for abuse to detect bad actors. This process should be iterative, not a one-off task, as new threats are constantly being discovered. These strategies should be performed in an ongoing cycle in a hardening process as illustrated in Figure 1.
Figure 1 – Hardening process
Cyber Attacks Targeting Active Directory
Bad actors rely on several different attack methods that can lead to AD becoming compromised. These attackers leverage credential theft (usernames and passwords are obtained) and credential relaying (usage of intercepted authentication tokens) to gain footholds in the environment. From there, they leverage privilege escalation to gain new footholds with more permissions, until they obtain the highest-level of privileged access in the environment.
Here are some examples of common attacks against AD. Keep in mind that new attack types and approaches are constantly being developed.
Credential Theft and Relaying
There are several well-known credential theft and credential relay attacks that bad actors rely on.
NTLM Weaknesses
Pass the hash, DCSync, and brute-force attacks can be used to capture a domain user’s NTLM password hash. From there, the password hash can be cracked (or re-used in the case of pass the hash) because NTLM is an outdated and weak authentication protocol. Bad actors have several free, open-source tools at their disposal that can crack an NTLM password hash.
NTLM Relay is another attack method used by bad actors. Since NTLM doesn’t have a way to validate the identity of a server, a bad actor can re-use or “relay” validated authentication requests to access resources on the network the user has been authorized to access.
NTLM v1 is significantly less secure than NTLM v2, but the entire NTLM protocol is considered too weak to use at this point. To mitigate this attack method, several things can be done, including disabling SMB v1, requiring SMB signing and RDP restricted admin mode, and adding Local security Authority (LSA) protection and Credential Guard.
Minimizing and eventually eliminating NTLM usage should be a goal. One thing that can be done to reduce usage of NTLM is not to use IP addresses when connecting to remote systems (i.e., Remote Desktop) and instead use DNS addresses. Admin accounts should be added to the Protected Users security group, which prevents NTLM usage and therefore eliminates this attack path for those accounts.
Kerberoasting
Kerberoasting attacks can be used by a bad actor to get a domain controller to issue Kerberos tickets for purposes that were not authorized by the victim’s account and ultimately obtain the user’s password. A bad actor can use this attack vector when accounts that have service principal names (SPNs) and weak encryption ciphers are allowed to be used in the environment, such as RC4 and DES, or password policies that allow weak passwords to exist unchanged for very long durations. When a bad actor has obtained a Kerberos ticket, if a weak encryption cipher is used, the bad actor can Kerberoast the ticket, providing the victim’s password to the attacker. This is especially effective since service accounts frequently do not follow the principle of least privilege. The attacker may then have elevated access to the system(s) where that service account is being used.
To mitigate this attack method, remove RC4 and DES as options for encrypting Kerberos tickets issued by domain controllers on accounts that have Service Principal Names (SPNs). The only encryption ciphers that should be available to encrypt Kerberos tickets are AES ciphers. Additionally, reset the passwords of all accounts with SPNs to have a randomly generated 20-plus character password, or use a group-managed service account (gMSA), which uses long, complex passwords that rotate automatically by default every 30 days. Lastly, remove SPNs from privileged accounts.
Kerberos Relay
Like NTLM relay attacks, Kerberos relay attacks can be leveraged by a bad actor to re-use a Kerberos ticket in the environment for unintended purposes. There is a multitude of freely available open-source attack tools that can be used to gain access to resources across a network. Relay attacks are effective because there is no server validation of the signature used for authentication that is native to Kerberos.
To mitigate this attack method, use a solution that can detect the early stages of this attack, such as Microsoft Defender for Identity. Also, ensure LDAP signing and LDAP channel binding are required. When LDAP signing is required, the server validates the signature before an authentication token is granted. LDAP channel binding closes a loophole with LDAP encryption in that it binds the TLS tunnel to the LDAP application. Lastly, restrict undelegated accounts from being able to domain-join devices by setting the ms-DS-MachineAccountQuota attribute to 0 to prevent bad actors from creating rogue computer accounts and relaying Kerberos tickets.
Other Attacks
Another attack vector includes cracking weaker passwords against an AD backup. A bad actor can perform this type of attack without raising any alerts from monitoring systems since the backup itself cannot be monitored in the same manner that the in-use AD database can be. Access to AD backups must be tightly controlled and treated in the same manner as access to domain controllers. Similarly, restrict access to hypervisors that contain domain controllers.
Some other attack methods rely on NetBIOS, Link-Local Multicast Name Resolution (LLMNR), Group Policy Object (GPO) Preferences cPasswords, and password spraying. To mitigate these attack methods, disable LLMNR and NetBIOS over TCP/IP, remove all instances of cPasswords from GPOs, implement an AD monitoring and alerting solution such as Microsoft Defender for Identity, and implement a password policy solution such as Microsoft Entra Password Protection to prevent usage of weak passwords.
Privilege Escalation
Privileged escalation attacks are a different type of attack that allows a bad actor to perform actions of a privileged account indirectly or directly. Some of those include:
- AD Certificate Services attacks
- Overprivileged and unmanaged service accounts
- Domain Admin accounts used for everyday tasks
- Unpatched vulnerabilities
The following sections will go into more detail on these attacks.
AD Certificate Services Attacks
Misconfigured certificate templates can allow bad actors to become Domain Admin very quickly. A bad actor that has a foothold in the environment can request a certificate from a certification authority running AD Certificate Services (AD CS). If that certificate is misconfigured by an administrator (has an ESC identification), the bad actor can immediately become a member of the Domain Admins group. To mitigate this attack vector, run an AD CS assessment tool, e.g., Locksmith, to identify and then remediate any findings.
Overprivileged and Unmanaged Service Accounts
Service accounts are a common target for bad actors because they are typically exempt from policies that are meant to keep accounts in an organization secure. Common weaknesses encountered with service accounts are:
- Passwords that are short (less than 15 characters) and easily guessed
- Passwords that have not changed in years
- Passwords allowed to use weak encryption ciphers for Kerberos authentication
- Giving system administrative access too freely to systems or AD either as a quick fix to get something working or are documented improperly as requirements by a vendor
To resolve these issues, follow the principle of least privilege, reset service account passwords so they are long and complex, ensure passwords are refreshed regularly, and remove the ability to use legacy encryption ciphers such as RC4 and DES.
Domain Admin Accounts Used for Everyday Tasks
One of the first things that bad actors do in an Active Directory environment where they’ve established a foothold is map attack paths to membership in the Domain Admins group. If a bad actor has discovered the password hashes of domain admins on systems that are commonly used for performing tasks on the Internet, they have an extremely quick and direct attack path to becoming a domain admin.
Accounts that are members of the Domain Admins group should only be used for administering AD and nothing else. To enforce this behavior, implement a tiering model.
Unpatched Vulnerabilities
All devices on the network require regular patching to address known vulnerabilities. An unpatched vulnerability is one that is actively being exploited by bad actors and there is a patch available that addresses the vulnerability and has not yet been installed. Bad actors will use these unpatched vulnerabilities to gain new footholds and escalate their privileges across the network.
To mitigate this attack vector, use a scanning tool to identify devices that are vulnerable to attacks that can be mitigated by installing patches. Implement a wholistic patching strategy to prevent this attack vector in the future.
Best Practices to Harden Active Directory
Developing strategies to address these types of attacks is key to hardening AD. Having a hardened AD environment will increase the effort it takes for a bad actor to move laterally, allowing an organization more time to detect the bad actor.
Back up AD and restrict access to the AD backups. AD is a tier 0 asset, and backups of tier 0 assets must be treated and protected in the same manner. By backing up AD and having a documented disaster recovery (DR) plan that is tested is important to responding incidents to minimize impact to the organization. This is essentially an insurance policy to protect the organization in the instance a bad actor takes over the environment using any of the attack vectors mentioned previously.
Patch domain controllers and various other components on the network on a standard cadence. Malicious actors are constantly looking for unpatched systems to escalate their privileges. Reduce and eliminate technical debt. A device that is considered technical debt is hardware or software that is no longer supported by the vendor and therefore is no longer receiving security updates and no longer supports modern security features and protocols. Devices on the network that make the environment less secure are attractive targets to bad actors which enable them to escalate privileges faster and easier.
Implementing security baselines ensures best practices are being used from a security controls perspective, which will increase the level of effort required by bad actors to escalate their privilege. Baselines restrict usage of vulnerable protocols and help prevent lateral movement by enforcing encryption and signing.
Monitor for malicious actors in the environment before they can do any damage. Ensure the monitoring system is actively being tuned to alert on existing and new attacks and reduce noise so that admins do not get alert fatigue and miss important alerts. There are many mature tools that are pre-tuned to detect insecure configurations and lateral movement.
Clean up AD to enhance the organization’s security posture. With AD being administered by multiple admins, and not many automation features to keep it clean, things can get very unorganized very quickly. A lack of organization fosters complexity, and complexity is bad as it will very likely cause misconfigurations in policy being applied.
Conclusion
AD hardening is critical to maintaining a secure network. Monitoring, planning, training, patching, and implementing policies are all critical to hardening AD. Bad actors are persistent in finding new ways to gain footholds and escalating their privileges and take over AD, for financial gain or to exfiltrate data.
Ravenswood Technology Group offers services that address many of these components. Reach out to us to inquire how we can help!
