Top 10 Actions to Repel and Recover from Active Directory Attacks
By Sean Deuby, Director of Services, Semperis
Active Directory is foundational to the on-premises and hybrid identities found throughout enterprise environments and the cloud today, and it is also key to a zero-trust security architecture. As a result, it’s a primary target of cyberattacks: security company Mandiant says that Active Directory is involved in 90% of the attacks it is called in to investigate.
Here are 10 actions to take now to protect your organization against Active Directory attacks.
- Implement good identity lifecycle processes
Protecting identities and access is essential to maintaining a secure environment. There are some excellent tools to help with this, but you can improve your identity lifecycle processes with something as simple as a calendar. Set review dates, audit access, and run a regular process to:
- Remove inactive users and computers
- Regularly review privileged access, especially paths to Tier 0 accounts and systems
- Regularly update service accounts with long, strong, random passwords
These actions help avoid attacks such as Kerberoasting, which enables attackers to elevate their privileges by gaining access to passwords for service accounts on the domain.
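The review process above, as an added PowerShell example (not the article's or Semperis's own code) built on the RSAT ActiveDirectory module. The 90-day inactivity window, the one-year service account rotation period and the quarantine-by-disabling step are assumptions to adapt to your policy; the script reports first and leaves the remediation lines commented out so the change is reversible.

```powershell
# Added example, not from the article. Requires the RSAT ActiveDirectory module
# and an account that can read (and, for the remediation lines, disable) accounts.
Import-Module ActiveDirectory

$InactiveDays         = 90    # assumption: policy-dependent
$ServicePwdMaxAgeDays = 365   # assumption: rotate service account passwords at least yearly
$Span                 = New-TimeSpan -Days $InactiveDays

# 1. Enabled users and computers that have not authenticated within the window.
#    Search-ADAccount relies on lastLogonTimestamp, which replicates with up to
#    14 days of slack, so treat LastLogonDate as approximate.
$StaleUsers = Search-ADAccount -AccountInactive -TimeSpan $Span -UsersOnly |
    Where-Object { $_.Enabled }
$StaleComputers = Search-ADAccount -AccountInactive -TimeSpan $Span -ComputersOnly |
    Where-Object { $_.Enabled }

# 2. Service accounts. Any user object with an SPN can be Kerberoasted, so its
#    password must be long, random and rotated; flag those past the rotation age.
#    krbtgt also carries an SPN but is handled by the KRBTGT reset process.
$Cutoff = (Get-Date).AddDays(-$ServicePwdMaxAgeDays)
$StaleServiceAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff }

# 3. A long random password for the rotation step: 32 bytes from the OS CSPRNG,
#    base64-encoded (44 characters). Rotating a service account has to be
#    coordinated with the service that uses it, so nothing is applied automatically.
function New-RandomPassword {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# Report for the review meeting.
$StaleUsers     | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
$StaleComputers | Select-Object Name, LastLogonDate           | Format-Table -AutoSize
$StaleServiceAccounts |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Format-Table -AutoSize

# Remediation, to run only after the review has signed off:
#   $StaleUsers     | Disable-ADAccount
#   $StaleComputers | Disable-ADAccount
#   Set-ADAccountPassword -Identity <service account> -Reset -NewPassword (New-RandomPassword)
```

Disabling rather than deleting keeps the change reversible if a "stale" account turns out to be a seasonal worker or a rarely used appliance; move disabled objects to a quarantine OU if your process has one and delete after a retention period.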
- Adopt trust security
Consider how best to establish trust in your environment. Within a single forest, all domains trust each other, so an attacker can escalate from one compromised domain to all the others. A separate Active Directory forest can be used to create a distinct area of trust and access control. Implementing selective authentication forces you to make explicit decisions about who has access rather than taking a “trust everyone” approach. To be successful, keep the following in mind:
- Ensure SID filtering is active across all trusts between Active Directory forests.
- Consider enabling selective authentication to create a “default deny” trust rather than a “default allow”.
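An audit of the two trust settings above, as an added PowerShell example that is not part of the article. It uses Get-ADTrust's documented properties; the netdom remediation commands in the trailing comments use placeholder domain names and assume you run them from a domain controller in the trusting domain.

```powershell
# Added example, not from the article. Audits every trust the current domain
# has and prints the findings the two bullets above call for.
Import-Module ActiveDirectory

function Get-TrustAudit {
    Get-ADTrust -Filter * -Properties * | ForEach-Object {
        $t = $_
        # Inside a forest (parent/child, tree-root) SID filtering does not apply;
        # the forest is the security boundary. Across forests, SID filtering is
        # SIDFilteringForestAware on forest trusts and SIDFilteringQuarantined
        # ("quarantine") on external trusts.
        if ($t.IntraForest)          { $sidFiltering = $null }
        elseif ($t.ForestTransitive) { $sidFiltering = [bool]$t.SIDFilteringForestAware }
        else                         { $sidFiltering = [bool]$t.SIDFilteringQuarantined }

        $findings = @()
        if (-not $t.IntraForest) {
            if ($sidFiltering -eq $false)        { $findings += 'SID filtering disabled' }
            if (-not $t.SelectiveAuthentication) { $findings += 'default allow (selective authentication off)' }
            if ($t.TGTDelegation)                { $findings += 'TGT delegation allowed across trust' }
        }

        [pscustomobject]@{
            Trust         = $t.Name
            Direction     = $t.Direction
            IntraForest   = [bool]$t.IntraForest
            ForestTrust   = [bool]$t.ForestTransitive
            SIDFiltering  = $sidFiltering
            SelectiveAuth = [bool]$t.SelectiveAuthentication
            TGTDelegation = [bool]$t.TGTDelegation
            Findings      = ($findings -join '; ')
        }
    }
}

Get-TrustAudit | Format-Table -AutoSize

# Remediation is done with netdom from a DC in the trusting domain
# (<trusting> and <trusted> are placeholders):
#   netdom trust <trusting> /domain:<trusted> /quarantine:yes          (external trust)
#   netdom trust <trusting> /domain:<trusted> /enablesidhistory:no     (forest trust)
#   netdom trust <trusting> /domain:<trusted> /selectiveauth:yes
#   netdom trust <trusting> /domain:<trusted> /enabletgtdelegation:no
# After turning on selective authentication, grant "Allowed to Authenticate"
# only on the specific computers that trusted-forest users need; nothing else
# is reachable, which is the "default deny" the bullet describes.
```

Run the audit in every domain that holds trusts, not just the forest root: external trusts are created per domain and are easy to forget.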
- Prioritize backup and recovery
Documented, practiced backup and recovery processes are the foundation of a solid recovery plan. Make sure that your plan is written down and practice it at least annually; there is no IT procedure whose success depends more on constant practice than disaster recovery. Time is critical in a crisis, and that’s not the time to be relying on an outdated process (or worse, your memory) to restore your critical systems. Most IT professionals document the steps they plan to take during regular maintenance windows. Why would you have anything less in place for when disaster strikes? Doing a dry run also helps ensure that you are correctly following the supported backup methods required by services like Active Directory. (Pro tip: screenshots are not the thing to use here.) Fixing a faulty process is always easier when you are not in crisis mode. Here are some essentials to keep in mind when considering your backup and recovery process:
- Back up every domain, especially the root.
- Back up at least two domain controllers per domain.
- Test your backups regularly. This means actually recovering AD from them; “backup successful” messages are not tests.
- Use supported backup methods. Virtualization checkpoints or snapshots don’t count.
- Ensure backups are malware-free.
- Don’t forget to keep offline copies of backups. Offline storage is essential to protect your backups from malware and ransomware. Many an attacked organization has found that its online backups were also attacked and disabled.
- If administration of your backup application is AD integrated, have a “break glass” emergency access method for when AD is unavailable.
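A check for the first two essentials (every domain, at least two DCs per domain, using a supported method), as an added PowerShell example that is not from the article. It assumes the Windows Server Backup feature is installed on the domain controllers, that WinRM is reachable from the admin workstation, and that a seven-day backup age is acceptable; adjust both thresholds to your policy.

```powershell
# Added example, not from the article. For every domain in the forest, checks
# that at least two DCs have a recent supported (system state) backup.
# Assumes the Windows Server Backup feature on the DCs and WinRM access.
Import-Module ActiveDirectory

$MaxBackupAgeDays = 7     # assumption
$MinBackedUpDCs   = 2     # the article's minimum
$Fresh            = (Get-Date).AddDays(-$MaxBackupAgeDays)

$forest = Get-ADForest
foreach ($domain in $forest.Domains) {
    $dcs = Get-ADDomainController -Filter * -Server $domain
    $status = foreach ($dc in $dcs) {
        try {
            $summary = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                Import-Module WindowsServerBackup -ErrorAction Stop
                Get-WBSummary
            }
            $last = $summary.LastSuccessfulBackupTime
        } catch {
            # No Windows Server Backup, no backup yet, or unreachable: all count as "no backup".
            $last = $null
        }
        [pscustomobject]@{
            Domain     = $domain
            DC         = $dc.HostName
            LastBackup = $last
            Current    = [bool]($last -and $last -gt $Fresh)
        }
    }
    $status | Format-Table -AutoSize

    $current = @($status | Where-Object Current).Count
    $tag = if ($domain -eq $forest.RootDomain) { ' (forest root)' } else { '' }
    if ($current -lt $MinBackedUpDCs) {
        Write-Warning "$domain$tag has only $current DC(s) backed up within $MaxBackupAgeDays days"
    }
}

# The supported method on each DC is a system state backup, for example:
#   wbadmin start systemstatebackup -backupTarget:E: -quiet
# AD itself records the last restorable backup per partition; cross-check with:
#   repadmin /showbackup
```

The forest root is called out in the warning because losing it loses the Enterprise Admins and Schema Admins groups and the forest-wide partitions; it is the domain you can least afford to restore from a single, stale copy.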
- Consider your Kerberos security
Kerberos (the primary security protocol used in AD) attacks are on the rise. Here are some steps to take to enhance your Kerberos security:
- Every Active Directory forest has a KRBTGT account that’s used to encrypt users’ Kerberos ticket-granting tickets (TGTs). Protecting the KRBTGT account is an essential part of securing your AD environment. Annually reset the KRBTGT account in every domain to mitigate Golden Ticket attacks. My colleague Jorge de Almeida Pinto maintains a widely used KRBTGT reset script.
- Take advantage of recent Kerberos security enhancements and patches. For example, upgrade your domain controllers to Windows Server 2019 to take advantage of AES encryption over the older RC4 algorithm (post-upgrade configuration steps are required).
- Remove Service Principal Names (SPNs) assigned to admin accounts. This step eliminates a favorite Kerberoasting path to domain dominance.
- Eliminate unconstrained delegation, which gives a compromised server the ability to act widely on behalf of unsuspecting users.
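A read-only report covering the four Kerberos items above, as an added PowerShell example that is not from the article. The one-year KRBTGT age threshold is an assumption; the script changes nothing, and the KRBTGT reset itself should be done with the script the author refers to (or with two Set-ADAccountPassword resets separated by full replication).

```powershell
# Added example, not from the article. Reports the four Kerberos exposures
# listed above for every domain in the forest; it changes nothing.
Import-Module ActiveDirectory

$KrbtgtMaxAgeDays = 365   # assumption: the article says "annually"
$forest = Get-ADForest

foreach ($domain in $forest.Domains) {
    Write-Host "== $domain =="

    # 1. KRBTGT password age. A Golden Ticket forged with the old key keeps
    #    working until the account has been reset twice, because the KDC still
    #    honours tickets encrypted with the previous (N-1) key.
    $krbtgt = Get-ADUser krbtgt -Server $domain -Properties PasswordLastSet
    $age = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
    if ($age -gt $KrbtgtMaxAgeDays) { Write-Warning "KRBTGT password is $age days old" }

    # 2. SPNs on privileged accounts. adminCount=1 marks accounts protected by
    #    AdminSDHolder; such an account with an SPN is a high-value Kerberoast target.
    Get-ADUser -Server $domain -Filter 'adminCount -eq 1 -and ServicePrincipalName -like "*"' `
            -Properties ServicePrincipalName |
        Where-Object SamAccountName -ne 'krbtgt' |
        ForEach-Object { Write-Warning "Privileged account $($_.SamAccountName) has SPN(s): $($_.ServicePrincipalName -join ';')" }

    # 3. Unconstrained delegation. DCs have it by design, so exclude them.
    $dcNames = (Get-ADDomainController -Filter * -Server $domain).Name
    Get-ADComputer -Server $domain -Filter 'TrustedForDelegation -eq $true' |
        Where-Object { $_.Name -notin $dcNames } |
        ForEach-Object { Write-Warning "Unconstrained delegation on computer $($_.Name)" }
    Get-ADUser -Server $domain -Filter 'TrustedForDelegation -eq $true' |
        ForEach-Object { Write-Warning "Unconstrained delegation on user $($_.SamAccountName)" }

    # 4. Service accounts that do not advertise AES. msDS-SupportedEncryptionTypes
    #    is a bit mask: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256. Unset means the
    #    KDC falls back to the domain default, which on older DCs is RC4.
    Get-ADUser -Server $domain -Filter 'ServicePrincipalName -like "*"' `
            -Properties 'msDS-SupportedEncryptionTypes' |
        Where-Object { $_.SamAccountName -ne 'krbtgt' -and
                       (($_.'msDS-SupportedEncryptionTypes' -band 0x18) -eq 0) } |
        ForEach-Object { Write-Warning "$($_.SamAccountName) does not advertise AES (msDS-SupportedEncryptionTypes=$($_.'msDS-SupportedEncryptionTypes'))" }
}

# Fixes, applied one at a time after confirming the application still works:
#   Set-ADAccountControl <account> -TrustedForDelegation $false     (or switch to constrained delegation)
#   Set-ADUser <svc> -KerberosEncryptionType AES128,AES256
#   Set-ADUser <admin> -ServicePrincipalNames $null                 (move the SPN to a dedicated service account)
```

Item 4 is the practical meaning of "AES over RC4": the DC upgrade enables AES, but a service account whose msDS-SupportedEncryptionTypes still excludes AES will keep receiving RC4 service tickets, which are the cheapest to crack offline.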
- Deter lateral movement
Deterring lateral movement helps prevent an attacker from moving through systems from computer to computer or across forests. Take these steps to make lateral movement more difficult:
- Where possible, remove local administrator rights from client user accounts. For some users, this action might require a privileged access management (PAM) solution.
- Implement the Local Administrator Password Solution (LAPS) on all member servers and client computers.
- Restrict local administrator group membership to the smallest number possible.
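A way to measure the LAPS and local-Administrators items above, as an added PowerShell example that is not from the article. It looks for the password-expiration attribute that LAPS stamps on a managed computer object (ms-Mcs-AdmPwdExpirationTime for legacy LAPS, msLAPS-PasswordExpirationTime for Windows LAPS), then inspects local Administrators membership over WinRM on a sample of machines; the expected-members list and the sample size are assumptions.

```powershell
# Added example, not from the article. Reports computers with no LAPS-managed
# local admin password and unexpected members of local Administrators.
Import-Module ActiveDirectory

# LAPS writes an expiration attribute to the computer object once it manages the
# machine. Only query attributes that exist in this schema; Get-ADComputer
# rejects the request if asked for an attribute the schema does not have.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsAttrs = @('ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime') |
    Where-Object { Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$_'" }
if (-not $lapsAttrs) {
    Write-Warning 'Neither LAPS schema extension is present: no machine is LAPS-managed.'
    $lapsAttrs = @()
}

$computers  = Get-ADComputer -Filter 'Enabled -eq $true' -Properties (@('OperatingSystem') + $lapsAttrs)
$notManaged = $computers | Where-Object {
    $c = $_
    -not ($lapsAttrs | Where-Object { $c.$_ })   # no expiration stamp from either LAPS version
}
"{0} of {1} enabled computers have no LAPS expiration stamp" -f @($notManaged).Count, @($computers).Count
$notManaged | Select-Object Name, OperatingSystem | Sort-Object OperatingSystem | Format-Table -AutoSize

# Local Administrators membership on reachable machines. Anything beyond the
# built-in Administrator and the expected domain groups is a lateral-movement path.
$expected = @('Administrator', 'Domain Admins')   # assumption: put your tiered admin groups here
$sample   = $computers | Select-Object -First 25  # assumption: widen once WinRM access is confirmed
foreach ($c in $sample) {
    try {
        $members = Invoke-Command -ComputerName $c.DNSHostName -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group Administrators | Select-Object Name, ObjectClass, PrincipalSource
        }
    } catch { continue }   # offline or WinRM closed; report separately if that matters
    $extra = $members | Where-Object { ($_.Name -split '\\')[-1] -notin $expected }
    if ($extra) {
        Write-Warning ("{0}: unexpected local admins: {1}" -f $c.Name, ($extra.Name -join ', '))
    }
}
```

The expiration stamp is a good proxy for "LAPS is working" rather than merely "LAPS is deployed": the agent writes it only after it has successfully rotated the password, so a machine with the client installed but no stamp is still running the shared password.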
- Actively manage privileged users and group security
In light of recent highly publicized malware and ransomware attacks, organizations should actively manage who has privileged access in AD and enforce least privilege across the forest. Although explaining why access rights must be reduced can be difficult, the change is essential for good governance. Here are some steps to take:
- Minimize privileged group membership. Operators should not require Domain Admin rights.
- Remove administrative permissions granted to service accounts. Applications should not require Domain Admin rights.
- Delegate least privilege access to the lowest level required.
- Monitor for permission changes on the AdminSDHolder object. (If you see a change here, the account has likely been compromised.)
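A script covering the privileged-group review and the AdminSDHolder monitoring above, as an added PowerShell example that is not from the article. The baseline file path is an assumption; the script stores the SDDL of the AdminSDHolder security descriptor on first run and on later runs reports which access control entries have changed.

```powershell
# Added example, not from the article. Snapshots privileged group membership,
# finds accounts still carrying adminCount=1 without being privileged, and
# compares the AdminSDHolder ACL with a stored baseline.
Import-Module ActiveDirectory

$BaselineFile     = 'C:\ADBaseline\AdminSDHolder.sddl'   # assumption
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'

# 1. Who is privileged right now, nested membership resolved. Enterprise and
#    Schema Admins exist only in the forest root, hence SilentlyContinue.
$privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}
$privileged | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. adminCount=1 is set by AdminSDHolder propagation and is never cleared when
#    an account leaves the group, so such accounts keep the protected ACL and
#    stop inheriting permissions. Review them and clear the flag.
$privNames = $privileged.SamAccountName | Sort-Object -Unique
Get-ADUser -Filter 'adminCount -eq 1' |
    Where-Object { $_.SamAccountName -notin $privNames -and $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object { Write-Warning "Orphaned adminCount=1: $($_.SamAccountName)" }

# 3. AdminSDHolder ACL drift. The object's security descriptor, as SDDL, is
#    compared with the baseline captured after the last approved change.
$dn      = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
$current = Get-Acl -Path "AD:\$dn"

if (-not (Test-Path $BaselineFile)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselineFile) -Force | Out-Null
    Set-Content -Path $BaselineFile -Value $current.Sddl
    "AdminSDHolder baseline written to $BaselineFile"
} else {
    $baselineSddl = (Get-Content $BaselineFile -Raw).Trim()
    if ($baselineSddl -cne $current.Sddl) {
        Write-Warning 'AdminSDHolder ACL differs from baseline; treat as a possible compromise.'
        # Rebuild the baseline descriptor and list the ACEs that differ so the
        # change can be attributed (=> present now only, <= present in baseline only).
        $baseline = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $baseline.SetSecurityDescriptorSddlForm($baselineSddl)
        $describe = { "$($_.IdentityReference) $($_.AccessControlType) $($_.ActiveDirectoryRights) $($_.ObjectType)" }
        Compare-Object ($baseline.Access | ForEach-Object $describe) ($current.Access | ForEach-Object $describe) |
            ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }
    }
}
```

Keep the baseline file somewhere an attacker with Tier 0 access cannot also edit (an offline copy, or a file on the monitoring system), otherwise a compromise that rewrites AdminSDHolder can rewrite the baseline with it.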
- Secure your dependencies
As you think about the security of your environment and Active Directory, consider all the abstraction layers and how they are secured. Each one of those layers expands your attack surface, so take the time to understand how they are protected and consider adding security to them. Take these steps to get started:
- Limit hypervisor admin privileges.
- Restrict access to storage that contains copies of the Active Directory .dit database file, such as backups and IFM (install from media) AD copies.
- Audit management tools and services with elevated access.
- Evaluate PAM tools.
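A scan for the second item above (copies of the AD database outside the domain controllers), as an added PowerShell example that is not from the article. The scan roots and the list of "broad" principals are assumptions; the script reports each ntds.dit, IFM folder or virtual disk it finds together with any allow entry that grants read access to a broad group.

```powershell
# Added example, not from the article. Looks for copies of the AD database
# (ntds.dit, IFM folders, VM disk exports, backup containers) on the given
# paths and reports any copy readable by a broad principal.
$ScanRoots = '\\backup01\adbackups', 'D:\IFM', 'E:\VM-Exports'   # assumption: your backup and export targets
$Broad     = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users', 'Domain Computers'

$copies = foreach ($root in $ScanRoots) {
    if (-not (Test-Path $root)) { Write-Warning "Not reachable: $root"; continue }
    # ntds.dit inside a system state or IFM backup is a plain file; VHD/VHDX
    # exports of a DC and .bkf backup containers hold a copy as well.
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue `
        -Include 'ntds.dit', '*.vhd', '*.vhdx', '*.bkf'
}

$report = foreach ($file in $copies) {
    $acl = Get-Acl -LiteralPath $file.FullName
    $broadAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.IdentityReference.Value -split '\\')[-1]) -in $Broad -and
        # Any right that implies reading the file; generic rights show up as numbers.
        ($_.FileSystemRights -match 'Read|Modify|FullControl|Generic|-')
    }
    [pscustomobject]@{
        File      = $file.FullName
        SizeMB    = [math]::Round($file.Length / 1MB, 1)
        Modified  = $file.LastWriteTime
        BroadRead = ($broadAces.IdentityReference.Value -join ', ')
    }
}

$report | Sort-Object BroadRead -Descending | Format-Table -AutoSize
$exposed = @($report | Where-Object BroadRead).Count
if ($exposed) { Write-Warning "$exposed database copy(ies) readable by a broad principal" }
```

A readable ntds.dit is equivalent to every password hash in the domain, including KRBTGT, so each hit here belongs on the same tier as the domain controllers themselves: restrict the share and NTFS ACLs to the backup operators' Tier 0 group and audit read access on those folders.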
- Harden your domain controller
In addition to the other functions it performs, your domain controller provides the physical storage for the Active Directory database. Just as abstraction layers can be abused by an attacker, so can your domain controller. If your domain controller is compromised, your Active Directory forest is considered untrustworthy until you can restore a clean backup and ensure that the gaps that led to the compromise are closed. Take these steps to harden your domain controller:
- Upgrade your domain controllers to a minimum Windows Server 2019 OS level with AES encryption configured.
- Remove unnecessary server roles and agents.
- Disable the Print Spooler service on all domain controllers.
- Consider using Server Core to reduce the DC’s attack surface.
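An inventory of every domain controller against the four hardening items above, with an opt-in switch that disables the Print Spooler, as an added PowerShell example that is not from the article. It assumes WinRM access to the DCs; the minimum build number is the Windows Server 2019 release build and the list of roles considered normal on a DC is an assumption.

```powershell
# Added example, not from the article. Inventories every DC against the
# bullets above and, with -Remediate, disables the Print Spooler. Assumes WinRM.
[CmdletBinding()]
param([switch]$Remediate)
Import-Module ActiveDirectory

$MinBuild    = 17763                                             # Windows Server 2019
$NormalRoles = 'AD-Domain-Services', 'DNS', 'FileAndStorage-Services'   # assumption

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $facts = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        $nt      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        if ($spooler) { $spoolerState = "$($spooler.Status)/$($spooler.StartType)" } else { $spoolerState = 'absent' }
        $extra = Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $using:NormalRoles }
        [pscustomobject]@{
            Build        = [int]$nt.CurrentBuildNumber
            InstallType  = $nt.InstallationType            # 'Server Core' or 'Server' (Desktop Experience)
            SpoolerState = $spoolerState
            ExtraRoles   = ($extra.Name -join ', ')
        }
    }
    if (-not $facts) { Write-Warning "Unreachable: $($dc.HostName)"; continue }
    [pscustomobject]@{
        DC           = $dc.HostName
        OS           = $dc.OperatingSystem
        BelowMinimum = $facts.Build -lt $MinBuild
        ServerCore   = $facts.InstallType -eq 'Server Core'
        Spooler      = $facts.SpoolerState
        ExtraRoles   = $facts.ExtraRoles
    }
}
$report | Format-Table -AutoSize

if ($Remediate) {
    # Stopped/Disabled is the target state; 'absent' means the service is not installed.
    foreach ($dc in $report | Where-Object { $_.Spooler -notmatch 'Stopped/Disabled|absent' }) {
        Invoke-Command -ComputerName $dc.DC -ScriptBlock {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
        "Print Spooler disabled on $($dc.DC)"
    }
}
```

Extra roles and agents matter for the same reason the Spooler does: each one is code running as SYSTEM on the machine that holds ntds.dit, so anything that is not strictly needed to be a DC should live on another server.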
- Harden privileged access
Hardening accounts that have privileged access reduces AD’s attack surface and lessens the likelihood of potential compromise of these accounts. Here are some steps you can take to protect privileged accounts:
- Implement an MFA service designed to support AD.
- Use separately named admin accounts and lock them down for administration purposes only.
- Create break glass accounts to use in case of emergency.
- Deploy a tiered administrative model, focusing on protecting access to Tier 0 accounts and systems.
- Use a PAM solution to enable just-in-time access to privileged accounts.
- Use privileged access workstations that are specially hardened to limit the potential for being used as an attack entry point.
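A check that the Tier 0 accounts actually carry the protections listed above, as an added PowerShell example that is not from the article. The Tier 0 group list, the admin-account naming pattern and the break-glass account names are assumptions; break-glass accounts are deliberately excluded from the Protected Users check because that group blocks NTLM and long-lived tickets, which is exactly what an emergency logon may need.

```powershell
# Added example, not from the article. Reports, per Tier 0 account, which of
# the hardening measures above are missing. Conventions are assumptions.
Import-Module ActiveDirectory

$Tier0Groups      = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$AdminNamePattern = '^adm-'                        # assumption: separately named admin accounts
$BreakGlass       = 'BG-Admin01', 'BG-Admin02'     # assumption: kept out of Protected Users by design

$protected = (Get-ADGroupMember 'Protected Users' -ErrorAction SilentlyContinue).SamAccountName
$admins = foreach ($g in $Tier0Groups) {
    Get-ADGroupMember $g -Recursive -ErrorAction SilentlyContinue | Where-Object objectClass -eq 'user'
}
$admins = $admins | Sort-Object SamAccountName -Unique

$findings = foreach ($a in $admins) {
    $u = Get-ADUser $a.SamAccountName -Properties AccountNotDelegated, SmartcardLogonRequired,
            PasswordLastSet, LastLogonDate, ServicePrincipalName
    $issues = @()
    if ($u.SamAccountName -in $BreakGlass) {
        # Compensate for the missing Protected Users membership with a sealed
        # credential and an alert on every logon (see the monitoring section).
        $issues += 'break-glass: alert on any use'
    } else {
        if ($u.SamAccountName -notin $protected)            { $issues += 'not in Protected Users' }
        if ($u.SamAccountName -notmatch $AdminNamePattern)  { $issues += 'not a separately named admin account' }
        if (-not $u.SmartcardLogonRequired)                 { $issues += 'no smart card requirement (confirm the MFA service covers it)' }
    }
    if (-not $u.AccountNotDelegated) { $issues += '"sensitive, cannot be delegated" not set' }
    if ($u.ServicePrincipalName)     { $issues += 'has SPN (Kerberoastable)' }
    [pscustomobject]@{
        Account   = $u.SamAccountName
        LastLogon = $u.LastLogonDate
        Issues    = ($issues -join '; ')
    }
}
$findings | Sort-Object Account | Format-Table -AutoSize

# Fixes for the common findings:
#   Set-ADUser <account> -AccountNotDelegated $true
#   Add-ADGroupMember 'Protected Users' -Members <account>   (test one account first;
#     Protected Users refuses NTLM, DES/RC4 and cached logon, so legacy tools break)
```

The LastLogon column is there because a Tier 0 account that never logs on is either a forgotten standing privilege that should be removed, or a break-glass account whose first use should be an incident.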
- Monitor for unusual activity
You can’t secure what you can’t see! Monitoring is essential for understanding shifts in your security posture and finding the earliest indicators of compromise. Consider these aspects when developing your monitoring strategy:
- Implement a security information and event management (SIEM) solution with user and entity behavior analytics (UEBA) capabilities.
- Monitor privileged groups for membership changes.
- Watch for access control list (ACL) changes to sensitive objects.
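The two detections above (privileged group membership changes and ACL changes on sensitive objects) pulled from the domain controllers' Security logs, as an added PowerShell example that is not from the article. The event IDs are the standard Windows ones; the script assumes the "Audit Security Group Management" and "Audit Directory Service Changes" subcategories are enabled, that the monitored objects carry a SACL (event 5136 is only written for objects that have one), and that a 24-hour look-back is wanted.

```powershell
# Added example, not from the article. Collects, from every DC, the Security
# events behind the two monitoring bullets above for the last N hours.
Import-Module ActiveDirectory
$Hours = 24   # assumption
$Since = (Get-Date).AddHours(-$Hours)

# Read a named field out of an event's EventData XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# "Member added to security-enabled ... group". 4729/4733/4757 are the removals.
$Watched = @{ 4728 = 'global group'; 4732 = 'local group'; 4756 = 'universal group' }

$alerts = foreach ($dc in Get-ADDomainController -Filter *) {
    $server = $dc.HostName

    $events = Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = @($Watched.Keys); StartTime = $Since }
    foreach ($e in $events) {
        [pscustomobject]@{
            Time   = $e.TimeCreated; DC = $server; Type = 'Membership'
            Object = Get-EventField $e 'TargetUserName'        # the group
            Detail = "{0} added {1} ({2})" -f (Get-EventField $e 'SubjectUserName'),
                                            (Get-EventField $e 'MemberName'), $Watched[$e.Id]
        }
    }

    # 5136 = directory service object modified; an ACL change is the case where
    # the attribute written is the security descriptor.
    $aclEvents = Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 5136; StartTime = $Since }
    foreach ($e in $aclEvents) {
        if ((Get-EventField $e 'AttributeLDAPDisplayName') -ne 'nTSecurityDescriptor') { continue }
        [pscustomobject]@{
            Time   = $e.TimeCreated; DC = $server; Type = 'ACL'
            Object = Get-EventField $e 'ObjectDN'
            Detail = "changed by {0}" -f (Get-EventField $e 'SubjectUserName')
        }
    }
}

$alerts | Sort-Object Time | Format-Table -AutoSize
# Feed the same filter to the SIEM: a hit on AdminSDHolder, a Tier 0 group or
# the domain head should page someone rather than wait for a daily report.
```

Querying each DC separately matters because these events are written only on the DC that processed the change and are not replicated; a collector that watches one DC sees only the changes made through it.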
Prevention and the path to recovery
With these 10 actions, organizations of any size can significantly reduce their attack surface and protect their Active Directory instances. Why is securing Active Directory so important? It’s central to establishing and maintaining trust in your environment. It’s also central to attackers gaining control. Successful attacks center on an attacker’s ability to steal AD credentials or compromise an AD account with malware. Once they have that, they can escalate privileges to gain access to anything in your systems. Anything you can do to prevent that access and ensure that you have a path to a faster recovery if something does happen is well worth it.
One quick and painless way to assess your AD security stance is to download and run the free Purple Knight utility. The tool doesn’t require any special permissions, giving you an “attacker’s view” of your Active Directory—and any gaps that might admit malicious actors. You get an overall security score as well as individual scores across several categories, including Kerberos, Group Policy, and account security. Plus, Purple Knight returns a list of security indicators—both indicators of exposure and indicators of compromise—so that you know where to focus efforts to beef up your defenses.
Anything you can do to prevent malicious access to AD and ensure that you have a path to a faster recovery if something does happen is well worth the time spent.
About the Author
Sean Deuby brings 30 years’ experience in enterprise IT and hybrid identity to his role as Director of Services at Semperis. An original architect and technical leader of Intel’s Active Directory and Texas Instruments’ NT network, and a 15-time MVP alumnus, Sean has been involved with Microsoft identity since its inception. Since then, his experience as an identity strategy consultant for many Fortune 500 companies has given him a broad perspective on the challenges of today’s identity-centered security. Sean is an industry journalism veteran; as former technical director for Windows IT Pro, he has over 400 published articles on AD, hybrid identity, and Windows Server. Sean can be reached online at seand@semperis.com, @shorinsean and at https://www.semperis.com/.