29.Hardening-active-directory
I. Hardening Active Directory
Step One: Document and Audit
Annual (or more frequent) audits of:
Naming conventions (OUs, computers, users, groups).
DNS, network, and DHCP configurations.
GPOs and their application.
FSMO role assignments.
Application inventory.
Enterprise host locations.
Trust relationships.
Users with elevated permissions.
People
Strong password policy (including password filters).
Periodic password rotation for service accounts.
Disallow local administrator access on user workstations.
Disable the default RID-500 local admin account.
Implement tiered administration.
Restrict privileged group memberships.
Use the Protected Users group.
Disable Kerberos delegation for administrative accounts.
Protected Users Group
Provides additional protections against authentication threats.
Restrictions:
No constrained or unconstrained delegation.
No plaintext credential caching (CredSSP, Windows Digest).
No NTLM, DES, or RC4 authentication.
No caching of long-term keys or plaintext credentials after TGT acquisition.
TGT renewal limited to the original 4-hour TTL.
Processes
AD asset management policies.
Access control policies (provisioning/de-provisioning, MFA).
Host provisioning and decommissioning processes (baseline hardening, gold images).
AD cleanup policies (stale accounts, records).
Legacy OS/service decommissioning processes.
Scheduled user, group, and host audits.
Technology
Periodic AD reviews for misconfigurations and threats.
Use tools like BloodHound, PingCastle, and Grouper.
Prevent storing passwords in AD account descriptions.
Review SYSVOL for sensitive data.
Use gMSAs and MSAs for service accounts.
Disable unconstrained delegation.
Harden jump hosts for DC access.
Set ms-DS-MachineAccountQuota to 0.
Disable the print spooler service.
Disable NTLM authentication for DCs.
Use Extended Protection for Authentication and Require SSL for CA services.
Enable SMB and LDAP signing.
Take steps to prevent enumeration with tools like BloodHound.
Regular penetration tests/AD security assessments.
Test backups and review disaster recovery plans.
Restrict anonymous access and null session enumeration (RestrictNullSessAccess registry key).
II. Protections by Section (MITRE ATT&CK)
External Reconnaissance (T1589)
Minimize publicly released information.
Scrub documents before release.
Internal Reconnaissance (T1595)
Monitor network traffic for suspicious activity.
Use firewalls and NIDS.
Implement SIEM.
Tune Windows Firewall and EDR to block unwanted traffic (e.g., ICMP).
Poisoning (T1557)
Use SMB message signing.
Encrypt traffic.
Password Spraying (T1110/003)
Enable logging and monitoring (Event IDs 4624, 4648).
Implement strong password policies.
Use account lockout policies.
Implement MFA.
Credentialed Enumeration (TA0006)
Monitor for unusual activity (CLI usage, RDP, file movement).
Use network heuristics and segmentation.
Living Off the Land (LOTL)
Establish network traffic and user behavior baselines.
Monitor command shells.
Implement AppLocker policies.
Kerberoasting (T1558/003)
Use strong encryption (not RC4).
Enforce strong password policies.
Use gMSAs.
Periodically audit user account permissions.
III. MITRE ATT&CK Breakdown
Explains the structure of the MITRE ATT&CK framework (Tactics, Techniques, Sub-techniques).
Provides an example using Kerberoasting (TA0006/T1558.003).
IV. Key Takeaways
A layered approach to AD hardening is essential.
Understanding and implementing best practices for People, Processes, and Technology is crucial.
Regular audits and assessments are necessary.
The MITRE ATT&CK framework provides valuable insights into attack techniques and mitigations.
Having a strong baseline security posture is more important than just buying more security tools.
Last updated