29.Hardening-active-directory

I. Hardening Active Directory

Step One: Document and Audit
- Annual (or more frequent) audits of:
  - Naming conventions (OUs, computers, users, groups).
  - DNS, network, and DHCP configurations.
  - GPOs and their application.
  - FSMO role assignments.
  - Application inventory.
  - Enterprise host locations.
  - Trust relationships.
  - Users with elevated permissions.
People
- Strong password policy (including password filters).
- Periodic password rotation for service accounts.
- Disallow local administrator access on user workstations.
- Disable the default RID-500 local admin account.
- Implement tiered administration.
- Restrict privileged group memberships.
- Use the Protected Users group.
- Disable Kerberos delegation for administrative accounts.
Protected Users Group
- Provides additional protections against authentication threats.
- Restrictions:
  - No constrained or unconstrained delegation.
  - No plaintext credential caching (CredSSP, Windows Digest).
  - No NTLM, DES, or RC4 authentication.
  - No caching of long-term keys or plaintext credentials after TGT acquisition.
  - TGT renewal limited to the original 4-hour TTL.
Processes
- AD asset management policies.
- Access control policies (provisioning/de-provisioning, MFA).
- Host provisioning and decommissioning processes (baseline hardening, gold images).
- AD cleanup policies (stale accounts, records).
- Legacy OS/service decommissioning processes.
- Scheduled user, group, and host audits.
Technology
- Periodic AD reviews for misconfigurations and threats.
- Use tools like BloodHound, PingCastle, and Grouper.
- Prevent storing passwords in AD account descriptions.
- Review SYSVOL for sensitive data.
- Use gMSAs and MSAs for service accounts.
- Disable unconstrained delegation.
- Harden jump hosts for DC access.
- Set ms-DS-MachineAccountQuota to 0.
- Disable the print spooler service.
- Disable NTLM authentication for DCs.
- Use Extended Protection for Authentication and Require SSL for CA services.
- Enable SMB and LDAP signing.
- Take steps to prevent enumeration with tools like BloodHound.
- Regular penetration tests/AD security assessments.
- Test backups and review disaster recovery plans.
- Restrict anonymous access and null session enumeration (RestrictNullSessAccess registry key).

II. Protections by Section (MITRE ATT&CK)

External Reconnaissance (T1589)
- Minimize publicly released information.
- Scrub documents before release.
Internal Reconnaissance (T1595)
- Monitor network traffic for suspicious activity.
- Use firewalls and NIDS.
- Implement SIEM.
- Tune Windows Firewall and EDR to block unwanted traffic (e.g., ICMP).
Poisoning (T1557)
- Use SMB message signing.
- Encrypt traffic.
Password Spraying (T1110/003)
- Enable logging and monitoring (Event IDs 4624, 4648).
- Implement strong password policies.
- Use account lockout policies.
- Implement MFA.
Credentialed Enumeration (TA0006)
- Monitor for unusual activity (CLI usage, RDP, file movement).
- Use network heuristics and segmentation.
Living Off the Land (LOTL)
- Establish network traffic and user behavior baselines.
- Monitor command shells.
- Implement AppLocker policies.
Kerberoasting (T1558/003)
- Use strong encryption (not RC4).
- Enforce strong password policies.
- Use gMSAs.
- Periodically audit user account permissions.

III. MITRE ATT&CK Breakdown

Explains the structure of the MITRE ATT&CK framework (Tactics, Techniques, Sub-techniques).
Provides an example using Kerberoasting (TA0006/T1558.003).

IV. Key Takeaways

A layered approach to AD hardening is essential.
Understanding and implementing best practices for People, Processes, and Technology is crucial.
Regular audits and assessments are necessary.
The MITRE ATT&CK framework provides valuable insights into attack techniques and mitigations.
Having a strong baseline security posture is more important than just buying more security tools.

Previous11.Defensive Considerations Next30.Additional AD Auditing Techniques

Last updated 12 days ago

29.Hardening-active-directory

I. Hardening Active Directory

Step One: Document and Audit
- Annual (or more frequent) audits of:
  - Naming conventions (OUs, computers, users, groups).
  - DNS, network, and DHCP configurations.
  - GPOs and their application.
  - FSMO role assignments.
  - Application inventory.
  - Enterprise host locations.
  - Trust relationships.
  - Users with elevated permissions.
People
- Strong password policy (including password filters).
- Periodic password rotation for service accounts.
- Disallow local administrator access on user workstations.
- Disable the default RID-500 local admin account.
- Implement tiered administration.
- Restrict privileged group memberships.
- Use the Protected Users group.
- Disable Kerberos delegation for administrative accounts.
Protected Users Group
- Provides additional protections against authentication threats.
- Restrictions:
  - No constrained or unconstrained delegation.
  - No plaintext credential caching (CredSSP, Windows Digest).
  - No NTLM, DES, or RC4 authentication.
  - No caching of long-term keys or plaintext credentials after TGT acquisition.
  - TGT renewal limited to the original 4-hour TTL.
Processes
- AD asset management policies.
- Access control policies (provisioning/de-provisioning, MFA).
- Host provisioning and decommissioning processes (baseline hardening, gold images).
- AD cleanup policies (stale accounts, records).
- Legacy OS/service decommissioning processes.
- Scheduled user, group, and host audits.
Technology
- Periodic AD reviews for misconfigurations and threats.
- Use tools like BloodHound, PingCastle, and Grouper.
- Prevent storing passwords in AD account descriptions.
- Review SYSVOL for sensitive data.
- Use gMSAs and MSAs for service accounts.
- Disable unconstrained delegation.
- Harden jump hosts for DC access.
- Set ms-DS-MachineAccountQuota to 0.
- Disable the print spooler service.
- Disable NTLM authentication for DCs.
- Use Extended Protection for Authentication and Require SSL for CA services.
- Enable SMB and LDAP signing.
- Take steps to prevent enumeration with tools like BloodHound.
- Regular penetration tests/AD security assessments.
- Test backups and review disaster recovery plans.
- Restrict anonymous access and null session enumeration (RestrictNullSessAccess registry key).

II. Protections by Section (MITRE ATT&CK)

External Reconnaissance (T1589)
- Minimize publicly released information.
- Scrub documents before release.
Internal Reconnaissance (T1595)
- Monitor network traffic for suspicious activity.
- Use firewalls and NIDS.
- Implement SIEM.
- Tune Windows Firewall and EDR to block unwanted traffic (e.g., ICMP).
Poisoning (T1557)
- Use SMB message signing.
- Encrypt traffic.
Password Spraying (T1110/003)
- Enable logging and monitoring (Event IDs 4624, 4648).
- Implement strong password policies.
- Use account lockout policies.
- Implement MFA.
Credentialed Enumeration (TA0006)
- Monitor for unusual activity (CLI usage, RDP, file movement).
- Use network heuristics and segmentation.
Living Off the Land (LOTL)
- Establish network traffic and user behavior baselines.
- Monitor command shells.
- Implement AppLocker policies.
Kerberoasting (T1558/003)
- Use strong encryption (not RC4).
- Enforce strong password policies.
- Use gMSAs.
- Periodically audit user account permissions.

III. MITRE ATT&CK Breakdown

Explains the structure of the MITRE ATT&CK framework (Tactics, Techniques, Sub-techniques).
Provides an example using Kerberoasting (TA0006/T1558.003).

IV. Key Takeaways

A layered approach to AD hardening is essential.
Understanding and implementing best practices for People, Processes, and Technology is crucial.
Regular audits and assessments are necessary.
The MITRE ATT&CK framework provides valuable insights into attack techniques and mitigations.
Having a strong baseline security posture is more important than just buying more security tools.

Previous11.Defensive Considerations Next30.Additional AD Auditing Techniques

Last updated 12 days ago