Authored by: Carolyn Crandall, Chief Security Advocate, Attivo Networks – Active Directory (AD) is a high-value target for attackers, who frequently attempt to compromise it to escalate their privileges and expand their access. Unfortunately, its operational necessity means that AD must be easily accessible to users throughout the enterprise—making it notoriously difficult to secure. Microsoft has stated that more than 95 million AD accounts come under attack every day, underscoring the seriousness of the problem.
While protecting AD is a challenge, it is far from impossible—it just requires the right tools and tactics. Below are 10 tips that enterprises can use to more effectively secure AD against some of today’s most common attack tactics.
#1. Prevent and detect enumeration of privileged, delegated admin, service, and network sessions
Once an adversary has penetrated perimeter defenses and established a foothold within the network, they will conduct reconnaissance to identify potentially valuable assets—and how they can get to them. One of the best ways they do this is to target AD since they can disguise those as normal business activities with little chance of detection. The ability to detect and prevent enumerations of privileges, delegated admins, and service accounts can alert defenders to the presence of an adversary early in the attack cycle. Deploying deceptive domain accounts and credentials on endpoints can also trip up attackers and allow defenders to redirect them to decoys for engagement.
#2. Identify and remediate privileged account exposures
Users often store credentials on their workstations. Sometimes they do this accidentally, while other times willingly—usually for the sake of convenience. Attackers know this and will target those stored credentials to gain access to the network environment. The right set of credentials can go a long way, and intruders will always look to escalate their privileges and access further. Enterprises can avoid giving attackers an easy way into the network by identifying privileged account exposures, remediating misconfigurations, and removing saved credentials, shared folders, and other vulnerabilities.
#3. Protect and detect “Golden Ticket” and “Silver Ticket” attacks
Pass-the-Ticket (PTT) attacks are among the most powerful techniques that adversaries use to move laterally throughout the network and escalate their privileges. Kerberos’s stateless design strategy makes it easy to abuse, which means attackers can easily forge tickets within the system. “Golden Ticket” and “Silver Ticket” are two of the most severe types of PTT attacks that adversaries use to achieve domain compromise and domain persistence. Addressing this requires the ability to detect vulnerable Kerberos Ticket Granting Ticket (TGT) and computer service accounts, identifying and alerting on misconfigurations that could potentially lead to PTT attacks. Additionally, a solution like ADSecure can prevent the use of forged tickets at the endpoints.
#4. Protect against Kerberoasting, DCSync, and DCShadow attacks
A “Kerberoasting” attack is an easy way for adversaries to gain privileged access, while DCSync and DCShadow attacks maintain domain persistence within an enterprise. Defenders need the ability to perform a continuous assessment of AD that provides real-time analysis of AD attacks while alerting on the misconfigurations that lead to those attacks. Furthermore, a solution capable of leveraging endpoint presence to prevent bad actors from discovering accounts to target can inhibit their ability to carry out these incursions.
#5. Prevent credential harvesting from domain shares
Adversaries commonly target plaintext or reversible passwords stored in scripts or group policy files stored in domain shares like Sysvol or Netlogon. A solution like ADAssessor can help detect these passwords, allowing defenders to remediate the exposures before attackers can target them. Mechanisms like those in Attivo’s Endpoint Detection Net (EDN) solution can also deploy deceptive Sysvol group policy objects in the production AD, helping to further disrupt the attacker by misdirecting them away from production assets.
#6. Identify accounts with hidden privileged SID
Using the Windows Security Identifier (SID) injection technique, adversaries can take advantage of the SID “history” attribute, allowing them to move laterally within the AD environment and further escalate their privileges. Preventing this requires detecting accounts set with well-known privileged SID values in the SID history attribute and reports.
#7. Detect dangerous access rights delegation on critical objects
Delegation is an AD feature that allows a user or computer account to impersonate another account which is helpful in many instances. For example, when a user calls a web application hosted on a web server, the application can mimic the user’s credentials to access resources hosted on a different server. Any domain computer with unconstrained delegation enabled can impersonate user credentials to any other service on the domain. Unfortunately, attackers can exploit this feature to gain access to different areas of the network. Continuous monitoring of AD vulnerabilities and delegation exposures can help defenders identify and remediate these vulnerabilities before adversaries can exploit them.
#8. Identify privileged accounts with delegation enabled
Speaking of delegation, privileged accounts configured with unconstrained delegation can lead directly to Kerberoasting and Silver Ticket attacks. Enterprises need the ability to detect and report on privileged accounts with delegation enabled. A comprehensive list of privileged users, delegated admins, and service accounts can help defenders take stock of potential vulnerabilities. In this instance, delegation is not automatically bad. It is often necessary for an operational reason, but defenders can use a tool like ADSecure to prevent attackers from discovering those accounts.
#9. Identify unprivileged users in AdminSDHolder ACL
Active Directory Domain Services (AD DSs) use the AdminSDHolder object and the Security Descriptor propagator (SDProp) process to secure privileged users and groups. The AdminSDHolder object has a unique Access Control List (ACL), which controls the permissions of security principals that are members of built-in privileged AD groups. To enable lateral movement, attackers can add accounts to the AdminSDHolder, granting them the same privileged access as other protected accounts. Organizations can prevent this activity with a tool like ADAssessor to detect and alert on the presence of unusual accounts within the AdminSDHolder ACL.
#10. Identify recent changes to Default Domain Policy or Default Domain Controllers Policy
Within AD, organizations use group policies to manage several operational configurations by defining security settings specific to the environment. These often configure administrative groups and include startup and shutdown scripts. Administrators configure them to set organization-defined security requirements at each level, install software, and set file and registry permissions. Unfortunately, attackers can change these policies to achieve domain persistence within the network. Monitoring changes to default group policies can help defenders quickly spot these attackers, mitigating security risks and helping to prevent privileged access to AD.
Putting the Right Tools in Place
Understanding the most common tactics adversaries use to target AD can help enterprises defend it. When developing tools like ADAssessor, ADSecure, and EDN, we considered a wide range of attack vectors and identified how best to detect and derail them. With these tools in place, today’s enterprises can effectively identify vulnerabilities, detect malicious activity early, and remediate security incidents before intruders can escalate their privileges and turn a small-scale attack into a major breach. Protecting AD is a challenge, but it is not an insurmountable one, thanks to today’s AD protection tools.