Hardening Active Directory to Prevent Cyber Attacks

Jun 20, 2024

Lecture on Hardening Active Directory to Prevent Cyber Attacks

Introduction

  • Mention of an Easter egg in the slides (Where's Waldo picture).
  • Incentivizing participation with a sticker reward for those who find and tag the picture on social media.

Building a House Analogy

  • Foundation: AD infrastructure, domain controllers, certificate services.
  • Windows/Doors: Access control.
  • Grass/Lawn: Maintenance and upkeep.
  • Fence/Alarm Systems: Firewalls, IDS, EDR.
  • Emphasis on building from the ground up, starting small and building over time.

Speaker Introduction

  • Name: Spencer Alessi, Senior Pentester at SecurIT360.
  • Background in help desk and systems administration.
  • Goal: Helping sysadmins secure internal networks and Active Directory.
  • Mention of content creation (podcast, webinars, free tools).

Typical Attack Sequence

  1. Initial Access: Threat actor gains access, acquires admin credentials (elevated privileges or local admin account).
  2. Lateral Movement: Spread to other servers and backup systems to find sensitive data.
  3. Data Exfiltration and Ransomware: Steal and ransom data, sometimes extorting twice.

Key Vulnerabilities for Attackers

  • Credentials: Acquiring admin credentials is crucial for attackers to move laterally and gain control.
  • Access: Needing access to sensitive systems and resources.
  • Control: Using C2 channels, disabling security products, abusing group policies and authentication protocols.

Defending Against Attacks: Steps to Harden Active Directory

  1. Identify Misconfigurations:
    • Find low-hanging fruit, recurring vulnerabilities.
  2. Implement AD Security 101:
    • Base level hardening and hygiene.
  3. Advance to AD Security 201:
    • Larger, more complex projects.

Detailed Steps

Step 1: Identify Misconfigurations

  • Common Misconfigurations:
    • Plaintext credentials on file shares
    • Weak passwords on KeePass databases
    • World readable shares
    • Logon scripts with sensitive information
  • Password Reuse and Mismanagement:
    • Non-unique admin passwords
    • Shared service accounts
    • Kerberoastable admin accounts
  • Tools for Identifying Misconfigurations:
    • Easy mode: Manual search for sensitive keywords.
    • Hard mode: Automated tools like Snaffler.

Step 2: Implement AD Security 101

  • Basic Security & Hygiene:
    • Clean up unnecessary files, folders, and scripts.
    • Deploy LAPS (Local Administrator Password Solution).
    • Store passwords securely and educate users on strong passwords.
    • Disable RC4, enforce AES, prune SPNs.
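The checks in Step 1 (Kerberoastable admin accounts) and Step 2 (enforce AES, prune SPNs) can be scripted as one audit. The following PowerShell is an added example, not the lecture's own material; it assumes the RSAT ActiveDirectory module and read access to the domain, and the account name in the final commented line is a placeholder.

```powershell
# Added audit example: list privileged, enabled accounts that carry an SPN
# (and are therefore Kerberoastable) and flag those not restricted to AES.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Bit flags of the msDS-SupportedEncryptionTypes attribute
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

function Get-KerberoastableAdmins {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # adminCount=1 marks accounts protected by AdminSDHolder (members of privileged groups);
    # a servicePrincipalName makes the account a Kerberoast target; disabled accounts are skipped.
    Get-ADUser -SearchBase $SearchBase `
        -LDAPFilter '(&(adminCount=1)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
        -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet |
    ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        # Null means the attribute is unset, so the domain default (historically RC4) applies.
        $aesOnly = ($null -ne $enc) -and
                   (($enc -band ($AES128 -bor $AES256)) -ne 0) -and
                   (($enc -band $RC4) -eq 0)
        $ageDays = $null
        if ($_.PasswordLastSet) { $ageDays = [int]((Get-Date) - $_.PasswordLastSet).TotalDays }
        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            SPNCount        = @($_.servicePrincipalName).Count
            AESOnly         = $aesOnly
            PasswordAgeDays = $ageDays
        }
    }
}

# Every row is an admin account whose service ticket can be requested and cracked offline.
# Remediation, in the lecture's terms: prune the SPN (move the service to a managed service
# account), rotate to a long password, and set the account to AES-only.
Get-KerberoastableAdmins | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# "Enforce AES" for one account (placeholder name); run after confirming the service supports it:
# Set-ADUser -Identity 'svc-placeholder' -KerberosEncryptionType AES128, AES256
```

Accounts with an old PasswordLastSet and AESOnly set to False are the highest priority: their tickets are RC4-encrypted and the password has had the longest time to leak or be cracked.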

Advanced Measures: AD Security 201

  1. Password Policies:
    • Strong password policies (12-14 characters min).
    • Fine-grained password policies for specific OUs.
  2. Deception Technologies:
    • Use canaries to detect intrusions.
  3. Tiered Security & Protected Users:
    • Tier Security: Structuring access control and segmentation.
    • Protected Users: Preventing misuse of high-privileged accounts.
  4. Control Authentication Mechanisms:
    • Restrict NTLMv1, SMB, and LDAP.
    • Mitigate authentication downgrade attacks and enforce modern authentication protocols.

Implementation Strategy

  • Regular Reviews and Documentation:
    • Regularly identify and document misconfigurations.
    • Meet regularly to discuss and resolve issues.
    • Maintain updated documentation and repeat the hardening cycle.

Obtaining Support for Security Measures

  • Involve Stakeholders: Ask for advice, gain buy-in from various departments.
  • Be Transparent: Own mistakes and be honest about limitations.

Continuous Improvement

  • Active Directory security is an ongoing effort.
  • Regular updates, pruning, and tuning are essential.

Final Notes

  • Emphasize teamwork and collaboration.
  • Include continuous learning and adapting to new security challenges.

Q&A Session Follow-Up

  • Open floor for questions and additional discussions.

Resources

  • Tools: ScriptSentry, ADeleginator, Locksmith, PingCastle.
  • Additional Reading and Webinars: Links provided within the lecture slides and material.