Transcript for:
Hardening Active Directory to Prevent Cyber Attacks

This is how to harden Active Directory to prevent cyber attacks. So, real quick, I put in an Easter egg. I thought, you know, I'm doing all these slides and all this work, I thought it'd be kind of interesting or funny to put an Easter egg in this. There's a picture of Waldo somewhere in the slides. I've hidden it somewhere, I'm not going to tell you where it is, but the first couple of people to take a screenshot of the slide and send it to me on Twitter or LinkedIn, or tag me on social, I'll send you a sticker, and that's that NSA sticker that I created; it's on my Etsy store right now. So a little Easter egg, a little fun thing.

So how do you harden Active Directory? I started to think about this and I'm like, well, how do you build a house? I think that's a simple analogy that we can all relate to. How do you build a house? Do you start with the roof? Do you start with the fence? Do you put the alarm system in? Do you put the windows in first? How you build a house is kind of how I like to think about building Active Directory. Where do you put the windows when there's no frame built, right? So you start with the foundation, obviously. A good foundation sets you up for success. Then you put the walls in, you put windows in, you've got the electrical, the plumbing, all that stuff, and once the frame of the house is built you put the roof on. I have on the screen some analogies here for some of those different things: the windows and the doors are your access control, your foundation is your AD infrastructure, your domain controllers and certificate services, the grass and the lawn in the yard, that's like the maintenance and the upkeep, and the fences and things like that and alarm systems, those are your firewalls, your IDS, your EDR, things like that.

So my point is you kind of build from the ground up. You start small and you start slow and you build over time, and eventually, if you build it well, it's much harder to blow the roof off. There was a funny video I saw on TikTok just recently that illustrates this. Has anyone seen those tornado chasers on TikTok? Excuse me. I forget the name of the people who do it; they've got this name for their truck and they've got this drone. Anyway, they're driving through, they're in Texas just recently, and there's this video... yeah, the Dominator, the Dominator. They have super cool videos about chasing tornadoes. So they're driving through this town in Texas, they're going down this road, they're in the middle of a tornado, and there's a house and it's whipping around, and the house was stable. It was just stuck there. Some shingles were flying off, there was some stuff flying, but the house was relatively stable in hundreds of miles an hour wind, or whatever crazy winds they are with those nasty tornadoes. That's kind of what made me think about this analogy: if you build it right and you do it well, you can hopefully prevent some damage down the road. Yeah, Reed Timmer, thank you. Yeah, super cool videos if you're a weather nerd or anything; they've got super cool nerdy stuff.

Okay, so before we get too far, who am I? My name is Spencer Alessi, for all of you joining just now and for those of you who don't know me or haven't seen me. (I've seen Twisters, yeah.) My name is Spencer Alessi. I'm a pentester at SecurIT360. I primarily focus on internal pentesting, assumed breach, Windows, Active Directory, internal networks, and that kind of thing. I come from help desk, so my background is in help desk and systems administration. I spent close to 10 years administering Active... senior? Thanks, same, thanks. I always forget that: senior pentester here at SecurIT360, thanks Jake. So I used to administer Active Directory all the time. I went through all these same struggles that I'm going to talk to you guys about today. I administered it, I went through those pain points, I've gone through a lot of those struggles, and I have a lot of stories that we can probably relate to, and we have similarities there with background. So I used to be a sysadmin, I'm a recovering sysadmin as I sometimes will say, but now I am a guest enterprise admin, as you see in that shirt design there. So essentially my goal now, what I do, is I help sysadmins secure their internal networks and Active Directory. I try to attack or approach security from a hacker perspective, using curiosity, ingenuity, resourcefulness, and trying to think about things in a different way. But ultimately I'm a defender, as Jake will tell you. I'm red with blue stripes, or maybe blue with red stripes, if you will. My goal really is to help organizations be a little bit more secure today than they were yesterday. So in all the content that I do, in the podcast and in this webinar, I hope that you get a little piece of knowledge, some nugget of information you can take back and help your organizations be a little bit more secure, and I hope this presentation delivers on that value. I've got some certifications and whatnot. Like I said, we've got a podcast, The Cyber Threat Perspective, where we talk about different security topics every week, and I also make some free tools that you'll see in this webinar and elsewhere, so I do a little bit of that on the side. Obviously content: all of you who are here have probably seen me posting content on social media. And then of course swag on my Etsy store, where I make t-shirts and stickers and fun stuff that comes to my mind.
So, what's a typical attack look like? Kind of setting the stage for hardening Active Directory, let's look at a high-level typical attack. This is a little bit overgeneralized, but it gets the sense of what we're looking at and sets the stage. So, initial access: a threat actor gets initial access. They get admin credentials from that host; maybe the user is a local admin, or they were able to elevate their privileges in some way, so they get admin credentials. Maybe it's the local admin account, and then they use that to spread laterally. They spread to the file server, backup servers, etc. They find sensitive data, or maybe they find company data that they want to ransomware, or anything in between. They exfil that data, and then they ransomware and extort. They double dip and go after it two ways. This is from Christmas Eve last year, and this report is on The DFIR Report for anyone wanting to check it out, but essentially this is what a high-level attack typically looks like: admin credentials, they move laterally, find data, exfil it, ransomware.

So they start with credentials. The success of that threat actor's operation relies on their ability to obtain credentials. Not always; sometimes they don't need admin rights to ransomware an environment or to get access to sensitive data, that happens, but most of the time they need credentials. They need admin credentials to move laterally, to get access to servers, to access domain controllers so that they can DCSync or dump credentials from memory, etc. So they need credentials, and they need credentials that provide them access to systems and resources that contain sensitive information, critical information that they're going to use to extort the organization or sell on the dark web, that kind of thing. So they need access, they need access to systems with that information, and then ultimately they want to control the environment, through using their C2 channels, through disabling security products or abusing group policies, abusing authentication protocols like NTLM, and using certificate services. They essentially want to seek control over the network so they can deploy the ransomware, and then, like I said, double dip, extort, and all those things. So they need credentials, they need access, and they need control, and that's the framework that I'm going to be working from with this webinar and what I'm going to be referring back to often: credentials, access, and control, and looking at that from a hardening standpoint.

So naturally I say the heck with that. Let's not give threat actors the opportunities to get credentials. Let's not make it too easy for them. Let's restrict what they have access to; let's not let them move laterally; let's restrict what systems and resources they can access. Let's eliminate the potential for attacker control; let's get rid of some of that low-hanging fruit that allows them to control authentication or control access to systems. And ultimately, let's not make it too easy for them.

So the game plan. This is, like I said, the game plan and the framework for setting the stage for the controls and the hardening aspects of this webinar. Step number one is identify misconfigurations. Time and time again we go into pentests, or recurring pentests, and we see the same findings, the same issues, even back-to-back from clients year after year. The goal for step number one is to identify the low-hanging fruit, get rid of it, and, like I said, don't make it easy on them. Make them have to work hard at it, make them have to use novel approaches or new techniques, or burn more sophisticated tools and techniques in order to exploit your organization or compromise things. So step number one is identify misconfigurations. Step number two is implement what I call AD Security 101. This is the base-level hardening aspects, or the base-level hygiene and hardening, that you need to do to secure Active Directory. And then step number three is the 201 things. These are things that are bigger projects; they're a little bit harder, which I'll show here in a minute. They take more coordination, more configuration, more structure, more documentation, but they're certainly very worthwhile efforts. Those are the three things that I'm going to get into today. Yeah, step four, profit, thanks Jonathan. And PingCastle is great. So, as I'll show, each one of these phases has very specific things I'm going to mention in this webinar, and this is not meant to be all-encompassing. There are obviously things outside of this, but I think these are some of the bare minimum things that we need to do to really harden our environments, make pentesters cry, make threat actors cry, and ultimately make them choose another organization to target, move on, give up. And then you repeat. You repeat the cycle, because as we know, we get new IT staff, we have turnover, we have new technologies we implement, we have new software that gets installed, and so this is a process that we need to be doing on a recurring basis. Some of these security things, like the 201 area, once you set it up it's relatively straightforward; you just have to maintain it and make sure it continues to be implemented correctly. But with misconfigurations and some of this introductory stuff, this is going to happen time and time again, so it's important to have a process to review this every so often. So I apologize ahead of time: this webinar might give you some work to do.
I hope it helps you think about things in a different way or helps provide you with some insights that you can take away, but you might walk away from this webinar with some homework. The very first thing is documentation. Documentation is crucially important. And again, like I said, this is going to focus on very specific things. This webinar is not all-encompassing of every single hardening measure that you can implement in Active Directory. I've tried to include the ones that I think are most impactful and will be most applicable to most everybody that is attending this webinar right now. And like I said, remember credentials, access, control: threat actors need credentials, they need access, and they want to control the environment, so that's what we're going to focus on from a hardening security standpoint.

So the first misconfiguration is credentials: plaintext credentials on file shares, KeePass databases that have weak passwords that are easily crackable, world-readable shares with passwords on them, web.config files and scripts and VNC configs and mRemoteNG config files and unattend files. There's a whole bunch of these unsecured credential files that you can go out and look for. I have tools that can find some of those things; there are other tools that you can use, which I'll show in a minute. I'll show an easy mode and a hard mode aspect of it. But unsecured credentials are the number one finding on internal pentests. It's something that is ubiquitous across every organization, large and small, no matter the vertical. This is a big problem for organizations, and so many times all it would take is just going out and looking, running a script, or writing a PowerShell script to automate this every so often to crawl the shares and look for these things, and this would be completely eradicated if that were the case. Hey Italy, what's up. Yeah, APIs are just longer passwords, exactly. API keys is another one, that's a really good one. What's up from Italy, hey, how's it going, thanks for joining, I appreciate it. What time is it in Italy? That's interesting. Okay, sorry, distracted. Oh cool, 18:06, nice. Cool, well, happy evening to the Italy folks.

So password reuse: if you're not using LAPS or something similar, you're probably reusing passwords. This is also a common issue with new user setup passwords. 2 a.m. in Australia, wow, well, thanks for being here, 2 a.m. in Australia. So new user setup passwords: I'm on an engagement just this week where I'm going through shares and document management systems and stuff, and there's a new user setup password that's a default password, and that's probably very common for many organizations. The problem is if you discover that password, if it's a weak password, if you find that anywhere and there are still users using that password, you can use that to pivot and move in the environment. And of course shared service accounts, this is very common. And then lastly, Kerberoastable admin accounts: admin accounts that have no reason to have an SPN. Maybe it was used to set up a service or configure something and then it wasn't actually removed afterwards. We crack admin accounts all the time from Kerberoasting. We did it last week on an engagement that Darius had. I'm working on an engagement this week where I'm literally cracking passwords right now, hopefully, cross my fingers, that I crack them. But this is a very common issue and very, very avoidable.

So unsecured credentials, easy mode. My recommendation when you first start doing this is just go out to your file shares, go out to your document repositories, whether it's Dropbox or OneDrive or SharePoint or file shares, and just search for some common phrases like "passw" or "password" or "login" or "web.config" or "unattend", and just go out and search for them. That's step number one. Once you get beyond that and get a little bit more advanced and want to automate it, you can write a PowerShell script; there are additional tools that you can automate with. But this is step one if you haven't done it at all or if you just want to see what's out there: do this first. Then you can use tools like Snaffler. Snaffler is super cool, it's a great tool. I would recommend reading the README, because it's more like hard mode, as I call it. If you just run it in its default configuration it won't actually do anything, but it will look like it is, so read the documentation. But this is a great tool that you can use to automate some of these things and do searching with regular expressions and more advanced searching. Yeah, searching GPOs as well, for sure. Interestingly enough, another tool that I'm going to mention does search for those things, a couple of them.

So Kerberoastable admin accounts. Kerberoasting, for those that aren't familiar, is when you request a service ticket for a specific service account, and that service ticket is encrypted with the password hash of that service account. What you can do is take that hash offline, you can try and brute-force it, you can try and crack it, and potentially reveal the plaintext password. So if you have an AD account that has an SPN on it, you can Kerberoast it and potentially get the password for that, so that's pretty dangerous, and that's something we want to prune.

Now moving on to access; remember, credentials, access, and control. So access: this is also something that's super common, lack of separation in privileged accounts, local admins being the same on all the machines, overly permissive ACLs. I talked about this a little bit already, but this is file shares, OneDrive, Box, your document repositories that are just wide open to everyone when they don't necessarily need to be. So step number one in this
framework is pruning those permissions, pruning those shares and those ACLs, and thinking about it from least privilege: what is the least amount of groups, or the fewest groups, that need it? Only allowing groups and users that need access to that to do their job. And then delegation. This is like granting help desk the ability to reset passwords, but you accidentally give them permission to reset every password. Instead of specifying those permissions on a specific OU, you specify them at the domain level, and now help desk can reset the domain admin password, which is pretty dangerous. So that's what we're going to identify in this phase as well.

And then lastly, control. This is where help desk is a member of the IT Services group, which is a member of Account Operators, for example, or where all users can modify group policies or modify files that are deployed by Group Policy. This is where logon scripts are misconfigured such that you're mounting shares that don't exist, or you're deploying files in those logon scripts that are modifiable by users. So this is the control area. Credentials, access, control: if they're able to control group policies or logon scripts or security group membership or authentication, now we can exploit that control over the network as an attacker. And again, these are authentications like Spooler and WebDAV and NTLM relay; these are authentication protocols, or protocols that you can use, to exploit control over the network.

So when I was thinking about this presentation I'm like, well, you know, Metropolis has Superman, Gotham has Batman, Star City has the Flash, and I'm like, well, what do sysadmins have? Well, sysadmins have the Fabulous Four. The Fabulous Four to me are ScriptSentry, ADeleginator, Locksmith, and PingCastle. These are the four free tools that you need to run in your environment on a regular basis, all the time. Run them, fix the issues that you find from them, and your environment will be much, much more secure. Yeah, Locksmith, what's up Rob.

So this is the Fabulous Four. Just a quick sidebar: this webinar isn't solely dedicated to these tools, but this is step one, finding the misconfigurations, identifying the low-hanging fruit, and fixing those things. That's step number one, because honestly, a lot of times when we go and we do a pentest, I use these tools and I find these things and I use them to get administrative rights. I use them to pivot to servers where there are backups or there's sensitive data. I literally use the results from these tools to exploit and attack organizations all the time, so why not use them for defense? And by the way, all these tools are not offensive security tools. None of these tools do exploitation, none of them is a post-exploitation tool. These are tools for defenders, and that's a very important distinction that I like making.

So ScriptSentry. It's a tool I created to find misconfigured and dangerous logon scripts: logon scripts that have credentials in them, logon scripts that have unsafe permissions, like you can actually modify the logon script, and there's a whole bunch of issues. I did a lot of research into this, and you can go out to that GitHub repo where there's a lot more information on this, but essentially we see dangerous, misconfigured logon scripts all the time, and ScriptSentry can help you identify that. So run ScriptSentry in your environment and fix the issues that you find.

ADeleginator is kind of a wrapper around another pretty cool tool called ADeleg. ADeleg is a graphical user interface for delegations. I don't know of many other tools that show you delegations in this way, and it is set up to resemble AD Users and Computers, or ADUC, for those who know it. So what you can do, and what I recommend, is you run ADeleg and you use ADeleginator. It's going to go through all of your delegations that it can find, and it's going to look for where a high-privileged user, or sorry, where a low-privileged trustee has access over a high-privileged resource, or vice versa. So let me explain. A high-privileged resource would be things like tier zero groups and users, so Domain Admins, domain controllers, jump boxes (right, Jake?) or PAWs, IT admin workstations, critical servers. Low-privileged trustees are things like the Everyone group or Authenticated Users, the non-administrators group, Domain Users, end user computers. So you want to look for where low-privileged trustees, like Everyone, as it shows in the screenshot, have access or unsafe permissions, unsafe delegations, over high-privileged resources. Insecure permissions or insecure delegations would be, as it shows in the screenshot, WriteAllProperties or GenericAll or GenericWrite, and there's a lot of these unsafe properties that this script looks for. So ADeleginator runs ADeleg, creates a report, checks for these misconfigurations, and then calls those out and says, hey, you have misconfigured permissions here, you should go look at them. So this is another great free tool. I've found a number of issues on engagements using this tool, and it's really great for finding those things. Again, it helps you find where low-privileged trustees have access to high-privileged resources. Yeah, Microsoft should think about adhering to their tier model; I'll get to that. Yeah, thank you for posting that link there; Morat posted a link to "Tier Zero in the Modern Way", and I'll get to that. Yes, it will show some deny ACLs, yep. So ADeleg in its default view will show deny. If you go to View there are different options that you can configure there, and
you can show different things, you can show the built-in delegations and things like that. So it's a really cool tool. It hasn't been updated in a few years. I think this is written in Rust, so if anybody knows Rust and wants to work on new features or updates to this, this hasn't been updated in a couple of years, but it still works really well.

Locksmith. Probably one of the best open-source security tools right now, even above all of the ones that I have written and show you. This one is really, really awesome for a couple of reasons. One, it finds misconfigured certificate issues, in certificate templates specifically. It finds all the modern certificate template mistakes that you'll see. And the other reason that it's really cool is it gives you these snippets to actually go out and fix those templates. So if it's a permission issue or something else, there's a little snippet that you can copy and run yourself to fix that issue. This has kind of surged in popularity. This was created by Jake Hildreth, who works at Trimarc, who might be in chat right now. A selfish plug for myself: I help Jake contribute to this; I've contributed just a very small amount of code to this. But it's really such an awesome tool to find misconfigured certificate issues, to find these templates. I run this on every pentest; you'll see the screenshots in all my reports. It's just a really great tool, and it shows the information very nicely, in a nice, easily digestible way, and again gives you a remediation snippet to go out and fix it. And again, it's free. I can't believe Jake doesn't charge for it, but maybe someday he'll have a commercial version or something so he can get some rewards from it. But a super great tool.

PingCastle. This rounds out my misconfiguration Fabulous Four, and that's PingCastle. PingCastle has 177, even more now, because they've introduced a couple more rules recently. There are 177 rules in PingCastle, so 177 different misconfigurations, hygiene items, that you can look for. A lot of these, I would say, maybe I never thought about it, but maybe 20 to 30% of these are things that would allow a threat actor to immediately become domain admin or immediately get credentials or obtain control over the network, maybe more than that. So definitely a great tool. It gives you a way to show improvement with these indicators and these scores, so you can show the ROI of going through this process and fixing it. So a really cool tool. This is by Vincent Le Toux, I don't know if I'm saying the last name right, but he's a contributor to mimikatz. Super cool, great tool, and also free to run for yourself in your own environment. If you're an auditor or a consultant or something, you need a license to use it, but as yourself, as just a regular IT guy in an organization, you can go download this and use it.

So the last stage of this misconfiguration section is a risk register, or documentation in general. You're going to go through this process, you're going to find all these things, and you need some way to document them and prioritize them and assign them to people. So my recommendation is just create a risk register, or some Excel sheet, where you're like, okay, we've got unsecured credentials, we've got misconfigured logon scripts, we've got non-unique local admin accounts or passwords, and you go through and you document them: a brief description of what it is, how to remediate it, assign it to somebody, have a status on it. And then you meet once a week or every other week, or whatever cadence works for you guys. You meet and talk about those things specifically: are there any hang-ups, are there things that are getting in the way? Maybe it's some forest functional level upgrade that we need that's going to be a bigger lift, so we have to document that and plan that. But document it, meet on a regular basis, tackle these things; that's the core of this. And again, remember credentials, access, control: we want to focus on things that mitigate credential opportunities, mitigate lateral movement and access in the environment, and mitigate attacker control in the environment. "Write down all your vs," yeah, yeah, Tim. Yeah, if you're going to document it, obviously don't put it in a file share that's world-readable. I think that would be great.

So next is AD Security 101. We've got some of those misconfigurations identified, we've identified some of the low-hanging fruit, we're starting to tackle it, we're documenting it, and more importantly, we're taking action on those things. We don't wait until we have everything documented and have all our documentation; we just start working on some of this, making progress on some of this. Nice, good summary. So AD Security 101: this is where we're going to go a little bit more in depth, we're going to do a little bit more pruning, and certainly more documentation. So step number one, identify misconfigurations, start tackling those things right away. Step number two is we're going to start cleaning stuff up. We're going to remove unnecessary files, folders, scripts, we're going to clean up our shares, we're going to tidy things up. The more organized we can be, the cleaner we can make our shares in our environment, the easier it's going to be when we want to prune things and configure things and reorganize the structure, because there's going to be all this stuff that we can get rid of. We might have to update our schema, we might have to configure LAPS permissions, apply group policies, but
we're going to kind of uh start that cleanup process we're also going to deploy laps right if we're not using laps or something similar we're going to deploy laps everywhere servers workstations you name it um deploy laps configure it set the permissions set the gpos in a way you go it's really a three-step process it's not super scary once you've gone through it um but laps everywhere is is kind of a key key thing here because again remember credentials we don't want them getting credentials thread actors we don't want them getting access right so configuring our permissions correctly here is is really key we're going to remove password files we're going to store them in a secure place right we're going to go out and look for them we're going to storm a secure place and then we're going to educate users whether it's it um developers dbas end users uh what have you we're going to make sure that those passwords are strong so if we do find you know the password for a service account and we notice like hey maybe that's not the most strongest password we're going to rotate it we're going to change that password we're going to document it in our vault or wherever it is and we're going to rotate it right and a little Pro tip here um something that I would recommend is turn these credentials turn these accounts into canaries so if you find an account on a file share right in a in a text file or something and you're not using it anymore or if you just you know have admin accounts laying around that you're not using turn those into canaries put the password somewhere like in the description or the notes or kind of um you know there's a lot of different creative things you can do there but turn those into canaries because those are already out there kind of placed in a typical spot that that uh thread actors would look for them so turn those into canaries is a great great tip uh and then we're going to disable rc4 we're going to enforce AES and we're going to prune SPN so 
you're going to look at all of your admin groups, all your tier zero groups: Account Operators, Server Admins, Backup Operators. You're going to look at all those groups, and for all those users you're going to make sure that none of them have SPNs unless there's a really good reason for it, right. So remove, prune SPNs, remove the ability to Kerberoast those, ensure those passwords are strong; if you don't know what the password is, you're going to change it and then make sure it's a strong password. And that's what we're going to do at this phase, at this step. Yes, this will be recorded, Mark, for sure; we'll send out a link through email or however you registered, with the slides and the recording. So credentials, access: what we're going to do is we're going to document. So we're going to document our admin and service accounts, we're going to document their group membership, delegations, the tasks that they have running, services that are running under these accounts. Documentation is the most important thing; it fixes almost every issue. It doesn't need to be fancy, you don't need to overthink it, just start documenting, and make sure that everybody knows where that documentation is, and then make sure everybody is following those same processes, even if it's just making a small change. Nathan, who's a good friend of mine, has mentioned this to me before: just have a place where you document, hey, we're making this change here, this is what it does, a brief high-level thing, so when something breaks or something doesn't work or we have a misconfiguration, we can go back and figure out what we did, why we did it, who did it, etc. So documentation is really, really important. For admin and service accounts we're going to document their current access, and we're going to work on our desired access at the next step, but for admin and service accounts
we're going to document what those permissions are and what those look like. For file shares we're going to document their current access, their desired access, and this goes for SharePoint or wikis or things like that: start documenting what users or groups or departments need access to what, so you can fine-tune that later on. And for lack of a better way, Excel makes for a really good way to document this, right, so feel free to use your own methods, however you want to document, wherever, but start documenting it in some way. Document the account, what it's used for, what groups it needs to be in, the delegations. Same thing with service accounts, right: if that service account is used to run a scheduled task on a server, document it; if it's running a service somewhere, document it; document the permissions that it needs. I think a lot of systems administration is just documentation, right; if you have good documentation you can refer back to that at a later date, because no one can remember what accounts need what permissions or where and why; no one can remember all of that. So it creates so much more headspace to think about other things if you can just document it so you don't have to remember it. So this is for file shares; so file shares, not interactive, yeah, and that's a good point. At some place, documentation, somebody said there's a thing called, oh, what's the word for it, tribal knowledge, which is a phrase I hear a lot of times. There are people who are 15 years, 10 years at an organization, and they're the only people that know how that thing works. That is a vulnerability, right. If you document it and you force the team to go about documenting it, not only can you address issues easier, because you know where to go to look for that information, but somebody mentioned incidents, right: if you have an incident, there's information there of what
that service is, why, where, what the permissions are, etc. So documentation is annoying, it's hard, it's difficult and it's grueling and nobody likes doing it, but it is foundational, and that is really, really important. So file shares: just documenting, if it's a share, if it's a wiki, what the resources are, who needs access and what kind of level of access. So I have an example here, feel free to steal it, but file share one, they need modify, right, it's their share, whereas accounting, maybe there's some accounting documents, or maybe it's a marketing department, right, just allow marketing to use that share and modify things in that share. There's no reason why we need to have other groups being able to modify or have full control on those shares. So remember credentials, access, control. So the control part of this is essentially out with the old, disabled and not used, and in with the new, right. So you're going to clean up security groups, you're going to clean up users in those groups. If you have disabled accounts that are just sitting out there, or group policies that you don't use anymore that are just left out there because you just haven't quite cleaned them up yet, logon scripts: I don't know how many times I've done a pen test and I go to the SYSVOL share and there's just hundreds of logon scripts that aren't even used anymore. Do a little cleanup, clean those things out, out with the old, in with the new, and of course document as you're going through; this is a good opportunity to document things. And then remove, reduce your administrative burden by disabling the spooler on DCs and restricting older protocols like LLMNR and NBNS, SMBv1 on DCs, certificates; these are things that we're going to do at this stage using the tools that I mentioned previously, so we're going to actually tackle those things here. Oh wow. So the next phase is 201, so remember credentials, access, control:
we've got the misconfigurations, we're finding the low-hanging fruit, we're getting rid of easy ways to get credentials, we're restricting lateral movement with LAPS, with cleaning up shares, with cleaning up security groups and GPOs and logon scripts and authentication protocols, the ones that are easier, low-hanging fruit, so restricting access and control. And now we're going to do the same thing, we're going to look at credentials, access and control, we're just going to take it up a notch. And that is passwords; we're going to start with password policies, password policies and fine-grained password policies, right. 12 to 14 I think is a good starting point; any less than that I think is just a little bit too weak. That being said, this is not the end-all be-all, right; there's a reason we have layered controls. You can still have an 8-character password policy but still have a very defensible environment. But something that is not used often enough is fine-grained password policies. Fine-grained password policies are great because you can configure a specific password policy for specific OUs, so maybe it's your tier zero accounts or your service accounts or help desk accounts or other admin accounts; you can configure a password policy so that even if the IT admin tries, they can't set a weak password on that account. Now I know what you're going to say, for those that are clever: you can go into Active Directory and kind of cheat it, for those that know, but in normal situations you can't. If you have a fine-grained password policy set that says, hey, you need to use 25 characters, it's not going to let you use eight. So fine-grained password policies are really, really good. Stats for breaking 13 characters or less: I have cracked 20-plus character passphrases, so it's definitely something to consider. My advice there generally is to instruct users to not use dictionary words or words
together in common language. So everybody's probably heard "correct horse battery staple"; that's a great password and concept, but in implementation that is actually a very bad password. Also using Bible verses and songs and things like that, words that you would commonly hear together, is what I would recommend against. But we've definitely cracked 20-character passphrases, we've cracked 14-character passwords, we've cracked all different sorts of things, and the main thing is entropy. When it comes to passwords, entropy is everything, and you can have nine-, 10-character passwords that probably won't be cracked anytime soon just based on entropy. Using password managers like Bitwarden? Yes, definitely. Bitwarden; heck, people are going to bring up LastPass, but Delinea, Thycotic, whatever it is that you feel comfortable with, definitely use those solutions, find the features that work best for you and use those. Yeah, backups for sure. So password policies: this is another great opportunity to use canaries, right. Find accounts that you're not using anymore, use user file shares, but implement some deception technologies. This is something that is very underutilized, but it's very high fidelity; when those alerts go off you know that somebody is touching a file or doing something that they shouldn't. If you go to Thinkst's website, Canary Tokens, you can find some really great free canary tokens that you can use, so you can set up canaries for when somebody clones the website, you can create canaries for when somebody launches a program or runs a specific command, all sorts of fun things on top of file shares and credentials and things. So really good, but we're going to take a look at some deception at this stage in the game and implement some of those things. So access 201: access, this is tiered security and Protected Users, two of
the most important features in Active Directory. One of those things is built in; the other is more difficult to do because it's not just out of the box. So not just out of the box is tiered security. This starts with the red forest model, or the enterprise access model that Microsoft has created; somebody linked it earlier. Snaffler, cool. And Monash; so Jake Hildreth mentioned Monash to me, and looking at it I'm like, wow, this is really cool. I like thinking about it in terms of micro-segmentation, which I'll talk about in a second. So tiered security was kind of built on these models; the Monash enterprise access model is the one recently from Monash University in Australia, really good reading, I highly recommend checking it out. We're going to talk about tiered security and Protected Users just for a minute. So Protected Users is built in; you do need to be on a domain functional level of Server 2012 R2 or later, but the benefit is really great: it restricts lateral movement, restricts privilege escalation, more granular control of admin accounts, more granular auditing and things like that. So in the Monash enterprise access model they talk about this idea of micro-segmentation. Microsoft calls it different things: it's called tiered security, least privilege, zero trust; there's a lot of buzzwords for this, but the idea is, I like the term micro-segmentation, it just lands better in my head. But essentially you restrict what admins can control and where they can log in, and not just admins, right, but service accounts, users, things like that. You control where; you control or administer what accounts can control, remember credentials, access, control, and where they can log in, right, access. So credentials, access, control; so I'm starting to hopefully tie this together in some sort of framework that maybe makes sense, using tiered security and micro-segmentation and Protected Users and things.
So the idea here is you don't allow, nor do you, log in to a workstation with a domain admin account, right; as we'll see with Protected Users, that domain admin account will have its credentials cached when you log in, so that's a no-no in the micro-segmentation, tiered security world. You also don't allow help desk to reset accounts that are a higher tier than them, right; so help desk can only reset standard user accounts, or accounts at the same level or below, not other admin accounts, not domain admins, not enterprise admins, nothing at a higher tier, nor can they manage resources in a higher tier. You don't want help desk to be able to manage your SCCM server or your domain controllers or things like that. So a domain admin user generally has four or more accounts for a normal working day, yeah. The downside of this is you have multiple accounts, right; you have many accounts and you have to log into them and use them for different purposes. I get it, it's frustrating and it's annoying and it's not an easy proposition to say, hey, now you need all of these seven or eight different accounts to manage all these things, and yeah, like Jake says, accounts are free, breaches aren't; that's a really, really good point. So micro-segmentation, real quick discourse on this. I got a lot of this information from a good friend, Nathan, who's also a real whiz at Active Directory and tiered security and has done this before many different times. But like I said, step number one, remember to document; step number two, start building out the structure, right. We organize into OUs: servers go into application groups or whatever makes sense for you; desktops you can organize by site or department, again whatever makes sense for you, but build out a structure. Start thinking about how we can segment these accounts, segment the access, segment the control, and segment the
security. So accounts: this is just some examples of accounts, groups and computers and what that might look like, right; you have tier zero, tier one, tier two, right, domain admins, server admins, workstation admins, etc. So the important thing to know is this is not a prescriptive thing; this is a model that you can adapt and use in your environment, so you have to figure out what works for you, you have to figure out what your OU structure looks like for you and for your organization, but this is the model to build on. Regular user account, workstation admin, server admin, yeah, yeah, that's great, Mark. And there's that, so that Monash security model, they talk about zones within tiers, so it gets very crazy and very in depth, but at the bare minimum, just starting out with tier zero, tier one, tier two is a great starting point, and just start there and start building out some of the structure. This is again just another screenshot, another example of what some of this would look like, right: with this user account you have your tier zero, your tier one, your tier two and your standard account. For group policies, right, you have your tier one OU, server OU, with a tier one group policy; you have your workstations OU, or many different ones, and you have your tier 2 desktop admin accounts, and then essentially you get to a point where you can delete domain admins from local admins on workstations, you can delete all those other members and just add the users or groups that should have admin on those workstations. HardenAD.net, I don't know if I know that. Yeah, this will be recorded and we'll send the slides out. So that's the next step, right, is building out this structure, and remember to document. So as we segue to Protected Users from tiered security, the most important thing to
take away is having separate accounts for separate things and thinking about: I don't want low-privileged users to have control or access to higher-privileged things, and I don't want high-privileged users to be logging in or controlling low-privileged systems. And then take this and adapt it to your environment, to your team, to your culture and that kind of thing. So Protected Users: another great presentation by Jake; he's got a presentation he did recently at BSides Charm, he's done other places; there's a link here for the slides if you want to go check them out, I highly recommend it. But Protected Users: in order to talk about Protected Users I think it makes sense to think about credentials, access and control, right; that's why I made this presentation the way I did. Threat actors like admin credentials, right; they thrive on them; their campaigns, their operations depend on them being able to get credentials, and of course, if you're going to get credentials, why not admin credentials. So you get admin credentials from when a domain admin logs in to a workstation to help administer something, or when a domain admin has configured a scheduled task to run under their account, or when they have a service that's running, they installed software and now there's a service running as that domain admin account, Kerberos relaying attacks; these are all things that allow threat actors to get credentials, get access and enact control on an environment. Protected Users is a direct mitigation to this. So with Protected Users you can't authenticate with NTLM, you can't use DES or RC4, accounts can't be delegated, and the Kerberos ticket lifetime is severely limited. So let's say an admin logs into a workstation and there's a Kerberos ticket there; I can't just grab that if it's after four hours and use it. Stop doing risky things with your
AD admin accounts; yeah, that's good advice, I appreciate that. And like I said, wherever they're logged in their credentials aren't cached, which is a big bonus to Protected Users. Like I said, Jake Hildreth has a really great presentation on this; it goes into much more depth on not only what Protected Users is, why you need it, why you should use it, but also how to implement it. What I like about his presentation is it walks you through how to prepare, how to audit, how to enact; like it shows here: check for the prerequisites, implement some auditing, figure out where you might have some insecure authentication used, mark the user as sensitive as kind of a cheat code to dip your toes into it, and then you can put that user in the Protected Users group and test it. Also a plug: Jake has a tool he's releasing sometime this fall-ish, maybe, called PowerPUG, I believe; it's essentially a tool to help people implement the Protected Users group. So I definitely recommend checking that out and following Jake on GitHub and stuff for when he does that. But Protected Users is a very, very powerful control, it's built into Windows, and I definitely recommend checking it out and trying to get some admin accounts in there and getting to use that. The last section here, with control, is controlling authentication, right, specifically NTLMv1 and SMB and LDAP. The reason why NTLMv1 is super important is it is a very serious issue in many environments; that's because of something called an authentication downgrade attack. Essentially what you can do is, the default setting, like it shows here in the screenshot, the default setting on domains is set to three, which means clients send NTLMv2 responses only, but the DCs, the domain controllers, accept LM and NTLM and NTLMv2, which means you can do something called an authentication
downgrade, which essentially means you can obtain an authentication request, you can crack that NTLMv1 for a computer account for example, or you could use rainbow tables, and once you have that you can DCSync, you can do a silver ticket attack, you can kind of have your way. But essentially you capture an authentication, you crack it or you use what's called rainbow tables to recover the hash, and then bad things can happen from there, especially if you capture authentication from a domain controller. And like it shows in the screenshot, this is not something I do on an internal pentest typically because the time frame is restricted, but you can use 8x 1080 rigs, which are graphics cards, and in 6 days you can crack it. So I'm running short on time here, so I'm going to wrap up. So going back to the beginning here, it's a cyclical process: we identify misconfigurations, we implement AD security 101, AD security 201, and we start this process, right; we meet on a regular basis, we tackle those things and we repeat. Lastly, how do you get support? I think this is going to be a staple of most of my presentations, but include others, ask for advice, and honesty, right. So quick example: I was a young buck IT guy, security guy, doing things, and I run a Nessus scan, I see that there's a system vulnerable to some old XML or something like that, and I just go to the app and I uninstall it, right; it's an old version, it can't possibly be used, there's no way, it's way out of date, there's nobody using this. Well, a few moments later some people knock on my cubicle; they're like, hey, were you on the app server, did you do anything on that app server? Like, oh yeah, I just uninstalled old XML. And they're like, uh, okay, because the production system is down, we can't do business, we're not getting
paid, we're not getting money in, the business is down. And I'm like, shoot, that's bad. So fortunately it was just something that I could reinstall, so we reinstalled it and all was good. But I say that to make an example, to say: include others and ask for feedback and advice, and be honest, right. If you make a mistake, own it, and on the same token, if you don't know what's going to happen or if you don't know something, be honest, transparent about it, and ask for help or ask for advice. One of the best ways to bridge the divide between a senior, tenured person who's been there for a while, who has seniority or has their systems that they want to maintain, is ask for their advice. If you want to implement something, or if you need to configure something, or if something is vulnerable, you need to patch something or update something, go to them and ask their advice, like, how would you approach this, or how can we tackle this. Include them in the decision-making process, include them in that process more or less, and if you include them instead of just alienating them and going about it yourself, you're much more likely to gain trust and to gain people on your side that are going to help you move forward with whatever it is you're trying to do. And remember that Active Directory is a journey, not a destination; I think that was a Ralph Waldo Emerson quote. It's a journey, right; it's not an end state, it's a constant tuning, a constant pruning, a constant process. So take it slow, one step at a time, document, get people on your team, work together, and hopefully you come out the other end with a more secure Active Directory environment. So with that I'm done; I'm going to go through chat now and look for questions. If you need to jump, I know it's top of the hour, feel free, but I appreciate everyone coming, I appreciate everyone
listening, and the feedback in the chat; it was super awesome to see everybody chatting and chiming in and talking to each other, so I really appreciate it, and I'm super thankful that you're all here, and I hope you got one little nugget of information or value from this presentation. So I appreciate everyone, thank you.
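The "deploy LAPS, set the permissions, set the GPOs" three-step process from the talk, written out as an added PowerShell example (not the speaker's code). It uses the Windows LAPS module and the GroupPolicy module; the OU paths, group names, GPO name and domain are assumptions to replace with your own structure.

```powershell
# Added example, not from the talk: the three LAPS steps the speaker lists
# (schema, permissions, GPO) with the Windows LAPS PowerShell module.
# OU paths, group names, GPO name and domain below are assumptions.
# Step 1 needs Schema Admins; steps 2 and 3 need rights on the target OUs.
Import-Module LAPS
Import-Module GroupPolicy

$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$ServerOU      = 'OU=Servers,DC=corp,DC=example'        # assumed OU
$HelpdeskGroup = 'CORP\Tier2-Helpdesk'                  # assumed group: reads workstation passwords only
$ServerAdmins  = 'CORP\Tier1-ServerAdmins'              # assumed group: reads server passwords only

# Step 1: extend the schema once per forest (no-op if it is already extended).
Update-LapsADSchema -Verbose

# Step 2: permissions. Each computer must be able to write its own password
# attributes; only the tier that administers that OU may read or reset them,
# which is the "configure permissions correctly" point from the talk.
foreach ($ou in @($WorkstationOU, $ServerOU)) {
    Set-LapsADComputerSelfPermission -Identity $ou
}
Set-LapsADReadPasswordPermission  -Identity $WorkstationOU -AllowedPrincipals $HelpdeskGroup
Set-LapsADResetPasswordPermission -Identity $WorkstationOU -AllowedPrincipals $HelpdeskGroup
Set-LapsADReadPasswordPermission  -Identity $ServerOU      -AllowedPrincipals $ServerAdmins
Set-LapsADResetPasswordPermission -Identity $ServerOU      -AllowedPrincipals $ServerAdmins

# Step 3: GPO. Windows LAPS reads its policy from this registry key, so a GPO
# linked to the OUs turns the feature on for every machine under them.
$gpoName = 'LAPS - Local Administrator Password Rotation'   # assumed GPO name
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
$key = 'HKLM\Software\Microsoft\Policies\LAPS'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'BackupDirectory'    -Type DWord -Value 2   # 2 = store in AD
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 24
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4   # upper, lower, digits, symbols
foreach ($ou in @($WorkstationOU, $ServerOU)) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -ErrorAction SilentlyContinue
}

# Check: who can actually read the passwords in each OU? Any principal here
# beyond the intended tier group is an extended-rights leak to remove.
Find-LapsADExtendedRights -Identity $WorkstationOU | Format-Table -AutoSize
Find-LapsADExtendedRights -Identity $ServerOU      | Format-Table -AutoSize
```

The final two lines are the audit step the talk implies: run them again after any delegation change, since extended rights on a parent OU are inherited.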
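The "AD security 101" pruning the talk describes (SPNs on tier-zero accounts, RC4 versus AES, the NTLM level, the spooler and SMBv1 on DCs) as one read-only audit script. This is an added example, not the speaker's tooling; the group list is the built-ins he names, and the tier-0 group names you would add are assumptions.

```powershell
# Added example, not from the talk: a read-only "AD security 101" audit.
# Lists privileged accounts that still carry SPNs or accept RC4, then checks
# each DC for LmCompatibilityLevel, Print Spooler and SMBv1.
# Needs the ActiveDirectory RSAT module and WinRM access to the DCs.
Import-Module ActiveDirectory

# Built-in groups from the talk; append your own tier-0 groups (names are yours).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Account Operators', 'Server Operators', 'Backup Operators')

function Get-PrivilegedAccountFindings {
    foreach ($group in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties servicePrincipalName,
                     'msDS-SupportedEncryptionTypes', PasswordLastSet, Enabled
            # msDS-SupportedEncryptionTypes bits: 0x1 DES-CRC, 0x2 DES-MD5, 0x4 RC4,
            # 0x8 AES128, 0x10 AES256. Unset (null/0) means "not restricted", which
            # still lets the DC issue RC4 keys for the account.
            $enc = [int]$u.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                Group           = $group
                Account         = $u.SamAccountName
                Enabled         = $u.Enabled
                Kerberoastable  = [bool]$u.servicePrincipalName   # at least one SPN
                AESOnly         = (($enc -band 0x18) -ne 0) -and (($enc -band 0x7) -eq 0)
                PasswordAgeDays = if ($u.PasswordLastSet) { [int](New-TimeSpan -Start $u.PasswordLastSet).TotalDays } else { -1 }
            }
        }
    }
}

function Get-DcProtocolPosture {
    Get-ADDomainController -Filter * | ForEach-Object {
        Invoke-Command -ComputerName $_.HostName -ScriptBlock {
            $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
            # Unset LmCompatibilityLevel behaves like 3, the default shown in the talk:
            # the DC still accepts LM and NTLMv1 from clients. 5 refuses both.
            $level = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 'default (3)' }
            [pscustomobject]@{
                DC                   = $env:COMPUTERNAME
                LmCompatibilityLevel = $level
                NTLMv1Refused        = ($lsa.LmCompatibilityLevel -eq 5)
                SpoolerRunning       = (Get-Service -Name Spooler).Status -eq 'Running'
                SMB1Enabled          = (Get-SmbServerConfiguration).EnableSMB1Protocol
            }
        }
    }
}

# Rows that need action first: SPN on an admin, RC4 still allowed, or a stale password.
Get-PrivilegedAccountFindings |
    Where-Object { $_.Kerberoastable -or -not $_.AESOnly -or $_.PasswordAgeDays -gt 365 } |
    Sort-Object Kerberoastable -Descending | Format-Table -AutoSize

# DC posture: anything other than 5 / False / False / False is a finding.
Get-DcProtocolPosture |
    Select-Object DC, LmCompatibilityLevel, NTLMv1Refused, SpoolerRunning, SMB1Enabled |
    Format-Table -AutoSize
```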
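The "201" stage as the talk lays it out (a 25-character fine-grained password policy for tier zero, AES only, mark the account sensitive as the cheat code, then Protected Users, with an SPN check first because a service tied to the account will break under those restrictions). This is an added PowerShell example, not the speaker's code and not Jake Hildreth's PowerPUG; the group name, policy name and the `-Enforce` switch are assumptions.

```powershell
# Added example, not from the talk and not PowerPUG: apply the "201" controls
# to one tier-0 group in the order the talk describes
# (prerequisites -> audit -> mark sensitive -> Protected Users -> test).
# Everything runs with -WhatIf unless the script is called with -Enforce.
param(
    [string]$Tier0Group = 'Tier0-Admins',       # assumed group holding tier-0 admin accounts
    [string]$PolicyName = 'PSO-Tier0-25char',   # assumed fine-grained password policy name
    [switch]$Enforce
)
Import-Module ActiveDirectory
$WhatIf = -not $Enforce

# Prerequisite from the talk: Protected Users needs a 2012 R2 or later domain.
# ADDomainMode enum: 6 = Windows2012R2Domain, 7 = Windows2016Domain.
$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt 6) {
    throw "Domain functional level is $($domain.DomainMode); raise it to 2012 R2 or later first."
}

# Fine-grained password policy: 25 characters for tier 0, so an admin cannot set
# a weak password on these accounts. Precedence 10 beats the default domain policy.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
        -MinPasswordLength 25 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false -WhatIf:$WhatIf
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $Tier0Group -WhatIf:$WhatIf

$protectedUsersDN = (Get-ADGroup -Identity 'Protected Users').DistinguishedName
$members = Get-ADGroupMember -Identity $Tier0Group -Recursive | Where-Object objectClass -eq 'user'

foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.DistinguishedName -Properties servicePrincipalName, memberOf

    # Audit first: an SPN means a service runs as this account, and that service
    # will break under Protected Users (no delegation, no RC4, 4-hour ticket life).
    if ($u.servicePrincipalName) {
        Write-Warning "$($u.SamAccountName) has SPNs ($($u.servicePrincipalName -join ', ')); move the service to a dedicated account before enrolling."
        continue
    }

    # AES only: RC4 and DES keys are no longer issued for this account. New keys
    # are derived at the next password change, which the 25-character PSO now governs.
    Set-ADUser -Identity $u -KerberosEncryptionType AES128, AES256 -WhatIf:$WhatIf

    # "Mark the user as sensitive", the cheat code from the talk: blocks delegation
    # on its own, so delegation breakage shows up before the group membership does.
    Set-ADAccountControl -Identity $u -AccountNotDelegated $true -WhatIf:$WhatIf

    # Then Protected Users itself. Membership check keeps re-runs idempotent.
    if ($u.memberOf -notcontains $protectedUsersDN) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $u -WhatIf:$WhatIf
    }
}
```

Run it once without `-Enforce` and read the `-WhatIf` output and warnings; the accounts that get skipped for SPNs are exactly the ones the talk says to rehome onto dedicated service accounts before they go any further.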