This document discusses recommendations for improving the security of Domain Administrators (DAs) and Domain Controllers (DCs) in Active Directory. It begins with an introduction and survey of the audience. It then provides 10 recommendations to test new DAs, limit the number of DAs, separate DA and everyday accounts, set separate DA password and logon policies, disable cached credentials, be careful with DA service accounts, use Microsoft Security Compliance Manager, address null sessions, and obtain offensive security training. The document concludes by thanking the event organizers and providing a link to additional resources.
3. Goals
• Provide immediately useful content re: the defense of your Domain Admins (DAs) and Domain Controllers (DCs)
• Give you projects you can implement in one month or less.
4. About
• Consultant at SynerComm
• Passions: Dev (C#/PS/PY), InfoSec, Woodworking
• Twitter: @curi0usJack
• Blog: http://project500.squarespace.com/
5. Survey
• How many of you work in a large enterprise?
• How many work in an old enterprise (25+ yrs old)?
• How many in some kind of AD security?
• How many had a pentest some time in the last 12 months?
22. #7 - Service Accounts
• Delegate, Delegate, Delegate!
• If you must have DA service accounts:
  • Treat the task server like a DC
  • The service account can only log in to that server
  • Shut off cached creds
This is a defense talk. No sexy AD 0days here.
Geared towards Enterprise.
Assuming AD experience
Focused intentionally on DA accounts.
Many people in this field way smarter than me!
This was a wake up call.
We had always known that we (DAs) were targets, but it never really sank in.
Notice end = “Domain Admin”
DAs are targets!
Want to give 10 things you can do quickly to make serious improvements in your AD’s security.
Used by permission from Matt Weeks. The diagram can be purchased here: http://www.zazzle.com/network_intrusion_process_poster-228004714653088200
“Everything rises and falls on leadership.” - John C Maxwell
Sam’s Story
Testing is a proving ground for trust.
Previous Job: 1500 users & 35 DAs. Current job: 20K users, 5 DAs.
Fewer DAs = less risk.
If you don’t test and you don’t limit, you end up with DAs like me <grin> (my fail story).
Yeah….
Intrepid DA knows this is a Computer GPO setting
MS Fine-Grained Password Policies to the rescue! Introduced in Server 2008.
Super easy in PowerShell!
In an enterprise, there is little reason to have this on for any server.
Certainly turn it off for DCs or any server a DA has to log in to!
<TrustedSec DA password story>
<Oncall TrustedSec story>
- Shutting off cached creds can break Scheduled Tasks that use Domain Accounts. Set “Run whether user is logged on or not” option to fix.
Free tool for creating highly secure GPOs very quickly.
http://www.microsoft.com/en-us/download/details.aspx?id=16776
So easy to say “get rid of null sessions”.
Tricky in an enterprise because legitimate apps may be making use of them.
Here’s some code to help.
- All this does is get null sessions on any of your DCs and write them to the screen. Requires the AD cmdlets.
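The script itself is not reproduced on this page, so the following is an added example of my own (not the talk's script) that does what the note describes: it lists anonymous (null) SMB sessions on every DC so you can find the legitimate consumers before restricting anonymous access. It assumes the ActiveDirectory module (RSAT) plus CIM/WinRM access to each DC, and that a null session shows up in Win32_ServerSession with an empty UserName (the same blank user name `net session` displays).

```powershell
# Added example (not the script from the talk): enumerate null SMB sessions on every DC.
# Assumes the ActiveDirectory module and CIM/WinRM rights on the DCs.
Import-Module ActiveDirectory

function Get-DcNullSession {
    [CmdletBinding()]
    param(
        # Default: every DC in the current domain (assumption: caller may query them all)
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                        Select-Object -ExpandProperty HostName)
    )

    foreach ($dc in $DomainController) {
        try {
            # Win32_ServerSession lists inbound SMB sessions on the target server
            $sessions = Get-CimInstance -ClassName Win32_ServerSession `
                                        -ComputerName $dc -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not query $dc : $($_.Exception.Message)"
            continue
        }

        # A null session is one with no authenticated user name
        $sessions |
            Where-Object { [string]::IsNullOrEmpty($_.UserName) } |
            ForEach-Object {
                [pscustomobject]@{
                    DomainController = $dc
                    Client           = $_.ComputerName    # host/IP that opened the session
                    IdleSeconds      = $_.IdleTime
                    OpenResources    = $_.ResourcesOpened
                }
            }
    }
}

# Write the results to the screen; pipe to Export-Csv instead to build an inventory
# of the apps that still rely on null sessions before you shut them off.
Get-DcNullSession | Format-Table -AutoSize
```

Run it periodically over a few weeks, since some legitimate consumers (batch jobs, monitoring) only connect occasionally.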
I don’t necessarily mean Offensive Security, but they are indeed awesome!
Only way to truly understand what you’re up against.
Need a way to get better Windows Security (particularly AD security) into blue team’s hands.