Recommended
Recommended
More Related Content
What's hot
What's hot (10)
Viewers also liked
Viewers also liked (20)
Similar to Active Directory - Real Defense For Domain Admins
Similar to Active Directory - Real Defense For Domain Admins (20)
Recently uploaded
Recently uploaded (20)
Active Directory - Real Defense For Domain Admins
- 1. Active Directory: Real Defense for Domain Admins Jason Lang
- 2. Disclaimer
- 3. Goals • Provide immediately useful content re: the defense of your Domain Admins (DAs) and Domain Controllers (DCs) • Give you projects you can implement in one month or less.
- 4. About • Consultant at SynerComm • Passions: Dev (C#/PS/PY), InfoSec, Woodworking • Twitter: @curi0usJack • Blog: http://project500.squarespace.com/
- 5. Survey • How many of you work in a large enterprise? • How many work in an old enterprise (25+ yrs old)? • How many in some kind of AD security? • How many had a pentest some time in the last 12 months?
- 6. Did it go something like this?
- 8. Uh-oh
- 10. #1 - Test your new DAs
- 11. #2 - Limit the number of DAs
- 13. #3 - Separate DA accounts from “everyday” accounts
- 14. #4 - Separate DA password policy
- 15. No Excuses!
- 16. #5 - Set DA logon restrictions DCs only!
- 19. #6 - Disable Cached Creds
- 21. #7 - Be careful with DA service accounts
- 22. #7 - Service Accounts • Delegate Delegate Delegate! • If you must have DA service accounts: • Treat task server like a DC • Service Account can only login to that server • Shut off cached creds
- 24. #8 - Microsoft Security Compliance Manager
- 26. #9 - A quick word about null sessions
- 28. #10 - Get offensive security training!
- 30. Fail
- 32. Win
- 37. Questions?
- 38. Huge Thank You’s: @DerbyCon @TrustedSec
Editor's Notes
- This is a defense talk. No sexy AD 0days here. Geared towards Enterprise. Assuming AD experience Focused intentionally on DA accounts. Many people in this field way smarter than me!
- This was a wake up call. We had always known that we (DAs) were targets, but it never really sank in.
- Notice end = “Domain Admin” DAs are targets! Want to give 10 things you can do quickly to make serious improvements in your AD’s security. Used by permission from Matt Weeks. The diagram can be purchased here: http://www.zazzle.com/network_intrusion_process_poster-228004714653088200
- “Everything rises and falls on leadership.” - John C Maxwell Sam’s Story Testing is a proving ground for trust.
- Previous Job: 1500 users & 35 DAs. Current job: 20K users, 5 DAs. Less DAs = less risk. If you don’t test and you don’t limit, you end up with DAs like me <grin> (my fail story).
- Yeah….
- Intrepid DA knows this is a Computer GPO setting MS Fine Grained Password Policies to the rescue! Introduced in Server 2008 Super easy in powershell!
- In an enterprise, little reason to have this on for any server. Certainly turn it off for DCs or any server a DA has to login to! <TrustedSec DA password story> <Oncall TrustedSec story>
- - Shutting off cached creds can break Scheduled Tasks that use Domain Accounts. Set “Run whether user is logged on or not” option to fix.
- Free tool for creating highly secure GPOs very quickly. http://www.microsoft.com/en-us/download/details.aspx?id=16776
- So easy to say “get rid of null sessions”. Tricky in an enterprise because legitimate apps may be making use of them. Here’s some code to help.
- - All this does is get null sessions on any of your DCs and write them to the screen. Requires AD cmdlets
- I don’t necessarily mean Offensive Security, but they are indeed awesome! Only way to truly understand what you’re up against.
- Need a way to get better Windows Security (particularly AD security) into blue team’s hands.
- - DomainLockDown deathblossum mode.
- - Be sure to check out the README.