
Hi everybody, welcome. Hope you are enjoying the conference. It's really great to be in front of a local crowd, and this is a terrific turnout. I'm very happy to be presenting with Joe. He's gonna be smart and I'm gonna be the smartass, okay? Joe knows a hell of a lot about Active Directory; it's the case that what he's forgotten is more than what most of us will probably learn in a lifetime. And I'm gonna share, more or less, my high-level overview and experiences with what can go wrong when you don't do things right with Active Directory. So that's why I'm here, that's why Joe's here. Great. Okay, so this works, all right.

So you think you know Active Directory, right? Anybody who's had to work with it knows you can never know enough about this. It is a lifelong learning experience, especially when you have to learn hard lessons. I've currently witnessed some pretty ugly scenarios involving what goes wrong with Active Directory. You could call it "when bad things happen to good Active Directory," except that it wasn't good; it's in the configuration. So we want to talk about how to get you set up, in 25 minutes or less, with the basics, so that when you leave here today you'll have an appreciation for what it is you should know, do not really know, and what you could do about it when you get back to your own configuration to improve upon that. We want to set you up for success. There's a lot of stories out there about defaults, but we're gonna give you examples, layer by layer, of how to do this well. Not perfectly; it's always going to be a learning experience, you're always going to need to build on your knowledge and stay on top of things, but we will show you the stuff that you may very well have been missing through this whole process. Okay, all right.

So there you go, that's Active Directory, right? Essentially this is the heart of Active Directory, and I'm gonna give you one lesson. Think of when you were a kid and you had peas and potatoes, corn, meat and gravy on your plate, not being touched, right? That's in the center of your plate; nothing should touch that. That is what you are protecting. That's the core. Those are your central domain controllers. That is the key repository. Active Directory, what it is, is a repository of authentication and authorization information, and as you know, no matter what size or scale you're managing, it's an enormous amount of information that is coming in there, and you have to be the gatekeeper of that. And it starts with the core, so you're going to put a perimeter, a safety zone, around this as you layer out, to make sure that nothing ever really gets to speak directly to Active Directory.

Let me think if there's anything else I want to add. Okay, yeah, we're good. Domain admin first: for everybody, for you and you and you, for all of us, right? Is this your reality? Oh my god. Because everybody wants domain admin, right? Because it just makes life easier, because the execs want it, because the guys in marketing need it; everybody has a reason why they need to have domain admin. We want to do this, we want to be able to be nimble, and it suits a business; we're business and profit driven and we want to be agile. There are so many reasons around it, and there are so many reasons why we do not want to do this. I'm sorry, you are not all special snowflakes, so we're gonna just say no. We have to. You cannot have domain admin. You cannot be signing on with your domain admin credentials to do stuff; that's how you get pwned. But people keep forgetting that, and it keeps happening. So this is where we teach you: when you start at the very beginning with that little center triangle on your plate and you segregate it from everything else, it's much easier to build in the ability to say no, and you have to.

So we're gonna scale it back, because there's another factor around Active Directory: it is not secure out of the box. There's a lot of default stuff, there's a lot of settings, and the bottom line is your success with Active Directory and security is only going to be as good as the investment of time that you put in to managing and manipulating the configurations. It can be an amazing tool, but only if you take the time to learn what you can set up about it and what you have to stay on top of. Case in point: if you have somebody who goes after your systems, oh, and a werewolf attack, not that this has ever happened, and they wipe out all of your drives because they are really mad, because you can to them, and you were not keeping good logs, and your backups are... you have a problem. And then when you try to turn the services back on, you've re-enabled all the settings, all the default settings, and the werewolf was actually waiting for you to do that, because he knew you weren't going to go back and close it down using GPO. So he got back in again and he took everything away that you actually managed to restore. This is why you want to pay attention and understand where the default settings are, what you need to lock down, which is pretty much everything from the beginning, and stay on top of it.

I mean, the first sort of security consideration that you need to deal with for your domain controllers is the physical security side. Treat your domain controllers, well, like what they are: they're one of the keys to the kingdom, right? Make sure that they're encrypted. If you're using virtual machines, make sure that the virtual machine images are isolated from the rest of the environment and heavily audited. Make sure that all your backups of all your domain controllers are also backed up and significantly controlled; if you have an image of a domain controller, you have the domain. Redundancy is also a very key consideration. Make sure that you diversify your domain controllers; typically you want at least a minimum of three, two different networks or at least three different networks, three different domain controllers in two geographic locations, okay, because you want to avoid the inverted pyramid of pain. A very important lesson learned, by the way: single disk controller gone on all domain controllers. Daily business continuity is also one of the very, very fundamental considerations that you need to take into consideration up front, okay: machine-level backup and recovery, but you also need object-level backup and recovery within the context of your domain. It's vitally important that you can refer back to what the value or attribute of an object was two weeks ago. And attacks are unavoidable. Before even deploying your Active Directory, have a plan and playbook, starting as part of your design and your build; make sure you have a plan as to how to recover it when it is compromised.

Reduce the footprint. Active Directory by default has a lot of ports, it's wide open, it has a lot of problems. Leverage VLANs, isolate the domain controllers from other domain members, group like things with like security postures together. Consider using read-only domain controllers; it's a fundamental design consideration for dealing with untrusted or less trusted domain members. Limit your RODCs themselves. If you choose to use them, you can have domain controllers that don't contain your domain-admin-type credentials, which is vitally important: when it does get hacked, that's the one that's exposed, and it's not exposing your core credentials.

And then monitor. Monitoring is very important. Logging: log everything from your domain controllers, and make sure that you're analyzing it on an ongoing basis. There are many tools in the space that can help you with that if you don't have your own SIEM today, but one of the also critical systems, one of the fundamental things that Windows has out of the box, is the ability to do WEC, which is Windows Event Collection, for your non-critical domain members, the critical machines in your domain. It might be a bridge that you can consider. And ATA: I have yet to see a good SIEM that does pass-the-hash detection. ATA is a great tool that's part of the Microsoft framework that can help you identify pass-the-hash attacks in your environment. And up front, before you get too far, take some considerations in terms of your forest, domain and site definitions.

All right, in the interest of time. We touched on the fact that we had RODCs, or I suggest RODCs. RODCs are great because they can limit the scope of the attack surface that you're presenting from your end users. It does have some limitations, all of which cannot be overcome easily. You don't necessarily domain-join in the same way; you go through an offline domain join process. You can still change your password. There are other sorts of limitations of RODCs; well, some consider them limitations, others don't, like BitLocker. All right, you can't write the BitLocker key to the machine, so you have to deploy MBAM if you're using RODCs. However, one of the awesome things that MBAM gives you is reporting capabilities: you know every device and what the status of its encryption is, and that's just phenomenal when you're having to deal with incidents of lost laptops; you can provably say that that was encrypted. So I don't consider it so much a limitation as a benefit.

Privileged management, I guess, is the next topic we should talk about. Don't manage Active Directory from machines that you don't dedicate and manage and treat as a management platform. Time and time again I see domains being compromised because they're managing Active Directory from their desktops, and they're using it also to do all their web surfing and everything else. All right. [Laughter] Sure, a read-only domain controller, sorry, thank you, I will do that. All right. Okay, I'm gonna get there in a second.

All right, harden your systems. All right, do not cascade the same credentials across every machine, right? That's just lateral movement; that's a really bad thing. Okay, use GPOs, group policy objects, and those are basically policies that you can apply to machines, security policies. They're great for hardening things. I actually get to the point where I'm trying to... I don't ever touch a machine to make a configuration change. I go in, I apply a GPO, and on the next cycle for the GPO update in my environment, that's every 15 minutes, that's how long it takes to propagate in, whether that's a local firewall rule or tweaking something. GPOs have the capability of actually preventing settings from being changed on the physical machine, so even if the machine is compromised those cannot be changed, and if they somehow figure out how to change it, it gets reverted back as soon as the next cycle goes through.

All right, so yes, GPOs are great, so you can actually put GPOs in offline mode. You can take the same GPO that you would apply, you can export them into an offline mode, and you can apply them to a machine even if they're not a member of a domain, or even if they're not connected to the domain. So you want to be able to update them on a regular basis; you still need the machine to call home every once in a while. Okay, as part of your management platform, consider using tools like Microsoft Security Compliance Manager to measure your GPOs and your security settings against industry best practices. It's a free tool from Microsoft. It's great, it's a great starting point; you'll always want to do something more, but it's a good starting point for you. And patch. Patching is vitally important in the context of Active Directory. Yes, thank you, all right, I'll push forward faster.

Hey, don't forget to harden your GPOs as well, right? If your security policies are what's protecting your environment, make sure that you have versioning, version control and that sort of thing. Harden group membership. By default in Active Directory every member of every group is public to everybody in Active Directory; consider removing Authenticated Users and SELF from every group that you don't need to expose. Okay, secure the communications, right? Active Directory by default, all its communications are in the clear. Its authentication uses Kerberos tokens, but all the authorization data is in the clear by default. All of your RDP sessions use self-signed certs; putting RDP CAs in your environment will definitely help you deal with that from a group policy, without manual intervention. All right, separate your user and your device certificate authorities; they have different attack profiles and different levels of privilege, so it's vitally important that they are not the same. And please use an HSM or some sort of offline root for your master; that's vitally important. Okay.

Okay, so we were talking about how nothing gets to touch the heart and center. The goal of the game is this has no access from the outside world. You're gonna have people coming in: untrusted services, untrusted users. Basically the watch right here is untrusted; you do not trust anything or anybody trying to access Active Directory. So what you're gonna do is set it up as a one-way communications flow wherever possible. Why? Because it's so much easier to manage something when you give yourself control, rather than you give everybody else what they want and then you lose control, because, as we all know the rule here, once you give it out you cannot rein it back in. That's the problem, and then it will spawn, because, like that terrible, terrible shampoo commercial, she told two friends, and they told two friends, and so on and so on, and pretty soon everybody knew what the admin password was. That's a sad reality.

So we're gonna talk about securing Active Directory. Also, I do a lot of work with threat intel. From a threat intel perspective, one of the things that we really value is visibility. Can you see your network from end to end? What have you done to set yourself up for visibility? Visibility means you know who is using what, when. So yes, logging is essential. Who has the highest level of control, and what can they do with that control? Who has the ability to generate user accounts? Who has the ability to set up domains? You need to be aware of that, and ideally you are the person who is controlling that and administrating that. With this level of control, when something goes wrong you can actually pinpoint it and handle the situation, as opposed to being at a loss. You'll also be in a far better position because you can restore things and lock them down to secure them.

All right, so one of the things that we're going to talk about is remote RDP. Everybody wants to connect remotely. That's a big problem, a big challenge, and so when we set up Active Directory we go through RDG, which is the Remote Desktop Gateway. That is your intermediary. You have to have intermediaries in this process that you govern through policy. Policy is often a dirty word in our world, but policy is essential in terms of setting up the processes to ensure the security and how things get done, and Active Directory offers you a lot of choices in terms of automating these processes and policies. You put them in place, it will run them for you, and you have your sentries at the gate. You are the gatekeeper. Active Directory can help you do that work, but you have to put it in place and you have to understand how it works. And nobody ever gets here. If you keep that in mind, you're building security from the inside out, layer by layer, like Joe was explaining earlier. Another tool that you can use is your network access control, so the Network Policy Server, or a bridge, and those are the conduit through which all of our remote workforce... and it's a growing trend, we know this, we love to work from home, I love to work from home. We have to be able to enable that flexibility in business, so we serve at the pleasure of business. How we can do this is by setting up things like VPNs. Okay, we'll do next. All right, we'll move on to the next level.

Okay, so we're gonna talk about federations. I wanted to talk about the United Federation of Planets, which is my favorite one, but that is not the talk for today. So Active Directory Federation Services allows you to have control over the untrusted entities, individuals or services, that want to gain access to your central repository. You can enable this, set it up, use policies to govern and control, centralize again, one place, all of the identities of the people who are coming in, because this is how you're going to control the forest through the trees. Is anybody here familiar with the term LDAP? Yeah, okay. Again, this is something we need to use, we have to understand it better. It is the Lightweight Directory Access Protocol that runs above Active Directory so that we can search through all of that information, and it will help us with things like patching, identity management to a degree, the things we need to manage the information. But it is not in and of itself security. It is a tool, and understanding it in that way will help you to secure better.

Okay, so we talked about Active Directory and we've talked about some of the things that you need to consider in securing it, but we haven't actually put any people in it yet, all right, and that is one of the things that we need to take into consideration last, right. You only want to bring into Active Directory identities that you manage. Leverage, you know, different classes of identities: you have your personal accounts, your privileged accounts, your functional accounts or service accounts, and you want to make sure that you're controlling those in a secure manner. Leverage identity assurance practices, either NIST or the Canadian identity assurance and credential assurance practices, to help you deal with what is an identity and how to manage it. Have different identity managers for inside and outside; that's vitally important, they have different attack profiles and services. Have a self-service password reset to reduce your footprint of what you have to deal with from a help desk perspective, but make sure that when you're building those things you're doing it in a secure manner: multi-factor authentication type resets. Try to stay away from Q&A type questions, unless you're willing to go as far as, say, "what was the value of your last bank statement?" or something along those lines. That's dynamic; everything else you can find on Facebook, right?

Group management, that's another big topic. We need to, as an industry, move away from manually managing groups. Bring that information in via HR systems and those sorts of things, and try to build it, and then build upon those to give better accuracy into who should have access to what services. Okay, privileged identity management: this is an art unto itself and a whole talk unto itself; I just wanted to skim over this very quickly. It is vitally important that you're managing your privileged accounts, whether this is, you know, just-in-time delivery from Microsoft, thank you, or something more advanced like CyberArk or some of the other things. Make sure that you're ensuring that the accounts are managed and changing regularly, and that will lower your attack profile. Strong authentication will not save you, and this is vitally important to understand. You know, using certificate-based management is not a full-blown replacement for actually doing proper security, because underneath it's the same token and the same hash; it's still vulnerable to pass-the-hash attacks even when you do those sorts of things.

Okay, so wrapping it all up, this is the big picture. There is a lot to manage when you're doing Active Directory; a lot of pieces are required, but the bottom line is you need to be that central point of control. Not everybody gets to be central, you know, special snowflakes. You need to say no; there is no need for domain admin for everybody. So secure the forest through the trees and you won't be prey for the wolves. Thank you. [Applause]
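Two of the talk's points, "nobody gets domain admin" and "log everything from your domain controllers and analyze it", turn into concrete detections once the events are collected. The following is an added example, not material from the talk or from either speaker: it runs two rules over Windows security events, one for members being added to privileged groups (event IDs 4728, 4732 and 4756) and one for a privileged account logging on interactively to a host outside the tier-0 set (event ID 4624). The privileged group list, the tier-0 host list and every event are assumptions constructed for the example; in a real deployment the 4624 events from workstations only reach the collector if the members forward them, which is what the Windows Event Collection the talk mentions provides.

```python
"""Two detections over Windows security events: (1) someone being added to a
privileged group, and (2) a privileged account logging on interactively to a
host outside the tier-0 set.  All events below are constructed samples."""

import re
from dataclasses import dataclass

# Groups whose membership changes always deserve an alert (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}

# Event IDs for "a member was added to a security-enabled ... group".
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}

# Hosts on which a privileged account may log on interactively (assumed).
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}

# Logon types that leave reusable credentials on the target host:
# 2 = console, 10 = RDP, 11 = cached interactive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed sample events, using the field names from the real event XML.
# Workstation 4624 events reach a collector only if members forward them.
SAMPLE_EVENTS = [
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "helpdesk1",
     "MemberName": "CN=jsmith,OU=Marketing,DC=corp,DC=example",
     "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "helpdesk1",
     "MemberName": "CN=jsmith,OU=Marketing,DC=corp,DC=example",
     "TargetUserName": "Marketing Staff"},
    {"EventID": 4624, "Computer": "WKS-MKT-17", "TargetUserName": "jsmith",
     "LogonType": 10, "IpAddress": "10.0.40.23"},
    {"EventID": 4624, "Computer": "PAW01", "TargetUserName": "da-joe",
     "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "da-joe",
     "LogonType": 3, "IpAddress": "10.0.10.5"},
    {"EventID": 4624, "Computer": "WKS-MKT-17", "TargetUserName": "da-joe",
     "LogonType": 2, "IpAddress": "-"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    computer: str
    actor: str
    target: str
    detail: str


def cn_from_dn(dn: str) -> str:
    """Return the CN of a distinguished name, or the input unchanged if it has none.
    The example assumes CN equals the sAMAccountName, which is not guaranteed."""
    match = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return match.group(1) if match else dn


def membership_change_alerts(events, privileged=PRIVILEGED_GROUPS):
    """Rule 1: any member added to a privileged group, whoever did it."""
    alerts = []
    for event in events:
        scope = MEMBER_ADDED.get(event.get("EventID"))
        if scope is None or event.get("TargetUserName") not in privileged:
            continue
        alerts.append(Alert(
            rule="privileged-group-member-added",
            computer=event["Computer"],
            actor=event["SubjectUserName"],
            target=cn_from_dn(event["MemberName"]),
            detail=f"added to {scope} group {event['TargetUserName']}",
        ))
    return alerts


def privileged_logon_alerts(events, privileged_accounts, tier0_hosts=TIER0_HOSTS):
    """Rule 2: a privileged account leaving credentials on a non-tier-0 host.
    Network logons (type 3) are ignored: they do not cache credentials."""
    alerts = []
    for event in events:
        if event.get("EventID") != 4624:
            continue
        if event.get("TargetUserName") not in privileged_accounts:
            continue
        if event.get("LogonType") not in INTERACTIVE_LOGON_TYPES:
            continue
        if event.get("Computer") in tier0_hosts:
            continue
        alerts.append(Alert(
            rule="privileged-logon-outside-tier0",
            computer=event["Computer"],
            actor=event["TargetUserName"],
            target=event["Computer"],
            detail=f"logon type {event['LogonType']} from {event.get('IpAddress', '-')}",
        ))
    return alerts


def run(events=SAMPLE_EVENTS, baseline=frozenset({"da-joe"})):
    """Run both rules.  Accounts granted privilege inside the window count as
    privileged for the logon rule too, so 'grant, then log on' is caught."""
    changes = membership_change_alerts(events)
    privileged = set(baseline) | {alert.target for alert in changes}
    logons = privileged_logon_alerts(events, privileged)
    return changes, logons


if __name__ == "__main__":
    for alert in (a for group in run() for a in group):
        print(f"[{alert.rule}] {alert.actor} on {alert.computer}: {alert.detail}")
```

On the constructed sample this reports the help desk account adding jsmith to Domain Admins, jsmith's RDP logon to a marketing workstation, and da-joe's console logon to the same workstation; the network logon to the file server and the console logon to the privileged access workstation are left alone. The baseline of known privileged accounts is the part a real deployment would refresh from the directory rather than hard-code.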