
So before I get started: we all know Windows Active Directory, right? Everybody thinks it's very insecure, and in a lot of ways it is. When we talk about trying to secure it, you get this monolithic amount of stuff that people tell you: you need to have credential management, you need to use two-factor auth, you need to have backup plans, you need to have, oh geez, everything under the sun, and then maybe, maybe you'll be secure. Well, I've been doing red team and pen testing for the last year, and I've noticed a couple of common misconfigurations out there, some default settings that I see over and over again. So I've picked my top three that I want to cover. They're actually very easy to correct and will give you a big step forward when people come in, whether they're attacking you because you've asked them to or because they want to. So, three things to add to that monolithic list.

Before I start: my name is Eric Keen. I work for a company, Secure Ideas; I've been there since January, but before that I've actually had 20 years of IT experience, which is very hard for me to say, to think that I've been doing this for 20 years, but I have, and 17 of those have actually revolved around Active Directory. I was lucky enough to get on a project when AD started in Windows 2000; I got started there and never really looked back, because I enjoyed it. Before I started with Secure Ideas I worked for a small financial company based out of Charlotte called Bank of America; you might know that one. I was responsible for the, well, I say "the," some people say "one of," but I say the largest and most complex AD environment that's out there in the world. I'm talking 252 domain controllers across the world, and I'm not talking like a little server, I'm talking about 16-core, 32 GB of RAM servers hosting massive amounts of data. We did a billion transactions a day through our domain controllers. Huge amounts of data; some big numbers just to wow you: we're talking about 400,000 users, 2.1 million groups, 44,000 OUs, 52,000 GPOs. Lots and lots of stuff. We had servers: Windows, Linux, UNIX, mainframes; everything was riding off of my directory. Kind of important, kind of big. I did that for 11 years. Before that I got to do Active Directory for Walt Disney World out of Orlando, also pretty fun, not nearly as big, but lots of fun.

When I'm not working I do have some hobbies. I'm a movie enthusiast; my major was actually not IT, it was film and audio with an acting minor, but I fell into computers because of my wife. When I'm not watching movies, which I love to do, I like to play games: board games, video games, etc. Unfortunately I have four kids, and they've all gotten to the point where they'd like to do things, so really my hobby is taking them to their hobbies. The ubiquitous slide: my company is nice enough to pay for me to be here, so I put it up there. We're a security consulting firm; we do lots of things, and I think we're pretty good at it.

Some quick notes. I said we're going to talk about how to secure Active Directory, three things. Everything I'm going to talk about is basic Windows stuff; I'm not trying to sell you a product, I'm not trying to sell you anything. All of these do kind of rely on Active Directory or Windows 2012 R2, not all of them but most of them. That seems kind of hard to swallow for some people, but 2012 R2 has been out for four years now. If you're not there for your domain controllers, I would really, really, really urge you to try and upgrade them. You just need to upgrade your domain controllers, not every server. And some of the principles we talk about actually work for everything Windows, but hey, we'll start with AD.

Attacking AD itself is really hard. Domain controllers are secure by nature, unless someone has decided to install something else, like, oh, a web server or SQL or something else on there, or you've downgraded security settings that Microsoft has put in by default. It's really secure; it's hard to deal with. So attackers come in and they know they can't get to the domain controller by default, so they start with a weaker system, like a workstation. They get some credentials, they kind of move around, they look, they try and figure out where your domain admin credentials are, find them, steal them, and then they get everything. They own you, because they can do anything they want. You may or may not have heard of the golden ticket. It's a wonderful thing out there that an attacker can get that says, "I have unfettered access to your directory for ten years and you will never see me." That's pretty much what it is. There are some detections, but it does rely on getting domain admin.

So what does that mean when we're talking about the first step here? The biggest thing is protecting your domain admin credentials. We all know the weakest part of our network is the workstation or your laptop. It's the weakest thing: people can get phished, you can somehow lose access to it. And let's say you're a very security-conscious company and you've loaded everything you could ever find on those laptops: you have, oh, CrowdStrike and Bit9 and antivirus and who knows what else, and that thing is locked down, people can barely open Word because it takes 40 minutes to load, that's how much stuff you have on there. Believe it or not, by default I can bypass that immediately. Now, I forgot to say, I have live demos because I'm a glutton for punishment, so we're going to see how this works, and I'm going to try and show you how easy it is to bypass this.

So all I have here: I set up a little Windows 2012 R2 domain. I have my Windows box, Windows 10, pretty basic. I think everybody is familiar with how you bypass this. I'm just going to come in here and say, hey, you know what, let me join the domain. I did manage to get a user account somehow, right? So I'm an attacker, I came in, I got your workstation, but I found I couldn't run anything. But I have this info, so here I am, I'm user one, and I'll show it to you. Oops. So I said, hey, lab, and I'm user one, and I'll show you this ID in just a second to show you that I have no rights to anything. Oh, hey, look at that: I just joined your domain. I now have my own Windows 10 box out there that has no antivirus, none of your controls, nothing stopping me from doing whatever I want. But before I restart I want to make this even better. I want to make sure that, hey, this box is going to stay mine. So I come in here, oops, and I go to Users and Groups. Once again, I've done nothing except use Windows. I'm going to take this guy out, because I don't want Domain Admins to have rights, and I'm going to put myself back in here. So I do, well, promise me, no big deal. There we go. Now I'll let it reboot. Once again, I now have a box that I'm an admin on.

Well, how the heck did that just happen? Let me start my slides again. Like I said, hey, I joined it, no problem, it was easy. I'm not going to remove the SPNs; I'll cover why those are important a little bit later. But like I said, I have a Windows box, and it's mine to do whatever I want with. How did this happen? Because by default Microsoft included this setting that says, hey, "Add workstations to domain." Can you see that? It's in the GPO; it's in the Default Domain Controllers GPO. It's there. It might sound like this is what you need to be part of to join workstations or computers to the domain, but you don't. This is an extra setting, and by default, you might see right here, it says Authenticated Users. That means anybody in the forest, not just your domain, can do this. So maybe you haven't gone through and done delegation to say, you know, my IT department can go in and create computer objects in the OU or something like that. Change this: go to your Default Domain Controllers policy and change it from Authenticated Users to the group who should be doing this work. Please don't leave it open.

Now the other thing that I have on here, another quick win, is to change where that computer gets moved to when you join it. By default they get joined to the Computers container. What does that mean? It means it sits there right underneath the root of your domain, and there are no policies assigned to it except the high-level stuff, which is typically like your password policy. Nothing else is being pushed to it, probably no controls. With this redircmp command you can move it to some special OU in your directory. Something like one of our clients did to us, because I did this trick to them: they're a very security-conscious company, but they still had this for some reason. We showed them, hey, look what I can do, and then suddenly they changed it. They pointed me to this nice little OU where the computer had a script in the GPO, so the computer booted up and it said, oh, just shut down. So all my computer did at that point is it just shut down the second it started. You don't need to go to that level, but you could put it in an OU where you get to do things like, oh, push all of your antivirus and CrowdStrike and Bit9 immediately. It is unusable to me at that point. So, quick win, easy to do. Like I said, check this out. It's amazing: I didn't think this would be popular, but since I started in January I'd say about 80% of the clients that I've gone to, and that the other people at Secure Ideas have gone to, have had this opening, because it's easily missed and forgotten. So that's one.

Next up, this is another one that's really, really big, and it's not actually an attack against a domain controller, because I said that's really hard to do. This is actually going to hit your member servers. There's something called an SMB relay. Is everybody familiar with the pass-the-hash technique that attackers like to do, where you get some credentials, you store them, and then you log in with those offline? You don't have the actual ID, but you have the hash. The SMB relay is even cooler than that, okay, because typically pass the hash doesn't work with NTLMv2; it gets downgraded, it only works with NTLMv1, an older protocol that Microsoft says is really, really bad. SMB relays work with any version of NTLM. So here we go, danger time, demo number two. What does this look like?

It's important: I'm using something from Responder to set this up, but there are lots of different tools that do this; this is just one I use because it lets me do some other things later. But all it is, once again, you get your attacker that comes in and says, hey, I've seen that it looks like things are not working right and I can get credentials, but I'm going to set this up. And all I've done is I've picked a target and I said I want you to run a command if somebody comes through this network and touches me, tries to log into this device. And this is waiting here, and then suddenly we'll just... I'm going to use a domain admin, because hey, everything runs as domain admin, right? It happened so fast, because I only have one screen, you didn't see it. All I did is I just browsed to this computer, my attacking device. It said, hey, look at that, I found this ID, it tried to connect to me, I'm going to try and connect to that target you picked. It's an administrator, that's great, hey, you have a shell. Well, I forgot a command; it's going to fail now anyways. So how did this one work?

Well, like I said, it relies on NTLM authentication. Remember in the beginning I said I'm going to put my Windows host out there and I'm going to remove some SPNs. SPNs are an application's identification in the directory for Kerberos authentication. Kerberos is really hard to break through, because it's ticket based; it's like a certificate. The directory says, hey, you can access this, here's your cert, give it to the device. Kind of hard to break through that. NTLMv1, v2, or LanMan if you're still using it, is much easier. It's challenge-response. So you're this host over here and you say I'm going to access the file server. Your host sends it on and says, hey, can I access that document? The server responds back and says, well, let me make sure you're actually who you say you are, so encrypt this little bit of data. Your workstation does it, sends it over, and the server says, yep, I agree you're you, come on in, have a nice time. Pass the hash works with that: I find those hashes, I store them, and I log in later. Well, an SMB relay works a little bit differently. Like I said, I have an attacking device and I put it on your network, a compromised host, maybe the one I just joined to your domain a little while ago. What happens is something comes by and attaches to it. Big picks would be, oh, like your config management system or your vulnerability scanning system that has admin to everything. It just sits there waiting for these credentials to come by and touch it. So, we'll say, oh, let's use Nessus. An SMB message comes over and finds this device: hey, can I have access? The device says hold on, let me forward this request on to my target server that my attacker picked. The server says, hey, do you have access? Encrypt this for me. It sends it to the host, the attacking device. The attacking device sends it right back to the Nessus server: hey, encrypt this for me. The Nessus server does it nicely for you, and once again we forward that on, and suddenly we have admin access, and the Nessus server just gets an invalid access or something. You have access over here; you can do whatever you want. The downside is it's only one host at a time, but that's not really a big deal. And actually this works well for pen testers too, but it's better for a real attacker, because pen testers, we have a week; we have to be kind of noisy trying to get access. Attackers can sit there forever just waiting for that scan to come through.

The other thing is, I said it waits for something to touch it. You don't have to actually wait for someone to browse. There are all these wonderful tools like Responder and Inveigh, all the LLMNR poisoners that you can run that just start grabbing credentials as they go across the wire. They link in right to MultiRelay or any one of these tools: grab it, try them. Every time they see one of these hashes it tries the access, and if it picks one, once again you win. So it doesn't take an automated process; it can just be sitting on your network waiting.

How do you protect yourself from this one? There are two ways to do it. This is the oldest method, and you can do it automatically: it's called SMB signing. SMB signing basically says that the server that you're accessing, when you're trying to access a file share, is going to check every single packet of data and validate it's actually coming from who it's supposed to come from. As you would guess, this kind of causes some overhead. Microsoft says fifteen percent, and I think that is being very generous, okay; I've seen file copies get exponentially longer if you turn this on. Doesn't sound good, but it is an option. It's two parts, like everything with Microsoft: a client and a server part. The good news is the client part is already enabled by default; everything in your domain since 2008 by default says I will do SMB signing. The server side is only enabled on DCs; you have to choose to enable it otherwise. Now, very important: if you've gone into your Default Domain Controllers policy and you have turned off SMB signing on your domain controllers, please turn it back on, because once again this is probably the only thing stopping an SMB relay from hitting your controller right off the bat. Your domain controller shouldn't be doing huge file copies, so it shouldn't impact it very much. So turn it back on. How do you do it? Via GPO or local security policy with that "Digitally sign communications (always)," or you can do it via the registry if you want.

This is the way I'd recommend, but there's a problem with it: it's only available if you're running Active Directory 2012 R2 domain functional level. It's a bummer, but like I said, it's been out for four years; if you haven't done it, please try to upgrade your domain controllers to it. It's the Protected Users group. It's a great thing that Microsoft put in. It has a whole bunch of features that we're not really focused on, up at the top, that work automatically even if you're not at 2012 R2 functional level, but the big one down here is no NTLM authentication. If you're running 2012 R2 DFL, the accounts that are in this group can only use Kerberos, and on top of that they actually can't even get delegated Kerberos. That means if you have something called the Kerberos double hop in your environment, which is, instead of having your website use a service account to connect to a database, you connect to the website and it forwards your ticket on to the database; it's a double hop. That won't work. This group is not meant for normal users; it's meant for admin accounts, and that's it. Microsoft says don't put service accounts in here. For a variety of other things it wouldn't break them, but I wouldn't necessarily recommend it. It is meant for your domain admins, your server admins, workstation admins, whatever it is. If you are running 2012 R2 for a domain level, put in a domain admin, give it a try. It should work; it shouldn't break anything, because your domain admin account should just be doing, you know, RDP access to a domain controller or admin functions; they shouldn't need it. Very important thing that I don't have on here: don't put any accounts in this group that haven't changed their password since you upgraded your domain to 2008 domain functional level. Microsoft in the background at that point, actually it's 2008 R2, switched encryption methods on the password in AD; before that point in time it used something a little less secure. When you're in this group it can't accept that encryption level, so if you put your ID in there and you haven't changed your password since, oh, like 2008, you will get locked out immediately. It just locks you out. So this is absolutely wonderful, and if you want I could demo showing you it not working, but it will give you an access denied, because once again you can't use NTLM authentication; it breaks that whole challenge-response.

So, the last bit. This is probably the most difficult one to talk about: avoid the masses. I have "segmenting accounts." When security folks come in they talk about segmenting your network: keep your PCI data away from your normal corporate network, or your HIPAA or whatever it is. What they don't always talk about is account separation, and that's what this is about. This is probably the most common thing we see out there: we have our normal accounts and then everybody has an admin account, and that admin account is used on everything: workstations or servers or domain, etc. Heck, there are some places who still just have one account; we all know that's kind of bad, but still. And then they do things like, oh, I'm on my workstation, I log in and then I do a runas from my workstation to my domain or my admin account and move on. That is not enough separation, and I'll kind of go into why a little bit later. You really need to start thinking in tiers. This is a Microsoft term, tiering. Here's just a rough sample: you have your workstations, which we know are insecure, your normal user accounts, and then you have accounts that are admins on workstations, and then you have accounts that are administrators on app servers, and then ones on infrastructure servers, and then ones that are your domain admin accounts. It's important to think about our devices this way and separate our accounts in this manner so we can block the wonderful ability for attackers to pivot and escalate. You look at those tiers and you say, well, I need to have multiple accounts, and they need to have different passwords. Please don't use the same password. But when we're talking about somebody who is a domain admin, it moves them to lots of accounts, I know it: you have, as I said, your server admin account, because you probably do that, your general user account, one that does AD admin functions such as creating new OUs or subnets, and then you have your domain admin account that's used for doing really, really special stuff like promoting a new domain controller, demoting a domain controller, something that requires that level, and it's only used at that time. We need to stop running around with domain admin credentials all the time.

And I have "remove common service accounts." This is the toughest one, okay, because Microsoft and everybody says just throw it in Domain Admins; throw all those accounts in so it has rights. Well, I showed you before, when I built my workstation I removed Domain Admins out of that group. You don't need to use Domain Admins; you can use anything you want as a server administrator, because it's held at the server level. But that also goes for service accounts. Just because you have locked down your domain account for your users, and it has two-factor auth and has all this stuff, if you're using service accounts that run with domain admin privileges, they're sitting on your devices in memory waiting for someone to get them. And then you go through your tiering, you have your multiple accounts, and this is the biggest one: never, ever, ever use an account with more permissions on a lower, less secure device.

So why do I say we need this? This whole idea of account separation is important because, as I said, we can't attack AD directly; we need to do something, and there are these great tools that sit out there to help us. The first one I show over there is something called BloodHound. It's a great little tool where basically you get on a network, you get regular user credentials, and you start scanning the environment to see where those domain admins sit, and then it gives you a beautiful little chart that says, for you to go to domain admin, go to this workstation where you can escalate yourself to administrator to get those credentials, now move to this server where you can now escalate, then move to domain admin. It gives you a nice little follow-the-path yellow brick road. If you separate your accounts into different tiers, there's essentially a wall; it's impassable. If your domain admin accounts are only used on domain controllers, there is no way for me to get them. Same thing with server admin. We see it constantly, over and over again, where it just takes moving to one server and then you get to move on, which is why you separate them: because you have things like, you know, mimikatz that can dump credentials from memory.

I do suggest, once again, only logging into the devices that you should with these accounts. I have something called a secure admin host; Microsoft calls it a PAW, privileged access workstation. I don't like that term, because it gives the impression that you have a device sitting next to your laptop on your desk that you do admin work with. I like to have my secure device be with my servers, because of those LLMNR poisoners. Once again, workstations are insecure; that means your workstation network is insecure, because it's always passing your credentials across the network and I can grab them. I may not be able to use them, but if you use an insecure password like "Summer2017," or, we're in winter now, right, "Winter2017," I'll probably crack it in eight hours. So you separate them out, you put your secure admin host next to your servers, and you only log in with the IDs that should be there.

So the reason, once again, is all because of mimikatz. I sat there, and what I did before with the SMB relay is I actually made a connection to this device right here, this server, and just because I felt goofy I logged in and I ran runas, the common technique: you log into your workstation, you do a runas to an elevated account. That means it logged in; it's sitting on that device right now. So because I used Responder, it's wonderful in that, well, let me run mimikatz just like that. And if we kind of go back up through here, which is kind of hard to scroll, we'll eventually find... hey, well, here's the server admin account in memory, because he's logged in right now doing work, and here's his password; it's a very secure "Password1." But if I didn't want to use that I can also just grab his credentials, his hash. I'll come back to DA2 in a minute. Scrolling is not working as well as I would like. Here's SA1 again, because there is... so here's my domain admin account that I found, also using an incredibly secure password, "DA1." I should show the accounts in a minute to prove it. But here's the important one, and why I kept bringing up Protected Users, and it does other things. We go even further: I have Domain Admin 2, who also did a runas on this box, inappropriately, he shouldn't, but you'll notice some things: we don't see his password, we don't see his NTLM hash, and that's because he's a member of the Protected Users group. If we go in and we look, Protected Users just sits in the Users group, it appears, and we have Domain Admin 2 sitting in that box, sitting in that group, so we get some extra protections. Now it's not perfect, because, hey, it has some information, harder to crack, but it's still there. Protected Users gives you a big jump; separating it out so that we didn't even have the ability to get these credentials from the server is even better.

Now, when I talked about what you need to secure, and I showed all those wonderful different levels: hey, you need to have separate accounts for each one of these. That might be a little tough; I get it, that takes a little bit more work. But going in right now and creating a new domain admin account, don't use one that already exists, creating a new domain admin account for your domain admins and only using it on domain controllers, and removing those rights from your other accounts, is a big step forward. It's all about that separation. So yes, doing the tiering, doing the entire segmentation: hard. New account for domain admins: very easy.

So in review, I kept this short because I know everybody wants to go to lunch. Three things you can do really fast. Remove Authenticated Users from "Add workstations to domain." That one's really easy. If you don't have it, do it, please. Change it if you want to keep it because you haven't done the delegation with rights, and I can go into that later if you'd like; just change it to the group that actually needs that ability. Don't leave it that way. Protect yourself from SMB relay attacks. These are great because it works on almost every Windows environment. SMB signing, really hard to deal with; maybe that one can be tough. Use Protected Users if you can, please. That is a great group; it's a great security enhancement. I don't have "segment your IDs" on here, but that's the other part. And then, yes, have a separate domain admin account that only logs in to domain controllers or a specific admin host to do those functions. This includes service accounts, and never, ever do runas. On the service accounts, people ask me all the time: does this mean I need a separate patching environment for my domain controllers? My answer is maybe; I don't know what your setup is. But if you run a type of system like Nessus or something else, whatever it might be, typically you can specify different credentials in that application to connect to your different devices. So if it is very secure, you treat it as a domain controller, where only, you know, highest-level permissions can log into that device itself for that application, and it connects into lower-security devices with a different ID, you are better off than you are right now running with that service account as a domain admin.

So that's it, 31 minutes. Like I said, I want to get people out to lunch, so I kind of ran through it fast, but does anybody have any questions about this, or anything else with AD, really, because I'll try and answer it? Yes sir. Oh, absolutely. So I don't cover it because that one could be a little bit more impactful, but yes, I mean, really the best practice is you should have everything, you know, use rights, and you can deny logins and deny the ability to do interactive or service or any other for any group. I would definitely push that in via GPO, wherever your workstations sit; I would push that down so that they cannot log in. Yes, any other questions? Yes, we have, I mean, but typically we don't need to, right? That's, yeah, I mean, because once again, even if they don't do runas on their workstations, they're on a server, and jumping from a workstation to a server is not very hard; it doesn't take a lot to move that one level. But in a lot of places we still see the runas, because the thought is, I'm using two-factor auth, I'm set, I'm good, because I can't use my credentials because I'm using two-factor auth. It's not right. Heck, depending on your setup, your hash, your actual password hash or NTLM hash, all that good stuff, is only set the first time you change your password and you put it on the smart card; it's changed when you change your password. So that means some things like mimikatz, which are really good at this stuff, I can still take that hash that you thought was encrypted and using two-factor auth and just move right on with it, and you won't know it. I don't need the token, I don't need the smart card to move on. It depends on your implementation.

What else? Yes. Oh, well, absolutely, I mean, yes, yeah, the best thing is to have credentials that you make admin on that device at that moment, you know, and there are also some pretty good tools out there that can just be lying in wait for you to do things anonymously in the background. Yes sir. That's like a loaded question. So it depends at what level you're at. Everybody knows about ArcSight, the big credential management systems that sit out there, which are pretty good. The problem with all those systems is that you still need something to base your authentication off of, and people tend to pick AD. So I use my AD account to log into this offline source to get my admin account, so I just need to compromise my AD account to get access. Or, oh my goodness, somebody was malicious, they came and they trashed my AD environment, and I can't get to my passwords anymore. Not really a good thing. They're good, don't get me wrong, but it's all about your implementation. Microsoft recently released something based on Server 2016 that is actually a pretty good solution if you have time to invest in it. It is based upon their MIM, their credential management system. It works really well, and its entire existence is a bastion forest where you put your admin credentials. It does mystical stuff in the background to give you permissions for a very short period of time in your primary forest and then it revokes them immediately. Everybody probably knows Windows: typically when you log in, at that moment your token is sealed, so if you're an admin when you log in, even if in the background somebody removes you from those groups, you still are an admin. That's great. Not with this solution; it does things with shadow groups and all this other wonderful stuff, so that when your time expires your permissions are gone. It's definitely worth looking at. Microsoft calls it the bastion forest, or PAM, privileged access management; they change the name like every month and a half just to make life interesting for you, but it's definitely worth doing.

Remove them from memory? Reboot, yeah, unfortunately. I mean, they'll eventually leave themselves; memory cleanup eventually happens, but not fast enough. So what else? Everybody wants to go to lunch. Yes. So those will always be a problem, and I didn't show that, but if I go back to Protected Users, I know I keep going back to it because I honestly love the Protected Users group, you'll see those are blocked. It won't put them, it won't store them there. That does mean that if you're not on the domain you're not going to log in, but it's an admin account; you shouldn't need it. And there are all sorts of other wonderful things. It's not in here, but if you haven't looked at their admin credential solution, LAPS, that's a good one to look at too. Please, yes. The domain controllers group policy targets the many, you know. So this is the... if you're using a Windows 10 host, or actually Windows 8.1 or newer, it doesn't catch your credentials; it won't. They are not, they are only kept in memory when you're using it. Yep. Then you don't get all the other protections; it still tries to do stuff, but once again, depending on your functional level, it's not as useful.

So what else? Come on, give me a tough one. No? All right, well, thank you for your time. I appreciate it. Hopefully you learned something kind of interesting, and like I said, that first one, check that Authenticated Users. I harp on that because I couldn't believe how often I can do this, and it's great because they say their workstations are protected, but then I have my own Windows host that I can do whatever I want with. Thank you.

[Applause]
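The following PowerShell audit script is an addition to this transcript, not something the speaker showed or Secure Ideas published. It checks the three quick wins from the talk on your own domain: whether "Add workstations to domain" in the Default Domain Controllers Policy is still granted to Authenticated Users, whether new computer objects still land in the default Computers container, whether the SMB server on the host you run it from requires signing, and whether your domain admins are in Protected Users with passwords changed after the 2008 functional-level upgrade (which is why the speaker warns about lockouts). It assumes the ActiveDirectory and SmbShare modules are available and that you run it from a domain-joined host with read access to SYSVOL. The GPO GUID and the S-1-5-11 SID are well-known constants; the ms-DS-MachineAccountQuota check is a related setting the talk does not mention; the cut-off date is a placeholder you must set to when your domain reached 2008 DFL.

```powershell
# Added AD quick-win audit (not from the talk). Read-only; reports findings, changes nothing.
Import-Module ActiveDirectory

$findings = @()
$domain   = Get-ADDomain

# 1. "Add workstations to domain" = SeMachineAccountPrivilege in the Default Domain
#    Controllers Policy. {6AC1786C-...} is that GPO's well-known GUID; S-1-5-11 is the
#    SID of Authenticated Users, the default holder of the right.
$dcPolicyGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
$inf = Join-Path "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$dcPolicyGuid" `
                 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
if (Test-Path $inf) {
    $line = Get-Content $inf | Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' }
    if ($line -and ($line -match 'S-1-5-11')) {
        $findings += 'Add workstations to domain is granted to Authenticated Users in the Default Domain Controllers Policy'
    } elseif (-not $line) {
        $findings += 'SeMachineAccountPrivilege is not set in GptTmpl.inf; confirm the effective right on a DC with gpresult'
    }
} else {
    $findings += "Could not read $inf"
}

# Related setting not covered in the talk: ms-DS-MachineAccountQuota is how many
# computers a non-delegated user may join (default 10). 0 closes the same door.
$quota = (Get-ADObject $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -ne 0) { $findings += "ms-DS-MachineAccountQuota is $quota (0 recommended)" }

# Where new computer objects land by default; redircmp moves this to a controlled OU.
if ($domain.ComputersContainer -like 'CN=Computers,*') {
    $findings += "New computers land in $($domain.ComputersContainer); use redircmp to point them at an OU with your controls"
}

# 2. SMB signing on this host. The client side is on by default; the server side must
#    be required explicitly on member servers ("Digitally sign communications (always)").
$srv = Get-SmbServerConfiguration
if (-not $srv.RequireSecuritySignature) {
    $findings += 'SMB server signing is not required on this host (RequireSecuritySignature = False)'
}

# 3. Protected Users. The NTLM block needs the 2012 R2 domain functional level, and
#    members need a password set after the 2008 DFL upgrade so AES keys exist.
$cutoff = Get-Date '2010-01-01'   # PLACEHOLDER: the date your domain reached 2008 DFL
if ($domain.DomainMode -notmatch '2012R2|2016|2025') {
    $findings += "Domain functional level is $($domain.DomainMode); Protected Users NTLM blocking needs Windows2012R2Domain or later"
}
$puGroup = Get-ADGroup -Filter "Name -eq 'Protected Users'"
if (-not $puGroup) {
    $findings += 'Protected Users group does not exist yet (PDC emulator must be 2012 R2 or later)'
} else {
    $protected = Get-ADGroupMember $puGroup -Recursive | Select-Object -ExpandProperty SamAccountName
    $domainAdmins = Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user'
    foreach ($da in $domainAdmins) {
        $u = Get-ADUser $da.SamAccountName -Properties PasswordLastSet
        if ($protected -notcontains $u.SamAccountName) {
            $findings += "Domain admin $($u.SamAccountName) is not in Protected Users"
        } elseif ($u.PasswordLastSet -lt $cutoff) {
            $findings += "Protected Users member $($u.SamAccountName) last changed password $($u.PasswordLastSet); it will be locked out until the password is changed"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Run it from a member server as well as a domain controller: the SMB signing check reports on the host it runs on, and the speaker's point is that member servers, not DCs, are where the server-side requirement is normally missing. The GptTmpl.inf check reads the policy file rather than the effective setting, so a second GPO linked to the Domain Controllers OU could override what it finds; gpresult on a DC settles that.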