As The Active Directory is identified as one of the most business critical applications whose any outage can cause downtime of users and services so it need special care and high attention in terms of security , backup and health , and every day as I visiting customers there is a frequent question that I keep receiving :
How I can secure my AD infrastructure?
The truth here that AD itself is not the actual target of the attacker but it’s the way that will enable him reaching his target whether to steal confidential data , cause an outage , gain reputation or bargain for money, …etc.
Also something I like to mention that some customers still think that as long as they have a firewall and they have security mitigation on the network level they are already protected , believe me you are not ! ,modern attacks can cross this line, so you need to follow the defense on depth concept all your layers need to be secured, network, servers, applications specially now with the cloud and integrations between companies and services your users and data will be always in mobility and you need to maintain its security.
So through these series I’m going to answer this question and I will try to simplify this as much as I can , as having secure AD infrastructure is long way to go but at least we need to maintain the basics of security and keep going step by step till we can say , okay my AD infrastructure is secured!
First let me give you quick introduction why we need to secure our AD, and the answer is so simple because it’s the repository of all identities so for the attacker to be able to gain access to his target he needs to compromise a domain account, and there is a lot of ways now to do that, you must heard about pass the hash, pass the ticket, golden ticket attacks .. etc , it’s all based on the attacker gain access to machine inside the network then tries to extract the hashes inside the RAM and move laterally till he be able to get hash of domain admin account then the whole forest will be under his control and this why we need to make this task (obtaining domain admin account) very difficult to him by securing our identities.
So here I’m going to talk about one of the main Active Directory Security mitigations:
Secure Privileged Accounts:
As as we mentioned for the attacker to gain access to his target he needs an account with a privilege, so we need to harden this task for him, here how we can do this:
1. Patch Patch Patch till the end of the world
- 99% of incidents in 2014 involved vulnerabilities for which patches were released in 2013 or earlier.
- 90% of incidents in 2013 involved vulnerabilities which were patched in 2007.
- Patching does not guarantee 100% security! but its mandatory if you want to maintain the basics of security.
2. Credentials Partitioning
- Never use the same account for your daily task and administrative tasks.
- Your admin account should be restricted from connecting to internet, email, LOB applications.
- Maintain the tier Model which based on divided your admin accounts into three tiers, and block access between these tiers to prevent privilege escalation.
- If you have small team that manage all tiers in that case every one of the team will need dedicated account for every tier , so we can guarantee that even if one of these account was compromised the attacker will be locked into that tier and will not be able to escalate his privilege to the higher tiers.
3. Privileged Access workstation (PAW)
- Use dedicated hardened workstation for the administrative tasks.
- Must not connect to the internet, Email any LOB Application.
- Hardened using APP whitelisting, IPsec, firewall…etc.
- Dedicated PAW per Tier per administrator.
- Block access between tiers.
4. Least Privilege
- Minimize the number of high privilege groups as every member increase attack surface.
- Maintain proper delegation model based on least privilege concept.
- Use “privilege Access management” feature available in windows sever 2016 to give temporary privilege for users and the privilege will be revoked automatically after specific amount of time.
- Build workflow for approvals to join specific groups and this can be done by using MIM.
- Give special attention to service accounts as they usually member of high privileged groups with password never expire, make sure they really need this privilege otherwise give them the least privilege they need to accomplish the task .
so that is all for now, our next blog will be about how we can mitigate the lateral movement of the attacker inside the environment, stay tuned.