Hello Again , this our second blog about AD security best practices in our fist blog we talked about one of the most important security mitigation which is secured privileged accounts , you can find it in the following link ,
here we will talk about our second mitigation :
Slow Lateral Movement
Lets Explain first what is the lateral movement to understand why we need to prevent it , when the attacker succeed to gain access to one machine normally it will be user workstation and his target is a domain controller or any high privileged system so the first thing the attacker will do is extract the hashes inside the RAM to find one of high privileged accounts that can take him to his target or even higher tier and from there he can do the same till he reach the upper tier , so what we need to do is locked the attacker inside his compromised machine so he can’t escalate to higher tiers or even move laterally inside the same tier.
One example for that is the attacker may success to get the local administrator account and normally most organizations use same name same password for the local administrator in such case the attacker will be able to use this account to access all the machines then start moving laterally between them extract hashes till he get domain admin hash and all the kingdom will be under his control .
So here is how we can mitigate against the lateral movement and this of course side by side with secured privileged account practices that we discussed earlier :
- Do you have any business reason to allow communications between workstations ? ,so use firewall to block the traffic between workstations or allow only the required traffic between workstations and also between workstation and applications for example if you have SCCM allow only the required ports needed by the SCCM agent installed on the machines .
2. GPO Based Restrictions
- Use GPOs to restrict logon for the local administrator account through network ,so the attacker can’t use it to move laterally between workstations .
3. Unique Random Password for local administrator account
- use tools like LAPS to randomize local administrator password for endpoints so if the attacker succeed to compromise the local admin account of one machine he can’t use it to access the other machines ,in the following link you will find step by step guide for LAPS deployment its free tool and very easy to implement and manage . it creates unique password for local admin on every workstation and change it automatically every 30 days by default https://gallery.technet.microsoft.com/step-by-step-deploy-local-7c9ef772
that is all for now , our upcoming blogs will be about other security best practices like ESAE , ATA .. etc , stay tuned .