How to Guide: Securing Active Directory from Common Cyber Attacks
18 Common Techniques Hackers use to Compromise Active Directory and a Checklist of How to Defend Yourself
There is some new joint guidance on detecting and mitigating Active Directory (AD) compromises, published by cybersecurity agencies from five countries, which delivers important advice for organizations to defend against AD exploitation. Active Directory is a critical part of most enterprise networks, handling everything from user authentication to resource access.
Make sure to read to the bottom to see a checklist of defense techniques on how to protect yourself. (I love the canaries technique outlined at number 8).
Key Attack Techniques
The report covers 18 common techniques attackers use, starting from privilege escalation to establishing persistence. Highlights include methods like:
Kerberoasting: Attackers crack service account passwords by abusing AD’s Service Principal Name (SPN) configuration. Mitigation involves reducing the number of SPNs and using long, complex passwords for service accounts.
AS-REP Roasting: Similar to Kerberoasting, this technique exploits accounts without pre-authentication, allowing attackers to grab and crack AS-REP tickets. Ensure all accounts require Kerberos pre-authentication.
Password Spraying: This brute-force method tries common passwords on many accounts. Implement MFA, enforce strong password policies, and monitor for unusual login attempts.
MachineAccountQuota Exploits: Attackers leverage the default permission that allows users to create new machine accounts, sometimes leading to privilege escalation. Reduce this permission to zero for non-admins.
Golden and Silver Tickets: These allow attackers to forge authentication tokens, enabling complete control of systems. The report suggests strict monitoring of domain admin accounts and limiting their exposure.
Unconstrained Delegation: This technique allows attackers to steal a user's Ticket Granting Ticket (TGT) from a machine that has unconstrained delegation enabled. Once an attacker has local admin rights on the machine, they can impersonate any user, including domain admins, who authenticated to the machine. Mitigation strategies include disabling unconstrained delegation, using constrained delegation instead, and ensuring privileged accounts are marked as 'sensitive and cannot be delegated.'
Password in Group Policy Preferences (GPP) Compromise: Old GPP settings could store plaintext passwords in SYSVOL, which attackers can access. Although this was patched in 2014, many organizations still have remnants of these vulnerabilities. Mitigation involves removing any existing passwords stored in GPP and applying Microsoft’s patch to prevent further issues.
Active Directory Certificate Services (AD CS) Compromise: AD CS issues certificates for authentication, and misconfigurations in certificate templates can allow attackers to impersonate privileged accounts. To defend against this, you should audit your certificate templates, remove risky configurations like allowing users to supply their own subject alternative name (SAN), and implement strong access controls on Certificate Authority (CA) servers.
Golden Certificate: This advanced attack is similar to the "Golden Ticket" but exploits AD CS. If attackers gain control of the CA, they can extract private keys and create valid certificates for themselves, allowing them to impersonate any account indefinitely. Mitigation involves limiting access to CA servers, enforcing strong backup security, and using Hardware Security Modules (HSMs) to protect keys.
DCSync: Attackers with certain privileges can request password hashes and sensitive data directly from the domain controllers using DCSync. This attack requires “Replicating Directory Changes” privileges. Defending against this involves minimizing the number of accounts with replication permissions and closely monitoring who has those permissions.
Dumping ntds.dit: The database file that stores password hashes for all users can be dumped from domain controllers if attackers gain local admin or higher privileges. Protect against this by limiting admin access to domain controllers and ensuring strict audit logs for domain controller activity.
Golden Ticket: This attack allows the creation of a forged Ticket Granting Ticket (TGT) using the password hash of the KRBTGT account, effectively giving attackers unlimited access to the domain. Resetting the KRBTGT password twice is a crucial mitigation step, though it must be done carefully to avoid service disruptions.
Silver Ticket: Unlike Golden Tickets, Silver Tickets allow attackers to create service tickets (TGS) for specific services. While not as powerful as Golden Tickets, they still allow lateral movement and persistence. Limiting service account privileges and monitoring for abnormal ticket-granting activities can help mitigate this.
Golden Security Assertion Markup Language (SAML): Attackers who gain control of an organization's SAML signing key can create SAML tokens to authenticate as any user, even to cloud-based services. To mitigate this, regularly rotate SAML signing certificates and restrict access to SAML servers.
Microsoft Entra Connect Compromise: Attackers target the Microsoft Entra Connect tool, which syncs on-premises Active Directory with Azure AD. A compromise here can extend an attacker’s access to cloud services. Use conditional access policies, closely monitor sign-ins from Azure AD accounts, and limit Entra Connect permissions to reduce risk.
One-way Domain Trust Bypass: Attackers abuse a one-way domain trust by compromising the domain on one side of the trust and using the trust relationship to bypass security controls in the domain on the other side. Mitigation strategies include restricting access to trusted domains and applying the principle of least privilege to trust relationships.
Security Identifier (SID) History Compromise: SID History allows for access to resources even after a user’s SID changes. Attackers can inject SIDs into the SID History to escalate privileges. Mitigation involves regularly cleaning up SID History and monitoring for unusual changes in SIDs.
Skeleton Key: Attackers install a “Skeleton Key” malware on domain controllers, allowing them to use a master password to authenticate as any user, even if the legitimate user password is changed. Defend against this by tightly controlling access to domain controllers and using tools to monitor LSASS (Local Security Authority Subsystem Service) activity.
Why This Matters
Active Directory is a massive attack surface. We’ve covered hacks that have involved AD several times in the Vulnerable U newsletter. It is also a favorite skill set for pen-testers trying to gain domain admin on a network they’re targeting.
As the joint government report says:
“Active Directory’s pivotal role in authentication and authorization makes it a valuable target for malicious actors. It is routinely targeted as part of malicious activity on enterprise IT networks. Active Directory is susceptible to compromise due to its permissive default settings, complex relationships and permissions, support for legacy protocols, and a lack of tooling for diagnosing Active Directory security issues. These issues are commonly exploited by malicious actors to compromise Active Directory.
Specifically, Active Directory’s susceptibility to compromise is, in part, because every user in Active Directory has sufficient permission to enable them to both identify and exploit weaknesses.”
Active Directory Security Checklist
1. Secure Privileged Accounts and Access
Tiered Access Model: Implement Microsoft's Enterprise Access Model or the Active Directory Administrative Tier Model. Separate administrative tasks into tiers, ensuring Tier 0 assets (domain controllers, privileged accounts) are only accessed from secure, isolated workstations.
Limit Admin Access: Restrict the number of accounts with domain admin, enterprise admin, and other high-privileged roles. Regularly review these accounts and ensure they only have the permissions necessary to perform their tasks.
Phishing-resistant MFA: Require multi-factor authentication for all privileged accounts, and prioritize MFA methods resistant to phishing, such as FIDO2 security keys or certificate-based authentication.
Privileged Access Workstations (PAWs): Ensure admins use dedicated workstations for administrative tasks. These workstations should be isolated from regular user environments and protected with enhanced security measures.
2. Kerberos and Ticket Protection
Minimize SPNs: Reduce the number of user accounts with Service Principal Names (SPNs) to limit exposure to Kerberoasting attacks.
Strong Service Account Passwords: Use Group Managed Service Accounts (gMSAs) where possible, which feature automatic password rotation. If not feasible, use passwords of at least 30 characters for service accounts.
Enforce Pre-authentication: Ensure all accounts require Kerberos pre-authentication to protect against AS-REP Roasting attacks.
Monitor Ticket Requests: Regularly analyze Kerberos ticket requests (Event ID 4769) to detect abnormal patterns, such as requests for multiple SPNs in a short time.
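An added example (not from the original post or the agencies' guidance) that turns the first three items of this section into an audit: it lists enabled user accounts that carry an SPN together with their password age, lists accounts that do not require Kerberos pre-authentication, and offers a dry-run remediation for the latter. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: Kerberos exposure audit. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Kerberoasting exposure: enabled user accounts that carry an SPN. Any domain user can request
# a service ticket for them, so their passwords must be long and rotated. Computer accounts and
# gMSAs are not returned by Get-ADUser, which is what we want here: gMSAs rotate automatically.
function Get-KerberoastableAccounts {
    Get-ADUser -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true } `
               -Properties ServicePrincipalName, PasswordLastSet, AdminCount |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        Select-Object SamAccountName,
            @{ n = 'SPNCount';        e = { @($_.ServicePrincipalName).Count } },
            @{ n = 'PasswordAgeDays'; e = { if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } } },
            @{ n = 'Privileged';      e = { $_.AdminCount -eq 1 } } |
        Sort-Object PasswordAgeDays -Descending
}

# AS-REP Roasting exposure: "Do not require Kerberos preauthentication" is set on the account.
function Get-AsRepRoastableAccounts {
    Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true -and Enabled -eq $true } `
               -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet, DistinguishedName
}

# Remediation for the second finding. Runs as a dry run (-WhatIf) unless -Apply is given,
# so the affected accounts can be reviewed before pre-authentication is re-enabled.
function Enable-KerberosPreAuth {
    param([switch]$Apply)
    Get-AsRepRoastableAccounts | ForEach-Object {
        Set-ADAccountControl -Identity $_.DistinguishedName -DoesNotRequirePreAuth $false -WhatIf:(-not $Apply)
    }
}

Get-KerberoastableAccounts | Format-Table -AutoSize
Get-AsRepRoastableAccounts | Format-Table -AutoSize
Enable-KerberosPreAuth        # add -Apply to make the change
```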
3. Protect Against Credential Theft
Password Complexity and Rotation: Enforce long (15-30 characters) and unique passwords for all accounts, especially admin and service accounts. Rotate passwords regularly, particularly after a potential compromise.
Disable NTLM: Where possible, disable the NTLM authentication protocol to prevent pass-the-hash (PtH) attacks. Ensure you have alternatives in place, such as Kerberos.
Restrict Local Administrator Access: Implement Microsoft’s Local Administrator Password Solution (LAPS) to manage and rotate local administrator passwords on workstations.
Scan for Cleartext Credentials: Periodically scan network file shares and other storage for cleartext credentials and remove them immediately.
4. Secure Active Directory Certificate Services (AD CS)
Audit Certificate Templates: Ensure certificate templates are configured securely. Remove the ability for users to supply their own Subject Alternative Name (SAN) and ensure CA manager approval is required for sensitive certificates.
Use a Hardware Security Module (HSM): Protect Certificate Authority (CA) private keys using an HSM to prevent key theft.
Limit CA Access: Restrict access to CA servers to only privileged users who need it. Do not install any unnecessary services or applications on these servers.
Log Certificate Activity: Enable detailed auditing of certificate requests, approvals, and issuance events. Review CA logs regularly for signs of malicious activity.
5. Monitor and Protect Domain Controllers
Restrict Logon Access: Prevent domain admins and other privileged users from logging into lower-tier systems, including workstations or internet-facing servers.
Monitor Domain Controller Events: Enable and monitor critical events on domain controllers, such as account lockouts (Event ID 4740), logon failures (Event ID 4625), and password changes (Event ID 4738).
Limit Physical and Remote Access: Only allow access to domain controllers from trusted, secure admin workstations (PAWs) and limit remote access protocols like RDP.
Regularly Patch and Update: Apply security patches promptly to both domain controllers and other critical infrastructure to prevent exploitation of known vulnerabilities.
6. Protect Group Policy
Remove GPP Stored Passwords: Ensure that Group Policy Preferences (GPP) no longer store plaintext passwords. Apply the Microsoft patch (MS14-025) and remove any leftover cpasswords from SYSVOL.
Use Modern Policy Management: Implement more secure methods for password management, such as LAPS, and avoid using Group Policy for password distribution.
7. Harden Active Directory Configuration
MachineAccountQuota: Set ms-DS-MachineAccountQuota to zero to prevent regular users from creating computer accounts in the domain.
Remove SID History: Regularly clean up and audit SID History to prevent attackers from injecting SIDs for privilege escalation.
Disable Legacy Protocols: Disable older, insecure protocols like SMBv1, LDAP simple binds, and NTLMv1 across your environment. Ensure you're using secure alternatives like SMBv3 and LDAP over TLS.
Implement LDAP Channel Binding and Signing: Ensure LDAP signing is enforced on domain controllers to protect against man-in-the-middle attacks and credential relay attacks like KrbRelayUp.
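An added example (not from the original post or the agencies' guidance) that checks the four items of this section: it reads and optionally zeroes ms-DS-MachineAccountQuota, lists objects still carrying SID History, and compares the LDAP signing, LDAP channel binding, NTLM compatibility and SMBv1 settings on a domain controller against the values the checklist calls for. It assumes the RSAT ActiveDirectory module and that the registry and SMB checks run locally on a domain controller.

```powershell
# Added example: hardening checks. Assumes the RSAT ActiveDirectory module; run on a DC.
Import-Module ActiveDirectory
# ms-DS-MachineAccountQuota is an attribute of the domain naming-context head object.
function Get-MachineAccountQuota {
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}
function Set-MachineAccountQuotaToZero {
    param([switch]$Apply)   # dry run (-WhatIf) unless -Apply is given
    Set-ADDomain -Identity (Get-ADDomain) -Replace @{ 'ms-DS-MachineAccountQuota' = '0' } -WhatIf:(-not $Apply)
}

# Objects that still carry SID History; outside an active migration this list should be empty.
function Get-SidHistoryObjects {
    Get-ADObject -Filter { sIDHistory -like "*" } -Properties sIDHistory |
        Select-Object Name, ObjectClass, @{ n = 'SidHistory'; e = { $_.sIDHistory -join ';' } }
}

# Registry- and SMB-backed settings, each with the value the checklist calls for:
#   LDAPServerIntegrity 2 = LDAP signing required; LdapEnforceChannelBinding 2 = always enforced;
#   LmCompatibilityLevel 5 = NTLMv2 only, refuse LM and NTLMv1; EnableSMB1Protocol False = SMBv1 off.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
$dcChecks = @(
    @{ Check = 'LDAP signing required'; Actual = { Get-RegValue $ntds 'LDAPServerIntegrity' };        Required = 2 }
    @{ Check = 'LDAP channel binding';  Actual = { Get-RegValue $ntds 'LdapEnforceChannelBinding' };  Required = 2 }
    @{ Check = 'NTLMv1 and LM refused'; Actual = { Get-RegValue $lsa  'LmCompatibilityLevel' };       Required = 5 }
    @{ Check = 'SMBv1 server disabled'; Actual = { (Get-SmbServerConfiguration).EnableSMB1Protocol }; Required = $false }
)
function Test-DcHardening {
    foreach ($c in $dcChecks) {
        $actual = & $c.Actual
        $shown  = if ($null -eq $actual) { '(not set; default applies)' } else { $actual }
        [pscustomobject]@{
            Check    = $c.Check
            Actual   = $shown
            Required = $c.Required
            Pass     = ($null -ne $actual -and $actual -eq $c.Required)
        }
    }
}

"MachineAccountQuota: $(Get-MachineAccountQuota)"
Get-SidHistoryObjects | Format-Table -AutoSize
Test-DcHardening      | Format-Table -AutoSize
```

Set-MachineAccountQuotaToZero prints what it would change; add -Apply to write the attribute. A "not set" result means the Windows default applies, which for these settings is weaker than the required value.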
8. Detecting and Responding to Attacks
Deploy AD Canaries: Set up decoy accounts (canaries) with abnormal or unused credentials and monitor them for signs of unauthorized access.
Centralized Log Collection: Use a SIEM or other centralized logging system to gather and analyze security-related events across your environment in real time. Focus on events related to authentication, user creation, and delegation changes.
Detect Suspicious Account Behavior: Regularly analyze logs for signs of password spraying, unusual Kerberos ticket requests, and other suspicious behavior (e.g., Event ID 4769, 4625, 4740).
Response Drills: Regularly conduct incident response drills and ensure that your team knows how to respond to specific AD attacks, such as DCSync or Golden Ticket compromises.
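An added example (not from the original post or the agencies' guidance) of the two detections named above, run over constructed sample events rather than a live Security log: one account requesting service tickets (Event ID 4769) for many distinct SPNs inside a short window, and one source address failing logons (Event ID 4625) against many distinct accounts inside a short window. The event shape, thresholds and window sizes are assumptions to tune for your environment.

```powershell
# Added example: two detections over constructed sample events that stand in for Security log
# records. With real data, parse Get-WinEvent -FilterHashtable @{LogName='Security';Id=4769}
# output into the same Id/Time/User/Source/Target shape and feed it to the same functions.
$t0 = Get-Date '2024-10-01 09:00:00'
$events = @(
    # 4769: 'jdoe' requests tickets for 6 different SPNs within 30 seconds (Kerberoasting pattern)
    1..6 | ForEach-Object { [pscustomobject]@{ Id = 4769; Time = $t0.AddSeconds(5 * $_);  User = 'jdoe';    Source = '10.0.5.20'; Target = "svc$_/host$_" } }
    # 4769: 'appsvc' requests the same SPN once a minute (normal application behaviour)
    1..6 | ForEach-Object { [pscustomobject]@{ Id = 4769; Time = $t0.AddMinutes($_);      User = 'appsvc';  Source = '10.0.5.21'; Target = 'HTTP/web01' } }
    # 4625: one source fails against 8 different accounts within two minutes (password spray pattern)
    1..8 | ForEach-Object { [pscustomobject]@{ Id = 4625; Time = $t0.AddSeconds(15 * $_); User = "user$_"; Source = '10.0.9.77'; Target = $null } }
    # 4625: 'carol' mistypes her own password three times (noise, not a spray)
    1..3 | ForEach-Object { [pscustomobject]@{ Id = 4625; Time = $t0.AddSeconds(20 * $_); User = 'carol';   Source = '10.0.9.10'; Target = $null } }
)

# Kerberoasting: one account requesting tickets for many distinct SPNs inside a sliding window.
function Find-KerberoastingPattern {
    param($Events, [int]$WindowMinutes = 5, [int]$SpnThreshold = 5)
    $Events | Where-Object Id -eq 4769 | Group-Object User | ForEach-Object {
        $user   = $_.Name
        $sorted = @($_.Group | Sort-Object Time)
        $hit    = $null
        foreach ($e in $sorted) {                       # window anchored on each request
            $end  = $e.Time.AddMinutes($WindowMinutes)
            $spns = @($sorted | Where-Object { $_.Time -ge $e.Time -and $_.Time -lt $end } |
                      Select-Object -ExpandProperty Target -Unique)
            if ($spns.Count -ge $SpnThreshold -and -not $hit) {
                $hit = [pscustomobject]@{ Rule = 'Kerberoasting'; Subject = $user; Count = $spns.Count; FirstSeen = $e.Time }
            }
        }
        if ($hit) { $hit }
    }
}

# Password spraying: one source failing against many distinct accounts inside a short window.
function Find-PasswordSprayPattern {
    param($Events, [int]$WindowMinutes = 10, [int]$AccountThreshold = 5)
    $Events | Where-Object Id -eq 4625 | Group-Object Source | ForEach-Object {
        $sorted   = @($_.Group | Sort-Object Time)
        $accounts = @($sorted | Select-Object -ExpandProperty User -Unique)
        $spanMin  = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        if ($accounts.Count -ge $AccountThreshold -and $spanMin -le $WindowMinutes) {
            [pscustomobject]@{ Rule = 'PasswordSpray'; Subject = $_.Name; Count = $accounts.Count; FirstSeen = $sorted[0].Time }
        }
    }
}

Find-KerberoastingPattern -Events $events
Find-PasswordSprayPattern -Events $events
```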
9. Secure Delegation
Constrained Delegation: Where delegation is required, use resource-based constrained delegation (RBCD) to limit impersonation rights to specific services.
Mark Sensitive Accounts: Ensure that high-privilege accounts are marked as "sensitive and cannot be delegated" to prevent abuse of unconstrained delegation.
Disable Print Spooler on Domain Controllers: Turn off the print spooler service on domain controllers to prevent attackers from leveraging print spooler vulnerabilities to compromise the domain.
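An added example (not from the original post or the agencies' guidance) that audits the three items of this section: accounts with unconstrained delegation (domain controllers excluded), the constrained and resource-based constrained delegation that remains, privileged accounts not yet marked "sensitive and cannot be delegated" with a dry-run fix, and the Print Spooler state on each domain controller. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module, read access to the domain, and admin rights on the DCs for the Spooler query.

```powershell
# Added example: delegation audit. Assumes Windows PowerShell 5.1 and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
# Unconstrained delegation = userAccountControl bit 0x80000 (TRUSTED_FOR_DELEGATION), matched with an
# LDAP bitwise-AND filter. objectClass=user also matches computers (their class derives from user).
# Domain controllers carry the flag legitimately and are excluded from the report.
function Get-UnconstrainedDelegation {
    $dcDns = @((Get-ADDomainController -Filter *).ComputerObjectDN)
    Get-ADObject -LDAPFilter '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=524288))' |
        Where-Object { $dcDns -notcontains $_.DistinguishedName } |
        Select-Object Name, ObjectClass, DistinguishedName
}
# Constrained delegation (allowed target SPNs) and RBCD (principals allowed to delegate to the host).
function Get-ConstrainedDelegation {
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo' |
        Select-Object Name, @{ n = 'Kind'; e = { 'Constrained' } },
                      @{ n = 'Detail'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } }
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties PrincipalsAllowedToDelegateToAccount |
        Select-Object Name, @{ n = 'Kind'; e = { 'RBCD' } },
                      @{ n = 'Detail'; e = { ($_.PrincipalsAllowedToDelegateToAccount | ForEach-Object Name) -join ';' } }
}
# Privileged accounts that are not yet marked "sensitive and cannot be delegated".
function Get-PrivilegedNotSensitive {
    $members = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        try { Get-ADGroupMember -Identity $g -Recursive } catch { }   # forest-root-only groups are skipped elsewhere
    }
    $members | Where-Object objectClass -eq 'user' | Sort-Object DistinguishedName -Unique |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties AccountNotDelegated } |
        Where-Object { -not $_.AccountNotDelegated } |
        Select-Object SamAccountName, DistinguishedName
}
function Set-PrivilegedSensitive {
    param([switch]$Apply)   # dry run (-WhatIf) unless -Apply is given
    Get-PrivilegedNotSensitive | ForEach-Object {
        Set-ADAccountControl -Identity $_.DistinguishedName -AccountNotDelegated $true -WhatIf:(-not $Apply)
    }
}
# Print Spooler state on every domain controller; the target state is Stopped and Disabled.
function Get-DcSpoolerState {
    Get-ADDomainController -Filter * | ForEach-Object {
        Get-Service -ComputerName $_.HostName -Name Spooler -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'DC'; e = { $_.MachineName } }, Status, StartType
    }
}
Get-UnconstrainedDelegation | Format-Table -AutoSize
Get-ConstrainedDelegation   | Format-Table -AutoSize
Get-PrivilegedNotSensitive  | Format-Table -AutoSize
Get-DcSpoolerState          | Format-Table -AutoSize
```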
10. Regular Auditing and Review
Review AD Permissions: Regularly review and audit AD permissions, particularly those related to replication, delegation, and certificate services.
Clean Up Old Accounts: Periodically clean up stale accounts, especially old admin and service accounts, which may be targeted by attackers.
Monitor Account Creation Events: Track and monitor events related to the creation of new accounts or computer objects (Event ID 4741) to detect unauthorized activities.
Final Steps
Backups: Ensure you have secure, encrypted, and tested backups of domain controllers, CA servers, and other critical systems. Have a recovery plan in place.
Incident Response Plan: Establish a detailed incident response plan specific to Active Directory compromises. This should include steps to reset the KRBTGT account and procedures for password resets in case of a domain-wide breach.
Active Directory is a prime target for hackers who want to dig in and stick around long-term. Once they're in, they can use sneaky techniques to stay hidden and keep accessing your systems, even getting around things like MFA. Some of these tricks make it tough to kick them out, and it can take months, or even years, to notice they’re still lurking. Getting rid of them isn’t easy either—it might mean resetting every user’s password or, in extreme cases, rebuilding your entire AD setup from the ground up. It’s a massive headache, both in terms of time and cost. That’s why it’s crucial to take the steps outlined here to lock down your AD and keep the bad actors out from the start.
Stay safe out there!