Active Directory Defense – A must review these days

Active directory is the Microsoft software that manages all the information of objects on the network . (from docs.microsoft.com )

“A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.”

Image from http://bucarotechelp.com/computers/winadmin/89001102.asp

You can see that the Active Directory(AD) is in the middle of all Windows network functions.  So it goes almost without saying that if AD is not configured correctly then there will either be problems to do with some windows software functionality or it will be easy to hack the network configuration.

There are a number of online information sites to help you learn what not to do. Like from Sean Metcalf a frequent security conference speaker like at Derbycon 2019:  “Beyond the Easy Button

For example: Service accounts sometimes are installed by vendors, these need to be removed eventually.

Also sometimes System administrators (or your IT guy/gal) do not always have different tiers for managing systems (workstations, servers, and domain controllers). Instead they may have it set up to be ‘easier’ which also means they are easier to take advantage of. It all depends on how many people are managing the environment and how large the environment is.

Do you have several ‘forests’? Is this a problem?

Forest trust  can be a problem, especially  when a problem in one forest can manifest itself into problems in the other forest. And sometimes because one has to manage both forests, if they are not administered correctly then it can be a security problem.don’t forget to review the backup of your active directory information, as a hacker can copy the NTDS.DIT (which is the file that keeps all of the information for AD). If you search for NTDS.DIT around the net, the first website that comes up is Insider Threat Security Blog: ‘Extracting Password Hashes from the NTDS.DIT file’

With so much attention paid to detecting credential-based attacks such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT), other more serious and effective attacks are often overlooked. One such attack is focused on exfiltrating the Ntds.dit file from Active Directory Domain Controllers.

So be aware that this file Ntds.dit is wanted by the hackers,  as they can try to guess username passwords that are in it. and more.

If you are not looking at possible theft of this file, and you have a significant investment to protect, then you should spend money on tools to help you to see if this file was taken or not.

Needless to say this is a topic that is much larger than a single post. if you are interested in discussing this topic let me know.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.