The most recent Microsoft Digital Defense Report notes that nearly half of all Microsoft Incident Response engagements encountered insecure Active Directory configurations. Mandiant has previously reported that 9 of 10 cyberattacks exploit Active Directory. These sobering statistics are a reminder that enterprises that hope to build a more resilient IT environment simply must prioritize Active Directory hardening.

Few situations are as disruptive as an attack on Active Directory. Each user and device relies on the identity service. Attackers that compromise Active Directory can potentially:

Elevate their permissions

Create and delete accounts

Access critical data

Persist undetected in the victim’s environment

One goal of cybersecurity is maintaining the continuity of business operations. Building a strong defense that enables cyber resilience means securing Active Directory against the threats, weaknesses, and common attack paths that threat actors use as well as planning for a fast, secure Active Directory recovery.


Think like a cyberattacker

Attacks against Active Directory typically start with reconnaissance, followed by a plan to escalate privileges and move laterally. By taking advantage of the openness of Active Directory, cybercriminals use reconnaissance to uncover everything from service accounts to the makeup of various groups.

By default, any authenticated user can easily use the Lightweight Directory Access Protocol (LDAP) to query Active Directory for resources such as applications, other users, and groups. With tools like PowerView and BloodHound, attackers turn those LDAP queries into a bird’s-eye view of your environment.

As a result, part of hardening Active Directory against attacks involves the ability to detect suspicious queries. This task can be challenging, as LDAP queries are commonplace and typically legitimate. Still, enterprises should seek to identify any LDAP queries from unusual sources within the environment and correlate that information with any other activity that might indicate an attack.

Threat actors also favor certain techniques. Let’s look at a few of their preferred tricks and how you can mitigate these threats for more effective Active Directory hardening.

Kerberoasting attacks

Many applications that integrate with Active Directory—SQL Server, for example—require the use of service accounts. These accounts are like regular user accounts but are dedicated to an application and don’t require interactive user logons.

Service accounts can be highly privileged, though they often don’t need to be. The accounts also often have passwords—sometimes very, very old passwords—that are not complex or otherwise hard to crack.

How does Kerberoasting work?

Services advertise themselves for users in Active Directory via service principal names (SPNs). Threat actors find service accounts by querying SPNs, then use Kerberoasting to crack the targeted service account’s password. Like many stealthy attacks, Kerberoasting works by abusing legitimate functionality.

After using a domain user account to authenticate to Active Directory, the threat actor receives a Kerberos Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC).

The attacker requests a service ticket for the targeted service.

The domain controller generates a Ticket Granting Service (TGS) ticket for that service, encrypts the ticket with a key derived from the service account’s password, and then sends the ticket to the “user”—in this case, the threat actor.

The attacker takes the ticket offline and cracks the service account’s password hash that encrypted the TGS ticket.

Using the cracked hash, the attacker can log in to the targeted service and take advantage of any privileges that service has.

How can you harden Active Directory against Kerberoasting?

Organizations can limit the risk of Kerberoasting by enforcing long, complex passwords for service accounts and using AES encryption for Kerberos service tickets.
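The audit below is an added example, not code from the original post or from Semperis. It lists accounts that carry SPNs and are exposed in the two ways described above (an old password, or service tickets not restricted to AES), and includes a helper that restricts an account to AES tickets; the 365-day password age threshold is an assumed policy value.

```powershell
# Added example (not from the original post): list accounts with SPNs that are
# exposed to Kerberoasting, i.e. old passwords or service tickets not restricted
# to AES, plus a helper to restrict one account to AES tickets.
# Needs the ActiveDirectory RSAT module; the audit itself needs only read access.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes
$RC4    = 0x04
$AES128 = 0x08
$AES256 = 0x10

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)   # assumed rotation policy; adjust to yours
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    # krbtgt has an SPN too but is covered by the KRBTGT rotation advice, not here
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' `
        -Properties ServicePrincipalName, PasswordLastSet, MemberOf, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $enc = [int]($_.'msDS-SupportedEncryptionTypes')
        # Unset (0) means the KDC falls back to RC4 for this account's service tickets,
        # and RC4-encrypted tickets are what offline cracking tools expect.
        $aesOnly = (($enc -band ($AES128 -bor $AES256)) -ne 0) -and (($enc -band $RC4) -eq 0)
        [pscustomobject]@{
            Account         = $_.SamAccountName
            SPNCount        = @($_.ServicePrincipalName).Count
            PasswordLastSet = $_.PasswordLastSet
            OldPassword     = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
            AESOnly         = $aesOnly
            # Direct membership only; nested membership needs Get-ADGroupMember -Recursive
            DirectAdmin     = [bool]($_.MemberOf | Where-Object { $_ -match '^CN=(Domain|Enterprise) Admins,' })
        }
    } | Where-Object { $_.OldPassword -or -not $_.AESOnly }
}

function Set-AesOnlyServiceTickets {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # AES keys only exist if the password was set after the domain started supporting
    # AES (2008 functional level or later); reset the password first if in doubt.
    Set-ADUser -Identity $SamAccountName -KerberosEncryptionType AES128, AES256
}

Get-KerberoastExposure | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Accounts flagged DirectAdmin deserve the first password rotation, since a cracked password there is a straight path to Domain Admin.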


Golden Ticket attacks

One of the most critical accounts to protect in Active Directory is the KRBTGT account, which exists as a service account for the KDC service. If an attacker gains control of the KRBTGT account, they can create phony TGTs and leverage those tickets to do extensive damage to the organization. This approach is known as a Golden Ticket attack.

How does a Golden Ticket attack work?

Golden Ticket attacks are very difficult to detect.

The attack begins when an attacker gains control of an account that has elevated privileges and can access a domain controller; each domain controller runs an instance of the KDC.

The threat actor uses a tool such as Mimikatz to steal the NTLM hash of the KRBTGT account.

Once the attacker has the KRBTGT password hash, they need only the fully qualified domain name (FQDN) of the domain, the domain’s security identifier, and the username of the account they want to target to create a TGT.

The attacker uses the TGT to impersonate legitimate users and potentially gain unlimited access.

How can you harden Active Directory against a Golden Ticket attack?

To combat a Golden Ticket attack, organizations should change the KRBTGT password twice in succession. Update the password whenever any employee who had the power to create a Golden Ticket leaves the organization. (A Semperis expert, Jorge de Almeida Pinto, has developed a PowerShell script to streamline this process.)

Additionally, watch for red flags: forged tickets sometimes contain mistakes such as relative ID (RID) mismatches or altered ticket lifetimes. And follow Active Directory security best practices, including limiting the number of users with access to domain controllers.
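The script below is an added example of the double KRBTGT reset recommended above; it is not the Semperis script the post mentions. It assumes a Domain Admin session with the ActiveDirectory module, and it waits for every writable domain controller to replicate the first reset before performing the second, because the KDC keeps accepting tickets issued under the previous password only until it is pushed out of the history.

```powershell
# Added example (not the Semperis script the post mentions): reset KRBTGT twice, but
# only do the second reset after every writable DC has replicated the first one.
# The KDC honours the previous password for existing tickets, so rushing the second
# reset before replication converges breaks valid tickets. Domain Admin required;
# try it in a lab first.
Import-Module ActiveDirectory

function Reset-KrbtgtPassword {
    # The value itself is never typed again: the KDC only uses the keys derived from it,
    # so a random 64-character string that is discarded immediately is sufficient.
    $chars  = [char[]](33..126)
    $plain  = -join (1..64 | ForEach-Object { $chars | Get-Random })
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    $pdc    = (Get-ADDomain).PDCEmulator
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $secure
    (Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet
}

function Wait-KrbtgtReplication {
    param([datetime]$ExpectedPwdLastSet, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $dcs = (Get-ADDomainController -Filter { IsReadOnly -eq $false }).HostName
    do {
        $lagging = foreach ($dc in $dcs) {
            $pls = (Get-ADUser -Identity krbtgt -Server $dc -Properties PasswordLastSet).PasswordLastSet
            if ($pls -lt $ExpectedPwdLastSet) { $dc }
        }
        if (-not $lagging) { return $true }
        Write-Host ("Waiting for {0} DC(s): {1}" -f @($lagging).Count, ($lagging -join ', '))
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-KrbtgtDoubleReset {
    $first = Reset-KrbtgtPassword
    Write-Host "First reset committed at $first; waiting for replication"
    if (-not (Wait-KrbtgtReplication -ExpectedPwdLastSet $first)) {
        throw 'Replication did not converge; do not perform the second reset yet.'
    }
    # To avoid cutting off legitimate TGTs issued under the old key, you can also wait
    # out the maximum TGT lifetime (10 hours by default) before this second reset.
    $second = Reset-KrbtgtPassword
    Write-Host "Second reset committed at $second; tickets forged with the stolen key are now invalid"
}
```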


Pass the Hash and Pass the Ticket attacks

Pass the Hash and Pass the Ticket attacks are popular methods for achieving lateral movement.

How do Pass the Hash and Pass the Ticket attacks work?

In a Pass the Hash attack, a threat actor first steals a user’s NTLM password hash. The attacker then uses that hash to bypass authentication controls—without needing to crack the actual password.

The Pass the Ticket attack is similar to the Pass the Hash attack but abuses Kerberos rather than NTLM. In this attack, the threat actor uses a stolen Kerberos ticket to authenticate as a user, again without needing to know the victim’s actual password.

How can you harden Active Directory against Pass the Hash and Pass the Ticket attacks?

To mitigate a Pass the Hash attack, you can disable the use of the NTLM authentication protocol, which this attack exploits. In addition:

Watch for unusual user behavior, such as a high number of access attempts targeting network resources. Such behavior can be a sign of either attack.

Minimize the value of compromised accounts by enforcing the principle of least privilege. Ensure that only those who need privileged access rights have them.
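The script below is an added example, not code from the original post. It supports the two steps above: before disabling NTLM it inventories which users and hosts still authenticate with it (read from Security event 4624 on a domain controller, where an unusually high count per source is the behaviour to investigate), and it then switches the Restrict NTLM settings to audit mode. The registry values are the ones behind the corresponding Group Policy settings, which is the usual way to deploy them; run elevated on the DC.

```powershell
# Added example (not from the original post): inventory NTLM use from Security event
# 4624 on a DC, then put the "Restrict NTLM" settings into audit-only mode. The
# registry values below are normally deployed via the matching Group Policy settings.

function Get-NtlmLogonSummary {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Pull fields by name from the event XML so the result does not depend on
        # the positional order of the event's Properties array.
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        if ($f.AuthenticationPackageName -eq 'NTLM') {
            $source = if ($f.WorkstationName -and $f.WorkstationName -ne '-') { $f.WorkstationName } else { $f.IpAddress }
            [pscustomobject]@{
                User      = $f.TargetUserName
                Source    = $source
                LogonType = $f.LogonType       # 3 = network, the type lateral movement uses
                Package   = $f.LmPackageName   # "NTLM V1" vs "NTLM V2"
            }
        }
    } | Group-Object User, Source, Package | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'User, Source, Package'; e = { $_.Name } }
}

function Set-NtlmAuditMode {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    # 5 = send NTLMv2 only, refuse LM and NTLMv1 ("LAN Manager authentication level")
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    # Audit incoming NTLM for all accounts (2) without blocking it yet (0)
    Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic    -Value 2 -Type DWord
    Set-ItemProperty -Path $msv -Name RestrictReceivingNTLMTraffic -Value 0 -Type DWord
    # Outgoing NTLM: 1 = audit all; once the inventory is clean, 2 = deny all
    Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic   -Value 1 -Type DWord
}

Get-NtlmLogonSummary | Select-Object -First 20 | Format-Table -AutoSize
Set-NtlmAuditMode
```

Audited NTLM authentications are written to the Microsoft-Windows-NTLM/Operational log, which is the record to review before moving the Restrict values to 2 (deny).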


Focus on account security to harden Active Directory

Protecting passwords is paramount to Active Directory hardening. Update timeworn, traditional password policies to reflect current Microsoft and NIST recommendations.

Scrutinize, remove, or heavily monitor any accounts that are allowed to authenticate without passwords.

Update service accounts with strong, complex passwords of at least 25 characters.

Just as attackers take advantage of legitimate functionality to perform surveillance, they also take advantage of privileged accounts. Accounts with excessive permissions can exist for many reasons.

Often, the issue is the result of business pressures. A user might urgently need to perform certain tasks. Determining how to provide access while honoring the principle of least privilege is deemed too time-consuming. Nested groups can also lead to messy inheritance scenarios.

Over time, these situations can spiral out of control. The result is an Active Directory environment filled with over-privileged accounts.

As the number of user and service accounts with excessive privileges grows, so does the Active Directory attack surface. To reduce it, organizations need to ensure that permissions are delegated properly.

On a strategic level, that requires the Active Directory team to truly understand the business needs of the users and groups in the environment.

When building out your environment, put similar resources in the same organizational unit (OU) and sub-OUs.

Delegate permissions to groups rather than specific users.

Determine the scope of each group you want to create and assign privileges based on roles.

Frequently review user and group permissions.

Monitor continuously for and roll back unauthorized changes that could lead to privilege escalation or credential theft.

These steps make the process of auditing permissions more effective and less tedious.

Active Directory hardening includes domain controller security

Arguably, domain controllers are the most critical part of your Active Directory infrastructure. A compromised domain controller can bring the house down, allowing threat actors to:

Modify all the accounts in your environment

Create new accounts

Spread malware

Take other actions to disrupt your environment

Due to their sensitivity, domain controllers should be a priority for patching. But that step is only the beginning.

Tightly control access to domain controllers. Only those administrators who absolutely need such access should have it. Examine which Group Policy Objects (GPOs) are linked to the domain controllers’ OU in Active Directory and confirm that only the Domain Admins group is granted the Allow log on through Remote Desktop Services and Allow log on locally user rights.
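As an added example (not code from the original post), the script below checks that logon-rights recommendation on a domain controller. It reads the effective user rights with secedit, which reflects what the GPOs linked to the Domain Controllers OU actually applied, resolves the SIDs to names and reports any holder outside an allowed list; that list is an assumption and includes BUILTIN\Administrators because the Default Domain Controllers Policy grants it and Domain Admins is a member of it.

```powershell
# Added example (not from the original post): verify on a domain controller that
# only the expected groups hold the interactive and Remote Desktop logon rights.
# Run elevated on the DC being checked.

function Get-EffectiveLogonRights {
    param([string[]]$Rights = @('SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight'))
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        $null  = secedit.exe /export /cfg $cfg /areas USER_RIGHTS
        $lines = Get-Content $cfg
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    foreach ($right in $Rights) {
        # Exported line looks like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
        $line    = $lines | Where-Object { $_ -like "$right *" } | Select-Object -First 1
        $holders = if ($line) { ($line -split '=', 2)[1].Trim() -split ',' } else { @() }
        [pscustomobject]@{
            Right   = $right
            Holders = @($holders | ForEach-Object {
                $v = $_.Trim().TrimStart('*')
                try { ([System.Security.Principal.SecurityIdentifier]$v).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $v }   # already a name, or a SID that cannot be resolved
            })
        }
    }
}

function Test-DcLogonRights {
    # Assumed allow-list: Domain Admins per the post, plus BUILTIN\Administrators, which
    # the Default Domain Controllers Policy grants and which contains Domain Admins.
    param([string[]]$Allowed = @("$env:USERDOMAIN\Domain Admins", 'BUILTIN\Administrators'))
    foreach ($r in Get-EffectiveLogonRights) {
        $unexpected = @($r.Holders | Where-Object { $_ -notin $Allowed })
        [pscustomobject]@{
            Right      = $r.Right
            Holders    = $r.Holders -join '; '
            Unexpected = $unexpected -join '; '
            Compliant  = ($unexpected.Count -eq 0)
        }
    }
}

Test-DcLogonRights | Format-Table -AutoSize
```

On a default installation, expect Backup Operators, Server Operators, Print Operators and Account Operators to show up as unexpected holders of the local logon right; removing them in the linked GPO is exactly the tightening the recommendation above asks for.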

Disable web browsing on domain controllers. Any opening to a domain controller poses a significant risk. The impact of a potential compromise due to a drive-by download or other attack is simply too significant to justify the risk. Your firewalls should play a role as well, blocking outbound connections from domain controllers to the Internet unless necessary.

Follow physical security best practices. Microsoft recommends installing physical domain controllers in dedicated secure racks or cages, kept separate from the general server population. Microsoft also recommends configuring domain controllers with Trusted Platform Module (TPM) chips.

Use encryption. Protect all volumes in domain controller servers by using BitLocker Drive Encryption.

Harden virtual domain controllers. Run virtual domain controllers on separate physical hosts from other virtual machines. These hosts’ administrators can control the virtual domain controllers, so keep those admin accounts separate from other virtualization administrators.

Active Directory hardening is a must

Active Directory hardening requires a combination of vigilance and proactiveness. At Semperis, we offer tools to help organizations identify and address security gaps in their Active Directory environments.

Assess your hybrid identity attack surface and close paths to your Tier 0 identity assets with free tools like Purple Knight and Forest Druid.

Analyze your security architecture and develop remediation and recovery plans—or if the worst happens, get expert help for an active attack—with Breach Preparedness & Response Services.

Implement automatic rollback of suspicious changes to Active Directory with Directory Services Protector (DSP).

Speed and simplify the Active Directory recovery process with Active Directory Forest Recovery (ADFR).

Keep Active Directory modernization and migration secure with expert help from Semperis.

These solutions can help you identify, recover from, and respond to cyberattacks by ensuring the integrity and availability of on-premises Active Directory as well as Entra ID and Okta. Getting started doesn’t need to be pricey or time-consuming; free tools are available to identify critical security gaps. Whatever approach you choose, begin by making Active Directory hardening a documented part of your cybersecurity plan.

The post Top Active Directory Hardening Strategies appeared first on Semperis.