This document complements the Active Directory security topics talked about on the 7 Minute Security podcast miniseries related to Active Directory - specifically #329. The purpose of this doc is to compile resources we can all use to make our Active Directory environments more physically and logically secure. Here we go....
I can't tell you how many companies I've run into that have flippin' Fort Knox around their DCs at their primary office (cameras, motion detectors, angry guard dogs, snipers, etc.) but then the branch office has a DC under the receptionist's desk with no security controls. Make sure all domain controllers are physically locked down. I think a good minimum config is to have the DC locked in a room with keycard access - where only a subset of employees have physical access.
Setup your users to run their day-to-day workstation tasks not as a local admin. Do this even for your IT/security staff. Then, let them have a separate account, such as jdoe_admin that they use only for tasks that require elevated privileges. If this is a tough sell to upper management, show them this awesome Avecto report which shows some staggering statistics, such as:
Removing admin rights would mitigate 80% of all Critical Microsoft vulnerabilities in 2017!
The technical nuts and bolts of this is pretty straightforward:
- Open Computer Management tool
- Right-click Computer Management (YOUR-MACHINE-NAME) and click Connect to Another Computer
- Type in the computer name and press Enter
- Under System Tools > Local Users and Groups > Groups > Administrators take the user's day-to-day account out of this group.
- Have the user reboot or log out and log back in.
- They've just been...insert dramatic music and say this with a Schwarzenegger accent.. "DE-ESCALATED!"
Pro tip: add their day-to-day account into the Local Users and Groups > Groups > Remote Desktop Users group if they use RDP on their machine via the VPN.
Microsoft has some great guidance around this. In general:
Domain Admins - nobody should be in here except the general Administrator account, and even that should have some additional best practices wrapped around it (see the Microsoft link above)
Schema Admins - should generally be empty unless someone is doing active schema changes.
Enterprise Admins - same as Domain Admins. Should be empty for the most part.
I picked this up from the fine folks at BHIS, and they recommend that instead of having your username structure be firstname.lastname@company.com or firstinitial.lastname@company.com (which is very predictable), move to something like firstname.lastname.5RandomCharacters@company.com. Brilliant! I love it. I wonder if anybody out there is actually using it? I've never seen it in the wild.
Find your most vulnerable AD abuse paths with BloodHound. For a two-part pentest tale showing how BloodHound can be used/abused by attackers, check out episodes 353 and 354.
On the paid product side, I have experience using Netwrix for this. On the free side, although I haven't tested it yet, Logging Made Easy looks like an awesome and free way to get some entry-level logging setup in your environment. Can't wait for a good lab day to play!