Secure AD
Enable Credential Guard GPO - Protects secrets in memory to prevent credential theft.
Use LAPS for Local Admins - Randomizes passwords for local admins to prevent password reuse.
Non-priv'd accounts for admins - Administrators should use separate, non-privileged accounts for everyday work.
Disabling priv'd accounts - DA, EA, and SA accounts should remain disabled until they are needed.
Protected Users Group - All service accounts, admin accounts, and DA/EA/SA accounts should be put into the Protected Users group in AD.
Least Privilege Service Accounts - Service accounts should be granted only the privileges they truly need to function.
Do not let a vendor dictate the security of your entire organization - We often find service accounts compromised because they are used where they shouldn't be, such as for running tasks, services, and processes on servers as well as on laptops and workstations.
Clear cached admin passwords - If they are in the Protected Users group their credentials shouldn't be cached, but it's always a good move to clear the cache with a password reset after adding them to the Protected Users group.
Tier 2: normal user daily productivity accounts. No administrative permissions on the domain at all. Restricted to workstation logon only, enforced via GPO.
Tier 1: Server (non-DC) admin accounts. Elevated, but not DA, administrative permission on the domain. Restricted to server logon only, enforced via GPO.
Tier 0: Domain admins. Restricted to DC logon only, enforced via GPO.
Where Windows stores credentials (registry hive - what it holds: credential types):
SAM - stores locally cached credentials (referred to as SAM secrets): LM or NT hashes
SECURITY - stores domain cached credentials (referred to as LSA secrets): plaintext passwords; LM or NT hashes; Kerberos keys (DES, AES); Domain Cached Credentials (DCC1 and DCC2); Security Questions (L$_SQSA_<SID>)
SYSTEM - contains enough info to decrypt SAM secrets and LSA secrets: N/A
LSASS security packages that keep credentials in memory: Wdigest, LiveSSP, TsPkg
LSA secrets can contain:
User passwords
Internet Explorer passwords
Service account passwords (services on the machine that require authentication with a secret)
Cached domain password encryption key
SQL passwords
SYSTEM account passwords
Account passwords for configured scheduled tasks
Time left until the expiration of an unactivated copy of Windows
Granting administrator privileges to all users.
Malware and TA tools/scripts often require admin privs.
Making all users admin on their hosts eases the TA's job.
Privileged Access Management solutions such as BeyondTrust are useful here.
Over-provisioned service accounts.
Service accounts may be Domain Admin accounts (NO!!!)
Service accounts should be created for a specific purpose, not reused everywhere.
Third-party vendors often "require" these settings. NO! Push back on them!
Many ransomware incidents involve service account abuse.
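As an added example (not from the page's author), a read-only PowerShell audit of the rules above: it lists DA/EA/SA members that are missing from Protected Users, are still enabled, or carry an SPN (the usual sign of a service account). It assumes the RSAT ActiveDirectory module and the default built-in group names.

```powershell
# Added audit script, not part of the original notes. Read-only: it reports, it changes nothing.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-PrivilegedAccountFindings {
    $privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

    # Build a lookup of everyone already in Protected Users (nested membership included).
    $protected = @{}
    try {
        Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction Stop |
            ForEach-Object { $protected[$_.distinguishedName] = $true }
    } catch {
        Write-Warning "Protected Users group not found; every privileged account will be flagged."
    }

    foreach ($groupName in $privilegedGroups) {
        # Enterprise/Schema Admins exist only in the forest root domain; skip if absent here.
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }

        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties ServicePrincipalName, PasswordLastSet
                $findings = @()
                # Rule: DA/EA/SA accounts belong in Protected Users.
                if (-not $protected.ContainsKey($u.DistinguishedName)) { $findings += 'NotInProtectedUsers' }
                # Rule: service accounts (here: anything with an SPN) must never be DA/EA/SA.
                if ($u.ServicePrincipalName.Count -gt 0) { $findings += 'HasSPN-LikelyServiceAccount' }
                # Rule: privileged accounts stay disabled until needed; review any that are enabled.
                if ($u.Enabled) { $findings += 'Enabled' }

                if ($findings.Count -gt 0) {
                    [pscustomobject]@{
                        Group           = $groupName
                        Account         = $u.SamAccountName
                        PasswordLastSet = $u.PasswordLastSet
                        Findings        = ($findings -join ',')
                    }
                }
            }
    }
}

Get-PrivilegedAccountFindings | Format-Table -AutoSize
```

PasswordLastSet is included so you can confirm the post-Protected-Users password reset from the hardening list actually happened.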
Mitigation:
Must be enabled (Audit File Share for 5140, Audit Detailed File Share for 5145; 5145 is high-volume, so plan log capacity before enabling it broadly):
Server Event ID 5140 - A network share object was accessed.
Server Event ID 5145 - A network share object was checked to see whether the client can be granted desired access.