Secure AD

Admin Activities

Best Practices:

Enable Credential Guard GPO - Protects secrets in memory to prevent credential theft.

Use LAPS for Local Admins - Randomizes passwords for local admins to prevent password reuse.

Non-priv'd accounts for admins - Administrators should use their own, non-privileged accounts for everyday use.

Disabling priv'd accounts - DA, EA, and SA accounts should remain disabled until they are needed.

Protected Users Group - All service accounts, admin accounts, and DA/EA/SA accounts should be put into the Protected Users group in AD.

Least Privilege Service Accounts - Service accounts should be privileged with only what they truly need to function.

Do not let a vendor dictate the security within your entire organization. - We often find service accounts compromised because they are used where they shouldn't be, such as for running tasks, services, and processes on servers as well as on laptops and workstations.

Clear cached admin passwords - If they are in the Protected Users group then the credentials shouldn't be cached, but it's always a good move to clear the cache with a password reset after adding them into the Protected Users group.

Three tiers of accounts:

  • Tier 2: normal user daily productivity accounts. No administrative permissions on the domain at all. Restricted to workstation logon only, enforced via GPO.

  • Tier 1: Server (non-DC) admin accounts. Elevated, but not DA, administrative permission on the domain. Restricted to server logon only, enforced via GPO.

  • Tier 0: Domain admins. Restricted to DC logon only, enforced via GPO.

Credentials:

Registry Hives:

Each hive is listed with what it holds and the format or credential material found in it.

SAM - stores locally cached credentials (referred to as SAM secrets)

  • LM or NT hashes

SECURITY - stores domain cached credentials (referred to as LSA secrets)

  • Plaintext passwords

  • LM or NT hashes

  • Kerberos keys (DES, AES)

  • Domain Cached Credentials (DCC1 and DCC2)

  • Security Questions (L$SQSA<SID>)

SYSTEM - contains enough info to decrypt SAM secrets and LSA secrets

  • Credential material: N/A

Cleartext Protocols:

  • Wdigest

  • LiveSSP

  • TsPkg

LSA Secrets:

  • Users passwords

  • Internet Explorer passwords

  • Service account passwords (Services on the machine that require authentication with secret)

  • Cached domain password encryption key

  • SQL passwords

  • SYSTEM account passwords

  • Account passwords for configured scheduled tasks

  • Time left until the expiration of an unactivated copy of Windows

Worst Practices

Grant administrator privileges to all users.

  • Malware and TA tools/scripts often require admin privs

  • Making all users admin on their hosts eases the TA’s job

  • Privileged Access Management solutions such as BeyondTrust are useful here.

Over-provisioned service accounts.

  • Service accounts may be Domain Admin accounts (NO!!!)

  • Service accounts should be created for a specific purpose, not reused everywhere.

  • Third-party vendors often “require” these settings. NO! Push back on them!

  • Many ransomware incidents involve service account abuse.
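An added audit script (not part of the original notes) that checks the admin-account practices above and the over-provisioned service account problem in one pass: for every user in DA/EA/SA it reports whether the account is still enabled, whether it is in Protected Users, and whether it carries an SPN (a service account sitting in a privileged group). It assumes the RSAT ActiveDirectory module, a forest functional level that has the Protected Users group, and that it runs in the forest root domain (where EA and SA live); `Get-PrivilegedUsers` is a helper written for this example. It only reports, because Protected Users membership changes how the account authenticates and should be reviewed before it is applied.

```powershell
# Assumes RSAT ActiveDirectory module and a forest root domain context.
Import-Module ActiveDirectory

$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Helper (example-specific): recursively resolve user members of the given groups.
function Get-PrivilegedUsers {
    param([string[]]$Groups)
    $Groups | ForEach-Object {
        Get-ADGroupMember -Identity $_ -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    } | Sort-Object -Unique
}

# Current Protected Users membership, for comparison.
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName

$report = foreach ($sam in (Get-PrivilegedUsers -Groups $privGroups)) {
    $u = Get-ADUser -Identity $sam -Properties Enabled, ServicePrincipalName, PasswordLastSet
    [pscustomobject]@{
        SamAccountName   = $sam
        Enabled          = $u.Enabled                          # best practice: disabled until needed
        InProtectedUsers = ($protected -contains $sam)         # best practice: True
        HasSPN           = ($u.ServicePrincipalName.Count -gt 0) # service account in a priv group: worst practice
        PasswordLastSet  = $u.PasswordLastSet                  # reset after adding to Protected Users
    }
}

# Show only the accounts that violate one of the practices above.
$report | Where-Object { $_.Enabled -or -not $_.InProtectedUsers -or $_.HasSPN } |
    Format-Table -AutoSize
```

Run it from an admin workstation with domain read rights; an empty table means every privileged account is disabled, in Protected Users, and has no SPN.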

Mitigation:

Logging

Best Practices

Must be enabled:

  • Servers: Event ID 5140 - A network share object was accessed.

  • Servers: Event ID 5145 - A network share object was checked to see whether client can be granted desired access.
