Full Report

Kent Ickler & Jordan Drysdale // BHIS Webcast and Podcast

This post accompanies BHIS’s webcast recorded on August 7, 2018, Active Directory Best Practices to Frustrate Attackers, which you can view below. […]

The post Active Directory Best Practices to Frustrate Attackers: Webcast & Write-up appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Best Practices: Active Directory Security Hardening to Frustrate Attackers
## Overview
These practices focus on hardening the Active Directory (AD) environment beyond default settings to increase the time, effort, and complexity required for an attacker to compromise the network, ultimately encouraging them to target easier environments.
## Key Recommendations
### Immediate Actions
1. **Restrict Administrative Exposure:** Ensure administrators operate 99% of the time using **unprivileged, normal-user accounts** for day-to-day tasks (email, web browsing).
2. **Use Separate Admin Accounts:** Utilize a second account exclusively for administrative changes, preferably initiated only from a dedicated **jump host** or limited access system/network.
3. **Avoid Password Exposure:** **Do not** save sensitive passwords within Group Policies or scripts stored in the SysVol share.
4. **Secure Account Identification:** Ensure user **email addresses are not identical to usernames**, so an attacker cannot infer the username from a publicly available email address (e.g., append a random suffix to the username).
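Added example (not code from the BHIS post): a defender-side audit for the SysVol warning above. It walks the domain's SYSVOL Policies tree and reports any Group Policy Preference XML file that still carries a `cpassword` attribute, i.e. a credential stored in Group Policy. It assumes the machine is domain-joined (the domain is taken from `USERDNSDOMAIN`) and needs no RSAT module; it reports locations only and decrypts nothing.

```powershell
# Added example: report GPP XML files in SYSVOL that embed a credential.
$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw "Not domain-joined or USERDNSDOMAIN is unset" }
$sysvol = "\\$domain\SYSVOL\$domain\Policies"

# Group Policy Preference item types that can carry a cpassword attribute
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

$findings = Get-ChildItem -Path $sysvol -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Match on the raw XML; a non-empty cpassword value is all we need to know
        $hit = Select-String -Path $_.FullName -Pattern 'cpassword="[^"]+"' -Quiet
        if ($hit) {
            # The GPO GUID is the folder directly under \Policies\
            $gpoGuid = (($_.FullName -split '\\Policies\\')[1] -split '\\')[0]
            [pscustomobject]@{
                GpoGuid  = $gpoGuid
                File     = $_.FullName
                Modified = $_.LastWriteTime
            }
        }
    }

if ($findings) {
    Write-Warning "Found $(@($findings).Count) GPP file(s) with stored credentials; remove the items and rotate the affected accounts."
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No cpassword attributes found under $sysvol"
}
```

Run it from any domain-joined host with read access to SYSVOL (every domain user has that by default), and map each GpoGuid back to a GPO name with the Group Policy Management console or `Get-GPO -Guid`.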
### Short-term Improvements (1-3 months)
1. **Enforce Strong Password Policies:** Configure and enforce robust **Password Policies** via Group Policy, strictly defining minimum age, length, and complexity requirements.
2. **Implement Account Lockout Thresholds:** Configure **Account Lockout** settings, defining the number of failed attempts and the duration before lockout.
3. **Standardize Naming Conventions:** Establish and enforce clear, functional naming conventions for resources like **Group Policies, File Shares, and Printers** to improve internal efficiency and slightly obscure function from attackers.
4. **Establish Group-Based Access Control (JUGULAR Model):** Mandate the principle: Assign **Groups to Resources (ACLs)**, and **Users to Groups**. Avoid assigning direct user SIDs to resource ACLs to prevent legacy SID issues.
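Added example (not code from the BHIS post): an audit for the group-based model described above. For a given folder or share path it lists every explicit ACE whose trustee is a domain user account rather than a group, and separately flags orphaned SIDs (trustees that no longer resolve to an account). The `$Path` value is a placeholder; the object-class lookup uses an ADSI search against the current domain so no RSAT module is required.

```powershell
# Added example: find ACEs assigned directly to users instead of groups.
param([string]$Path = 'D:\Shares\Accounting')   # placeholder path

function Get-AdObjectClass {
    param([string]$SamAccountName)
    # Look the trustee up in the current domain and return its most specific objectClass
    $searcher = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    $searcher.PropertiesToLoad.Add('objectClass') | Out-Null
    $result = $searcher.FindOne()
    if ($result) { return ($result.Properties['objectclass'] | Select-Object -Last 1) }
    return $null
}

function Find-DirectUserAces {
    param([string]$FolderPath)
    $acl = Get-Acl -Path $FolderPath
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }             # audit explicit assignments only
        $id = $ace.IdentityReference
        # An unresolvable trustee comes back as a raw SID: the account was deleted
        if ($id -is [System.Security.Principal.SecurityIdentifier]) {
            $class = 'orphaned-sid'
        } else {
            $domain, $name = $id.Value -split '\\', 2   # e.g. CORP\jdoe
            # Well-known local principals (BUILTIN\, NT AUTHORITY\, Everyone) are not domain objects
            if (-not $name -or $domain -in 'BUILTIN', 'NT AUTHORITY') { continue }
            $class = Get-AdObjectClass -SamAccountName $name
        }
        if ($class -in 'user', 'orphaned-sid') {
            [pscustomobject]@{
                Path    = $FolderPath
                Trustee = $id.Value
                Class   = $class
                Rights  = $ace.FileSystemRights
                Type    = $ace.AccessControlType
            }
        }
    }
}

$direct = Find-DirectUserAces -FolderPath $Path
if ($direct) {
    Write-Warning "Direct user or orphaned ACEs found; replace each with a security group and move the users into it."
    $direct | Format-Table -AutoSize
} else {
    Write-Output "No direct user ACEs on $Path"
}
```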
### Long-term Strategy (3+ months)
1. **Deploy Comprehensive Encryption:** Implement **BitLocker** encryption across all capable endpoints and utilize **VeraCrypt** for sensitive data stores where BitLocker is not applicable.
2. **Establish Testing/Sandbox Environment:** Set up isolated **Active Directory sandboxes** (e.g., using AWS Quick Starts) to test configuration changes, policies, and potential attacker impacts before deploying them to production.
3. **Develop Help Desk Security Training:** Implement mandatory, regular **security awareness and social engineering training** for the Support/Help Desk team, and actively solicit their input by asking where they would look for AD security flaws if they were tasked with an internal penetration test.
4. **Institute Formal Password Request Procedures:** Create a documented process requiring that password management requests be verified by contacting the employee's **direct supervisor or direct report** to legitimize the request and aid memory recall.
## Implementation Guidance
### For Small Organizations
- Focus heavily on **Immediate Actions** and enforcing default security extensions via Group Policy (Password Policy, Lockout).
- Use the "Run as..." feature (instead of a full separate interactive logon) for administrative tasks to streamline the split between privileged and unprivileged activity.
- Leverage cloud-based AD services (referenced in the article) if available to simplify initial setup complexity.
### For Medium Organizations
- Prioritize the **Group-Based Access Control (JUGULAR)** implementation to clean up legacy ACLs.
- Begin systematic implementation of **naming conventions** for GPOs and File Shares.
- Start planning and deploying **BitLocker** across critical endpoints.
### For Large Enterprises
- Leverage the sandbox environment to extensively test complex **Group Policy Objects (GPOs)**, adhering strictly to the **LSD-OU** (Local, Site, Domain, OU) processing order when designing policy application.
- Formalize the process for separating administrative accounts and securing the **jump hosts** used for elevated access.
- Engage in recurring **penetration testing** cycles focused specifically on internal AD exploitation paths.
## Configuration Examples
* **Username Obfuscation Example (Conceptual):**
  * Email Address: `[email protected]`
  * AD Username Attribute (sAMAccountName): `[email protected]`
* **Resource Naming Guidelines:**
  * **File Shares:** Name based on context/department (e.g., "Accounting", "Accounts Receivable", "Onboarding Forms").
  * **Printers:** Name geographically to aid user location (e.g., "Floor2_WestWing_B&W").
  * **Group Policies:** Name according to function (e.g., "GPO_PasswordComplexity_Enforce").
## Compliance Alignment
This advice aligns with foundational security controls required by:
* **NIST CSF (Identify & Protect):** Hardening authentication, configuration management, and access control policies.
* **ISO 27001 (A.5, A.9, A.14):** Policies for identity management, access control, and secure system engineering/development (testing in sandbox).
* **CIS Benchmarks for Windows Server/Active Directory:** Specific group policy controls for password strength and account lockouts.
## Common Pitfalls to Avoid
1. **Assuming Defaults Are Sufficient:** Failing to augment default AD configurations, especially around password policies.
2. **Sticking to User-to-Resource ACLs:** Maintaining direct SIDs on resource ACLs instead of using security groups, leading to inaccessible data when owners leave.
3. **Ignoring Help Desk Security:** Failing to educate the help desk, allowing them to become an unwitting vector through social engineering or weak verification processes.
4. **Information Disclosure:** Not restricting the information disclosed about internal infrastructure (Exchange, SSL details, web services) in external communications, which aids attacker reconnaissance.
5. **Deploying Configuration Without Testing:** Pushing GPOs or configurations directly to production without first validating functionality and impact in an isolated testing environment.
## Resources
* **Testing Environment:** AWS Quick Start for Active Directory Environments (for isolated configuration testing).
* **Encryption Tools:** Microsoft BitLocker Documentation; VeraCrypt homepage.
* **Training/Consulting:** Contacting consultation services (e.g., referenced email `[email protected]`) for penetration testing or specialized training.
* **Security Training:** SANS course recommendation for attacker techniques and incident handling.