Hey Everyone, further to my post on Group Policy and AD last week I want to follow up with a post on Security.
When I’m out on site with customers doing risk assessments we always see the same risks being raised, mainly about the following topics:
Servers, especially DCs, not being patched. For example, we see MS14-068 missing on domain controllers in many customer environments. This patch (among others) is critical: it fixes a flaw in the KDC's validation of the Kerberos PAC that lets any authenticated domain user forge a ticket claiming Domain Admins membership. It was released in November 2014, nearly a year ago. Please check your environment for missing patches.
Too many members in the highly privileged admin groups. This one always flags, and it comes down to too many people being permanent members of Enterprise Admins and Domain Admins, or service accounts being members of these groups.
High-privilege users with "password never expires" set, so a stolen hash or password stays valid indefinitely.
Stale user and computer accounts. It is very easy for attackers to compromise these accounts and stay unnoticed in an environment, because nobody is looking at them.
No configuration baseline or standard build for servers, especially DCs, therefore allowing unneeded, unwanted and potentially malicious software to run.
Allowing internet access from servers, particularly DCs.
Security baselines and basic security configuration not being applied, such as restricting the logon types service accounts may use, restricting RDP access, configuring the other User Rights Assignment settings, and configuring Windows Firewall with Advanced Security.
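As an added example (not code from the original post), the following read-only PowerShell audit checks the first four risks above in one pass: whether MS14-068 is installed on every DC, who is effectively in the privileged groups, which of those users have "password never expires", and which enabled accounts are stale. It assumes the ActiveDirectory RSAT module, a domain-joined host with read access to the directory, and remote access to the DCs for Get-HotFix; the 90-day threshold and the "svc*" naming pattern for service accounts are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post. Read-only AD hygiene audit for
# the risks listed above. Assumes the ActiveDirectory RSAT module and a
# domain-joined host with read access; staleDays and the svc* pattern are
# assumptions.
Import-Module ActiveDirectory

$staleDays  = 90
$privGroups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators'

# 1. MS14-068 shipped as KB3011780. Get-HotFix reads the installed-updates
#    list remotely; an empty result means the KB is not installed (or the DC
#    could not be reached, which you also want to know about).
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $kb = Get-HotFix -ComputerName $dc -ErrorAction SilentlyContinue |
          Where-Object HotFixID -eq 'KB3011780'
    if ($kb) { "$dc : KB3011780 installed $($kb.InstalledOn)" }
    else     { Write-Warning "$dc : KB3011780 (MS14-068) MISSING or DC unreachable" }
}

# 2. Who is effectively in the privileged groups (nested membership resolved)?
$privUsers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Sam = $_.SamAccountName; DN = $_.DistinguishedName } }
}
$privUsers | Sort-Object Sam | Format-Table Group, Sam -AutoSize
"Distinct privileged users: $(($privUsers.Sam | Sort-Object -Unique).Count)"
# Service accounts in admin groups are a red flag (naming pattern is an assumption)
$privUsers | Where-Object Sam -like 'svc*' |
    ForEach-Object { Write-Warning "service account $($_.Sam) is a member of $($_.Group)" }

# 3. Privileged users whose password never expires
$privUsers.DN | Sort-Object -Unique |
    ForEach-Object { Get-ADUser -Identity $_ -Properties PasswordNeverExpires, PasswordLastSet } |
    Where-Object PasswordNeverExpires |
    ForEach-Object { Write-Warning "$($_.SamAccountName): password never expires, last set $($_.PasswordLastSet)" }

# 4. Enabled accounts with no logon in $staleDays days. LastLogonDate comes from
#    the replicated lastLogonTimestamp, so it can lag the true last logon by
#    up to 14 days; treat the list as candidates to review, not to delete blindly.
$span       = [TimeSpan]::FromDays($staleDays)
$staleUsers = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly     | Where-Object Enabled
$staleComps = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly | Where-Object Enabled
"Stale enabled users: $(@($staleUsers).Count)  Stale enabled computers: $(@($staleComps).Count)"
$staleUsers | Select-Object SamAccountName, LastLogonDate | Sort-Object LastLogonDate | Format-Table -AutoSize
```

Run it from a workstation with RSAT rather than on a DC, and feed the output into a ticket for each finding: the value is in tracking the numbers down over time, not in the one-off report.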
It may seem too hard to solve some of these issues, however locking down these areas will significantly improve your overall security. It's still a cat and mouse game, but you should be trying to make this as hard as possible for the attackers, and you really do need to make the investments, both financially and in the resources to implement and maintain these controls.
This post will have links to Microsoft’s current recommended practice when it comes to security, mainly focussed on the identity space. Again, this post may evolve over time so please use as a reference point and check back.
A Snippet of Security as it relates to identity:
Immutable laws of Security
The following two links provide the 10 immutable laws of security V1 and V2, some great reference material for your CIO:
Also, see this link for some general links around Windows Security:
The bible when it comes to AD security is the “Best Practices for AD Security” whitepaper written by MSIT and Microsoft consultants. This document includes all of the best practices for proactively managing and securing your directory based on experience from several security CritSits, AD Security Assessments and breaches of Microsoft customers. You should be looking to align your environment as best you can with these recommendations:
Another great document to reference is the Threats and Countermeasures guide:
Credential theft became a big problem a few years ago when Pass-the-Hash (PtH) attacks became prevalent. Although PtH has been around for many years, it is only in recent years that tooling has been freely available that makes these attacks trivial to carry out. Because PtH abuses how NTLM authentication is designed to work rather than a bug, the PtH "vulnerability" cannot be fixed with an update; there are, however, plenty of mitigations to put in place, and these are documented in the excellent PtH whitepapers, which are a must read for any security admin:
It should be noted that mitigating these risks isn't a panacea, as the credential thieves will just move on to other techniques, but it does address the low-hanging fruit. There, I said it: low-hanging fruit :). Let's see what other buzz terms I can drop in...
It's also worth checking out the new Windows 10 feature called Credential Guard, which uses virtualization-based security to keep the LSA's secrets (NTLM hashes and Kerberos tickets) in an isolated process that even code running as SYSTEM cannot read. Again, not a panacea, but it certainly raises the bar. There's another one :)
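Credential Guard is only a mitigation if it is actually running, and "configured" and "running" are reported separately. The following PowerShell is an added example (not from the original post) that reads the Device Guard WMI class to report both states and, if you opt in by setting $Enable to $true, writes the documented registry values that turn it on. It assumes Windows 10 or Windows Server 2016 or later on a UEFI system with Secure Boot and the hypervisor prerequisites; note that Credential Guard is not supported on domain controllers.

```powershell
# Added example, not from the original post. Reports whether Credential Guard
# is configured and running on this host; optionally enables it via the
# registry. Assumes Windows 10 / Server 2016+, UEFI, Secure Boot. $Enable is
# the assumed opt-in; a reboot is needed before the change takes effect.
$Enable = $false

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# SecurityServices* arrays: 1 = Credential Guard, 2 = hypervisor-enforced code integrity
$configured = $dg.SecurityServicesConfigured -contains 1
$running    = $dg.SecurityServicesRunning    -contains 1
"VBS status: $($dg.VirtualizationBasedSecurityStatus)  (0 = disabled, 1 = enabled, 2 = running)"
"Credential Guard configured: $configured   running: $running"
if ($configured -and -not $running) {
    Write-Warning 'Credential Guard is configured but not running: check VBS prerequisites (UEFI, Secure Boot, hypervisor)'
}

if ($Enable -and -not $configured) {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dgk = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    New-Item -Path $dgk -Force | Out-Null
    # Turn on virtualization-based security; RequirePlatformSecurityFeatures 1 = require Secure Boot
    Set-ItemProperty -Path $dgk -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgk -Name RequirePlatformSecurityFeatures    -Value 1 -Type DWord
    # LsaCfgFlags: 1 = Credential Guard on with UEFI lock, 2 = on without UEFI lock
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value 1 -Type DWord
    'Credential Guard enabled in the registry; reboot for LSAIso to start.'
}

# Cheap runtime confirmation: the isolated LSA process exists once it's running
if (Get-Process -Name LsaIso -ErrorAction SilentlyContinue) { 'LsaIso.exe is running (isolated LSA present)' }
```

Prefer the GPO setting over hand-editing the registry on anything but a test box, and be aware of what it does not cover: credentials typed into a compromised session, and tokens or tickets an attacker can use while the logged-on session is still live, are out of scope.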
Managing the security of service accounts and administrative accounts is paramount to the environment's security, as these accounts are usually high-value targets for attackers. When using these accounts, apply the principle of least privilege. Some guidance does exist on this and can be found here for service accounts:
And here for admin accounts:
When looking at service accounts it is also worth seeing if you can invest in Group Managed Service Accounts (gMSAs), introduced with Server 2012, which let the domain manage a long, automatically rotated password that no human ever knows or types:
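The following PowerShell walks through setting one up end to end, as an added example that is not code from the original post: creating the forest's KDS root key, creating a gMSA for a hypothetical service "gmsa-app" that only computers in an assumed "APP-Servers" group may retrieve the password for, and then installing and testing it on one of those hosts. It requires Windows Server 2012 or later DCs, the Server 2012 domain functional level and the ActiveDirectory RSAT module; "MyAppService" is a placeholder service name.

```powershell
# Added example, not from the original post. gMSA setup for a hypothetical
# service; "gmsa-app", "APP-Servers" and "MyAppService" are assumptions.
Import-Module ActiveDirectory

# --- Once per forest (from a DC or admin host): the KDS root key that DCs
# derive gMSA passwords from. By default the key only becomes usable 10 hours
# after creation so it can replicate everywhere first; the back-dated
# EffectiveTime below skips that wait and is for a lab only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

# --- Create the account. The domain generates a 240-byte password and
# rotates it on the interval below; it is never disclosed to a person.
$dnsRoot = (Get-ADDomain).DNSRoot
New-ADServiceAccount -Name 'gmsa-app' -DNSHostName "gmsa-app.$dnsRoot" `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP-Servers' `
    -ManagedPasswordIntervalInDays 30 -Enabled $true

# --- On each application server (a member of APP-Servers; reboot it first so
# its computer account's Kerberos ticket carries the new group).
Install-ADServiceAccount -Identity 'gmsa-app'
if (-not (Test-ADServiceAccount -Identity 'gmsa-app')) {
    throw 'This host cannot retrieve the gMSA password: check APP-Servers membership and replication'
}

# --- Point the service at the gMSA. The account name ends in '$' and the
# password is left blank: the Service Control Manager fetches it from the
# domain. The gMSA also needs "Log on as a service" on this host (grant via GPO).
$netbios = (Get-ADDomain).NetBIOSName
sc.exe config 'MyAppService' obj= "$netbios\gmsa-app$" password= ""
```

Keep PrincipalsAllowedToRetrieveManagedPassword as narrow as possible: any host that can retrieve the password can run as that account, so the group is effectively the trust boundary for the service.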
Lastly, check out the Best Practices for Delegating Active Directory Administration guide:
Privileged Account Management and Just-in-Time elevation are quite big at the minute, and managing accounts with high levels of access in the environment (either admin or VIP accounts) is crucial to maintaining a good security posture. Microsoft have therefore implemented a PAM feature in Windows Server vNext and a JIT feature in MIM 2016. Check this post for info on this:
Also, our very own PoSH Chap Ian Farr has a good post on JIT using PowerShell and some of the built in features on Windows Server 2012:
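To make the JIT idea concrete, here is an added example (not code from the original post or from Ian's) that uses the Privileged Access Management optional feature which shipped in Windows Server 2016, the "vNext" referred to above, to grant an expiring Domain Admins membership instead of a permanent one. Enabling the feature is forest-wide and cannot be undone, and it requires the Windows Server 2016 forest functional level; the user "bob" and the 60-minute window are assumptions.

```powershell
# Added example, not from the original post. Time-bound group membership via
# the Server 2016 PAM optional feature; "bob" and 60 minutes are assumptions.
Import-Module ActiveDirectory

# Enabling the feature is irreversible and needs 2016 forest functional level.
$feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target (Get-ADForest).RootDomain -Confirm:$false
}

function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)] [string] $User,
        [string] $Group   = 'Domain Admins',
        [int]    $Minutes = 60
    )
    # The member link is written with a TTL. The DC drops the link when the TTL
    # reaches zero, and the KDC caps the user's TGT lifetime at the remaining
    # TTL, so the access really ends rather than living on in an old ticket.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
}

Grant-TemporaryMembership -User 'bob' -Minutes 60

# Inspect remaining TTLs: expiring links are shown as <TTL=seconds,DN>
(Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member
```

Wrap the grant in whatever approval workflow you have (a ticket number as a parameter is a good start) and log every call; the TTL takes care of removal, but it does not take care of justification.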
Proactive Monitoring and Detection
One of the key aspects of security is to perform monitoring, but also to have the correct alerts in place, tuned for your environment, so you can use them to detect an attack or compromise rather than drown in noise. This guide will help you create this:
Defining a Security Baseline:
You should have a security baseline in your environment for DCs, member servers and workstations, such that you are blocking legacy authentication protocols, blocking certain logon types for certain users, configuring the Windows firewall and using features such as AppLocker. The Security Compliance Manager tool can help you with this:
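Whatever tool produces the baseline, you also need a way to check a server against it. The following PowerShell is an added example (not code from the original post) that checks a handful of the settings named above: LM/NTLM compatibility, SMBv1, Windows Firewall with Advanced Security on every profile, deny-logon rights for service accounts, and the presence of an AppLocker policy. The target values and the "CONTOSO\svc_app" account are assumptions standing in for your own baseline; run it elevated on the server being checked (Server 2012 or later for the SMB and firewall cmdlets).

```powershell
# Added example, not from the original post. Read-only check of a few
# baseline settings; target values and the svc_app account are assumptions.
function Test-ServerBaseline {
    param([string[]] $ServiceAccounts = @('CONTOSO\svc_app'))   # assumed
    $findings = New-Object System.Collections.Generic.List[string]

    # Legacy authentication: send NTLMv2 only and refuse LM/NTLM (level 5); no LM hash storage
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.LmCompatibilityLevel -ne 5) { $findings.Add("LmCompatibilityLevel=$($lsa.LmCompatibilityLevel), expected 5") }
    if ($lsa.NoLMHash -ne 1)             { $findings.Add('NoLMHash not set; LM hashes may be stored') }

    # SMBv1 off
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { $findings.Add('SMBv1 server is enabled') }

    # Windows Firewall with Advanced Security: every profile on, inbound blocked by default
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True')               { $findings.Add("Firewall profile $($p.Name) is disabled") }
        if ($p.DefaultInboundAction -ne 'Block') { $findings.Add("Firewall profile $($p.Name) default inbound is $($p.DefaultInboundAction)") }
    }

    # Logon types: service accounts should be denied interactive and RDP logon.
    # secedit exports rights as '*SID' or name entries, so resolve our names to SIDs.
    $cfg = Join-Path $env:TEMP 'rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$Matches[1]] = $Matches[2] -split ',' }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    foreach ($acct in $ServiceAccounts) {
        try {
            $sid = ([System.Security.Principal.NTAccount]$acct).Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $findings.Add("Could not resolve $acct to a SID"); continue
        }
        foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
            $holders = @($rights[$right]) | ForEach-Object { $_.Trim().TrimStart('*') }
            if ($holders -notcontains $sid -and $holders -notcontains $acct) {
                $findings.Add("$acct is not listed in $right")
            }
        }
    }

    # AppLocker: an effective policy with at least one rule collection
    $pol = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if (-not $pol -or @($pol.RuleCollections).Count -eq 0) { $findings.Add('No effective AppLocker policy') }

    return $findings
}

$result = Test-ServerBaseline
if ($result.Count -eq 0) { 'Baseline checks passed' } else { $result | ForEach-Object { Write-Warning $_ } }
```

Extend the list with the rest of your baseline and schedule it: drift is what undoes a baseline, and a check that runs nightly and opens a ticket on a finding is worth more than a perfect one-off build document.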
As you know from reading my blog, PKI is my passion, and the security around PKI, including designing key signing ceremonies and secure implementations, is what I specialised in before joining Microsoft. I've touched on some of the security aspects of PKI in my non-repudiation and offline CA virtualisation posts here:
Further to my posts, there is also the Securing PKI whitepaper, which is very good:
There are plenty of other reference guides and links that you can use, however the above will give you a starter for ten and plenty of bedtime reading!