Beyond the MCSE: Active Directory for the Security Professional
Sean Metcalf, Trimarc (TrimarcSecurity.com)
Black Hat USA 2016

Table of Contents
Overview
Differing Views of Active Directory
Active Directory Components
    Administration
    Forest
    Domains
    Schema
    Trusts
    Sites, Subnets, & Replication
    Organizational Units
    DNS
Domain Controllers
    DCLocator
    Global Catalog
    FSMOs
    Read-Only Domain Controllers
    DNS Zone Hosting
    Kerberos Handling
    Authentication & Password Caching
    Directory Services Restore Mode (DSRM) account
Active Directory Database
Group Policy
Authentication
    The Evolution of Windows Authentication
    NTLM
    Kerberos
Active Directory Administration Groups
    Default Groups & Permissions: DC Rights
AD Security Enhancements by OS
    Forest and Domain Functional Level Security Enhancements
    Windows 2008 R2 Forest/Domain Mode Features
    New AD Features: Windows Server 2012
    Key AD Security Features: 2012 R2
    Windows 10 - New & Updated Auditing
Active Directory Security Best Practices
    General Recommendations
    Protect Admin Credentials
    Protect Service Account Credentials
    Protect Resources
    Protect Domain Controllers
    Protect Workstations (& Servers)
    Logging
Interesting AD Facts
A Security Pro's AD Checklist
Recommended Domain Controller Event Logging
References

Overview
This whitepaper is meant to augment the Black Hat USA 2016 presentation "Beyond the MCSE: Active Directory for the Security Professional", which highlights the Active Directory components that have important security roles.
There are plenty of resources for learning Active Directory, including the Microsoft websites referenced at the end of this document. This whitepaper highlights the key Active Directory components that security professionals must know in order to defend Active Directory. Many security professionals are not familiar enough with AD to know which areas require hardening, and many aspects of Active Directory that are not well known are often leveraged by attackers. By highlighting this information, blue teams can better understand their AD environment in order to protect it more effectively. The presentation builds on the standard Microsoft material by adding the security angle often missing in typical training books. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies.

Differing Views of Active Directory
The systems administrator/engineer, the security professional, and the attacker each see Active Directory differently, and these differences matter when defending the enterprise.
The Active Directory administrator/engineer focuses on uptime and on ensuring that Active Directory responds to queries in a reasonable amount of time.
The security professional may monitor Domain Admins group membership, ensure that the Domain Controller security logs are forwarded to a central logging server, and ensure that systems are patched.
The attacker focuses on the entire enterprise security posture, including that of every component.

Active Directory Components
Active Directory is like a network registry in which all information about users, groups, computers, servers, printers, network shares, and more is stored. Each of these is an object with attributes associated with it in the directory. A user object, for example, has attributes such as first name, last name, work phone number, and group membership.

Administration
There are several methods for interacting with Active Directory:
Active Directory Users & Computers
Active Directory Administrative Center - an updated admin console with a new style and PowerShell support.
AD Sites & Services
AD Domains & Trusts
PowerShell - PowerShell provides a number of methods to interact with Active Directory, from ADSI and .NET to the Active Directory PowerShell module.
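The three PowerShell routes just listed (the Active Directory module, .NET System.DirectoryServices, and the ADSI accelerator) are easiest to compare on one concrete question a security professional actually asks: who is in Domain Admins, including members inherited through nested groups? The script below is an added example written for this whitepaper, not code from the original paper or from Microsoft. It assumes a domain-joined host; only the first method needs RSAT (the ActiveDirectory module), and the group name is the default one.

```powershell
# Added example (not from the whitepaper): the same question, "who is in Domain Admins,
# including nested groups?", answered with each of the three methods named above.
# Run on a domain-joined host; only method 1 requires RSAT (the ActiveDirectory module).
# $GroupName is an assumption for the example; change it to audit another group.

$GroupName = 'Domain Admins'

# 1. Active Directory PowerShell module: -Recursive expands nested groups for you.
function Get-GroupMembersADModule {
    param([string]$Name = $GroupName)
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADGroupMember -Identity $Name -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
}

# 2. .NET System.DirectoryServices: DirectorySearcher with the LDAP_MATCHING_RULE_IN_CHAIN
#    OID (1.2.840.113556.1.4.1941), which makes the DC expand nested membership server-side.
function Get-GroupMembersDotNet {
    param([string]$Name = $GroupName)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.PageSize = 1000        # paged results: large groups exceed the 1000-entry limit
    $searcher.Filter   = "(&(objectCategory=group)(sAMAccountName=$Name))"
    $groupDn = $searcher.FindOne().Properties['distinguishedname'][0]
    $searcher.Filter = "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] }
}

# 3. ADSI on the group object itself: reads the raw member attribute, i.e. direct members only,
#    so a nested group shows up as one entry and its own members are NOT expanded.
function Get-GroupMembersADSI {
    param([string]$Name = $GroupName)
    $rootDse = [ADSI]'LDAP://RootDSE'
    $group   = [ADSI]"LDAP://CN=$Name,CN=Users,$($rootDse.defaultNamingContext)"
    foreach ($memberDn in $group.member) {
        $obj = [ADSI]"LDAP://$memberDn"
        '{0} ({1})' -f $obj.sAMAccountName, @($obj.objectClass)[-1]
    }
}

# Compare the views: a gap between the recursive counts and the direct count is nested
# membership, which is exactly where unexpected admin access tends to hide.
$viaModule = @(Get-GroupMembersADModule)
$viaDotNet = @(Get-GroupMembersDotNet)
$direct    = @(Get-GroupMembersADSI)
"Recursive (module): $($viaModule.Count)  Recursive (.NET): $($viaDotNet.Count)  Direct (ADSI): $($direct.Count)"
Compare-Object $viaModule $viaDotNet   # no output means both recursive views agree
```

Methods 1 and 2 should always agree; method 3 is what an attacker sees when reading the `member` attribute directly and is the cheapest to run on a host without RSAT. Whichever route is used, membership of this group is worth checking on a schedule, since the group is the first thing the security professional's view of AD (above) says to monitor.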

Forest
Forests are the Active Directory structure and security boundary; domains are the administrative and replication boundary. Unfortunately, many organizations have designed their AD environment with the false belief that the AD domain is the security boundary. This is not the case, and it means that the compromise of a single domain enables full forest compromise. Furthermore, the authentication and authorization boundary can be extended beyond the forest to other forests and/or domains, often without a full understanding of the security implications.
A forest is a complete instance of Active Directory in a single namespace; each forest is the single entity containing all domains, Domain Controllers, Organizational Units, etc. within it. The forest has a single schema, which defines object types and their associated properties. By default, forest data is contained within the forest and not shared outside of it. All intra-forest trust relationships are automatically created as two-way transitive trusts.

The first Domain Controller promoted in a new forest also creates the first forest domain, called the forest root domain; its name is also the forest name.

Security Note:
The Active Directory forest is the security boundary. Administrators in one domain can gain administrative access to other domains in the forest. Creating trusts from one forest to another extends the authentication boundary and can unintentionally expose information. Compromise of any domain in the forest and/or any trusted domain could lead to complete forest compromise.
Microsoft reference: TechNet library article cc759073 (v=ws.10)

Domains
An Active Directory domain partitions the forest into smaller AD databases, each replicating its domain data separately from the other domains. All properties of all objects within a domain are replicated only to the Domain Controllers of that domain. The domain is therefore a replication boundary, as well as a boundary for authentication and security policy. Domains do not provide protection from a malicious Domain Admin in another domain of the same forest.

Security Note:
An Active Directory domain's data is stored in the domain database (NTDS.dit) on every Domain Controller in the domain. Compromise of one Domain Controller and/or a copy of the AD database file compromises the domain. The Active Directory forest is the security boundary, not the domain. Creating trusts from one domain to another extends the authentication boundary and can unintentionally expose information.

Schema
The schema is the forest-wide template that defines the object classes and attributes that Active Directory can host. It must be protected not only from failure but also from inadvertent or arbitrary changes, since the schema affects every user, system and application in the forest. Changes to the Active Directory schema should be infrequent and well tested. Class and attribute additions are not reversible: a schema object can be deactivated (marked defunct) but never deleted once created. A special group in Active Directory, Schema Admins, holds the rights to modify the schema. This group should remain empty, secured, and monitored so that no changes can be made without prior approval.

Security Note
The schema defines all objects and their properties. Unauthorized modification of the schema could unintentionally expose data or corrupt the Active Directory forest.
Microsoft reference: TechNet library article cc961756
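The forest, domain and schema sections above all come down to the same inventory question: what is inside my security boundary, who can change its schema, and has anyone done so recently? The script below is an added example written for this whitepaper (not code from the original paper or from Microsoft) that answers those questions with .NET System.DirectoryServices only, so it runs without RSAT. The 30-day window for "recent" schema changes is an assumption.

```powershell
# Added example (not from the whitepaper): inventory the forest as the text describes it (root
# domain, every domain, the DCs holding them, trusts leaving the forest) and check the two schema
# controls above: Schema Admins should be empty, and schema changes should be rare and expected.
# Uses .NET System.DirectoryServices only, so no RSAT module is needed. $Days is an assumed window.

function Get-ForestInventory {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    [pscustomobject]@{
        Forest             = $forest.Name
        RootDomain         = $forest.RootDomain.Name
        ForestMode         = $forest.ForestMode.ToString()
        SchemaMaster       = $forest.SchemaRoleOwner.Name
        DomainNamingMaster = $forest.NamingRoleOwner.Name
        # Every domain listed here is inside the one security boundary: compromise of any of
        # them is a forest problem, not a domain problem.
        Domains            = @($forest.Domains | ForEach-Object { $_.Name })
        DomainControllers  = @($forest.Domains | ForEach-Object { $_.DomainControllers } |
                               ForEach-Object { $_.Name })
        # Trusts to other forests/domains extend the authentication boundary beyond the forest.
        ExternalTrusts     = @($forest.GetAllTrustRelationships() | ForEach-Object {
                               '{0} ({1}, {2})' -f $_.TargetName, $_.TrustDirection, $_.TrustType })
    }
}

function Get-SchemaSecurityReport {
    param([int]$Days = 30)   # assumption: flag schema objects changed in the last 30 days
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schema   = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"

    # Schema Admins exists only in the forest root domain (Users container by default).
    $rootDn       = $forest.RootDomain.GetDirectoryEntry().distinguishedName.ToString()
    $schemaAdmins = [ADSI]"LDAP://CN=Schema Admins,CN=Users,$rootDn"
    $members      = @($schemaAdmins.member)

    # Recently modified classSchema/attributeSchema objects. whenChanged is a generalizedTime
    # value, so the filter operand must use the same format (UTC, yyyyMMddHHmmss.0Z).
    $since    = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyyMMddHHmmss.0Z')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $searcher.PageSize = 1000
    $searcher.Filter   = "(&(|(objectClass=attributeSchema)(objectClass=classSchema))(whenChanged>=$since))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('lDAPDisplayName','objectClass','whenChanged','isDefunct'))
    $recent = foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name        = $r.Properties['ldapdisplayname'][0]
            Kind        = @($r.Properties['objectclass'])[-1]      # attributeSchema or classSchema
            WhenChanged = $r.Properties['whenchanged'][0]
            # isDefunct is how a schema object is "disabled": it cannot be deleted once created.
            Defunct     = ($r.Properties['isdefunct'].Count -gt 0) -and [bool]$r.Properties['isdefunct'][0]
        }
    }
    [pscustomobject]@{
        SchemaObjectVersion = [int]$schema.objectVersion.ToString()   # rises with adprep /forestprep
        SchemaAdminsMembers = $members                                 # expected: empty
        SchemaAdminsEmpty   = ($members.Count -eq 0)
        RecentSchemaChanges = @($recent)
    }
}

Get-ForestInventory | Format-List
Get-SchemaSecurityReport -Days 30 | Format-List
```

Two things to read from the output: any name in SchemaAdminsMembers outside an approved change window is a finding in itself, and any entry in RecentSchemaChanges should match a ticket (an application install, an adprep run). Because the schema master is a forest-wide role, the SchemaMaster DC in the inventory is also the one whose event logs matter most for schema changes.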

Trusts
A trust is a relationship between domains or forests that extends authentication: it is the authentication pipeline that must exist for users in one domain to access resources in another domain. Some trusts are one-way, enabling users from one domain/forest to access resources in the other domain/forest only. A two-way, or bidirectional, trust enables users in either domain/forest to access resources in the other.
Microsoft reference: TechNet library article cc786873 (v=ws.10)

There are two primary types of trusts: domain and forest. Within an Active Directory forest with multiple domains, there are implicit two-way transitive trusts between the parent domain and the child domains in the forest. These trusts are transitive, meaning that authentication can flow from one domain to another while transiting a third. Transitivity determines whether a trust can be extended outside of the two domains with which it was formed: a transitive trust can be used to extend trust relationships with other domains; a nontransitive trust can be used to deny trust relationships with other domains.
Additionally, within a forest there is another trust that can be manually created, called a shortcut trust. This type of trust is used to improve authentication between domains in a forest: when a user in ChildDomainA needs to authenticate to ChildDomainB, the authentication must otherwise transit ParentDomain. A shortcut trust created between ChildDomainA and ChildDomainB

Trust types (TechNet library article cc730798 (v=ws.11)):
External trust (nontransitive; one-way or two-way): Use external trusts to provide access to resources that are located in a Windows NT 4.0 domain or in a domain that is located in a separate forest not joined by a forest trust. For more information, see Understanding When to Create an External Trust.
Realm trust (transitive or nontransitive; one-way or two-way): Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and an Active Directory domain. For more information, see Understanding When to Create a Realm Trust.
Forest trust (transitive; one-way or two-way): Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests that are made in either forest can reach the other forest. For more information, see Understanding When to Create a Forest Trust.
Shortcut trust (transitive; one-way or two-way): Use shortcut trusts to improve user logon times between two domains within an Active Directory forest. This is useful when two domains are separated by two domain trees. For more information, see Understanding When to Create a Shortcut Trust.

Active Directory stores information about trusts in Trusted Domain Objects (TDOs), one per trust relationship in a domain. A unique TDO is created with each trust and stored in the domain's System container.
Domain trust TDO attributes store the trust's transitivity, type, and the reciprocal domain names.
Forest trust TDOs store additional attributes that identify all of the trusted namespaces of the partner forest, including domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces.
Domain Controllers (Windows Server 2003 and later) authenticate users and applications using Kerberos V5 or NTLM, with Kerberos V5 configured as the default protocol for all supported versions of Windows.
If any computer involved in a transaction does not support Kerberos V5, the NTLM protocol will be used. Kerberos AES needs to be explicitly enabled on manually created trusts to ensure that Kerberos across the trust uses AES.

Additionally, there are different options for trusts:
SID History Filtering (Quarantine): SID History data is not allowed in authentication across the trust; it is filtered out.
Selective Authentication: Changes the default access rules that external users have to the forest. Most notably, there is no access to resources across this trust type by default, not even read access. With Selective Authentication, an external user must have explicit delegated access to the resource in order to receive a Kerberos ticket to access it.

Authentication settings for interforest trusts (TechNet library article cc755321 (v=ws.10)):
Domain-wide authentication (external trusts): Permits unrestricted access by any users in the trusted domain to all available shared resources located in the trusting domain. This is the default authentication setting for external trusts.
Forest-wide authentication (forest trusts): Permits unrestricted access by any users in the trusted forest to all available shared resources located in any of the domains in the trusting forest. This is the default authentication setting for forest trusts.
Selective authentication (external and forest trusts): Restricts access over an external or forest trust to only those users in a trusted domain or forest who have been explicitly given authentication permissions to computer objects (resource computers) residing in the trusting domain or forest. This authentication setting is not the default and must be enabled.

Trust information can be enumerated via WMI on the Domain Controllers (the Active Directory WMI provider classes documented in TechNet library article cc756944 (v=ws.10), listed there as compatible with Windows 2000 Server and Windows Server 2003) or by querying the Trusted Domain Objects in the domain.

Security Note
The Active Directory forest is the security boundary. Administrators in one domain can gain administrative access to other domains in the forest. Creating trusts from one forest/domain to another extends the authentication boundary and can unintentionally expose information. Compromise of any domain in the forest and/or any trusted domain could lead to complete forest compromise. SID History filtering should be enabled to protect against leveraging SID History to compromise a trusting domain. Selective Authentication should be enabled when possible to limit the data exposed across the trust to only explicitly authorized accounts and groups.

Sites, Subnets, & Replication
Active Directory replication topology is divided into multiple sites to optimize replication. Active Directory uses the concept of sites to map Active Directory resources to a geographical or network area. AD clients use sites to discover Domain Controllers and other resources such as DFS shares. Sites effectively map Active Directory to physical locations. Subnets are configured in AD to map network subnets to Active Directory sites; this linkage enables resource discovery. Active Directory sites are also used by certain enterprise services to ensure that data is transferred via the quickest possible route.
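Returning to the trust section above: the trust direction, transitivity, SID History filtering (quarantine), Selective Authentication and Kerberos AES settings it describes are all stored as bit flags and integers on the Trusted Domain Object, so the Security Note's two recommendations can be checked mechanically. The script below is an added example written for this whitepaper, not code from the original paper or from Microsoft. The flag values come from the MS-ADTS specification (trustAttributes, trustDirection, trustType) and the msDS-SupportedEncryptionTypes definition; the findings logic and the constructed sample TDO are this example's own.

```powershell
# Added example (not from the whitepaper): read every Trusted Domain Object (TDO) in the current
# domain's System container and decode the attributes the trust section describes: direction,
# type, transitivity, SID filtering (quarantine), Selective Authentication and Kerberos AES.
# Bit values are from MS-ADTS (trustAttributes, trustDirection, trustType) and from the
# msDS-SupportedEncryptionTypes definition; the findings logic is this example's own.

$TrustAttr = @{
    NonTransitive     = 0x01
    UplevelOnly       = 0x02
    QuarantinedDomain = 0x04   # SID filtering (quarantine) on an external trust
    ForestTransitive  = 0x08   # forest trust
    CrossOrganization = 0x10   # Selective Authentication
    WithinForest      = 0x20   # automatic intra-forest trust
    TreatAsExternal   = 0x40   # forest trust with SID filtering relaxed (SID history enabled)
    UsesRc4Encryption = 0x80   # MIT realm trust forced to RC4
}
$TrustDirection = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$TrustType      = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }
$AesTypes       = 0x18         # msDS-SupportedEncryptionTypes: AES128 (0x08) | AES256 (0x10)

function ConvertFrom-TrustedDomainObject {
    param(
        [Parameter(Mandatory)][string]$Partner,
        [Parameter(Mandatory)][int]$Attributes,
        [Parameter(Mandatory)][int]$Direction,
        [Parameter(Mandatory)][int]$Type,
        [int]$SupportedEncryptionTypes = 0     # attribute absent on the TDO means RC4 only
    )
    $has   = { param($flag) [bool]($Attributes -band $TrustAttr[$flag]) }
    $flags = @($TrustAttr.Keys | Where-Object { & $has $_ } | Sort-Object)
    $findings = @()
    if (& $has 'WithinForest') {
        $findings += 'intra-forest trust: same security boundary, transitive and two-way by design'
    } else {
        if ((& $has 'ForestTransitive') -and (& $has 'TreatAsExternal')) {
            $findings += 'forest trust treated as external: SID history allowed, SID filtering relaxed'
        }
        if (-not (& $has 'ForestTransitive') -and -not (& $has 'QuarantinedDomain')) {
            $findings += 'external trust without SID filtering (quarantine)'
        }
        if (-not (& $has 'CrossOrganization')) {
            $findings += 'Selective Authentication not enabled (domain/forest-wide authentication)'
        }
        if ($Type -eq 2 -and -not ($SupportedEncryptionTypes -band $AesTypes)) {
            $findings += 'Kerberos AES not enabled on this trust (RC4 only)'
        }
    }
    [pscustomobject]@{
        Partner    = $Partner
        Direction  = $TrustDirection[$Direction]
        Type       = $TrustType[$Type]
        Transitive = -not (& $has 'NonTransitive')
        Flags      = $flags -join ','
        Findings   = $findings
    }
}

function Get-DomainTrustReport {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $system   = [ADSI]"LDAP://CN=System,$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($system)
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = '(objectClass=trustedDomain)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'trustPartner','trustAttributes','trustDirection','trustType','msDS-SupportedEncryptionTypes'))
    foreach ($r in $searcher.FindAll()) {
        $p   = $r.Properties
        $enc = if ($p['msds-supportedencryptiontypes'].Count) { [int]$p['msds-supportedencryptiontypes'][0] } else { 0 }
        ConvertFrom-TrustedDomainObject -Partner $p['trustpartner'][0] `
            -Attributes ([int]$p['trustattributes'][0]) -Direction ([int]$p['trustdirection'][0]) `
            -Type ([int]$p['trusttype'][0]) -SupportedEncryptionTypes $enc
    }
}

# Constructed TDO values (made up for illustration): an external, bidirectional, non-transitive
# trust with SID filtering enabled but neither Selective Authentication nor AES.
ConvertFrom-TrustedDomainObject -Partner 'partner.example' -Attributes 0x05 -Direction 3 -Type 2 |
    Format-List
# Against the live domain:
Get-DomainTrustReport | Format-List
```

The constructed sample decodes to Flags NonTransitive,QuarantinedDomain with two findings (no Selective Authentication, no AES), which is what a typical manually created external trust looks like before hardening. Get-ADTrust -Filter * from the Active Directory module and nltest /domain_trusts show the same raw attributes; the value of decoding them yourself is that the two Security Note recommendations (SID filtering on, Selective Authentication on where possible) become a repeatable check rather than a one-time review.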