active directory - real defense for domain admins
DESCRIPTION
A defensive talk about securing Active Directory (specifically Domain Admins) against some of the most common red team attacks.
TRANSCRIPT
Active Directory: Real Defense for Domain Admins
Jason Lang
Disclaimer
Goals
• Provide immediately useful content re: the defense of your Domain Admins (DAs) and Domain Controllers (DCs)
• Give you projects you can implement in one month or less.
About
• Consultant at SynerComm
• Passions: Dev (C#/PS/PY), InfoSec, Woodworking
• Twitter: @curi0usJack
• Blog: http://project500.squarespace.com/
Survey
• How many of you work in a large enterprise?
• How many work in an old enterprise (25+ yrs old)?
• How many in some kind of AD security?
• How many had a pentest some time in the last 12 months?
Did it go something like this?
Uh-oh
#1 - Test your new DAs
#2 - Limit the number of DAs
#3 - Separate DA accounts from “everyday” accounts
#4 - Separate DA password policy
No Excuses!
#5 - Set DA logon restrictions
DCs only!
#6 - Disable Cached Creds
#7 - Be careful with DA service accounts
#7 - Service Accounts
• Delegate Delegate Delegate!
• If you must have DA service accounts:
  • Treat task server like a DC
  • Service Account can only login to that server
  • Shut off cached creds
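As an added example (not code from the talk or the DomainLockDown project), a PowerShell audit that checks a domain against items #2, #4, #5, #6 and #7 above. It assumes the RSAT ActiveDirectory module, rights to read Domain Admins, WinRM access to the DCs and task servers you pass in, and an assumed threshold of 5 Domain Admins; the function names are my own.

```powershell
# Added example, not code from the talk or the DomainLockDown project.
# Assumes the RSAT ActiveDirectory module and WinRM access to the hosts audited.
Import-Module ActiveDirectory

function Get-DomainAdminFindings {
    param([int]$MaxDomainAdmins = 5)   # assumed local threshold for #2

    $das = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
             Where-Object { $_.objectClass -eq 'user' } |
             Get-ADUser -Properties ServicePrincipalName, LogonWorkstations, PasswordNeverExpires)

    $findings = New-Object System.Collections.Generic.List[string]
    if ($das.Count -gt $MaxDomainAdmins) {
        $findings.Add("#2: $($das.Count) Domain Admins, threshold is $MaxDomainAdmins")
    }
    foreach ($da in $das) {
        # #7: a DA holding an SPN is a service account running on some task server
        if ($da.ServicePrincipalName) {
            $findings.Add("#7: $($da.SamAccountName) holds an SPN - treat its task server like a DC")
        }
        # #5: an empty LogonWorkstations value means the account may log on anywhere, not just DCs
        if ([string]::IsNullOrEmpty($da.LogonWorkstations)) {
            $findings.Add("#5: $($da.SamAccountName) has no logon workstation restriction")
        }
        # #4: DA passwords should follow the separate, stricter DA policy
        if ($da.PasswordNeverExpires) {
            $findings.Add("#4: $($da.SamAccountName) has PasswordNeverExpires set")
        }
    }
    return $findings
}

function Get-CachedCredFindings {
    param([string[]]$ComputerName)   # DCs and DA task servers (#6, #7)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($c in $ComputerName) {
        $value = Invoke-Command -ComputerName $c -ScriptBlock {
            (Get-ItemProperty -Path $using:key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
        }
        # CachedLogonsCount is stored as a string; Windows defaults to 10 when the value is absent
        $count = if ($null -eq $value) { 10 } else { [int]$value }
        [pscustomobject]@{ Computer = $c; CachedLogonsCount = $count; Compliant = ($count -eq 0) }
    }
}

Get-DomainAdminFindings
Get-CachedCredFindings -ComputerName (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
```

Add your DA task servers to the `-ComputerName` list so the cached-credential check covers them as well as the DCs.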
#8 - Microsoft Security Compliance Manager
#9 - A quick word about null sessions
https://project500.squarespace.com/journal/2014/3/13/powershell-enumerating-null-sessions-on-your-dcs
#10 - Get offensive security training!
Fail
Win
DomainLockDown: https://github.com/curi0usJack/activedirectory
Questions?
Huge Thank You’s: @DerbyCon, @TrustedSec