
So the topic is: Active Directory ain't going anywhere, so we might as well secure it. Just a brief introduction about myself. I'm Eric Woodruff, I work for a company called Semperis. We do a lot of directory and identity security stuff. As we go through this today, a lot of the things I'll be covering are sort of the short list of easy wins. We make software to protect Active Directory, so we have research folks who are looking at what's going on out there, and we also have an incident response team that only focuses on AD, so this is also informed by what we see in the industry and what we see ourselves, and all that good stuff.

Social media handles, if you want to reach out to me: Hurricane Identity. It's pretty easy to remember. I make my own slides and my own branding, so I figure if I fail at cyber security I... So basically we're just going to talk about why Active Directory security is important, and then some quick wins for securing AD.

But before we get into things: I actually live in New York, not New York City, but I'm in the Northeast, and I love going up to Acadia National Park in Maine. If you like hiking, the outdoors, anything like that, it's beautiful up there. This one is the Precipice Trail. It may be hard to tell, but if you go off to the right where it's green, that's basically fall to your death on this particular hike. At the foot of the trail we've got a warning sign basically telling us: stay on the trail, don't hike if it's raining or snowing or dark out, wear your hiking boots, don't dump things. Basically, if we do that, we'll probably survive the hike. But you will still see people hiking it in their Crocs and all sorts of stuff. I kind of like to think of this almost as defense in depth, because as long as we do most of those things, like if it's not snowing but I'm wearing my Crocs, I still have a high chance of actually surviving the hike.

Another way we like to talk about defense in depth is this onion model, and we really can apply this to anything. In this case Active Directory is in the center of things. When you see the more classic defense in depth models you have all the different layers, the physical, the perimeter, the network, with your data in the middle, but we can really apply this to anything. I kind of like this over zero trust, which, beyond being like a drinking game and buzzword thing, in many ways is actually very similar, and I think the defense in depth model is just easier to comprehend. Ultimately, everything we're going to talk about today is compensating controls to try to protect AD. It's not that everything is going to be bulletproof, but we're trying to create as much friction for an attacker that they're going to go elsewhere.

Now this is a bit marketing, but I'll go along with the guy and I will say that it is true, with identity being the new security perimeter. But it's actually not real new. For another presentation I actually looked it up and found that someone claimed this term at the beginning of 2012, so now we're going on 12 years of saying identity is the new security perimeter, or the identity perimeter, however you want to put it. The only slide where I stole this picture from work, because I didn't feel like making one; I'm lazy. Ultimately the question came with COVID: everything is work from home, we've got Google Workspace and Office 365, and all our employees are now trained to want everything from everywhere, all the time, and they want it easy. We've got vendors and contractors and MSPs and CSPs, all people wanting to come in and help us with everything, and everything is SaaS. Which is all great, but where we used to just wrap a firewall around things, maybe have a BlackBerry BES server or whatnot, for the most part that was the old perimeter we were dealing with. Not so much anymore.

We also deal with this thing called hybrid identity. For a lot of organizations, whether you're Google Workspace or Office 365, you've got all your on-prem stuff with your Active Directory and your on-prem things, but we're introducing the cloud here: you're going to have your Entra ID and Office 365 and Azure and all these things, and we plug this up in the Microsoft ecosystem with this Entra Connect server. It's all great, because from a business perspective this enables us to get all those SaaS applications that everyone loves. But as we build this out, the problem is that if Active Directory becomes compromised, it's actually very easy for an attacker to not only compromise what is in your on-prem estate, but also move laterally into Entra ID and then basically start compromising all of your SaaS applications there.

And I'll just say, you see in the news people saying we're leaving the cloud and all this stuff. One of my favorite articles about this was written a year and a half ago; this guy at his company, I think it's hey.com, said they're leaving AWS because it's too expensive. They offer a SaaS application for email. So even though we talk about leaving the cloud, from a compute perspective, we're not leaving all these SaaS apps. Nobody's running Workday or Salesforce or Box or something like that on premises. So the whole hybrid identity situation that we're seeing is not going anywhere.

A little cliche, but also true: this is Alex Weinert, VP of Identity Security at Microsoft, saying attacks like ransomware are second stage, predicated on identity compromise. If you look in the news you see a lot of attacks out there, and many times it's actually not something super complex. I think one of the simpler things in the past year or so was one of the many Fortinet bugs, where it was integrated with Active Directory, and in one of those instances the service account for Fortinet was a domain admin. So it was super simple for the attacker; they didn't have to do much, nothing complex. Once they got on the network they just hopped on.

You can see here, if we look at a lot of the headlines: here's an article about ransomware compromising an Active Directory domain in less than a day. The whole MGM breach that was going on also had a bit of an AD component; they went after the Okta systems. Here's a multinational tech firm, ABB, hit by Black Basta ransomware. You can go on and on. I'll actually give a pitch for a short-lived podcast series called The Ransomware Files. If you've never listened to it, or you just like podcasts, check it out. I think the guy won some awards for this, but the thing I always found interesting is that in pretty much every single episode, Active Directory is compromised and then the whole ransomware thing happens. So I think we all understand why you need to secure Active Directory.

Great, so now we'll get into it. It's a bit dry, but we'll try to keep it lively. Securing Active Directory: the short wins, the quick list.

We want to implement strong identity processes. I just said there were going to be quick wins, but this one can turn very complex. Really here we're talking about managing the life cycle of your privileged users, in particular your domain admins. One of the problems we'll actually see at organizations is you can have all this robust HR stuff going on, someone leaves the organization, and their privileged credentials aren't actually disabled, because they're not within that HR life cycle thing. Unfortunately, your IT admins may not be your security people; a lot of times infrastructure still owns Active Directory. We want to make sure, at least for domain admins, that when those people leave the organization their accounts are getting canned. If we don't have a process to account for this, we need to build something. This can easily turn into a very long, drawn-out identity governance project, but we can also start small. At a lot of organizations it's as much a culture change amongst whoever owns the directory to implement these processes.

Getting a bit more technical: we want to make sure, if we have forests... The Active Directory forest is the security boundary. You can have Forest A and Forest B and then set a trust relationship up between these two forests, but there are some things we want to watch out for here. A lot of times forests will come out of mergers and acquisitions, or just a place where we had a lot of... I was in public sector for 15 years and there's a lot of infighting, because it's public sector, so there's a lot of Active Directory domains and forests because everyone wanted their own little fiefdom, and eventually we brought these things together with forest trusts.

With trusts, there's a thing within Active Directory, your SID, which is basically a security identifier for who you are. There's functionality in Active Directory called SID history where, if you've gone through a migration or whatnot, you can keep a list of the former SIDs that your user account had, because our users aren't typing some long unique string in; they're typing their UPN or SAM account name, something simple, as my username. With forests and SID history, what we can potentially have is: if I'm a guest in another forest and there's someone interesting over there, you can potentially copy that interesting person's SID into your SID history, if you have great privileges, and impersonate this person. So we want to... actually I should have looked at my slides, because I'll speak backwards here... we want to make sure we have SID filtering enabled across our forest trusts to protect against this.

It's a bit more difficult at times, but in certain scenarios we'll have a very untrusted forest and a very trusted forest, and perhaps from the very untrusted forest we only want to let people get to certain things. That's where selective authentication can come in. If there's only one thing in this forest you want people to actually use, you set up your forest trust, and then with selective auth we can say people can only use this one thing. It's not necessarily a free-for-all between the two forests.

Again, a lot of the stuff as we go through it is stuff we've seen out there post-incident, things organizations were, I don't want to say doing wrong. A lot of times what we'll tend to find is IT pros trying to get stuff done. Back in my day there was a fellow I worked with, very nice guy; we had more than one incident where something wasn't working, and all of a sudden it's like full control until whatever is working is working, because you needed to get something done. Unfortunately, when those situations happen, nobody goes back and actually tries to figure out what was really required from a permission perspective.

Securing Kerberos: we want to make sure we rotate the KRBTGT account password. This is the thing that is used in golden ticket attacks and whatnot. We should rotate this at least twice a year, or when someone who had domain admin privileges leaves the organization. Some of this gets into things where we're asked by customers a lot: I want to protect against golden ticket and Kerberoasting and all these things. Honestly, some of it boils down to behavior where you've already been compromised; if someone can really get the KRBTGT password, at that point you're pretty much not in a good place.

Some of the other steps to make sure we're securing Kerberos are things like eliminating unconstrained delegation. Within Active Directory there's a model where you can say a service or a system can essentially impersonate other users. You can have a web service with single sign-on or something like that, and maybe you have certain permissions set so that IIS or whatnot can impersonate users to have access to certain things within a database. But unconstrained delegation lets you impersonate basically anyone within Active Directory, including domain admins. This IIS server that was probably incorrectly configured is going to be outside of that tier zero protection, doing whatever IIS things it does, but it also allows a person to move to it and go on from there.

Also, a quicker win is service principal names, SPNs, assigned to your domain admins in particular. Accounts that have a service principal name assigned to them are basically primed to be Kerberoasted. Long story short, with Kerberoasting, if you request a service ticket for an account that has an SPN set on it, effectively the ticket is encrypted with the hash of the password. So you can take that hash and go crack it, and over time you're likely going to determine what the user's password was. There are other things you can do, like having strong password policies, but why give the person a chance? In most scenarios there isn't actually a need to have these things set. Again, we'll see someone was trying something because something didn't work, so it's like, let's just do all the things so that the service works.

Also, when we talk about deterring lateral movement, some of this stuff is before we get on our domain controllers. I know this one is a pain: removing local administrator from our end users. If we can not have our end users be local admin, or if we can implement a PAM solution where they have to go through a process to only temporarily have local administrator, it really helps reduce that foothold on those devices for people to move around. Also LAPS, the Windows functionality where the local administrator password is not known. Back to my public sector days: we were not using LAPS; well, one of the districts in the public sector realm where I worked was not using LAPS, and all the devices had the same hash set on them for the local administrator.
It didn't compromise AD, but there was ransomware going around, and it spread to every device within their district, so it still was not a super fun time for IT.

Moving on to securing privileged users and groups. Some of this may seem a bit straightforward, but unfortunately this is the stuff we tend to not actually see spotted at organizations. Limiting those privileged service accounts: this could be something like, a decade ago your backup software needed a domain admin. It probably does not these days, or may not; or if it does, see if the Active Directory Recycle Bin can suffice for some of the things you may want to restore. Back to the Fortinet thing, where a firewall has an account that has domain admin. There are a lot of things where, unfortunately, I think IT pros do not have the oversight or foresight for what they're doing here. Identity is difficult; a lot of people don't fully understand what they're doing here, yet they're forced to manage it.

We also want to monitor for permission changes on the AdminSDHolder object. AdminSDHolder is effectively a thing, and we'll keep it at a higher level, that sets the permissions on your privileged users, your domain admins and other privileged user groups or types of users in Active Directory. What we'll see is someone's been trying to do something; say we're rolling out some self-service password reset software for the organization, and unfortunately they're wondering why this service can't impact our domain admins or other privileged users. What organizations will do is go change the permissions on AdminSDHolder, because effectively, if I try to give, say, John full control over Domain Admins, we'll find out sometime within the next hour that that permission will be reverted, because it's not stamped on AdminSDHolder; the process goes through, compares what's on our privileged users to this, and says, wait, this isn't right, let me go flip it back. Going back to things like self-service password reset, what we'll find is they've gone through and set those permissions on AdminSDHolder, but you'll see wacky stuff like the service desk will have permissions to reset domain admin passwords, and now all of a sudden your service desk is basically also a domain administrator. A lot of this gets into defining tier zero, which is as much a business exercise as anything that's necessarily technical.

If you've been around the block with Active Directory for a while, you've probably seen a diagram like this with tier zero, tier one, tier two. Microsoft has changed this with the enterprise access model or something like that, but honestly this still works quite well when we're talking about Active Directory security. Unfortunately it's outdated in what we're actually including within tier zero these days. The real tier zero is not just domain admins and our domain controllers and our privileged access workstations, which hopefully we're using so we stay within that same plane. We expand this with things like ADFS and Active Directory Certificate Services. We find there are a lot of attacks on AD CS in particular; if you think people don't know Active Directory, try going through a bunch of IT pros managing PKI, and it's just a complete nightmare. There are so many ways attackers can go through certificate services, and effectively an attacker can move up and impersonate domain controllers and impersonate domain admins. All this stuff we're implementing to try to be more secure, and really we're shooting ourselves in the foot.

Also Entra Connect, or if you're using Okta, the Okta agent or whatever it's called. If you have hybrid identity systems, these things are also tier zero. They're one of the things that can be used not only to move out into Active Directory, because this thing is highly privileged, but also into your Azure Active Directory, Entra ID, as well. This goes a bit further these days, where we can talk about things like your backup systems. If you're backing up your domain controllers into your Commvault or your Rubrik or whatnot, great, but also remember whoever has access to those backups. One, the backup could be taken off the system and someone could start going at the disk image or the contents of the DCs. But what we've seen, and I worked at an org where our Commvault, back in the day before I got there, had a service account that had domain admin. Nobody's thinking about the fact that now our Commvault admins are also effectively, indirectly, domain administrators.

One that I think is more interesting now is the management plane. Here I have Azure. Unfortunately my laptop is not working well today, because I was going to have a very quick demonstration on the management plane, but instead I'll just walk through this and why the management plane is now also becoming an attack vector, a way threat actors can actually move into Active Directory. This isn't theoretical; Mandiant in particular has seen organizations in their IR engagements breached because cloud platforms have been used to gain a foothold into Active Directory.

Some of this, when we're protecting tier zero, we actually need to map our attack paths, like this, using BloodHound, other tools like Adalanche or Forest Druid, both free and commercial software. I say this as we're probably more offensive or security-oriented people, but what I find difficult in a lot of organizations is their XDR platform will flag BloodHound as malware or something like that, and a lot of blue folks, a lot of IT pros, think it's bad; they think it's only hackery things, when in reality a lot of the complexities of how the business has implemented Active Directory can easily be figured out and distilled down when we use these tools.

We also want to follow the clean source principle. This goes back to the diagram, in particular implementing privileged access workstations. With the PAW stuff, when we were implementing PAWs nobody really liked me, because the people who worked for me were not happy that I was having them use a different workstation for what they're doing within Active Directory. Privileged access workstations are really a culture change thing, and it's as simple as saying: hey, do you want to be the person who is the reason we're in the paper? We actually had a red team come in, and within 10 or 15 minutes they had domain admin, so that was the moment of, oh, this is why we want to use things like privileged access workstations. Again, we want to make sure, within this horizontal, that any target resource, Active Directory or DCs, we're accessing from a device such as a privileged access workstation that's on that same plane. If you're down in the workstation admin or general user tier, those are the devices where we're browsing Instagram and Amazon and reading our personal email, and we're just setting ourselves up for compromise there, and then an attacker can easily move on up.

So the management plane. If we have, say, our NOC or a support person here, for a lot of organizations out in Azure they may have certain rights to virtual machines, to stop and start them, do basic things, so that if something is going wrong on the weekend, whoever's working that shift can easily go in and restart the server. It's still Windows, so the first fix for something going wrong is to reboot it. They're given access to a subscription or several subscriptions through management groups or something like that, and we gave them Reader and Virtual Machine Contributor rights. Now these don't actually say they can log in; they can't RDP into this Windows server or this domain controller in particular, but it gives them certain rights over it. So if we have that domain controller out there running as a VM, they have, with these roles, the ability to use Run Command. This is the thing that was going to be the demo, but it takes five seconds, fifteen seconds, within half a minute: the Run Command window basically lets you run anything as SYSTEM on the Windows VM, and the agent for it is required on any virtual machine that's running in Azure. Similarly, Microsoft is pushing Azure Arc, which extends the management plane to Azure on-prem stuff, AWS or GCP, wherever you want to host your servers, whether they're physical or virtual.
And very similarly, you can do the same attack through the Arc agent. While I don't have the demo here today, I actually had a half-hour session diving into some of the details at a virtual summit Microsoft did for Server 2025 coming out. If you go to that URL, "Protecting Active Directory from management plane attacks," I get into how we would remediate these things from an Azure RBAC perspective and try to protect our DCs.

We're also hardening our domain controllers. We want to do things like disabling unnecessary services. Print Spooler is a big one; the Print Spooler has historically had problems with RCEs and whatnot over the years. We can disable these things; it's a quick win for most organizations. Removing unnecessary roles: again, it's amazing, you can walk into an org and see the stuff they're running on domain controllers. Or they'll want to shortcut things: we want to run this other role, or Active Directory Certificate Services, or can we run ADFS? They want the Active Directory appliance. While those things may still be tier zero, it's reducing the impact surface, so I'd lean toward moving those roles and putting them on other systems.

Unnecessary agents: this is one of those things where at times you may see something like a lights-out management system, if we're going back to actual physical iron, where they're deploying agents because we want that single pane of glass. In some of these instances that agent may have SYSTEM rights or something that may seem innocuous, but effectively whoever's managing our HP Lights-Out management system is now also a domain admin.

Applying hardening policies: this one is again a bit difficult. I will say it's difficult, but what we'll tend to see is everyone wants everything; it's all or nothing. If you look at a CIS control, or the Microsoft Security Compliance Toolkit, these big hardening policies for domain controllers, we'll tend to look at it very black and white: we can't do all the things, because the hardening policy maybe is disabling NTLMv2 and we still have stuff that needs NTLM or whatnot, so they'll choose to just not do anything, not apply any of it. Instead, when we're talking about reducing that attack surface, if we can harden the DC 90% of the way and it really has an impact, let's do that. I think that's a shift both in the security world and with IT pros, because I've seen the challenges where some organizations will say we're not going to do any identity security because we can't hit 100%. We need to look at it more as an iterative process; a lot of what we're talking about here is somewhat iterative. It's more like let's go through, find the quick wins, then round two, round three, instead of these waterfall approaches of let's harden Active Directory, we're going to have our Active Directory security assessment, and then we're just going to sit on everything until we can get rid of it.

Also monitoring for unusual activity. This gets into the term out there, identity threat detection and response. I'm just going to leave it at this: if you're a Microsoft customer with M365 licensing you may have Defender for Identity. There are also a lot of free tools and vendor-driven tools in the space. I work for a software company that lives in this realm, but I also know acronyms and everything can be a thing people hate, or hate less. Where I'd say this is evolving from your SIEM, or however you want to put it, is that with these identity attacks, in other ways, a SIEM is not always going to understand what's going on. Identity is just tough; it's challenging for a lot of security people unless you live in identity. It can be very difficult to understand what is a false positive and how to tune this stuff. There have been other sessions I've seen at the conference about SOC burnout, and one of the things in particular is we're getting bombarded constantly with identity alerts, and our AD folks are telling us to ignore it; it's just creating all this unnecessary burden. So with any of these things, it's really trying, from a proactive perspective, to give you more prescriptive guidance on how to secure your Active Directory, but also from a detection perspective; in a lot of these systems the intelligence behind it is built more by Active Directory or identity security people, and we're trying to balance, not just giving everyone a headache.

The last bit here is testing Active Directory forest recovery. One of the other things we'll see is organizations will unfortunately not have done all the other things, the ransomware takes Active Directory down, and they haven't actually tested restoring AD. For a lot of orgs that have Active Directory, if Active Directory is down for two weeks, the whole business is down for two weeks. There are companies that have really gone out of business because they could not recover Active Directory, and subsequently nothing else was functioning in the organization. The folks that manage AD may say that they've tested this, or they may say, yeah, we've got a backup, again Veeam and Commvault or Rubrik or something like that, which is all great, but have you actually gone through the process? Not even a tabletop exercise, a real exercise: standing up a lab and seeing how long it takes to restore Active Directory to where it's usable and functional for the organization. Most people in organizations do not do this.

[Audience question:] When you're doing that restore, is there a way to tell it to restore these limited users first, so that we can get these really critical people to log in and do their jobs, and then restore everybody else in the background, or does it usually do it all at once?

[Answer:] I would say generally it's all at once, but the more difficult part is not so much determining the users that need to be restored. Unless we're talking about a very large enterprise with millions of user objects, really the issue is more the infrastructure of Active Directory getting stood back up from that. In many cases, if we were restoring it, it would be in an isolated environment where we might focus on connecting critical apps. But yeah, it's more about getting the infrastructure up, and it could be things like, we're a global company, well, we're going to test our restore in the US, but what about all the stuff that's running in Europe or something like that? If we have to stand the backup of the directory up here and there, how do we do this, how do we keep it isolated? Because in many IR cases, best case scenario, you're trying to restore Active Directory while other IR people are trying to do forensics on what went wrong, and you want to make sure the threat actor isn't still hanging out somewhere before you reconnect that directory. So the recovery piece is really focusing on getting the infrastructure of Active Directory stood up, and not just me restoring a VM in my test lab and saying it worked. I know it's kind of a consultant "it depends" answer.

The last thing I want to touch on, again from Microsoft: they released their Digital Defense Report for 2023 at the beginning of this year. I don't expect any of you to read this very small text on the screen. The focus is really on this return on mitigation. A lot of the content in this report from Microsoft comes from their own IR, which was previously DART; now I think it's just Microsoft Incident Response. When you have an incident, if you were to qualify and have them come in, a lot of the data they've seen funnels up into this report, and the return on mitigation is effectively looking at, okay, what security
controls can we Implement that have like a high return on value right that they're they have a high return on you know making it more difficult for an attacker to sort of like compromise active directory but they're not necessarily the the most um you know complex thing right because you can start to talk about like implementing like privilege access management and other things which are great right but sometimes identity protection stuff can also have a very large you know uplift to actually get these things that my so you there there's a lot sort of going on on this screen but what I really just want to highlight if you can sort of see is it uh you know animates in is really
everything that we talked about today falls under that high return on mitigation right so um you know all these quick wins kind of a line right from what we're seeing um to you know what Microsoft also is basically saying will help sort of give you those those quick RS that gave question
any question when it comes to like St how do you so it with your identity teams you know to help them lock that stuff down so that you don't have users who don't need for station admin with board station admin yeah I mean that's a good question it's also one where it's like it depends I mean right like um I gu I'll say un you'll see that like I people are not great at dog fooding where like right we should like do what we tell other people we're like the worst at it um you know for some ORS it has to sort of you get into sort of profiling right your devices out there uh you know it kind of depends on who
manages workstations and you know client devices in the or um right if they're running something like you know CCM or other you know endpoint management software they might be able to sort of wrate profile the soft that's installed and and usually many times you can go from there right to try to get like ideas and patterns and behavior around your end users um right like what are you installing what are they installing right if they have local ad man having you sort of like figure out a uh you know nice compromise there um right there some some organizations unfortunately in Sp a long time where people are just used to being able to do whatever they want um and some of that
gets into organizational change management which is like having to build the awareness and desire for your users to sort of like realize that right we're not taking away local administrator because we hate you and we want you to just like not like your job anymore right it's because there is these things right you've seen software that use that maybe you know has had a lot of you know bugs in it things like that I mean just you know you can easily sort of I grab a hole on it e
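To make the profiling step in that last answer concrete, here is an added example of the kind of per-workstation inventory an endpoint or identity team would collect before deciding who keeps local administrator. It is not code from the talk or from the speaker; it uses the built-in `Get-LocalGroupMember` cmdlet (Windows PowerShell 5.1 and later) and the Uninstall registry keys rather than any specific endpoint management product, and the approved-administrator list and the `CONTOSO\Workstation Admins` group are constructed placeholders to replace with your own.

```powershell
# Added example: inventory local Administrators membership and installed software on a
# workstation, and flag administrators that are not on an approved list.
# Not code from the talk or the speaker. Assumes Windows PowerShell 5.1 or later in an
# elevated session; the approved list below is a constructed placeholder.

$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local account (ideally disabled or LAPS-managed)
    'CONTOSO\Workstation Admins'          # placeholder domain group; replace with your own
)

function Get-LocalAdminReport {
    param([string[]]$Approved = $ApprovedAdmins)

    # Members of the local Administrators group: local, domain and Azure AD principals alike.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass       # User or Group
            PrincipalSource = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            SID             = $_.SID.Value
            Approved        = ($Approved -contains $_.Name)
        }
    }
}

function Get-InstalledSoftware {
    # Read the Uninstall keys directly instead of Win32_Product, which is slow and
    # triggers MSI consistency checks when queried.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

$admins = Get-LocalAdminReport
$admins | Format-Table -AutoSize

# Anyone holding local admin who is not on the approved list is the conversation starter
# the speaker describes: find out what they install and why before removing the right.
$unapproved = $admins | Where-Object { -not $_.Approved }
if ($unapproved) {
    Write-Warning ("{0} unapproved local administrator(s) on {1}: {2}" -f
        $unapproved.Count, $env:COMPUTERNAME, ($unapproved.Name -join ', '))
}

# Software inventory, exported so it can be aggregated alongside the endpoint management data.
Get-InstalledSoftware | Export-Csv -Path "$env:TEMP\$env:COMPUTERNAME-software.csv" -NoTypeInformation
```

Run it under an endpoint management agent or a scheduled task and collect the CSVs centrally; the pattern of what non-approved administrators actually install is what tells you whether a packaging request, an allow-listed installer, or a just-in-time elevation tool is the right compromise for that group. One caveat: on some Windows builds `Get-LocalGroupMember` fails when the group contains an orphaned or unresolvable SID, in which case `net localgroup Administrators` is a crude but reliable fallback for the membership list.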