Microsoft recently updated their guidance for organisations. The guidance includes some significant changes to how organizations should approach privileged access, so Stealthbits (now part of Netwrix) is here to provide advice and guidance on what this means for you.
Tiered access model and the red forest
To protect our most privileged credentials, for the last several years Microsoft has described using the tiered access model (TAM), coupled with the Enhanced Security Admin Environment…
Understanding the Risk of Active Directory Permissions and Shadow Access
I recently covered the topic of Active Directory permissions by giving an overview on how to apply them and view what already exists in your organization. In this blog, I’ll be taking a deeper dive into Active Directory permissions, outlining potential risks that exist when certain permissions are applied to certain objects.
Why Do Active Directory Permissions Create Risk?
So how do Active Directory permissions …
It’s often helpful to know which Active Directory groups your current user is a member of when joined to a domain. That information is typically easy to obtain; however, you need to know where to look.
For many, having a graphical UI is helpful for any task. While this isn’t the quickest way to locate your AD group membership, it’s the best way if you want to avoid the command line (i.e. PowerShell or Command Prompt).
Let’s discuss several methods to achieve our goal, including via the U…
The Linux operating system has come a long way since 1991, when it was first introduced by Linus Torvalds as a free operating system. Today, some form of Linux is used in devices ranging from high-end servers to IoT devices. More often than not, common database platforms such as Oracle, PostgreSQL, MySQL, and MongoDB are deployed on servers running Linux. One notable exception was Microsoft SQL Server. That changed recently after Microsoft announced support for Linux sta…
Part 2 – Active Directory
This is the second part of a three-part series on Maersk, me, & notPetya, a blog post by Gavin Ashton about his experiences responding to and recovering from the NotPetya ransomware outbreak at Maersk.
Not everyone realizes that in the last several years ransomware has made significant advances in its ability to not just infect a single computer, but to also pivot from that computer and infect other workstations and servers. Following a common pattern …
Kerberos Explained
Kerberos is an authentication protocol enabling systems and users to prove their identity through a trusted third-party. The protocol was initially developed at the Massachusetts Institute of Technology (MIT) as part of a larger project called Project Athena. Project Athena was a joint initiative of MIT, Digital Equipment Corporation, and IBM to build a distributed computing environmen…
What is Changing?
In March, Microsoft will be releasing a patch that includes new audit events, additional logging, and some changes to group policy settings. Later in 2020, Microsoft will be changing the behavior of the default values for LDAP channel binding and signing. They’re making these changes because the current default settings allow for a potential man-in-the-middle attack that can lead to privilege escalation. This means, once the default settings are changed, that any new doma…
Discovery Solution for Microsoft’s March 2020 Update
Lightweight Directory Access Protocol (LDAP) – How did we get here?
20 years ago, I embarked on the fantastical journey that was migrating from NT4 to Active Directory. This is also when I began learning the power of LDAP. While it was technically available, very few companies implemented secure LDAP in the early days. Most enterprise applications or internal applications took advantage of the directory (and in a wide variety of ways)…
Kerberos Delegation Recap
Previously, I gave an overview of all of the various types of Kerberos delegation, how they’re configured, and how they can potentially be abused. Prior to that, I wrote about abusing resource-based constrained delegation and Jeff Warren has written about abusing unconstrained delegation. To round out the Kerberos delegation topic, I wanted to write a quick blog on how constrained delegation can be abused to get elevated access to a specific configured service. If…
What is a Service Account?
In this blog post, I won’t go too much into the details of service accounts, but I will class a service account as a user, Managed Service Account, or Group Managed Service Account that is used to run a process, whether that be a Service, a Task, an IIS App Pool, or a process used inside of an application.
The Problem?
A lot of organisations will have hundreds and maybe even thousands of service accounts that may be in use across their Active Directory environment. It can be …