Introducing StealthAUDIT 11.5! Complete your cloud security puzzle. LEARN MORE


And other things that keep you up at night

Blog >Active Directory

Browsed By
Category: Active Directory

Cutting down the Red Forest

Microsoft recently updated their guidance for organisations. The guidance includes some significant changes to how organizations should approach privileged access, so Stealthbits (now part of Netwrix) is here to provide advice and guidance on what this means for you. Tiered access model and the red forest To protect our most privileged credentials, for the last several years Microsoft has described using the tiered access model (TAM), coupled with the Enhanced Security Admin Environment…
Active Directory Permissions - Hiding in the Shadows

Active Directory Permissions – Hiding in the Shadows

Understanding the Risk of Active Directory Permissions and Shadow Access I recently covered the topic of Active Directory permissions by giving an overview on how to apply them and view what already exists in your organization. In this blog, I’ll be taking a deeper dive into Active Directory permissions, outlining potential risks that exist when certain permissions are applied to certain objects. Why Do Active Directory Permissions Create Risk? So how do Active Directory permissions …
What Active Directory Groups Am I In?

What Active Directory Groups Am I In?

It’s often helpful to know which Active Directory groups your current user is a member of when joined to a domain. That information is typically easy to obtain, however you need to know where to look. For many, having a graphical UI is helpful for any task. While this isn’t the quickest way to locate your AD group membership, it’s the best way if you want to avoid the command line (i.e. PowerShell or Command Prompt). Let’s discuss several methods to achieve our goal, including via the U…

Adding a Linux Host to an Active Directory Domain

The Linux operating system has come a long way since 1991 when it was first introduced by Linux Torvalds as a free operating system.  Today, some form of Linux is used in devices ranging from high-end servers to IoT devices. More often than not, common database platforms such as Oracle, PostgreSQL, MySQL, and MongoDB, are deployed on servers running Linux.  One notable exception was the Microsoft SQL Server.  That changed recently after Microsoft announced support for Linux sta…

Back to “The Basics” Blog Series – Part 2: Active Directory

Part 2 – Active Directory This is the second part of a three part series on Maersk, me, & notPetya, a blog post by Gavin Ashton about his experiences responding to and recovering from the NotPetya ransomware outbreak at Maersk. Not everyone realizes that in the last several years ransomware has made significant advances in its ability to not just infect a single computer, but to also pivot from that computer and infect other workstations and servers. Following a common pattern …
What is Kerberos?

What Is Kerberos?

Kerberos Explained   Kerberos is an authentication protocol enabling systems and users to prove their identity through a trusted third-party. The protocol was initially developed at the Massachusetts Institute of Technology (MIT) as part of a larger project called Project Athena. Project Athena was a joint initiative of MIT, Digital Equipment Corporation, and IBM to build a distributed computing environmen…
Ready for Microsoft’s LDAP Changes? What You Need to Know

Ready for Microsoft’s LDAP Changes? What You Need to Know

What is Changing? In March, Microsoft will be releasing a patch that includes new audit events, additional logging, and some changes to group policy settings. Later in 2020, Microsoft will be changing the behavior of the default values for LDAP channel binding and signing. They’re making these changes because the current default settings allow for a potential man-in-the-middle attack that can lead to privilege escalation. This means, once the default settings are changed, that any new doma…

Microsoft LDAP Channel Binding and Signing Patch

Discovery Solution for Microsoft’s March 2020 Update Lightweight Directory Access Protocol (LDAP) – How did we get here? 20 years ago, I embarked on the fantastical journey that was migrating from NT4 to Active Directory. This is also when I began learning the power of LDAP. While it was technically available, very few companies implemented secure LDAP in the early days. Most enterprise applications or internal applications took advantage of the directory (and in a wide variety of ways)…
Constrained Delegation Abuse: Abusing Constrained Delegation to Achieve Elevated Access

Constrained Delegation Abuse: Abusing Constrained Delegation to Achieve Elevated Access

Kerberos Delegation Recap Previously, I gave an overview of all of the various types of Kerberos delegation, how they’re configured, and how they can potentially be abused. Prior to that, I wrote about abusing resource-based constrained delegation and Jeff Warren has written about abusing unconstrained delegation. To round out the Kerberos delegation topic, I wanted to write a quick blog on how constrained delegation can be abused to get elevated access to a specific configured service. If…

Cleaning Up Unused Service Accounts Series – Part 1: Overview of the Process

What is a Service Account? In this blog post, I won’t go too much into the details of service accounts but will class a service account as a user, Managed Service Account or a Group Managed Service Account which is used to run a process whether it be a Service, Task, IIS App Pools or used inside of an application. The Problem? A lot of organisations will have hundreds and maybe even thousands of service accounts that may be in use across their Active Directory environment. It can be …




© 2022 Stealthbits Technologies, Inc.

Start a Free Stealthbits Trial!

No risk. No obligation.