Only one appreciation… gMSAs were introduced in Windows Server 2012. Thanks for your post.
Microsoft Active Directory (AD) is the central credential store for 90% of organizations worldwide. As the gatekeeper to business applications and data, it’s not just everywhere, it’s everything! Managing AD is an ongoing, never-ending task, and securing it is even harder. At Stealthbits, we talk to a lot of customers who are using our tools to manage and secure AD, and over the years, several key strategies for tightening up security and hardening AD to resist attacks have emerged. Here are 5 (+1!) tips that you can use to harden Active Directory in your environment:
Active Directory has thousands of objects, and a lot of moving parts to manage and secure. Cleaning up users, groups, and computers that are no longer needed is the best way to reduce clutter and improve security. By reducing the number of stale objects in AD, you reduce your attack surface by eliminating objects that can be exploited by an attacker. In addition, you may discover objects that are used only infrequently. Take this opportunity to add some context to those objects. Make sure there is an owner, and using data from your HR system, add that owner’s manager to the object’s attributes. When in doubt, do some investigation and communicate with your business stakeholders. The next time you have an audit or compliance review, you will be glad you did.
Wait! What? Yep, you read that right. Complex passwords are better than simple, easily guessed passwords, but not as good as complex, easy-to-remember passphrases! There are a lot of passphrase generators on the internet, but the basic idea is to pick three unrelated words, string them together, and insert numbers or special characters in between. Like this:
These passphrases are complex but easier to remember than a complex password that is totally random, nearly impossible to remember, and prone to being written down or stored in a document!
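A generator for the scheme just described, as an added example that is not part of the original post: three words from a list, joined by a digit or symbol, drawn from a cryptographic RNG rather than Get-Random. The 16-word list, the separator set and the function names are constructed for illustration; it also reports how the guessing resistance grows with the size of the word list, which the text does not quantify.

```powershell
# Added example, not from the original post: a three-word passphrase generator following the
# scheme above (unrelated words joined by a digit or symbol), using a CSPRNG rather than Get-Random.
# The 16-word list is a constructed stand-in; a real deployment needs a list of thousands of words.
$WordList   = @('harbor','velvet','tractor','comet','ladder','pepper','walrus','nickel',
                'canyon','rocket','tulip','glacier','saddle','mango','piano','quartz')
$Separators = @('1','2','3','4','5','6','7','8','9','0','!','@','#','$','%','&','*','-','_','+')
$Rng        = [System.Security.Cryptography.RandomNumberGenerator]::Create()

# Uniform integer in [0, $Max) from the CSPRNG; rejection sampling avoids modulo bias.
function Get-SecureRandomInt {
    param([int]$Max)
    $span  = [long]4294967296                  # number of distinct uint32 values
    $limit = $span - ($span % $Max)            # largest multiple of $Max that fits
    $buf   = New-Object byte[] 4
    do {
        $Rng.GetBytes($buf)
        $n = [long][BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % $Max)
}

# Word, separator, word, separator, word (e.g. "comet#saddle7walrus").
function New-Passphrase {
    param([int]$Words = 3)
    $parts = @()
    for ($i = 0; $i -lt $Words; $i++) {
        $parts += $WordList[(Get-SecureRandomInt -Max $WordList.Count)]
        if ($i -lt $Words - 1) {
            $parts += $Separators[(Get-SecureRandomInt -Max $Separators.Count)]
        }
    }
    return ($parts -join '')
}

# Guessing resistance in bits, assuming the attacker knows the scheme and both lists:
# log2(words^N * separators^(N-1)). Length alone says little; list size is what matters.
function Get-PassphraseEntropyBits {
    param([int]$Words = 3, [int]$ListSize = $WordList.Count)
    $bits = $Words * [math]::Log($ListSize, 2) + ($Words - 1) * [math]::Log($Separators.Count, 2)
    return [math]::Round($bits, 1)
}

New-Passphrase
'{0} bits with this 16-word list; {1} bits with a 7776-word list' -f (Get-PassphraseEntropyBits), (Get-PassphraseEntropyBits -ListSize 7776)
```

With the toy list the result is only about 20.6 bits; with a 7776-word list such as the EFF long list it is about 47.4 bits, which is why the word list, not the separators, decides the strength.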
Most organizations have a standard image for their end-user devices, which are then configured for the specific job role they will be used for. Most end users do not need to install additional software on their machines, and therefore do not need admin permissions. Make this the rule. Create a user account on the device that is specifically configured for the job role, and require users to ask the help desk if they want to install additional software. If an attacker gains control of a workstation (which we all know happens quite a bit), they will install the hacking tools they need to move laterally and take over other accounts. Having local admin rights on the workstation makes this too easy. Don’t forget to use Microsoft LAPS to lock down the local admin account with a strong, unguessable password that is unique to each machine and rotated automatically.
Service accounts are used by applications to authenticate to AD. They are also frequently targeted by attackers since they are rarely monitored, have elevated privileges, and typically have passwords that never expire. Take a look at your service accounts and restrict their permissions as much as possible. Sometimes service accounts are members of the Domain Admins group but typically don’t need all of that access to function. You may need to check with the application vendor to find out the exact privileges needed. Finally, change their passwords periodically to make it even more difficult for attackers to exploit them.
For more complex environments, Microsoft introduced the concept of the Group Managed Service Account (gMSA) in Windows Server 2016 (https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview). When using gMSAs, Active Directory generates and rotates the service account password for you, so no human ever knows it.
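Replacing a password-based service account with a gMSA and then auditing who can read its password, as an added example that is not from the post or from Microsoft's documentation. The group SQLHosts, the account svc-sqlagent, the host sql01 and the domain corp.example are assumed names.

```powershell
# Added example, not from the original post. Replaces a password-based service account with a gMSA.
# Assumed names: group SQLHosts, gMSA svc-sqlagent, host sql01, domain corp.example.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which every gMSA password is derived.
# A new key is not usable for about 10 hours; back-dating it (lab use only) skips that wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Only members of this group can retrieve the managed password, so its membership IS the control.
New-ADGroup -Name 'SQLHosts' -GroupScope Global -Description 'Hosts permitted to use the svc-sqlagent gMSA'
Add-ADGroupMember -Identity 'SQLHosts' -Members (Get-ADComputer -Identity 'sql01')

# The account itself: AD generates a long random password and rotates it (here every 30 days,
# the default); no human ever knows it, so there is nothing to write down, share or reuse.
New-ADServiceAccount -Name 'svc-sqlagent' `
    -DNSHostName 'svc-sqlagent.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQLHosts' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES256

# On sql01, after a reboot so its ticket carries the new group membership:
#   Install-ADServiceAccount -Identity 'svc-sqlagent'
#   Test-ADServiceAccount -Identity 'svc-sqlagent'     # True once the host can fetch the password
# then run the service as CORP\svc-sqlagent$ with the password field left empty.

# Periodic review: who may read each gMSA password? Anything beyond the intended host group
# (e.g. Domain Users, a broad admin group) is a finding.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, @{ n = 'CanRetrievePassword'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } }
```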
The Enterprise Admins, Schema Admins, and Domain Admins security groups are the crown jewels of Active Directory. Attackers will do everything they can to get access, and if they do, they will own you. If your admins have permanent membership in these groups, attackers will target their personal accounts and get permanent access. A better solution is to make all membership in these groups temporary. Enterprise Admins and Schema Admins are not frequently used, so for these, this won’t be an issue. Domain Admins is needed much more often, so a system for granting temporary membership will have to be set up.
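One way to build the temporary-membership system the paragraph calls for, as an added example that is not part of the original post: AD's own Privileged Access Management optional feature gives a group membership a time-to-live, after which AD removes it without anyone remembering to. The user j.smith and the forest corp.example are assumed names; the feature needs a Windows Server 2016 forest functional level and, once enabled, cannot be turned off.

```powershell
# Added example, not from the original post: time-bound Domain Admins membership via the
# Privileged Access Management optional feature (requires a Windows Server 2016 forest functional level).
# Assumed names: user j.smith, forest corp.example.
Import-Module ActiveDirectory

# One-time, irreversible forest change that allows memberships to carry a time-to-live.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target 'corp.example'
}

# Grant membership that AD removes by itself after two hours. A TGT issued while the
# membership is active also expires no later than the remaining TTL.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'j.smith' -MemberTimeToLive (New-TimeSpan -Hours 2)

# Review: members with their remaining TTL. Anything with no TTL is permanent and should be questioned.
function Get-MembershipTtl {
    param([string]$Group = 'Domain Admins')
    (Get-ADGroup -Identity $Group -ShowMemberTimeToLive -Properties member).member | ForEach-Object {
        if ($_ -match '^<TTL=(\d+)') {
            $ttl = [int]$Matches[1]
            # Returned as <TTL=seconds,DN>; strip the wrapper to leave the plain DN.
            $dn = ($_ -replace '^<TTL=\d+>?,?\s*', '') -replace '>$', ''
            [pscustomobject]@{ Member = $dn; Permanent = $false; TtlMinutes = [math]::Round($ttl / 60, 1) }
        } else {
            [pscustomobject]@{ Member = $_; Permanent = $true; TtlMinutes = $null }
        }
    }
}

Get-MembershipTtl | Sort-Object Permanent, TtlMinutes | Format-Table -AutoSize
```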
There are three more fairly common permissions that attackers need to execute attacks against AD: Reset Password, Group Membership changes, and Replication. These permissions are harder to tighten since they are used so frequently in day-to-day operations. You may not be able to restrict these permissions very much, but you should at least monitor them for changes and routinely examine them for any suspicious behavior.
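A baseline report of who holds those three rights, as an added example that is not part of the original post, so that each run can be compared with the previous one to catch new grants. The target OU=Staff and the set of principals treated as expected are assumptions; the four schema GUIDs are the standard Active Directory ones for the password-reset and replication control-access rights and for the member attribute.

```powershell
# Added example, not from the original post: baseline who holds the three rights the post singles
# out (Reset Password, group-membership writes, replication) so changes can be spotted between runs.
# Assumed target: the domain head plus OU=Staff; the schema GUIDs below are the standard AD ones.
Import-Module ActiveDirectory

$Rights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'Write member (group membership)'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
# Principals expected to hold these rights; everything else is worth a second look.
$WellKnown = '^(NT AUTHORITY\\(SYSTEM|ENTERPRISE DOMAIN CONTROLLERS)|BUILTIN\\Administrators|' +
             '.+\\(Domain Admins|Enterprise Admins|Domain Controllers|Enterprise Read-only Domain Controllers))$'

function Get-SensitiveAce {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ('AD:\' + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString().ToLower()
        if ($Rights.ContainsKey($guid) -and $ace.ActiveDirectoryRights -match 'WriteProperty|ExtendedRight') {
            $right = $Rights[$guid]
        } elseif ($ace.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') {
            $right = "$($ace.ActiveDirectoryRights) (broad right: covers, or can grant, the above)"
        } else { continue }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
            WellKnown = [bool]($ace.IdentityReference.Value -match $WellKnown)
        }
    }
}

$domainDn = (Get-ADDomain).DistinguishedName
$report = @($domainDn, "OU=Staff,$domainDn") | ForEach-Object { Get-SensitiveAce -DistinguishedName $_ }
$report | Where-Object { -not $_.WellKnown } | Sort-Object Object, Right, Principal | Format-Table -AutoSize
# Keep each run (e.g. Export-Csv with the date in the file name) and diff it against the previous one.
```

The replication rights only matter on the domain head, while Reset Password and member writes can be delegated on any OU, so extend the list of targets to every OU where delegation has been granted.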
Active Directory is an amazing system for controlling access. However, it’s only secure when it’s clean, understood, configured properly, monitored closely, and controlled tightly. These 5 + 1 tips are practical ways that you can tighten security and harden your Active Directory installation.
As the VP of Product Marketing, Darin is responsible for product messaging and positioning as well as generating industry and market awareness for STEALTHbits products. He is an experienced leader who has worked in software for over 21 years.
Prior to joining STEALTHbits, he was VP of Marketing for Quorum and SecureAuth, and has held positions in product management & product marketing at Oracle, and Quest Software.