Active Directory Security Overview

Active Directory (AD) is a directory service that manages the identities and access rights of users and devices in a network. AD security settings are the policies and configurations that define how AD objects, such as users, groups, computers, and organizational units, are protected from unauthorized access or modification.

AD security settings are essential for any organization that uses AD as their directory service. They help protect the network from internal and external threats, comply with various regulations and standards, and optimize the network performance and management. However, not all AD security settings are equally important. Some settings have a greater impact on the security posture and compliance status of the network than others.

In this post, I will discuss the importance of the top 5 security settings in AD, namely:

  • Password policy
  • Account lockout policy
  • Group policy
  • Permissions and auditing
  • Kerberos policy

Password Policy

Password policy is the set of rules that govern how passwords are created, changed, and stored in AD. Password policy affects the security of user accounts and the authentication process. A strong password policy should enforce the following requirements:

  • Minimum password length
  • Password complexity
  • Password history
  • Password expiration
  • Password encryption

A strong password policy helps prevent password cracking, guessing, or phishing attacks by making passwords harder to break or steal. It also reduces the risk of password reuse or sharing by requiring users to change their passwords regularly and use different passwords for different accounts. You should look at a minimum password length of 10-12 characters with complexity requirements enabled, remembering at least the last 5 passwords, and so on.

Account Lockout Policy

Account lockout policy is the set of rules that govern how AD responds to failed logon attempts. Account lockout policy affects the security of user accounts and the authentication process. A reasonable account lockout policy should enforce the following requirements:

  • Account lockout threshold
  • Account lockout duration
  • Account lockout reset

A reasonable account lockout policy helps prevent brute force attacks by locking out accounts after a certain number of failed logon attempts. It also reduces the risk of denial-of-service attacks by unlocking accounts after a certain period of time or by allowing administrators to manually reset them. You should look at locking a user account out after 10 incorrect password attempts within 30 minutes, and automatically unlocking it after it has been locked for 30 minutes.
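The password and lockout sections above both describe settings that live in one place in AD, the domain password policy (and any fine-grained policies that override it). The script below is an added example, not code from the post: it reads the effective policy with the RSAT ActiveDirectory module and reports each setting against the values recommended above. The 90-day maximum password age is my assumption, since the post only says passwords should change "regularly"; the function and variable names are mine.

```powershell
# Added example, not code from the post: report the domain's effective password
# and account lockout policy against the values recommended above.
# Requires the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Baseline taken from the post. MaxPasswordAgeDays is an assumption: the post
# says passwords should change "regularly" but gives no number.
$Baseline = @{
    MinPasswordLength         = 12      # post: 10-12 characters
    ComplexityEnabled         = $true
    PasswordHistoryCount      = 5       # post: remember at least the last 5
    MaxPasswordAgeDays        = 90
    ReversibleEncryption      = $false  # "password encryption": never store reversibly
    LockoutThreshold          = 10      # post: 10 wrong guesses ...
    LockoutObservationMinutes = 30      # ... within 30 minutes
    LockoutDurationMinutes    = 30      # post: unlock automatically after 30 minutes
}

function Test-PasswordPolicy {
    param(
        [hashtable]$Standard = $Baseline,
        # Defaults to the domain policy; pass a fine-grained policy object to check that instead.
        $Policy = (Get-ADDefaultDomainPasswordPolicy)
    )

    # One object per check so the caller can filter, sort or export the result.
    function New-Check([string]$Setting, $Actual, [string]$Expected, [bool]$Pass) {
        [pscustomobject]@{ Setting = $Setting; Actual = $Actual; Expected = $Expected; Pass = $Pass }
    }

    $maxAgeDays   = [int]$Policy.MaxPasswordAge.TotalDays             # 0 = never expires
    $lockDuration = [int]$Policy.LockoutDuration.TotalMinutes          # 0 = helpdesk must unlock
    $lockWindow   = [int]$Policy.LockoutObservationWindow.TotalMinutes

    New-Check 'MinPasswordLength' $Policy.MinPasswordLength ">= $($Standard.MinPasswordLength)" ($Policy.MinPasswordLength -ge $Standard.MinPasswordLength)
    New-Check 'ComplexityEnabled' $Policy.ComplexityEnabled "$($Standard.ComplexityEnabled)" ($Policy.ComplexityEnabled -eq $Standard.ComplexityEnabled)
    New-Check 'PasswordHistoryCount' $Policy.PasswordHistoryCount ">= $($Standard.PasswordHistoryCount)" ($Policy.PasswordHistoryCount -ge $Standard.PasswordHistoryCount)
    New-Check 'MaxPasswordAge (days)' $maxAgeDays "1-$($Standard.MaxPasswordAgeDays)" ($maxAgeDays -gt 0 -and $maxAgeDays -le $Standard.MaxPasswordAgeDays)
    New-Check 'ReversibleEncryptionEnabled' $Policy.ReversibleEncryptionEnabled "$($Standard.ReversibleEncryption)" ($Policy.ReversibleEncryptionEnabled -eq $Standard.ReversibleEncryption)
    # A threshold of 0 means accounts never lock, so it fails even though it is "below" 10.
    New-Check 'LockoutThreshold' $Policy.LockoutThreshold "1-$($Standard.LockoutThreshold)" ($Policy.LockoutThreshold -gt 0 -and $Policy.LockoutThreshold -le $Standard.LockoutThreshold)
    New-Check 'LockoutObservationWindow (min)' $lockWindow ">= $($Standard.LockoutObservationMinutes)" ($lockWindow -ge $Standard.LockoutObservationMinutes)
    # A duration of 0 needs a manual unlock; the post prefers automatic unlock to limit denial of service.
    New-Check 'LockoutDuration (min)' $lockDuration ">= $($Standard.LockoutDurationMinutes)" ($lockDuration -ge $Standard.LockoutDurationMinutes)
}

$results = Test-PasswordPolicy
$results | Format-Table -AutoSize
"{0} of {1} checks failed" -f @($results | Where-Object { -not $_.Pass }).Count, @($results).Count

# Fine-grained policies override the domain policy for their members, so check them too.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    "--- fine-grained policy: $($_.Name) ---"
    Test-PasswordPolicy -Policy $_ | Where-Object { -not $_.Pass } | Format-Table -AutoSize
}
```

The checks are written as "at least"/"at most" comparisons rather than equality so that a stricter setting than the post's number still passes; the two zero cases (a lockout threshold of 0 and a password age of 0) are the ones that look compliant numerically but actually disable the control, which is why they are tested explicitly.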

Group Policy

Group policy is the set of rules that govern how AD objects are configured and managed. Group policy affects the security of users, devices, and data. A comprehensive group policy should enforce the following requirements:

  • Security settings
  • Software settings
  • Administrative templates
  • Preferences

A comprehensive group policy helps enforce consistent and secure configurations across the network by applying security settings to users, devices, and data. It also helps automate and simplify the deployment and management of software, policies, and preferences across the network.

You should minimize any GPOs linked at the root domain level as these policies will apply to all users and computers in the domain. You should also avoid blocking policy inheritance and policy enforcement.
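The three conditions the paragraph above warns about (GPOs linked at the domain root, OUs that block inheritance, links marked Enforced) can all be read from Get-GPInheritance. The script below is an added example, not code from the post; it needs the RSAT ActiveDirectory and GroupPolicy modules, and the list of GPOs expected at the root is my assumption (only the built-in Default Domain Policy).

```powershell
# Added example, not code from the post: list the Group Policy conditions the
# post says to minimize or avoid. Requires the RSAT ActiveDirectory and
# GroupPolicy modules and a domain-joined session.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoLinkReview {
    param(
        # Assumption: GPOs you deliberately keep linked at the domain root.
        [string[]]$ExpectedRootGpos = @('Default Domain Policy')
    )
    $domainDN = (Get-ADDomain).DistinguishedName

    # 1. Root links: every one of these applies to all users and computers in the domain.
    foreach ($link in (Get-GPInheritance -Target $domainDN).GpoLinks) {
        if ($ExpectedRootGpos -contains $link.DisplayName) { $finding = 'Root link (expected)' }
        else                                                { $finding = 'Root link (review)' }
        [pscustomobject]@{
            Scope    = $domainDN
            Finding  = $finding
            Gpo      = $link.DisplayName
            Enabled  = $link.Enabled
            Enforced = $link.Enforced
        }
    }

    # 2. Every OU: flag blocked inheritance and enforced links.
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName
        if ($inh.GpoInheritanceBlocked) {
            [pscustomobject]@{ Scope = $ou.DistinguishedName; Finding = 'Inheritance blocked'; Gpo = $null; Enabled = $null; Enforced = $null }
        }
        foreach ($link in ($inh.GpoLinks | Where-Object { $_.Enforced })) {
            [pscustomobject]@{ Scope = $ou.DistinguishedName; Finding = 'Enforced link'; Gpo = $link.DisplayName; Enabled = $link.Enabled; Enforced = $true }
        }
    }
}

# Usage: one row per finding, grouped so the root links come out together.
Get-GpoLinkReview | Sort-Object Finding, Scope | Format-Table -AutoSize
```

Each row is a plain object, so the same output can be piped to Export-Csv for a periodic review, or filtered to `Finding -ne 'Root link (expected)'` to see only what needs a decision.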

Permissions and Auditing

Permissions and auditing are the set of rules that govern how AD objects are accessed and monitored. Permissions and auditing affect the security of users, devices, and data. A granular permissions and auditing policy should enforce the following requirements:

  • Least privilege principle
  • Role-based access control
  • Object ownership
  • Inheritance and propagation
  • Audit policy

A granular permissions and auditing policy helps ensure the confidentiality, integrity, and availability of AD objects by granting only the necessary access rights to authorized users or groups based on their roles and responsibilities. It also helps detect and deter unauthorized access or modification by recording and reporting any changes or activities on AD objects.
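Two concrete checks follow from the paragraph above: who can actually modify objects under an OU (least privilege and inheritance), and whether changes to those objects are being recorded (audit policy). The script below is an added example, not code from the post. The OU distinguished name and the list of expected administrative principals are constructed placeholders; the event field names are those of the Directory Service Changes events 5136, 5137 and 5141.

```powershell
# Added example, not code from the post. Part 1 reports which principals hold
# write-capable rights on an OU beyond the ones you expect. Part 2 reads the
# directory change events that auditing produces on a domain controller.
# Requires the RSAT ActiveDirectory module; OU and principal names are placeholders.
Import-Module ActiveDirectory

function Get-OuWriteAccess {
    param(
        [Parameter(Mandatory)][string]$OuDN,
        # Assumption (placeholder names): principals allowed to change objects under this OU.
        [string[]]$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                          'CORP\Domain Admins', 'CORP\Enterprise Admins')
    )
    # Rights that let the holder modify an object, its children or its security descriptor.
    $writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild|DeleteChild|Self'
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights.ToString() -match $writeRights) -and
            ($ExpectedPrincipals -notcontains $_.IdentityReference.Value)
        } |
        Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                      ActiveDirectoryRights, InheritanceType, IsInherited,
                      # GUID of the attribute or class the ACE is limited to; all zeros means everything.
                      @{ n = 'ObjectType'; e = { $_.ObjectType } }
}

function Get-AdChangeEvents {
    param(
        [string]$DomainController = (Get-ADDomainController).HostName,
        [int]$Hours = 24
    )
    # 5136 = object modified, 5137 = object created, 5141 = object deleted. These only
    # appear when "Directory Service Changes" auditing is enabled and the objects carry a SACL.
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $d = @{}
            foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Actor     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object    = $d.ObjectDN
                Attribute = $d.AttributeLDAPDisplayName   # empty for create/delete events
                Value     = $d.AttributeValue
            }
        }
}

# Usage with placeholder values: review one OU, then the last day of recorded changes.
Get-OuWriteAccess -OuDN 'OU=Servers,DC=corp,DC=example' | Format-Table -AutoSize
Get-AdChangeEvents | Format-Table -AutoSize

# The audit subcategory itself is normally switched on through the Default Domain
# Controllers Policy; the equivalent local command on a domain controller is:
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
```

The ACL report keys on the rights string rather than on group membership, so a right delegated to an individual user or to a nested group shows up just as clearly as one granted to a well-known admin group; a row that is `IsInherited = False` on a child OU is usually the delegation that was never cleaned up.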

Kerberos Policy

Kerberos policy is the set of rules that govern how AD uses Kerberos as its primary authentication protocol. Kerberos policy affects the security of user accounts and the authentication process. A secure Kerberos policy should enforce the following requirements:

  • Ticket lifetime
  • Ticket renewal
  • Maximum tolerance for computer clock synchronization

A secure Kerberos policy helps prevent replay attacks by limiting the validity and renewability of Kerberos tickets. It also helps prevent man-in-the-middle attacks by requiring a close synchronization of computer clocks within the network. It’s advisable to set “Maximum lifetime for service ticket” to 600 minutes and “Maximum lifetime for user ticket renewal” to 7 days.
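Kerberos policy is stored in the Default Domain Policy's security template (GptTmpl.inf in SYSVOL), not in the registry, so checking it means reading that file. The script below is an added example, not code from the post: a small parser for the `[Kerberos Policy]` section, a check of the values against the post's 600 minutes and 7 days, and a run against a constructed template excerpt so it also works offline. The GUID is the well-known one of the Default Domain Policy; the limits for user ticket lifetime (10 hours) and clock skew (5 minutes) are my assumptions, the Windows defaults, and are not given in the post.

```powershell
# Added example, not code from the post: read the Kerberos policy from the
# Default Domain Policy security template and compare it with the recommended values.

# Parse the [Kerberos Policy] section of a GptTmpl.inf into a hashtable of integers.
function Get-KerberosPolicyFromTemplate {
    param([Parameter(Mandatory)][string[]]$Lines)
    $inSection = $false
    $policy = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(\d+)') { $policy[$Matches[1]] = [int]$Matches[2] }
    }
    $policy
}

function Test-KerberosPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    # Units are those of the template: MaxTicketAge hours, MaxRenewAge days,
    # MaxServiceAge minutes, MaxClockSkew minutes, TicketValidateClient 0/1.
    $limits = @(
        @{ Key = 'MaxServiceAge'; Limit = 600; Note = 'service ticket lifetime, minutes (post: 600)' }
        @{ Key = 'MaxRenewAge';   Limit = 7;   Note = 'user ticket renewal, days (post: 7)' }
        @{ Key = 'MaxTicketAge';  Limit = 10;  Note = 'user ticket lifetime, hours (assumption: 10)' }
        @{ Key = 'MaxClockSkew';  Limit = 5;   Note = 'clock tolerance, minutes (assumption: 5)' }
    )
    foreach ($c in $limits) {
        $actual = $Policy[$c.Key]
        [pscustomobject]@{
            Setting = $c.Key
            Actual  = $actual
            Limit   = "<= $($c.Limit)"
            Pass    = ($null -ne $actual -and $actual -le $c.Limit)   # missing key = fail
            Note    = $c.Note
        }
    }
    [pscustomobject]@{
        Setting = 'TicketValidateClient'; Actual = $Policy['TicketValidateClient']; Limit = '= 1'
        Pass    = ($Policy['TicketValidateClient'] -eq 1); Note = 'enforce user logon restrictions'
    }
}

# Live read from SYSVOL in a domain-joined session. The file is UTF-16; Get-Content honours the BOM.
$domain   = $env:USERDNSDOMAIN
$template = "\\$domain\SYSVOL\$domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
if ($domain -and (Test-Path $template)) {
    Test-KerberosPolicy -Policy (Get-KerberosPolicyFromTemplate -Lines (Get-Content $template)) | Format-Table -AutoSize
}

# Offline run on a constructed excerpt: default values except for a service ticket
# lifetime of a full day, which the check reports as failing.
$sample = @'
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 1440
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"
Test-KerberosPolicy -Policy (Get-KerberosPolicyFromTemplate -Lines $sample) | Format-Table -AutoSize
```

Because the parser only looks inside the `[Kerberos Policy]` section and stops matching at the next section header, a key with the same name elsewhere in the template (the file has many sections) is not picked up by mistake.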

In conclusion, AD security settings are vital for any organization that uses AD as their directory service. Among them, password policy, account lockout policy, group policy, permissions and auditing, and Kerberos policy are the most important ones. They help protect the network from internal and external threats, comply with various regulations and standards, and optimize the network performance and management.

Limit SMB Traffic in Windows Environments

Microsoft recently posted an article talking about reducing your SMB traffic, and thereby reducing the risk of compromise on your systems. Before you think we’re saying this one change is the solution to all network security issues, even Microsoft states “We are not trying to make the entire network impervious to all threats. We are trying to make your network so irritating to an attacker that they just lose interest and go after some other target.”

Many times we know a security change doesn’t completely fix an issue, we are just making another small change in a series of small changes to make things slightly more secure. A group of small changes often work together to create an overall more secure environment.

If nothing else you’ll have a better understanding of what systems need SMB enabled and where SMB traffic is common on your network.

Server Message Block (SMB) Traffic

Reducing your SMB traffic can really improve your risk profile. Server Message Block (SMB) is a communication protocol for providing shared access to files, printers, and serial ports between devices on your network. It also provides an authenticated inter-process communication (IPC) mechanism. There are also security issues in Microsoft’s implementation of the protocol. Many vendors have security vulnerabilities in their solutions because of their lack of support for newer authentication protocols like NTLMv2 and Kerberos. Recent attacks show that SMB is one of the primary attack vectors for many intrusion attempts. Recently two high-severity SMB vulnerabilities were disclosed which can provide RCE (Remote Code Execution) on systems that allow SMB traffic.

Recommendations

  1. Block inbound SMB access at the corporate firewalls – This means block inbound SMB traffic at the corporate firewall before it is on your LAN. This is usually the easiest way to block unauthorized traffic to your network and corporate systems. This will not work for remote systems that aren’t behind a managed firewall, but you can use this to help protect servers and other devices on the corporate network.
  2. Block outbound SMB access at the corporate firewall with exceptions for specific IP ranges – Sometimes, rarely, you need outbound SMB traffic. If you don’t know, block the traffic and monitor logs for anything that might break.
  3. Inventory for SMB usage and shares – It is understandable that employees need to connect to file servers to access file shares, as one example. Great, then allow inbound SMB traffic to just those servers, and block inbound SMB traffic to all Windows 10 clients or other servers. Start looking at your environment and begin blocking traffic unless it is required.
  4. Configure Windows Defender Firewall to block inbound and outbound traffic on the workstations – Use the client firewall to block traffic except to required devices. There are several references to how to make this work, but it is past time to start working out the details.
  5. Disable SMB Server if unused – If you know the device doesn’t require SMB services, you may be able to stop the SMB Server service on Windows clients and even many of your Windows Servers.
  6. Test at a small scale – Test the changes and make sure you understand the impact before you just deploy changes into production and break everything. As always, test twice and make sure you understand the changes (and have a rollback plan) before you deploy any changes into production.
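Recommendations 1 and 2 are perimeter firewall work, but 3 to 6 can be done on each Windows host, and in that order: inventory first, firewall rules next, stop the server service only where nothing is shared, and dry-run everything before applying. The script below is an added example, not code from the Microsoft article or from this post. The file server range (10.0.10.0/24), the block-rule scope ranges derived from it, and the rule names are my constructed values; run it as an administrator, and without `-Apply` every change is executed with `-WhatIf` so it only reports.

```powershell
# Added example, not code from the post or from Microsoft: apply recommendations
# 3-6 on one Windows host. Without -Apply every change runs with -WhatIf.
param(
    # Assumption: the only hosts workstations may reach over SMB is 10.0.10.0/24.
    # Windows Defender Firewall evaluates Block rules ahead of Allow rules, so the
    # exception cannot be an Allow rule; instead the Block rule's remote scope is
    # everything except that range. Recompute these ranges for your own addressing.
    [string[]]$BlockScope = @('1.0.0.0-10.0.9.255', '10.0.11.0-223.255.255.255'),
    [switch]$DisableServerService,   # recommendation 5: only where nothing is shared
    [switch]$Apply                   # recommendation 6: report first, change later
)
$whatIf = -not $Apply

# --- 3. Inventory: what this host shares, who is connected, and where it connects to.
'Shares (excluding administrative shares):'
Get-SmbShare | Where-Object { -not $_.Special } | Format-Table Name, Path -AutoSize
'Inbound SMB sessions:'
Get-SmbSession -ErrorAction SilentlyContinue | Format-Table ClientComputerName, ClientUserName, NumOpens -AutoSize
'Outbound SMB connections:'
Get-SmbConnection -ErrorAction SilentlyContinue | Format-Table ServerName, ShareName, UserName -AutoSize

# --- 4. Host firewall: no inbound SMB at all; outbound SMB only to the file servers.
New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Block -Profile Any -WhatIf:$whatIf
New-NetFirewallRule -DisplayName 'Block outbound SMB except file servers' -Direction Outbound `
    -Protocol TCP -RemotePort 445 -RemoteAddress $BlockScope -Action Block -Profile Any -WhatIf:$whatIf

# --- 5. Disable the SMB server where nothing is shared. Never do this on a domain
# controller (SYSVOL and NETLOGON are SMB shares) or on a file or print server.
$nonAdminShares = @(Get-SmbShare | Where-Object { -not $_.Special })
if ($DisableServerService -and $nonAdminShares.Count -eq 0) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -WhatIf:$whatIf
    Stop-Service -Name LanmanServer -Force -WhatIf:$whatIf
    Set-Service -Name LanmanServer -StartupType Disabled -WhatIf:$whatIf
} elseif ($DisableServerService) {
    "Not disabling the SMB server: this host still shares $($nonAdminShares.Name -join ', ')"
}
```

Run it first with no switches on a handful of machines and keep the inventory output; the sessions and connections it lists are exactly the traffic that the firewall rules in step 4 would cut, which is the "monitor logs for anything that might break" check from recommendation 2 done ahead of time rather than after.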