Tag Archive: AD hardening


Some interesting sites:

 

Delegate WMI access to domain controllers:

This post originally came about after several customers asked how to remove users accounts from Domain Admins and the Administrators group in the domain. These accounts are needed to monitor the systems, so we needed to find a way to get them to read the instrumentation of the system with non-elevated privilege.

https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/

 

Reference articles to secure a Windows domain:

https://github.com/PaulSec/awesome-windows-domain-hardening

Microsoft audit Policy settings and recommendations:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

Sysinternals sysmon:

https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

On ADsecurity.org:

Beyond domain admins: https://adsecurity.org/?p=3700

Gathering AD data with PowerShell: https://adsecurity.org/?p=3719

Hardening Windows computers, secure Baseline check list: https://adsecurity.org/?p=3299

Hardening Windows domain, secure Baseline check list:

Securing Domain Controllers to Improve Active Directory Security

Domain hardening in general:

 

List of items
Setting Up Jump server
Domain joining of all windows boxes
Proper account Management Based on privileges
Usage of service accounts to run application instead of local system accounts
Review of existing AD accounts/Deletion of Unnecessary Accounts/ Review Ou structuring/GPO etc
HoneyToken Account Creation in Local boxes as well domain
GPO changes for disabling guest accounts across system,restricted RDP mode,Password Policy changes,disabling internet in member servers
GPO for Jump server implementation based on PAW GPO settings
Rename existing builtin Administrator account and lockdown
Sysmon deployment and WEF setup (WEC for symon events)
Ping castle review to assess the AD security
FGPP implementation
LAPS Implementation
Process for proper cleanup of unused AD accounts
Reset of krbtgt account,domain admins account,It administrators account
Advertisements

Resources materials:

AD Security:

https://adsecurity.org/?p=1684

https://digital-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory

Mimikatz and Active Directory Kerberos Attacks:

https://adsecurity.org/?p=556

https://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf

https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf

http://www.gentilkiwi.com/mimikatz    /   http://blog.gentilkiwi.com/

Scripts:

https://github.com/iadgov/Pass-the-Hash-Guidance
https://github.com/iadgov/Event-Forwarding-Guidance

Domain lockdown: https://github.com/curi0usJack/activedirectory

Microsoft resources:

http://www.microsoft.com/pth

http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf

http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspx

 

Pass the Hash – isolation technique:

passTheHash