This post is based on the Hack The Box (HTB) Academy module (or course) on Introduction to Active Directory. The module demystifies AD and provides hands-on exercises to practice each of the tactics and techniques we cover (including concepts used to enumerate and attack AD environments).
You can learn more by browsing the catalog of free or advanced cybersecurity courses on the HTB Academy!
Active Directory is the central hub for the management of an organization's resources. If cybercriminals were to breach it, they’d have almost complete control over your network.
With AD being so vast and central to your organization’s security, protecting it against attacks is critical.
However, safeguarding such a comprehensive environment is no easy feat. AD’s extensive attack surface can make it difficult to keep track of defensive measures. This is where an expertly crafted checklist can save time and offer you the reassurance of covering common weak spots.
💡There's no one-size-fits-all solution to Active Directory hardening and defense. The tips in this checklist act as a starting point and are sourced from our team of expert attackers and defenders.
Learn the fundamentals of Active Directory with HTB
Examine the history of Active Directory
Define commonly used terms
Examine AD objects and structures
Discuss the authentication protocols used
Gain an understanding of the difference between rights and privileges
Practice executing common AD management tasks
The goal of this Active Directory hardening checklist is to help you reduce the overall attack surface. By working through these best practices, your network will be less vulnerable to AD attacks, and you’ll have a starting point for potential hardening measures to take.
Learn common active directory enumeration & attacks
Learn popular enumeration techniques hackers deploy using tools such as Bloodhound and Kerbrute.
Discover common AD attacks, including SMB Null sessions, password spraying, ACL attacks, attacking domain trusts, and more.
Be better prepared to defend by understanding where your vulnerabilities are.
Implement an account lockout policy that locks accounts after a set number of failed logon attempts. This slows down or stops online brute-force and password-guessing attempts, but note two limits: password sprayers deliberately stay below the threshold, and an overly aggressive threshold lets an attacker lock out legitimate users at will, so pair lockout with monitoring of failed-logon and lockout events rather than relying on it alone.
Restrict access to Lightweight Directory Access Protocol (LDAP, TCP 389/636) by implementing network segmentation and access controls so that only hosts with a business need can query the directory, reducing what an attacker on an untrusted segment can enumerate.
You can learn more about Active Directory LDAP with our Academy module, which focuses on working with LDAP and AD search filters.
Enforce a strong password policy, including minimum length, character diversity, and password history. Current guidance (NIST SP 800-63B and Microsoft's security baseline) favours long passphrases and screening against breached-password lists over mandatory periodic expiry, so treat a short maximum password age as a legacy control rather than a requirement. Using a password management solution is a good idea, as users can save their complex passwords without the risk of losing or forgetting them.
Implement MFA to provide an extra layer of security, making it significantly more challenging for attackers to gain unauthorized access.
Educate users on the importance of strong passwords and identifying suspicious activity, such as phishing attempts. You can also regularly audit password policies and settings to ensure rules are being followed.
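The lockout and password-policy items above can be checked against a baseline instead of read by eye. The following is an added example, not code from the HTB post; the threshold values are assumptions to adjust to your own standard. It reads the default domain policy, lists the findings, checks fine-grained password policies (which silently override the default for the groups they target), and shows the corrective command in a comment so it is not run by accident.

```powershell
# Added example (not from the HTB post): audit the default domain password and lockout
# policy against minimum values, then show the corrective command. Thresholds are assumptions.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [int]$MinLength           = 14,
        [int]$MinLockoutThreshold = 5,    # 0 means "never lock out": online guessing runs unopposed
        [int]$MaxLockoutThreshold = 20,   # too high defeats the control, too low hands attackers a DoS lever
        [int]$MinHistory          = 24
    )
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($p.MinPasswordLength -lt $MinLength)     { $findings += "MinPasswordLength is $($p.MinPasswordLength); expected >= $MinLength" }
    if (-not $p.ComplexityEnabled)               { $findings += "Complexity requirements are disabled" }
    if ($p.PasswordHistoryCount -lt $MinHistory) { $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount); expected >= $MinHistory" }
    if ($p.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold is 0: accounts never lock out"
    } elseif ($p.LockoutThreshold -lt $MinLockoutThreshold -or $p.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "LockoutThreshold is $($p.LockoutThreshold); expected between $MinLockoutThreshold and $MaxLockoutThreshold"
    }
    if ($p.ReversibleEncryptionEnabled) { $findings += "Reversible encryption is enabled: passwords are recoverable in cleartext" }
    [pscustomobject]@{ Policy = $p; Findings = $findings }
}

# Fine-grained password policies (PSOs) override the default for the principals they apply to,
# so a clean default policy says nothing about, e.g., service accounts covered by a weak PSO.
function Get-WeakFineGrainedPolicies {
    param([int]$MinLength = 14)
    Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
        Where-Object { $_.MinPasswordLength -lt $MinLength -or $_.LockoutThreshold -eq 0 } |
        Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo
}

$result = Test-DomainPasswordPolicy
$result.Findings
Get-WeakFineGrainedPolicies

# Corrective baseline; run deliberately after reviewing the findings:
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
#     -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
#     -LockoutThreshold 10 -LockoutDuration 00:15:00 -LockoutObservationWindow 00:15:00
```

Remember that a lockout threshold is not a defence against password spraying on its own: a sprayer tries one or two passwords per account per observation window and never trips it. Watch Security events 4625 and 4771 (failed logons) and 4740 (lockouts) for the pattern instead.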
These measures also help protect against man-in-the-middle attacks that could otherwise expose service account credentials and lead to unauthorized access.
Managed service accounts (MSAs and group MSAs) provide automatic password management: the password is long, random, rotated by the domain, and never known to a person, which removes the weak, never-changed service passwords that make a captured password hash worth cracking.
You should also audit service account permissions regularly to ensure they are appropriate for each account's role.
This limits the exposure of privileged credentials and reduces the attack surface for Kerberoasting, because a service account that sits in a privileged group is the most valuable target for an offline crack. Keeping service accounts out of privileged groups also makes changes to security group membership easier to monitor.
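The audit the previous two items describe, as an added example that is not part of the HTB post: it lists every user account that carries an SPN (the Kerberoastable set), scores each by whether it is privileged, whether the KDC will issue RC4 tickets for it, and how stale its password is, and then shows how to replace such an account with a group Managed Service Account. The privileged-group list, the age threshold, and the account and SPN names are assumptions.

```powershell
# Added example (not from the HTB post): rank Kerberoastable accounts by exposure and
# create a gMSA replacement. Group list, age threshold and names are assumptions.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bits. An unset attribute on a user account means the KDC
# issues RC4 service tickets, which are the cheapest to crack offline.
$RC4 = 0x4; $AES128 = 0x8; $AES256 = 0x10
# Groups whose membership turns a cracked service password into a domain compromise (assumed list)
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Backup Operators'

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)
    $privDns = foreach ($g in $PrivilegedGroups) {
        (Get-ADGroup -Identity $g -ErrorAction SilentlyContinue).DistinguishedName
    }
    # krbtgt carries SPNs but is not roastable the normal way; every other user with an SPN is
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' `
               -Properties ServicePrincipalName, PasswordLastSet, AdminCount, MemberOf, msDS-SupportedEncryptionTypes |
    ForEach-Object {
        $u   = $_
        $enc = if ($null -eq $u.'msDS-SupportedEncryptionTypes') { 0 } else { [int]$u.'msDS-SupportedEncryptionTypes' }
        $rc4 = ($enc -eq 0) -or (($enc -band $RC4) -ne 0)
        $aes = ($enc -band ($AES128 -bor $AES256)) -ne 0
        $priv = ($u.AdminCount -eq 1) -or (@($u.MemberOf | Where-Object { $privDns -contains $_ }).Count -gt 0)
        $age = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { -1 }  # -1: never set
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            Privileged      = $priv
            RC4Allowed      = $rc4
            AESOnly         = $aes -and -not $rc4
            PasswordAgeDays = $age
            # crude priority: privileged > RC4 tickets > stale password
            Risk            = [int]$priv * 4 + [int]$rc4 * 2 + [int]($age -gt $MaxPasswordAgeDays -or $age -lt 0)
            SPNs            = $u.ServicePrincipalName -join ';'
        }
    } | Sort-Object Risk -Descending
}

Get-KerberoastExposure | Format-Table -AutoSize

# Replace the human-managed password with a group Managed Service Account: the domain
# generates a 240-byte random password and rotates it (every 30 days by default), so there
# is nothing weak to roast. A KDS root key must exist first; in production run
#   Add-KdsRootKey -EffectiveImmediately
# and wait 10 hours for it to replicate before creating accounts.
function New-HardenedServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Name,        # e.g. 'gmsa-sql01' (assumed name)
        [Parameter(Mandatory)][string]$HostGroup,   # AD group of the computers allowed to fetch the password
        [Parameter(Mandatory)][string[]]$Spns       # e.g. 'MSSQLSvc/sql01.corp.example:1433' (assumed)
    )
    New-ADServiceAccount -Name $Name -DNSHostName "$Name.$((Get-ADDomain).DNSRoot)" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -ServicePrincipalNames $Spns `
        -KerberosEncryptionType AES128, AES256       # no RC4 tickets for this SPN
}
```

For accounts that cannot be migrated to a gMSA yet, the cheapest interim fix is a long random password plus `Set-ADUser -KerberosEncryptionType AES256`, which stops the KDC issuing RC4 tickets for that SPN; the account is still roastable, but at AES cost rather than RC4 cost.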
Ensure that your Active Directory Certificate Services (AD CS) setup follows best practices, such as restricting certificate templates to the necessary enrollment permissions and limiting the types of certificates users can request (in particular, templates that allow the requester to supply the subject name and that permit client authentication).
If you have many overprivileged accounts, attackers can use these accounts to gain a greater foothold in your environment.
Grant users, computers, and services only the minimum necessary privileges to perform their tasks, reducing the risk of unauthorized certificate requests. This also reduces the risk of attackers exploiting overprivileged accounts to perform DCSync or Golden Ticket attacks.
Periodically review your AD CS setup, checking for misconfigurations or potential vulnerabilities that could be exploited by attackers.
Keep track of issued certificates and their associated permissions. Revoke any suspicious or unnecessary certificates to limit attackers' abilities to exploit them.
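The template review described in the AD CS items above, as an added example that is not from the HTB post. It enumerates templates that are actually published on an enrollment service and flags the well-known dangerous combination: the enrollee supplies the subject, the template allows an authentication EKU (or has no EKU restriction), no manager approval or authorized signature is required, and a broad principal such as Domain Users holds the Enroll right. The set of "broad" principal names is an assumption; the flag bits, OIDs and the Enroll right GUID are the documented values.

```powershell
# Added example (not from the HTB post): find published certificate templates that let a
# low-privileged requester obtain a logon certificate for an arbitrary identity.
Import-Module ActiveDirectory

$ENROLLEE_SUPPLIES_SUBJECT = 0x1     # msPKI-Certificate-Name-Flag
$PEND_ALL_REQUESTS         = 0x2     # msPKI-Enrollment-Flag: CA manager approval required
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AuthEkus = '1.3.6.1.5.5.7.3.2',       # Client Authentication
            '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
            '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
            '2.5.29.37.0'              # Any Purpose
# Principals broad enough that "can enroll" means "anyone in the domain can enroll" (assumed list)
$BroadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users'

function Get-RiskyCertificateTemplates {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $pki = "CN=Public Key Services,CN=Services,$cfg"

    # Only templates published on at least one CA can be requested at all
    $published = Get-ADObject -SearchBase "CN=Enrollment Services,$pki" `
                              -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
        ForEach-Object { $ca = $_.Name; $_.certificateTemplates | ForEach-Object { [pscustomobject]@{ CA = $ca; Template = $_ } } }

    Get-ADObject -SearchBase "CN=Certificate Templates,$pki" -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                 -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage |
    ForEach-Object {
        $t = $_
        $cas = @($published | Where-Object Template -eq $t.Name | Select-Object -ExpandProperty CA)
        if ($cas.Count -eq 0) { return }   # defined but not published: not requestable

        $ekus = @($t.pKIExtendedKeyUsage)
        $allowsAuth = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
        $supplies   = ([int]$t.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $approval   = ([int]$t.'msPKI-Enrollment-Flag' -band $PEND_ALL_REQUESTS) -ne 0
        $sigs       = [int]$t.'msPKI-RA-Signature' -gt 0

        # Who holds Enroll: explicit Enroll right, all extended rights (empty GUID), or GenericAll
        $enrollers = (Get-Acl -Path "AD:\$($t.DistinguishedName)").Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and (
                    $_.ActiveDirectoryRights -match 'GenericAll' -or
                    ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
                     ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty)))
            } | ForEach-Object { $_.IdentityReference.Value }
        $broad = @($enrollers | Where-Object { $BroadPrincipals -contains ($_ -split '\\')[-1] })

        [pscustomobject]@{
            Template                = $t.Name
            PublishedOn             = $cas -join ','
            EnrolleeSuppliesSubject = $supplies
            AuthenticationEKU       = $allowsAuth
            ManagerApproval         = $approval
            SignaturesRequired      = $sigs
            BroadEnrollers          = $broad -join ','
            Exploitable             = $supplies -and $allowsAuth -and -not $approval -and -not $sigs -and $broad.Count -gt 0
        }
    } | Sort-Object Exploitable -Descending
}

Get-RiskyCertificateTemplates | Where-Object Exploitable | Format-Table -AutoSize
```

To remediate a flagged template, clear "Supply in the request" on the Subject Name tab, require CA certificate manager approval, or cut Enroll down to the group that genuinely needs it. Check the CA itself as well: if `certutil -config "CA\Name" -getreg policy\EditFlags` shows EDITF_ATTRIBUTESUBJECTALTNAME2 set, any requester can inject a subject alternative name on every template, and the per-template check above is not enough.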
Limit the number of accounts with permissions to perform replication activities (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object, which is what a DCSync attack uses to pull every password hash). Ideally, only domain controllers and necessary administrative accounts should have these permissions.
It's also important to restrict the number of accounts with high privileges, such as Domain Admins. A Golden Ticket requires the krbtgt account's key, which an attacker normally obtains by running DCSync or by compromising a domain controller; the fewer accounts that can do either, the harder that is.
Periodically review permissions in your AD environment to identify and remediate any unnecessary or excessive privileges that could be exploited by attackers.
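The permission review for replication rights, as an added example that is not part of the HTB post. It reads the DACL of the domain naming context, reports every principal that holds a replication right (directly, via "all extended rights", or via GenericAll), and marks whether each one is on an expected list. That list is an assumption: by default the rights belong to domain controllers and the built-in Administrators group, but environments with Azure AD Connect or similar synchronisation tools will legitimately have one more, and you should allow-list only what you have verified.

```powershell
# Added example (not from the HTB post): list principals that can pull replication data
# (the rights DCSync abuses) from the domain object. The expected list is an assumption.
Import-Module ActiveDirectory

$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param(
        [string[]]$Expected = @('BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                                'Domain Controllers', 'Enterprise Read-only Domain Controllers')
    )
    $domain = Get-ADDomain
    $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' } |
        ForEach-Object {
            $ace = $_
            $key = $ace.ObjectType.ToString()
            $right = if ($ace.ActiveDirectoryRights -match 'GenericAll') { 'GenericAll (implies all replication rights)' }
                     elseif ($ace.ObjectType -eq [guid]::Empty)          { 'All extended rights' }
                     elseif ($ReplicationRights.ContainsKey($key))        { $ReplicationRights[$key] }
            if (-not $right) { return }   # some other extended right, e.g. a password reset right
            $who   = $ace.IdentityReference.Value
            $short = ($who -split '\\')[-1]
            [pscustomobject]@{
                Principal = $who
                Right     = $right
                Inherited = $ace.IsInherited
                Expected  = ($Expected -contains $who) -or ($Expected -contains $short)
            }
        } | Sort-Object Expected, Principal
}

# Anything with Expected = False deserves a ticket: it is a path to every password hash in the domain.
Get-ReplicationRightHolders | Format-Table -AutoSize

# A principal does not need its own ACE. Membership in Administrators (for example via Domain
# Admins) grants the rights, and WriteDacl or WriteOwner on the domain object lets an attacker
# grant them to themselves, so review those entries with the same suspicion:
# (Get-Acl -Path "AD:\$((Get-ADDomain).DistinguishedName)").Access |
#     Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match 'WriteDacl|WriteOwner' } |
#     Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```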
Set up alerts for suspicious activities, such as:
Unauthorized replication requests.
The use of known DCSync-related tools.
Unusual Kerberos ticket requests.
The use of known Golden Ticket-related tools like Mimikatz.
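The first alert in the list above, unauthorized replication requests, can be built from Security event 4662 on the domain controllers. The following is an added example, not code from the HTB post. Two prerequisites the checklist item implies but does not spell out: the "Audit Directory Service Access" subcategory must be enabled, and the domain object needs a SACL that audits the Replicating Directory Changes rights for Everyone, otherwise no 4662 is written. The function parses an event's XML, looks for the replication-right GUIDs in the Properties field, and discards DC-to-DC replication; the sample event, the account names and the allow-list are constructed for the offline run.

```powershell
# Added example (not from the HTB post): detect replication (DCSync-style) requests in
# Security event 4662. The sample event and names below are constructed, not captured.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'    # DS-Replication-Get-Changes-In-Filtered-Set
)

function Test-DcSyncEvent {
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        [string[]]$DomainControllers = @(),   # DC sAMAccountNames without the trailing '$'
        [string[]]$AllowList = @()            # verified legitimate accounts, e.g. an Azure AD Connect MSOL_ account
    )
    $id = $EventXml.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID carries a Qualifiers attribute on some events
    if ("$id" -ne '4662') { return $null }

    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }

    # 'Properties' lists the control-access rights that were exercised, as GUIDs
    $rights = @($ReplicationGuids | Where-Object { $data['Properties'] -match $_ })
    if ($rights.Count -eq 0) { return $null }

    $user = $data['SubjectUserName']
    if ($user.EndsWith('$') -and $DomainControllers -contains $user.TrimEnd('$')) { return $null }  # normal DC-to-DC replication
    if ($AllowList -contains $user) { return $null }

    [pscustomobject]@{
        Time      = $EventXml.Event.System.TimeCreated.SystemTime
        Collector = $EventXml.Event.System.Computer
        Subject   = "$($data['SubjectDomainName'])\$user"
        LogonId   = $data['SubjectLogonId']
        Object    = $data['ObjectName']
        Rights    = $rights -join ','
    }
}

# Constructed 4662 event: an ordinary user exercising Get-Changes-All against the domain object.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4662</EventID>
    <TimeCreated SystemTime="2024-05-01T10:15:30.000000000Z"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
    <Data Name="ObjectName">%{4c8c3b2a-1d7e-4f0e-9c6b-0a1b2c3d4e5f}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
  </EventData>
</Event>
'@

Test-DcSyncEvent -EventXml $sample -DomainControllers 'DC01', 'DC02'

# Live use on a DC, last 24 hours:
# $dcs = (Get-ADDomainController -Filter *).Name
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { Test-DcSyncEvent -EventXml ([xml]$_.ToXml()) -DomainControllers $dcs }
```

A hit from a user account, or from a computer account that is not a domain controller, is the signal; legitimate synchronisation accounts should be allow-listed by name after you have confirmed them against the replication-rights audit, not suppressed wholesale.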
Regularly reset the password of the krbtgt account to limit an attacker's ability to create valid Golden Tickets, and reset it twice: AD keeps the previous krbtgt key, so tickets forged with the old hash remain valid until the second reset. Leave enough time between the two resets for replication to complete and for the maximum ticket lifetime (10 hours by default) to pass, otherwise legitimate tickets are invalidated and users and services see authentication failures. The new password should be a long random value, never one reused anywhere else.
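The two-pass krbtgt reset, as an added example that is not from the HTB post. It checks that the previous reset has replicated to every writable DC (by comparing pwdLastSet as each DC reports it) and, for the second pass, that the maximum ticket lifetime has elapsed, then sets a random password on the PDC emulator. The 10-hour default and the 64-character length are assumptions to align with your Kerberos policy.

```powershell
# Added example (not from the HTB post): reset krbtgt in two passes with safety checks.
# Read-only DCs have their own krbtgt_<id> accounts, which this does not touch.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 64)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # nobody types this password; it only has to be long and unpredictable
    ([Convert]::ToBase64String($bytes)).Substring(0, $Length) | ConvertTo-SecureString -AsPlainText -Force
}

function Get-KrbtgtReplicationState {
    # pwdLastSet as seen by every writable DC; identical values mean the last reset has converged
    foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
        $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet
        [pscustomobject]@{ DC = $dc.HostName; PwdLastSet = [datetime]::FromFileTimeUtc($k.pwdLastSet) }
    }
}

function Invoke-KrbtgtReset {
    param(
        [Parameter(Mandatory)][ValidateSet(1, 2)][int]$Pass,
        [int]$MaxTicketLifetimeHours = 10,   # Kerberos policy "Maximum lifetime for user ticket", default 10h
        [switch]$Force
    )
    $state    = Get-KrbtgtReplicationState
    $distinct = @($state.PwdLastSet | Sort-Object -Unique)
    if ($distinct.Count -gt 1 -and -not $Force) {
        throw "krbtgt pwdLastSet differs between DCs; wait for replication before resetting:`n$($state | Out-String)"
    }
    if ($Pass -eq 2) {
        $age = (Get-Date).ToUniversalTime() - $distinct[0]
        if ($age.TotalHours -lt $MaxTicketLifetimeHours -and -not $Force) {
            throw "Last reset was $([int]$age.TotalHours)h ago; wait until that exceeds $MaxTicketLifetimeHours h before pass 2"
        }
    }
    $pdc = (Get-ADDomain).PDCEmulator
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-RandomPassword)
    Write-Host "Pass $Pass done on $pdc at $((Get-Date).ToUniversalTime().ToString('u')); re-run Get-KrbtgtReplicationState to confirm convergence"
}

# Invoke-KrbtgtReset -Pass 1
# ... wait for replication plus the ticket lifetime ...
# Invoke-KrbtgtReset -Pass 2
```

After an incident, the second reset is what evicts an attacker who already holds the krbtgt hash; until it happens, every Golden Ticket they minted still works. Record both timestamps in the incident log.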
To truly defend a network, you need to gain an understanding of both blue and red techniques.
Exploring how pentesters might exploit AD is a great way to understand how they gain a foothold. Our Active Directory 101 Track also contains a selection of Machines for pentesters to exploit using AD vulnerabilities. (Exposing blue teams to these Machines is a great way to excel in their roles and “see the other side of the coin.”)
But what about the defense and aftermath of an AD exploit?
Our Sherlocks Labs empower both blue and red teams to elevate defensive skills, with many of the Machines having offensive counterparts.
A purple team approach is vital for defending against today’s advanced threat actors. This checklist can benefit both blue and red teams, demonstrating how either side may attack or defend corporate networks.
Learn enhanced digital forensics and incident response (DFIR) capabilities.
Gain a deeper understanding of security tools and technologies.
Leave with an improved ability to prioritize during real investigations.
Boost proficiency in technical analysis.
Author Bio: Sabastian Hague (sebh24), Defensive Content Lead, Hack The Box
Sabastian Hague is a seasoned cybersecurity professional with over eight years of experience in the field. After serving in the Royal Air Force as a specialist in all things SOC, he went on to work for Vodafone's global CERT team before taking on a role as a senior security consultant with SpiderLabs and working on numerous high-profile incidents. He is now the Defensive Content Lead at Hack The Box.
Seb has numerous industry certifications, including GIAC Certified Detection Analyst (GCDA), GIAC Continuous Monitoring Certification (GMON), GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst (GCIA), Offensive Security Certified Professional (OSCP), Blue Team Level 1 (BTL1), Blue Team Level 2 (BTL2), and Cybereason Certified Threat Hunter (CCTH).