
This walkthrough covers TryHackMe’s Active Directory Hardening room while also hardening the previously created Active Directory server.

Type: #TryHackMe, #HomeLab
Links: https://tryhackme.com/room/activedirectoryhardening

Understanding General Active Directory Concepts

Domain

The domain is the core unit of the logical structure of Active Directory. It stores all the critical information about the objects that belong to that domain only.

Domain Controller

A Domain Controller is an Active Directory server that acts as the brain of a Windows Server domain; it supervises the entire network. Within the domain, it acts as the gatekeeper for user authentication and for authorisation of IT resources.

Trees and Forests

Trees and Forests are the two most critical concepts of the Active Directory.

Trees

Trees are responsible for sharing resources between the domains. The communication between the domains inside a tree is possible by either one-way or two-way trust. When a domain is added to the Tree, it becomes the Offspring domain of that particular domain to which it is added – now a Parent domain.

Forests

A Forest is a collection of trees that successfully share a common global catalogue, directory schema, logical structure and directory configuration. Communication between two forests becomes possible once a forest-level trust is created.

Securing Authentication Methods

Windows stores passwords with two types of hash representation: LM (LAN Manager hash) and NT (Windows NT hash). Both are generated by Windows and can be stored in AD. The LM hash is prone to fast brute-force attacks and is therefore weaker than the NT hash, so the first step in hardening AD is to prevent Windows from storing LM hashes. This can be done via the Group Policy Management Editor.

Group Policy Management Editor > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > double click Network security - Do not store LM hash value on next password change policy > select “Define policy setting”

The next stage is to secure SMB so that transmission over the network is protected. This involves digitally signing SMB communication, which is crucial for detecting man-in-the-middle attacks.

Group Policy Management Editor > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > double click Microsoft network server: Digitally sign communication (always) > select Enable Digitally Sign Communications

Next, LDAP signing can be configured. LDAP is used to locate and authenticate resources on the network, and requiring signing ensures that only signed LDAP requests are accepted by the domain controller.

Group Policy Management Editor > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Domain controller: LDAP server signing requirements > select Require signing from the dropdown

Password security is pivotal: incorrect password policies or password reuse can compromise an entire organisation. TryHackMe outlines three techniques:

First Technique: Create a script to update passwords automatically in the Scheduled Task with the help of PowerShell. This method does not require any additional overhead and removes all the manual efforts for password rotation, but it requires you to write and maintain your script – which could be challenging. 
Second Technique: Add a Multi-Factor Authentication (MFA) solution to AD and choose not to change the password often. It adds a security layer, and you will not need to change your password often. You can read more about implementing MFA here.
Third Technique: Microsoft provides a solution for services account password rotation through Group Managed Services Accounts (GMSAs), which change passwords every 30 days. You can learn more about it here.

Password policies can also be set with the intention of preventing dictionary attacks, password spraying and other brute-force attacks. The policy can cover anything from a minimum password length to a maximum password age, and is configured under Group Policy Management Editor > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
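Once the policy is applied, the domain’s effective default password policy can be checked from PowerShell. This is an added example rather than the room’s own code; the thresholds in it are this example’s assumptions, not values the room prescribes, and it assumes the ActiveDirectory RSAT module is installed on the machine it runs on.

```powershell
# Added example (not from the room): compare the default domain password policy with
# the kinds of settings this section describes. Thresholds are assumptions; adjust them.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

$minLength   = 14   # assumed minimum password length
$maxAgeDays  = 90   # assumed maximum password age in days
$lockoutMax  = 5    # assumed lockout threshold (failed attempts); limits password spraying
$historyMin  = 24   # assumed number of remembered passwords (blocks reuse)

$findings = @(
    [pscustomobject]@{
        Setting  = 'MinPasswordLength'
        Actual   = $policy.MinPasswordLength
        Expected = ">= $minLength"
        Ok       = $policy.MinPasswordLength -ge $minLength
    }
    [pscustomobject]@{
        Setting  = 'MaxPasswordAge (days)'
        Actual   = $policy.MaxPasswordAge.Days
        Expected = "1..$maxAgeDays"
        # A value of 0 days means passwords never expire, which also fails the check.
        Ok       = ($policy.MaxPasswordAge.Days -gt 0) -and ($policy.MaxPasswordAge.Days -le $maxAgeDays)
    }
    [pscustomobject]@{
        Setting  = 'LockoutThreshold'
        Actual   = $policy.LockoutThreshold
        Expected = "1..$lockoutMax"
        # 0 means accounts never lock out, so brute force is unthrottled.
        Ok       = ($policy.LockoutThreshold -gt 0) -and ($policy.LockoutThreshold -le $lockoutMax)
    }
    [pscustomobject]@{
        Setting  = 'ComplexityEnabled'
        Actual   = $policy.ComplexityEnabled
        Expected = $true
        Ok       = $policy.ComplexityEnabled -eq $true
    }
    [pscustomobject]@{
        Setting  = 'PasswordHistoryCount'
        Actual   = $policy.PasswordHistoryCount
        Expected = ">= $historyMin"
        Ok       = $policy.PasswordHistoryCount -ge $historyMin
    }
)

$findings | Format-Table -AutoSize
```

Fine-grained password policies (password settings objects) override the default for the users they target, so also review Get-ADFineGrainedPasswordPolicy -Filter * if any exist.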


Least Privilege Model

Implementing the least privilege model requires limiting the user or application access to minimise security risks and attack surfaces. When the application or the users are allowed to operate with administrative privileges, they are granted complete access to modify, alter, create other resources on the system and perform any action with administrative rights. Contrary to this, the least privilege model grants limited and authorised access per current conditions.


Microsoft Security Compliance Toolkit (MSCT) is an official toolkit provided by Microsoft to implement and manage local and domain-level policies. You don’t have to worry about complex policy syntax and scripts, as Microsoft provides pre-developed security baselines for each end-user environment. You can download MSCT from the official Microsoft website.

Publicly Accessible Shares

During AD configuration, some shared folders are left publicly accessible or unauthenticated, giving attackers an initial foothold and a path for lateral movement. You can use the Get-SmbOpenFile cmdlet in PowerShell to look for any undesired share on the network and configure access accordingly.
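As an added example (not the room’s own code), the script below audits share permissions directly rather than open file handles: it walks every non-administrative share with Get-SmbShare and Get-SmbShareAccess and flags any Allow entry granted to a broad principal such as Everyone. The list of broad principals is this example’s assumption; it assumes an elevated session on the file server or DC hosting the shares.

```powershell
# Added example (not from the room): find shares whose ACL grants access to broad groups.
# The principal list is an assumption; extend it with any wide groups used in your domain.
$broadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'ANONYMOUS LOGON', 'Users')

$findings = foreach ($share in Get-SmbShare) {
    # Skip the built-in hidden admin shares (C$, ADMIN$, IPC$); they are governed separately.
    if ($share.Special) { continue }

    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        # AccountName is 'DOMAIN\Group', 'NT AUTHORITY\...' or just 'Everyone';
        # compare only the trailing name so both forms match the list above.
        $principal = ($ace.AccountName -split '\\')[-1]

        if ($ace.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $principal) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $ace.AccountName
                Right     = $ace.AccessRight      # Read, Change or Full
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No non-administrative share grants access to a broad principal.'
}
```

Share-level permissions combine with the NTFS ACL on the folder, so a flagged share is only truly open if the NTFS permissions (Get-Acl on the path) are also permissive; once confirmed, the entry can be removed with Revoke-SmbShareAccess.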


This is a simple walkthrough that implements basic hardening techniques to reduce the risk of exploitation of an Active Directory server.
