Securing Active Directory: Beginner Steps

Active Directory (AD) serves as the backbone of IT in many organizations. Securing Active Directory is vital to protecting your data’s confidentiality, integrity and availability. In the countless incident response engagements I’ve been involved in, privilege escalation techniques were used 95% of the time to access and compromise AD.

Because of its critical role, securing Active Directory against attacks is essential to protecting your entire network. Now before we begin, let me say, these steps are not the end-all-be-all steps for securing your environment, but serve as a great start to thwarting the majority of attacks.

  • Tiered Admin Accounts
    System Administrators with Domain Admin accounts should use a separate account for their daily activities (e-mail, web surfing, etc.). Domain Admin accounts provide pretty much God-level rights to a domain. Because of this they should be protected with complex passwords, and it’s a good idea to limit which servers/workstations they can log on to.

    Another good idea is to create a separate tiered account solely for managing workstations. This account could be assigned to the workstations’ local Administrators group via User Rights Assignment.
  • Protected Users Group
    Ever wonder how privilege escalation works? Well, here’s the short of it. When a user logs on to a machine, those credentials are cached in a file. If a threat actor gains access to that machine, there are applications they can run that will dump, in plain text, the credentials of any account that has logged on to that machine. Voila! They now have your credentials for whatever account you administered the workstation with.

    The fix for this is adding privileged accounts to the Protected Users Group in your Active Directory. The Protected Users Group does a few things, but most importantly it prevents the group members’ credentials from being cached, thus the threat actor cannot export the credentials. For a few gotchas on this solution, please review the article below.
    https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-users-group/
  • MFA on Privileged Accounts
    Another good way to protect your privileged accounts is to set up MFA on them. The most popular implementation I see of this is Cisco Duo’s MFA for Windows logon. Once installed, this solution requires users to authenticate their Windows logon session via Duo MFA prior to access. This can be set up for local Windows logon as well as RDP logons. At just $3 per user/month, this should be implemented on your Domain Admin accounts at a minimum.
    https://duo.com/editions-and-pricing
  • Disabling NTLMv1
    As authentication traffic crosses your network, the protocol encrypts your credentials to protect them. NTLMv1 uses an outdated encryption method and is highly susceptible to compromise. Most applications won’t be bothered by a switch to requiring NTLMv2 on your network, so implement a GPO to disable NTLMv1 as soon as you’ve tested it in your environment.
    https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series—part-1-%E2%80%93-disabling-ntlmv1/3934787
  • Disabling SMBv1
    Similarly, SMBv1 is highly susceptible to the numerous vulnerabilities that have been released through the years. Due to its legacy nature, disabling it shouldn’t affect any applications in production, but it’s always best to test. Once tested, push the GPO that disables SMBv1 to production.
    https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series—part-2-%E2%80%93-removing-smbv1/3988317
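    A quick way to verify three of the items above (Protected Users membership of your Domain Admins, the NTLMv1 setting and SMBv1) is the following PowerShell audit, added here as an example and not ITBM’s or Microsoft’s code. It assumes the RSAT ActiveDirectory module is installed, that it runs elevated on a domain-joined Windows host, and that your NTLM GPO targets level 5 (send NTLMv2 only, refuse LM and NTLMv1) as the pass condition.

```powershell
# Added audit example (not ITBM's code). Assumes the RSAT ActiveDirectory
# module is installed and the script runs elevated on a domain-joined host.
Import-Module ActiveDirectory

function Test-PrivilegedAccountsProtected {
    # Every user that is (directly or via nesting) a Domain Admin should also
    # be in Protected Users, so its credentials are not cached on logon.
    # Note: the Protected Users group exists only at 2012 R2+ domain level.
    $admins    = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                 Where-Object { $_.objectClass -eq 'user' }
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                 Select-Object -ExpandProperty SamAccountName
    foreach ($a in $admins) {
        [pscustomobject]@{
            Account   = $a.SamAccountName
            Protected = ($protected -contains $a.SamAccountName)
        }
    }
}

function Test-NtlmV1Disabled {
    # The GPO "Network security: LAN Manager authentication level" writes
    # LmCompatibilityLevel; 5 = send NTLMv2 only, refuse LM and NTLMv1.
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
                -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $shown = if ($null -eq $level) { 'not set (OS default)' } else { $level }
    [pscustomobject]@{
        Setting = 'LmCompatibilityLevel'
        Value   = $shown
        Pass    = ($level -eq 5)
    }
}

function Test-SmbV1Disabled {
    # Server-side SMBv1 switch; after the SMBv1 GPO this should be False.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    [pscustomobject]@{
        Setting = 'EnableSMB1Protocol'
        Value   = $smb1
        Pass    = (-not $smb1)
    }
}

# Run all three checks; any row with Protected/Pass = False needs attention.
Test-PrivilegedAccountsProtected | Format-Table -AutoSize
Test-NtlmV1Disabled
Test-SmbV1Disabled
```

    Run it on a domain controller and on a sample of member servers and workstations, since the GPO settings apply per machine and a single host passing does not prove the policy reached the rest of the fleet.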

ITBM’s Thoughts on Securing Active Directory

Implementing the above-mentioned tactics is NOT a foolproof methodology for preventing a security breach; however, they do go a long way toward stopping a threat actor from escalating the incident. The key point is that we are hoping the attacker moves on to an easier target or sets off alarms when they attempt to bypass or brute-force any of the above tactics.

If this list piqued your interest or you’re concerned with protecting yourself from potential threats, we’d love to chat! Contact us today for a consultation and let’s see how we can help you.
