What do we mean by a “Complete” Active Directory Security Assessment?
Nirmal K Ratawa [ Ex-MVP-Directory Service ]
MD/CTO @DP Technologies
We all claim that our products can do a thorough technical Active Directory Security Assessment and can reduce the attack surface by 85% or some other percentage. We could be somewhat correct, but in my opinion, if you use a company's services for an Active Directory evaluation, they will never guarantee that your Active Directory infrastructure will be 100% safe and secure. That is a fair statement, given that Active Directory is a complex architecture made much more complex by its permission structure. But how do you define a "complete" technical evaluation of an Active Directory system, and do you actually have the expertise to review Active Directory beyond the default criteria that come with an Active Directory assessment tool?
I took the liberty of writing this article to clarify some of my ideas on how to conduct a "complete" technical evaluation of an Active Directory infrastructure. I may have missed important topics, and I welcome suggestions that improve the accuracy of this article. All I am doing is sharing my opinions, formed through my interactions with clients during the Active Directory and Azure Entra ID evaluations we have been doing using SmartProfiler for Active Directory.
Why are attackers more interested in breaking into Active Directory?
Someone is "securing" something, and someone else is "breaking" something. Attackers only need to employ the 30–35 approaches listed in order to get access to Active Directory, but security personnel must employ all available technical means to defend the environment from attackers. When I say "all technical means," I mean looking at Active Directory from the standpoint of attackers as well as from the standpoint of AD upkeep.
After working with clients from all around the world, my path with Active Directory has been interesting. Since there were no ransomware attacks when we were working with Windows NT, Windows 2000 AD, and even Windows 2008, we never paid any attention to protecting Active Directory. Active Directory is now more open to attack, because your Active Directory infrastructure is completely open to intruders once an attacker has obtained access to your network. Moving to the Azure cloud would thus protect you from 60% of attacks, but the sad fact is that not many organizations can totally switch to Azure, since the majority of in-house applications would be severely impacted by performance issues as a result.
There are several reasons as to why I think that Active Directory is more vulnerable to attackers:
The fact that an attacker will have investigated every method of breaking into Active Directory, while not all Active Directory administrators are aware of them, makes it necessary to conduct a "complete" security assessment of Active Directory. When I say "complete AD assessment," I mean looking for misconfigurations that an Active Directory administrator would overlook and never examine, as well as checking for configuration issues that you can only investigate depending on your level of Active Directory expertise. Let's clarify the difference between a "Complete" and an "Incomplete" Active Directory evaluation.
“Complete” vs. “Incomplete” Active Directory technical evaluation.
You are missing a lot of other components of an Active Directory review if you only cover the default assessment criteria, which are also the ones commonly used by AD professionals and businesses. When it comes to conducting a security assessment of an Active Directory system, there are a few standard criteria that every AD professional is aware of. PowerShell scripts are easily accessible and can be used to check 50% of an Active Directory environment's security, and another 20% of such scripts cover an Active Directory environment's health. However, this does not mean that you can use these scripts to perform a "Complete" technical assessment of an Active Directory environment.
If a company claims to offer a "complete" technical evaluation for Active Directory, or, to put it another way, a complete cybersecurity assessment, I believe this needs to be discussed with the company offering the service. I have tested and reviewed several utilities and tools for Active Directory security assessment in order to understand what they cover as part of their AD evaluation, but none of them pay attention to "all" parameters. For instance, if you claim to verify (as part of the security assessment) "Ensure the AdminSDHolder object's permissions are right", you still fail to check the orphaned admins in the domain, which are directly related to the AdminSDHolder object. A user account that is not visible in Active Directory as an admin but still qualifies as an admin is known as an orphaned admin. The SDProp process still treats these orphaned admins as admins for permission propagation. So orphaned admins are admins, and the fact that they are hidden is a security risk too. Similarly, if you check all Service Principals in a domain, how are you going to make sure those service principals are real and won't cause any issues?
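The orphaned-admin check described above, as an added PowerShell example that is not code from the article or from SmartProfiler. It assumes the RSAT ActiveDirectory module (which also provides the AD: drive) and a session that can read the domain; the protected-group list is the default set and may need extending for a given domain, and `Repair-OrphanedAdmin` is a hypothetical helper.

```powershell
# Added example, not code from the article or SmartProfiler. Assumes the RSAT
# ActiveDirectory module (provides the AD: drive) and a session that can read the domain.
Import-Module ActiveDirectory

function Get-OrphanedAdmin {
    <#
    Lists accounts stamped adminCount=1 by SDProp that are no longer members of any
    protected group. They keep the AdminSDHolder ACL and inheritance stays blocked,
    so they are still treated as admins while being invisible in the admin groups.
    #>
    [CmdletBinding()]
    param(
        # Default protected groups; extend this if the domain has customised the set
        [string[]]$ProtectedGroups = @(
            'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
            'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators',
            'Replicator', 'Domain Controllers', 'Read-only Domain Controllers',
            'Key Admins', 'Enterprise Key Admins'
        )
    )

    # Set of DNs that legitimately belong to a protected group (nested membership included)
    $legit = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($name in $ProtectedGroups) {
        # Enterprise/Schema/Enterprise Key Admins only exist in the forest root domain
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { [void]$legit.Add($_.DistinguishedName) }
    }

    # Every account SDProp has stamped (objectClass=user also matches computer objects)
    Get-ADObject -LDAPFilter '(&(objectClass=user)(adminCount=1))' `
                 -Properties sAMAccountName, whenChanged |
        Where-Object {
            -not $legit.Contains($_.DistinguishedName) -and
            $_.sAMAccountName -ne 'krbtgt'          # krbtgt is stamped by design
        } |
        ForEach-Object {
            $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
            [pscustomobject]@{
                SamAccountName     = $_.sAMAccountName
                DistinguishedName  = $_.DistinguishedName
                WhenChanged        = $_.whenChanged
                # SDProp also blocks inheritance; the stale stamp is what keeps it blocked
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
}

function Repair-OrphanedAdmin {
    # Hypothetical helper: clears the stale stamp and re-enables ACL inheritance.
    # Review each account first; run with -WhatIf to see what would change.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear adminCount and restore inheritance')) {
            Set-ADObject -Identity $DistinguishedName -Clear adminCount
            $acl = Get-Acl -Path "AD:\$DistinguishedName"
            $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep explicit ACEs
            Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
        }
    }
}

# Review first, then fix deliberately
Get-OrphanedAdmin | Format-Table SamAccountName, InheritanceBlocked, WhenChanged -AutoSize
# Get-OrphanedAdmin | Repair-OrphanedAdmin -WhatIf
```

An account that appears here but is still needed as an admin should be put back into the right protected group rather than repaired, so that SDProp manages it deliberately.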
If some companies claim to be able to lower the Active Directory attack surface by around 70% or some number, you should inquire further or perform a more thorough evaluation to see whether they are genuinely able to do so. And if companies claim to be able to undertake a "complete" technical evaluation of an Active Directory system, then why do you believe the AD assessment services you're planning to offer will be able to perform a thorough AD evaluation?
Take note that the phrase "Complete" suggests that every risk, and every item related to it, in Active Directory will be mitigated as part of the evaluation. Saying "Complete" claims that your Active Directory environment is now safe and that no one can access it or break into any domain-joined device.
The concepts "Complete Assessment" and "reducing attack surface by 75% or some number" need to be discussed as part of this section. In the context of an Active Directory evaluation, the term "Complete Assessment" refers to the parameters that were examined. Keep in mind that Active Directory consists of a variety of elements, and because of the complexity of its structure you must include all of them, from user objects to NTDS objects and lower-level attributes. Group Policy Objects are important to remember, too. Similarly, the DNS tests that must be examined as part of the AD technical review cannot be disregarded. Your tool or technique must examine every component of Active Directory in order to provide a thorough technical evaluation. Even if you checked GPOs, DNS, AD replication, domain configuration, domain controllers, and other things, failing to check the remaining components would result in an "Incomplete" assessment. The issues that you fix as part of an Active Directory technical assessment may not stay resolved if the assessment was incomplete.
A basic strategy to perform a “complete” assessment of an Active Directory should include two things:
It should be noted that the tool or software you choose for an AD technical assessment can assist you in identifying problems but cannot ensure that the Active Directory environment will be safe once the issues uncovered by the tool are fixed. For example, you can fix the issues identified by those general PowerShell scripts, but what if someone with a "Write" permission can undo your change so that the issue reappears? Based on the basic evaluation result provided by the tool or software, you will use your own knowledge to analyze a number of other Active Directory environment factors. Keep in mind that every organization wants our assistance and relies on us to make sure that their Active Directory environment is protected against intruders, including ransomware attacks.
Active Directory Assessment Categories and Methodology
We were recently hired to do a review of the Active Directory assessment for a customer. We discovered a great deal of information that I won't go into detail about here, but every interaction with a client teaches you more and improves your ability to assist them. All basic and advanced parameters should be included in any tool or piece of software you choose to conduct an Active Directory assessment, depending on your level of Active Directory expertise. In my opinion, you should consider all the factors in the three main categories below while evaluating Active Directory. Each evaluation tool should include the following five fundamental assessment areas, whether it focuses on Active Directory, Office 365, or any other technology: health check, configuration errors, security risks, noncompliance, and performance.
You can read more about assessment categories in this article here:
Assessment Methodology
While the Assessment Categories assist in selecting the appropriate Active Directory Assessment tool, the Methodology provides an overall perspective for both the IT Management Team and IT Operations Team. The tool should adopt a methodology that caters to the needs of both teams. The methodology should include the following:
Basic Assessment Parameters in an Active Directory Assessment Engagement
Once you have identified the categories, define sub-categories within each one so that nothing is missed from the parent category's point of view. For example, for the Health category, decide which Active Directory components you will check to ensure they are healthy, and define a sub-category for each component, such as a GPO sub-category. Similarly, decide which parameters you need to check for DNS in the Misconfiguration category. To complete the picture of the sub-categories associated with the above categories, here is a list of sub-categories:
Note that even if you include the above sub-categories in the AD assessment, the assessment still can't be considered a "complete" assessment. As I stated earlier, the AD evaluation requires that you perform an assessment of the above sub-categories, but you must still use your own experience to evaluate the rest of the parameters based on the technical findings. Please check the section "Advanced Assessment Parameters" in this article.
Coming back to the test parameters to be included in an Active Directory assessment, there are actually many of them, depending on how much experience you have working with Active Directory. If I were to provide a list of test parameters for each sub-category, there could be more than 200. However, some of the basic assessment parameters are highlighted here:
Account Policies
Active Directory DNS
Active Directory Forest
…and many more.
Advanced Assessment Parameters
How many times have you assessed an Active Directory environment for a client and seen users with unconstrained delegation, trusted for delegation, DES encryption enabled, and Kerberos pre-authentication disabled? A small business running Active Directory with two to five domain controllers should be able to manage its AD infrastructure easily without using the aforementioned settings for users. Unconstrained delegation, DES encryption for users, and disabling Kerberos pre-authentication for users are not actually required. You would still need to complete the user-related tests in the standard checklist included in the assessment tool to make sure everything is in order for user objects. The advanced parameters of an Active Directory assessment include, but are not limited to:
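An added PowerShell example (not from the article or SmartProfiler) that finds the user settings called out above by decoding the userAccountControl bits directly rather than trusting a GUI. It assumes the RSAT ActiveDirectory module; the flag values are the documented userAccountControl bits, and `Clear-RiskyUserFlag` is a hypothetical remediation helper.

```powershell
# Added example, not code from the article or SmartProfiler. Assumes the RSAT
# ActiveDirectory module. Flag values are the documented userAccountControl bits.
Import-Module ActiveDirectory

$UacFlags = [ordered]@{
    PASSWD_NOTREQD                 = 0x20
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation
    USE_DES_KEY_ONLY               = 0x200000    # DES encryption for Kerberos
    DONT_REQUIRE_PREAUTH           = 0x400000    # Kerberos pre-authentication disabled
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
}

function Get-RiskyUserFlag {
    # Returns one row per user carrying any of the flags above, with context that helps
    # decide whether the setting is needed (an SPN, a delegation target, last logon).
    [CmdletBinding()]
    param([string]$SearchBase)   # optional OU to scope the search

    # One LDAP bitwise-AND clause per flag, OR'd together, so only matches come back
    $clauses = $UacFlags.Values | ForEach-Object { "(userAccountControl:1.2.840.113556.1.4.803:=$_)" }
    $filter  = "(&(objectCategory=person)(objectClass=user)(|$($clauses -join '')))"

    $query = @{
        LDAPFilter = $filter
        Properties = 'userAccountControl', 'servicePrincipalName',
                     'msDS-AllowedToDelegateTo', 'lastLogonTimestamp'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        $uac = [int]$_.userAccountControl
        $set = $UacFlags.GetEnumerator() |
               Where-Object { ($uac -band $_.Value) -ne 0 } |
               Select-Object -ExpandProperty Key
        $last = $null
        if ($_.lastLogonTimestamp) { $last = [datetime]::FromFileTime($_.lastLogonTimestamp) }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Enabled        = $_.Enabled
            Flags          = ($set -join ',')
            HasSPN         = [bool]$_.servicePrincipalName   # delegation without an SPN is odd
            DelegateTo     = ($_.'msDS-AllowedToDelegateTo' -join ';')
            LastLogon      = $last
        }
    }
}

function Clear-RiskyUserFlag {
    # Hypothetical remediation helper: turns off the Kerberos-related flags. Run with
    # -WhatIf first and confirm with the application owner that nothing depends on them.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SamAccountName)
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable delegation, DES-only keys and no-preauth')) {
            Set-ADAccountControl -Identity $SamAccountName -TrustedForDelegation $false `
                -TrustedToAuthForDelegation $false -UseDESKeyOnly $false -DoesNotRequirePreAuth $false
        }
    }
}

# Report first; remediation is a separate, deliberate step
Get-RiskyUserFlag | Sort-Object Flags |
    Format-Table SamAccountName, Enabled, Flags, HasSPN, LastLogon -AutoSize
# Get-RiskyUserFlag | Where-Object Flags -match 'DELEGATION|DES|PREAUTH' | Clear-RiskyUserFlag -WhatIf
```

Dropping objectCategory=person from the filter runs the same checks against computer objects, where unconstrained delegation on anything other than a domain controller deserves the same scrutiny.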
Let’s take a look at each of these topics one by one:
Investigating further based on the Assessment Findings
You will be evaluated on your Active Directory experience when you work with the advanced evaluation criteria. Let's go over some of the factors for advanced evaluation and how you might look into them more.
It completely depends on your basic assessment that you performed for the Active Directory before you can use your own experience in performing an advanced assessment.
GPO Structure and Settings
Be aware that the assessment tool may not be able to gather all of the hundreds of settings listed in every Group Policy Object when you do an Active Directory evaluation. All GPOs must be gathered, together with the settings specified in each one. To gather all GPO settings, use a PowerShell script. You must then run the following tests on the GPOs you have gathered:
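An added PowerShell example (not the article's script or SmartProfiler's collector) that gathers every GPO's settings as XML reports using the RSAT GroupPolicy module and builds an inventory from the reports themselves. `Export-AllGpoReport` and the output folder are assumptions.

```powershell
# Added example, not the article's script or SmartProfiler's collector. Assumes the RSAT
# GroupPolicy module and a writable output folder.
Import-Module GroupPolicy

function Export-AllGpoReport {
    # Saves every GPO as an XML report (every setting, not just the ones a tool knows
    # about) and returns an inventory row per GPO built from that report.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$OutDir)

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($gpo in Get-GPO -All) {
        $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        $path     = Join-Path $OutDir "$safeName.xml"
        $xmlText  = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        Set-Content -Path $path -Value $xmlText -Encoding Unicode

        [xml]$report = $xmlText
        $g     = $report.GPO
        $links = @($g.LinksTo | Where-Object { $_ })       # absent element means no links

        [pscustomobject]@{
            Name           = $gpo.DisplayName
            Id             = $gpo.Id
            Status         = $gpo.GpoStatus                  # AllSettingsEnabled, UserSettingsDisabled, ...
            LinkCount      = $links.Count                    # 0 means the settings never apply
            LinkedTo       = (($links | ForEach-Object { $_.SOMPath }) -join ';')
            HasComputerSet = [bool]$g.Computer.ExtensionData # any computer-side setting present
            HasUserSet     = [bool]$g.User.ExtensionData     # any user-side setting present
            Modified       = $gpo.ModificationTime
            ReportPath     = $path
        }
    }
}

# Gather everything once, then run checks against the inventory rather than live AD
$inventory = Export-AllGpoReport -OutDir 'C:\ADAssessment\GPO'   # output folder is an assumption

# First tests on the gathered GPOs: unlinked, fully disabled, or empty policies
$inventory |
    Where-Object {
        $_.LinkCount -eq 0 -or
        $_.Status -eq 'AllSettingsDisabled' -or
        (-not $_.HasComputerSet -and -not $_.HasUserSet)
    } |
    Format-Table Name, Status, LinkCount, HasComputerSet, HasUserSet -AutoSize
```

Because the XML reports are kept on disk, later checks against individual settings can be run offline from the same capture, which also gives you a baseline to diff against on the next assessment run.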
CIS and NIST GPO Settings
Have you ever considered that there are GPO settings recommended by CIS and NIST which need to be configured and applied to every Domain Controller in an Active Directory forest? CIS, the Center for Internet Security, is a non-profit organization working closely with Microsoft to release standard benchmarks for Microsoft technologies. CIS has released standard GPO settings to be applied to Domain Controllers running the operating systems below:
SmartProfiler for Active Directory ships with a CIS/NIST Analyzer module that can help you check CIS/NIST settings on your domain controllers, as shown in the screenshot below:
Organizational Units Permissions
Given that Active Directory is quite complicated when it comes to understanding its permissions structure, analyzing organizational unit permissions is a challenging undertaking. Still, the Active Directory permissions defined on Organizational Units and Tier 0 objects must be checked when doing an Active Directory assessment. Failing to do so would leave the customer with an incomplete assessment. Let's imagine that after fixing the problems found during the evaluation and completing the client engagement, you neglected to handle some of the abusable permissions. In such a situation, someone holding a privilege that can be abused could acquire access to Active Directory and subsequently do harm. So, keep the following things in mind while analyzing permissions for an Active Directory environment:
Understanding AD Permissions and Structure
Although Active Directory has a wide variety of objects, five of them are the ones vulnerable to attack: the User, Computer (regular computer or domain controller), Managed Service Account, gMSA, and inetOrgPerson classes. In other words, Active Directory attack paths apply to an object that has a password associated with it, together with the permissions, explicit or implicit (direct or indirect), that make that object a privileged account.
If you're referring to Azure Active Directory (Azure Entra ID), these attack paths would include Global Administrators, guest accounts, Azure applications, Azure application permissions, and a few other flags that every hybrid admin should be checking. However, we will discuss Azure AD (Entra ID) permissions and attack paths in another article.
Keep in mind that before performing an operation, Active Directory significantly relies on the permissions given to objects and the properties of objects. For instance, if I want to change someone's password, I can only do so if I have been granted the Password Reset permissions, am a part of a security group that has already been granted the Password Reset Permissions, or am a member of a security group that has the ability to change an object's password by default. Password Reset authority is "indirectly" granted to Domain Admin. In the same way, in order for me to remove an item, I must first have those permissions granted to me.
Active Directory's structure is complicated because of its design. A permission might be a direct assignment, the user could be a member of a group that has Password Reset permission assigned, or the user could be a member of a group that holds Password Reset permission implicitly, such as the Domain Admins group. The largest issue to date is assessing the rights given to objects in Active Directory. Before delving into Active Directory permissions, let's look at the many types of actions that may be carried out there:
However, note that these operations will occur with the help of three types of standard permissions: Read, Write (Modify), Full Control.
The two interesting standard permissions are "Write" and "Full Control"; occasionally, AD refers to "Full Control" as "Generic All". It's important to understand that a write action on an object in Active Directory might occur at multiple places for the same object, as indicated below:
Remember that not all permissions in Active Directory begin with the word "Write". That's another challenging aspect. While some permissions go by a different name, they really write to the object. The "Self" permission is one example: it enables a user to add itself to the target security group. For instance, I may join the group myself if I have the "Self" permission on it. Isn't it confusing that a permission named "Self" is also carrying out a write operation? If the word "Write" had been the first word in every permission that actually writes to an object, things would have been much simpler! It's okay though, because this is how AD developed.
Actually, in addition to using permissions to take over Active Directory or its objects, attackers may also leverage other weak properties. Not all of these attributes will be explained in this article. Here is a list of permissions that attackers are more likely to be interested in and can use or assign themselves in order to take control of Active Directory as we continue our study of permissions. For our discussion, however, and to make sure you understand the difference between changing an object's property and the whole object, I have produced a table that indicates if that permission would change the entire object or simply its property:
Note: In a subsequent article, I want to go into further depth on Active Directory Permissions. Attackers frequently exploit the aforementioned permissions to access Active Directory, though.
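An added PowerShell example, not code from the article or from SmartProfiler's Permissions Analyzer, that walks every OU and a few Tier 0 objects and reports write-capable ACEs held outside the expected admin set, including the "Self" validated write discussed above. It assumes the RSAT ActiveDirectory module (for the AD: drive); the rights GUID table holds well-known schema GUIDs, and the expected-trustee pattern is an assumption to tune per domain.

```powershell
# Added example, not code from the article or SmartProfiler's Permissions Analyzer.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

# Well-known rights GUIDs; anything else is shown as the raw GUID for follow-up
$RightGuid = @{
    '00000000-0000-0000-0000-000000000000' = 'whole object (all properties / all extended rights)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member attribute / Self-Membership validated write'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (reset password)'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
# Rights that change the object or who controls it. "Self" does not say Write but is one of them.
$WriteRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'Self', 'ExtendedRight'
# Trustees expected to hold such rights (assumption, tune per domain). NT AUTHORITY\SELF = the object itself.
$ExpectedTrustees = '^(NT AUTHORITY\\(SYSTEM|SELF)|BUILTIN\\Administrators|.*\\(Domain|Enterprise) Admins|.*\\(Enterprise )?Domain Controllers)$'

function Get-WriteAce {
    # Emits one row per allow ACE that grants a write-capable right to an unexpected trustee
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$DistinguishedName)
    process {
        $acl = Get-Acl -Path "AD:\$DistinguishedName"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -match $ExpectedTrustees) { continue }
            $granted = ($ace.ActiveDirectoryRights.ToString() -split ',\s*') |
                       Where-Object { $_ -in $WriteRights }
            if (-not $granted) { continue }
            $guid  = $ace.ObjectType.ToString()            # empty GUID = not scoped to one property/right
            $scope = $guid
            if ($RightGuid.ContainsKey($guid)) { $scope = $RightGuid[$guid] }
            [pscustomobject]@{
                Object      = $DistinguishedName
                Trustee     = $ace.IdentityReference.Value   # unresolved SIDs (orphans) show up here too
                Rights      = ($granted -join ',')
                Scope       = $scope
                Inherited   = $ace.IsInherited
                Inheritance = $ace.InheritanceType           # None, All, Descendents, ...
            }
        }
    }
}

# Targets: the domain head, AdminSDHolder, the Domain Controllers OU, and every OU
$domain  = Get-ADDomain
$targets = @(
    $domain.DistinguishedName
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $domain.DomainControllersContainer
) + @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$findings = $targets | Sort-Object -Unique | Get-WriteAce
$findings | Sort-Object Trustee, Object |
    Format-Table Trustee, Rights, Scope, Inherited, Object -AutoSize
```

Rows scoped to the whole object or to the member attribute are the ones that turn a plain account into a privileged one; rows with Inherited set to True point at a parent OU as the place to fix rather than the object itself.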
How should Active Directory remediation be handled?
Once the evaluation is complete, your assistance is needed to resolve the problems noted. Whether they are GPO issues, permission issues, or issues rated critical, high, medium, or low, each one needs to be carefully examined before being resolved.
The whole purpose of investigating Active Directory is to ensure you identify and fix those "ghost" entries and issues. A ghost entry in Active Directory is an object that is unknown to the "administrators". A ghost entry is always an object that has a password associated with it. If you can find and fix those ghost entries and issues, then you can eliminate 95% of attacks in Active Directory. The remaining 5% you can't eliminate, as they belong to "social engineering", where an admin supplies credentials to an attacker or creates a user account with the permissions required for attacking Active Directory.
In this section we will learn how you can fix those issues identified during the basic and advanced assessment stages. We will look at below:
Approach to Fix Critical, High, Medium and Low Issues
Many Active Directory specialists, according to what I've observed, have recommended disabling TLS 1.1, NTLM, RC4, and other things that were discovered during the Active Directory evaluation. But it's important to remember that you can't just address the problems if you don't have a plan for doing so. To put it another way, you must evaluate the customer's environment in relation to the problem you want to fix. For instance, if you choose to disable the TLS 1.1 protocol in Active Directory, you must first confirm with the client that none of their apps use the protocol or are enforcing it. So keep the following strategy in mind when fixing problems in the Active Directory environment:
o Desktop Applications
o Browser-Based Applications
o If no, then request that the customer implement one.
Create an Excel sheet with a summary of the problems you noticed and the columns mentioned above. Make sure that the customer is aware of your plan for resolving each issue.
Think Logically when fixing issues
It's not required to address every issue separately. Some issues are automatically resolved when you resolve another problem. For instance, errors and warnings on the domain controllers will be resolved immediately once the Active Directory replication topology is corrected and the related issues are fixed. Here, you must take some time to sit down and go over each issue one at a time. Then, using your own logic and experience, you must determine whether any of these issues can be resolved by addressing others.
Approach to Fix Active Directory Permissions
When it comes to fixing Active Directory permissions, your approach should consider whether removing any permission will cause issues in Active Directory. Do you have an easy way to fix these permissions while ensuring there is no downtime for services and that user access is not removed unnecessarily? Remember that when you remove permissions from Organizational Units, you need to check each user or group account to ensure it is not required by a particular application. If an account is required by an application, protect the account by adjusting its permissions and hiding the object. For example, if a service account has Full Control on an organizational unit and that service account is used by an application, you should hide that account or assign it the least permission it needs. Let's assume you have found some risky permissions assigned to objects and have decided to remove them, but removing these permissions doesn't solve the customer's problem. You need to address those permissions in such a way that the customer understands why they were assigned. For example, if you decide to remove a service account's Full Control permission but don't know what the application does with it, you must find out which permissions the application actually requires so that it can keep working without Full Control on the organizational unit (OU). When fixing Active Directory permissions, take the following approach:
Active Directory Tier Model
An Active Directory Tier model can help you streamline your permissions structure. You need to define a structure for managing Tier 0, Tier 1 and Tier 2 objects in Active Directory; if one is not implemented, you are required to work with the customer and have it implemented. There are several benefits associated with Active Directory Tier management, as listed below:
When working on a Tier model for customer, ensure to collect required information from the customer by having a discussion with them on the following topics:
Note that these "Managed Objects" can be Tier 0, Tier 1, or Tier 2 objects, but let's not go into what Tier 0, Tier 1 and Tier 2 objects are here. If you define all objects in an Excel sheet under the "AD Managed Objects" category, then all you need to do is put a check mark in the respective column indicating that the object can be managed by the respective Tier Admin.
There could be multiple admins defined as Tier Admins. You need to work with the customer to understand their current management model for these AD Managed Objects.
Please note that all objects in an Active Directory environment can be read by any authenticated user. You may want to block read access to some critical objects depending on the assessment outcome and your discussion with the customer. If you find that some organizational units contain objects that are very critical to the business, then you must block read access to these objects and organizational units, and also apply a logical thought process to ensure only allowed users can access or read those objects.
Reactive Vs Proactive Engagement
Active Directory engagements that are reactive don't benefit your customer. It could help you earn some money, but it doesn't benefit the customer in any way. The customer you deal with for an Active Directory assessment engagement has high expectations of you, since you are more knowledgeable about the technology and you are the technology leader. If you only run the tool and address the problems you identified during the evaluation, you cannot consider the engagement finished. Making the assessment and addressing the problems identified during it are examples of a reactive strategy, while a proactive strategy involves putting in place the essential safeguards to secure and protect the customer's environment against problems and disasters. So what other controls do you believe you could put in place as part of a proactive strategy? Your prior expertise is helpful here. If you have experience with such engagements, you know which controls you must put in place to safeguard your clients' environments. For instance, a client could be using a pricey solution to take full backups and snapshots of Active Directory domain controllers, yet failing to take a system state backup poses a serious risk in the event that Active Directory needs to be restored following a disaster. You may wish to compile a list of documents and develop a mitigation strategy while assessing a client's environment in order to avoid failures in the near future. These documents should include:
The scheduler that comes with the assessment tool allows you to set up all or some checks as part of a schedule. The scheduler runs at pre-defined intervals and warns you if it discovers any critical or high concerns. Keep in mind that you must perform the assessment checks each week to make sure the problems you found and resolved as part of the remediation services do not come up again. This is the point at which you need to start working on the mitigation plan.
SmartProfiler for Active Directory was redesigned to meet proactive engagement requirements
To satisfy the needs of a proactive Active Directory engagement, DynamicPacks Technologies has worked very hard to redesign SmartProfiler for Active Directory. When you propose an Active Directory engagement to your customer, you are doing so with a full evaluation package that includes an Issues Fixer to address issues, a Permissions Analyzer & Fixer to examine and address permissions, a scheduler to plan assessments, an operational scheduler to run operational scripts at pre-defined intervals, and many other features that help with the assessment and allow for a quick evaluation.
Here are some of the features that we are providing as part of SmartProfiler for Active Directory:
Assessment of Active Directory and Azure Entra ID:
SmartProfiler for Active Directory now ships with an Azure Entra ID assessment. After receiving feedback from our customers, we decided to include tests for Azure Entra ID. As you can see in the screenshot below, SmartProfiler is capable of executing Azure Entra ID tests:
The assessment license now supports the following features:
Active Directory Issues Fixer
Version 6.2 of SmartProfiler for Active Directory now ships with an Issues Fixer, which can be used to fix critical, high, medium and low issues easily. The Issues Fixer provides the following features:
Permissions Analyzer & Fixer
As stated earlier, analyzing Active Directory permissions and fixing them is part of the advanced assessment. To ensure you can analyze Active Directory permissions and fix them, we have included the Permissions Analyzer & Fixer. It can be used to analyze permissions on Organizational Units and Tier 0 objects and provides the following features:
Assessment Scheduler
Every Active Directory assessment requires that the environment is monitored to ensure issues do not re-occur, and if they do re-occur, that admins are notified of them via email. Keeping the feedback from customers in mind, we have included an Assessment Scheduler that runs all checks in Active Directory and Azure Entra ID and notifies you of any issues:
The Assessment Scheduler provides the following features:
Thank you for reading!