How to harden Active Directory: Part-2
Please check out part 1 before reading this. Again, I will be summarizing the points from TryHackMe that I think will be helpful for you.
Implement a least-privilege model.
- Create the right type of account for the right purpose. Don’t use a user account as a service account or vice versa.
- Role-Based Access Control on Hosts: make sure your normal domain users do not get local admin privileges on their own systems. If they need to install any software, they should ask IT Support. Also make sure that only the ports necessary to communicate with AD (i.e. Kerberos) are allowed from the LAN user subnet. LAN users should not be able to reach AD over the RDP port.
- Tiered Access Model.
Now let’s see how to create a tiered access model:
1. Create a Security Group for System Admins:
Create a security group in Active Directory to hold your system administrators (e.g. a “ServerAdmins” group).
2. Delegate Permissions (Not Needed Though):
You do not need to delegate additional permissions to the “ServerAdmins” group for administrative access. The Restricted Groups feature will handle this aspect.
3. Create and Configure a Group Policy Object:
Open “Group Policy Management” on your domain controller.
Create a new GPO or use an existing one that is linked to the appropriate OU containing your server computer objects.
In the GPO, navigate to “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Restricted Groups.”
Add the “Administrators” group and specify the “ServerAdmins” group as a member.
4. Apply Group Policy Object:
Link the GPO to the appropriate OU containing your server computer objects.
Allow time for Group Policy to propagate through your network or force an update using gpupdate /force.
With these steps, the “ServerAdmins” group will be automatically added as a member of the “Administrators” group on each server within the specified OU. This will grant administrative access to the members of the “ServerAdmins” group without the need for separate permission delegation.
The purpose of the Restricted Groups feature is to centrally manage group memberships on target computers, which helps enforce consistent security configurations across multiple machines. This way you don’t need to give your admins Domain Admin privileges just to administer each server.
Implementation of Tiered Access Model
Restricted Groups are applied on a need basis. Our goal is to give permissions to a set of people (members of a “Tier 1 Admins” group) who will only manage our servers; for that reason they will also be the local admins of those servers. When we spin up a server, we want to see Tier 1 Admins present in its local Administrators group. We will push this policy only to our servers OU. But remember, it is not applied globally! See the screenshot below.
You can see that the Builtin Administrators group in AD does not contain the Tier 1 Admins group. That is expected, because the policy is not applied globally. We created a GPO only for our servers, and we only want some of our server admins to become local admins of those servers. This can only be established by using Restricted Groups: in Restricted Groups we explicitly state which of our groups should be a member of another, more powerful group. Here we want the Tier 1 Admins group to be a member of the powerful local Administrators group.
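The following PowerShell is an added example (not from the TryHackMe room or this post) that automates the group and GPO creation from the steps above and then verifies the result the screenshot describes: the tier group appears in the local Administrators group of every server in the OU, and does not appear in the domain’s Builtin Administrators group. The Restricted Groups entry itself is still added in the GPMC editor as described above. The OU path OU=Servers, the group name Tier 1 Admins and the GPO name Tier1-Server-LocalAdmins are assumptions; the RSAT ActiveDirectory and GroupPolicy modules must be installed.

```powershell
# Added example: create the tier-1 group, create and link the GPO that will carry the
# Restricted Groups setting, then verify the outcome on the servers and in AD.
# Assumed names: OU=Servers, "Tier 1 Admins", "Tier1-Server-LocalAdmins".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = (Get-ADDomain).DistinguishedName
$serverOu  = "OU=Servers,$domainDn"      # assumed: OU holding the server computer objects
$groupName = "Tier 1 Admins"             # assumed group name
$gpoName   = "Tier1-Server-LocalAdmins"  # assumed GPO name

# 1. Security group whose members become local Administrators on servers only
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$domainDn" -Description "Tier 1: local admin on member servers only"
}

# 2. GPO linked to the server OU only (the Restricted Groups entry
#    "Administrators <- Tier 1 Admins" is added in the GPMC editor as described above)
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Restricted Groups: Tier 1 Admins -> local Administrators"
}
$linked = (Get-GPInheritance -Target $serverOu).GpoLinks.DisplayName
if ($linked -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $serverOu -LinkEnabled Yes | Out-Null
}

# 3a. Verification (run after gpupdate /force on the servers): every server in the OU
#     should list the tier group in its local Administrators group
$servers = Get-ADComputer -SearchBase $serverOu -Filter * | Select-Object -ExpandProperty Name
$report  = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue `
    -ArgumentList $groupName -ScriptBlock {
        param($g)
        $members = Get-LocalGroupMember -Group Administrators | Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            HasTierGroup = ($members -contains "$env:USERDOMAIN\$g")
            Members      = ($members -join "; ")
        }
    }
$report | Format-Table Computer, HasTierGroup, Members -AutoSize
$report | Where-Object { -not $_.HasTierGroup } | ForEach-Object {
    Write-Warning "$($_.Computer): '$groupName' is missing from local Administrators"
}

# 3b. The domain's Builtin Administrators group must NOT contain the tier group;
#     if it does, the group has domain-wide admin rights, not tier-1 scope.
$builtin = Get-ADGroupMember -Identity "Administrators" | Select-Object -ExpandProperty Name
if ($builtin -contains $groupName) {
    Write-Warning "'$groupName' is a member of the domain Builtin Administrators group; that is wider than tier 1."
} else {
    Write-Host "'$groupName' is not in Builtin Administrators (expected)." -ForegroundColor Green
}
```

Run it once from a domain controller or an RSAT workstation after the Restricted Groups entry has been configured in the GPO; the report in step 3a is the same check the screenshot makes, but for every server in the OU at once.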
Auditing Accounts:
A great tool from Enzoic. You will need this tool before your audit or in a pentesting situation. It tells you which account passwords need to be changed based on certain criteria. Please read about it on the website; it’s easy.
Now we will learn how to use the Microsoft Security Compliance Toolkit to harden systems.
https://www.microsoft.com/en-us/download/details.aspx?id=55319
It provides baseline security policies for various Windows client and server platforms. You can apply them to your server or local computer and manage them there. Say your AD runs on Windows Server 2016. You can harden it using the Server 2016 baseline security policy by running the provided PowerShell script. You can also import that Server 2016 baseline into your AD GPO settings so that you can push the same settings to your other 2016 servers in a Server 2016 OU created in AD. Similarly, you can import the Windows 10 security baseline into AD as a GPO and apply it to a Windows 10 OU.
Please note, just running the script as described above will not work; you need to do the following first. Go to the C:\Users\Administrator\Desktop\Scripts\Windows Server 2019 Security Baseline\Local_Script\LGPO folder and copy LGPO.exe to the C:\Users\Administrator\Desktop\Scripts\Windows Server 2019 Security Baseline\Local_Script\Tools folder.
Now open powershell.exe (with admin privileges).
Now type: Set-ExecutionPolicy RemoteSigned
Then: Import-Module .\BaselineLocalInstall.ps1
Then: .\BaselineLocalInstall.ps1 -WS2019DomainController (or . .\BaselineLocalInstall.ps1 -WS2019DomainController)
Now all the recommended local policies will be set.
Just a little bit of R&D. From the above, I tried to change the value of Interactive logon from 900 seconds to 400 seconds and saved the file. After that I re-executed the command, but the change did not take effect.
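The script below is an added example, not part of the post or of Microsoft’s toolkit. It wraps the steps above: it copies LGPO.exe into the Tools folder, saves the current local security policy and audit policy so the baseline can be rolled back, runs BaselineLocalInstall.ps1 with the -WS2019DomainController switch from the post, and then reads back one setting (the 900-second “Interactive logon: Machine inactivity limit” mentioned above, stored as the InactivityTimeoutSecs registry value under the System policies key). The toolkit path is the one from the post; the backup folder C:\PolicyBackup is an assumption.

```powershell
# Added example: pre-flight, backup, apply and spot-check for the local baseline install.
# Assumptions: toolkit extracted to $baselineRoot (path from the post); C:\PolicyBackup is writable.
$baselineRoot = "C:\Users\Administrator\Desktop\Scripts\Windows Server 2019 Security Baseline"
$backupDir    = "C:\PolicyBackup\$(Get-Date -Format yyyyMMdd-HHmmss)"   # assumed location

# The baseline script must run elevated
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell session."
}

# (a) BaselineLocalInstall.ps1 expects LGPO.exe in its Tools folder (the copy step above)
$lgpoSrc  = Join-Path $baselineRoot "Local_Script\LGPO\LGPO.exe"
$toolsDir = Join-Path $baselineRoot "Local_Script\Tools"
if (-not (Test-Path (Join-Path $toolsDir "LGPO.exe"))) {
    Copy-Item -Path $lgpoSrc -Destination $toolsDir
}

# (b) Roll-back material: export the current security template and audit policy
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$secBefore = Join-Path $backupDir "secpol-before.inf"
$audBefore = Join-Path $backupDir "auditpol-before.csv"
secedit /export /cfg $secBefore /quiet | Out-Null
auditpol /backup "/file:$audBefore" | Out-Null

# (c) Apply the baseline; the execution policy change is scoped to this process only
Push-Location (Join-Path $baselineRoot "Local_Script")
try {
    Set-ExecutionPolicy RemoteSigned -Scope Process -Force
    & .\BaselineLocalInstall.ps1 -WS2019DomainController
} finally {
    Pop-Location
}

# (d) Spot check: "Interactive logon: Machine inactivity limit" is stored as
#     InactivityTimeoutSecs; the baseline sets it to 900 seconds
$sysKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$sys = Get-ItemProperty -Path $sysKey -ErrorAction SilentlyContinue
if ($sys.InactivityTimeoutSecs -eq 900) {
    Write-Host "Machine inactivity limit applied: $($sys.InactivityTimeoutSecs) s" -ForegroundColor Green
} else {
    Write-Warning "Machine inactivity limit is '$($sys.InactivityTimeoutSecs)' (expected 900); check the LGPO output above."
}

Write-Host "Pre-baseline policy saved to $backupDir."
Write-Host "Restore with: secedit /configure /db restore.sdb /cfg `"$secBefore`" ; auditpol /restore /file:`"$audBefore`""
```

The backup in step (b) is what makes the baseline safe to try on a domain controller: if a setting breaks something (for example a hardened SMB or LDAP signing requirement that an old application cannot meet), the two restore commands printed at the end put the previous local policy back.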
Import GPOs to AD
We can also import the group policies into AD using the Baseline-AdImport.ps1 script.
#
# Import all GPOs in this baseline into Active Directory Group Policy
#

# Map GPO display names to the GUID-named backup folders under ..\GPOs
# (relative to the current directory, so run this from the Scripts folder)
$GpoMap = .\Tools\MapGuidsToGpoNames.ps1 ..\GPOs

Write-Host "Importing the following GPOs:" -ForegroundColor Cyan
Write-Host
$GpoMap.Keys | ForEach-Object { Write-Host $_ -ForegroundColor Cyan }
Write-Host
Write-Host

# Locate the GPOs folder relative to this script's own location
$rootDir = [System.IO.Path]::GetDirectoryName($MyInvocation.MyCommand.Path)
$parentDir = [System.IO.Path]::GetDirectoryName($rootDir)
$gpoDir = [System.IO.Path]::Combine($parentDir, "GPOs")

# Import each backup as a GPO with the same display name, creating it if it does not exist
$GpoMap.Keys | ForEach-Object {
    $key = $_
    $guid = $GpoMap[$key]
    Write-Host ($guid + ": " + $key) -ForegroundColor Cyan
    Import-GPO -BackupId $guid -Path $gpoDir -TargetName "$key" -CreateIfNeeded
}
This is the Baseline-AdImport.ps1 script, which can be found in the Windows Server 2022 baseline security policy. I did not find it under the Windows Server 2019 folder.
<#
.SYNOPSIS
Map GUIDs in a GPO backup to GPO display names

.DESCRIPTION
A GPO backup is written to a directory named with a newly-generated GUID. The GPO's display name is embedded in a "backup.xml" file in that directory. This script maps display names to GUIDs and outputs them as a sorted list or as formatted text.

.PARAMETER rootdir
Path to the directory containing one or more GPO backups.

.PARAMETER formatOutput
If this switch is specified, this script outputs text as a formatted and auto-sized table.
If this switch is not specified, this script outputs a SortedList object that can be further manipulated.

.EXAMPLE
PS C:\> MapGuidsToGpoNames.ps1 C:\GPOs\Windows-10-2004-Security-Baseline-FINAL\GPOs -formatOutput

Name                                                                       Value
----                                                                       -----
MSFT Internet Explorer 11 - Computer                                       {709F36C5-8A36-4147-AD59-0E97BDC937E1}
MSFT Internet Explorer 11 - User                                           {6DCED4C2-A15B-4196-BFD6-E0B0C95DAB35}
MSFT Windows 10 2004 - BitLocker                                           {1CA47B6D-E2C9-47E6-B118-3DA81F866C9F}
MSFT Windows 10 2004 - Computer                                            {7ADC8490-6FDB-483B-8F50-0D04F96393C4}
MSFT Windows 10 2004 - User                                                {9D0259DB-2897-4B47-B9D5-546DF7D961AC}
MSFT Windows 10 2004 and Server 2004 - Defender Antivirus                  {91CFE1E8-873C-4651-9CD7-B1ED210DC15D}
MSFT Windows 10 2004 and Server 2004 - Domain Security                     {23B187AE-72AC-42D2-AB34-CA19CCCB6662}
MSFT Windows 10 2004 and Server 2004 Member Server - Credential Guard      {C8D01A97-637E-4471-87F3-D7BECA95642C}
MSFT Windows Server 2004 - Domain Controller                               {2F9F252F-8D88-4114-AF1C-99FA36B2A6F4}
MSFT Windows Server 2004 - Domain Controller Virtualization Based Security {03AE3824-FBFA-4760-BC66-B8A1E1E5F122}
MSFT Windows Server 2004 - Member Server                                   {ADD7EEAB-B8C4-457E-8424-9E7A1AB72897}
#>

param(
    [parameter(Mandatory=$true)]
    [String]
    $rootdir,

    [switch]
    $formatOutput
)

$results = New-Object System.Collections.SortedList

# Each backup folder contains a backup.xml; the folder name is the backup GUID
Get-ChildItem -Recurse -Include backup.xml $rootdir | ForEach-Object {
    $guid = $_.Directory.Name
    $displayName = ([xml](gc $_)).GroupPolicyBackupScheme.GroupPolicyObject.GroupPolicyCoreSettings.DisplayName.InnerText
    $results.Add($displayName, $guid)
}

if ($formatOutput)
{
    $results | Format-Table -AutoSize
}
else
{
    $results
}
The above script is MapGuidsToGpoNames.ps1, which is used by the Baseline-AdImport.ps1 script and can also be found in the Windows Server 2022 baseline security policy.
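Import-GPO with -CreateIfNeeded creates the baseline GPOs in the domain but links them nowhere, so the settings reach no computer until each GPO is linked to an OU. The following is an added example (not from the post or from the toolkit) that links the server baselines to the OUs they are meant for and reports every imported baseline GPO together with where it is linked. The display-name patterns follow the toolkit’s “MSFT Windows Server <version> - <role>” naming shown in the MapGuidsToGpoNames example output; the OU=Servers path is an assumption, and OU=Domain Controllers is the default OU every domain has.

```powershell
# Added example: link imported baseline GPOs to their OUs and report unlinked ones.
# Assumptions: member servers live under OU=Servers; GPO names follow the toolkit's "MSFT ..." pattern.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Which baseline belongs where; the patterns match the toolkit's display names
$rules = @(
    @{ Pattern = "MSFT Windows Server* - Domain Controller"; Target = "OU=Domain Controllers,$domainDn" }, # default OU
    @{ Pattern = "MSFT Windows Server* - Member Server";     Target = "OU=Servers,$domainDn" }             # assumed OU
)

$baselineGpos = Get-GPO -All | Where-Object { $_.DisplayName -like "MSFT *" }

foreach ($rule in $rules) {
    foreach ($gpo in ($baselineGpos | Where-Object { $_.DisplayName -like $rule.Pattern })) {
        $already = (Get-GPInheritance -Target $rule.Target).GpoLinks.DisplayName
        if ($already -notcontains $gpo.DisplayName) {
            New-GPLink -Name $gpo.DisplayName -Target $rule.Target -LinkEnabled Yes | Out-Null
            Write-Host "Linked '$($gpo.DisplayName)' to $($rule.Target)"
        }
    }
}

# Report every imported baseline GPO and its link targets. Get-GPO does not expose links,
# so the LinksTo section of the XML report is used instead.
$baselineGpos | ForEach-Object {
    $gpo = $_
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $linkedTo = @($xml.GPO.LinksTo | ForEach-Object { $_.SOMPath } | Where-Object { $_ })
    [pscustomobject]@{
        GPO      = $gpo.DisplayName
        LinkedTo = if ($linkedTo.Count) { $linkedTo -join "; " } else { "(unlinked: link it or remove it)" }
    }
} | Sort-Object LinkedTo | Format-Table -AutoSize
```

The client baselines (Windows 10, Internet Explorer, BitLocker, Credential Guard) are deliberately left out of the link rules: they belong on workstation OUs, and which of them apply depends on the hardware and the client build in use, so the report lists them as unlinked for a human to decide.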
Policy Analyzer
Another tool is Policy Analyzer. With it you can compare your currently configured GPOs with the baseline security policy. Take a backup of your current GPO settings, then import it into Policy Analyzer to cross-check against a STIG Viewer GPO or a Microsoft Security Compliance Toolkit GPO and find out what you are missing. Details will be in the third part.
https://www.youtube.com/watch?v=46yBDG19zIU&ab_channel=Audilitics
https://www.youtube.com/watch?v=ZrcEx4kan40&t=118s&ab_channel=DavidSartin
- Use 2FA in AD.
- Make sure you have the latest patches installed.
- Change the krbtgt account password frequently.
- Enforce strong passwords in AD.
- Never expose RDP to the public internet without additional security controls.
- During AD configuration, some shared folders are left publicly accessible or unauthenticated, providing attackers with an initial foothold for lateral movement. You can use the Get-SmbOpenFile cmdlet in PowerShell to look for undesired shares on the network and configure access accordingly.
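As an added example (not from the post), the script below is a read-only audit of three items in the checklist above: the age of the krbtgt password, the default domain password policy, and SMB shares on the servers whose share-level ACL grants change or full access to broad principals (Everyone, Authenticated Users, Users, Domain Users). Get-SmbOpenFile, the cmdlet mentioned above, lists the files currently open over SMB, so it is used here to show who is actively using each share; Get-SmbShare and Get-SmbShareAccess supply the share list and the share ACLs. The OU=Servers path, the 180-day krbtgt threshold and the 14-character minimum length are assumptions; the account running it needs admin rights on the servers.

```powershell
# Added example: audit krbtgt age, domain password policy and broadly writable SMB shares.
# Assumptions: servers under OU=Servers; 180-day krbtgt threshold; 14-char minimum length.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$serverOu  = "OU=Servers,$($domain.DistinguishedName)"   # assumed OU
$krbtgtMax = 180                                         # assumed rotation threshold in days

# --- krbtgt password age ---------------------------------------------------------------
$krbtgt  = Get-ADUser krbtgt -Properties PasswordLastSet
$ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
if ($ageDays -gt $krbtgtMax) {
    Write-Warning "krbtgt password is $ageDays days old (last set $($krbtgt.PasswordLastSet)); rotate it."
} else {
    Write-Host "krbtgt password age: $ageDays days (OK)" -ForegroundColor Green
}

# --- default domain password policy ----------------------------------------------------
$pol = Get-ADDefaultDomainPasswordPolicy
$pol | Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge | Format-List
if ($pol.MinPasswordLength -lt 14 -or -not $pol.ComplexityEnabled) {
    Write-Warning "Default domain password policy is below a 14-character, complexity-enabled baseline (assumed threshold)."
}

# --- SMB shares with broad write access ------------------------------------------------
$servers = Get-ADComputer -SearchBase $serverOu -Filter * | Select-Object -ExpandProperty Name
$broad   = @("Everyone", "NT AUTHORITY\Authenticated Users", "BUILTIN\Users", "$($domain.NetBIOSName)\Domain Users")

$findings = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue `
    -ArgumentList (,$broad) -ScriptBlock {
        param($broadPrincipals)
        # Skip administrative shares (C$, ADMIN$, IPC$); inspect the share-level ACL of the rest
        Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
            $share = $_
            $risky = Get-SmbShareAccess -Name $share.Name | Where-Object {
                $_.AccessControlType -eq "Allow" -and
                $_.AccessRight -in @("Full", "Change") -and
                $broadPrincipals -contains $_.AccountName
            }
            # Files currently open under this share's path, and by whom
            $open = Get-SmbOpenFile | Where-Object { $_.Path -like "$($share.Path)*" }
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Share      = $share.Name
                Path       = $share.Path
                BroadWrite = ($risky | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ", "
                OpenBy     = ($open.ClientUserName | Sort-Object -Unique) -join ", "
            }
        }
    }

# Shares that grant broad change/full access are listed first; those are the ones to restrict
$findings | Sort-Object { $_.BroadWrite -eq "" } |
    Format-Table Computer, Share, Path, BroadWrite, OpenBy -AutoSize
```

Share-level permissions are only half of the picture: a share that grants Everyone Full at the share level may still be protected by a tighter NTFS ACL on the folder, and the effective access is the intersection of the two. The BroadWrite column is therefore a list of shares to review, not a list of confirmed exposures; the OpenBy column shows who would be affected by tightening each one.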
Thanks. I hope these two blogs will help you implement hardening measures for your AD. Soon I will be releasing AD pentesting methods that will help you secure your AD more extensively. Part 3 will cover enabling some more features to secure AD. Stay tuned and please subscribe below.
Part-3: https://mahim-firoj.medium.com/how-to-harden-active-directory-part3-4823e9ea527a
LinkedIn:
https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/
YouTube: