How to harden Active Directory: Part 3

Md. Mahim Bin Firoj
6 min read · Oct 13, 2023


Part 2 link:

As I mentioned in my Part 2 blog, in this part we will see how Policy Analyzer works and how to use it, so let's begin.

We can analyze our currently deployed GPOs and compare them with the Microsoft-provided GPOs. https://activedirectorypro.com/group-policy-backup-and-restore-steps/
The above article explains how to back up your current GPOs. After that you import that backup into Policy Analyzer, then import the Microsoft-provided or STIG-provided GPOs as well, and then you can compare and analyze them. Don't worry, I will show the details now.

https://www.microsoft.com/en-us/download/details.aspx?id=55319
From the above link, download the whole package (the Microsoft Security Compliance Toolkit, which contains Policy Analyzer and the baseline GPOs).

Policy analyzer

Now follow the below steps one by one.

  • First extract Policy Analyzer.
  • Extract all the GPO zip files whose names end with Baseline.zip.
  • Now create the folder C:\GPO's\Microsoft and copy all the extracted Microsoft-provided baseline GPO folders into it.
  • Now go into the Windows 10 Version 1809 and Windows Server 2019 Security Baseline > GPOs folder.
  • There you will find 11 GPOs, each in a folder whose name is a GUID (a hex-format string).
  • We need to rename these folders so that it is easier to pick the right one when importing into Policy Analyzer. We will work with these 3 GPOs:
    a) MSFT Windows 10 1809 — Computer
    b) MSFT Windows Server 2019 — Domain Controller
    c) MSFT Windows Server 2019 — Member Server
  • But you don't know which of the 11 folders holds the GPOs you need. In that case, open the folders one by one. Inside each you will find a gpreport.xml file. Open it; the GPO name is in there. Copy that name and rename the folder accordingly. I hope this is clear now.
Changing folder name
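The renaming step above can be automated. As an added example (not the post's own script), the PowerShell loop below reads the GPO display name from each folder's gpreport.xml and renames the GUID-named folder to match. The root path is an assumption based on the author's C:\GPO's\Microsoft layout; adjust it to where you extracted the baseline zip.

```powershell
# Added example: rename GUID-named GPO backup folders to the GPO name found in gpreport.xml.
# $GpoRoot is an assumed path (author's layout); change it to your extraction folder.
param(
    [string]$GpoRoot = "C:\GPO's\Microsoft\Windows 10 Version 1809 and Windows Server 2019 Security Baseline\GPOs"
)

# Characters Windows does not allow in file or folder names
$invalid = [System.IO.Path]::GetInvalidFileNameChars()

Get-ChildItem -LiteralPath $GpoRoot -Directory | ForEach-Object {
    $report = Join-Path $_.FullName 'gpreport.xml'
    if (-not (Test-Path -LiteralPath $report)) {
        Write-Warning "No gpreport.xml in $($_.Name); skipping"
        return   # acts as 'continue' inside ForEach-Object
    }

    # gpreport.xml is the report written by Backup-GPO; <GPO><Name> holds the display name.
    # PowerShell's XML adapter ignores the default namespace for property access.
    $xml  = [xml](Get-Content -LiteralPath $report -Raw)
    $name = $xml.GPO.Name
    if ([string]::IsNullOrWhiteSpace($name)) {
        Write-Warning "No GPO name found in $report; skipping"
        return
    }

    # Strip invalid characters so the GPO name is usable as a folder name
    $safe = -join ($name.ToCharArray() | Where-Object { $invalid -notcontains $_ })

    if ($_.Name -eq $safe) { return }   # already renamed on a previous run

    $target = Join-Path $GpoRoot $safe
    if (Test-Path -LiteralPath $target) {
        Write-Warning "$safe already exists; leaving $($_.Name) as is"
        return
    }

    Rename-Item -LiteralPath $_.FullName -NewName $safe
    Write-Host ("{0} -> {1}" -f $_.Name, $safe)
}
```

Run it against a copy of the extracted folder first; after it finishes, the three GPOs listed above appear under their display names and can be selected directly in Policy Analyzer's Add dialog.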

Now open Policy Analyzer and click on the Add button.

Go to the Windows 10 Version 1809 and Windows Server 2019 Security Baseline > GPOs folder.

Now go into the MSFT Windows Server 2019 — Domain Controller folder.

Now click on Select Folder.

Now you need to click on Import.

Now you need to provide a name for the GPO you just imported. Policy Analyzer will save it in its .PolicyRules format.

Done. Now add the remaining two GPOs the same way.

Once all 3 are added, click on View / Compare. Although all 3 appear checked, when you click View / Compare you may see only the first one. Cancel, then open it again after selecting the right GPOs for comparison. For example, we selected the 1st and the 2nd, not the 3rd.

This is how you can compare which settings are enabled for the DC versus the member server. In the same way you can compare your existing GPO with the Microsoft-provided one.

STIG:

https://public.cyber.mil/stigs/gpo/
From the above link, download the STIG-recommended GPO settings.

In the same way you can also compare the STIG-recommended GPOs with the Microsoft-recommended ones. The STIG GPOs could also be extracted locally and imported into AD using the same script we saw in Part 2, but that PowerShell script needs slight modification. I have not tried that yet. I am leaving that for you to explore.

Note: The administrator must fully test GPOs in test environments prior to live production deployments.

In the hardening part, you cannot walk into an organization and implement the secure policy directly; management may not agree to that. That's where the Policy Analyzer tool kicks in. It allows you to compare the current policy with the STIG or Microsoft one. Then you can make a report of which settings the organization must change.

Now let's see how we can prevent some attacks against AD:

In order to prevent pass-the-hash and pass-the-ticket attacks, you must enable the Credential Guard feature. Then your NTLM hash will be shown as an unknown key to Mimikatz.

This feature is available from Windows 10 and Windows Server 2016 onwards.

Use the Microsoft Security Compliance Toolkit baselines to enable this feature.

In Part 2 of my AD hardening blog, I already showed how to harden AD using the Microsoft-provided GPOs. If you follow that, Credential Guard will be enabled automatically after you implement the GPOs. See the screenshot below.

When you run this command, the domain controller virtualization-based security GPO, which is Credential Guard, will be installed automatically.

Just to show you, see below:

From the GPO folder I entered the red-marked folder, because from the above command output I figured out that this is the GPO that enables the Credential Guard feature. Then inside that folder I opened the gpreport.xml file.

These are the settings you will see when you configure the same setting via Group Policy.

Configuring via Group Policy:

You can use the Group Policy Management console to enable Credential Guard. Create a GPO and go to Computer Configuration > Administrative Templates > System > Device Guard. Then set Turn On Virtualization Based Security to Enabled, as shown below.

You may find slight variation when you configure it on a DC versus manually on a Windows client.

You can also configure this via GPO in the same way as above.
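Enabling the policy is only half the job; you also want to confirm that Credential Guard is really running on the target machines after the GPO applies. As an added example (not from the original post), the PowerShell function below reads the policy as written to the registry and the runtime state reported by the Win32_DeviceGuard WMI class, both of which Microsoft documents. Run it in an elevated session on a member server or workstation; Microsoft documents Credential Guard as not supported on domain controllers.

```powershell
# Added example: verify Credential Guard policy and runtime state on the local machine.
# Registry paths, WMI class and value meanings are from Microsoft's Credential Guard documentation.
function Get-CredentialGuardState {
    # Policy side: what the Device Guard GPO settings wrote to the registry
    $dg  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'         -ErrorAction SilentlyContinue

    # Runtime side: state reported by the virtualization-based security subsystem
    $wmi = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # LsaCfgFlags is set by the "Credential Guard Configuration" option inside the
    # Turn On Virtualization Based Security policy: 1 = with UEFI lock, 2 = without lock, 0/absent = off.
    # Turning on VBS alone (EnableVirtualizationBasedSecurity = 1) does not start Credential Guard.
    $lsaCfg = if ($null -ne $lsa.LsaCfgFlags) { [int]$lsa.LsaCfgFlags } else { 0 }
    $cgPolicy = switch ($lsaCfg) {
        1       { 'Enabled with UEFI lock' }
        2       { 'Enabled without lock' }
        default { 'Not configured' }
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsPolicyEnabled          = ($dg.EnableVirtualizationBasedSecurity -eq 1)
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning                = ($wmi.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardPolicy     = $cgPolicy
        # SecurityServices* arrays contain 1 for Credential Guard and 2 for HVCI
        CredentialGuardConfigured = ($wmi.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($wmi.SecurityServicesRunning    -contains 1)
    }
}

$state = Get-CredentialGuardState
$state | Format-List

if (-not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running. Confirm the GPO applied (gpresult /h report.html),'
    Write-Warning 'that Secure Boot and virtualization extensions are enabled in firmware, and that the'
    Write-Warning 'policy sets Credential Guard Configuration, not only Virtualization Based Security.'
}
```

A machine where VbsRunning is true but CredentialGuardRunning is false is the common half-configured state this post's GPO comparison is meant to catch: VBS is on, but the Credential Guard option in the same policy was never set.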

Resource: https://www.thewindowsclub.com/enable-credential-guard-windows-10

Thanks. I hope these three blogs help you implement hardening measures for your AD. Soon I will be releasing AD pentesting methods that will help you secure your AD more extensively. Stay tuned and please subscribe below.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos
