How to secure your Active Directory against malware attacks

Active Directory is probably the nerve center of your IT infrastructure. It must therefore be properly designed and configured so that your organization does not fall to a persistent intrusion or to a malware/ransomware infection.

The history of cyber attacks in France confirms that no one is safe, and that every organization must put in place a specific review plan to verify the design and governance of its Active Directory.

Where do you start to protect Active Directory?

This is a very broad question, but overall a specific plan is needed that incorporates the following:

  1. Drastically increase in-house proficiency in Active Directory technology
  2. Read the very useful recommendations published by Microsoft and by ANSSI (the French national cybersecurity agency)
  3. At a minimum, implement the Microsoft Tier model to obtain a secure design
  4. Install a minimum set of tools that let you track changes within your Active Directory environment

Before going any further, it is necessary to understand some of the fundamentals of Active Directory security:

  • It is impossible to protect an operating system against its own full administrator account. This has nothing to do with any supposed weakness of Windows; it is a general principle that applies equally to UNIX and Linux (root) ;
  • It is impossible to protect an Active Directory environment from a Domain Admin. Beware of the "myth" of Domain Admin versus Enterprise Admin: the domain is not a security boundary, the forest is. A Domain Admin of the forest root domain can add himself to Enterprise Admins, and a Domain Admin of any domain can reach the rest of the forest because SID filtering is not applied between domains of the same forest, so separating the two groups provides no real isolation ;
  • Never, for any reason, give a normal user a local administrator account on his workstation.

Kinetics of an attack on Active Directory

  • Phase 0: The attacker starts with a listening and reconnaissance phase. The goal is to learn about the target's environment: users, naming conventions, technologies in use, exposed services. Several methods are available; social engineering is one of an attacker's preferred methods because it is very effective.
  • Phase 1: The attacker aims to become local administrator of a workstation on the network; this initial compromise is the starting point for the rest of the attack. Several methods are available at this stage: booting the machine from a live CD or USB stick to bypass the installed operating system, attacking the workstation or the network from a Kali Linux distribution, or planting dedicated hardware (keyloggers, rogue USB devices) to capture the passwords typed on the machine.
  • Phase 2: The attacker then moves laterally to compromise other workstations in parallel with the first one. Typically he reuses the credentials already present on the first workstation (cached passwords, hashes in memory, a local administrator password shared across the fleet), but may also work on service accounts common to several workstations.
  • Phase 3: The attacker pivots and takes over one or more member servers of the domain. He will typically use discovery tools such as BloodHound to map attack paths (group memberships, logon sessions, ACLs) and credential-extraction tools such as Mimikatz to recover password hashes and Kerberos tickets from memory.
  • Phase 4: By reusing the stolen hashes (pass-the-hash) and exploiting certain Active Directory attributes (over-permissive ACLs, delegation settings), the attacker can make himself Domain Admin. Another approach is to gain physical access to the virtual or physical disk of a domain controller in order to copy the Active Directory database (NTDS.dit) and run a dictionary attack on the extracted hashes offline, for example.
  • Phase 5: The attacker must now cover his tracks, make his access persistent (additional accounts, backdoored ACLs, forged Kerberos tickets) and finally reach the organization's data, typically to exfiltrate or encrypt it.

Basic but effective countermeasures should be implemented to ensure a minimum of security in your infrastructure.

Countermeasure number 1: Encrypt operating system hard drives

It is extremely important to encrypt the disks of all operating systems, and especially those of workstations: without encryption, anyone who boots the machine from removable media or pulls the disk can read the local SAM, the cached domain credentials and the user's data, which is exactly the Phase 1 scenario above. You can use BitLocker on Windows, FileVault on macOS or LUKS on Linux. These tools are built into the operating systems and their basic setup is straightforward. On Windows, tie BitLocker to the TPM, add a recovery password and escrow it (in Active Directory or in your device management tool), because a recovery key that nobody can find turns the next disk failure into a data loss. If you need more advanced features in terms of functionality or administration, add a cross-platform management tool such as WinMagic.

Countermeasure number 2: use UEFI with Secure Boot instead of legacy BIOS

For a few years now, new hardware has shipped with UEFI firmware in place of the legacy BIOS. This enables security features such as Secure Boot, which only lets signed boot loaders run and thus blocks the live CD/USB boot used in Phase 1. It is also useful to set a firmware (setup) password and to disable booting from removable media, so that an attacker with physical access cannot simply turn Secure Boot off again.
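As an added example that is not part of the original article, the following PowerShell script checks the two countermeasures above on a workstation: firmware type and Secure Boot state, TPM readiness, and BitLocker status per volume (including the protector types), and turns BitLocker on for the OS drive with a TPM protector plus a recovery password escrowed in Active Directory. It assumes an elevated session on Windows 10/11 with the BitLocker, SecureBoot and TrustedPlatformModule modules that ship with the OS, and a group policy that allows backing recovery passwords up to AD DS; the function names are mine.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# on the workstation. Assumptions: Windows 10/11 with a TPM; the BitLocker,
# SecureBoot and TrustedPlatformModule modules present; GPO allows AD DS
# backup of recovery passwords (otherwise Backup-BitLockerKeyProtector fails).

function Get-BootSecurityPosture {
    $posture = [ordered]@{}

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware, so a failure here
    # means "not UEFI" rather than "Secure Boot disabled".
    try {
        $posture.Firmware   = 'UEFI'
        $posture.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        $posture.Firmware   = 'Legacy BIOS (or Secure Boot unsupported)'
        $posture.SecureBoot = $false
    }

    # Without a ready TPM, BitLocker has to fall back to a password or USB key,
    # which is weaker and far less usable.
    $tpm = Get-Tpm
    $posture.TpmPresent = $tpm.TpmPresent
    $posture.TpmReady   = $tpm.TpmReady

    # One line per volume. ProtectionStatus is what matters: a volume can be
    # fully encrypted yet "Off" when protection was suspended for an upgrade.
    $posture.Volumes = @(Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            Protectors       = ($_.KeyProtector.KeyProtectorType -join ',')
        }
    })
    [pscustomobject]$posture
}

function Enable-OsDriveBitLocker {
    param([string]$MountPoint = $env:SystemDrive)

    if ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -eq 'On') {
        Write-Host "$MountPoint is already protected"
        return
    }
    # Recovery password first, so a key exists before the drive is bound to the TPM
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # Escrow the recovery password on the computer object in AD (msFVE-RecoveryInformation)
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId
    # XTS-AES 256 is the strongest method offered; -SkipHardwareTest avoids the reboot test
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest
}

$posture = Get-BootSecurityPosture
$posture | Select-Object Firmware, SecureBoot, TpmPresent, TpmReady | Format-List
$posture.Volumes | Format-Table -AutoSize

if (-not $posture.SecureBoot) { Write-Warning 'Secure Boot is off or the firmware is legacy BIOS' }
foreach ($v in $posture.Volumes | Where-Object { $_.ProtectionStatus -ne 'On' }) {
    Write-Warning "Volume $($v.MountPoint) is not protected by BitLocker"
}
# To remediate the OS drive once the warnings have been reviewed:  Enable-OsDriveBitLocker
```

The posture function is the part worth running at scale (through your management tool or Invoke-Command): it is the "Off while encrypted" case and the missing recovery protector that slip through when you only look at whether encryption was ever turned on.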

Countermeasure number 3: never give a local administrator account to a normal user

This countermeasure is essential: the use of administrative accounts by users on their own workstations must be forbidden. The start of every attack is greatly facilitated when the user is a local administrator, because malicious code running in his session can then install drivers and services, read credentials from memory and run tasks and processes as SYSTEM (NT AUTHORITY\SYSTEM). Contrary to the legend, it is quite possible to fine-tune the workstation so that the user can work normally with adapted privileges. In case of difficulty with the settings or with recalcitrant business applications, do not hesitate to deploy a privilege management solution such as DefendPoint on the client operating systems. Also make sure the built-in local Administrator account does not share the same password across the fleet (LAPS manages this), since one shared local password is exactly what the lateral movement of Phase 2 feeds on.
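To verify this countermeasure across the fleet rather than trust the policy, here is an added PowerShell example (not from the original article) that collects the members of the local Administrators group from every enabled workstation under an OU and reports those not on an approved list. The OU path, the approved group names, WinRM being enabled on the workstations and the caller holding administrative rights on them are all assumptions.

```powershell
# Added example, not from the original article. Assumptions: WinRM is enabled
# on the workstations, the caller is an administrator on them, and the OU
# and approved-member names below match your environment.

Import-Module ActiveDirectory

$NetBios  = (Get-ADDomain).NetBIOSName
$Approved = @(
    'Administrator',               # built-in local account (password managed by LAPS)
    "$NetBios\Domain Admins",      # added at join time; the Tier model says remove it from Tier 2
    "$NetBios\Workstation-Admins"  # assumption: your Tier 2 administration group
)

# Assumption: workstations live under this OU
$Targets = Get-ADComputer -SearchBase 'OU=Workstations,DC=corp,DC=example' -Filter 'Enabled -eq $true' |
           Select-Object -ExpandProperty DNSHostName

# Ask each workstation for its Administrators membership. The group is looked
# up by its well-known SID so the script also works on localized Windows.
$Members = Invoke-Command -ComputerName $Targets -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $_.Name              # "COMPUTER\name" or "DOMAIN\name"
            ObjectClass = $_.ObjectClass       # User or Group
            Source      = $_.PrincipalSource   # Local, ActiveDirectory, ...
        }
    }
}

function Get-UnapprovedLocalAdmins {
    param([object[]]$Members, [string[]]$Approved)
    $Members | Where-Object {
        # Normalise local accounts ("PC01\Administrator") to their bare name;
        # domain principals keep their DOMAIN\name form.
        $name = if ($_.Source -eq 'Local') { ($_.Member -split '\\')[-1] } else { $_.Member }
        $Approved -notcontains $name
    }
}

$Findings = Get-UnapprovedLocalAdmins -Members $Members -Approved $Approved
$Findings | Sort-Object Computer, Member | Format-Table Computer, Member, ObjectClass, Source -AutoSize

# Workstations that did not answer are as interesting as the findings: a
# machine nobody can reach is a machine nobody audits.
$Answered = $Members | Select-Object -ExpandProperty Computer -Unique
$Targets | Where-Object { ($_ -split '\.')[0] -notin $Answered } |
    ForEach-Object { Write-Warning "No answer from $_" }
```

Two practical caveats: Get-LocalGroupMember fails on some Windows builds when the group contains an orphaned SID (a deleted domain account), in which case the classic `net localgroup administrators` output is the fallback; and a domain group listed as a member hides its own nested members, so check the membership of any unexpected group in Active Directory as well.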

Countermeasure number 4: Implement the Tier model proposed by Microsoft

Microsoft proposes an Active Directory design called the Tier model (since folded into what Microsoft now calls the enterprise access model, with the same underlying principle). Followed to the letter, this model avoids the governance errors found in most Active Directory deployments, first among them Domain Admin accounts logging on to ordinary servers and workstations, where their credentials end up in memory for the taking.

Overall, the principle of the Tier model is to define three zones, with administration and access limits for each:

  • Tier 0: the domain controllers, the Active Directory itself and everything that controls it (PKI, identity management systems, the backups and the hypervisors hosting the domain controllers). Tier 0 accounts log on to Tier 0 systems only.
  • Tier 1: member servers and applications, administered with dedicated Tier 1 accounts.
  • Tier 2: workstations and user devices, administered with dedicated Tier 2 accounts.

An account of a given tier is never used to log on to a system of a lower tier; this is enforced with separate administration accounts per tier, "Deny log on" user rights assigned by group policy, and hardened administrative workstations for Tier 0. The Microsoft diagram that accompanies this section summarises the main features of this design.

Microsoft has published an extremely complete document that explains the principles of this model in detail. Read and re-read it; it is the basis of any secure Active Directory design worthy of the name.
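As an added example that is neither the article's nor Microsoft's code, this PowerShell script audits the accounts that effectively sit in Tier 0 (members, recursively, of the privileged built-in groups) against the hygiene the Tier model expects of them: membership of Protected Users, "account is sensitive and cannot be delegated", no service principal name, no never-expiring or stale password. The group list, the password-age threshold and the function name are assumptions.

```powershell
# Added example, not from the original article or from Microsoft's Tier-model
# document. Needs the ActiveDirectory module and read access to the groups.
# The group list and the age threshold are assumptions.

Import-Module ActiveDirectory

$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$MaxPasswordAgeDays = 180    # assumption: your rotation policy for privileged accounts

# Protected Users exists once the PDC emulator runs Windows Server 2012 R2 or later
$ProtectedUsers = @()
try {
    $ProtectedUsers = @((Get-ADGroup 'Protected Users' -Properties Member -ErrorAction Stop).Member)
} catch {
    Write-Warning 'Protected Users group not found; every account will be reported as outside it'
}

# Resolve every user that is, directly or through nesting, in a Tier 0 group
$Membership = foreach ($g in $Tier0Groups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Tier0Group = $g; DN = $_.distinguishedName } }
}

function Get-Tier0AccountReport {
    param([object[]]$Membership, [string[]]$ProtectedUsers, [int]$MaxAgeDays)

    $Membership | Group-Object DN | ForEach-Object {
        $u = Get-ADUser -Identity $_.Name -Properties AccountNotDelegated, PasswordLastSet,
                 PasswordNeverExpires, ServicePrincipalName, LastLogonDate
        $ageDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            Tier0Groups          = ($_.Group.Tier0Group | Sort-Object -Unique) -join ';'
            InProtectedUsers     = $ProtectedUsers -contains $u.DistinguishedName
            NotDelegated         = [bool]$u.AccountNotDelegated
            HasSPN               = [bool]$u.ServicePrincipalName      # Kerberoastable if true
            PasswordNeverExpires = [bool]$u.PasswordNeverExpires
            PasswordAgeDays      = $ageDays
            LastLogonDate        = $u.LastLogonDate
            Findings             = @(
                if (-not ($ProtectedUsers -contains $u.DistinguishedName)) { 'not in Protected Users' }
                if (-not $u.AccountNotDelegated) { 'delegation allowed' }
                if ($u.ServicePrincipalName)     { 'has SPN (Kerberoastable)' }
                if ($u.PasswordNeverExpires)     { 'password never expires' }
                if ($ageDays -gt $MaxAgeDays)    { "password older than $MaxAgeDays days" }
            ) -join '; '
        }
    }
}

$Report = Get-Tier0AccountReport -Membership $Membership -ProtectedUsers $ProtectedUsers -MaxAgeDays $MaxPasswordAgeDays
$Report | Where-Object { $_.Enabled -and $_.Findings } |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, Tier0Groups, Findings -AutoSize -Wrap
```

Before acting on the "not in Protected Users" finding, remember what that group does: it disables NTLM, RC4 and delegation for its members and shortens ticket lifetimes, which is what you want for human Tier 0 accounts and exactly what will break a service or computer account, so never put those in it, and test one administrator account first. A service account that turns up in this report is itself a finding: services do not belong in Tier 0 groups.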

Countermeasure number 5: Implement a solution to collect event logs and track changes

It is essential to be able to track every change made to your Active Directory environment. This means collecting and retaining the event logs of your domain controllers (the Security log at least, with the advanced audit policy enabled for account management, logon and directory service changes) on a system that the domain administrators themselves cannot alter, and raising alerts on the changes made. You can then spot suspicious actions such as additions to high-privilege administration groups (events 4728, 4732 and 4756), intrusion attempts by password dictionary or password spraying (bursts of 4625, 4771 and 4776 failures), changes to certain sensitive objects of the Active Directory (AdminSDHolder, group policies, the ACL of the domain object), and so on. Netwrix Auditor offers complete and powerful tools in this field, which you can discover on their site.
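As an added example (not the article's code and not Netwrix's), the following PowerShell script pulls two of the signals named above straight from a domain controller's Security log: additions to sensitive groups, and sources generating enough authentication failures against enough distinct accounts to look like password spraying. It assumes the ActiveDirectory module, read access to the DC's Security log, and the advanced audit subcategories "Security Group Management", "Logon", "Kerberos Authentication Service" and "Credential Validation" enabled on the DCs; the group list, the threshold and the function names are mine.

```powershell
# Added example, not from the original article and not Netwrix code. Assumes
# the ActiveDirectory module, read access to the DC's Security log, and the
# audit subcategories Security Group Management, Logon, Kerberos
# Authentication Service and Credential Validation enabled on the DCs.

Import-Module ActiveDirectory

# Every DC consults the PDC emulator when a password fails, so its log is the
# best single vantage point for guessing attempts; for full coverage run
# this against every DC.
$Dc    = (Get-ADDomain).PDCEmulator
$Since = (Get-Date).AddHours(-24)

$SensitiveGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Server Operators', 'DnsAdmins', 'Group Policy Creator Owners'
$SprayThreshold  = 20   # assumption: failures per source in the window

# Read EventData fields by name; the positional Properties[n] differ between event IDs.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group
function Get-SensitiveGroupChanges {
    param([string]$Computer, [datetime]$Since, [string[]]$Groups)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since
    } | ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Group   = $d['TargetUserName']
            Member  = $d['MemberName']            # DN of the principal that was added
            By      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    } | Where-Object { $Groups -contains $_.Group }
}

# 4625 (logon failure on the DC itself), 4771 (Kerberos pre-auth failure) and
# 4776 (NTLM credential validation failure). Many failures from one source
# against many distinct accounts is the signature of spraying.
function Get-PasswordSpraySources {
    param([string]$Computer, [datetime]$Since, [int]$Threshold)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $Since
    } | ForEach-Object {
        $d = Get-EventData $_
        # 4776 carries a workstation name instead of an IP address
        $source = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['Workstation'] }
        [pscustomobject]@{ Source = $source; Account = $d['TargetUserName'] }
    } | Group-Object Source | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            Source           = $_.Name
            Failures         = $_.Count
            DistinctAccounts = ($_.Group.Account | Sort-Object -Unique).Count
        }
    }
}

"Sensitive group membership changes on $Dc since $Since"
Get-SensitiveGroupChanges -Computer $Dc -Since $Since -Groups $SensitiveGroups | Format-Table -AutoSize

"Possible password spraying (>= $SprayThreshold failures per source)"
Get-PasswordSpraySources -Computer $Dc -Since $Since -Threshold $SprayThreshold |
    Sort-Object Failures -Descending | Format-Table -AutoSize
```

A source with many failures against one account is usually a misconfigured service or a forgotten scheduled task; a source with a handful of failures each against dozens of accounts is the spraying pattern, which is why the distinct-account count is printed next to the raw total. Note also that the checks run against the live log: an attacker who already holds Domain Admin can clear it (event 1102), which is the reason the text insists on forwarding the logs elsewhere.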

Countermeasure number 6: Implement an Active Directory recovery plan

No protection is 100% secure. You need to be prepared for the worst and have a plan B ready. It is therefore extremely important to plan ahead for this type of situation: an Active Directory recovery plan must be written and, above all, tested, because a restoration rehearsed for the first time during an incident rarely goes well. Cover at least the two levels of failure: the deletion or corruption of individual objects (the AD Recycle Bin and object-level restores are enough here) and the loss or compromise of an entire domain or forest (authoritative restore from system-state backups, following Microsoft's forest recovery procedure). Keep at least one copy of the backups offline or otherwise out of reach of domain administrator credentials, since ransomware operators delete the backups they can reach before encrypting anything. You can manage this plan with functions built into Microsoft operating systems, but you can also choose a dedicated solution such as Semperis to plan and automate the restoration of your domains or forests in case of compromise.
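As an added example (not from the original article and unrelated to Semperis), here are the built-in pieces of the object-level half of that plan in PowerShell: enabling the AD Recycle Bin, listing what was deleted recently, restoring one object by name, and checking that a system-state backup exists and is fresh. It assumes a Domain Admin session on a domain controller with the Windows Server Backup feature installed; the object name in the usage line and the function names are assumptions.

```powershell
# Added example, not from the original article and not Semperis code. Run on
# a DC as a Domain Admin with the Windows Server Backup feature installed.

Import-Module ActiveDirectory

# 1. Recycle Bin: keeps deleted objects with all their attributes (the older
#    tombstone keeps almost nothing). Enabling it is irreversible and needs
#    forest functional level 2008 R2 or higher.
$Feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $Feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).RootDomain -Confirm:$false
}

# 2. What was deleted recently? Deleted objects are renamed "<name>\0ADEL:<guid>"
#    and moved under CN=Deleted Objects; the original container is kept in
#    lastKnownParent.
function Get-RecentlyDeletedADObject {
    param([int]$Days = 7)
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties objectClass, whenChanged, lastKnownParent |
        Where-Object { $_.whenChanged -ge (Get-Date).AddDays(-$Days) } |
        Select-Object Name, objectClass, lastKnownParent, whenChanged, ObjectGUID
}

# 3. Restore one object by its original name. The parent container must exist
#    (restore it first if it was deleted too); exactly one match is required
#    so that a group and a user with the same name cannot be confused.
function Restore-DeletedADObjectByName {
    param([Parameter(Mandatory)][ValidatePattern('^[^''*]+$')][string]$Name)
    $found = @(Get-ADObject -Filter "isDeleted -eq `$true -and name -like '$Name*'" `
                  -IncludeDeletedObjects -Properties lastKnownParent)
    if ($found.Count -ne 1) {
        throw "Expected exactly one deleted object named '$Name', found $($found.Count); restore by GUID instead"
    }
    Restore-ADObject -Identity $found[0].ObjectGUID
    Get-ADObject -Identity $found[0].ObjectGUID -Properties memberOf
}

# 4. A Recycle Bin does not survive a wiped or fully compromised domain; that
#    takes a system-state backup, ideally copied off the network. Fail loudly
#    when the last successful one is older than tolerated.
function Test-SystemStateBackupAge {
    param([int]$MaxAgeDays = 1)
    $last = (Get-WBSummary).LastSuccessfulBackupTime
    if (-not $last -or $last -lt (Get-Date).AddDays(-$MaxAgeDays)) {
        Write-Warning "Last successful backup: $last (none, or older than $MaxAgeDays day(s))"
        return $false
    }
    return $true
}

Get-RecentlyDeletedADObject | Format-Table -AutoSize
Test-SystemStateBackupAge
# Restore example (assumed group name):  Restore-DeletedADObjectByName -Name 'Tier0-Admins'
# Take a fresh system-state backup:      wbadmin start systemstatebackup -backupTarget:E: -quiet
```

The freshness check is the piece worth scheduling and alerting on: a backup job that silently stopped months ago is discovered, in practice, on the day it is needed. Restoring a whole domain or forest from those backups is a different exercise (isolated network, one DC per domain restored authoritatively, metadata cleanup of the others) and is exactly what the written, rehearsed plan has to cover.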

Thank you for taking the time to read this article, I sincerely hope that reading it will be useful in understanding Active Directory security.