We feel obliged to restate the most important point regarding AD forests and security: forests are the only true security boundary in Active Directory. They are an immensely useful feature for preventing a local compromise from turning into a global catastrophe. We have encountered too many multinational companies facing security issues because of a weakly secured subsidiary in a remote country. Putting in place security boundaries such as multi-forest infrastructures and well-configured trust relationships helps isolate the system from its weaker components.
Multiple forests help the forester (no pun intended) prevent fires from spreading. However, setting up a multi-forest environment is by no means bullet-proof: great care must be taken when configuring trust relationships between those AD instances. Parameters such as trust direction and filtering must be considered carefully to benefit from strong isolation.
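The trust parameters the paragraph refers to (direction, SID filtering, selective authentication) can be reviewed from the trustedDomain objects themselves. The script below is an added example, not code from the original post or from Alsid: it reads each trust of the current domain with the RSAT ActiveDirectory module, decodes the trustAttributes bits, and lists the settings that weaken isolation. The bit values are the documented MS-ADTS ones; the wording of the findings is ours.

```powershell
# Added example (not from the original post): review every trust of the
# current domain and flag settings that weaken isolation between forests.
# Requires the RSAT ActiveDirectory module and read access to the
# trustedDomain objects (any domain user has it by default).
Import-Module ActiveDirectory

# Bits of the trustAttributes LDAP attribute (MS-ADTS, trustAttributes).
$TRUST_NON_TRANSITIVE    = 0x01
$TRUST_QUARANTINED       = 0x04   # SID filtering enabled on an external trust
$TRUST_FOREST_TRANSITIVE = 0x08   # this is a forest trust
$TRUST_CROSS_ORG         = 0x10   # selective authentication enabled
$TRUST_WITHIN_FOREST     = 0x20   # trust between domains of the same forest
$TRUST_TREAT_AS_EXTERNAL = 0x40   # forest trust with SID filtering relaxed (SID history allowed)

function Get-TrustReview {
    foreach ($t in Get-ADTrust -Filter * -Properties trustAttributes) {
        $attr = [int]$t.trustAttributes
        $findings = New-Object System.Collections.Generic.List[string]

        # Trusts inside one forest are not a security boundary anyway; skip them.
        if ($attr -band $TRUST_WITHIN_FOREST) { continue }

        # Direction: an inbound or bidirectional trust lets the partner's
        # principals be granted access to our resources.
        if ($t.Direction -in 'Inbound', 'BiDirectional') {
            $findings.Add("accepts authentication from $($t.Name) ($($t.Direction))")
        }

        if ($attr -band $TRUST_FOREST_TRANSITIVE) {
            # Forest trust: SID filtering is on by default. TREAT_AS_EXTERNAL
            # (set by "netdom trust ... /EnableSIDHistory:Yes") relaxes it so
            # that sIDHistory values from the partner forest are honoured.
            if ($attr -band $TRUST_TREAT_AS_EXTERNAL) {
                $findings.Add('SID filtering relaxed on forest trust (SID history honoured)')
            }
        } else {
            # External trust: QUARANTINED_DOMAIN must be set, otherwise SIDs
            # presented by the partner are not restricted to its own domain.
            if (-not ($attr -band $TRUST_QUARANTINED)) {
                $findings.Add('SID filtering (quarantine) disabled on external trust')
            }
        }

        # Without selective authentication every user of the partner can
        # authenticate to every computer on our side.
        if (-not ($attr -band $TRUST_CROSS_ORG)) {
            $findings.Add('forest-wide authentication (selective authentication off)')
        }

        [pscustomobject]@{
            Partner     = $t.Name
            Direction   = $t.Direction
            ForestTrust = [bool]($attr -band $TRUST_FOREST_TRANSITIVE)
            Transitive  = -not ($attr -band $TRUST_NON_TRANSITIVE)
            Findings    = ($findings -join '; ')
        }
    }
}

Get-TrustReview | Format-Table -AutoSize -Wrap
```

An empty Findings column is the target state for a trust towards a less trusted partner. Where quarantine is off on an external trust, `netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:Yes` re-enables SID filtering; on a forest trust, `/EnableSIDHistory:No` clears the TREAT_AS_EXTERNAL bit. Run the review from both sides of a bidirectional trust, since each side holds its own trustedDomain object.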
The report’s author mentions the importance of physical protection for domain controllers. Encrypting their hard drives is one way to prevent an attacker from stealing the secrets they hold. As domain controllers should be up and running 24/7, this is only useful against physical attacks: if an attacker manages to compromise a running DC, hard-drive encryption won’t stop him from accessing authentication secrets.
To mitigate this risk, Microsoft added a powerful feature to the DC arsenal: Read-Only Domain Controllers (RODCs). They allow conscientious AD administrators to restrict the secrets accessible to domain controllers in physically unsecured sites, thus protecting the most sensitive credentials from local attacks.
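The restriction is implemented by the RODC's Password Replication Policy, and the useful check is not only what the policy says but which secrets the RODC actually caches. The script below is an added example, not code from the original post or from Alsid: it reads the Allowed and Denied lists of one RODC, lists the accounts whose secrets are currently revealed to it, and flags any of those that are (possibly nested) members of a privileged group. The RODC name `RODC-BRANCH01` and the group list are placeholders to adapt.

```powershell
# Added example (not from the original post): compare an RODC's Password
# Replication Policy with the secrets it actually holds, and flag revealed
# accounts that are members of privileged groups. "RODC-BRANCH01" is a
# placeholder; the privileged-group list is a starting point, not a standard.
Import-Module ActiveDirectory

function Get-RodcSecretExposure {
    param([Parameter(Mandatory)][string]$Rodc)

    # The policy: who may be cached (Allowed) and who must never be (Denied).
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)

    # The reality: accounts whose secrets are present on the RODC right now.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)

    # Groups whose members must never be cached on a branch-office DC.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                  'Administrators', 'Account Operators', 'Backup Operators',
                  'Server Operators', 'Print Operators'

    # Resolve nested membership once: DN -> name of a privileged group it belongs to.
    $privilegedDns = @{}
    foreach ($g in $privileged) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $privilegedDns[$_.DistinguishedName] = $g }
    }

    $privilegedRevealed = $revealed |
        Where-Object { $privilegedDns.ContainsKey($_.DistinguishedName) } |
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.SamAccountName
                Group   = $privilegedDns[$_.DistinguishedName]
            }
        }

    [pscustomobject]@{
        RODC               = $Rodc
        Allowed            = ($allowed.Name -join ', ')
        Denied             = ($denied.Name -join ', ')
        RevealedCount      = $revealed.Count
        PrivilegedRevealed = @($privilegedRevealed)
    }
}

$report = Get-RodcSecretExposure -Rodc 'RODC-BRANCH01'
$report | Format-List RODC, Allowed, Denied, RevealedCount
$report.PrivilegedRevealed | Format-Table -AutoSize
```

By default the Denied list holds the "Denied RODC Password Replication Group", which already contains most of the groups above, so PrivilegedRevealed should normally be empty; a non-empty result means either the policy was loosened or an account was made privileged after its secret was cached. `Add-ADDomainControllerPasswordReplicationPolicy -Identity <RODC> -DeniedList <group>` extends the Denied list; a secret already revealed stays on the RODC until the account's password is changed.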
Passwords must indeed be protected. The report hints at the classic solution to protect against credential theft: two-factor authentication (2FA). While a great hardening measure, one must not forget the fundamentals of AD authentication. When a user authenticates, AD generates an authentication secret (such as a Kerberos ticket, a session key, a token or a certificate) that lets the user connect to different services (file servers, web applications, remote desktop) without re-entering a password or using the 2FA device. This functionality is known as Active Directory Single Sign-On (SSO). An attacker able to steal or forge a valid ticket can impersonate the victim without ever touching the 2FA device. While this is a more complex scenario, it must remind us that 2FA is not bulletproof.
Protecting these secrets has been a recent focus of the Windows security teams at Microsoft, who added powerful features (such as Credential Guard) to prevent attackers from extracting authentication keys from a computer’s memory and so help mitigate this risk.
The author rightly points to AD groups as the usual source of privileges: indeed, whether a user can perform an action depends on the groups he belongs to. To be slightly more precise, every Active Directory object (e.g. a user or a computer) carries its own set of permissions. Examining this list of access control entries is the key to discovering security flaws. Keeping strong control over privileges in an ever-evolving company is one of the challenges every CISO must tackle.
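Examining those access control entries can be automated. The script below is an added example, not code from the original post or from Alsid: it walks the users, groups, computers and OUs under a search base, reads each object's security descriptor through the `AD:` drive of the ActiveDirectory module, and reports Allow entries carrying rights that let the holder rewrite the object or its security descriptor when the holder is not one of the principals listed as trusted. The `$Trusted` list is an assumption about the delegation model and must be adapted.

```powershell
# Added example (not from the original post): enumerate access control
# entries on AD objects and report rights that allow a principal to take
# over the object (GenericAll, GenericWrite, WriteDacl, WriteOwner,
# WriteProperty, ExtendedRight). Principals in $Trusted are assumed
# legitimate; adjust the list to your own delegation model.
Import-Module ActiveDirectory

function Find-SensitiveAce {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                               'NT AUTHORITY\SELF', 'CREATOR OWNER',
                               'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')
    )
    $netbios = (Get-ADDomain).NetBIOSName
    $Trusted += "$netbios\Domain Admins", "$netbios\Enterprise Admins"

    # Rights that let the holder rewrite the object or its security descriptor.
    $dangerous = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight'

    # Object classes that usually matter for privilege escalation.
    $filter = '(|(objectClass=user)(objectClass=group)(objectClass=computer)(objectClass=organizationalUnit))'

    foreach ($obj in Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ([int]($ace.ActiveDirectoryRights -band $dangerous) -eq 0) { continue }
            if ($ace.IdentityReference.Value -in $Trusted) { continue }

            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                Principal  = $ace.IdentityReference.Value   # SID string if it no longer resolves
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType   # GUID of the property/right, all-zero = any
                Inherited  = $ace.IsInherited
            }
        }
    }
}

Find-SensitiveAce -SearchBase (Get-ADDomain).DistinguishedName |
    Sort-Object Principal, Object | Format-Table -AutoSize
```

Expect noise on the first run: WriteProperty and ExtendedRight scoped to a single attribute or right (a non-zero ObjectType GUID) are often benign delegations, and inherited entries repeat for every child of an OU. Triage by grouping on Principal and on non-inherited entries first; a non-admin principal holding GenericAll, WriteDacl or WriteOwner on a privileged group or on an admin account is the finding the paragraph is about. Unresolved SIDs in the Principal column are entries left behind by deleted accounts and should be removed.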
The report recommends replacing manual security reviews with more regular automated checks using software solutions. The vendors mentioned in the article offer great tools to check that a company’s security policy is well implemented: how many admin accounts are allowed, how often a password must be changed, etc. These checks are unfortunately too simplistic to guarantee resilience against modern AD attacks. For example, many other AD features can be leveraged by a skilled attacker to escalate privileges (e.g. using the “SID History” attribute to grant oneself increased privileges). Being compliant with the enterprise security policy is by no means a safeguard.
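The SID History case is a good illustration of a check that a policy-compliance tool does not perform but that is easy to run. The script below is an added example, not code from the original post or from Alsid: it lists every object carrying a sIDHistory value and flags entries that point to a privileged well-known SID or RID, or that belong to the current domain, which a genuine migration never produces. The RID and well-known SID lists are the standard ones; the decision of which findings are acceptable depends on your migration history.

```powershell
# Added example (not from the original post): find accounts carrying a
# sIDHistory value and flag the ones whose history points to a privileged
# SID or to the current domain. sIDHistory is legitimate after a domain
# migration; anything that does not match one deserves an explanation.
Import-Module ActiveDirectory

function Find-SuspiciousSidHistory {
    $domainSid = (Get-ADDomain).DomainSID.Value

    # Domain-relative RIDs of privileged principals: Administrator,
    # Domain Admins, Domain Controllers, Schema Admins, Enterprise Admins.
    $privRids = 500, 512, 516, 518, 519
    # Well-known builtin groups: Administrators, Account Operators, Backup Operators.
    $privWellKnown = 'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-551'

    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectSid, sAMAccountName |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                $value = $sid.Value
                $rid = [int]($value.Split('-')[-1])
                $reason = $null

                if ($value -in $privWellKnown) {
                    $reason = 'builtin privileged group SID in history'
                } elseif ($rid -in $privRids) {
                    $reason = 'privileged RID in history'
                } elseif ($value.StartsWith("$domainSid-")) {
                    # A migration imports SIDs from the *source* domain; a SID
                    # of the current domain cannot have come from one.
                    $reason = 'history SID belongs to the current domain'
                }

                [pscustomobject]@{
                    Account    = $obj.sAMAccountName
                    ObjectSid  = $obj.objectSid.Value
                    HistorySid = $value
                    Suspicious = [bool]$reason
                    Reason     = $reason
                }
            }
        }
}

# Full inventory first, then only the entries that need an explanation.
$history = Find-SuspiciousSidHistory
"$(@($history).Count) sIDHistory entries found"
$history | Where-Object Suspicious | Format-Table -AutoSize
```

Even entries that are not flagged should be matched against the list of source domains of past migrations: a history SID from a domain that was never migrated is as suspicious as a privileged one. Pair this with SID filtering on trusts (the quarantine and TREAT_AS_EXTERNAL settings), since filtering is what stops a history SID from being honoured across a trust in the first place.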
The tools mentioned in the article also have operational drawbacks, such as putting a heavy burden on security teams: policy must be implemented manually and updated as state-of-the-art attack techniques are published at security conferences. We believe in decreasing the workload of operational teams, not increasing it. AD security mechanisms are complex, and attackers regularly find creative ways of exploiting them. Staying ahead in this cat-and-mouse game is impossible in a corporate environment without a specialized R&D team, a luxury very few enterprises have. Outsourcing this research effort to competent vendors that provide ready-to-use solutions with continuously updated detection mechanisms appears to be the best posture. A good solution provides immediately actionable insights, so that administration teams have more time to focus on other problems.
At Alsid, we believe in pragmatic security. A secure system is one that is impossible to compromise, not one that is compliant with a legacy security policy that has not evolved. We implement non-intrusive, real-time, plug-and-play solutions to make sure an AD infrastructure is safe from the most advanced attack techniques.