Active Directory Security Essentials Review

AD can be a huge liability; let's tighten it up.

Microsoft Active Directory is such a common vulnerable part of corporate networks that any mature network penetration testing methodology revolves heavily around how to gain an AD foothold, maintain it, and escalate privileges. Domain Admin privileges may not be an attacker's goal, but admin privileges certainly make their goals easier. Ransomware attacks rely on the single sign-on functionality provided by AD, exploit weaknesses in AD to escalate privileges, and use AD-connected computers and shares to spread their payloads.

We've boiled down what we know about compromising AD networks into an essential checklist of things that we know directly allow actors to gain AD footholds (acquire a set of credentials), escalate their privileges to higher levels, and spread laterally across AD-joined workstations, servers, shares, services, and databases. The result is a cost-effective process with a relatively short time frame that provides you a list of significant issues and how to fix them, with no false positives that could waste your team's time.

Benefits of our Active Directory Security Essentials Review service:

  • Identify AD Certificate Services configuration issues that give even the most basic user account a one-shot path to Domain Admin
    • Template allows low-privileged users to abuse authentication EKUs (ESC1)
    • Template allows low-privileged users to abuse dangerous EKUs (ESC2)
    • Template allows low-privileged users to request certificates on behalf of others (ESC3)
    • Template settings modifiable by low-privileged users (ESC4)
    • ADCS allows arbitrary SAN (ESC6)
    • ADCS allows low-privileged users to manage the CA (ESC7)
    • ADCS allows NTLM relay to HTTP endpoints (ESC8)
  • Find Service Account weaknesses that allow generic user accounts to escalate their privileges
    • Overprivileged service accounts (Kerberoasting, Privilege Escalation)
    • Accounts with preauthentication disabled (ASREP-Roasting)
  • Review account configurations that enable attackers to spread laterally and escalate privileges
    • Accounts with unconstrained delegation
    • Accounts with password expiration disabled
    • Accounts with potential passwords stored in comments/description fields
    • Accounts with password not required
    • Accounts with reversible password encryption
    • Accounts with a password age of over one year
    • Excessive administrative group membership
    • Excessive machine account quota
    • krbtgt password not rotated in over six months
    • Protected Users group not utilized
    • Potentially unused accounts
  • Show general AD weaknesses that contribute towards making attackers' jobs easier
    • Unsupported OS running on domain member
    • LDAP signing not enforced
    • Anonymous logon enabled
    • Weak SMB share permissions
    • Passwords stored in GPP and GPRF
    • NetNTLMv1 enabled
    • No lockout configured on domain password policy
    • Weak domain password policy settings
  • Unusual privileges, DNS, and DHCP config weaknesses
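Several of the account checks above (preauthentication disabled, unconstrained delegation, password never expires, password not required, reversible encryption, stale passwords, secrets in the description field) can be read straight from a user's userAccountControl bits, pwdLastSet and description attributes. The following is an added example written for this page, not the service's own tooling: it audits constructed LDAP-style records offline; in a real review the records would come from an LDAP export of the domain, and the 365-day threshold and the description regex are assumptions chosen to match the checklist.

```python
import re
from datetime import datetime, timedelta, timezone
# userAccountControl bits, as documented by Microsoft for the attribute
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000
DONT_REQ_PREAUTH = 0x400000
# Each bit maps to the checklist finding it indicates
FLAG_FINDINGS = [
    (DONT_REQ_PREAUTH, "preauthentication disabled (AS-REP roastable)"),
    (TRUSTED_FOR_DELEGATION, "unconstrained delegation"),
    (DONT_EXPIRE_PASSWORD, "password expiration disabled"),
    (PASSWD_NOTREQD, "password not required"),
    (ENCRYPTED_TEXT_PWD_ALLOWED, "reversible password encryption"),
]
SECRET_HINT = re.compile(r"\b(password|passwd|pwd)\b", re.IGNORECASE)  # assumed heuristic
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime_to_datetime(ft: int) -> datetime:
    # pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)
def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10
def audit_account(acct: dict, now: datetime) -> list[str]:
    # Return the checklist findings that apply to one user record
    findings = [label for bit, label in FLAG_FINDINGS if int(acct.get("userAccountControl", 0)) & bit]
    pwd_last_set = int(acct.get("pwdLastSet", 0))  # 0 means "must change at next logon"
    if pwd_last_set and now - filetime_to_datetime(pwd_last_set) > timedelta(days=365):
        findings.append("password age over one year")
    if SECRET_HINT.search(acct.get("description") or ""):
        findings.append("possible password in description")
    return findings
def audit_directory(accounts: list[dict], now: datetime) -> dict[str, list[str]]:
    # Map each sAMAccountName to its findings, omitting clean accounts
    return {a["sAMAccountName"]: f for a in accounts if (f := audit_account(a, now))}

# Constructed sample records (not exported from any real domain)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_backup", "description": "Initial password set by helpdesk",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH,
     "pwdLastSet": datetime_to_filetime(datetime(2022, 1, 15, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc_web", "description": "IIS app pool",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION | ENCRYPTED_TEXT_PWD_ALLOWED,
     "pwdLastSet": datetime_to_filetime(datetime(2024, 5, 1, tzinfo=timezone.utc))},
]
```

Running `audit_directory(SAMPLE_ACCOUNTS, NOW)` flags svc_backup on four checklist items and svc_web on two, which is the kind of prioritised list the review hands back for remediation.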