Page 122 - Cyber Defense eMagazine September 2022
4. Consider your Kerberos security
Attacks on Kerberos (the primary authentication protocol used in AD) are on the rise. Here are some steps to take to enhance your Kerberos security:
• Every Active Directory Forest has a KRBTGT account that’s used to encrypt user Kerberos ticket-granting tickets (TGTs). Protecting the KRBTGT account is an essential piece of protecting the security of your AD environment. Annually reset the KRBTGT account in every domain to mitigate Golden Ticket attacks. My colleague Jorge de Almeida Pinto maintains a widely used KRBTGT reset script.
• Take advantage of recent Kerberos security enhancements and patches. For example, upgrade your Windows Server 2019 domain controllers to take advantage of AES encryption over the older RC4 encryption algorithm (post-upgrade steps are required).
• Remove Service Principal Names (SPNs) assigned to admin accounts. This step eliminates a favorite Kerberoasting path to domain dominance.
• Eliminate unconstrained delegation, which gives a compromised server the ability to act widely on behalf of unsuspecting users.
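As an added example (not part of the article, and unrelated to the reset script mentioned above), the following PowerShell audit checks three of the items above in a read-only way: KRBTGT password age, SPNs on privileged accounts, and unconstrained delegation. It assumes the RSAT ActiveDirectory module on a domain-joined host; the function name and the 365-day threshold are my own choices.

```powershell
Import-Module ActiveDirectory

function Get-KerberosHardeningFindings {
    [CmdletBinding()]
    param(
        # Days after which the KRBTGT password counts as stale (assumed threshold, matching the annual reset above).
        [int]$KrbtgtMaxAgeDays = 365
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. KRBTGT password age: a long-lived key keeps forged TGTs (Golden Tickets) valid.
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    if ($age.TotalDays -gt $KrbtgtMaxAgeDays) {
        $findings.Add([pscustomobject]@{
            Check  = 'KRBTGT password age'
            Object = $krbtgt.DistinguishedName
            Detail = "Last set $([int]$age.TotalDays) days ago (threshold $KrbtgtMaxAgeDays days)"
        })
    }

    # 2. Kerberoastable privileged accounts: protected users (adminCount=1) that also carry an SPN.
    #    krbtgt legitimately holds the kadmin/changepw SPN and is excluded.
    Get-ADUser -Filter { AdminCount -eq 1 -and ServicePrincipalName -like '*' } -Properties ServicePrincipalName |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check  = 'SPN on privileged account'
                Object = $_.DistinguishedName
                Detail = ($_.ServicePrincipalName -join '; ')
            })
        }

    # 3. Unconstrained delegation on non-DC computers and on user accounts.
    #    Domain controllers (primaryGroupID 516) are expected to carry the flag.
    $delegated  = @(Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties PrimaryGroupID |
                    Where-Object { $_.PrimaryGroupID -ne 516 })
    $delegated += @(Get-ADUser -Filter { TrustedForDelegation -eq $true })
    foreach ($acct in $delegated) {
        $findings.Add([pscustomobject]@{
            Check  = 'Unconstrained delegation'
            Object = $acct.DistinguishedName
            Detail = 'Replace with constrained or resource-based constrained delegation'
        })
    }

    return $findings
}
Get-KerberosHardeningFindings | Format-Table -AutoSize
```

An empty table means none of the three conditions was found; each row names the object to remediate and why.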
5. Deter lateral movement
Deterring lateral movement helps prevent an attacker from moving through systems from computer to computer or across forests. Take these steps to make lateral movement more difficult:
• Where possible, remove local administrator rights from client user accounts. For some users, this action might require a privileged access management (PAM) solution.
• Implement the Local Administrator Password Solution (LAPS) on all member servers and client computers.
• Restrict local administrator group membership to the smallest number of members possible.
6. Actively manage privileged users and group security
In light of recent highly publicized malware and ransomware attacks, organizations should actively manage who has privileged access in AD and enforce least privilege across the forest. Although explaining why access rights must be reduced can be difficult, the change is essential for good governance. Here are some steps to take:
• Minimize privileged group membership. Operators should not require Domain Admin rights.
• Remove administrative permissions granted to service accounts. Applications should not require Domain Admin rights.
• Delegate least-privilege access at the lowest level required.
• Monitor for permission changes on the AdminSDHolder object. (A change here is a strong sign that a privileged account has been compromised.)
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.