Page 122 - Cyber Defense eMagazine September 2022

4. Consider your Kerberos security

Attacks against Kerberos (the primary security protocol used in AD) are on the rise. Here are some steps to take to enhance your Kerberos security:

• Every Active Directory Forest has a KRBTGT account that's used to encrypt user Kerberos ticket-granting tickets (TGT). Protecting the KRBTGT account is an essential piece of protecting the security of your AD environment. Annually reset the KRBTGT account in every domain to mitigate Golden Ticket attacks. My colleague Jorge de Almeida Pinto maintains a widely used KRBTGT reset script.
• Take advantage of recent Kerberos security enhancements and patches. For example, upgrade your Windows Server 2019 domain controllers to take advantage of AES encryption over the older RC4 encryption algorithm (post-upgrade steps are required).
• Remove Service Principal Names (SPNs) assigned to admin accounts. This step eliminates a favorite Kerberoasting path to domain dominance.
• Eliminate unconstrained delegation, which gives a compromised server the ability to act widely on behalf of unsuspecting users.




5. Deter lateral movement

Deterring lateral movement helps prevent an attacker from moving from computer to computer or across forests. Take these steps to make lateral movement more difficult:

• Where possible, remove local administrator rights from client user accounts. For some users, this action might require a privileged access management (PAM) solution.
• Implement the Local Administrator Password Solution (LAPS) on all member servers and client computers.
• Restrict local administrator group membership to the smallest number possible.



6. Actively manage privileged users and group security

In light of recent highly publicized malware and ransomware attacks, organizations should actively manage who has privileged access in AD and enforce least privilege across the forest. Although explaining why access rights must be reduced can be difficult, the change is essential for good governance. Here are some steps to take:

• Minimize privileged group membership. Operators should not require Domain Admin rights.
• Remove administrative permissions granted to service accounts. Applications should not require Domain Admin rights.
• Delegate least privilege access to the lowest level required.
• Monitor for permission changes on the AdminSDHolder object. (If you see a change here, a privileged account has likely been compromised.)
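As an added example (not part of the article, and not the KRBTGT reset script it mentions), the following read-only PowerShell audit reports on the controls from sections 4, 5 and 6 above: KRBTGT key age, privileged accounts that carry SPNs, service accounts not enabled for AES, unconstrained delegation, effective Domain Admins membership and recent AdminSDHolder changes. It assumes the RSAT ActiveDirectory module and a domain account that can read the directory; the function name Invoke-AdHardeningAudit and the 30-day AdminSDHolder window are assumptions of this example.

```powershell
# Added example: read-only audit of the hardening items in sections 4 to 6.
# Assumes the RSAT ActiveDirectory module; nothing in the directory is changed.
Import-Module ActiveDirectory

function Invoke-AdHardeningAudit {
    $domain   = Get-ADDomain
    $findings = @()

    # 4: KRBTGT key age; the article's target is a reset at least once a year.
    $krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $ageDays = ((Get-Date) - $krbtgt.PasswordLastSet).Days
    if ($ageDays -gt 365) { $findings += "KRBTGT password is $ageDays days old" }

    # 4: privileged accounts (adminCount=1) that carry an SPN are Kerberoastable.
    $spnAdmins = Get-ADUser -Filter 'adminCount -eq 1 -and servicePrincipalName -like "*"' `
        -Properties servicePrincipalName
    foreach ($u in $spnAdmins) {
        $findings += "Admin $($u.SamAccountName) has SPN: $($u.servicePrincipalName -join ', ')"
    }

    # 4: accounts with SPNs whose msDS-SupportedEncryptionTypes lacks the AES bits
    # (0x08 AES128, 0x10 AES256). Unset means the domain default, which may be RC4.
    $svc = Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties msDS-SupportedEncryptionTypes
    foreach ($u in $svc) {
        if (($u.'msDS-SupportedEncryptionTypes' -band 0x18) -eq 0) {
            $findings += "Service account $($u.SamAccountName) is not AES-enabled"
        }
    }

    # 4: unconstrained delegation anywhere outside the Domain Controllers OU.
    $unc = @(Get-ADComputer -Filter 'TrustedForDelegation -eq $true') +
           @(Get-ADUser -Filter 'TrustedForDelegation -eq $true')
    foreach ($o in $unc) {
        if ($o.DistinguishedName -notlike '*OU=Domain Controllers,*') {
            $findings += "Unconstrained delegation: $($o.DistinguishedName)"
        }
    }

    # 6: effective Domain Admins membership, nested groups expanded.
    $da = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
    $findings += "Domain Admins has $($da.Count) effective members: $($da.SamAccountName -join ', ')"

    # 6: AdminSDHolder should be static; a recent modification warrants investigation.
    $sdh = Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)" `
        -Properties whenChanged
    if ($sdh.whenChanged -gt (Get-Date).AddDays(-30)) {   # assumed 30-day window
        $findings += "AdminSDHolder modified on $($sdh.whenChanged)"
    }
    return $findings
}

Invoke-AdHardeningAudit | ForEach-Object { Write-Warning $_ }
```

Run it from a workstation with RSAT installed; each line of output maps to one bullet above, so an empty result (apart from the Domain Admins summary) means the listed checks pass.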






            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.