killchain-compendium/Miscellaneous/Active Directory/AD Hardening.md

# Active Directory Hardening

![AD hardening cheat sheet provided by tryhackme.com](./ad_hardening_tryhackme.png "AD Hardening Cheat Sheet provided by tryhackme.com")

## Policy Management Editor 

Can be opened by right clicking on a domain in the Policy Management tool.

### Do Not Store The LM Hash

LM hashes can be bruteforced, disable them under security options in the Windows settings of the group Policy Management Editor
```
Network Security: Do not store LAN Manager hash value on next password change
```

### SMB Signing

Enable SMB signing in the Group Policy Mangement Editor under Security Options of the Local Policies of Windows Settings
```
Microsoft network server: Digitally sign communications (alway)
```

### LDAP Signing

Enable LDAP signin in the Group Policy Mangement Editor under Security Options of the Local Policies of Windows Settings 
```
Domain Controller: LDAP servers signing requirements
```

### Passwords Policies

* Use Multi-factor authentication
* Use Group Managed Service Accounts (gMSAs) and rotate the passwords frequently
* Store a password history, so passwords won't be reused
* Set the password complexity through character pool and length of the password
* Use a passphrase

Set lifetime of passwords in the Group Policy Management Editor under Password Policy of Account Policies under Security Settings
```
Maximum password age
```

## Least Privilege Model

Do not use administrational accounts for everyday work.
Create accounts following these categories

* *User accounts*
* *Privileged accounts*
* *Shared accounts*

### Role Based Access Control (RBAC)

Grant permissions through temporary roles. Do not use Discretionary Access Control (DAC) if possible.

### Tiered Access Models (AD TAM)

Prevention of privileged credentials from crossing boundaries, either accidentally or intentionally.
Similar to the ring model

* *Tier 0*, includes administrational domain accounts, Domain Controller and groups
* *Tier 1*, Domain apps and servers
* *Tier 2*, unprivileged user

### Auditing Accounts

Frequent audits and continuous monitoring of the accounts and groups status and changes.

## Security Compliance Toolkit (MSCT)

Manage and implement domain-level policies via pre-defined baseline policies.


### Installing Security Baselines

Download the [Tools and the 'Security Baseline.zip'](https://www.microsoft.com/en-us/download/details.aspx?id=55319) and install the Powershell script.

### Policy Analyzer 

It is included on [the same site](https://www.microsoft.com/en-us/download/details.aspx?id=55319) as the other tools.

### RDP

Do not expose RDP to the internet without additional security measures in place.

### Publicly Accessible Share

Use `Get-SmbOpenFile` cmdlet to look out for unwanted shares
ad hardening 2023-07-25 21:56:55 +02:00			`# Active Directory Hardening`

fixed url 2023-07-25 22:09:46 +02:00			`![AD hardening cheat sheet provided by tryhackme.com](./ad_hardening_tryhackme.png "AD Hardening Cheat Sheet provided by tryhackme.com")`
restructured Miscaellaneous/Active Directory 2023-07-25 22:07:10 +02:00
ad hardening 2023-07-25 21:56:55 +02:00			`## Policy Management Editor`

			`Can be opened by right clicking on a domain in the Policy Management tool.`

			`### Do Not Store The LM Hash`

			`LM hashes can be bruteforced, disable them under security options in the Windows settings of the group Policy Management Editor`
			```
			`Network Security: Do not store LAN Manager hash value on next password change`
			```

			`### SMB Signing`

			`Enable SMB signing in the Group Policy Mangement Editor under Security Options of the Local Policies of Windows Settings`
			```
			`Microsoft network server: Digitally sign communications (alway)`
			```

			`### LDAP Signing`

			`Enable LDAP signin in the Group Policy Mangement Editor under Security Options of the Local Policies of Windows Settings`
			```
			`Domain Controller: LDAP servers signing requirements`
			```

			`### Passwords Policies`

			`* Use Multi-factor authentication`
			`* Use Group Managed Service Accounts (gMSAs) and rotate the passwords frequently`
			`* Store a password history, so passwords won't be reused`
			`* Set the password complexity through character pool and length of the password`
			`* Use a passphrase`

			`Set lifetime of passwords in the Group Policy Management Editor under Password Policy of Account Policies under Security Settings`
			```
			`Maximum password age`
			```

			`## Least Privilege Model`

			`Do not use administrational accounts for everyday work.`
			`Create accounts following these categories`

			`* User accounts`
			`* Privileged accounts`
			`* Shared accounts`

			`### Role Based Access Control (RBAC)`

			`Grant permissions through temporary roles. Do not use Discretionary Access Control (DAC) if possible.`

			`### Tiered Access Models (AD TAM)`

			`Prevention of privileged credentials from crossing boundaries, either accidentally or intentionally.`
			`Similar to the ring model`

			`* Tier 0, includes administrational domain accounts, Domain Controller and groups`
			`* Tier 1, Domain apps and servers`
			`* Tier 2, unprivileged user`

			`### Auditing Accounts`

			`Frequent audits and continuous monitoring of the accounts and groups status and changes.`

			`## Security Compliance Toolkit (MSCT)`

			`Manage and implement domain-level policies via pre-defined baseline policies.`


			`### Installing Security Baselines`

			`Download the [Tools and the 'Security Baseline.zip'](https://www.microsoft.com/en-us/download/details.aspx?id=55319) and install the Powershell script.`

			`### Policy Analyzer`

			`It is included on [the same site](https://www.microsoft.com/en-us/download/details.aspx?id=55319) as the other tools.`

			`### RDP`

			`Do not expose RDP to the internet without additional security measures in place.`

			`### Publicly Accessible Share`

			Use `Get-SmbOpenFile` cmdlet to look out for unwanted shares