killchain-compendium/Miscellaneous/Active Directory/AD Hardening.md
2023-07-25 21:56:55 +02:00
# Active Directory Hardening
![AD hardening cheat sheet provided by tryhackme.com](./ad_hardening_tryhackme.png "AD Hardening Cheat Sheet provided by tryhackme.com")
## Policy Management Editor
It can be opened by right-clicking a domain in the Group Policy Management tool.
### Do Not Store The LM Hash
LM hashes can be brute-forced, so disable their storage under Security Options in the Windows Settings of the Group Policy Management Editor:
```
Network Security: Do not store LAN Manager hash value on next password change
```
### SMB Signing
Enable SMB signing in the Group Policy Management Editor under Security Options of the Local Policies of Windows Settings:
```
Microsoft network server: Digitally sign communications (always)
```
```
### LDAP Signing
Enable LDAP signing in the Group Policy Management Editor under Security Options of the Local Policies of Windows Settings:
```
Domain controller: LDAP server signing requirements
```
```
### Password Policies
* Use multi-factor authentication
* Use Group Managed Service Accounts (gMSAs) and rotate their passwords frequently
* Store a password history so that passwords cannot be reused
* Set the password complexity through the character pool and the length of the password
* Use a passphrase

Set the lifetime of passwords in the Group Policy Management Editor under Password Policy of Account Policies under Security Settings:
```
Maximum password age
```
## Least Privilege Model
Do not use administrative accounts for everyday work.
Create accounts following these categories:
* *User accounts*
* *Privileged accounts*
* *Shared accounts*
### Role Based Access Control (RBAC)
Grant permissions through temporary roles. Do not use Discretionary Access Control (DAC) if possible.
### Tiered Access Models (AD TAM)
Prevents privileged credentials from crossing tier boundaries, either accidentally or intentionally.
Similar to the ring model:
* *Tier 0*, includes administrative domain accounts, Domain Controllers and groups
* *Tier 1*, domain apps and servers
* *Tier 2*, unprivileged users
### Auditing Accounts
Perform frequent audits and continuous monitoring of the status of, and changes to, accounts and groups.
## Security Compliance Toolkit (MSCT)
Manage and implement domain-level policies via pre-defined baseline policies.
### Installing Security Baselines
Download the [tools and the 'Security Baseline.zip'](https://www.microsoft.com/en-us/download/details.aspx?id=55319) and install the baselines with the included PowerShell script.
### Policy Analyzer
It is included on [the same site](https://www.microsoft.com/en-us/download/details.aspx?id=55319) as the other tools.
### RDP
Do not expose RDP to the internet without additional security measures in place.
### Publicly Accessible Shares
Use the `Get-SmbOpenFile` cmdlet to look out for unwanted shares.
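As an added example (not part of the compendium), the following PowerShell audit reads the effective values behind the GPO settings listed above straight from the registry, reports the domain's maximum password age, and lists non-hidden SMB shares that grant access to Everyone. It assumes it runs elevated on a domain controller with the ActiveDirectory module installed; the registry paths are the standard locations these policies write to.

```powershell
# Hardening audit for the settings discussed above (added example, not from the compendium).
# Assumes an elevated session on a domain controller with the ActiveDirectory module.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent => setting is not enforced on this host
}

$checks = @(
    @{ Setting  = 'Do not store LM hash'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'NoLMHash'; Expected = 1 },
    @{ Setting  = 'SMB server: Digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name     = 'RequireSecuritySignature'; Expected = 1 },
    @{ Setting  = 'Domain controller: LDAP server signing requirements'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name     = 'LDAPServerIntegrity'; Expected = 2 }   # 2 = Require signing
)

foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    $state  = if ($actual -eq $c.Expected) { 'OK' } else { 'NOT ENFORCED' }
    '{0,-55} actual={1} expected={2} {3}' -f $c.Setting, $actual, $c.Expected, $state
}

# Maximum password age and history length from the default domain password policy
$policy = Get-ADDefaultDomainPasswordPolicy
'Maximum password age: {0} days (password history: {1})' -f `
    $policy.MaxPasswordAge.Days, $policy.PasswordHistoryCount

# Non-hidden shares, flagging any that have an Allow entry for Everyone
Get-SmbShare | Where-Object { $_.Name -notlike '*$' } | ForEach-Object {
    $everyone = Get-SmbShareAccess -Name $_.Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
    [pscustomobject]@{
        Share           = $_.Name
        Path            = $_.Path
        EveryoneAllowed = [bool]$everyone
    }
}
```

Any line reporting `NOT ENFORCED`, or a share with `EveryoneAllowed` set to `True`, is a finding to take back to the corresponding GPO setting or share ACL.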