From 12ff223c5201cb10ccb601beaa263baf81d5c139 Mon Sep 17 00:00:00 2001 From: whackx Date: Tue, 25 Jul 2023 21:56:55 +0200 Subject: [PATCH] ad hardening --- .../Active Directory/ad_hardening.md | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 Miscellaneous/Active Directory/ad_hardening.md diff --git a/Miscellaneous/Active Directory/ad_hardening.md b/Miscellaneous/Active Directory/ad_hardening.md new file mode 100644 index 0000000..99e2f94 --- /dev/null +++ b/Miscellaneous/Active Directory/ad_hardening.md 
@@ -0,0 +1,86 @@ +# Active Directory Hardening + +## Policy Management Editor + +Can be opened by right clicking on a domain in the Policy Management tool. + +### Do Not Store The LM Hash + +LM hashes can be bruteforced, disable them under security options in the Windows settings of the group Policy Management Editor +``` +Network Security: Do not store LAN Manager hash value on next password change +``` + +### SMB Signing + +Enable SMB signing in the Group Policy Mangement Editor under Security Options of the Local Policies of Windows Settings +``` +Microsoft network server: Digitally sign communications (alway) +``` + +### LDAP Signing + +Enable LDAP signin in the Group Policy Mangement Editor under Security Options of the Local Policies of Windows Settings +``` +Domain Controller: LDAP servers signing requirements +``` + +### Passwords Policies + +* Use Multi-factor authentication +* Use Group Managed Service Accounts (gMSAs) and rotate the passwords frequently +* Store a password history, so passwords won't be reused +* Set the password complexity through character pool and length of the password +* Use a passphrase + +Set lifetime of passwords in the Group Policy Management Editor under Password Policy of Account Policies under Security Settings +``` +Maximum password age +``` + +## Least Privilege Model + +Do not use administrational accounts for everyday work. +Create accounts following these categories + +* *User accounts* +* *Privileged accounts* +* *Shared accounts* + +### Role Based Access Control (RBAC) + +Grant permissions through temporary roles. Do not use Discretionary Access Control (DAC) if possible. + +### Tiered Access Models (AD TAM) + +Prevention of privileged credentials from crossing boundaries, either accidentally or intentionally. 
+Similar to the ring model + +* *Tier 0*, includes administrational domain accounts, Domain Controller and groups +* *Tier 1*, Domain apps and servers +* *Tier 2*, unprivileged user + +### Auditing Accounts + +Frequent audits and continuous monitoring of the accounts and groups status and changes. + +## Security Compliance Toolkit (MSCT) + +Manage and implement domain-level policies via pre-defined baseline policies. + + +### Installing Security Baselines + +Download the [Tools and the 'Security Baseline.zip'](https://www.microsoft.com/en-us/download/details.aspx?id=55319) and install the Powershell script. + +### Policy Analyzer + +It is included on [the same site](https://www.microsoft.com/en-us/download/details.aspx?id=55319) as the other tools. + +### RDP + +Do not expose RDP to the internet without additional security measures in place. + +### Publicly Accessible Share + +Use `Get-SmbOpenFile` cmdlet to look out for unwanted shares
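Review bot: the "Publicly Accessible Share" section at the end of the hunk names the wrong cmdlet: `Get-SmbOpenFile` enumerates files currently open over SMB sessions, not the shares themselves, so it says nothing about an unwanted share that nobody happens to be reading at that moment; use `Get-SmbShare` to list the shares and `Get-SmbShareAccess -Name <share>` to see who is granted access to each. Second, the three policy fences name the setting but never the value to set, while the prose says "enable" or "disable": state "Enabled" for `Network Security: Do not store LAN Manager hash value on next password change` and `Microsoft network server: Digitally sign communications (always)` ("alway" is a typo), and "Require signing" for `Domain controller: LDAP server signing requirements` (singular "server", lowercase "controller" as it appears in the editor); the SMB section should also mention the matching `Microsoft network client: Digitally sign communications (always)` setting, since the server-side policy alone does not protect clients talking to other hosts. Third, "Use Group Managed Service Accounts (gMSAs) and rotate the passwords frequently" is misleading: gMSA passwords are generated and rotated by the domain controllers automatically (every 30 days by default), which is the reason to use them; the manual-rotation advice applies to ordinary service accounts. Smaller points: "Mangement" (twice) and "signin" are typos; in the standard tiered model Tier 2 covers workstations and user devices, not only "unprivileged user"; and the "Policy Analyzer" section only says where to download the tool without saying what it is for (comparing a machine's effective or GPO settings against the baseline), so one sentence there would help.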