Security Hardening & Auditing for Active Directory
A quick summary of Active Directory to get us started. Active Directory is a Microsoft product which runs several services on a Windows server to manage user permissions and access to networked resources. It stores data as objects – which can be users, groups, applications or devices. These are further defined as either resources – such as printers or computers, or security principals – such as users or groups.
From the above, you will understand just how important it is to secure your Active Directory properly. This can be done in a number of ways including hardening, auditing and detection rules.
The first step you should take is hardening your active directory against known attacks and following best practices. There are a lot of great articles out there to follow, starting with the official guide from Microsoft, found here. This contains important topics such as reducing the attack surface, audit policy recommendations and implementing least privilege administrative models.
Next up, activedirectorypro, which details 25 best practices to follow to secure your Active Directory. This contains tips on securing domain admins, local administrators, audit policies, monitoring AD for compromise, password policies, vulnerability scanning and much more.
Finally in terms of long read best practices articles, “The Ultimate Guide to Active Directory Best Practices” from DNSstuff. Like the previous two articles, this covers all important steps to secure your Active Directory.
Domain trusts are an important part of Active Directory security which most not be ignored. Here are some useful articles to understand domain trusts and ensure proper security processes are followed.
- Active Directory Trusts
- Top Ten Issues with Active Directory Trusts and Corporate Mergers
- Fundamentals of Active Directory Trust Relationships
Sven also mentions the importance of securely setting up domain trusts. Along with this, he mentions upgrading DC’s to at least 2016. See this article which details the process of upgrading your DC’s to 2016 along with understanding functional levels. Also see the second comment which details further tips to securely use and set up your domain controllers.
Even though Active Directory is the main focus, ensure you do not forget about any *nix systems connected to your active directories. Dependent on the connected systems, ensure they are also configured securely using best practices.
The main point I would like to concentrate on is securing privileged access. Incorrectly setup access is one of the main causes of issues and the article provided by Nathan is great to resolve these. Check the article regarding securing privileged access out here. Also don’t forget to checkout PingCastle and Bloodhound tools.
AUDITING
Once you believe you have followed the best practices and hardening, the next step is auditing your environment to see where your Active Directory is still vulnerable.
You should use tools such as BloodHound and PingCastle to audit your Active Directory environment.
Lets start with BloodHound, this article from ZephrFish details well what BloodHound is, what it is used for; and how to use it.
Also mentioned is PingCastle. This is a similar tool which can also be used to audit Active Directory environments. Read more about PingCastle here and learn how to use the tool here.
These tools will allow you to find the existing issues in your environment. Take these issues and go back to the start of this post and see the best practices guide to resolve them. Once you are happy that your Active Directory is set up securely, the next step is monitoring rules to detect when malicious actors are attempting to attack your environment.
DETECTION RULES
Once your Active Directory environment has been set up securely and audited, the next step is setting up monitoring rules using a SIEM. To learn more about SIEM, check out my “Learn SIEM for free” article.
As always, there are a large amount of rules in the Sigma repository which we can use to monitor Active Directory. The rules can be found in this directory. Please check the log source > definition under each rule which details the audit / log requirements for each rule.
There were also a couple useful comments regarding detection rules.
UltimateWindowsSecurity have a fantastic list of Windows Security Event’s. They have lots of useful information around WSEL and examples which help you understand them better. Larry is also working on a list of rules which you can check out here.
Sysmon allows for a much more detailed monitoring of events and should always be deployed on domain controllers. See the guide from Microsoft here which explains what Sysmon is, what it can be used for and how to set it up. Once setup, Sysmon logs can be sent to a central SIEM for more accurate monitoring of events. The SIGMA repository above has some rules which require Sysmon. For a more in depth look into Sysmon, check out this guide from Varonis.
WHAT NEXT
At this point you will now have your Active Directory set up securely, audited and well monitored. I hope you have found this article useful and learned something from it. I’d like to thank everyone again who replied to the thread with useful resources, points and articles of their own.