```
├── Layout.png
├── Layout_New.png
├── README.md
├── internal_network_security_cheat_sheet.pdf
├── lateral_movement_detection_basic_gpo_settings.pdf
├── measures_acc.md
├── measures_config.md
├── measures_network.md
├── measures_org.md
└── measures_pw.md
```

/Layout.png: https://raw.githubusercontent.com/CompassSecurity/OnPremSecurityBestPractices/5529fe8695b0c7d95893072395636f00f77ef3fb/Layout.png

/Layout_New.png: https://raw.githubusercontent.com/CompassSecurity/OnPremSecurityBestPractices/5529fe8695b0c7d95893072395636f00f77ef3fb/Layout_New.png

/README.md:

# Security Best Practices for On-Premise Environments

# Table of contents
1. [Introduction](#introduction)
    1. [Active Directory Administrative Tier Model](#adatm)
    2. [Enterprise Access Model](#eam)
2. [Categorization of Measures](#categorization)
3. [Measures](#measures)
    1. [Organizational Measures](#measures_org)
    2. [Configurational Measures](#measures_config)
    3. [Account & Privilege Management Measures](#measures_acc)
    4. [Password Management Measures](#measures_pw)
    5. [Network Measures](#measures_network)
4. [Tools](#tools)


## Introduction
This guide aims to help businesses increase the security of an enterprise Windows Active Directory environment while focusing on the most important points.
It is based on Microsoft best practices and on lessons learned from dozens of penetration tests conducted by Compass Security in the past.
Implementation guidelines for the different measures are kept to a minimum, and references to more detailed guidelines are provided where necessary.


### Active Directory Administrative Tier Model
Microsoft's tiered administrative model was introduced many years ago with the goal of helping customers secure their on-premise infrastructure against cyberattacks and malware.
The purpose of this tier model is to protect identity systems (e.g. Active Directory Domain Controllers) using a set of buffer zones between full control of the environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise.
Dividing the systems and user permissions in the environment into different tiers (Tier 0, Tier 1 and Tier 2) and preventing administrators from logging in interactively to other tiers reduces the impact of a compromise of lower-tier systems such as workstations.

![Three Tier Model Layout](Layout.png)
> Image adapted from [Microsoft's Legacy Tier Model](https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model)
- **Tier 0** includes accounts, groups and systems that have administrative control of the AD forest. Tier 0 administrators can manage and control assets in all tiers but only log in interactively to Tier 0 assets. I.e. a domain administrator can never interactively log in to a Tier 2 asset.

- **Tier 1** contains domain member servers and applications with sensitive business data. Tier 1 administrators can access Tier 1 or Tier 0 assets (network logon only) but can only manage Tier 1 or Tier 2 assets. Tier 1 administrators can only log on interactively to Tier 1 assets.

- **Tier 2** is for end-user devices (e.g. notebooks and workstations). Tier 2 administrators can access all tier assets (network logon) as necessary but can only manage Tier 2 assets. Tier 2 admins can only log in interactively to Tier 2 assets.

This guide will help you to implement the important points of the administrative tier model.


### Enterprise Access Model
Nowadays more and more companies have a hybrid environment, where part of the infrastructure is in the cloud and part on-premise. Since the administrative tier model focuses on containing unauthorized escalation of privilege in an on-premises Windows Server Active Directory environment, Microsoft superseded it with the enterprise access model, which is adapted to the hybrid world.

In comparison to the old tier model, the enterprise access model introduces a higher degree of separation between controls over critical business and technical assets. In addition, it also addresses the requirements of a modern enterprise that spans on-premises, multiple clouds, internal or external user access, and more.
![Enterprise Access Model Layout](Layout_New.png)
> Image adapted from [Microsoft's Enterprise Access Model](https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model)
- **1. Data / Workload Plane:** Contains the business value of the organization (e.g. business processes, intellectual property).
- **2. Management Plane:** Used to manage and support the workloads and the infrastructure they are hosted on.
- **3. Control Plane:** Provides consistent access control to all systems across the enterprise based on centralized enterprise identity systems (e.g. Active Directory, IAM/PAM), including networking where it is the only or best access control option, such as for legacy OT systems.
- **4. User and App Access:** Provides access to internal users, partners and customers using their workstations or devices (often via remote access solutions) and to applications for process automation (APIs).
- **5. Privileged Access:** Provides access to IT staff, developers or other highly privileged users who manage and maintain the systems. Because of the high level of control they provide over business-critical assets in the organization, these pathways must be strictly protected against compromise.

The complete Microsoft documentation about the enterprise access model can be found here:
https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model

While the measures in this guide primarily focus on the on-premises environment, they will also help you to implement some key points of the enterprise access model.


## Categorization of Measures
The measures are categorized based on how they need to be addressed.
The following categories of measures are defined:
- **Organizational Measures:** Defining processes, training of employees, etc.
- **Configurational Measures:** Settings which have to be configured on workstations and servers.
- **Account & Privilege Management Measures:** Creation of accounts and allocation of permissions.
- **Password Management Measures:** Defining and enforcing strong password policies.
- **Network Measures:** Segregation of the network, use of firewalls, etc.


## Measures


### [Organizational Measures](measures_org.md)
Recommendation | Purpose | Priority
----------|-------------|------:
[Implement monitoring](measures_org.md#implement-monitoring) | Detect security issues early and enable forensic readiness | A
[Perform regular off-site backups](measures_org.md#perform-regular-off-site-backups) | Data restoration after ransomware or similar attacks | A
[Implement patch management process](measures_org.md#implement-patch-management-process) | Mitigate exploits of known vulnerabilities | A
[Maintain Hardware and Software Inventory](measures_org.md#maintain-hardware-and-software-inventory) | Be able to distinguish between legitimate and malicious components | A
[Use group based access control](measures_org.md#use-group-based-access-control) | Limit access from compromised accounts | A
[Separate Tier-0 management services](measures_org.md#separate-tier-0-management-services) | Prevent lateral movement to Tier-0 | A
[Introduce privileged access workstations](measures_org.md#introduce-privileged-access-workstations) | Limit lateral movement from the workstation tier to the server and domain controller tier | A
[Do regular reviews & vulnerability assessments](measures_org.md#do-regular-reviews---vulnerability-assessments) | Detect misconfigurations, excessive privileges, unpatched or outdated systems | A
[Define emergency processes](measures_org.md#define-emergency-processes) | Predefined plans and trained employees allow efficient response to a cyberattack | A
[Train employees on IT security best practices](measures_org.md#train-employees-on-it-security-best-practices) | Higher awareness of cyber attacks | A
[Use personalized accounts](measures_org.md#use-personalized-accounts) | Enable accountability and traceability | B
[Implement four eyes principle](measures_org.md#implement-four-eyes-principle) | Mitigate internal fraud or mistakes in business tasks | B
[Use golden images](measures_org.md#use-golden-images) | Avoid configuration mistakes by providing an identical security baseline | B


### [Configurational Measures](measures_config.md)
Recommendation | Purpose | Priority
----------|-------------|------:
[Install EDR or Antivirus](measures_config.md#install-edr-or-antivirus) | Block malware and common attacks | A
[Enforce SMB & LDAP signing](measures_config.md#enforce-smb-and-ldap-signing) | Limit privilege escalation within the internal network | A
[Disable or restrict macros](measures_config.md#disable-or-restrict-macros) | Block malware which is spread via office documents | A
[Enforce Multi-Factor Authentication](measures_config.md#enforce-multi-factor-authentication) | Limit malicious access to systems and services | A
[Enforce BitLocker on clients](measures_config.md#enforce-bitlocker-on-clients) | Protect data on hard disks from malicious access | A
[Implement hardening of domain controllers](measures_config.md#implement-hardening-of-domain-controllers) | Limit attack surface on domain controllers | A
[Implement hardening of other systems](measures_config.md#implement-hardening-of-other-systems) | Limit attack surface on all systems | A
[Deploy strictly configured host-based firewalls](measures_config.md#deploy-strictly-configured-host-based-firewalls) | Limit lateral movement within the internal network | A
[Disable Spooler service](measures_config.md#disable-spooler-service) | Limit privilege escalation within the internal network | A
[Enable detailed audit logs](measures_config.md#enable-detailed-audit-logs) | Traceability of events and evidence for forensic analysis | A
[Raise Active Directory function level](measures_config.md#raise-active-directory-function-level) | Enable new security mechanisms introduced with newer Windows versions | B
[Enable Credential Guard](measures_config.md#enable-credential-guard) | Protect stored credentials on systems from certain attacks | B
[Enable AppLocker](measures_config.md#enable-applocker) | Limit execution of software and tools | B
[Limit cached credentials](measures_config.md#limit-cached-credentials) | Reduce the exposure of password hashes to password cracking attacks | C


### [Account & Privilege Management Measures](measures_acc.md)
Recommendation | Purpose | Priority
----------|-------------|------:
[Remove local administrator rights](measures_acc.md#remove-local-administrator-rights) | Reduce the attack surface and limit impact of malware | A
[Assign permissions according to the Least Privilege Principle](measures_acc.md#assign-permissions-according-to-the-least-privilege-principle) | Limit permission abuse & privilege escalation attacks | A
[Minimize high privileged administrator accounts](measures_acc.md#minimize-high-privileged-administrator-accounts) | Limit privilege escalation attacks within the internal network | A
[Implement least-privilege administrative model](measures_acc.md#implement-least-privilege-administrative-model) | Limit privilege escalation attacks within the internal network | A
[Deny logon to other tiers](measures_acc.md#deny-logon-to-other-tiers) | Limit privilege escalation attacks within the internal network | A
[Add sensitive accounts to protected users group](measures_acc.md#add-sensitive-accounts-to-protected-users-group) | Protect highly privileged accounts from credential theft | A
[Disable high privileged account delegation](measures_acc.md#disable-high-privileged-account-delegation) | Protect highly privileged accounts from credential theft | A
[Configure Exchange split permissions](measures_acc.md#configure-exchange-split-permissions) | Limit privilege escalation attacks within the internal network | B
[Review unconstrained delegation systems](measures_acc.md#review-unconstrained-delegation-systems) | Reduce risk of credential theft | B
[Limit users who can add systems to domain](measures_acc.md#limit-users-who-can-add-systems-to-domain) | Limit privilege escalation attacks within the internal network | B
[Use group managed service accounts](measures_acc.md#use-group-managed-service-accounts) | Reduce the possibility of password cracking | C


### [Password Management Measures](measures_pw.md)
Recommendation | Purpose | Priority
----------|-------------|------:
[Enforce strong password policy](measures_pw.md#enforce-strong-password-policy) | Reduce the possibility of password guessing or password cracking | A
[Use unique local administrator credentials](measures_pw.md#use-unique-local-administrator-credentials) | Limit lateral movement within the internal network | A
[Require password for every account](measures_pw.md#require-password-for-every-account) | Limit compromise of accounts and systems | A
[Change default credentials](measures_pw.md#change-default-credentials) | Limit compromise of accounts and systems | A
[Force change of initial passwords](measures_pw.md#force-change-of-initial-passwords) | Reduce the possibility of password guessing | A
[Store credentials securely](measures_pw.md#store-credentials-securely) | Limit compromise of accounts and systems | A
[Configure account lockout](measures_pw.md#configure-account-lockout) | Limit compromise of accounts and systems | A
[Configure strong password on service accounts with SPN](measures_pw.md#configure-strong-password-on-service-accounts-with-spn) | Reduce the possibility of offline password cracking | A
[Review accounts with never expiring password](measures_pw.md#review-accounts-with-never-expiring-password) | Limit compromise of accounts | B
[Enable Kerberos Pre-Authentication](measures_pw.md#enable-kerberos-pre-authentication) | Reduce the possibility of offline password cracking | B
[Change krbtgt password regularly](measures_pw.md#change-krbtgt-password-regularly) | Limit Golden Ticket attacks | B


### [Network Measures](measures_network.md)
Recommendation | Purpose | Priority
----------|-------------|------:
[Implement network segmentation & segregation](measures_network.md#implement-network-segmentation---segregation) | Limit lateral movement within the internal network | A
[Use mail gateway with malware detection](measures_network.md#use-mail-gateway-with-malware-detection) | Prevent delivery of malware via email to the end user | A
[Secure WiFi networks](measures_network.md#secure-wifi-networks) | Limit attacks on the internal network | A
[Exclusively use encrypted protocols](measures_network.md#exclusively-use-encrypted-protocols) | Limit eavesdropping on the internal network | A
[Restrict outbound traffic and deploy filtering proxy](measures_network.md#restrict-outbound-traffic-and-deploy-filtering-proxy) | Detect and block malicious connections | A
[Deploy Network Access Control (NAC)](measures_network.md#deploy-network-access-control--nac-) | Limit network access of malicious devices | B
[Deploy DNS sinkhole](measures_network.md#deploy-dns-sinkhole) | Limit malicious DNS queries | C


## Tools
The following tools can be helpful for identifying issues in a network.

***Bloodhound***
Collects information about accounts, relationships and permissions in an Active Directory.
The following blog article can help you to get started with the tool: https://blog.compass-security.com/2019/12/finding-active-directory-attack-paths-using-bloodhound/
URL: https://github.com/BloodHoundAD/BloodHound

***Snaffler***
This tool can be used to search shares and local drives for sensitive data (specific file types and keywords or patterns within files).
URL: https://github.com/SnaffCon/Snaffler

***PingCastle***
Generates a report about different configurations and policies (e.g. password policies) in the Active Directory.
URL: https://www.pingcastle.com

***Nmap***
Nmap is a tool to scan networks for hosts and services by sending packets and analyzing the responses.
URL: https://nmap.org/

***CIS Benchmarks***
The Center for Internet Security (CIS) provides benchmarks and tools to verify security best practices for different operating systems and services.
URL: https://www.cisecurity.org/cis-benchmarks/

More tools can be found in our Security Resources link collection on GitHub:
https://git.io/secres

/internal_network_security_cheat_sheet.pdf: https://raw.githubusercontent.com/CompassSecurity/OnPremSecurityBestPractices/5529fe8695b0c7d95893072395636f00f77ef3fb/internal_network_security_cheat_sheet.pdf

/lateral_movement_detection_basic_gpo_settings.pdf: https://raw.githubusercontent.com/CompassSecurity/OnPremSecurityBestPractices/5529fe8695b0c7d95893072395636f00f77ef3fb/lateral_movement_detection_basic_gpo_settings.pdf
/measures_acc.md:

[Back to Overview](README.md)
# Account & Privilege Management Measures

# Table of contents
- [Introduction](#introduction)
- [Measures](#measures)
  * [Remove local administrator rights](#remove-local-administrator-rights)
  * [Assign permissions according to the Least Privilege Principle](#assign-permissions-according-to-the-least-privilege-principle)
  * [Minimize high privileged administrator accounts](#minimize-high-privileged-administrator-accounts)
  * [Implement least-privilege administrative model](#implement-least-privilege-administrative-model)
  * [Deny logon to other tiers](#deny-logon-to-other-tiers)
  * [Add sensitive accounts to protected users group](#add-sensitive-accounts-to-protected-users-group)
  * [Disable high privileged account delegation](#disable-high-privileged-account-delegation)
  * [Configure Exchange Split Permissions](#configure-exchange-split-permissions)
  * [Review unconstrained delegation systems](#review-unconstrained-delegation-systems)
  * [Limit users who can add systems to domain](#limit-users-who-can-add-systems-to-domain)
  * [Use group managed service accounts](#use-group-managed-service-accounts)


## Introduction
Account and Privilege Management Measures make sure that users and services have only the minimum privileges required and that highly privileged accounts are protected appropriately.


## Measures

### Remove Local Administrator Rights
Local administrator rights on workstations (and possibly also on servers) have to be removed from all users except a separate local account which is managed by LAPS.
If local administrator rights are required, they should be provided only temporarily, for a limited amount of time.
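
As an added example (not part of the original guide), the following PowerShell script applies this check to a whole set of domain computers and reports every member of the local Administrators group that is neither the LAPS-managed account nor on a short allowlist. The account name `LAPSAdmin`, the group `WS-Admins` and the OU path are assumptions to be replaced with your own values.

```powershell
# Added example: audit local Administrators group membership across domain computers.
# Assumptions (adjust to your environment): the LAPS-managed local account is 'LAPSAdmin',
# Tier-2 workstation admins are in the domain group 'WS-Admins', and workstations live in
# OU=Workstations. Requires the ActiveDirectory module and PowerShell Remoting (WinRM) to the targets.
Import-Module ActiveDirectory

$LapsAccount   = 'LAPSAdmin'                           # assumption: your LAPS-managed account
$AllowedGroups = @("$env:USERDOMAIN\Domain Admins",    # expected member, but should itself be minimized
                   "$env:USERDOMAIN\WS-Admins")        # assumption: Tier-2 admin group

# Assumption: adjust the SearchBase to the OU(s) holding your workstations/servers.
$Computers = Get-ADComputer -SearchBase 'OU=Workstations,DC=DOMAIN,DC=COM' -Filter 'Enabled -eq $true' |
             Select-Object -ExpandProperty Name

$Findings = foreach ($Computer in $Computers) {
    try {
        # Get-LocalGroupMember returns Name (DOMAIN\name), ObjectClass and PrincipalSource (Local/ActiveDirectory)
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
        }
    } catch {
        Write-Warning "$Computer`: could not query local group ($($_.Exception.Message))"
        continue
    }
    foreach ($Member in $Members) {
        $IsLaps    = ($Member.PrincipalSource -eq 'Local') -and ($Member.Name -like "*\$LapsAccount")
        # The built-in local Administrator cannot be removed from the group; it should be disabled instead.
        $IsBuiltin = ($Member.PrincipalSource -eq 'Local') -and ($Member.Name -like '*\Administrator')
        $IsAllowed = $AllowedGroups -contains $Member.Name
        if (-not ($IsLaps -or $IsBuiltin -or $IsAllowed)) {
            [pscustomobject]@{
                Computer = $Computer
                Member   = $Member.Name
                Type     = $Member.ObjectClass
                Source   = $Member.PrincipalSource
            }
        }
    }
}

# Every row is a local administrator right that should be removed or made temporary.
$Findings | Sort-Object Computer, Member | Format-Table -AutoSize
```
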

As seen in the [Microsoft Vulnerability Report 2021 by BeyondTrust](https://www.beyondtrust.com/resources/whitepapers/microsoft-vulnerability-report), 70% of the critical vulnerabilities could be mitigated by simply removing local administrator rights.

To list the local administrators on the current system and their source, you can use the following PowerShell command:
`Get-LocalGroupMember -Group Administrators`

### Assign Permissions According to the Least Privilege Principle
The permissions of all accounts should be granted according to the least privilege principle. Only the minimum permissions required by a user or a service should be available to the account. Accounts should therefore also be separated by certain aspects, e.g. tasks (support account, database administrator, daily business like reading emails, ...), classification (public, internal, confidential, ...), environment (test, preproduction, production, ...) etc.

A tool like [BloodHound](https://github.com/BloodHoundAD/BloodHound) can be used to audit the permissions in the Active Directory.
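
As an added example that is not part of the original guide, the following PowerShell script audits the members of the high-privileged groups listed in the next section and checks, for each user, the protections the later sections ask for: membership in the Protected Users group and the "account is sensitive and cannot be delegated" flag. The break-glass account name `breakglass-admin` is an assumption; it is the one domain admin the guide allows to stay out of Protected Users.

```powershell
# Added example: least-privilege audit of the high-privileged AD groups.
# For every (also nested) user member it reports whether the account is enabled, is in
# 'Protected Users', has AccountNotDelegated set, and when it last logged on.
# Requires the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                      'Schema Admins', 'Account Operators', 'Backup Operators',
                      'Print Operators', 'Server Operators')

# Assumption: one documented emergency account is deliberately kept out of Protected Users.
$BreakGlassAccount = 'breakglass-admin'

# Resolve Protected Users once; membership is compared by DistinguishedName.
$ProtectedUsers = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                  Select-Object -ExpandProperty DistinguishedName

$Report = foreach ($Group in $PrivilegedGroups) {
    $GroupObj = Get-ADGroup -Filter "Name -eq '$Group'" -ErrorAction SilentlyContinue
    if (-not $GroupObj) { Write-Warning "Group '$Group' not found"; continue }

    # -Recursive flattens nested groups so indirect members are not overlooked.
    Get-ADGroupMember -Identity $GroupObj -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.DistinguishedName -Properties AccountNotDelegated, LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group            = $Group
                User             = $User.SamAccountName
                Enabled          = $User.Enabled
                InProtectedUsers = $ProtectedUsers -contains $User.DistinguishedName
                NotDelegated     = [bool]$User.AccountNotDelegated
                LastLogon        = $User.LastLogonDate
                PasswordLastSet  = $User.PasswordLastSet
            }
        }
}

# Findings: privileged users missing either protection (the break-glass account is expected and excluded).
Write-Host "Privileged users without Protected Users membership or without the not-delegated flag:"
$Report | Where-Object { (-not $_.InProtectedUsers -or -not $_.NotDelegated) -and $_.User -ne $BreakGlassAccount } |
    Sort-Object Group, User | Format-Table -AutoSize

# The full table also exposes stale privileged accounts (old LastLogon) that should be removed.
Write-Host "Full privileged group membership:"
$Report | Sort-Object Group, User | Format-Table -AutoSize
```
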

### Minimize High-Privileged Administrator Accounts
Review all the accounts in the high-privileged administrative groups and remove unnecessary privileges where possible:
- Domain Admins
- Enterprise Admins
- BUILTIN\Administrators
- Schema Admins
- Account Operators
- Backup Operators
- Print Operators
- Server Operators

To check the members of these groups you can use the following PowerShell command and specify the respective group name in the CN property:
`([adsisearcher]"(&(ObjectClass=Group)(CN=Domain Admins))").FindAll() | % { Write-Host $_.Properties['member'] }`

For further information, see Microsoft's documentation about Active Directory security groups: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

### Implement Least-Privilege Administrative Model
In security assessments of Active Directory domains, we often find an excessive number of accounts that have been granted rights and permissions far beyond those required to perform day-to-day work. This can quickly lead to a compromise of the domain by an attacker, because it is usually trivial to perform pass-the-hash and other credential-stealing attacks.

To partly mitigate this, hardening of administrative accounts is necessary. For this, consider the following key points:
- The built-in local Administrator account should never be used as a service account nor to log on to local computers (except in Safe Mode)
  → Apply security controls to disable the Administrator account and deny remote logons (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-h--securing-local-administrator-accounts-and-groups)
- The built-in domain Administrator account should only be used for initial build and disaster recovery
  → Add security controls to disable the Administrator account, prevent delegation, deny remote logons and enable smart card for interactive logon (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory)
  → Configure auditing of the disabled built-in Administrator accounts
- **When admin access is required:**
  - Access should be provided according to the administrative tier model (e.g. by creating separate admin groups for every tier)
  - Access should only be provided temporarily (e.g. by adding accounts to those groups only for a limited time)
    → Create management accounts for protected groups (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/appendix-i--creating-management-accounts-for-protected-accounts-and-groups-in-active-directory)
  - All changes should be performed under supervision and be audited
    → Privileged identity/access management software (PIM/PAM) or manual procedures
- It should be possible to perform disaster recovery on the whole forest
  → Apply security controls to the domain controllers OU in each domain of the forest that allow local and remote logon for the Built-in Administrators group (only!)
- Modifications to the properties or membership of the administrative groups should be monitored
  → Auditing should be configured, alerting to AD owners set up and processes defined

For complete documentation about how to implement these points, please refer to the following Microsoft documentation: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models

### Deny Logon to Other Tiers
One of the important points of the tiering model is that accounts in a tier are denied logon to systems within other tiers.
For this, some Group Policy Objects (GPOs) have to be configured and applied.

A minimum setup would be:
- An organizational unit (OU) for each tier (in reality this would be split into more OUs)
- A GPO for each tier to prevent the following logon types from other tiers:
  - Deny access to this computer from the network (type 2)
  - Deny logon as a batch job (type 3)
  - Deny logon as a service (type 4)
  - Deny logon locally (type 1)
  - Deny logon through Terminal Services (type 10)

### Add Sensitive Accounts to Protected Users Group
Starting with Windows Server 2012 R2, the Protected Users group offers additional protection for sensitive users by adding restrictions on several credential-related settings, including:

- Password hashes are not cached
- High cryptographic standards are enforced
- NTLM authentication is prevented
- Kerberos delegation is not possible

All enterprise and domain administrator accounts should be added to this group. Accounts for services and computers should not be members of the Protected Users group. Also, since Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs) use Kerberos Constrained Delegation (KCD), do not add these accounts to the Protected Users group, since their functionality will break.
To prevent locking yourself out of the domain, one emergency account (domain admin) should be excluded from this group. Make sure that this account is secured properly (e.g. strong password and only accessible to a few users) and that its activity is monitored and alerted on.
More details: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

### Disable High-Privileged Account Delegation
All high-privileged accounts should be configured with the flag **This account is sensitive and cannot be delegated** set.
This can be done, for example, with PowerShell. The following command sets the flag for all (also nested) user members of the "Domain Admins" group:
`Get-ADGroupMember "Domain Admins" -Recursive | Where-Object { $_.objectClass -eq 'user' } | Set-ADUser -AccountNotDelegated $true`

Note: as a consequence, these accounts can no longer be used through Kerberos delegation.

To check which accounts have the flag set, you can use the following PowerShell command (1048576 = 0x100000 is the NOT_DELEGATED bit of userAccountControl):
`([adsisearcher]'(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=1048576))').FindAll()`

### Configure Exchange Split Permissions
Exchange should be configured to use the Active Directory split permissions model.
Some Exchange Server installations default to the shared permissions model, which adds potential attack paths within the domain because the Exchange objects get high privileges on certain Active Directory objects. These permissions will also be kept if you update your Exchange server to a newer version.

To check if your Exchange groups might be affected, you can use the following PowerShell script (please note that it requires the ActiveDirectory module to be installed):
```
Import-Module ActiveDirectory
$ADDomain = 'DOMAIN.COM' # change to your domain name here
$DomainTopLevelObjectDN = (Get-ADDomain $ADDomain).DistinguishedName
# Read the ACL (DACL entries) of the domain root object
$DomainRootPermissions = Get-ADObject -Identity $DomainTopLevelObjectDN -Properties nTSecurityDescriptor |
    Select-Object -ExpandProperty nTSecurityDescriptor |
    Select-Object -ExpandProperty Access
# This should detect the Exchange relevant groups and whether they have too many permissions (WriteDacl):
$DomainRootPermissions | Where-Object { $_.IdentityReference -like "*Exchange*" } | ForEach-Object {
    $idref    = $_.IdentityReference
    $adrights = $_.ActiveDirectoryRights
    Write-Host "Found possible Exchange group: $idref"
    if ($adrights -like "*WriteDacl*") {
        Write-Warning "This group has WriteDacl permissions!`n`r$adrights"
    } else {
        Write-Host "Permissions are OK.`n`r$adrights"
    }
}
```

Microsoft released a hotfix for Exchange Server 2013 and newer versions which should address the issue:
https://support.microsoft.com/en-us/topic/reducing-permissions-required-to-run-exchange-server-when-you-use-the-shared-permissions-model-e1972d47-d714-fd76-1fd5-7cdcb85408ed

For more information about split permissions please refer to:
- https://docs.microsoft.com/en-us/exchange/understanding-split-permissions-exchange-2013-help

### Review Unconstrained Delegation Systems
Either disable delegation or replace it with resource-based constrained delegation.

For an example scenario where delegation is required, e.g. an IIS server using an SQL database instance as backend, implement the following points to reduce the risk:
- Have low-privileged users running both the IIS Server and the SQL Server
- Ensure both of these users have very long and complex passwords
- Ensure the SQL Server user does not have the sysadmin role on the SQL Server and is not a local admin on the SQL server's operating system
- Implement hardening measures based on security best practices (e.g. CIS Benchmarks) on the IIS and SQL servers and their underlying operating system
- Use resource-based constrained delegation configured on the SQL service user

Always protect all high-privileged accounts from delegation (e.g. with the flag "Account is sensitive and cannot be delegated")!

To list all non-domain-controller systems which allow unconstrained delegation, use the following PowerShell command (524288 = 0x80000 is the TRUSTED_FOR_DELEGATION bit of userAccountControl; primaryGroupID 516 identifies domain controllers):
`([adsisearcher]'(&(objectCategory=computer)(!(primaryGroupID=516))(userAccountControl:1.2.840.113556.1.4.803:=524288))').FindAll()`

### Limit Users who can add Systems to Domain
Limit the number of computers that can be added to the domain by any domain user by setting the value of **ms-DS-MachineAccountQuota** to zero in the Active Directory.
To check the current value you can use the following PowerShell command:
`Get-ADObject ((Get-ADDomain).DistinguishedName) -Properties ms-DS-MachineAccountQuota`

Another solution is to remove the privilege **SeMachineAccountPrivilege** ("Add workstations to domain") from the **Authenticated Users** group in the Default Domain Controllers Policy.

Note that if you need to configure an account so it can add computers to the domain, it can be done through 2 methods:
- Preferred: Granting the permission to create computer objects on the OU
- Alternative: Assigning the **SeMachineAccountPrivilege** privilege to a specific group

### Use Group Managed Service Accounts
Implement service accounts as "Group Managed Service Accounts" (gMSA) whenever possible, to make sure the password is rotated regularly by the Active Directory.
Please note that the computers hosting the service running the gMSA have access to the plaintext password and therefore have to be treated as securely as the service!
(e.g. if the gMSA is a member of the Protected Users group, the computer has to be in Tier-0)
--------------------------------------------------------------------------------
/measures_config.md:
--------------------------------------------------------------------------------
[Back to Overview](README.md)
# Configurational Measures

# Table of contents
- [Introduction](#introduction)
- [Measures](#measures)
  * [Install EDR or Antivirus](#install-edr-or-antivirus)
  * [Enforce SMB & LDAP signing](#enforce-smb-and-ldap-signing)
  * [Disable or Restrict macros](#disable-or-restrict-macros)
  * [Enforce Multi-Factor Authentication](#enforce-multi-factor-authentication)
  * [Enforce BitLocker on Clients](#enforce-bitlocker-on-clients)
  * [Implement hardening of domain controllers](#implement-hardening-of-domain-controllers)
  * [Implement hardening of other systems](#implement-hardening-of-other-systems)
  * [Deploy strictly configured host-based firewalls](#deploy-strictly-configured-host-based-firewalls)
  * [Raise Active Directory function level](#raise-active-directory-function-level)
  * [Enable detailed audit logs](#enable-detailed-audit-logs)
  * [Enable Credential Guard](#enable-credential-guard)
  * [Enable AppLocker](#enable-applocker)
  * [Disable Spooler service](#disable-spooler-service)
  * [Limit cached credentials](#limit-cached-credentials)


## Introduction
Configurational measures limit the possibilities for an attacker to gain higher privileges on systems within the domain and increase the overall resilience and robustness of your systems against attacks.


## Measures

### Install EDR or Antivirus
Install and enforce an Endpoint Detection and Response (EDR) or antivirus solution on all devices.
While a traditional antivirus program detects malware and viruses by signatures, this can easily be bypassed by a sophisticated attacker. Therefore, an EDR system, which detects endpoint threats based on behavior and provides real-time response, offers better protection.

When deploying EDR or antivirus, make sure users cannot disable it without a password, and manage and monitor the solution centrally.

To check the locally installed antivirus software you can use PowerShell:
`Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct`

### Enforce SMB and LDAP Signing
Enable and enforce SMB and LDAP signing on all Windows servers and clients.
This can be set under the following group policy settings:
SMB Signing Server
```
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options >
Microsoft network server: Digitally sign communications (always)
```
SMB Signing Client
```
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options >
Microsoft network client: Digitally sign communications (always)
```

LDAP Signing Server
```
Default Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options >
Domain controller: LDAP server signing requirements
```
LDAP Signing Client
```
Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >
Network security: LDAP client signing requirements
```
To check if SMB signing is enforced locally you can use the following PowerShell command and check the "Signed" property:
`Get-SmbConnection | select *`

To check if LDAP signing is enforced on all DCs you can use the following PowerShell script:
```
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
# to test with the currently logged on user, env variables are being used, otherwise change this to e.g. a hardcoded user
$username = "$env:userdomain\$env:username"
$credentials = New-Object "System.Net.NetworkCredential" -ArgumentList $username,(Read-Host "Password" -AsSecureString)
# the assembly only needs to be loaded once, not once per domain controller
Add-Type -AssemblyName System.DirectoryServices.Protocols
foreach($dc in $dcs){
    $hostname = $dc.Name
    $LDAPConnect = New-Object System.DirectoryServices.Protocols.LdapConnection "$hostname"
    # a simple (Basic) bind is neither signed nor encrypted: a DC that requires signing rejects it.
    # Note that the password travels in cleartext on port 389, so use a dedicated low-privileged test account.
    $LDAPConnect.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $LDAPConnect.Bind($credentials)
    Write-Host "signing on DC $hostname`: $($LDAPConnect.SessionOptions.Signing)"
}
```
If you see an error message like "Strong authentication is required for this operation.", then LDAP signing is enforced. If no error appears, LDAP signing is NOT enforced.

### Disable or Restrict Macros
Disable macros in Office products completely or only allow signed macros to be executed.
Note that the setting "disable with notification" allows the end user to enable the macro. Oftentimes, phishing attacks try to convince users to enable macros by displaying fake error messages, which is why this setting should not be used.

To check what the macro settings for Word and Excel are on the local machine you can use the following PowerShell commands:
`(Get-ItemProperty 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security').VBAWarnings`
`(Get-ItemProperty 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security').VBAWarnings`

The returned values are described in the following table:

| Value | Macro setting |
|-------|:--------------|
| 1 | Enable all macros |
| 2 | Disable all with notification |
| 3 | Disable all except digitally signed macros |
| 4 | Disable all without notification |

### Enforce Multi-Factor Authentication
Enforce Multi-Factor Authentication (MFA) on all logins which support it. Most importantly, MFA should be enforced on all logins allowing remote access to your network, all cloud services (e.g. Office 365, Azure, AWS, Google Cloud, ...), all interfaces providing access to security-related systems (e.g. firewall management interfaces, password management systems, etc.) and in general all internet-facing services.
While any two-step verification method is better than none, wherever possible a modern MFA method like FIDO2 should be used. If that is not possible, the usage of an authenticator app is preferred over SMS-based 2FA.

Further details about the security of different MFA methods can be found in the following blog article by Microsoft:
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/all-your-creds-are-belong-to-us/ba-p/855124

### Enforce BitLocker on Clients
Use BitLocker to encrypt the hard disk of all workstations.
BitLocker should be used with a TPM and configured to require at least a PIN on startup.
In addition, the recovery key should not be stored together with the encrypted workstation.

To check if BitLocker is active and display its settings, you can use PowerShell (might have to be run in an elevated PowerShell session):
`Get-BitLockerVolume | select *`

For more details about BitLocker please refer to: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions

### Implement Hardening of Domain Controllers
Domain controllers should be hardened according to security best practices (e.g. CIS guidelines).
Besides the basic hardening which also applies to non-domain controller systems, they should have no Internet access and should not have additional roles or features installed except those required for the Active Directory.

Make sure that separate Group Policy Objects (GPOs) are used for domain controllers and that permissions on those GPOs are set to only allow changes by domain administrators.

### Implement Hardening of Other Systems
General hardening for all devices in the network should be implemented according to best practices, e.g. CIS guidelines. Among other things, the following points should be considered:
- Disable unneeded services and features
- Reduce authorized users to a minimum
- Disable weak cryptographic algorithms (e.g. NTLMv1, SMBv1, Kerberos RC4 encryption, ...)
- Disable NetBIOS and LLMNR
- Disable Proxy Auto Detection and configure the WPAD URL explicitly if required
- Introduce a software update process
- Automatically log off idle Remote Desktop Protocol (RDP) sessions
- Restrict Remote Desktop Protocol (RDP) to Administrators

### Deploy Strictly Configured Host-Based Firewalls
All systems should have a strictly configured host-based firewall. Generally, all traffic should be blocked and only necessary network connections should be allowed based on restricted IPs and ports (whitelisting approach).

For example, on client workstations, SMB, RPC and RDP traffic should not be allowed from client to client. Only IP addresses of management systems like PAWs should be able to connect to these services.

On the server side, server-to-server communication should also be restricted as far as possible. Incoming SMB communication is normally only required to the domain controllers and to file shares, but not between individual servers. In the case of a web server, only the HTTPS service should be available to the client network.

### Disable Spooler Service
By default, the print spooler service is enabled on a domain controller.
Any authenticated user can remotely connect to the domain controller's print server (spooler service) and request an update on new print jobs. Because the user can ask the domain controller to send the notification to a specific system (e.g. one with unconstrained delegation), the domain controller will test that connection immediately, thereby exposing the computer account credential (since the print spooler runs as SYSTEM). This can be abused for so-called "relay attacks", where the attacker uses the exposed computer account credential to authenticate against other services in the domain.

To mitigate this, the spooler service must be disabled on all domain controllers.
In addition, the spooler service should also be disabled on all Windows servers where the printing functionality is not needed.

### Enable Detailed Audit Logs
Regular log collection is essential to be able to track the activities of an attacker during an active investigation or post-mortem analysis. If you do not have detailed logs available, it could be difficult to determine whether an attack led to a data breach or not. In some cases, it might also be possible to detect a security incident before data gets stolen.
Therefore, advanced audit log policies should be deployed for all affected domains.

The following key events / activities should be logged on systems and services where relevant:
- Logon (successful and unsuccessful) & logoff events
- Account changes (e.g., account creation and deletion, account privilege assignment)
- Successful use and attempted (failed) use of privileged accounts
- Process start / stop
- Network connections and network changes
- Changes to, or attempts to change, system security settings and controls
- Application authentication (successful and unsuccessful)
- Application transactions
- Access to files or folders
- Executed scripts (e.g. PowerShell, Visual Basic, JavaScript, etc.)
- Clearing / deleting of log files

Some basic GPO settings for an audit policy to detect lateral movement are documented in the following cheat sheet:
https://github.com/CompassSecurity/OnPremSecurityBestPractices/blob/c21a808f0f6e201619175701ef581091474e59a5/lateral_movement_detection_basic_gpo_settings.pdf

### Raise Active Directory Function Level
The Active Directory functional level should be raised to the most recent level to ensure that the latest security features can be used.
You can check your current functional level with PowerShell (see the ForestMode property of the returned object):
`([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest())`

The following Microsoft documentation lists the added features with each new functional level:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

### Enable Credential Guard
The Credential Guard security feature should be enabled to protect credentials from being stolen by an attacker or malware.
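To verify on a machine whether Credential Guard is not only configured by policy but actually running, the following PowerShell snippet (added here, not from the original guide) queries the Win32_DeviceGuard WMI class; run it in an elevated session.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell session.
function Test-CredentialGuard {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # SecurityServicesConfigured / SecurityServicesRunning list codes:
    #   1 = Credential Guard, 2 = HVCI (memory integrity), 3 = System Guard Secure Launch.
    # "Configured" only means policy is set; "Running" means it is active after boot.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $result = [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
    }

    if ($result.CredentialGuardConfigured -and -not $result.CredentialGuardRunning) {
        # typical causes: VBS prerequisites (UEFI, Secure Boot, virtualization) not met, or a pending reboot
        Write-Warning "Credential Guard is configured but not running on $($result.Computer)"
    } elseif (-not $result.CredentialGuardRunning) {
        Write-Warning "Credential Guard is not running on $($result.Computer); LSA secrets are not isolated"
    }
    return $result
}

Test-CredentialGuard
```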

Further information:
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard

### Enable AppLocker
Only programs defined in a whitelist should be allowed to be executed by the user.

This can be achieved for example by using Microsoft Windows Defender Application Control and Microsoft AppLocker.

Further information:
https://docs.microsoft.com/en-us/windows/device-security/applocker/applocker-overview

### Limit Cached Credentials
The caching of domain passwords should be deactivated by setting the following policy to 0:
```
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
```

With a value of 0, the following GPO can also be activated:
```
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Interactive logon: Require Domain Controller authentication to unlock
```
Further information:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852209(v=ws.11)
--------------------------------------------------------------------------------
/measures_network.md:
--------------------------------------------------------------------------------
[Back to Overview](README.md)
# Network Measures

# Table of contents
- [Introduction](#introduction)
- [Measures](#measures)
  * [Implement network segmentation & segregation](#implement-network-segmentation---segregation)
  * [Use mail gateway with malware detection](#use-mail-gateway-with-malware-detection)
  * [Secure WiFi networks](#secure-wifi-networks)
  * [Exclusively use encrypted protocols](#exclusively-use-encrypted-protocols)
  * [Restrict outbound
traffic and deploy filtering proxy](#restrict-outbound-traffic-and-deploy-filtering-proxy)
  * [Deploy Network Access Control (NAC)](#deploy-network-access-control--nac-)
  * [Deploy DNS sinkhole](#deploy-dns-sinkhole)


## Introduction
Network measures reduce the attack surface of systems by dividing networks into zones and separating systems from each other.


## Measures

### Implement Network Segmentation & Segregation
Firewalled network zones should be created to isolate systems of different classification. For example, create isolated network zones for:
- DMZ for systems exposed to the Internet
- Client network for end user workstations
- Server network for server systems containing sensitive data
- Domain Controllers
- Management network for management interfaces and management systems (e.g. jump hosts)
- Network for Privileged Access Workstations
- Network for VoIP systems

Traffic between the zones should be strictly limited to the required communication. Restrictions should always include a source, a target and a protocol (i.e. no any-to-any rules).

An even better approach would be micro-segmentation, whereby network communication is separated on workload level instead of by network zones.
An explanation of micro-segmentation can be found on the following VMware website: https://www.vmware.com/topics/glossary/content/micro-segmentation

### Use Mail Gateway with Malware Detection
A mail gateway should be deployed which filters incoming email traffic for malware and detects potential phishing attacks.

### Secure WiFi Networks
Set up the wireless infrastructure according to security best practices:
- Separate guest and enterprise network
- WPA2 Enterprise preferred (EAP-TLS); enforce authentication server certificate validation by the client,
  or use the less preferred WPA2 PSK with a strong key (12 characters or more)
- Don't use WPA or WEP
- Use rogue access point detection
- Enforce client isolation
- Physical protection of access points

### Exclusively use Encrypted Protocols
Only encrypted protocols should be used, both in the internal network and for external communication.

Unencrypted protocols (e.g. Telnet, FTP, HTTP, ...) should be deactivated or replaced by their secure counterpart (i.e. SSH, HTTPS, etc.).

Furthermore, make sure all protocols only support state-of-the-art cryptographic algorithms and use appropriate key lengths for the respective purpose.
The following website can be helpful for choosing the right algorithms and key lengths: https://www.keylength.com/

### Restrict Outbound Traffic and deploy Filtering Proxy
Corporate systems should not be allowed to access systems outside of the company. Therefore, restrictive outbound firewall rules should be deployed.

Access to the Internet should be provided through a filtering proxy with SSL/TLS splitting (TLS interception).

### Deploy Network Access Control (NAC)
Ensure that certificate-based NAC (802.1X-2010) is used in combination with MACsec (IEEE 802.1AE) to ensure only authorized devices are connected to the network and to encrypt the connection from the device to the switch on layer 2.

Ideally, every device should support certificate-based NAC in combination with MACsec.
However, since this is not always supported, exceptions can be implemented:
- Certificate-based NAC without MACsec for devices that do not support MACsec
- MAC whitelisting for devices that do not support certificate-based NAC, restricted to specific ports

### Deploy DNS Sinkhole
Client machines should only be able to query a dedicated DNS server which performs filtering and logging of the incoming DNS queries. If a query is identified as malicious, the IP of a sinkhole server should be returned instead of the correct IP. This can be used to block unwanted communication. Access to other DNS servers needs to be prohibited through restrictively configured outbound rules.
The following article by SANS contains more information about configuring a DNS sinkhole for Windows DNS servers:
https://www.sans.org/blog/windows-dns-server-sinkhole-domains-tool/
--------------------------------------------------------------------------------
/measures_org.md:
--------------------------------------------------------------------------------
[Back to Overview](README.md)
# Organizational Measures

# Table of contents
- [Introduction](#introduction)
- [Measures](#measures)
  * [Implement Monitoring](#implement-monitoring)
  * [Perform regular off-site backups](#perform-regular-off-site-backups)
  * [Implement patch management process](#implement-patch-management-process)
  * [Maintain Hardware and Software Inventory](#maintain-hardware-and-software-inventory)
  * [Use group based access control](#use-group-based-access-control)
  * [Separate Tier-0 management services](#separate-tier-0-management-services)
  * [Introduce privileged access workstations](#introduce-privileged-access-workstations)
  * [Do regular reviews & vulnerability assessments](#do-regular-reviews---vulnerability-assessments)
  * [Define Emergency Processes](#define-emergency-processes)
  * [Train employees on IT security best practices](#train-employees-on-it-security-best-practices)
  * [Use personalized accounts](#use-personalized-accounts)
  * [Implement four eyes principle](#implement-four-eyes-principle)
  * [Use golden images](#use-golden-images)


## Introduction
Organizational measures relate to the system's environment and the people using it. They can be considered as the approach an organization takes in assessing, developing and implementing controls that secure information and protect personal data.


## Measures

### Implement Monitoring
Set up a monitoring infrastructure, for example consisting of:
- A centralized logging server and log analytics software (ELK Stack, Splunk, Windows Event Log Forwarding).
- Configuring Windows servers and clients to collect logs of security-relevant events (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations).
- Forwarding logs of all security-related systems and services like web application firewalls, network firewalls and anti-virus / endpoint protection software.
- Forwarding logs of the DHCP and DNS servers, in order to make inspection of network activity possible.
- Defining a process that ensures events are reviewed on a regular basis.
- Defining events that should trigger an alert, like multiple failed login attempts or assignment of users to administrative groups.
- Ensuring alerts are sent out to relevant parties (e.g. on-call shifts).
- Defining playbooks and processes to act on specific alerts and events.

### Perform Regular Off-Site Backups
Make sure that important infrastructure and data is backed up on a regular basis.
The following requirements have to be met:
- Define which data and infrastructure need to be backed up and define a retention period accordingly.
- Store backups in a storage secured from unauthorized access.
- Store backups encrypted.
- Perform off-site backups (disaster recovery).
- Store backups offline, completely disconnected from any device (assume breach of your backup infrastructure).
- Use a separate backup infrastructure (e.g. Windows Server Backup) to perform backups of domain controllers (Tier-0 separation).

### Implement Patch Management Process
A process has to be defined that handles the way servers, workstations, other devices (e.g. firewalls) and applications are kept up to date with the latest security updates. Apart from maintenance windows for regular security updates, a special process should be defined for out-of-band emergency security updates which have to be deployed immediately.

### Maintain Hardware and Software Inventory
Without knowing what systems and software are installed in the environment, it is not possible to keep everything up to date. Therefore it is essential to have an inventory of all hardware devices and installed software and to actively maintain it.

### Use Group-Based Access Control
Access to resources should be granted according to predefined groups. For example, employees responsible for human resources should not be able to access the data of the financial department. Corresponding AD groups should be defined and the respective users should be assigned to those groups.

### Separate Tier-0 Management Services
A compromised management service (e.g. backup server, infrastructure management, monitoring, etc.) in Tier-1 or Tier-2 should not make it possible to compromise the whole domain (Tier-0).

Therefore, all services managing domain controllers and other Tier-0 assets must be built solely for Tier-0 or need to be removed from Tier-0 completely. Examples would be System Center Configuration Manager (SCCM), endpoint protection, backup, etc.
One possibility would be to manually patch all domain controllers and use e.g. Windows Backup as the backup solution.

### Introduce Privileged Access Workstations
Administration of Active Directory and other Tier-0 servers should only be performed through a Privileged Access Workstation (PAW).
The following key points have to be considered when deploying a PAW:
- The PAW has to be deployed according to the "clean source principle", meaning the source (i.e. the PAW) has to be as secure as the target it accesses (i.e. the Tier-0 servers)
- The host-based firewall on the PAW has to be configured to restrict all traffic to only the required minimum (e.g. downloading updates, connecting via RDP/SSH to targets being managed, etc.)
- Internet access from the PAW has to be locked down, so that only Windows Update and Azure URLs (if Azure / O365 is being used) are allowed (See: https://docs.microsoft.com/en-us/security/compass/privileged-access-deployment#url-lock-proxy)
- Applications on the PAW should be kept to the minimum and AppLocker should be deployed
- Daily tasks like reading emails, opening Office documents and surfing the Internet must not be allowed on the PAW
- Credential Guard should be enabled on the PAW
- If you have a separate bastion forest for the management of your infrastructure, the PAW should be joined to this forest and not the production forest.

As an example, the host operating system on a laptop or PC could be used as the PAW and, via the Hyper-V feature, a shielded VM could be deployed on it to perform daily tasks (email, Office, Internet, etc.).
It must not be the other way around, since that would mean that the PAW would be dependent on the host, which violates the clean source principle.
Another option would be to use two completely separate workstations, one as PAW and one as the workstation for daily tasks.

Some key points to consider when connecting from the PAW to systems in different tiers:
- A PAW from Tier-0 can be used for administering all tiers (i.e. 0, 1 and 2), AND the accounts used for connecting to those tiers must be different for each tier and privileged only in that specific tier.
- A PAW from Tier-1 can be used for administering Tiers 1 and 2 only, AND the accounts used for connecting to those tiers must be different for each tier and privileged only in that specific tier.
- A PAW from Tier-2 can be used for administering Tier-2 only, AND the accounts used for connecting to Tier-2 must be privileged only in Tier-2.

In addition, please note that a PAW does not replace a jump host or the other way around. A jump host itself does not add additional security, because it is dependent on the source connecting to it, while the PAW is the source of the connection. (See also: https://docs.microsoft.com/en-us/archive/blogs/johnromsft/closing-the-jump-server-security-gap-with-paws)


### Do Regular Reviews & Vulnerability Assessments
Computer systems present in the corporate network should be checked regularly for known vulnerabilities using automated scanners (e.g. Nessus, Qualys, Rapid7, etc.).
Security issues related to Windows domain configuration should be assessed regularly (e.g. with PingCastle, BloodHound).

- A process should be defined which makes sure these scans are performed on a regular basis, the findings are evaluated and appropriate actions are taken to mitigate the identified risks.
- A process should be defined to check if users, groups and computers are still needed in the AD and if assigned permissions (e.g. membership in highly privileged groups) still follow the principle of least privilege.

### Define Emergency Processes
Define guidelines for how employees should react in case of a cyberattack.
Address the following key points:
- Create an incident response policy and plan.
- Create procedures for incident handling and reporting.
- Establish procedures for communicating with outside parties.
- Establish response teams and leaders.
- Prioritize servers and other critical assets.
- Walk through the process and train the involved employees on a regular basis.

### Train Employees on IT Security Best Practices
The employees' security awareness should be trained regularly, for example by:
- Teaching secure handling of credentials (choose different passwords for different services, don't write down passwords, use a password manager, lock the laptop, disconnect from RDP, ...).
- Performing phishing email simulations.
- Explaining physical social engineering attacks like tailgating.

### Use Personalized Accounts
Employees should always use personalized accounts to guarantee traceability and accountability. Technical, non-personal accounts should only be used for machine-to-machine communication.

The use of default/shared accounts should be restricted to disaster recovery cases.

### Implement Four Eyes Principle
Business-critical processes should additionally be protected by a four eyes principle (also known as the "two-man rule"), which is a control mechanism that requires activities by individuals within the organization to be controlled and approved by a second independent and competent individual.

### Use Golden Images
Maintain and use golden images to install your systems. These should be hardened according to security best practices (e.g. CIS guidelines).
The following link contains documentation by Microsoft on how to create such an image for a Windows 10 operating system:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image
--------------------------------------------------------------------------------
/measures_pw.md:
--------------------------------------------------------------------------------
[Back to Overview](README.md)
# Password Management Measures

# Table of contents
- [Introduction](#introduction)
- [Measures](#measures)
  * [Enforce strong password policy](#enforce-strong-password-policy)
  * [Use unique local administrator credentials](#use-unique-local-administrator-credentials)
  * [Require password for every account](#require-password-for-every-account)
  * [Change default credentials](#change-default-credentials)
  * [Force change of initial passwords](#force-change-of-initial-passwords)
  * [Store credentials securely](#store-credentials-securely)
  * [Configure account lockout](#configure-account-lockout)
  * [Configure strong password on service accounts with SPN](#configure-strong-password-on-service-accounts-with-spn)
  * [Review accounts with never expiring password](#review-accounts-with-never-expiring-password)
  * [Enable Kerberos Pre-Authentication](#enable-kerberos-pre-authentication)
  * [Change krbtgt password regularly](#change-krbtgt-password-regularly)


## Introduction
Password management measures prevent users from using weak passwords and reduce the risk of account takeover through password brute-forcing or password hash cracking.


## Measures

### Enforce Strong Password Policy
Strong passwords are at least fourteen characters long, consisting of characters from the four groups mentioned below:
- Lowercase characters
- Uppercase characters
- Numbers
- Special characters

To check the current password policy for all domains in the forest, you can use the following PowerShell command:
`(Get-ADForest -Current LoggedOnUser).Domains | %{ Get-ADDefaultDomainPasswordPolicy -Identity $_ }`

Furthermore, passwords should be checked against a list of breached passwords, if possible.
Microsoft's Azure AD Password Protection feature can also be used in hybrid environments for on-premise Active Directories:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises

Note: If you implement a list of banned passwords (password blacklist), there is no need for a policy requiring special characters and lower-/uppercase characters. In fact, newer guidelines advise against such policies because of human behavior leading to more predictable passwords. However, for technical accounts like service accounts, it is still recommended.

### Use Unique Local Administrator Credentials
The local administrator password should be changed on a regular basis and should be unique on every host (workstations and servers!).

Microsoft LAPS (Local Administrator Password Solution) can be used to automate local credential management.
The LAPS software and the installation and operation guide can be downloaded from the following Microsoft link:
- https://www.microsoft.com/downloads/details.aspx?familyid=6e424d9b-e6dd-41c8-8523-6818fc2f07ec

### Require Password for Every Account
No account should be allowed to have a blank password. The flag **PASSWD_NOTREQD** should be removed from the **userAccountControl** field on every account.

A list of users which may have an empty password can be extracted with the following PowerShell command:
`([adsisearcher]'(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))').FindAll()`

### Change Default Credentials
Services and third-party devices (e.g. NAS, application servers, monitoring applications…) should have their default credentials changed.
Default passwords can be easily guessed or found in online documentation and are therefore an easy target for attackers.

### Force Change of Initial Passwords
Initial passwords (e.g. "Sommer2021", "Companyname1234$") can be easily identified using password spraying attacks, where an attacker tries a single password against all domain accounts. Since this kind of attack cannot be prevented in an Active Directory, the chance of identifying accounts with a valid password is usually high.

Therefore, initial passwords configured by e.g. Helpdesk staff have to be set to require a change on first use (flag "User must change password at next logon").

### Store Credentials Securely
Only store passwords in secure places like password managers.

Examples of insecure places to store passwords:
- GPOs used to deploy local administrator accounts
- Scripts in SYSVOL shares
- Files on shares
- Object description in Active Directory
- The userPassword attribute in Active Directory

### Configure Account Lockout
Make sure that an account is locked out for several minutes after a few unsuccessful login attempts.
- Set the lockout threshold to 10 or fewer attempts
- Set the lockout duration to 15 minutes or more
- Set the reset account lockout counter to 15 minutes or more

To check the lockout settings in the current password policy for all domains in the forest, you can use the following PowerShell command:
`(Get-ADForest -Current LoggedOnUser).Domains | %{ Get-ADDefaultDomainPasswordPolicy -Identity $_ }`

### Configure Strong Password on Service Accounts with SPN
Make sure service accounts, especially the ones with an SPN, have a strong password of 25 characters or more.

In addition, high-privileged accounts should not have an SPN, as their compromise would have a higher impact on the domain.

### Review Accounts with Never Expiring Password
Check accounts that have a non-expiring password. Make sure that only low-privileged service accounts are configured with non-expiring passwords.
To list accounts with a non-expiring password, you can use the following PowerShell command:
`([adsisearcher]'(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))').FindAll()`

### Enable Kerberos Pre-Authentication
Make sure that all accounts require Kerberos pre-authentication. It is enabled by default on every AD account; to re-enable it on an account where it was disabled, uncheck **Do not require Kerberos preauthentication** in the "Account" tab.
To list all accounts which do not require Kerberos pre-authentication, you can use the following PowerShell command:
`([adsisearcher]'(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))').FindAll()`

### Change Krbtgt Password Regularly
The password of the **krbtgt** account should be changed every 40 days.

More information:
- https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts#sec-krbtgt

Warning:
The password should not be changed twice in a short time. More precisely, a complete replication between all domain controllers must have completed before the password is changed a second time. Otherwise, authentication will fail because different passwords are in use.
--------------------------------------------------------------------------------
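The checks from the sections above (the three userAccountControl flags, SPNs on privileged accounts, the krbtgt password age, and the password length and lockout thresholds) combined into one audit script, as an added example that is not part of the repository. It assumes a domain-joined Windows host with the ActiveDirectory PowerShell module; the function names are my own.

```powershell
# Added example (not the repository's code). Assumes a domain-joined host and the ActiveDirectory module.
# userAccountControl bit values used on this page
$UacFlags = [ordered]@{
    PASSWD_NOTREQD       = 32       # blank password allowed
    DONT_EXPIRE_PASSWORD = 65536    # password never expires
    DONT_REQ_PREAUTH     = 4194304  # Kerberos pre-authentication not required
}

function Find-AccountsByLdapFilter {
    param([string]$Filter)
    # [adsisearcher] searches the logged-on user's domain; PageSize lifts the default 1000-entry cap
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 1000
    foreach ($result in $searcher.FindAll()) {
        $result.Properties['samaccountname'][0]
    }
}

function Get-KrbtgtPasswordAgeDays {
    # pwdLastSet is a FILETIME value; this page asks for a change every 40 days
    $result = ([adsisearcher]'(sAMAccountName=krbtgt)').FindOne()
    $lastSet = [DateTime]::FromFileTime($result.Properties['pwdlastset'][0])
    [int]((Get-Date) - $lastSet).TotalDays
}

function Test-DomainPasswordPolicy {
    # Thresholds from this page; a lockout threshold of 0 means lockout is disabled
    foreach ($domain in (Get-ADForest -Current LoggedOnUser).Domains) {
        $p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
        [pscustomobject]@{
            Domain              = $domain
            MinLengthOk         = $p.MinPasswordLength -ge 14
            LockoutThresholdOk  = ($p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 10)
            LockoutDurationOk   = $p.LockoutDuration.TotalMinutes -ge 15
            ObservationWindowOk = $p.LockoutObservationWindow.TotalMinutes -ge 15
        }
    }
}

# 1.2.840.113556.1.4.803 is the LDAP bitwise AND matching rule used on this page
foreach ($name in $UacFlags.Keys) {
    Write-Host "Accounts with ${name}:"
    Find-AccountsByLdapFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$name])))"
}
# adminCount=1 marks accounts protected by AdminSDHolder, i.e. members of privileged groups
Write-Host 'Privileged accounts with an SPN:'
Find-AccountsByLdapFilter '(&(objectCategory=person)(objectClass=user)(adminCount=1)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
Write-Host "krbtgt password age in days: $(Get-KrbtgtPasswordAgeDays)"
Test-DomainPasswordPolicy | Format-Table -AutoSize
```

Run it from an account that can read the directory; every listed account and every `False` in the policy table is a finding to review against the corresponding section above.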