In the last few years, attack techniques which fall in the categories of “Credential Theft” or “Credential Reuse” have grown into one of the biggest threats to Microsoft Windows environments. Microsoft has stated more than one time, that nearly almost all of their customers that run Active Directory have experienced “Pass-the-Hash” (PtH) attacks recently.[1] Once an attacker gains an initial foothold on a single system in the environment it takes often less than 48 hours until the entire Active Directory infrastructure is compromised. To defend against this kind of attacks, a well-planned approach is required as part of a comprehensive security architecture and operations program. As breach has to be assumed[2], this includes a preventative mitigating control strategy, where technical and organizational controls are implemented, as well as preparations against insider attacks. This is mainly achieved by partitioning the credential flow in order to firstly limit their exposure and secondly limit their usefulness if an attacker was able to get them. Although we spoke last year at Troopers 15 about “How to Efficiently Protect Active Directory from Credential Theft & Large Scale Compromise”[3], we would like to summarize exemplary later in this post Active Directory pentest findings that we classified in four categories in order to better understand what goes typically wrong and thus has to be addressed. For a better understanding of the overall security goals, we classified the findings as to belonging as a security best practice violation of the following categories:
- Secure Design of Active Directory (SDAD):
- Before any technical or organizational measurements can be implemented, the structure of the Active Directory (such as Forest Trusts, Domain and OU hierarchy) should be planned and recorded in a design document. This step greatly facilitates all subsequent measurements and is in some cases a hard requirement to realize specific controls.
- Secure Design of Active Directory Management (SDADM):
- The next essential step is the design of an Active Directory administration concept. Here, various aspects of secure administration practices are aggregated and summarized in a global guideline for all administrative (and other high-privileged) personnel. Main topics of such a document are the following (some of which should be described in more detail in additional documents):
- Separation of administrative tiers and credential partitioning
- Role concept for high-impact accounts and delegation of e. g. OU administration
- Use of secure administration tools and method
- The next essential step is the design of an Active Directory administration concept. Here, various aspects of secure administration practices are aggregated and summarized in a global guideline for all administrative (and other high-privileged) personnel. Main topics of such a document are the following (some of which should be described in more detail in additional documents):
- Secure Active Directory Management (SADM):
- This category represents the administrative practice in /operations of Active Directory. It encompasses everything that was recorded beforehand in the administration concept. From the tools chosen to access systems remotely, to the password management of local administrative accounts. It is here, where most of the problems in the daily administrative work lays, that should be addressed with a secure Active Directory management, thus reducing greatly the risk of credential theft and credential reuse.
- Secure Configuration (SC):
- The last integral part is the technical configuration of Active Directory. Ideally, these configurations should enhance the guidelines given in the design documents for the Active Directory structure and management, and enforce specific controls whenever possible to Domain Controllers as well as each member of Active Directory – be it a computer, be it a user or be it a group. Examples of this are the secure configuration of Domain Controllers, of forest trusts, as well as the setup of logon restrictions for high privileged accounts.
This blogpost will focus on the third category “SADM” (although overlaps with other categories might be possible) and we will give you a few examples of typical real-world findings identified during security assessments of large-scale Active Directory environments we performed in 2015:
Use of standard and administrative user accounts not strictly separated
Based on security best practice, administrative personnel should always have two separate accounts. One standard user account is used for everyday tasks (e.g. email, Internet browsing, and editing documents) while a separate high-privileged account is used just for specific administrator tasks (e.g. managing the Active Directory, installing or managing server applications).
In the assessed environment this policy was already implemented, as a differentiation was made between standard and administrative account. Nevertheless, a behaviour that was observed during the pentest was the usage of the Windows Credential Manger by standard user accounts to save high-privileged account credentials in their user profile (e.g. saving credentials when establishing a RDP connection). This undermines completely the separation of administrative and standard user account, as the security of the administrative account is in that case dependent on the security of the standard user account, which is much more vulnerable to attacks. In case of the Credential Manager, every (remote) logon on a system using the standard user credentials transfers the administrative credentials saved in the Credential Manager of the OS to this remote computer; these can then be extracted by an attacker.
In this particular case, we recommended to disable the usage of the Windows Credential Manager to prevent the intended or unintended saving of high-privileged account credentials in the context of the standard user account. This is possible via Group Policy. In a second step, it should be verified if other applications are in use in the environment that allow for the caching of credentials with similar mechanisms as the Credential Manager.
Missing roles concept for high-impact accounts and groups
A missing or insufficient roles concept greatly increases the risk for credential theft attack techniques, as high-impact accounts often have extensive privileges which are not necessary for the actual task, and, in addition, have these rights on a multitude of systems across the entire environment. The main targets of an Active Directory compromise are domain administrators and domain administrator-equivalent accounts which either grant the attacker total control over the domain or allow for extensive changes in important configurations. The most significant indicator for this finding was the fact that domain controller administration was supposedly not separated from server and workstation administration. Meaning that users with a high-privileged account use the same account for various other tasks not designated for the account.
Mitigation can be achieved by adhering to the principle of least – or at least less – 😉 privilege and creating a roles concept based on it, which will limit the rights, access, and exposed credentials that an attacker may gain by compromising resources. This requires detailed knowledge of the actual state of the environment which has to be protected. For example, it must be determined which access privileges a computer or user really needs, and these limitations must be then implemented accordingly (e.g. logon restrictions). This task might initially seem complex, however, it is an essential step to successfully secure an Active Directory environment.
Insufficient separation of administrative tiers
As credential theft and reuse is based on the ability of an attacker to jump from one host to another by using stolen credentials, containment is of critical value to counter this threat. The IT environment of an organization should be designed so that the compromise of a single asset (or even several assets) is contained and does not lead to an overall compromise of the whole environment. It is important to note that restriction of lateral movement is just as important as preventing privilege escalation. This can be achieved by using network segmentation or credential partitioning, which will limit the privileges, access, and exposed credentials that an attacker may gain by compromising a single or multiple resources.
In another assessed environment a strict separation of different administrative tiers was only partially implemented and a supposed cardinal concept for account segmentation was insufficient. High-privileged accounts were often able to access resources across the whole Active Directory forest without any obvious segmentation. In addition, practically no technical controls were implemented to restrict logon capabilities, as well as to create secure administration environments.
To achieve credential partitioning a containment model for account privileges must be designed and implemented by defining multiple tiers of resources, which are logically and technically separated. This model adapts Biba and Bell-LaPadula hierarchical mandatory access control models to administrative control and is represented by multiple tiers of administrative privilege. It is the most important control in the context of credential theft and reuse.
If you would like to have detailed guidance on the issues teased above, as well as many other recommendations with real-world samples for securing your Active Directory environment, please attend our “Hardening Microsoft Environments” workshop on 14th. and 15th of March. We are looking forward to seeing you (again) at TROOPERS16!
Cheers,
Friedwart Kuhn & Heinrich Wiederkehr.
Footnotes:
[1] Cf. for example: https://www.microsoft.com/security/sir/strategy/default.aspx#!pass_the_hash
[2] See „ Mitigating Pass-the-Hash and Other Credential Theft, version 2, p. 6. This paper is available at https://www.microsoft.com/en-us/download/details.aspx?id=36036
[3] How to Efficiently Protect Active Directory from Credential Theft-An Approach Based on Real-World Expertise