Last week Will “harmj0y” Schroeder published an excellent technical article titled “Not A Security Boundary: Breaking Forest Trusts”, in which he lays out how a highly critical security compromise can be achieved across a forest boundary, resulting from a combination of default AD (security) settings and a novel attack method. His post is a follow-up to the DerbyCon talk “The Unintended Risks of Trusting Active Directory”, which he gave together with Lee Christensen and Matt Nelson (video here). They will also discuss this at the upcoming Troopers Active Directory Security Track (details on some more talks, including Sean Metcalf’s, can be found in this post or this one).
As Will writes, the attack path requires an existing two-way trust between two forests. Trusts and their security implications have been the topic of many discussions in recent years, while at the same time many enterprise organizations have quite a few AD trusts in their environments, for historical reasons and due to mergers & acquisitions.
Christoph Kuderna from infoWAN and JD/SadProcessor from ERNW’s Active Directory Security team are currently working in an organization where this exact discussion is happening right now. One of the outcomes of said project is a document discussing the risks of AD trusts, together with some mitigation approaches. We have decided to extract some parts of this document in order to contribute to well-informed decision making in the context of AD trusts; the link to the resulting document can be found below.
For some additional background on the attack vector one might read Sean Metcalf’s “Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)”.
Talking about mitigation & defense, you should look at Roberto Rodriguez’s accompanying post “Hunting in Active Directory: Unconstrained Delegation & Forests Trusts”. Will also notes that he did not get the attack working in one-way trust scenarios (there is a dedicated section in his post on this), which, from a defensive perspective, raises the following considerations:
- When establishing trusts carefully think about their direction, most importantly: do you really need a two-way trust or would a one-way trust be sufficient? In the case study we discuss in the whitepaper one-way trusts were considered sufficient for the business purpose (a centralized authentication service used by several subsidiaries to access central services).
- In M&A scenarios, likewise think about the direction of the trust and whether a two-way trust is really necessary. Try to assess the security posture of the forest(s) of the organization to be taken over (or merged with) in advance. Our own tool DirectoryRanger is well suited for this task: its “DrPortable” feature creates a small binary that collects the data on site, so no network connection to the forest(s) being assessed is needed (let alone DA privileges). This greatly facilitates such assessments on both a technical and a “politics” level: IT and/or security personnel from $ACQUIRED_PARTY or just $CORPORATE_SUBSIDIARY might not be too happy to run an assessment tool in their environment that requires a privileged user…
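As an added illustration of the two considerations above (this is example code written for this post, not part of the whitepaper or of DirectoryRanger), the following PowerShell lists the trusts of the current domain with their direction and the trust-level TGT delegation flag, and then the non-DC accounts configured for unconstrained delegation, which is the setting the attack relies on. It assumes the RSAT ActiveDirectory module is installed and that the account running it has read access to the directory.

```powershell
# Added example: audit trust direction and delegation settings (assumes RSAT ActiveDirectory module)
Import-Module ActiveDirectory

# 1. Trusts of the current domain. Direction is Inbound, Outbound or BiDirectional;
#    TGTDelegation is the trust-level switch that allows TGTs to be forwarded across the trust.
$trusts = Get-ADTrust -Filter * -Properties Direction, ForestTransitive, TGTDelegation
foreach ($t in $trusts) {
    $findings = @()
    if ($t.Direction -eq 'BiDirectional') { $findings += 'two-way trust: check whether one-way would suffice' }
    if ($t.TGTDelegation)                  { $findings += 'TGT delegation enabled across this trust' }
    [pscustomobject]@{
        Trust           = $t.Name
        Direction       = $t.Direction
        ForestTrust     = $t.ForestTransitive
        TGTDelegation   = $t.TGTDelegation
        Findings        = ($findings -join '; ')
    }
}

# 2. Accounts with unconstrained delegation (TrustedForDelegation). Domain controllers carry
#    this flag by default, so they are filtered out to leave the member servers and users
#    that actually extend the attack surface.
$dcNames = (Get-ADDomainController -Filter *).Name
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation, OperatingSystem |
    Where-Object { $dcNames -notcontains $_.Name } |
    Select-Object Name, DNSHostName, OperatingSystem

Get-ADUser -Filter 'TrustedForDelegation -eq $true' |
    Select-Object SamAccountName, Enabled
```

Run it in each forest that participates in a trust, since a trust's direction and the delegation settings on the far side are what determine the exposure.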
Additional advice can be found in our whitepaper “Active Directory Trust Considerations” (an archive of ERNW’s whitepapers is here). If you want to learn more about AD and Windows security, here are some upcoming Troopers trainings:
- Hardening Microsoft Environments
- Windows PowerShell for Security Professionals, by Carlos Perez/Darkoperator.
- Hands-on BloodHound – Intro to Cypher Workshop
- Insight into Windows Internals
- Windows & Linux Binary Exploitation
Wish you all a great rest of the year and a happy xmas time in a few,