Any Legacy AD Security Admins?


netsendHello

Anyone done any work with these sorts of preventative measures?

  • PAWs
  • Tiered Admin Model
  • MFA via Smart Cards
  • MFA via CrowdStrike IdP integration

Do you run PingCastle? do you run Bloodhound? How many Domain Admins is too many? Do you MFA internally on the network (and if so is it just RDP)?


So, if you have PAWs: depending on the work done, why not use a jump server?

Smart cards are good if you have any measures that force the user to take it with him when he leaves the workstation.

Depending on what you use, the Auth0 API works almost everywhere. So MFA could generally be done via that.

For domain admins, 2 to 3 is my guess. All automated tasks should be done with gMSA accounts.

For internal MFA, you could use Auth0 for your jump host and other internal apps.

So that's my opinion on that matter. For the other things you noted, I couldn't say anything.

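The gMSA recommendation in the reply above, as an added example (not code from the replier): create a gMSA, restrict which hosts may retrieve its password, and run a scheduled task under it so no automation account carries a human-known password. The names svc-backup, gMSA-BackupHosts, BACKUP01 and C:\Scripts\Backup.ps1 are placeholders, and the KDS root key is assumed to already exist.

```powershell
# Added example, not code from the original post. Placeholders: svc-backup,
# gMSA-BackupHosts, BACKUP01, C:\Scripts\Backup.ps1.
# Prerequisite, once per forest, by an Enterprise Admin:
#   Add-KdsRootKey -EffectiveImmediately     # then allow ~10 hours before the first gMSA is created
Import-Module ActiveDirectory

$gmsaName   = 'svc-backup'          # sAMAccountName becomes svc-backup$
$gmsaSam    = "$gmsaName`$"
$hostsGroup = 'gMSA-BackupHosts'    # computers allowed to fetch the managed password
$taskHost   = 'BACKUP01'
$domain     = Get-ADDomain

# --- Part 1: run from an admin box with RSAT, as an account delegated rights on the target OU.
if (-not (Get-ADGroup -Filter "Name -eq '$hostsGroup'")) {
    New-ADGroup -Name $hostsGroup -GroupScope Global -GroupCategory Security `
        -Description 'Hosts permitted to retrieve the svc-backup gMSA password'
}
Add-ADGroupMember -Identity $hostsGroup -Members (Get-ADComputer -Identity $taskHost)

if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    # AES only: this principal never gets RC4 keys. The rotation interval is fixed at creation.
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$($domain.DNSRoot)" `
        -PrincipalsAllowedToRetrieveManagedPassword $hostsGroup `
        -KerberosEncryptionType AES128,AES256 `
        -ManagedPasswordIntervalInDays 30
}

# --- Part 2: run on BACKUP01 after a reboot, so its machine token includes the new group.
# Needs the RSAT AD PowerShell module on the host.
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "$taskHost cannot retrieve the managed password for $gmsaSam"
}

# The task runs as DOMAIN\svc-backup$ with LogonType Password; Task Scheduler fetches the
# password itself, so no -Password argument exists anywhere. RunLevel Limited: grant the gMSA
# only the NTFS/share/service rights Backup.ps1 actually needs, not local admin.
$principal = New-ScheduledTaskPrincipal -UserId "$($domain.NetBIOSName)\$gmsaSam" `
    -LogonType Password -RunLevel Limited
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -File C:\Scripts\Backup.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
Register-ScheduledTask -TaskName 'NightlyBackup' -Principal $principal `
    -Action $action -Trigger $trigger -Force
```

If the task fails to log on, the gMSA is missing the "Log on as a batch job" user right on that host; grant it by local policy or GPO rather than adding the gMSA to Administrators.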

We run PingCastle (free version) on a regular basis as a sanity check and I quite like the tool. It does not see everything but at least you'll see quickly if you have done something very wrong on your AD.

I would say it's a great starting tool if you want to start securing your Active Directory. It will highlight the biggest issues, provide clear recommendations and allow you to act quickly.

I have less experience with Bloodhound but for me it's kind of a "next-step" tool, once the biggest warnings from PingCastle have been corrected.

 

As for the question about how many Domain Admins is too many, that is a very difficult (and contentious) question to answer. My take is that there is no magic number but the fewer the better (as long as you avoid using generic Domain Admin accounts). Also make use of delegation as far as possible and be sure that the Enterprise Admins and Schema Admins groups are always empty, except for very short periods of time.


Yeah, we implemented the Tiering model multiple times (at customers and at my last company in a shared MSP environment).

The Tiering model, or as it's called nowadays the Enterprise Access Model if you add the cloud part too, is a great security measure.

 

The number of domain admins depends on your environment. As far as I heard, Microsoft has 20 Domain Admins, so you could reduce it almost every time.

The PAW is a nice-to-have feature but could also be achieved with a terminal server or Citrix. But operating these is heavy.


My domain controllers run Server Core. It really sends the message "get off my damn DC". They happily run on a single core with a gig of RAM. Admins can SSH into them, use Windows Admin Center (the new web UI for Windows), or use traditional RSAT tools on a jump box.

Admins have two accounts: one for everyday use (e.g. crankysysadmin) and an admin account (e.g. cranky.admin) that allows them to perform admin tasks. Proper RBAC is set up for admin accounts to only allow them to log in to authorized computers, portals, etc. In the event a user needs software installed, it's typically pushed over the domain with Intune or PDQ, which have their own delegated credentials.

Wall of text, hope this makes sense to you. 😂


We had Domain Admin (for DCs), Tier 0 admin (for hypervisors, PKI, etc.), Tier 1 (application server x ...), and regular users without local admin rights (we leave out Tier 2 users, but this would be nice).

  • Like 1

I'm no longer an AD admin, but I now work for Trimarc as the lead for our Active Directory Security Assessment (ADSA) service. Here are my thoughts:

  • PAWs - Do these now! They're hard but worth it.
  • Tiered Admin Model - The best time to do this was 5 years ago. The second best time is now.
  • MFA via Smart Cards - Can be a good improvement but kinda difficult to get right. Doesn't prevent delegation or replay attacks.
  • MFA via CrowdStrike IdP integration - No suggestions here.

Do you run PingCastle?
- PingCastle is good for low hanging fruit. But don't think you're secure just because you get your scores into the green zone!

do you run Bloodhound?
- BH is a great tool... which can sometimes be too overwhelming for admins. Plumhound and Goodhound are built on the same base but may be a better option for defenders.

How many Domain Admins is too many?
- In a decently-sized environment (10,000+ users), aim for <0.05% as DAs. Anything smaller, stay under 5, but aim for 0. IT IS POSSIBLE!

Do you MFA internally on the network (and if so is it just RDP)?
- In my prior gig, I did MFA for local logon, RDP, and on-prem OWA. After joining Trimarc, I realized that these protections are okay but not the panacea they're sold as, due to the previously mentioned replay and delegation attacks.

Some things you should be looking into if you aren't already:

  • Mark all AD admin accounts as "this account is sensitive and cannot be delegated"
  • Add as many AD admin accounts to the "Protected Users" group that you can
  • Enable LDAP Channel Binding and Signing
  • Remove Authenticated Users from the "Add workstations to domain" User Rights Assignment and set the ms-DS-MachineAccountQuota value to 0
  • Audit your AD CS installation. I maintain a tool called Locksmith that checks for the most common misconfigurations AND provides code snippets to fix some of those issues. https://github.com/TrimarcJake/Locksmith 

Back in June, Trimarc did a webcast about quick wins for improving security. Recently, my co-worker Jim Sykora compiled all the suggestions into a very thorough whitepaper that will take you even further: https://www.hub.trimarcsecurity.com/post/ten-ways-to-improve-ad-security-quickly

  • Thanks 2
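An added example (not Jake's code and not Locksmith) that checks the account-level items in the list above plus the Domain Admin head count against the rule of thumb he gives, and optionally applies the account fixes. It assumes the RSAT ActiveDirectory module, rights to modify the admin accounts, a 2012 R2 or later domain functional level for Protected Users, WinRM to the DCs, and a break-glass account called "breakglass" (a placeholder).

```powershell
# Added example, not code from the post or from Locksmith. Run with no switches
# first: it only reports. -Fix applies the account changes. LDAP signing/channel
# binding and the "Add workstations to domain" right are GPO settings (Default
# Domain Controllers Policy), so they are audited here but not changed.
[CmdletBinding()]
param([switch]$Fix, [string]$BreakGlass = 'breakglass')   # break-glass name is a placeholder

Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. AD admin accounts: recursive user members of the built-in privileged groups.
$privGroups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
              'Account Operators','Server Operators','Backup Operators','Print Operators'
$adminDns = foreach ($g in $privGroups) {
    # Enterprise/Schema Admins live in the forest root, so the lookup may fail in a child domain.
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty DistinguishedName
}
$admins = foreach ($dn in ($adminDns | Sort-Object -Unique)) {
    $u = Get-ADUser -Identity $dn -Properties AccountNotDelegated, MemberOf, ServicePrincipalName
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        NotDelegated   = $u.AccountNotDelegated                        # "sensitive and cannot be delegated"
        ProtectedUser  = [bool]($u.MemberOf -match '^CN=Protected Users,')
        HasSPN         = ($u.ServicePrincipalName.Count -gt 0)         # service account: keep out of Protected Users
    }
}
$admins | Sort-Object SamAccountName | Format-Table -AutoSize

# 2. Domain Admin head count against the post's rule of thumb (<0.05% of users, or under 5 in small shops).
$daCount   = @(Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user').Count
$userCount = @(Get-ADUser -Filter 'Enabled -eq $true').Count
$ceiling   = if ($userCount -ge 10000) { [math]::Floor($userCount * 0.0005) } else { 4 }
"Domain Admins: $daCount of $userCount enabled users (suggested ceiling: $ceiling, target 0)"

# 3. ms-DS-MachineAccountQuota: anything above 0 lets every authenticated user create computer objects.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota: $quota (want 0)"

# 4. LDAP signing and channel binding as actually enforced on each DC. 2 = required / always.
#    These registry values are what the two "Domain controller: LDAP server ..." GPO settings write.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -ScriptBlock {
    $p = Get-ItemProperty -Path $using:ntds
    [pscustomobject]@{
        DC                        = $env:COMPUTERNAME
        LDAPServerIntegrity       = $p.LDAPServerIntegrity        # $null means "negotiate" (default)
        LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding  # $null means "never" on older builds
    }
} | Format-Table -AutoSize

if ($Fix) {
    foreach ($a in $admins | Where-Object { -not $_.NotDelegated }) {
        Set-ADUser -Identity $a.SamAccountName -AccountNotDelegated $true
    }
    # Protected Users forces Kerberos-only with AES, blocks delegation and caps the TGT at 4 hours,
    # so SPN-bearing service accounts and the break-glass account stay out of it.
    $candidates = $admins | Where-Object {
        $_.Enabled -and -not $_.ProtectedUser -and -not $_.HasSPN -and $_.SamAccountName -ne $BreakGlass
    }
    if ($candidates) { Add-ADGroupMember -Identity 'Protected Users' -Members $candidates.SamAccountName }
    Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}
```

Add accounts to Protected Users in small batches and watch for NTLM-only applications and RDP to hosts that only do NTLM; those break immediately once the account is in the group.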

On 11/11/2022 at 9:33 PM, netsendHello said:

Anyone done any work with these sorts of preventative measures?

  • PAWs
  • Tiered Admin Model
  • MFA via Smart Cards
  • MFA via CrowdStrike IdP integration

Do you run PingCastle? do you run Bloodhound? How many Domain Admins is too many? Do you MFA internally on the network (and if so is it just RDP)?

PAWs are hard but great. If you can't, jump servers can be OK, but you lose the clean source, which is bad.

I just set up a completely new Tiered AD model from scratch. I admit to scratching my head a few times but it’s easy to see the security gain. Depending on the amount of admins (not domain admins) you have there might be people who need admin accounts in multiple tiers, therefore it might be a learning curve for these people with multiple accounts.

This works really well and is in fact the next step in my environment. 
 

Can’t say anything about the IdP, I don’t have any experience with it.

I’ll be doing MFA for different things in the environment but RDP is one.

As for PingCastle and BH, I haven’t yet but will be doing that.

I'd sleep best with 0 domain admins; while certainly possible, it makes certain things very hard. But really try to keep the number as low as possible. It takes a while to create roles and permissions for the roles, but it does help a lot.

There can also be some easy wins by reading the tips above from @horse

And to follow up:

Disable SMBv1 completely

Disable LLMNR

Lock down SMB everywhere where it’s not needed, no c$.

Same for RDP

Deploy LAPS

The list goes on 🙂

 

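The follow-up list above, as an added example (not Mika's code): apply the host settings to one machine, then do the Active Directory side of Windows LAPS so that servers are covered as well as workstations. It assumes an elevated session, the built-in Windows LAPS (the 2023 version with the LAPS module, not the legacy MSI), a management subnet of 10.10.0.0/24, and OU and group names that are all placeholders.

```powershell
# Added example, not code from the post. Test on one host, then push the same settings
# by GPO or Intune. Placeholders: 10.10.0.0/24, the OU DNs, the T2 helpdesk group.
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1   # 1 = workstation
$mgmtNet  = '10.10.0.0/24'                                               # PAW / jump-host subnet

# 1. SMBv1 off at the protocol level and the component removed; signing required for SMB2/3.
#    RequireSecuritySignature on a file server breaks clients that cannot sign, so check those first.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
if ($isServer) { Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null }
else           { Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null }

# 2. LLMNR off (policy key read by the DNS client; NetBIOS over TCP/IP is a separate per-adapter setting).
$dnsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $dnsPol -Force | Out-Null
Set-ItemProperty -Path $dnsPol -Name EnableMulticast -Value 0 -Type DWord

# 3. No administrative shares (C$, ADMIN$). Leave these on hosts that push tools like PDQ still need.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name $(if ($isServer) { 'AutoShareServer' } else { 'AutoShareWks' }) `
    -Value 0 -Type DWord

# 4. SMB and RDP inbound only from the management subnet, and only in the domain profile.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object DisplayName -like '*SMB-In*' |
    Set-NetFirewallRule -Enabled True -Profile Domain -RemoteAddress $mgmtNet
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -Enabled True -Profile Domain -RemoteAddress $mgmtNet

# 5. Windows LAPS, directory side. Run once from an admin box; the schema step needs Schema Admins,
#    which is the one moment that group should be non-empty.
Import-Module LAPS
Update-LapsADSchema
$workstationOu = 'OU=Workstations,DC=corp,DC=example'
$serverOu      = 'OU=Servers,DC=corp,DC=example'
foreach ($ou in $workstationOu, $serverOu) {          # never the Domain Controllers OU
    Set-LapsADComputerSelfPermission -Identity $ou | Out-Null   # each computer may write its own password
}
# T2 helpdesk reads and expires workstation passwords only; server passwords stay with Tier 1.
Set-LapsADReadPasswordPermission  -Identity $workstationOu -AllowedPrincipals 'CORP\T2-Helpdesk' | Out-Null
Set-LapsADResetPasswordPermission -Identity $workstationOu -AllowedPrincipals 'CORP\T2-Helpdesk' | Out-Null
# Then the GPO: Computer Configuration > Policies > Administrative Templates > System > LAPS >
# "Configure password backup directory" = Active Directory (plus the password length/age settings).

# 6. Verify from a managed client: force a policy run, then read the password back from AD.
Invoke-LapsPolicyProcessing
Get-LapsADPassword -Identity $env:COMPUTERNAME -AsPlainText |
    Select-Object ComputerName, Account, ExpirationTimestamp
```

Windows LAPS keeps a password history in the directory, which is what addresses the "local password does not match AD" complaint with the old LAPS: after a restore or a failed rotation the previous password is still retrievable with Get-LapsADPassword -IncludeHistory.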

1 hour ago, Mika said:

Deploy LAPS

Oh shoot. How did I forget about LAPS?


@horse's and @Mika's tips are very good, thanks.

About LAPS, did you ever experience issues when using it on a large fleet of computers?

We use it where I work so that IT technicians can troubleshoot users' laptops without having to use a "super T2 admin" account, but they often complain about it.

 

And what about LAPS for servers?


@Elched

> About LAPS, did you ever experience issues when using it on a large fleet of computers?

The largest issues I had were local passwords not matching what was stored in AD (rare), and the terrible font choice in the LAPS GUI (common). The password mismatch issue is solved in newer versions of LAPS that store a password history, and products like Lithnet Access Manager provide a better GUI so passwords can be used more consistently without typos.

> And what about LAPS for servers?

LAPS should absolutely be managing everything except DCs. 


  • 2 weeks later...

These are all great replies, thanks all, interesting to read what others are doing.

I have implemented the Tiered Admin Model and Virtual Smart Cards (they work well for Tier 0, where SCRIL is enabled on the accounts and on the servers via GPO), but for anything needing a username and password (some Tier 2 and Tier 1) this means you can't enable SCRIL.

PAWs I'm still on the fence about. I'd like to go as far as to do it, but there are other problems which demand more attention. Also, it seems like with various agents, cloud accounts, security products, and other privileged web consoles, the problem with PAWs is that you'd need to be accessing all those things which potentially have a T2 -> T0 path on them from a PAW. Which is really hard to enforce (not impossible).

I especially liked @horse's reply; I've done all of those things on the admin accounts except the Channel Binding (which I think was blocked by some load balancer using LDAPS). I am a big fan of adsecurity.org and learnt a lot from there. I've also enforced AES everywhere and gotten rid of all unconstrained delegation.

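An added read-only check (not the poster's code) for the three things the last post says were done, so they can be re-verified after every change: no unconstrained delegation, AES-only Kerberos, and SCRIL on Tier 0. It assumes the RSAT ActiveDirectory module, read access to the domain, and a Tier 0 group called "Tier0-Admins", which is a placeholder.

```powershell
# Added example, not code from the post. Read-only. Placeholder: the Tier 0 group name.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$tier0Grp = 'Tier0-Admins'

# 1. Unconstrained delegation (TRUSTED_FOR_DELEGATION) on anything except DCs, which have it by design.
#    A compromised host with this flag collects the TGTs of everyone who authenticates to it.
$dcOu = "OU=Domain Controllers,$($domain.DistinguishedName)"
$unconstrained = @(
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' | Where-Object DistinguishedName -notlike "*,$dcOu"
    Get-ADUser     -Filter 'TrustedForDelegation -eq $true'
)
# Constrained delegation with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000)
# lets the account impersonate anyone to the listed services without them ever logging in; list it too.
$anyAuth = Get-ADObject -LDAPFilter '(&(msDS-AllowedToDelegateTo=*)(userAccountControl:1.2.840.113556.1.4.803:=16777216))' `
    -Properties msDS-AllowedToDelegateTo
"Unconstrained delegation: $($unconstrained.Count)"
$unconstrained | Select-Object Name, ObjectClass
"Constrained delegation with protocol transition: $(@($anyAuth).Count)"
$anyAuth | Select-Object Name, @{n='Targets'; e={ $_.'msDS-AllowedToDelegateTo' -join ', ' }}

# 2. "AES everywhere": accounts that hold SPNs and whose msDS-SupportedEncryptionTypes is unset or
#    still has a DES/RC4 bit (1, 2, 4). For these the KDC may still issue RC4 service tickets, which
#    is what makes Kerberoasting cheap. objectClass=user matches computer objects as well.
$weakEnc = Get-ADObject -LDAPFilter '(&(objectClass=user)(servicePrincipalName=*)(|(!(msDS-SupportedEncryptionTypes=*))(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=7)))' `
    -Properties msDS-SupportedEncryptionTypes
"Accounts with SPNs that still accept RC4/DES: $(@($weakEnc).Count)"
$weakEnc | Select-Object Name, ObjectClass, @{n='EncTypes'; e={ $_.'msDS-SupportedEncryptionTypes' }}
# Fix per account: Set-ADUser / Set-ADComputer -Identity <name> -KerberosEncryptionType AES128,AES256
# and reset the password if it was last set before the domain reached 2008 functional level, so AES keys exist.

# 3. SCRIL on Tier 0, and whether the domain rolls the NT hash behind SCRIL accounts (2016 DFL feature).
#    Without the roll, a SCRIL account's hash never changes and is as useful for pass-the-hash as a password.
$tier0 = Get-ADGroupMember -Identity $tier0Grp -Recursive | Where-Object objectClass -eq 'user' |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties SmartcardLogonRequired }
$tier0 | Select-Object SamAccountName, SmartcardLogonRequired | Format-Table -AutoSize
$roll = (Get-ADObject -Identity $domain.DistinguishedName -Properties msDS-ExpirePasswordsOnSmartCardOnlyAccounts).'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
"msDS-ExpirePasswordsOnSmartCardOnlyAccounts: $roll (want True; needs 2016 domain functional level)"
# Enable with: Set-ADDomain -Identity $domain -Replace @{ 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts' = $true }
```

The hash roll is the piece most SCRIL deployments miss: it is what stops a virtual smart card account from being replayed indefinitely once its NT hash has been dumped from a host it logged on to.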
