๐Ÿ” Security Fundamentals

Now that we have a clearer understanding of Active Directory elements, let's delve deeper into the security aspects that form the foundation of a robust AD environment. Security in Active Directory is built upon several critical pillars that work together to create a comprehensive defense system.

๐ŸŒ Address Resolution

The Basics

Address resolution is the capability of users and machines to translate the names of other computers into network addresses in order to establish connections with them. This fundamental process enables communication across the network, but it also presents significant security risks if not properly managed, because whoever answers a name lookup decides where the connection goes.

Security Implications

If an attacker can control address resolution, they could:

  • Perform Man-in-the-Middle (MITM) attacks
  • Redirect users to malicious services
  • Capture credentials through LLMNR/NBT-NS poisoning
  • Conduct DNS spoofing attacks

Common Attack Vectors

  • LLMNR/NBT-NS Poisoning: Attackers respond to name resolution requests on behalf of legitimate systems
  • DNS Spoofing: Manipulating DNS records to redirect traffic
  • WPAD Hijacking: Exploiting Web Proxy Auto-Discovery settings

Defensive Measures

  • Disable LLMNR and NBT-NS where possible
  • Implement DNSSEC (Domain Name System Security Extensions)
  • Monitor for unusual name resolution patterns
  • Use network segmentation to limit broadcast domains
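The first three measures above can be verified on the endpoint itself. The following PowerShell is an added example and not code from the original page: it reads the registry value written by the "Turn off multicast name resolution" Group Policy (LLMNR), the per-interface NetBIOS setting (NBT-NS), and the start type of the WinHTTP auto-proxy service as an indicator for WPAD, which the list above does not mention. The function name and the PASS/FAIL report shape are the example's own; the registry paths and service name are the documented Windows locations. It assumes an elevated PowerShell 5.1 or later session on a domain-joined Windows host.

```powershell
# Added example (not from the original page): local posture check for the
# name-resolution defences. Run elevated on the host being assessed.
function Test-NameResolutionHardening {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. LLMNR: the policy "Turn off multicast name resolution" writes
    #    EnableMulticast = 0 under the DNSClient policy key. Anything else
    #    (including an absent value) means LLMNR is still active.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $findings.Add([pscustomobject]@{
        Control  = 'LLMNR disabled (EnableMulticast)'
        Expected = '0'
        Actual   = if ($null -eq $llmnr) { '<not set>' } else { "$llmnr" }
        Status   = if ($llmnr -eq 0) { 'PASS' } else { 'FAIL' }
    })

    # 2. NBT-NS: NetbiosOptions = 2 disables NetBIOS over TCP/IP on an
    #    interface (0 = take the DHCP default, 1 = enabled). Every interface
    #    is checked because a single enabled adapter still answers broadcasts.
    $ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $ifaceRoot -ErrorAction SilentlyContinue) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $findings.Add([pscustomobject]@{
            Control  = "NBT-NS disabled ($($iface.PSChildName))"
            Expected = '2'
            Actual   = if ($null -eq $opt) { '<not set>' } else { "$opt" }
            Status   = if ($opt -eq 2) { 'PASS' } else { 'FAIL' }
        })
    }

    # 3. WPAD: the WinHTTP Web Proxy Auto-Discovery Service performs the
    #    wpad lookup. Reporting its start type is an assumption-level check:
    #    a disabled service removes the automatic discovery path.
    $wpad = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    $findings.Add([pscustomobject]@{
        Control  = 'WPAD auto-discovery service disabled'
        Expected = 'Disabled'
        Actual   = if ($wpad) { "$($wpad.StartType)" } else { '<service not found>' }
        Status   = if ($wpad -and $wpad.StartType -eq 'Disabled') { 'PASS' } else { 'FAIL' }
    })

    return $findings
}

Test-NameResolutionHardening | Format-Table -AutoSize
```

Any FAIL row maps directly to one of the defensive measures above; in a managed estate the LLMNR and NBT-NS rows should pass via Group Policy rather than per-host changes, so a FAIL on a domain-joined machine usually indicates a policy scoping gap rather than a local misconfiguration.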

| Security Pillar | Description | Common Attack Vectors | Defensive Measures |
|---|---|---|---|
| 🌐 Address Resolution | The process of resolving network names to IP addresses, enabling communication between machines. If compromised, it can allow for traffic redirection. | • LLMNR/NBT-NS Poisoning: Responding to broadcast name requests on behalf of legitimate systems.<br>• DNS Spoofing: Manipulating DNS records to redirect traffic to malicious servers.<br>• WPAD Hijacking: Exploiting proxy auto-discovery settings. | • Disable LLMNR and NBT-NS where possible via Group Policy.<br>• Implement DNSSEC to ensure DNS response integrity.<br>• Monitor network traffic for unusual name resolution patterns.<br>• Employ network segmentation to limit the scope of broadcast attacks. |
| 🔑 Authentication | The process of verifying the identity of a user or service. In AD, this is primarily handled via the Kerberos and NTLM protocols. | • Pass-the-Hash: Using captured NTLM hashes for authentication without cracking the password.<br>• Kerberoasting: Exploiting weakly configured service accounts to crack their passwords.<br>• Golden/Silver Ticket: Forging Kerberos tickets to impersonate any user or service.<br>• AS-REP Roasting: Requesting authentication tickets for users without pre-authentication enabled. | • Enforce strong password policies and regular changes for all accounts, especially service accounts.<br>• Implement Privileged Access Management (PAM) and Just Enough Administration (JEA).<br>• Monitor for suspicious authentication events (e.g., unusual logon times or locations).<br>• Ensure "Do not require Kerberos preauthentication" is disabled for user accounts. |
| 🛡️ Authorization | The mechanism that determines what an authenticated user is permitted to do. This is managed through Access Control Lists (ACLs), group memberships, and permissions. | • ACL Abuse: Modifying Access Control Lists on sensitive objects to grant oneself excessive permissions.<br>• Privileged Group Manipulation: Adding a user account to a high-privilege group (e.g., Domain Admins).<br>• DCSync Abuse: Misusing replication permissions to pull credentials directly from a domain controller. | • Adhere to the Principle of Least Privilege; grant only the permissions necessary for a task.<br>• Regularly audit group memberships, especially for privileged groups.<br>• Properly configure AdminSDHolder and ensure SDProp is running periodically.<br>• Implement a Tiered Administration model to separate high-level and low-level privileges. |
| Additional Considerations | Broader security practices that support the core pillars and enhance the overall security posture of the Active Directory environment. | • Lack of Monitoring: Attackers going unnoticed due to poor logging and alerting.<br>• Unpatched Systems: Exploiting known vulnerabilities in domain controllers or other critical infrastructure.<br>• Poor Backup Strategy: Inability to recover from a domain-wide compromise or ransomware attack. | • Deploy a SIEM solution to centralise and analyse security logs.<br>• Maintain a rigorous patch management cycle for all domain-joined systems.<br>• Maintain secure, tested, and ideally immutable backups of Active Directory.<br>• Utilise advanced security features like Microsoft Defender for Identity and Azure AD Identity Protection. |