Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Monday, June 12, 2017

The Active Directory Attack Surface (Day 4)

Dear Microsoft,

Today is Day-4 of our advanced Active Directory Audit School for you. Today, I'll help you better understand the Active Directory attack surface, and because my time's valuable, I'll focus on the two specific areas that you don't seem to understand too well.
(If you want to know why I think that you don't understand them that well, just read the post and the PS section that follows.)

The Active Directory Attack Surface

As most organizations know today, the Active Directory attack surface is primarily comprised of 5 components -

1. Domain Controllers
2. Active Directory Backups
3. Active Directory Administrative Accounts and Security Groups
4. Administrative Workstations used by Active Directory Administrative Personnel
5*. Last but not the least, unique to Active Directory, Administrative Delegations / Ocean of Security Permissions

* Note: Strictly speaking, if implemented perfectly the compromise of administrative delegations whilst could result in substantial damage, could not result in the compromise of Active Directory. However, because in reality, today, at most organizations worldwide, the implementation of administrative delegations is far from perfect, realistically speaking the compromise of administrative delegations can easily result in the compromise of Active Directory.

Suffice it to say that if a perpetrator can compromise any one of the above, he/she can compromise Active Directory.


Here's why these five components constitute the Active Directory Attack Surface -

  1. Domain Controllers (DCs) - The protection of DCs is of utmost importance because the compromise of even a single DC is tantamount to a compromise of the entire Active Directory, considering that Active Directory is hosted on DCs.

  2. Active Directory Backups - The protection of physical Active Directory backups is equally important because should a perpetrator be able to obtain physical access to such a backup, with the right tooling, he/she could extract the credentials of all accounts from the backup, including of course, the credentials of all privileged accounts, resulting in a compromise.

  3. Active Directory Administrative Accounts and Security Groups - The protection of all Active Directory Administrative Accounts and Security Groups is of utmost importance, because the compromise of a single such Active Directory privileged user account or security group could instantly result in the compromise of the entire Active Directory.

  4. Administrative Workstations used by Active Directory Administrative Personnel - The protection of all computers used by all Active Directory administrative/privileged users is of equal importance as well, since their compromise could be used to have malicious code designed to compromise Active Directory, be easily executed in a privileged context.

  5. Administrative Delegations / Ocean of Security Permissions in Active Directory - The need to ensure that all administrative delegations done in Active Directory and all access provisioned in Active Directory adhere to the principle of least privilege, is also of utmost importance, as even a single excessive/unauthorized delegation / security permission could give instantly perpetrators the opportunity to easily gain complete command and control over Active Directory.

Since Microsoft's Active Directory Security guidance adequately covers speaking about #1, #2 and #4 above, in the remainder of this post, we will focus on certain aspects of #3 and an overview of #5, especially considering that Active Directory ACLs are rapidly and increasingly becoming the focus of topics like Persistence in Active Directory, and being targeted by amateur pen-testing tools like BloodHound (which incidentally is substantially inaccurate) and other such Active Directory ACL analysis tools.

Speaking of the Attack Vectors to Active Directory Administrative/Privileged Accounts and Security Groups

It is a well known fact by know that Active Directory administrative (privileged) domain accounts (and groups) are target #1 for perpetrators, (because their compromise instantly provides domain-wide root access,) as evidenced by the fact that 100% of all major recent cyber security breaches involved the compromise and misuse of an Active Directory privileged user account.

Speaking of Active Directory administrative accounts and groups, there are 5 main attack vectors that are commonly used to try and compromise them -
  1. Credential guessing - This is an archaic approach that is seldom employed today because it is easily thwarted by the presence of simple security measures like domain account lockout security policies.

  2. Credential theft and re-use - This has recently been the predominant approach, and includes techniques like Pass-the-Hash (PtH) etc., most of which are becoming harder to enact as Microsoft improves the security of its operating systems and organizations employ various solutions to combat the use, efficacy and success rate of these attack vectors.

    Mass credential-theft, enabled by the Mimikatz DCSync remains a very serious threat, but can today be easily thwarted.

  3. User Impersonation - This approach primarily involves leveraging Kerberos delegation, wherein a service trusted for (Kerberos) delegation could impersonate a client, and in cases where the client happens to be an Active Directory administrative user or service account, the service could effectively then be impersonate the client across the network.  

  4. Credential change (/reset) - This simple approach involves measures aimed affecting a change in a user's credentials, and the primary technique involves simply resetting the user's password, a legitimate administrative task that can be enacted most easily as long as one has sufficient privileges (i.e. effective permissions) to be able to do so.

  5. Entitlement misuse - As it pertains to administrative accounts and groups, this simple approach involves resetting user account passwords and/or modifying an administrative group's membership, legitimate administrative tasks that can be enacted most easily as long as one has sufficient privileges (i.e. effective permissions) to enact them. This is likely going to be the next predominant approach as perpetrators have started focusing their attention within Active Directory.

Of the 5 ways listed, #4 and #5 are most relevant today. Speaking of #4 and #5, i.e. credential change and entitlement misuse, consider that any individual who could enact any of the following tasks could instantly obtain admin access in Active Directory -

  1. Reset the password of any Active Directory administrative domain user account

  2. Modify the membership of any Active Directory administrative domain security group

  3. Modify the permissions protecting any Active Directory administrative domain user account

  4. Modify the permissions protecting any Active Directory administrative domain security group

  5. Modify the permissions protecting any Active Directory Organizational Unit in which a non-default administrative domain user account or domain security group resides (and there could easily be hundreds of such accounts in Active Directory.)

Again, suffice it to say that anyone who can enact any of the tasks above can instantly gain admin access over Active Directory.

Unfortunately, in most Active Directory deployments today, password resets and entitlement misuse remain the #1 real threat, as no one seems to have any clue as to exactly who can enact any of these simple administrative tasks, and as a consequence, most organizations are operating in the dark today.

There are two simple reasons for this - 1) Most organizations have yet to even start giving thought to this remarkably simple attack vector, and 2) of those that may have, most organizations do not know how to correctly analyze permissions on Active Directory objects, which is essential to making these simple yet paramount determinations.

Specifically, they may not know yet that what matters when making these determinations is not "who has what permissions in Active Directory", but "who has what effective permissions in Active Directory", and most simply stated, the difference between the two could be the difference between compromise and security!

Thus, when speaking of the Active Directory attack surface, the protection of admin accounts and groups, albeit vital, remains a weak area, and if left unaddressed, could leave the door WIDE open for perpetrators to gain admin access in Active Directory.

In days to come, I will be sharing a substantial amount of additional detail on this, so anyone interested may want to stay tuned.

The Largest Component of the Active Directory Attack Surface -
Administrative Delegations / Security Permissions

One could easily write a book on this single subject (and Microsoft, as you know, I actually did write a 400-page one on it, titled Microsoft's Best Practices for Delegating Active Directory Administration), yet this is the one area that unfortunately still remains largely unaddressed, and thus provides an OCEAN of opportunities for perpetrators to compromise organizational security.

You see, the most important part of Active Directory is its content, i.e. thousands of domain user accounts, computer accounts, security groups, group policies etc., which are the very building blocks of IT and cyber security today, and the entirety of this content is protected by thousands of access control lists (ACLs), within which lie millions of access control entries ACEs) that together (and not individually/separately) specify who has what permissions on these objects, AND it is this ocean of security permissions that exists within each Active Directory that together ultimately determines the true effective access provisioned in/across Active Directory, and today it comprises the vastest component of the Active Directory attack surface.

Putting it most simply, in addition to the default administrative accounts and groups that exist in Active Directory, and the default permissions that have been provisioned for them, over the years an extensive amount of administrative delegation and/or access provisioning has been done in most Active Directory deployments to fulfill various business needs, and as a result, today substantially many more than just the default administrative accounts and groups have all kinds of access provisioned in the Active Directory, yet no one knows exactly who actually (i.e. effectively) has what access and where in Active Directory.

Want the simplest example? Look no further than Mimikatz DCSync - by default only certain default admin groups have the Get-Replication-Changes-All extended right effectively granted on the domain root. However, a single intended (or unintended) administrative delegation / provisioned access could instantly end up granting this right to who knows how many individuals, and as a consequence, the accounts of any one of them could be used to compromise everyone's credentials within minutes!

It could have been something as simple as an admin trying to provision a single specific permission in Active Directory - Allow All Extended Rights on Descendant objects only on the domain root object, but accidentally ended up provisioning this - Allow All Extended Rights on This object and all descendant objects. Right there, in that one accidental mistake, one could jeopardize the entire organization's security! And this is merely one example. I could give you hundreds of such examples, wherein a single accidental or intentional misconfiguration of Active Directory security permissions could result in the existence of a HUGE hole.

Considering that by default Active Directory grants Authenticated Users blanket read access across Active Directory, literally anyone who knows anything about Active Directory security can use mere authenticated user access to analyze this ocean of security permissions and find thousands of vulnerabilities and privilege escalation paths, which can be easily exploited to inflict damage, and in many cases easily escalate privilege to that of a Domain Admin equivalent account.

In fact, the recently introduced BloodHound penetration testing tool leverages this exact authenticated user access to attempt to make this determination. Unfortunately, it is substantially inaccurate because it makes the same classic mistake that so many IT professionals in the world do i.e. it simply attempts to try and determine "who has what permissions" instead of trying to determine "who has what effective permissions" in Active Directory. (More on this tool's ludicrous inaccuracy in days to come.)

More pertinently, as evidenced by the emergence of such tooling, as Microsoft finally makes progress towards making most of today's predominant hacking/compromise avenues/attack vectors (e.g. Pass-the-Hash etc.) much more difficult to carry out, hackers seem to be rapidly shifting their focus, effort and attention on trying to learn more about and finding ways to exploit any weakness they can find in this ocean of Active Directory security permissions (and there are thousands to be found today.)

In essence, in virtually every foundational Active Directory deployment in the world, this vast ocean of security permissions in Active Directory presents a vulnerable attack surface the size of the Pacific ocean, and in light of the above, this worries us.

So, in days to come, I will be also sharing a substantial amount of detail on this, so anyone interested may want to tune in.

In Summary

To summarize, today I just wanted to help Microsoft and the world better understand what constitutes the Active Directory attack surface, and where organizations should really be focusing their energies if they truly want to protect their foundational Active Directory deployments (because as BloodHound, Mimikatz DCSync etc. show us, that is likely the next wave perpetrators are going to be focused on in the near future; apparently they're still learning, so there is still a little time before the tsunami hits.)

Alright then, that'll be it for today.

Best wishes,

PS: Dear Microsoft, consider this - in light of what I have shared above, the best you've got is baby tools like dsacls, acldiag, an (inaccurate and inadequate) Effective Permissions Tab, PowerShell etc. and you've given the world nothing in this area during the last entire decade, not even guidance, which is what prompted me to say this and ask this. Organizations trying to reduce (i.e. identify, lock-down and protect) the vastest part of their Active Directory attack surface (described above) with your native tools (or with any one of numerous woefully inadequate "Active Directory permissions audit" solutions out there) is like someone trying to accomplish a herculean task, one that actually requires Iron Man's skills and intellectual depth, but has to make do with Donald's (no not this one's, this one's) instead.

No comments:

Post a Comment