As former Microsoft Program Manager for Active Directory Security, I just wanted to take a moment to share a very quick note regarding Active Directory Recon, i.e. Active Directory Reconnaissance, which several folks out there have recently been focusing on and sharing from a hacking perspective.
[Image: An Intruder performing Active Directory Recon]
In the past few months, there has been a notable increase in the focus and attention on Active Directory security in the hacking community. Over the past few years, credential-theft attacks have focused on Active Directory credentials, and as Microsoft's efforts make it harder for hackers to engage in credential theft, the hackers have started shifting their focus to finding ways to breach the security of Active Directory itself.
Empowering Organizations
In days to come, time permitting, I will try to share with you likely the world's most advanced ways to perform an Active Directory Recon, but with the focus and intention on helping organizations safeguard their foundational Active Directory deployments.
[Image: Organizational IT Personnel performing Active Directory Recon]
This is important because we should empower IT personnel at organizations worldwide with the knowledge, skills and resources they need to be able to adequately protect their foundational Active Directory deployments from attempts to breach security.
Active Directory is Rock-Solid
Until then, due to paucity of time, I would like to make 3 important points for all organizations worldwide -
- Active Directory is by definition a Directory Service, so obviously and by design, all Authenticated Users have blanket read-property access to literally everything in Active Directory. This includes domain (user and computer) account and security group enumerations, read access to all properties on all objects (including important security related attributes on all domain user accounts and computer accounts), sensitive contents of the System container, contents of the entire Schema and Configuration partitions, details of service connection points, trust relationships, replication meta-data, quota and security policy info, info exposed via rootDSE and of course prized info in Active Directory ACLs etc.
Consequently, an intruder with any form of authenticated access can easily access, obtain and analyze vast amounts of valuable information about not just your Active Directory but your entire Active Directory-based IT infrastructure.
- Mature organizations must always assume that intruders know everything there is to know (as an Authenticated User) about their Active Directory, and yet design, implement/deploy and enforce an adequate set of security measures to protect their foundational Active Directory deployments, such that even if intruders know everything there is to know, they will still not be able to compromise it.
I'd like organizations to know that it is absolutely possible to do so, because Active Directory is one of the most rock-solid, securable and trustworthy technologies ever built. In days to come, time permitting, I'll try to show you how.
- You can operate a highly resilient and trustworthy Active Directory. I cannot stress this enough, so I'm repeating it: even if 1000 intruders know everything there is to know about your Active Directory, your Domain Controllers, your Privileged Users etc., you can still operate a highly resilient, defensible and trustworthy Active Directory. In fact, at Paramount Defenses, we do it 365-24-7. I will tell you that it takes knowledge, discipline and executive support.
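As an added example (not code from this post), the PowerShell audit below lists the ACEs on the domain root, the System container and the Configuration and Schema partitions that grant Authenticated Users or Everyone read rights, so an AD operations team can verify for itself the default blanket read access the first point describes. It assumes the RSAT ActiveDirectory module is installed and that the account running it is a domain member (any authenticated account can read these ACLs, which is precisely the point).

```powershell
# Added example: show which ACEs on key AD containers grant read access to
# Authenticated Users / Everyone. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext

# Containers the post calls out: domain root, System container,
# Configuration partition and Schema partition.
$targets = @(
    $domainDn,
    "CN=System,$domainDn",
    $rootDse.configurationNamingContext,
    $rootDse.schemaNamingContext
)

# Well-known principals whose access applies to every authenticated account.
$broadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone')

# Rights that amount to "read": property reads and child enumeration.
# GenericRead ACEs also carry the ReadProperty bit, so they match too.
$readRights = [int]([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::ListChildren)

foreach ($dn in $targets) {
    # Get-Acl against the AD: drive returns an ActiveDirectorySecurity object.
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $_.IdentityReference.Value -and
            (([int]$_.ActiveDirectoryRights -band $readRights) -ne 0)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Object    = $dn
                Principal = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
                AppliesTo = $_.InheritanceType
            }
        }
}
```

The output is the concrete list of default read grants behind the post's claim; it is a starting point for understanding what is exposed, not something to "fix" by removing default ACEs, which breaks directory functionality.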
In Essence
The point I want to make here is that in order to adequately secure and defend Active Directory, you have to know Active Directory better than the intruders do, and you have to have executive support.
I'd like all organizations that operate on Microsoft Active Directory to know that we're all in this together, and that together we can help safeguard the very foundation of our organizations, and in doing so, do our bit to make the world a safer place.
So, once I'm finished with Active Directory Security School for Microsoft, I will likely pen a post on Active Directory Recon.
For anyone that may want a head start, please feel free to review this.
Best wishes,
Sanjay.
PS: Humble advice to all CISOs - Help your AD Operations Teams gain the proficiency they need to adequately secure your organization's foundational AD deployments, and get your C*Os to understand the importance of adequately protecting AD.
PS2: Two quick points for folks out there shedding light on "Active Directory Recon" -
- To those who may want to show the world how to perform an Active Directory recon without admin rights, I would like to respectfully point out that it really is no big deal to do that, because by default Authenticated Users already have full read access to every object in every partition in Active Directory.
- To those cyber security enthusiasts who may just be discovering Active Directory and finding exuberance in showing the world their new-found Active Directory recon skills, again I would only like to respectfully point out that Active Directory has been around for 17 years now. There are thus thousands of individuals who know a lot about it, many of whom may have already done a lot of this a decade ago. So while it's great to discover new things, and I wish you all the very best as you go about discovering the ocean that Active Directory is, it's best to do so with humility.