Active Directory Auditing Tools: Building Blocks or Just a Handful of Dust?
@paulacqure
@CQUREAcademy
CONSULTING
Paula Januszkiewicz
CQURE: CEO, Penetration Tester; Security Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT
www.cqureacademy.com
paula@cqure.us
What does CQURE Team do?
Consulting services
• High quality penetration tests with useful reports: applications, websites, external services (edge), internal services, plus configuration reviews
• Incident response emergency services: immediate reaction!
• Security architecture and design advisory
• Forensics investigation
• Security awareness for management and employees
info@cqure.us
Trainings
• Security Awareness trainings for executives
• CQURE Academy: over 40 advanced security trainings for IT Teams
• Certificates and exams
• Delivered all around the world only by the CQURE Team: the training authors
Chasing the obvious: NTDS.DIT, SAM
NTDS.DIT (on domain controllers) and the SAM (on every Windows host) store password hashes, not clear-text passwords. This means: to read the clear-text password you need to struggle (crack or guess it). The hash alone, however, is already enough to authenticate over NTLM, which is the whole point of the pass-the-hash attack covered later in this deck.
Identity is the new security “perimeter” under attack
One small mistake can lead to attacker control
Attackers can:
• Steal any data
• Encrypt any data
• Modify documents
• Impersonate users
• Disrupt business operations
Active Directory and Administrators control all the assets
Tier 0: Domain & Enterprise Admins
Tier 1: Server Admins
Tier 2: Workstation & Device Admins
Phase 1 Critical Mitigations: Typical Attack Chain
1. Beachhead (phishing attack, etc.)
2. Lateral Movement
   a. Steal credentials
   b. Compromise more hosts & credentials
3. Privilege Escalation
   a. Get Domain Admin credentials
4. Execute Attacker Mission
   a. Steal data, destroy systems, etc.
   b. Persist presence
Privileged access is typically compromised within 24-48 hours of the beachhead. The chain works because credentials from a higher tier get used (and therefore left behind) on lower-tier hosts; the tier model exists to stop that crossing.
Making and Measuring Progress against Risk
Securing Privileged Access: Three Stage Roadmap (2-4 weeks, 1-3 months, 6+ months)
http://aka.ms/privsec
Attacks addressed: Domain Controller (DC) host attacks; credential theft & abuse; attacker stealth; AD attacks
Defenses: detect attacks; harden DC configuration; reduce agent attack surface; prevent escalation; prevent lateral traversal; increase privilege usage visibility; assign least privilege
Protecting Active Directory and Admin privileges
Stage 1 (2-4 weeks): first response to the most frequently used attack techniques
1. Separate admin account for admin tasks
2. Privileged Access Workstations (PAWs), phase 1: Active Directory admins http://Aka.ms/CyberPAW
3. Unique local admin passwords for workstations http://Aka.ms/LAPS
4. Unique local admin passwords for servers http://Aka.ms/LAPS
Top Priority Mitigations in this stage (2-4 weeks, 1-3 months, 6+ months)
Attacks addressed: DC host attacks; credential theft & abuse; attacker stealth; AD attacks
Defenses: detect attacks; harden DC configuration; reduce DC agent attack surface; prevent escalation; prevent lateral traversal; increase privilege usage visibility; assign least privilege
Protecting Active Directory and Admin privileges
Stage 2 (1-3 months): build visibility and control of administrator activity, increase protection against typical follow-up attacks
1. Privileged Access Workstations (PAWs), phases 2 and 3: all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) http://aka.ms/CyberPAW
2. Time-bound privileges (no permanent admins) http://aka.ms/PAM http://aka.ms/AzurePIM
3. Multi-factor authentication for elevation
4. Just Enough Admin (JEA) for DC maintenance http://aka.ms/JEA
5. Lower attack surface of domain and DCs http://aka.ms/HardenAD
6. Attack detection http://aka.ms/ata
Defense focus in this stage: prevent escalation
Protecting Active Directory and Admin privileges
Stage 3 (6+ months): move to a proactive security posture
1. Modernize roles and delegation model
2. Smartcard or Passport (now Windows Hello for Business) authentication for all admins http://aka.ms/Passport
3. Admin forest for Active Directory administrators http://aka.ms/ESAE (Microsoft has since retired the ESAE "red forest" pattern in favour of its privileged access strategy; the isolation goal is unchanged)
4. Code Integrity policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V fabric) http://aka.ms/shieldedvms
Defense focus in this stage: prevent escalation, prevent lateral traversal
What is the most successful path for the attack right now?
THE ANATOMY OF AN ATTACK
1. Healthy computer
2. User receives email
3. User lured to malicious site
4. Device infected with malware
5. HelpDesk logs into device
6. Identity stolen, attacker has increased privileges
Today’s security challenge: “Pass the Hash” attacks
Pass-The-Hash Technique
Fred’s Laptop: Fred’s user session (User: Fred, password hash: A3D7…); malware session (User: Administrator, password hash: E1977…)
Sue’s Laptop: Sue’s user session (User: Sue, password hash: C9DF…); malware user session (User: Adm…, hash: E1977)
File Server: User: Sue, hash: C9DF
1. Fred runs malware; he is a local administrator
2. A pass-the-hash session is established with another computer
3. Malware infects Sue’s laptop as Fred
4. Malware infects the file server as Sue
Because Fred is a local administrator, the malware can read every credential held in LSASS on his laptop, including the local Administrator hash (E1977…) that is identical on Sue’s laptop. Each hop harvests the next set of hashes, so no password ever has to be cracked; NTLM network logons with a shared local account, followed by further NTLM logons originating from the freshly compromised host, are the trail this leaves in the security log.
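The following is an added example, not code from the webinar deck or from BeyondTrust. It shows two checks a defender can run over Windows Security event 4624 (successful logon) records to surface the two things the tier slides and the pass-the-hash diagram describe: a Tier 0 account being used on a lower-tier host, and a chain of NTLM network logons that hop from one freshly compromised host to the next. The tier assignments, host names, accounts, IP-to-host mapping and the event records themselves are constructed for the example; a real deployment would take them from the directory and from forwarded event logs.

```python
"""
Added example (not part of the original deck): tier-violation and
pass-the-hash hop-chain detection over constructed Windows 4624 records.
"""
from typing import Dict, List, Tuple

# Assumed tier model: lower number = more trusted (Tier 0 = domain admins).
TIER_OF_HOST: Dict[str, int] = {"DC01": 0, "FS01": 1, "FRED-LT": 2, "SUE-LT": 2}
TIER_OF_ACCOUNT: Dict[str, int] = {"CORP\\DA-PAULA": 0, "CORP\\FRED": 2, "CORP\\SUE": 2}
# Assumed inventory mapping 4624 source addresses back to host names.
HOST_OF_IP: Dict[str, str] = {"10.0.0.11": "FRED-LT", "10.0.0.12": "SUE-LT", "10.0.0.50": "PAW01"}

NETWORK_LOGON = 3  # 4624 LogonType: 2 interactive, 3 network, 10 RemoteInteractive

# Constructed 4624 records (a subset of the real event's fields). They replay
# the slide: Fred's laptop is compromised, the shared local Administrator hash
# is passed to Sue's laptop over NTLM, Sue's hash is then passed on to the file
# server, and finally a Tier 0 admin logs on to Fred's infected workstation.
SAMPLE_EVENTS: List[dict] = [
    {"time": 1, "host": "FRED-LT", "account": "CORP\\FRED", "logon_type": 2, "package": "Kerberos", "src": "-"},
    {"time": 2, "host": "SUE-LT", "account": "SUE-LT\\Administrator", "logon_type": 3, "package": "NTLM", "src": "10.0.0.11"},
    {"time": 3, "host": "SUE-LT", "account": "CORP\\SUE", "logon_type": 2, "package": "Kerberos", "src": "-"},
    {"time": 4, "host": "FS01", "account": "CORP\\SUE", "logon_type": 3, "package": "NTLM", "src": "10.0.0.12"},
    {"time": 5, "host": "FRED-LT", "account": "CORP\\DA-PAULA", "logon_type": 10, "package": "Kerberos", "src": "10.0.0.50"},
]


def tier_violations(events: List[dict]) -> List[Tuple[str, str]]:
    """(host, account) pairs where an account is used on a host of a lower
    tier than the account itself. Interactive logons are the dangerous case
    (they leave reusable secrets in LSASS), but every logon type crosses the
    tier boundary, so none is excluded here."""
    hits = []
    for e in events:
        acct_tier = TIER_OF_ACCOUNT.get(e["account"])
        host_tier = TIER_OF_HOST.get(e["host"])
        if acct_tier is None or host_tier is None:
            continue  # not in the model; report such gaps separately
        if acct_tier < host_tier:
            hits.append((e["host"], e["account"]))
    return hits


def local_account_network_logons(events: List[dict]) -> List[dict]:
    """Network logons with a local (machine) account: the domain part of the
    account name equals the target host. Remote use of a built-in local
    admin is what a passed local Administrator hash looks like, and what
    unique local admin passwords (LAPS) are meant to defuse."""
    return [
        e for e in events
        if e["logon_type"] == NETWORK_LOGON
        and e["account"].split("\\", 1)[0].upper() == e["host"].upper()
    ]


def ntlm_hop_chains(events: List[dict], host_of_ip: Dict[str, str] = HOST_OF_IP) -> List[List[Tuple[str, str, str]]]:
    """Chain NTLM network logons so that each hop starts on the host where
    the previous hop landed. Each step is (source host, target host, account)."""
    hops = sorted(
        (e for e in events if e["logon_type"] == NETWORK_LOGON and e["package"] == "NTLM"),
        key=lambda e: e["time"],
    )
    chains: List[List[Tuple[str, str, str]]] = []
    for hop in hops:
        src = host_of_ip.get(hop["src"], hop["src"])
        step = (src, hop["host"], hop["account"])
        for chain in chains:
            if chain[-1][1] == src:  # previous hop landed where this one starts
                chain.append(step)
                break
        else:
            chains.append([step])
    return chains


if __name__ == "__main__":
    print("tier violations:", tier_violations(SAMPLE_EVENTS))
    print("local-account network logons:",
          [(e["host"], e["account"]) for e in local_account_network_logons(SAMPLE_EVENTS)])
    for chain in ntlm_hop_chains(SAMPLE_EVENTS):
        print("NTLM hop chain:", " -> ".join(f"{s} =[{a}]=> {d}" for s, d, a in chain))
```

On the constructed input the three functions return the Tier 0 admin's logon to Fred's workstation, the remote use of the local Administrator account on Sue's laptop, and the two-hop chain Fred's laptop to Sue's laptop to the file server. Chaining on the source address only works if the inventory mapping is current, and a chain is a lead rather than proof: legitimate tooling (backup agents, scanners) also produces NTLM network logons, so the local-account and tier checks are the ones that should page someone.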
Pass-The-Hash Solution: Virtual Secure Mode
VSM (shipped today as virtualization-based security with Credential Guard) uses a Hyper-V powered secure execution environment to protect derived credentials: you can get things in, but you can’t get things out.
• Decouples the NTLM hash from the logon secret
• Fully randomizes and manages a full-length NTLM hash to prevent brute-force attacks
• Derived credentials that the VSM-protected LSA service gives to Windows are non-replayable
Caveat: Credential Guard protects domain credentials held by the isolated LSA. It does not protect local account secrets in the SAM, credentials that applications handle themselves, or a session that is still logged on, where code running as SYSTEM can use the protected credentials through LSASS without ever reading them. It shrinks the window of the attack in the previous slides; the tiering, PAW and unique-local-password controls are still needed.
Summary: Best Practices
Vulnerability Management
• Continuous vulnerability discovery
• Context-aware analysis
• Prioritization
• Remediation and tracking
Put on the Hacker’s Shoes
• External + internal + web penetration tests
• Configuration reviews
• Prevention
PowerBroker Auditing & Security Suite
Real-time change auditing and recovery for AD and Windows environments
• Centralized real-time change auditing of Active Directory, file systems, Exchange, SQL and NetApp
• Entitlement reporting for AD and file systems
• Continuous backup and recovery for AD
How does it work?
Demonstration
Quick Poll + Q&A
Thank you for attending today’s webinar.