Defensive Strategies Against AD Misconfigurations

7 min readNov 23, 2023

Defensive Strategies Against AD Misconfigurations: Basic Principles to Know

Active Directory (AD) is a directory service developed by Microsoft. This system centrally stores and manages critical information such as user accounts, computer accounts, groups, and other network resources. The central identity management feature of AD facilitates users’ access to a variety of resources with a single identity, streamlining business processes efficiently.

The significance of Active Directory is pivotal in terms of ensuring business continuity and the continuity of daily operations. Organizations, with the proper functioning of AD, gain the advantage of ensuring business continuity, enhancing efficiency, and managing resources effectively.

Security is a critical aspect of Active Directory. AD incorporates security groups, authorization mechanisms, and other security features to control access to network resources and enforce security policies. Without a proper security configuration, the reliability and functionality of AD can be seriously compromised.

Security measures are crucial for Active Directory to operate effectively and keep an organization’s data secure. These measures include user authorization, monitoring security events, regularly updating systems, configuring group policies accurately, and ensuring physical security. Through these measures, Active Directory not only preserves data integrity but also creates a secure working environment.

Active Directory misconfigurations can pose serious security risks, and it’s important to take proactive measures to defend against potential threats.

What are misconfiguration errors in AD?

Misconfigurations can occur at various levels within the AD infrastructure. Here are some common examples:

Access Control Misconfigurations:

Incorrect Permissions: Setting inappropriate or overly permissive permissions on AD objects can lead to security risks. For example, granting unnecessary administrative privileges to user accounts.
Weak Password Policies: Inadequate password policies can weaken the overall security of the AD environment. This includes settings related to password length, complexity requirements, and expiration.

2. Group Policy Misconfigurations:

Inconsistent Group Policies: Group Policies define the security settings and behaviors for groups of users and computers. Inconsistencies or conflicts in Group Policy settings can lead to unpredictable behavior and security vulnerabilities.

3. DNS Misconfigurations:

Incorrect DNS Settings: Active Directory heavily relies on DNS for name resolution. If DNS is misconfigured, it can lead to authentication failures, replication issues, and difficulties in locating AD resources.

4. Replication Issues:

Replication Failures: Active Directory relies on replication between domain controllers to ensure that changes are propagated throughout the environment. Misconfigurations that interfere with replication can result in inconsistencies between domain controllers.

5. Time Synchronization Problems:

Clock Skew: Active Directory requires that the clocks of all domain-joined machines are synchronized. If there are time synchronization issues, it can lead to authentication failures and other problems.

6. Security Policy Misconfigurations:

Audit Policy Issues: Misconfigurations in audit policies can result in inadequate monitoring of security events, making it difficult to detect and respond to security incidents.

7. Service Account Misconfigurations:

Insecure Service Account Configurations: Service accounts with weak passwords or unnecessary privileges can be a security risk. It’s important to ensure that service accounts have the minimum required permissions for their intended tasks.

8.Kerberos Configuration Issues:

SPN (Service Principal Name) Misconfigurations: Misconfigurations related to SPNs can lead to authentication failures and affect services relying on Kerberos authentication.

IAM Misconfigurations

Firstly IAM (Identity and Access Management) misconfigurations refer to configuration errors related to IAM, the identity and access management service in the AWS (Amazon Web Services) environment. AWS IAM is a service that allows the creation and management of users, roles, and other identities. Misconfigurations can jeopardize the security of these identity and access settings, leading to various security issues. Here are examples of IAM misconfigurations:

Weak password requirements
No (or insufficient) account lockout settings
Password requirements

Changes required too frequently or too infrequently
O NIST recommends no regular password change requirements
Not requiring a password

Excessive privileges

Service accounts
Admin accounts

Details:

Permission Errors:

Permissions granted to users or roles being unnecessarily broad or overly specific.
Permissions not aligning with the principle of least privilege, meaning users or roles not having the minimum necessary permissions.

2. Authentication Policy Errors:

Multi-Factor Authentication (MFA) or other security settings being missing or improperly configured.
Authentication policies having weak password requirements or insecure settings.

3. User Account Management Errors:

Failure to disable old or unused user accounts.
Insecure management of sensitive information like encryption keys or access keys.

4. Role Policy Errors:

Role policies being missing or incorrect, leading roles to have unnecessary or insufficient permissions.
Role assignment errors, assigning roles to the wrong users or groups.

5. Access Key Errors:

Insecure storage or sharing of access keys, such as storing them openly in plaintext.
Keys being used for unnecessarily long periods without renewal.

6. CloudTrail and Other Logging Errors:

Logging services being missing or incorrectly configured, making it difficult to monitor events and detect issues.
Failure to store logging data for an adequate period or regularly review it.

7. Unauthorized Access Errors:

Malicious users or malware gaining access through poorly configured IAM identities.

Group Policy

GPO (Group Policy Object), is a feature used by Microsoft’s Windows-based operating systems for network management and the enforcement of security policies. Group Policy allows for the centralized management of user and computer configurations across a network. It is utilized to determine the behavior and characteristics of one or more computers on a network.

The usage of Group Policy is commonly found in Active Directory environments.

Minimal required permissions for GPOS

Users should not be able to modify or create
Minimize administrative permissions

Passwords stored in Group Policy Preferences (GPP)

May be recoverable through XML files

Group Policy settings written to SYSVOL share

When you configure Group Policy in a Windows Server environment, the settings are stored in a special shared folder called SYSVOL (System Volume). SYSVOL is a shared directory that contains public files such as policies and logon scripts that are needed to implement Group Policy objects (GPOs) and logon scripts.

The Group Policy settings themselves are stored in two main folders within the SYSVOL share:

Policies Folder: The Policies folder within SYSVOL contains the Group Policy Object (GPO) settings. Each GPO is assigned a unique Globally Unique Identifier (GUID), and within the Policies folder, you’ll find subfolders named with these GUIDs. These subfolders contain the actual policy settings in files such as Registry.pol and Machine.pol (for computer settings) or Registry.pol and User.pol (for user settings).

\\domain.com\SYSVOL\domain.com\Policies\{GPO_GUID}\Machine\Registry.pol
\\domain.com\SYSVOL\domain.com\Policies\{GPO_GUID}\User\Registry.pol

2. Scripts Folder: The Scripts folder within SYSVOL is used for storing logon scripts. Logon scripts can be assigned to users in GPOs, and these scripts are stored in the Scripts folder.

By storing Group Policy settings in SYSVOL, these settings are made available to all domain controllers in the domain, ensuring consistency across the network. The SYSVOL share is automatically replicated among all domain controllers in an Active Directory domain to maintain a consistent and up-to-date set of policies. This replication is part of the File Replication Service (FRS) or Distributed File System Replication (DFSR), depending on the Active Directory functional level.

Attackers can potentially access XML files to extract credentials

NTLM

NTLM (NT LAN Manager) is an authentication protocol used in Microsoft Windows operating systems. NTLM is a mechanism for authentication, particularly used in older Windows versions and legacy applications. However, due to its security vulnerabilities and the existence of more modern alternatives, it is considered an outdated protocol and is not commonly preferred today.

Susceptible to pass-the-hash attacks
Replaced by Kerberos (Windows 2000)
Challenge-response

Negotiation from client
Challenge from server
Authentication from client

Relies on password hashing

Kerberos uses encryption

Stored passwords not salted

Results in being able to use only the password hash for authentication

Domain Controller Connectivity

Domain Controller Connectivity refers to the ability of a computer or server to establish a connection with a domain controller. A domain controller is a server that provides the Active Directory (AD) service and manages authentication and authorization functions within a domain. Therefore, ensuring that a computer can communicate effectively with a domain controller is crucial.

Maintaining and establishing domain controller connectivity plays a critical role in many network and authentication processes.

NEVER allow RDP from internet
Allowing non-essential accounts to RDP to server

Potentially provides access for attackers to access NTDS.DIT f
Several other potential compromises

Only allow RDP for remote access

Only from administrative “jump boxes”

Internet access for DCs

Rarely required for DCs to directly access internet
Updates — internal centralized Windows Update server
Block at network firewall level, not local firewall

All outbound connectivity from DCs

Operating Systems and Patching

Always use up to date versions of Windows Server

Ideally use Server Core if possible

Anti-virus/EDR solution

Up to date and actively monitored

Timely patching of all DCs

Test updates in test environment first

Do not run any additional software on DCs

Should only be used for single purpose
Disable built-in Windows features/applications that are not needed

Highest Privilege Groups

Highest Privilege Groups refers to groups in a computer system that possess the highest level of privileges, typically having specialized privileges at the security, management, or system level. These groups grant extensive access and control over system resources and often include users capable of performing critical tasks.

Enterprise Admins

Can perform forest-wide changes, including adding/removing dom
Very rarely needed

Domain Admins

Similar to Enterprise Admin, but specific to domain

Schema Admins

Permissions to modify AD schema

Administrators

Admin permissions in domain, but not servers or workstations

Delegation should be used in all instances

Addiction ;

LLMNR-Local-link multicast name resolution

LLMNR (Link-Local Multicast Name Resolution) is a protocol used for name resolution in computer networks. This protocol comes into play, especially when the Domain Name System (DNS) infrastructure is not available. LLMNR utilizes multicast communication, particularly among devices on the same local network, to resolve names.

Disable if using DNS infrastructure
Allowing all users to join computers to domain

When an organization or network relies on DNS for name resolution, LLMNR may not be necessary and, in fact, could be disabled to avoid redundancy and potential security concerns. Disabling LLMNR in environments with a functional DNS infrastructure ensures that name resolution is handled through the more established and comprehensive DNS system, promoting consistency and security.

Users should not be local admins on workstations
Storing passwords using reversible encryption
Use LAPS to manage local admin accounts

LAPS is a Microsoft solution designed to address security concerns related to local administrator account passwords. It automatically generates, manages, and stores unique passwords for local administrator accounts on individual computers. This helps mitigate the risk associated with shared or unchanged passwords across multiple machines.

Now included in Windows by default
Ensure built-in “Administrator” account remains disabled
Synchronization and replication permissions

Reference: