Active Directory: Real Defense for Domain

AdminsJason Lang

Disclaimer

Goals

• Provide immediately useful content re: the defense of your Domain Admins (DAs) and Domain Controllers (DCs)

• Give you projects you can implement in one month or less.

About

• Consultant at SynerComm

• Passions: Dev (C#/PS/PY), InfoSec, Woodworking

• Twitter: @curi0usJack

• Blog: http://project500.squarespace.com/

Survey

• How many of you work in a large enterprise?

• How many work in an old enterprise (25+ yrs old)?

• How many in some kind of AD security?

• How many had a pentest some time in the last 12 months?

Did it go something like this?

Uh-oh

#1 - Test your new DAs

#2 - Limit the number of DAs

#3 - Separate DA accounts from

“everyday” accounts

#4 - Separate DA password policy

No Excuses!

#5 - Set DA logon restrictions

DCs only!

#6 - Disable Cached Creds

#7 - Be careful with DA service accounts

#7 - Service Accounts

• Delegate Delegate Delegate!

• If you must have DA service accounts:

• Treat task server like a DC

• Service Account can only login to that server

• Shut off cached creds

#8 - Microsoft Security Compliance Manager

#9 - A quick word about null sessions

https://project500.squarespace.com/journal/2014/3/13/powershell-enumerating-null-sessions-on-your-dcs

#10 - Get offensive security training!

Fail

Win

DomainLockDown: https://github.com/curi0usJack/activedirectory

Questions?

Huge Thank You’s:@DerbyCon

@TrustedSec