Date posted: 16-Nov-2014
Category: Technology
Uploaded by: jason-lang
Active Directory: Real Defense for Domain Admins
Jason Lang
Disclaimer
Goals
• Provide immediately useful content re: the defense of your Domain Admins (DAs) and Domain Controllers (DCs)
• Give you projects you can implement in one month or less.
About
• Consultant at SynerComm
• Passions: Dev (C#/PS/PY), InfoSec, Woodworking
• Twitter: @curi0usJack
• Blog: http://project500.squarespace.com/
Survey
• How many of you work in a large enterprise?
• How many work in an old enterprise (25+ yrs old)?
• How many in some kind of AD security?
• How many had a pentest some time in the last 12 months?
Did it go something like this?
Uh-oh
#1 - Test your new DAs
#2 - Limit the number of DAs
#3 - Separate DA accounts from “everyday” accounts
#4 - Separate DA password policy
No Excuses!
#5 - Set DA logon restrictions: DCs only!
#6 - Disable Cached Creds
#7 - Be careful with DA service accounts
#7 - Service Accounts
• Delegate Delegate Delegate!
• If you must have DA service accounts:
  • Treat the task server like a DC
  • The service account can only log on to that server
  • Shut off cached creds
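The following PowerShell is an added example, not code from the talk or from the DomainLockDown project, that puts recommendations #2, #5, #6 and #7 into one audit: it enumerates the Domain Admins group recursively, flags DA accounts whose LogonWorkstations attribute is empty (they can log on anywhere) or lists non-DC hosts, offers a function that pins an account to the DCs or to a single task server, and reads the cached-logons setting from a host. It assumes the ActiveDirectory RSAT module, rights to read and write user objects, and WinRM access to the target server; the server name TASKSRV01 is a hypothetical placeholder.

```powershell
# Added example (not from the talk or DomainLockDown): audit Domain Admin logon
# restrictions and cached credentials. Assumes RSAT ActiveDirectory and WinRM.
Import-Module ActiveDirectory

# NetBIOS names of the domain controllers: the only hosts a DA should log on to.
$dcNames = @((Get-ADDomainController -Filter *).Name | Sort-Object -Unique)

function Get-DomainAdminLogonAudit {
    # Rec. #2: -Recursive so members of nested groups are counted as DAs too.
    $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties LogonWorkstations, LastLogonDate, PasswordLastSet

        # LogonWorkstations is a comma-separated string; empty means "log on anywhere".
        $allowed = @()
        if ($u.LogonWorkstations) {
            $allowed = @($u.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() })
        }
        # Rec. #5: anything that is not a DC is a finding.
        $nonDc = @($allowed | Where-Object { $dcNames -notcontains $_ })

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Unrestricted    = ($allowed.Count -eq 0)
            NonDcHosts      = ($nonDc -join ',')
            Compliant       = ($allowed.Count -gt 0 -and $nonDc.Count -eq 0)
            PasswordLastSet = $u.PasswordLastSet   # rec. #4: spot stale DA passwords
            LastLogonDate   = $u.LastLogonDate     # rec. #2: spot DAs nobody uses
        }
    }
}

function Set-DaLogonWorkstations {
    # Pins an account to a host list. Default is the DCs (rec. #5); pass -Hosts with a
    # single task server for a DA service account (rec. #7). Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Hosts = $dcNames
    )
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Restrict logon to $($Hosts -join ',')")) {
        Set-ADUser -Identity $SamAccountName -LogonWorkstations ($Hosts -join ',')
    }
}

function Get-CachedLogonsCount {
    # Rec. #6: number of domain logons Windows caches locally; 0 disables caching.
    # Normally set by GPO "Interactive logon: Number of previous logons to cache".
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $v = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
        # Missing value means the OS default (10) applies, so report it explicitly.
        if ($null -eq $v) { 'not set (OS default 10)' } else { [int]$v }
    }
}

# Usage: show non-compliant DAs, preview a fix, then check a task server's cache setting.
$audit = Get-DomainAdminLogonAudit
$audit | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
foreach ($a in ($audit | Where-Object Unrestricted)) {
    Set-DaLogonWorkstations -SamAccountName $a.SamAccountName -WhatIf
}
Get-CachedLogonsCount -ComputerName 'TASKSRV01'   # hypothetical task-server name
```

Run the audit first and review the output before removing -WhatIf; a DA account pinned to the DCs can no longer log on to an admin workstation, which is the intent but will surprise anyone still using one account for everything (rec. #3).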
#8 - Microsoft Security Compliance Manager
#9 - A quick word about null sessions
https://project500.squarespace.com/journal/2014/3/13/powershell-enumerating-null-sessions-on-your-dcs
#10 - Get offensive security training!
Fail
Win
DomainLockDown: https://github.com/curi0usJack/activedirectory
Questions?
Huge Thank You's: @DerbyCon
@TrustedSec