Active Directory – Security Hardening, Auditing and Detection Rules

This post is inspired by a recent thread on my Twitter where I brought up and discussed the importance of Active Directory security. The purpose of this article is to share all the useful resources I have found myself, or through this thread, and to summarise them in one easy-to-digest place. All contributors to the thread will be given credit throughout the article.
A quick summary of Active Directory to get us started. Active Directory is a Microsoft product which runs several services on a Windows server to manage user permissions and access to networked resources. It stores data as objects – which can be users, groups, applications or devices. These are further defined as either resources – such as printers or computers, or security principals – such as users or groups. For a continued description of Active Directory, click here.
From the above, you will understand just how important it is to secure your Active Directory properly. This can be done in a number of steps including hardening, auditing and detection rules.
HARDENING AND BEST PRACTICES
The first step you should take is hardening your Active Directory against known attacks and following best practices. There are a lot of great articles out there to follow, starting with the official guide from Microsoft, which you can read here. This contains important topics such as reducing the attack surface, audit policy recommendations and implementing least privilege administrative models.
Next up, a great article from activedirectorypro which details 25 best practices to follow to secure your Active Directory. This contains tips on securing domain admins, local administrators, audit policies, monitoring AD for compromise, password policies, vulnerability scanning and much more.
Finally, in terms of long-read best-practice articles, there is “The Ultimate Guide to Active Directory Best Practices” from DNSstuff. Like the previous two articles, this covers all important steps to secure your Active Directory.
There were some very useful and important comments made in the thread, so let's dig into them.

Natti makes a good point here. Domain trusts are an important part of Active Directory security which must not be ignored. Here are some useful articles to understand domain trusts and ensure proper security processes are followed.
Top Ten Issues with Active Directory Trusts and Corporate Mergers
Fundamentals of Active Directory Trust Relationships

Sven also mentions the importance of securely setting up domain trusts. Along with this, he mentions upgrading DCs to at least 2016. See this article which details the process of upgrading your DCs to 2016 along with understanding functional levels. Also see the second comment which details further tips to securely use and set up your domain controllers.

John makes a great point here. Even though Active Directory is the main focus here, ensure you do not forget about any *nix systems connected to your Active Directory. Depending on the connected systems, ensure they are also configured securely using best practices.

Nathan makes great points here. The main one I would like to concentrate on is securing privileged access. Incorrectly set up access is one of the main causes of issues and the article provided by Nathan is great for resolving these. Check out the article on securing privileged access here. He also mentions using PingCastle and BloodHound, which leads me well into the next section around auditing your environment.
AUDITING

Once you believe you have followed the best practices and hardening, the next step is auditing your environment to see where your Active Directory is still vulnerable.
As per the below tweet from @ZephrFish, you should use tools such as BloodHound and PingCastle to audit your estate.

Let's start with BloodHound. This article from ZephrFish explains well what BloodHound is, what it is used for, and how to use it.
Also mentioned is PingCastle. This is a similar tool which can also be used to audit Active Directory environments. Read more about PingCastle here and learn how to use the tool here.
These tools will allow you to find the existing issues in your environment. Take these issues and go back to the start of this post and see the best practices guide to resolve them. Once you are happy that your Active Directory is set up securely, the next step is monitoring rules to detect when malicious actors are attempting to attack your environment.
DETECTION RULES
Once your Active Directory environment has been set up securely and audited, the next step is setting up monitoring rules using a SIEM. To learn more about SIEM, check out my “Learn SIEM for free” article.
First up, I personally wrote about “18 WAYS TO DETECT MALICIOUS ACTIONS IN YOUR ACTIVE DIRECTORY LOGS USING SIEM” a while back. This contains a large number of rules using just the Windows Security Event Log in combination with a SIEM.
As always, there are a large number of rules in the Sigma repository which we can use to monitor Active Directory. The rules can be found in this directory. Please check the log source > definition under each rule, which details the audit / log requirements for each rule.
There were also a couple of useful comments regarding detection rules.
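To make the log source > definition check repeatable across many rules, the following added example (not code from this article or from the Sigma project) builds a checklist of logging prerequisites per rule and flags rules that state none. The two rules are constructed samples, and the small reader only handles flat `key: value` entries under `logsource:`, which is an assumption about how the rules are written.

```python
import re

# Constructed rules in Sigma's YAML layout (not taken from the Sigma repository).
SAMPLE_RULES = {
    "group_change.yml": (
        "title: Constructed - member added to security group\n"
        "logsource:\n"
        "    product: windows\n"
        "    service: security\n"
        "    definition: 'Requirements: Audit Policy : Account Management > Audit Security Group Management'\n"
        "detection:\n"
        "    selection:\n"
        "        EventID: 4728\n"
        "    condition: selection\n"
    ),
    "proc_create.yml": (
        "title: Constructed - process creation rule\n"
        "logsource:\n"
        "    product: windows\n"
        "    category: process_creation\n"
        "detection:\n"
        "    selection:\n"
        "        CommandLine|contains: 'example'\n"
        "    condition: selection\n"
    ),
}

def read_logsource(rule_text):
    """Return the flat scalar keys of a rule's top-level `logsource:` block."""
    fields, inside = {}, False
    for line in filter(str.strip, rule_text.splitlines()):  # skip blank lines
        if not line[0].isspace():  # an unindented line starts a new top-level key
            inside = line.rstrip() == "logsource:"
            continue
        match = re.match(r"\s+([\w-]+):\s*(.*)$", line)
        if inside and match:
            fields[match.group(1)] = match.group(2).strip().strip("'\"")
    return fields

def audit_checklist(rules):
    """Map each rule file to (log channel, stated prerequisite or a manual-check flag)."""
    checklist = {}
    for name, text in sorted(rules.items()):
        src = read_logsource(text)
        channel = src.get("service") or src.get("category") or "unknown"
        checklist[name] = (channel, src.get("definition", "NO DEFINITION - verify source manually"))
    return checklist

if __name__ == "__main__":
    print(*audit_checklist(SAMPLE_RULES).items(), sep="\n")
```

Rules flagged with no definition still depend on a log source being collected (for example process creation events), so confirm that source reaches the SIEM before relying on the rule.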

Larry’s first point here is one of the sites which I use most on a daily basis. UltimateWindowsSecurity have a fantastic list of Windows Security Events. They have lots of useful information around WSEL and examples which help you understand them better. Larry is also working on a list of rules which you can check out here.

Another useful comment from Sven, this time in relation to the usage of Sysmon. Sysmon allows for much more detailed monitoring of events and should always be deployed on domain controllers. See the guide from Microsoft here which explains what Sysmon is, what it can be used for and how to set it up. Once set up, Sysmon logs can be sent to a central SIEM for more accurate monitoring of events. The Sigma repository above has some rules which require Sysmon. For a more in-depth look into Sysmon, check out this guide from Varonis.
WHAT NEXT

At this point you will now have your Active Directory set up securely, audited and well monitored. I hope you have found this article useful and learned something from it. I’d like to thank everyone again who replied to the thread with useful resources, points and articles of their own.
If you have any other Active Directory security tips, tricks or anything else which you think would improve this article, contact me at https://twitter.com/blueteamblog with the details. I want to keep updating this article with useful resources which everyone can benefit from as we continue to protect our Active Directories against adversaries.