Planning and designing access model for Active Directory is crucial for any Windows-based environment. Nowadays, Many attacks are successful because of the poor planning of how privileged accesses are been used in the company. Specially, when we talk about credential thefts attacks like Pass-the-Hash (PtH) and Pass-the-Ticket (PtT). Unfortunately, companies are focusing in implementing irrelevant or less-important security controls, but forget to implement some critical principles that protect attacker-attractive accounts of the company.
In this post, I will highlight some principals that should not be overlooked in the company before implementing any security controls related to access management. After the principles, will see some best practices built upon those principles. But before that, let’s define some terms:
- Attacker-Attractive Accounts are accounts that attackers are trying to have control over because of of their privileges (like: Domain Admins, Enterprise Admins, Server Admin, IT Help Desk) or their access to critical information (like: Executive Directors (VIP), HR Personnel, Intellectual Property Personnel….etc).
- Deep Privileged Accounts are those accounts that have privileged/administrative access to specific system(s). Example is an IIS Admin that has administrative access on IIS server.
- Board Privileged Accounts are those accounts that have specific privilege to carry specific activity across large number of systems. Example is an IT support engineer that has reset password privilege for all endpoints.
- Build and Emergency Accounts are accounts used to build-up the system and no longer needed after the system is ready only in case of emergency. Example is ‘Administrator’ account which was used to install the system and now it is disabled but only in safe-mode it is enabled.
Active Directory Security Principles
I have listed the following principles based on risk-driven principles and best practice defined by Microsoft:
- Try to eliminate the direct access to the accounts that have both board and deep privilege as this will reduce the attack surface and the impact of credential theft attacks. With this principle, will try to segregate the roles, implement workflow process and define administration tiers.
- Eliminate the use of privileged accounts in non-secure or high-risk environment. This principle mandates the use of secure administrative workstations where are different than normal everyday use workstations. This means, admin will have two workstations, one for administration tasks and another for email, Internet and other use.
- [Strictly] Eliminate the use of privileged accounts for non-administrative tasks. In other words, create two accounts for each administrator, one standard account for normal use and another privileged accounts for administrative tasks only.
- Multi-factor authentication for critical privileges like DC Built-in Administrator.
- Clean Source Principle which requires all security dependencies to be as trustworthy as the object (privileged credentials) being secured. So, all subjects (processes, systems…etc) that are mandatory to access privileged credentials must be as critical and secure as those credentials.
- Emergency accounts should be disabled always and only enabled for recovery.
- Auditing and monitoring for high-impact Administrators with keeping the clean source principle in mind.
Now, let’s show some best practices which have previous principles built-in.
1. AD Administrative Tier Model
Microsoft defines the tier model to create buffer zones among AD Administration, Server Administration and Workstation Administration.
Most of the time, the attacks come from the workstations in Tier 2. Thus, administrator accounts in Tier 2 must isolated and secured to minimize the impact. In Tier 1, we have the administrators for enterprise servers and applications. Lastly, Tier 0 contains the AD admins.
Administration within the same tier is allowed, but blocked from lower to upper tier. However, administration is allowed, after workflow process (e.g. PAM), from upper to lower tier.
2. Red Forest or Enhanced Security Administrative Environment (ESAE)
ESAE is an initiative (and professional service) from Microsoft with the core idea is to keep AD administration accounts in separate forest (Admin/Red Forest) with enabling Just-In-Time, Just-Enough-Administration and PIM-trust between the red and production forests.
3. Privileged Access Workstations (PAW)
PAW or Secure Admin Workstation (SAW) is a secure workstation used for administration only. Microsoft defines many technical controls to secure PAW and here I list some:
- Always up-to-date with no delay of deploying security patches
- Only for administration
- No local built-in admins or powerful users
- Logon Restriction
- No inbound connections
- No Internet access
- No Firewall Override
- Prevent Proxy Change
- Enable RestrictedAdmin mode
- Enable EMET
- Enable Credential Guard
- Multi-factor authentication: Smart Card/Virtual Smart Card
- Secure Boot
- Use Protected Users, Authentication Policies, and Authentication Silos
- AppLocker or Device Guard