Hi folks, I'm Eric Woodruff and this session is "An Ounce of Prevention Is Worth a Pound of Detection," which may seem like a mouthful, so we'll just call this session Proactively Securing Active Directory. As mentioned, my name is Eric Woodruff. I'm currently a product technical specialist at the company Semperis, and also a Microsoft Security MVP and an IDPro Certified Identity Professional. You can see my social media handles there on the screen. It's pretty easy to figure out: EricOnIdentity.com for my blog, and @EricOnIdentity on X and LinkedIn and all those other good things. So now as we go through this session, if you have any questions about what we're talking about, feel free to drop them in the chat here, because this is pre-recorded. Afterwards, if you want to connect or you have questions, feel free to reach out to me, because I love helping the community. So for our session here today, the agenda: we're going to have a little bit of background, and we're going to dive into infrastructure security, and then we're going to pivot to account security. We're going to talk about attack path management, the tier zero perimeter, and then we'll kind of wrap things up. It may seem like a lot, but I promise we'll move through it pretty quickly here. So before we jump into things, I just wanted to mention that I love hiking. I love going to Acadia National Park. It's in Maine in the United States, which is where I'm from. Beautiful place. If you've never been, I highly suggest making it out there sometime. In Acadia National Park, there is the Precipice Trail, and you may not be able to tell it from the screen here, but if you look at this, this is basically a sheer cliff. And so if you were to sort of fall off that, you'd not be having a good day. And so at the foot of the trail, we have this warning sign here that's telling us different things to make sure that we're safe on our hike.
So we have this here: dogs are prohibited, stay on the marked trail, don't climb in dark or wet conditions, use an alternate route down, wear sturdy hiking shoes, don't throw rocks. And so basically if you're an experienced hiker, these are all things that may just come naturally to you. But if you're not as familiar with hiking, you could really look at this, in a sense, as effectively defense in depth. So when we look at this list here, again, we have all these things that we do to make sure we make it to the top of the mountain safe, but if we say maybe don't wear our sturdy hiking shoes, as long as it's not dark so we can see our footing, or it's not raining or snowing out or something like that, it's likely that we'll still make it up to the top okay. And so many times when we talk about defense in depth from an IT perspective, a security perspective, another analogy we use is onions. You have all these layers of an onion that are sort of protecting the thing in the middle. Now when you see a lot of classic defense in depth models, they go through things like physical security, perimeter, identity, and at the core usually is data. But the actual defense in depth concept of having mitigating controls, so that if one fails or is compromised, other things will protect the thing at the center here, you can apply that to anything. And in this instance, we're applying it to Active Directory. And so when we talk about these different layers, it's our tier zero perimeter, the infrastructure, user security, and attack path management, and these effectively can all be the different layers to protect our Active Directory. Let's look at these different layers here. So there's another concept I just wanted to mention here, which is ITDR, which is identity threat detection and response.
And this is important when we talk about securing Active Directory, because whether you're in the camp where ITDR isn't a new thing and it's just marketing, or whether you truly believe in ITDR, securing AD and the technology behind ITDR has been around for a long time, but we continue to improve these things. And if we talk about the Gartner model for ITDR, they basically sum it up as prevention, detection, and response. And again, that detection part in the middle is a thing that there's a lot of focus on these days, especially with AI and machine learning and all this good new technology to detect attacks. But what if we can just really prevent them from even happening in the first place? And that's why we're really focusing here on the prevention, looking at the security posture of Active Directory and potentially tightening down the security of AD so that we need to focus less on the detection and hopefully not on the response bit of things. So let's dive into securing Active Directory and talk about what we mean here with infrastructure. So by infrastructure, I'm talking about things like securing the Windows operating system that composes our domain controllers, and also the outside shell that is Active Directory that's holding all the objects within it. So how Active Directory interacts on the network, and how other people or computers or things, applications, interact with Active Directory. And so an example here from a proactive hardening perspective, if we talk about something like PrintNightmare. This is a remote code execution vulnerability from 2021. So it's a few years old, and hopefully most people have patched against PrintNightmare. But what happened is an RCE came out. This was patched in June 2021. But then a new proof of concept came out that bypassed the patch, and Microsoft released a subsequent out-of-band patch in July to fix this. But this wasn't the first vulnerability for Print Spooler.
And so you look at this and you say, well, if we just weren't running Print Spooler on our domain controllers, then we wouldn't have been vulnerable to PrintNightmare. And so when we talk about securing AD, one of the measures is really stopping services that we don't necessarily need to run on our domain controllers. Now some folks may say that there are always edge cases where maybe for certain network printing functions, they use a Print Spooler feature on DCs. But it's always a risk that organizations have to assess and weigh. There's some other way we can provide printing within the office or the organization where we're not putting Active Directory at high risk here. But PrintNightmare feels rather straightforward. So let's talk about something like Kerberoasting. So working in identity security, a lot of people want to know how to detect Kerberoasting. And if we look at this from a very high level, there are essentially four steps here. We want to enumerate user accounts that have a service principal name on them. We want to request a ticket for the target. And so the interesting thing here with the way Active Directory functions is that if a user account has a service principal name attribute populated on it, and we request a Kerberos ticket for that object, we'll actually receive the ticket encrypted with the hashed password for that account. And so we can take that hash and we can crack it offline. And then once we know the clear text password for whatever that target account is, we can then go use it on the network. And again, when you talk about Kerberoasting, there's a lot of focus on detecting Kerberoasting. Well, what if we could just harden Active Directory so that it's very difficult to Kerberoast the user to begin with?
So if we look at requesting the ticket for the target and then cracking the hash offline, one of the things here is that many times an out-of-the-box Active Directory install may be using RC4, which is a known weak cipher. But what if we can harden AD so that we're using stronger ciphers that are more difficult to crack? And how we can go about applying this is using security group policy objects, GPOs. And there are many different providers out there that will provide a similar outcome. So again, it's up to organizations to sort of assess which ones work best in their environment. But the three most well known out there are the Microsoft Security Compliance Toolkit or SCT, the Center for Internet Security Benchmark or CIS Benchmark, and the Department of Defense STIG. So organizations can sort of choose any of these. The Security Compliance Toolkit in particular is absolutely free from Microsoft, and I'm assuming that as Server 2025 goes GA, there'll be an SCT policy release for that. CIS has it available for free as a PDF, and also if you're a customer of CIS, you can easily obtain the group policy objects to import into Active Directory. We also want to assess the security of Active Directory, and we can do these things in either order. We can either attempt to secure it and then assess the work that we've done, or we can assess Active Directory security and then tighten things down based on those assessments. And again, there are a lot of options here for organizations. And I think in particular, when you talk to people, there's a lot of anxiety and fear, uncertainty, and doubt, FUD, around Active Directory security assessments. But they don't need to be as difficult as they might seem to kick these things off and actually work through them.
And there are a lot of different tools out there again. For Microsoft Unified Support customers, there are on-demand assessments, previously known as AD RAPs, the more familiar term people use for them. Defender XDR is going to have your Microsoft Secure Score, and if you have Defender for Identity deployed, that's going to roll up information about Active Directory things that you can use to improve your AD security posture. But if you're a customer of a third-party XDR or a third-party ITDR, many of those these days also offer Active Directory security assessment components within them. And there are also consulting companies that can assess the security of Active Directory. But for some organizations, again, it can feel like a lot to go spend some money on these things. So if you really want to kind of know where you stand, there are also some free tools out there, like PingCastle and Purple Knight and HardeningKitty, that you can use to assess, to kind of have that initial litmus test of how secure Active Directory is. And that's what we're going to look at, how easy these things can be to actually run. So first up, just want to mention, when we talk about the weak cipher bit of things here, we're going to go through and actually look here and see that we applied to our Active Directory the SCT Windows Server 2022 Domain Controller Policy to our DCs. And within here, we've actually tightened down the encryption types allowed for Kerberos to AES-128, AES-256, and future encryption types. And this also, I believe, is a CIS recommendation for hardening Active Directory. And so now, when we've applied these, if we go try to Kerberoast a user now, we can still extract a hash for this user account that we have here.
And so actually, if we scroll up a little bit, the service account here, this is a user that's being used as a service account, but it's a user object in Active Directory, so it's a target for Kerberoasting. And we can see that we have the hash for the user here. But if we actually were to go look at the hash, we can see that this is actually encrypted with AES-256. And so we can actually just run klist and sort of find it in our list here, for, here we go. So we see here, and it's AES-256. So when we think of defense in depth and mitigating controls here, while an attacker could potentially still get the hash for this user account, it's going to be more difficult to crack. Now, again, if you're familiar with these sorts of attacks on Active Directory, you may have reasons that you aren't increasing the security within AD, or there are things out there like downgrade attacks to still get the RC4 cipher. And this kind of moves us then into another area where we can sort of mitigate Kerberoasting. So let's talk about account security here. But again, if we talk about that cracking the hash offline, well, a very simple mechanism that we also have in Active Directory is making sure that that password is very long. Trying to determine a very long password is a much more difficult thing. And so actually we'll come back here and break out of this. And so if we go and look in our Active Directory Administrative Center, just because, lazy, it's easy to come use ADAC even though no one really likes to compare it to ADUC, and make sure that we have a password policy set here that's assigned to service accounts. Now, again, you may say, well, you can't apply fine-grained password policies to OUs.
And even if you use shadow groups on an OU, on initial account creation you're not necessarily going to be able to set a 32-character length password on the account. So organizations have to have some processes in place to sort of strengthen how we're deploying service accounts if we need user-based service accounts in the org. But so once it's deployed here, at least we're protected in that if we change a password, it's going to be enforced to have this stronger password here with a 32-character length, things like that. And I actually wanted to just jump here, and one other thing to show, when we're talking about, again, assessing the security of Active Directory, is that the tools that are free do not need to take a long time to run. Obviously, in a more complex environment, it's going to take longer. But so we're going to start PingCastle here and Purple Knight. And I don't have HardeningKitty in this lab environment, so we can't really look at that one. While Purple Knight's loading up, let's just run PingCastle here. And we're going to let this run for a second. And we'll start this one up. Select our Active Directory forest and just run this thing. And we're going to let that go for a minute. And while that's going, actually, we can see here that the PingCastle assessment is already finished. And if we move to PingCastle, we can see the security of Active Directory based on the findings within PingCastle. So within PingCastle, a lower score is better. And you can actually go through this report and see the areas where we can improve the security posture of Active Directory. And a lot of these reports, just like paid products, usually group things based on different things. And we'll have information in here on how you can sort of work to resolve findings within this. And this is still running here. Should be finished in a second. Well, that is still running.
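As an added example, not from the session: one way to set up the 32-character fine-grained password policy for user-based service accounts described above, using a shadow group mirrored from the OU, plus a check for the point that the policy is only enforced on the next password change. The OU path, group name and policy name are assumptions.

```powershell
# Added example (not from the session): a fine-grained password policy (PSO) that forces a
# 32-character minimum on user-based service accounts. PSOs bind to users and global groups,
# not OUs, so a shadow group mirrors the Service Accounts OU and is re-synced on a schedule.
# The OU path, group name and policy name are assumptions for this example.
Import-Module ActiveDirectory

$ServiceOU   = 'OU=Service Accounts,DC=corp,DC=example'
$ShadowGroup = 'PSO-ServiceAccounts'
$PolicyName  = 'PSO-ServiceAccounts-32char'

function Initialize-ServiceAccountPso {
    if (-not (Get-ADGroup -Filter "Name -eq '$ShadowGroup'")) {
        New-ADGroup -Name $ShadowGroup -GroupScope Global -GroupCategory Security `
            -Path $ServiceOU -Description 'Shadow group: members receive the 32-char service account PSO'
    }
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
        # Lower Precedence wins when a user is covered by several PSOs.
        New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
            -MinPasswordLength 32 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
            -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
            -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
            -ProtectedFromAccidentalDeletion $true
        Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $ShadowGroup
    }
}

function Sync-ShadowGroup {
    # AD has no native OU-to-group link, so membership is reconciled here (schedule this).
    $inOu    = @(Get-ADUser -SearchBase $ServiceOU -SearchScope OneLevel -Filter * |
                 Select-Object -ExpandProperty DistinguishedName)
    $inGroup = @(Get-ADGroupMember -Identity $ShadowGroup |
                 Select-Object -ExpandProperty DistinguishedName)
    $toAdd    = $inOu    | Where-Object { $inGroup -notcontains $_ }
    $toRemove = $inGroup | Where-Object { $inOu    -notcontains $_ }
    if ($toAdd)    { Add-ADGroupMember    -Identity $ShadowGroup -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $ShadowGroup -Members $toRemove -Confirm:$false }
}

function Get-ServiceAccountPolicyReport {
    # The PSO is enforced only on the next password change; an account whose password was set
    # before the PSO existed (the point made in the session) still carries the old, shorter one.
    $psoCreated = (Get-ADFineGrainedPasswordPolicy -Identity $PolicyName -Properties whenCreated).whenCreated
    $domainMin  = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength

    Get-ADUser -SearchBase $ServiceOU -SearchScope OneLevel -Filter * -Properties pwdLastSet |
        ForEach-Object {
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_
            [pscustomobject]@{
                Account            = $_.SamAccountName
                EffectivePolicy    = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
                MinLength          = if ($pso) { $pso.MinPasswordLength } else { $domainMin }
                PwdSetBeforePolicy = [DateTime]::FromFileTime($_.pwdLastSet) -lt $psoCreated
            }
        }
}

Initialize-ServiceAccountPso
Sync-ShadowGroup
Get-ServiceAccountPolicyReport | Format-Table -AutoSize
```

Accounts reported with PwdSetBeforePolicy = True need a password rotation before the 32-character minimum actually protects them.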
Let's actually go back and talk about one other thing here with Windows Server 2025. So, you know, one thing that I'm really looking forward to actually is Delegated Managed Service Accounts, or dMSAs. Because we're talking about user objects, again, that are actually used for a service running in Active Directory. And with dMSAs, these are really designed to allow for the migration of user object-based service accounts to a managed service account. A lot of orgs are not using gMSAs because of limitations within the application to use gMSAs. And Delegated Managed Service Accounts are something that will sort of help bridge that gap. They really lower the barrier for migration of applications to managed service accounts. So, yeah, this is still running here, but we can actually look at, here is our report. Perfect. Right, so again, in this instance with Purple Knight, the higher score is going to be better for you. But similar results, we can see where we have security gaps in Active Directory. And we can go to these things and look at the assessment and see the offending object. And that's all great. But when we talk about securing Active Directory, sometimes it's how we configure Active Directory that really dictates where the attack path may lie. And what do I mean by this? So, if we look at Kerberoasting from a high-level perspective, we just enumerate user accounts with a service principal name. This is a very simple PowerShell command, a pretty simple LDAP query here to look for accounts that have this attribute set. So, you may say, well, from an attack path perspective, Kerberoasting is sort of pretty easy to see the users that are targets that are going to be a risk here. Well, let's talk about another attack that is popular to want to try to detect in Active Directory. Again, if you look at the whole ITDR, XDR landscape, golden ticket attacks are something that people like to know how to detect.
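The SPN enumeration just mentioned, together with the encryption-type hardening and long-password controls from the Kerberoasting discussion earlier, as one added defender-side audit (example code, not from the session). It reads the attributes that decide how crackable a roasted ticket would be rather than requesting any tickets; the one-year password-age threshold is an assumption.

```powershell
# Added example (not from the session): defender-side audit of Kerberoasting exposure.
# Same LDAP shape an attacker enumerates (enabled user objects with an SPN), but instead of
# requesting tickets we read the attributes that decide how hard a roasted ticket is to crack:
# msDS-SupportedEncryptionTypes (RC4 vs AES), password age, and Domain Admins membership.
# Requires the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (documented in MS-KILE).
$EncFlags = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128'      = 0x08
    'AES256'      = 0x10
}
$AesMask  = 0x18
$WeakMask = 0x07

function Get-EncTypeNames {
    param([int]$Value)
    # Unset on a user object: the KDC applies the domain default, which is RC4 unless the DCs
    # have been configured otherwise (the GPO setting shown in the session).
    if ($Value -eq 0) { return 'NOT SET (domain default, typically RC4)' }
    ($EncFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }) -join ','
}

function Get-KerberoastExposure {
    $daSid = (Get-ADDomain).DomainSID.Value + '-512'   # well-known RID of Domain Admins
    $daDNs = Get-ADGroupMember -Identity $daSid -Recursive |
             Select-Object -ExpandProperty DistinguishedName

    $filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'   # exclude disabled accounts
    $props  = 'servicePrincipalName', 'msDS-SupportedEncryptionTypes', 'pwdLastSet'

    Get-ADUser -LDAPFilter $filter -Properties $props | ForEach-Object {
        $raw = $_.'msDS-SupportedEncryptionTypes'
        $enc = if ($null -eq $raw) { 0 } else { [int]$raw }
        $pwdAgeDays = if ($_.pwdLastSet -gt 0) {
            [int]((Get-Date) - [DateTime]::FromFileTime($_.pwdLastSet)).TotalDays
        } else { -1 }   # never set / must change at next logon

        $findings = @()
        if (-not ($enc -band $AesMask)) { $findings += 'no AES etype' }
        if ($enc -band $WeakMask)       { $findings += 'RC4/DES still allowed' }
        if ($pwdAgeDays -gt 365 -or $pwdAgeDays -lt 0) { $findings += 'password older than 1 year or unset' }
        if ($daDNs -contains $_.DistinguishedName)     { $findings += 'member of Domain Admins' }

        [pscustomobject]@{
            Account    = $_.SamAccountName
            SPNs       = @($_.servicePrincipalName).Count
            EncTypes   = Get-EncTypeNames $enc
            PwdAgeDays = $pwdAgeDays
            Findings   = $findings -join '; '
        }
    }
}

# Report, worst first. Remediation for the etype finding is per account, e.g.
#   Set-ADUser -Identity <sam> -KerberosEncryptionType AES128,AES256
# after confirming the application behind the SPN supports AES.
Get-KerberoastExposure | Sort-Object { $_.Findings.Length } -Descending | Format-Table -AutoSize
```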
Again, what if we can just proactively secure Active Directory so that golden ticket attacks effectively are something that cannot happen, or cannot happen very easily? And if we look at a golden ticket attack, we have to compromise Active Directory, obtain the krbtgt password hash, and then create a golden ticket, and then use that golden ticket. And so, if we kind of step back here a second, we look at this first item here, where we have to compromise Active Directory. So, we need to get on a domain controller or get domain admin. So, a golden ticket attack is effectively like a post-breach attack. Someone malicious is already on our network, unless it's an insider threat, which is always a possibility. But when we talk about something like golden tickets, it is something that happens after the network is initially compromised or another user account was compromised. And so, let's sort of look at an attack path for golden ticket here. But before we do that, again, I just want to mention some tools that exist out there that are paid. Several XDR and ITDR vendors, I may sound like a broken record here, but also several Active Directory security assessment companies, all will perform attack path management to various degrees, to sort of help you see what these attack paths look like. And we also have a lot of free tools. The most well known is BloodHound, but also Adalanche, Forest Druid, and other sort of blue derivatives of BloodHound like GoodHound, PlumHound, and BlueHound. So we're going to look at an example attack path to compromise Active Directory, but instead of actually looking at the output of these tools, because it can still take a little bit of time to sort of understand what we're looking at, we're just going to look at the concept here of an example attack path that very likely will exist at some organization out there.
So let's work it a little bit backwards here. So we have Active Directory and we decide we're going to back it up with some backup software, and we need a backup service account; it's pretty common for things like this to need a service account. So we create our backup service account, but in this instance, for that backup service account to function in backing up Active Directory, it needs to be a domain admin, so that service account is already highly privileged. A couple of years go by, and this sort of builds the stage for why attack path management and analysis is so critical. A couple of years go by, and we're doing some Active Directory cleanup and we decide we're going to bucket all of our service accounts into an OU. So we create the Service Accounts OU, and we add the backup service account into that OU, pretty straightforward. So Alex Wilber, who, if you work in Entra development much, you know is usually causing trouble out there, Alex Wilber shows up at our organization and he's hired to work in our service desk in a level two role, so when he's hired on, his user account is added to the Service Desk Level Two group. But if we look at when we set up that Service Accounts OU, we delegated the Service Desk Level Two group to be able to reset user passwords on objects within that OU, and you may already see where this is going. But from a business perspective, we said we want the service desk to help empower our developers or application owners to be able to manage the passwords for their service accounts and help troubleshoot these things without needing to contact the people that manage Active Directory.
But Alex Wilber isn't viewed as a tier zero user, so his account becomes compromised. He's in that SD Level Two group, so now we're able to use those permissions to reset the password on that backup service account user, and Active Directory is now effectively compromised. And anyway, we could paint this path in several different ways. That backup service account that's a domain admin could be used on a server that's used for management of our backup software, and that server may not be viewed as tier zero, and that's where it really becomes important to understand the tier zero perimeter, kind of tying all this together. So if you've been working in Active Directory for a good while, you've probably seen this diagram, and it's been refreshed now with the enterprise access model from Microsoft, but really when we're talking about Active Directory security, this three-tiered model still works quite well for us. But the reality of tier zero is changing here. And so we have our domain controllers and our domain admins and our privileged access workstations, but that's also starting to expand here when we talk about things like Active Directory Federation Services, and certainly a lot of organizations these days have Active Directory Certificate Services, and also your Entra Connect or your Entra Cloud Sync, or if you're using something else, even like Okta, your Okta Active Directory agent; all these systems have some level of privilege on them.
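The OU-level Reset Password delegation in the Alex Wilber path above, as an added audit that is not part of the session: it reports non-tier-zero trustees whose ACEs on any container holding privileged accounts allow a password reset on child users, or grant rights that lead to one (GenericAll, WriteDacl, WriteOwner). The "expected tier zero" list is an assumption to tune for your forest.

```powershell
# Added example (not from the session): audit the delegation that made the path above possible.
# For every container that holds a privileged (adminCount=1) account, list trustees outside the
# expected tier zero set whose ACEs on that container let them reset child user passwords, or
# take rights that lead there (GenericAll, WriteDacl, WriteOwner). ACEs placed directly on the
# account objects are a separate check and are not covered here.
Import-Module ActiveDirectory

$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password right
$UserClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"
$NullGuid          = [guid]::Empty
# Assumption: principals expected to hold these rights over tier zero; everything else is a finding.
$ExpectedTier0     = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                       'Domain Admins', 'Enterprise Admins', 'Enterprise Key Admins', 'Key Admins')

function Test-ReachesPrivilegedChildUsers {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    # Must flow down to child objects, and either to all classes or specifically to users.
    if ($Ace.InheritanceType -eq 'None') { return $false }
    if ($Ace.InheritedObjectType -ne $NullGuid -and $Ace.InheritedObjectType -ne $UserClassGuid) { return $false }
    $r = $Ace.ActiveDirectoryRights
    $resetPwd = $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                ($Ace.ObjectType -eq $ResetPasswordGuid -or $Ace.ObjectType -eq $NullGuid)
    return $resetPwd -or
           $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
           $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -or
           $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)
}

function Get-RiskyPasswordResetDelegations {
    $nb = (Get-ADDomain).NetBIOSName
    $privileged = @(Get-ADUser -LDAPFilter '(adminCount=1)')
    # Parent container of each account; the split ignores escaped commas inside the CN.
    $containers = $privileged | ForEach-Object { ($_.DistinguishedName -split '(?<!\\),', 2)[1] } |
                  Sort-Object -Unique

    foreach ($dn in $containers) {
        $acl = Get-Acl -Path "AD:\$dn"     # includes ACEs inherited from ancestor OUs
        foreach ($ace in $acl.Access) {
            if (-not (Test-ReachesPrivilegedChildUsers $ace)) { continue }
            $who = $ace.IdentityReference.Value
            if ($ExpectedTier0 -contains $who -or $ExpectedTier0 -contains ($who -replace "^$nb\\", '')) { continue }
            [pscustomobject]@{
                Container         = $dn
                Trustee           = $who
                Rights            = $ace.ActiveDirectoryRights.ToString()
                Inherited         = $ace.IsInherited
                PrivilegedTargets = ($privileged | Where-Object { $_.DistinguishedName -like "*,$dn" } |
                                     Select-Object -ExpandProperty SamAccountName) -join ','
            }
        }
    }
}

# Each row is a non-tier-zero principal that could take over a privileged account by password reset.
Get-RiskyPasswordResetDelegations | Format-Table -AutoSize -Wrap
```

A Service Desk group showing up against a container that holds a Domain Admin service account is exactly the finding in the scenario above; the fix is to move the privileged account out of the delegated OU or remove the delegation.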
And again, if we expand this a bit further, those backup systems, whether it's the actual backups that contain the DIT file from Active Directory or the servers that are managing the backups of AD, if they have privileges in Active Directory, are effectively tier zero, and also the management plane for virtualization platforms, so you might run on-prem like Hyper-V or vSphere, or if we're in the cloud with Azure, AWS, GCP, it doesn't really matter. A lot of management planes offer the ability to have extensions into servers, and in these cases, if it's our domain controller, you can see where that's going. I actually have another session that is Mind the Management Plane: Attacking Active Directory from the Management Plane, where we'll dive into that a bit more, and I hope you check that one out. So, you know, I kind of want to wrap things up here and just talk about the cost of all this. And so this is from the Microsoft Digital Defense Report from 2023, and on page 41 here, there's a lot of text that we have going on here, but I really want to focus on this return on mitigation that Microsoft has in here that's targeting the investment to increase resilience. And the TL;DR on this is, effectively, Microsoft goes through, they look at incidents, and they really calculate what are the high value returns on mitigation, what are the mitigations to protect Active Directory that we can implement to make sure that we're not the victim of a breach, ransomware, some sort of cyber attack that's taking AD down and likely taking a lot of our organization and business down. And again, so I think if you look at this diagram here, and if you look at a lot of these things, like reconnaissance, privilege escalation, persistence with things like golden ticket attacks, lateral movement,
execution, depending on what execution can mean, if it's RCE, things like that, all of these, while there are likely detections within our identity threat detection and response platforms to see if there's sort of suspicious behavior going on, there are likely also proactive mitigations that we can put in place in Active Directory to even prevent a lot of these attacks from happening. So I hope you found some valuable information within the session today, and I thank you for attending. You know, I know a lot of people may find that there are edge cases or there are legacy things that we need to still support within Active Directory, but again, don't let the fear of securing AD stop you from the proactive remediation. So, my social media handle is here on the screen; feel free to reach out, drop a comment in the chat. I appreciate you attending this session today, and I hope you enjoy your day.