The hidden benefit of hacking your own Active Directory?

This summary stems from a brief conversation within a peer circle. A parallax perspective on the issue of passwords. 

Most IT organisations have an IT Security policy which defines the required password parameters for the organisation. Active Directory provides a method to enforce those parameters, from complexity and length to the frequency with which passwords must be changed.

Once a company’s password policy is understood and the required parameters are known, bad practice can set in internally, and this is not necessarily limited to the end users; IT can equally be at fault. For example, the service desk may create all new user or service accounts with the same common password, such as Password1234$$ or Welcome2015!

So what has this got to do with hacking your own Active Directory? 

Using one of the numerous Active Directory password cracking tools on the internet, you can analyse (crack the easy ones) the passwords stored in Active Directory and produce a list of the most common passwords.

These common passwords can then be cross-referenced to their owners, and with a little mathematics it is possible to deduce that perhaps 10 passwords give access to 70 % of all systems. Not only is this a rather frightening metric, it is reality, and it is one attack vector for anyone with access to a domain controller.

This is not a simple problem to fix with the current architecture of Active Directory, but with small process changes and education around the use of common passwords the percentage of systems that could be accessed or compromised may be reduced. 
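The "how many shared passwords cover how many accounts" metric described above, as an added example that is not part of the original post: it takes an already-produced audit result (account names and recovered passwords, all constructed for this example) and reports the cumulative share of accounts the most common passwords would unlock, plus the owners who need a reset.

```python
from collections import Counter

# Constructed sample of an internal password-audit result: account name and the
# password recovered for it, or None where nothing was recovered.
# These values are made up for this example and come from no real directory.
AUDIT_RESULT = [
    ("svc-backup", "Welcome2015!"),
    ("svc-sql", "Welcome2015!"),
    ("jsmith", "Password1234$$"),
    ("ajones", "Welcome2015!"),
    ("mbrown", "Password1234$$"),
    ("svc-print", "Welcome2015!"),
    ("kwhite", "Summer2015"),
    ("dgreen", None),
    ("ptaylor", "Password1234$$"),
    ("rblack", None),
]


def password_sharing_report(audit, top_n=3):
    """Rank recovered passwords by how many accounts share them and report,
    for each of the top_n passwords, (password, account count, cumulative
    percentage of ALL audited accounts that the passwords so far unlock)."""
    total = len(audit)
    counts = Counter(pw for _, pw in audit if pw is not None)
    report, covered = [], 0
    for pw, n in counts.most_common(top_n):
        covered += n
        report.append((pw, n, round(100 * covered / total, 1)))
    return report


def accounts_sharing(audit, password):
    """Owners of one shared password, i.e. the accounts that need a reset."""
    return sorted(acct for acct, pw in audit if pw == password)


if __name__ == "__main__":
    # Masked in the printout so the report itself does not leak the passwords.
    for pw, n, pct in password_sharing_report(AUDIT_RESULT):
        masked = pw[:2] + "*" * (len(pw) - 2)
        print(f"{masked:16} shared by {n} accounts; top passwords so far cover {pct}%")
```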


Best Practices for Securing Active Directory


Microsoft have released a new document which contains best practice recommendations to assist organisations in enhancing the security of their Active Directory installations.

Microsoft state that “In implementing these recommendations, organisations will be able to identify and prioritise security activities, protect key segments of their organisation’s computing infrastructure and create controls that significantly decrease the likelihood of successful attacks against critical components of the IT environment”.

This document discusses the most common attacks against Active Directory, countermeasures to reduce the attack surface, and recommendations for recovery in the event of complete compromise.

Download

Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2


If you are looking to understand what the security policies in Windows 7 and 2008 R2 mean and how they can impact your environment, then this guide is a must read.

Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2

The document covers the following categories in some depth:

Account Policies

This section discusses the Group Policy settings that are applied at the domain level: password policies, account lockout policies, and Kerberos protocol authentication policies.

Advanced Security Audit Policy

This section discusses the use of advanced audit policy settings, which are now integrated with Group Policy to monitor and enforce your security measures. It describes the various settings, and it provides examples of how audit information is modified when the settings are changed.

User Rights

This section discusses the various logon rights and privileges that are provided by the Windows 7 and Windows Server 2008 R2 operating systems, and it provides guidance about which accounts should be assigned these rights.

Security Options

This section provides guidance about security settings for digital data signatures, Administrator and Guest account names, drive access, driver installation behaviour, and logon prompts.

Event Log

This section provides guidance about how to configure the settings that relate to the various event logs on computers running Windows Server 2008 R2 or Windows 7.

System Services

Windows Server 2008 R2 and Windows 7 include a variety of system services. Many of these services are configured to run by default, but others are not present unless you install specific components. This section describes the various services included with the operating systems so that you can best decide which ones to leave enabled and which ones can be safely disabled.

Software Restriction Policies

This section provides a brief overview of the Software Restriction Policy feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

Application Control Policies

This section provides a brief overview of the AppLocker™ feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

External Storage Devices

This section describes Group Policy settings that can be used to limit, prevent, or allow the use of external storage devices in networked computers.

Additional Resources

This section provides links to additional information sources about Windows security topics from Microsoft that you may find useful.


Windows 7 and Windows Server 2008 R2 Service Pack 1 Release Candidate now available.

Microsoft have today delivered the first release candidate (RC) for Windows 7 and Windows Server 2008 R2 Service Pack 1. The Service Pack is slated for release in early 2011, but there is no confirmed date. The Service Pack can be downloaded here and the associated documentation can be downloaded here.

The document “Windows 7 and Windows Server 2008 R2 Service Pack 1 Release Candidate Notable Changes” has changed since the initial beta release and is now dated June instead of February 2010; the document “Windows Server 2008 R2 and Windows 7 Service Pack 1 Test Focus Guide” has moved to version 1.3 and is dated October 2010; and the final document, “Hotfixes and Security Updates included in Windows 7 and Windows 2008 R2 Service Pack 1 Release Candidate”, is dated October 2010 too.

The Service Pack now consists of 78 non-security GDR updates, 27 security updates and 520 hotfix updates.

The last security update included in the Release Candidate is MS10-061.

For a technical overview of the Windows Server 2008 R2 SP1 RC release, click here.

Microsoft Office 2010 Group Policy

Microsoft have released a guide for configuring and applying Group Policy in Microsoft Office 2010.

The guide states that its intended reader "is the IT administrator who plans to use Group Policy to configure and enforce settings for Microsoft Office 2010 applications." In addition to providing an insight into Group Policy for Office 2010, the guide also provides an insight into how Group Policy functions and is applied at the Windows level.

Group Policy for Office 2010

I have had a quick read through the guide and it makes interesting reading.

Network port requirements for Active Directory and Windows Server.

In the companies that I work with, Active Directory and firewalls are often mentioned in the same sentence. This KB article discusses the essential network ports, protocols and services that are used by Windows client and server operating systems, server-based programs and their subcomponents in the Windows server system.

I have found this document invaluable when it comes to making Active Directory and other Windows components (such as DFS-N and DFS-R) work through a firewall.

http://support.microsoft.com/kb/832017/en-US

One of the reasons that I am adding this post is that this KB article is constantly evolving; in the past six weeks alone I have seen four versions.

30th March 2010: Version 42.0
9th April 2010: Version 43.0
23rd April 2010: Version 44.0

Security Compliance Manager (Guidance on how to harden your Windows environments).

The Security Compliance Manager is a free Solution Accelerator from Microsoft which has been designed to enable organisations to take advantage of the experience of Microsoft security professionals and reduce the time and cost required to harden Windows infrastructure.

The Security Compliance Manager provides access to the complete database of Microsoft recommended security settings. Using this information you can configure and customise security baselines, which can then be exported to multiple formats, including Excel, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs or the Security Content Automation Protocol (SCAP), for analysis or implementation.

Download the Security Compliance Manager

Learn more about the Security Compliance Manager

Solution Accelerators are tools and guidance that help you solve your deployment, planning and operational IT problems. Solution Accelerators are free and fully supported. Want to learn more about Microsoft Solution Accelerators? Click here.