# hardening-active-drectroy **I. Hardening Active Directory** * **Step One: Document and Audit** * Annual (or more frequent) audits of: * Naming conventions (OUs, computers, users, groups). * DNS, network, and DHCP configurations. * GPOs and their application. * FSMO role assignments. * Application inventory. * Enterprise host locations. * Trust relationships. * Users with elevated permissions. * **People** * Strong password policy (including password filters). * Periodic password rotation for service accounts. * Disallow local administrator access on user workstations. * Disable the default RID-500 local admin account. * Implement tiered administration. * Restrict privileged group memberships. * Use the Protected Users group. * Disable Kerberos delegation for administrative accounts. * **Protected Users Group** * Provides additional protections against authentication threats. * Restrictions: * No constrained or unconstrained delegation. * No plaintext credential caching (CredSSP, Windows Digest). * No NTLM, DES, or RC4 authentication. * No caching of long-term keys or plaintext credentials after TGT acquisition. * TGT renewal limited to the original 4-hour TTL. * **Processes** * AD asset management policies. * Access control policies (provisioning/de-provisioning, MFA). * Host provisioning and decommissioning processes (baseline hardening, gold images). * AD cleanup policies (stale accounts, records). * Legacy OS/service decommissioning processes. * Scheduled user, group, and host audits. * **Technology** * Periodic AD reviews for misconfigurations and threats. * Use tools like BloodHound, PingCastle, and Grouper. * Prevent storing passwords in AD account descriptions. * Review SYSVOL for sensitive data. * Use gMSAs and MSAs for service accounts. * Disable unconstrained delegation. * Harden jump hosts for DC access. * Set ms-DS-MachineAccountQuota to 0. * Disable the print spooler service. * Disable NTLM authentication for DCs. * Use Extended Protection for Authentication and Require SSL for CA services. * Enable SMB and LDAP signing. * Take steps to prevent enumeration with tools like BloodHound. * Regular penetration tests/AD security assessments. * Test backups and review disaster recovery plans. * Restrict anonymous access and null session enumeration (RestrictNullSessAccess registry key). **II. Protections by Section (MITRE ATT\&CK)** * **External Reconnaissance (T1589)** * Minimize publicly released information. * Scrub documents before release. * **Internal Reconnaissance (T1595)** * Monitor network traffic for suspicious activity. * Use firewalls and NIDS. * Implement SIEM. * Tune Windows Firewall and EDR to block unwanted traffic (e.g., ICMP). * **Poisoning (T1557)** * Use SMB message signing. * Encrypt traffic. * **Password Spraying (T1110/003)** * Enable logging and monitoring (Event IDs 4624, 4648). * Implement strong password policies. * Use account lockout policies. * Implement MFA. * **Credentialed Enumeration (TA0006)** * Monitor for unusual activity (CLI usage, RDP, file movement). * Use network heuristics and segmentation. * **Living Off the Land (LOTL)** * Establish network traffic and user behavior baselines. * Monitor command shells. * Implement AppLocker policies. * **Kerberoasting (T1558/003)** * Use strong encryption (not RC4). * Enforce strong password policies. * Use gMSAs. * Periodically audit user account permissions. **III. MITRE ATT\&CK Breakdown** * Explains the structure of the MITRE ATT\&CK framework (Tactics, Techniques, Sub-techniques). * Provides an example using Kerberoasting (TA0006/T1558.003). **IV. Key Takeaways** * A layered approach to AD hardening is essential. * Understanding and implementing best practices for People, Processes, and Technology is crucial. * Regular audits and assessments are necessary. * The MITRE ATT\&CK framework provides valuable insights into attack techniques and mitigations. * Having a strong baseline security posture is more important than just buying more security tools.