The tl;dr - how do you, or your company, protect Active Directory? Curious about solutions out there.

Would you put AD in a management VLAN only to open every port that every service listens on anyway, or throw it into the user space? You can't attack a service that isn't running, and workstations/servers/users need damn near every service that does run... RPC, LDAP, Kerberos, SMB, DNS, and some other junk I'm probably forgetting. You quickly learn to use groups/aliases for all these damn ports - but to what avail? If you expose it, what's the point of segmenting it?

One thing I've recently seen a company do is their management network runs in a separate forest, and their user space runs on a different forest - with no trust relationships. On one hand this certainly minimizes the impact of a breach, but it sounds like a freaking nightmare. 

https://linustechtips.com/topic/994396-securing-ad/

13 hours ago, Levisallanon said:

Whelp, I read through it, and unfortunately it is more common sense than anything useful. More of a starting point: least privilege, two factor, least services, use host-based AV/FW, and keep an eye on logs.

I've been using the DISA STIG: https://iase.disa.mil/stigs/gpo/Pages/index.aspx as a starting point for OS configuration. Stops you from using domain admin accounts for services and rdp, turns on auditing, and all the fun things. Definitely will break a lazy person's domain, so either correct the mistakes or disable the offending GPO. (might not hurt to adjust the logon banner as well, the whole "DoD" will catch people off guard lol)

More interested in the in-depth details of what everyone out there is doing, like in the example I gave of having two separate and isolated forests. Also curious about any real benefits of putting a DC on a separate VLAN or behind an additional firewall. I suppose if your firewall will be used for IPS/IDS then sure, but HIPS would take care of that.
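To make the STIG point about service accounts concrete, here is an added example (not from this thread or any poster) that lists services on domain-joined servers running under a member of Domain Admins, so you can find the ones the STIG GPO will break before applying it. It assumes the RSAT ActiveDirectory module is installed and that CIM/WinRM queries to the servers are allowed.

```powershell
# Added example: find Windows services whose logon account is a Domain Admins member.
# Assumes RSAT ActiveDirectory module and remote CIM access to each server.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName

# Collect every user in Domain Admins (nested groups included) in both the
# DOMAIN\user and user@domain forms that a service's StartName may use.
$adminAccounts = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser |
    ForEach-Object {
        "$netbios\$($_.SamAccountName)"
        $_.UserPrincipalName
    } | Where-Object { $_ }

# Scope to servers; that is where domain service accounts usually live.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
    Select-Object -ExpandProperty DNSHostName

$findings = foreach ($server in $servers) {
    try {
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $server : $($_.Exception.Message)"
        continue
    }
    foreach ($svc in $services) {
        # StartName is the logon account, e.g. 'CORP\svc_backup' or 'LocalSystem'.
        # -contains compares case-insensitively by default.
        if ($adminAccounts -contains $svc.StartName) {
            [pscustomobject]@{
                Server  = $server
                Service = $svc.Name
                Account = $svc.StartName
                State   = $svc.State
            }
        }
    }
}

$findings | Sort-Object Server, Service | Format-Table -AutoSize
```

Each row is a service that needs a dedicated (ideally group managed) service account before the STIG's logon-rights restrictions are enforced.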

1 hour ago, Mikensan said:

Whelp, I read through it, and unfortunately it is more common sense than anything useful. More of a starting point: least privilege, two factor, least services, use host-based AV/FW, and keep an eye on logs.

I've been using the DISA STIG: https://iase.disa.mil/stigs/gpo/Pages/index.aspx as a starting point for OS configuration. Stops you from using domain admin accounts for services and rdp, turns on auditing, and all the fun things. Definitely will break a lazy person's domain, so either correct the mistakes or disable the offending GPO. (might not hurt to adjust the logon banner as well, the whole "DoD" will catch people off guard lol)

More interested in the in-depth details of what everyone out there is doing, like in the example I gave of having two separate and isolated forests. Also curious about any real benefits of putting a DC on a separate VLAN or behind an additional firewall. I suppose if your firewall will be used for IPS/IDS then sure, but HIPS would take care of that.

I've got my own AD network at home. As you mentioned, keeping everything on different VLANs. For my setup, you can ping the server because you need access to AD, but you cannot connect to it via RDP because I've disabled it via GPO for standard users. Only admins can use and connect to it. I've also got 3 firewalls, 1 software based and 2 hardware based. I haven't got IPS/IDS set up, which I need to do.