ADSec101: Account Security
Do you work in an environment that relies on Active Directory? Do you want to make sure it cannot be easily compromised? Then this is the right guide to follow!
We all want a stronger Active Directory, but many parameters are usually overlooked when configuring a new AD. In this article, I'll cover the first step: tackling the low-hanging fruit in terms of security, which can quickly improve the overall security posture.
Account Management
Accounts are the core of Active Directory. Weak account management can expose users to credential theft or account takeover. Therefore, a secure configuration for user accounts is of paramount importance.
Password Complexity
Password length reduces the risk of brute-force attacks and password cracking (e.g. using rainbow tables). A minimum length of 12 characters is required to ensure a good level of security.
The GPO to enforce password complexity is located at: Computer Configuration/Policies/Windows Settings/Security Settings/Account Policies/Password Policy
- Minimum password length: 12 characters
- Enforce password history: 24 passwords remembered
Password Expiration Policy
Password expiration ensures that users change their password on a regular basis. It greatly mitigates the risk of an attacker reusing a password if the system is compromised.
The GPO to enforce password expiration is located at: Computer Configuration/Policies/Windows Settings/Security Settings/Account Policies/Password Policy
- Maximum password age: 60 days
Account Lockout Policy
Account lockout is an important mechanism that mitigates the risk of brute-force or password-spraying attacks. Windows defines two types of account lockout:
- Soft: the account is locked for a set amount of time
- Hard: the account is locked until an administrator unlocks it
The GPO to enforce account lockout is located at: Computer Configuration/Policies/Windows Settings/Security Settings/Account Policies/Account Lockout Policy
- Account lockout duration: 10 minutes
- Account lockout threshold: 5 invalid logon attempts
- Reset account lockout counter after: 10 minutes
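The three policies above are all read back from the same object, so they can be audited in one pass. The following PowerShell script is an added example, not part of the original article: it compares the domain's effective default policy against the values recommended above and flags anything weaker. It assumes the ActiveDirectory RSAT module is installed and that the session has read access to the domain; the baseline hashtable holds the article's numbers.

```powershell
# Added example: audit the default domain password/lockout policy against the
# thresholds recommended above. Assumes the ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

# Recommended values, taken from the GPO settings listed in this article
$Baseline = [ordered]@{
    MinPasswordLength        = 12
    PasswordHistoryCount     = 24
    MaxPasswordAge           = New-TimeSpan -Days 60
    LockoutThreshold         = 5
    LockoutDuration          = New-TimeSpan -Minutes 10
    LockoutObservationWindow = New-TimeSpan -Minutes 10
}

$Policy = Get-ADDefaultDomainPasswordPolicy

# A finding is any setting that is weaker than the baseline. "Weaker" differs per setting,
# so each one gets its own comparison instead of a blanket less-than.
$Findings = foreach ($Name in $Baseline.Keys) {
    $Actual   = $Policy.$Name
    $Expected = $Baseline[$Name]
    $Weak = switch ($Name) {
        # Larger is stronger
        'MinPasswordLength'    { $Actual -lt $Expected }
        'PasswordHistoryCount' { $Actual -lt $Expected }
        # 0 means lockout is disabled entirely; otherwise more allowed attempts is weaker
        'LockoutThreshold'     { $Actual -eq 0 -or $Actual -gt $Expected }
        # Zero (or the TimeSpan maximum) means "never expires"; longer than 60 days is weaker
        'MaxPasswordAge'       { $Actual -eq [TimeSpan]::Zero -or $Actual -gt $Expected }
        # Zero / maximum here means "locked until an administrator unlocks it" (the hard
        # lockout described above), which is stricter, not weaker
        'LockoutDuration'      { $Actual -ne [TimeSpan]::Zero -and $Actual -ne [TimeSpan]::MaxValue -and $Actual -lt $Expected }
        # A shorter observation window lets the counter reset too early
        default                { $Actual -lt $Expected }
    }
    [PSCustomObject]@{ Setting = $Name; Actual = $Actual; Recommended = $Expected; Weak = $Weak }
}

$Findings | Format-Table -AutoSize

# Fine-grained password policies (PSOs) override the default policy for the principals
# they apply to, so they need the same review; list them so none is missed.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize
```

Run it as-is to produce a table with a Weak column; any row marked True is a setting to fix in the GPO path given above. The PSO listing matters because a fine-grained policy with a weaker setting silently wins over the default domain policy for its members.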
Administrator Account Delegation
Accounts do not have the attribute Account is sensitive and cannot be delegated enabled by default. For administrator accounts, this attribute should be enabled to prevent sensitive accounts from being delegated and to reduce the risk of privilege escalation.
Account delegation allows a service to impersonate a user. For example, a web server that stores SQL data on a separate server can query the SQL server using the user's Ticket Granting Ticket. However, if the web server's service account is compromised and a domain admin account is still allowed to be delegated, the attacker can impersonate the administrator and gain full control over the domain.
To enable the attribute, navigate to the account -> Right Click -> Properties and check the box Account is sensitive and cannot be delegated.
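Ticking the box by hand works for one account, but the set of privileged accounts changes over time. The following PowerShell script is an added example, not part of the original article: it finds members of the main privileged groups that are still delegatable and sets the attribute on them. It assumes the ActiveDirectory module and write access to the accounts; the group list is an assumption and should be extended with your own tier-0 groups.

```powershell
# Added example: find privileged accounts that can still be delegated and mark them
# "Account is sensitive and cannot be delegated". Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Groups to review (assumed starting set; add your own privileged groups)
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Collect user members recursively so nested groups are covered, then de-duplicate
$Privileged = foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}
$Privileged = $Privileged | Sort-Object -Property DistinguishedName -Unique

# AccountNotDelegated is the NOT_DELEGATED (0x100000) bit of userAccountControl,
# which is exactly what the checkbox in the account's Properties sets.
$Delegatable = $Privileged |
    Get-ADUser -Properties AccountNotDelegated |
    Where-Object { -not $_.AccountNotDelegated }

"Privileged accounts that can still be delegated: $($Delegatable.Count)"
$Delegatable | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Remediate. -WhatIf previews the change; remove it to apply.
foreach ($User in $Delegatable) {
    Set-ADUser -Identity $User -AccountNotDelegated $true -WhatIf
}
```

Run it first with the -WhatIf in place to see which accounts would change. Adding the same accounts to the built-in Protected Users group enforces the no-delegation rule as well (and more), so the script is a useful cross-check rather than a replacement for that group.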
Inactive Users
Inactive users are a risk to the AD environment. They can be abused by former employees or attackers, and since the account is inactive, its password never changes.
To retrieve all inactive users in the environment, use the following command:
# Import AD module
Import-Module ActiveDirectory
# Enabled user accounts with no logon in the last 180 days
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 180:00:00:00 -ResultPageSize 2000 -ResultSetSize $null | Where-Object { $_.Enabled -eq $True } | Select-Object Name, SamAccountName, DistinguishedName

All the accounts retrieved should be treated as a security risk. When disabling such an account, follow these steps:
- Disable the account
  - In the Account tab, select Account is disabled
- Remove all the group memberships
  - In the Member Of tab, remove every group
- Change its password to a random value
  - For example, in PowerShell: -join ((33..126) | ForEach-Object {[char]$_} | Get-Random -Count 16)
- Enable Smart card is required for interactive logon
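The four steps above can be scripted so that every account from the Search-ADAccount output is handled the same way. The following PowerShell function is an added example, not part of the original article: it applies the steps to one account and supports -WhatIf so the changes can be previewed. It assumes the ActiveDirectory module and write access to the account; the function name and the sample account name jdoe are assumptions.

```powershell
# Added example: apply the four offboarding steps above to one inactive account.
# Assumes the ActiveDirectory module; the function name is an assumption.
Import-Module ActiveDirectory

function Invoke-InactiveAccountLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    $User = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Disable the account (same effect as ticking "Account is disabled")
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable account')) {
        Disable-ADAccount -Identity $User
    }

    # 2. Remove every group membership. The primary group (normally Domain Users)
    #    is not listed in memberOf and cannot be removed this way; it stays.
    foreach ($GroupDN in $User.MemberOf) {
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Remove from $GroupDN")) {
            Remove-ADGroupMember -Identity $GroupDN -Members $User -Confirm:$false
        }
    }

    # 3. Reset the password to a random 16-character value (the generator shown above).
    #    The value is never stored or displayed; nobody needs to know it.
    $RandomPassword = -join ((33..126) | ForEach-Object { [char]$_ } | Get-Random -Count 16)
    $Secure = ConvertTo-SecureString -String $RandomPassword -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password to random value')) {
        Set-ADAccountPassword -Identity $User -Reset -NewPassword $Secure
    }

    # 4. Require a smart card for interactive logon. Setting this flag also makes the
    #    domain controller replace the stored password hash with a random one, so any
    #    previously stolen password or hash for the account stops working.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Require smart card for interactive logon')) {
        Set-ADUser -Identity $User -SmartcardLogonRequired $true
    }

    # Return the resulting state so the change can be verified or logged
    Get-ADUser -Identity $SamAccountName -Properties Enabled, MemberOf, SmartcardLogonRequired, PasswordLastSet |
        Select-Object SamAccountName, Enabled, SmartcardLogonRequired, PasswordLastSet,
                      @{ Name = 'GroupCount'; Expression = { $_.MemberOf.Count } }
}

# Preview on one account from the Search-ADAccount output (assumed name), then run without -WhatIf
Invoke-InactiveAccountLockdown -SamAccountName 'jdoe' -WhatIf
```

Because the function supports ShouldProcess, the Search-ADAccount results can be piped through ForEach-Object into it with -WhatIf to review the full set of changes before applying any of them. The returned object is worth keeping as a record of when the account was locked down.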