The SolarWinds/Solorigate attack used several worrisome methods, one of which is an attack process called Golden SAML. Security Assertion Mar (SAML) Enables the exchange of authentication and authorization information between trusted parties. Using the golden SAML technique, an attacker can generate a SAML response by itself and gain access or control. You must gain access to access the certificate used to sign the SAML entity.
Microsoft's Active Directory (AD) has a number of tools to identify and prevent these and other techniques used to attack SolarWinds. Vendors like Trimarc Security have also released PowerShell scripts to analyze and review users' AD infrastructure. It is a script that can perform the review process in a simple single AD environment. This script scans the AD domain for major issues that could limit or reduce the company's security posture. The items that must be reviewed are as follows, even when the script is not used.
User account settings
The first problem concerns user accounts. The script reviews inactive accounts that have never been changed or logged in. Settings related to Kerberos are also reviewed. At this time, check the account configured not to require Kerberos pre-authentication. This is because attackers are known to exploit this setting.
The name of this attack is AS-REP Roast. As part of the authentication process, a request to authenticate without a password appears at first. The attacker who receives this request can send a fake AS-REQ (Authentication Server Request). Hash) encrypted additional data is immediately returned. Attackers can obtain this hash and decrypt it offline. Microsoft added controls to Kerberos 5, but the configuration may still be wrong.
Domain password policy
The next thing the script reviews is the domain password policy. If weak passwords are used, they are vulnerable to password spray attacks on AD. Therefore, you must make sure that the appropriate password policy has been applied. Trimac Security recommends setting the password policy to at least 12 characters, preferably at least 16 characters. Whenever you choose a long password policy, you must make sure it works with all applications in that domain. Applications that require the use of weaker password policies weaken their security posture and should all be investigated and upgraded or removed from the network.
Active Directory Backup Policy
Some companies prefer to install a new domain controller and a copy instead of backing up the domain controller. Due to the impact of ransomware on the network, this policy is potentially dangerous and can jeopardize the company. You should review whether AD backups are being made. With a backup process supported by Microsoft, the process can set a flag or attribute to determine the last backup date. If you do not perform system state backup, you are not properly backing up the AD structure. Trimark Security recommends performing a system state backup at least once a month to include FSMO (Flexible Single Master) and keeping the backup copy for at least 6 months.
Outdated Group Policy preference credentials
Group Policy preferences were first released in 2008, and they allow administrators to update and provide authentication information. Since this authentication information is encrypted using AE256, it is possible to get the plaintext value by inverting the password with the PowerShell function. If the domain is quite old, there is a patch that increases the level of protection by preventing the use of the Group Policy default password, but it may have saved the authentication information value inadvertently. The attacker searches the user's domain, finds the remaining password, and uses it to attack the domain.
Domain administrator rights and policies
Make sure you have identified a domain administrator or a user with equivalent privileges. After that, it is reviewed for additional security issues. These accounts change passwords periodically and add a two-factor authentication procedure (2FA). Third-party software may be required to add 2FA to your admin account.
The domain service account is a KRBTGT account, which is frequently released. Used to grant Kerberos tickets or generate golden tickets. An attacker who discovers the password for a domain service account can generate a golden ticket. As mentioned in MITER, this attack sequence allows attackers to create authentication data for any account in Active Directory. You should change this password at least twice a year after the AD administrator leaves or if you follow US Department of Defense guidelines.
Unlimited Kerberos delegation
The Kerberos'double hop' problem is an old attack method. Kerberos uses double hops to maintain Kerberos authentication information of a client over two or more connections. Unrestricted Kerberos delegation should be audited and reviewed to ensure that it is used only in one-time situations or not at all. When Kerberos delegation type is used for web configuration, if there are no restrictions, users can be impersonated and connected to all Kerberos services, not just specific services.
Linked Group Policy Object
Group policy is strong, and attackers know it. The owner of a Group Policy Object (GPO) may have the ability to change rights that should not be changed. That's why you need to be careful when linking GPOs to domain roots and organizational units on domain controllers. GPO owners should be restricted to domain administrators or enterprise administrators.
Domain controller patching steps
You should review the domain controller's patching steps to make sure it is appropriate for your network. Do not run domain controllers on older or outdated operating systems. Doing so exposes your company to security risks and prevents you from using the modern authentication process that requires a modern operating system. All domain controllers must run at least Windows Server 2012 R2.
Review whether you can switch to Windows Server 2016 or preferably Windows Server 2019, and run that domain infrastructure on the latest operating system possible. Keep your monthly patching up to date. Having an unpatched Windows Server 2019 also puts corporate networks at risk for a variety of security issues.
0 Comments