Reduce the attack surface for Active Directory

How to protect your Active Directory – AKA “Shrink the attack surface”

Tips for Windows Server 2025, 2022, 2019 and ‘Grandpa’ 2016.

Active Directory (AD) is at the heart of most enterprise networks. Precisely because it is so central, it is also a favourite target for attackers. To raise the bar, keep the attack surface as small as possible by consistently implementing technical controls. Here are the most important ways to strengthen your AD.

The three pillars to reduce the attack surface

Reducing the attack surface focuses on three core areas:

  1. Least-privilege administrative models: Minimise the risk posed by everyday use of accounts with far-reaching rights.
  2. Secure administrative hosts: Dedicated, isolated systems for administrative tasks prevent privileged credentials from ever landing on ordinary workstations.
  3. Hardening of domain controllers: Specific policies and settings protect the DCs, the core of AD, from compromise.

Below we look at best practice, because (spoiler alert) there is more to do!

Accounts and Groups in Active Directory

Understanding which accounts and groups have the highest rights is essential for their protection. By default, there are four very powerful groups that you should keep an eye on:

  • Enterprise Admins (EA): This group exists only in the forest root domain and holds the highest rights in the entire forest. Membership should be granted only temporarily, for specific forest-wide changes.
  • Domain Admins (DA): Each domain has its own DA group. Members are ‘all-powerful’ within their domain and are local administrators on every domain-joined computer by default. Membership should be used only in emergency scenarios.
  • Administrators (BA, for Built-in Administrators): This domain-local group, in which DA and EA are nested, has many direct rights in the directory and on domain controllers, but no rights on member servers or workstations.
  • Schema Admins (SA): This group can change the Active Directory schema. Membership is rarely needed and only for a short time; keeping it empty makes administration easier.
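Knowing the four groups is only useful if you also know who is in them right now, nested groups included. The following PowerShell is an added example, not code from the original article: it resolves the groups by their well-known RIDs/SIDs (so it works in localised domains) and lists the effective, recursively expanded membership. It assumes the RSAT ActiveDirectory module is installed and that you have rights to read group membership in the current domain and the forest root.

```powershell
# Added example (not from the original article): enumerate the four most
# privileged groups by well-known RID/SID and show their effective membership.
# Assumes the RSAT ActiveDirectory module and read access to group membership.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain   # EA/SA live only here
$thisDomain = Get-ADDomain

# Well-known RIDs: 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins.
# Administrators is the built-in alias with the fixed SID S-1-5-32-544.
$targets = @(
    @{ Name = 'Domain Admins';     Sid = "$($thisDomain.DomainSID)-512"; Server = $thisDomain.PDCEmulator }
    @{ Name = 'Enterprise Admins'; Sid = "$($rootDomain.DomainSID)-519"; Server = $rootDomain.PDCEmulator }
    @{ Name = 'Schema Admins';     Sid = "$($rootDomain.DomainSID)-518"; Server = $rootDomain.PDCEmulator }
    @{ Name = 'Administrators';    Sid = 'S-1-5-32-544';                 Server = $thisDomain.PDCEmulator }
)

$report = foreach ($t in $targets) {
    $group = Get-ADGroup -Identity $t.Sid -Server $t.Server
    # -Recursive expands nested groups, so this is the *effective* membership,
    # not just the direct members you see in the GUI.
    Get-ADGroupMember -Identity $group -Recursive -Server $t.Server |
        ForEach-Object {
            [pscustomobject]@{
                Group      = $t.Name
                Member     = $_.SamAccountName
                ObjectType = $_.objectClass
                DN         = $_.DistinguishedName
            }
        }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

# Two quick checks a practitioner wants from this output:
# 1) more than a handful of permanent members in DA/EA/SA means least privilege
#    is not being followed; 2) any computer or service account here is a finding.
$report | Group-Object Group | Select-Object Name, Count
$report | Where-Object ObjectType -ne 'user'
```

Run it from a management host in the domain you want to audit; Enterprise Admins and Schema Admins are always resolved against the forest root PDC emulator, so the script also works from a child domain.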

Protected accounts and the AdminSDHolder process

Active Directory has a built-in protection mechanism for privileged accounts and groups that further reduces the attack surface.

  • Protected accounts: An account that is a member of a protected group is marked as a ‘protected account’. Permission inheritance is disabled on these objects, so they cannot inherit rights from their parent OU. This prevents unintended extension of rights, for example through a delegation granted on the OU.
  • AdminSDHolder and SDProp: The AdminSDHolder object lives in the System container of each domain (CN=AdminSDHolder,CN=System in the domain naming context). Every 60 minutes the Security Descriptor Propagator (SDProp) compares the permissions of all protected accounts and groups with those of AdminSDHolder and resets them if they differ. This keeps the security settings of privileged accounts consistent. An account that is removed from a protected group does not automatically get inheritance back; its ACL and its adminCount attribute have to be fixed manually.

Best practices for implementation

In order to use these protection mechanisms effectively, you should focus on the following points:

  • Targeted allocation of rights: Implement granular delegation so that the most powerful groups are used as little as possible.
  • Patch management: Make sure your domain controllers and other critical systems always receive the latest security patches. A good patch management solution is essential.
  • Monitoring: Use monitoring tools to track changes to critical groups (DA, EA) and to LAPS (Local Administrator Password Solution) passwords. That way you recognise unauthorised activity immediately.
  • Training: Make your users aware of the risks of social engineering and phishing. A trained employee is one of your most important lines of defence.

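For the monitoring point, the most useful signal is the Security log of the domain controllers: every add or remove on a security group is written there by the DC that processed the change. The following PowerShell is an added example, not code from the original article. It assumes the advanced audit policy “Audit Security Group Management” is enabled on the DCs, that the RSAT ActiveDirectory module is available, and that you can read the Security log remotely; the 24-hour window and the list of watched groups are assumptions you will adapt.

```powershell
# Added example (not from the original article): collect membership changes to
# the most privileged groups from the Security log of every DC in the domain.
# Assumes "Audit Security Group Management" is enabled and you can read the
# Security log remotely; RSAT ActiveDirectory module required.
Import-Module ActiveDirectory

# 4728/4729 = global group add/remove, 4732/4733 = domain-local, 4756/4757 = universal.
$eventIds  = 4728, 4729, 4732, 4733, 4756, 4757
$watchList = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$since     = (Get-Date).AddHours(-24)      # assumed look-back window

$changes = foreach ($dc in Get-ADDomainController -Filter *) {
    # Membership changes are logged only on the DC that performed the write,
    # so every DC has to be queried, not just the PDC emulator.
    $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $eventIds; StartTime = $since }

    foreach ($e in $events) {
        # Read EventData fields by name instead of brittle positional indexes.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetUserName -notin $watchList) { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc.HostName
            Action    = if ($e.Id -in 4728, 4732, 4756) { 'ADDED' } else { 'REMOVED' }
            Group     = $data.TargetUserName
            Member    = $data.MemberName      # DN of the principal that was added/removed
            ChangedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        }
    }
}

$changes | Sort-Object Time | Format-Table -AutoSize
# Anything in this list that is not backed by a change ticket is an incident.
```

In practice you would have a SIEM forward these events and alert on them in real time; the script is the same logic run by hand, which is handy for verifying that the audit policy actually produces the events before you rely on the alerting.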
By reducing the attack surface through these technical and organisational measures, you make it much harder for attackers to break into your Active Directory and cause damage.

Privileged accounts and groups in Active Directory

A basic security principle is to minimise rights. Active Directory is designed to allow very fine-grained delegation. Nevertheless, there are built-in groups with very high privileges. If you understand these groups, you can also secure them properly.

The Three Most Powerful Groups

There are three main groups that have the highest privileges in Active Directory:

  • Enterprise Admins: This group exists only in the forest root domain. Members can make forest-wide changes that affect all domains. Their rights are so comprehensive that membership should be needed only in rare exceptional cases (for example, when adding a new domain).
  • Domain Admins: Each domain has its own Domain Admins group. They are the ‘all-powerful rulers’ within their domain and are by default local administrators on every computer in the domain. Use them only in emergency scenarios.
  • Administrators: The third group is the built-in Administrators group of the domain. It grants many direct rights in the directory and on domain controllers, but no rights on member servers or workstations. Domain Admins and Enterprise Admins are members of this group by default.

Important note: Although these groups have different default permissions, a member of any one of the three can change permissions in the directory to make itself a member of the other two. From a security point of view, treat all three as equally risky.

The schema admins: A special group

Schema Admins is a fourth privileged group. It exists only in the forest root domain and is the only group permitted to change the Active Directory schema, the underlying structure of the directory. Membership is needed extremely rarely and only for a very short time.

AdminSDHolder and SDProp: The protection mechanism

To prevent privileged account permissions from being changed accidentally or maliciously, Active Directory has a special protection mechanism: AdminSDHolder and SDProp.

How does it work?

  1. The AdminSDHolder object: In each Active Directory domain, there is a special object called AdminSDHolder. It serves as a template for the permissions of all Protected accounts and groups.
  2. The SDProp process: Every 60 minutes (by default), a process called Security Descriptor Propagator (SDProp) runs on the domain controller with the role of the PDC emulator.
  3. Reconciliation and correction: SDProp compares the permissions of the protected accounts (e.g. domain admins or enterprise admins) with the permissions of the AdminSDHolder object. If the permissions do not match, SDProp resets the permissions of the protected accounts so that they match exactly those of AdminSDHolder again.

This means: No matter where you move a protected account in the directory, it will never inherit permissions from its new parent object. Inheritance is disabled for these accounts, which significantly increases their security.

The adminCount attribute

When a user becomes a member of a protected group, SDProp sets the object's adminCount attribute to 1 (and disables inheritance). If you later remove the account from the group, the attribute stays at 1 and inheritance stays disabled, so the object continues to inherit no permissions from its parent object even though it is no longer protected. A script can find these former protected objects and reset both the attribute and the ACL.
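Such a script, as an added example that is not part of the original article: it builds the set of objects that are still protected (the default protected groups from Microsoft's Appendix C, expanded recursively, plus the built-in Administrator and krbtgt accounts), honours any operator groups excluded via dSHeuristics, and reports every object that still carries adminCount=1 without being in that set. It assumes the RSAT ActiveDirectory module, read rights across the domain and, if you flip $Apply to $true, write rights on the affected objects. It is a dry run by default.

```powershell
# Added example (not from the original article): find objects whose adminCount is
# still 1 although they no longer belong to a protected group, and optionally clear
# the attribute and re-enable ACL inheritance. Dry run unless $Apply is $true.
Import-Module ActiveDirectory

$Apply      = $false                     # set to $true to fix the orphans
$domain     = Get-ADDomain
$rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain

# Default protected groups (Microsoft, Appendix C). Enterprise/Schema Admins exist
# only in the forest root, so they are resolved against the root PDC emulator.
$protected = @{
    'Account Operators'            = $domain.PDCEmulator
    'Administrators'               = $domain.PDCEmulator
    'Backup Operators'             = $domain.PDCEmulator
    'Domain Admins'                = $domain.PDCEmulator
    'Domain Controllers'           = $domain.PDCEmulator
    'Print Operators'              = $domain.PDCEmulator
    'Read-only Domain Controllers' = $domain.PDCEmulator
    'Replicator'                   = $domain.PDCEmulator
    'Server Operators'             = $domain.PDCEmulator
    'Enterprise Admins'            = $rootDomain.PDCEmulator
    'Schema Admins'                = $rootDomain.PDCEmulator
}

# dSHeuristics lives on the Directory Service object in the Configuration partition.
# Its 16th character is a bitmask (KB 817433) that excludes operator groups from
# AdminSDHolder protection: 1 Account, 2 Server, 4 Print, 8 Backup Operators.
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties dSHeuristics
$mask  = if ($dsObj.dSHeuristics.Length -ge 16) { [Convert]::ToInt32($dsObj.dSHeuristics[15].ToString(), 16) } else { 0 }
if ($mask -band 1) { $protected.Remove('Account Operators') }
if ($mask -band 2) { $protected.Remove('Server Operators')  }
if ($mask -band 4) { $protected.Remove('Print Operators')   }
if ($mask -band 8) { $protected.Remove('Backup Operators')  }

# Effective (recursive) membership of everything still protected, plus the two
# accounts SDProp always protects: the built-in Administrator (RID 500) and krbtgt.
$stillProtected = [System.Collections.Generic.HashSet[string]]::new()
foreach ($entry in $protected.GetEnumerator()) {
    $group = Get-ADGroup -Identity $entry.Key -Server $entry.Value -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    [void]$stillProtected.Add($group.DistinguishedName)
    Get-ADGroupMember -Identity $group -Recursive -Server $entry.Value |
        ForEach-Object { [void]$stillProtected.Add($_.DistinguishedName) }
}
[void]$stillProtected.Add((Get-ADUser -Identity "$($domain.DomainSID)-500").DistinguishedName)
[void]$stillProtected.Add((Get-ADUser -Identity 'krbtgt').DistinguishedName)

# Everything SDProp ever stamped, minus what is still protected, is an orphan.
$orphans = Get-ADObject -Filter 'adminCount -eq 1' -Properties adminCount, nTSecurityDescriptor |
    Where-Object { -not $stillProtected.Contains($_.DistinguishedName) }

foreach ($obj in $orphans) {
    Write-Host ("Orphaned adminCount=1: {0}" -f $obj.DistinguishedName)
    if (-not $Apply) { continue }
    $acl = $obj.nTSecurityDescriptor
    # First argument $false = stop protecting the DACL, i.e. re-enable inheritance;
    # the second keeps the explicit ACEs that are already there.
    $acl.SetAccessRuleProtection($false, $true)
    Set-ADObject -Identity $obj -Replace @{ nTSecurityDescriptor = $acl }
    Set-ADObject -Identity $obj -Clear adminCount
}
```

Review the dry-run output before applying: an orphan that is still, for example, a delegated OU admin is a candidate for clean-up, whereas a group you deliberately excluded via dSHeuristics will show up here by design and should be handled as a conscious decision, not as noise.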

Strategies to reduce the attack surface

In order to effectively reduce the attack surface of Active Directory, you should definitely implement the following measures:

Administrative models with the lowest rights

Do not use highly privileged accounts for day-to-day administration. Implement a delegation model that gives IT staff only the permissions they need for their specific tasks, and no more.

Specopssoft.com describes six common ways to do this: role-based access control, group policy objects, password policies, user permissions, adding users to appropriate groups, and auditing and reporting.

Secure administrative hosts

Manage your Active Directory only from dedicated, secure administration systems. These secure admin hosts are specially hardened computers that are not used for e-mail, browsing or other everyday tasks. This minimises the risk of keyloggers or malware intercepting privileged credentials.

At Frankysweb.de you will find a nice, detailed guide. Definitely worth reading! The follow-up article ‘Admin Tiers’ is also worth a click. The Microsoft Security Compliance Toolkit is helpful here as well.

Hardening of domain controllers

Domain controllers are the crown jewels of your IT infrastructure and must be extremely well protected. Set specific policies and settings to harden them against attacks. This includes limiting physical and logical access, as well as consistent monitoring.

By combining these technical controls, you can significantly reduce the risk to your Active Directory and create a more robust, secure infrastructure.

The easiest way to approach hardening is to “look at it from the other side”. The article at security-insider.de introduces the tools that are used for attacks. You should also have a look at this article on hardening and best practice. Here too, the Microsoft Security Compliance Toolkit is first class.

Using Microsoft's resources:

This section is about implementing technical controls to reduce the attack surface of an Active Directory installation.
First and foremost, the Microsoft documentation is a must-read!
All best-practice examples there are not only explained in detail but also backed by step-by-step instructions.

This section therefore contains the following information:

  • Implementing least-privilege administrative models: Identifies the risk posed by using highly privileged accounts for day-to-day administration and gives implementation recommendations to reduce that risk.
  • Implementing secure administrative hosts:
    Describes the principles for deploying dedicated, secure administrative systems, as well as some examples of deploying a secure administrative host.
  • Securing domain controllers against attacks:
    Discusses policies and settings that are similar to recommendations for implementing secure administrative hosts, but also include some domain controller-specific recommendations that help ensure that the domain controllers and the systems used to manage them are well protected.
  • Active Directory monitoring:
    A robust event log monitoring system is an essential part of your secure Active Directory design! Compromises can thus be detected at an early stage if appropriate monitoring of event logs and alerting is carried out. 
  • Maintenance, care and continuous improvement (CIP) of your Active Directory:
    You'll probably hear it again, but here too, security is not a sprint, it's a marathon. Once you have created a manageable, secure environment for critical corporate resources, focus on ensuring that it is reliably maintained and continuously improved.

Privileged accounts and groups

This section provides background on accounts and groups with comprehensive rights in Active Directory and explains the similarities and differences between them.

Regardless of whether you follow the recommendations in ‘Implementing least-privilege administrative models’, understanding these distinctions gives you the tools to protect each group and account adequately.

Additional information directly from learn.microsoft.com

The dSHeuristics attribute (it lives on the Directory Service object in the Configuration partition, not on AdminSDHolder itself) allows limited customization (removal) of the groups that are considered protected and are affected by AdminSDHolder and SDProp. Its 16th character is a bitmask that can exclude the four operator groups (Account, Server, Print and Backup Operators). Change it only after careful consideration, although there are valid circumstances in which such a change is useful.

For more information about changing the dSHeuristics attribute, see Microsoft Support article 817433 and Appendix C: Protected accounts and groups in Active Directory.

Although this describes the groups with the most extensive privileges in Active Directory, there are a number of other groups that have been granted elevated permission levels. For more information about all default and built-in groups in Active Directory and their assigned user rights, see Appendix B: Privileged accounts and groups in Active Directory.