Protect that Active Directory
Active Directory is the cornerstone of Windows administration, and it is becoming an even more critical component as organizations continue moving their workloads to the cloud. No longer limited to handling authentication and management for on-premises internal corporate networks, AD can now also provide identity and authentication in Microsoft Azure.
Windows administrators, security professionals, and attackers all have different perspectives of Active Directory, Sean Metcalf, a Microsoft Certified Master for Active Directory and founder of security company Trimarc, told Black Hat attendees. For the administrator, the focus is on uptime and ensuring AD responds to queries within a reasonable window. Security professionals monitor Domain Admin group membership and keep up with software updates. The attacker looks at the security posture for the enterprise to find the weakness. None of the groups has the complete picture, Metcalf said.
All authenticated users have read access to most, if not all, objects and attributes in Active Directory, Metcalf said during the talk. A standard user account can compromise an entire Active Directory domain because of improperly granted modify rights on domain-linked group policy objects and organizational units. Through custom OU permissions, a user can modify users and groups without holding elevated rights, or can abuse SID History, an attribute of AD user account objects, to gain elevated rights, Metcalf said.
If Active Directory is not secured, then AD compromise becomes even more likely.
Metcalf outlined strategies to help enterprises avoid common mistakes, and it boils down to protecting administrator credentials and isolating critical resources. Stay on top of software updates, especially patches addressing privilege-escalation vulnerabilities, and segment the network to make it harder for attackers to move through laterally.
Security professionals should identify who has administrator rights for AD and for the virtual environments hosting virtual domain controllers, as well as who can log on to domain controllers. They should scan Active Directory domains, the AdminSDHolder object, and group policy objects (GPOs) for inappropriate custom permissions, and ensure that domain administrators (AD administrators) never log on to untrusted systems such as workstations with their sensitive credentials. Service account rights should also be limited.
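The checks listed above, and the custom-OU-permission and SID History abuse described earlier, can all be audited with read-only queries. The following script is an added example, not code from the article or from Metcalf's talk. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules are installed, that the host is domain-joined, and that the running user can read the directory (which, as the article notes, any authenticated user can). The list of "expected" privileged trustees is an assumption to be tuned per environment; anything it flags is a starting point for review, not a verdict.

```powershell
# Added example (not from the article or Metcalf's talk): read-only audit of AD admin
# group membership, AdminSDHolder and OU ACLs, GPO edit rights, and SID History.
# Assumes RSAT ActiveDirectory + GroupPolicy modules on a domain-joined host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Assumed set of trustees that legitimately hold write rights on privileged objects.
# Any other trustee holding such rights is a "custom permission" worth a closer look.
$expectedAdmins = @('SYSTEM', 'Administrators', 'Domain Admins', 'Enterprise Admins',
                    'Enterprise Key Admins', 'Key Admins', 'SELF')
# Rights that allow changing an object or its security descriptor.
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'

function Get-TrusteeName([string]$identity) {
    # "CONTOSO\Domain Admins" -> "Domain Admins"; unresolved SIDs are returned unchanged
    if ($identity -match '\\') { $identity.Split('\')[-1] } else { $identity }
}

function Get-SuspiciousAces([string]$dn) {
    # Explicit (non-inherited) Allow ACEs granting write-type rights to unexpected trustees
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights.ToString() -match $writeRights) -and
            ((Get-TrusteeName $_.IdentityReference.Value) -notin $expectedAdmins)
        } |
        Select-Object @{n='Object';e={$dn}}, IdentityReference, ActiveDirectoryRights
}

# 1. Who actually holds AD administrator rights, with nested group membership resolved.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
Write-Host "`n== Members of privileged groups =="
foreach ($g in $privilegedGroups) {
    try {
        # Enterprise Admins and Schema Admins exist only in the forest root domain
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop | ForEach-Object {
            "{0,-20} {1,-12} {2}" -f $g, $_.objectClass, $_.distinguishedName
        }
    } catch { Write-Verbose "Group '$g' not found in this domain" }
}

# 2. AdminSDHolder: SDProp copies its DACL onto every protected account, so a single
#    stray ACE here silently grants rights over all administrators.
Write-Host "`n== Unexpected write ACEs on AdminSDHolder =="
Get-SuspiciousAces "CN=AdminSDHolder,CN=System,$domainDN" | Format-Table -AutoSize

# 3. Custom OU permissions: these let a non-admin modify the users and groups beneath the OU.
Write-Host "`n== Unexpected write ACEs on organizational units =="
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-SuspiciousAces $_.DistinguishedName } |
    Format-Table -AutoSize

# 4. GPO edit rights: a GPO linked at the domain or an OU applies to everything beneath it.
Write-Host "`n== Non-admin trustees with GPO edit rights =="
Get-GPO -All | ForEach-Object {
    $gpo = $_
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object {
            $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom' -and
            $_.Trustee.Name -notin $expectedAdmins
        } |
        Select-Object @{n='GPO';e={$gpo.DisplayName}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission
} | Format-Table -AutoSize

# 5. SID History: an account carrying a privileged group's SID in sIDHistory gets that
#    group's rights without appearing in its member list. Domain Admins is RID 512,
#    Enterprise Admins RID 519; BUILTIN\Administrators is the well-known S-1-5-32-544.
Write-Host "`n== Accounts with privileged SIDs in sIDHistory =="
$privilegedSids = @("$($domain.DomainSID)-512", "$($domain.DomainSID)-519", 'S-1-5-32-544')
Get-ADObject -Filter 'sIDHistory -like "*"' -Properties sIDHistory, objectClass |
    ForEach-Object {
        $obj = $_
        foreach ($sid in $obj.sIDHistory) {
            if ($sid.Value -in $privilegedSids) {
                [pscustomobject]@{ Object = $obj.DistinguishedName; Class = $obj.objectClass; HistorySid = $sid.Value }
            }
        }
    } | Format-Table -AutoSize
```

Run it from a management workstation rather than a domain controller, and treat every line of output as a lead to investigate: some legitimate delegation models grant OU write rights to help-desk groups, and those should be reconciled against the documented delegation rather than removed blindly. The script does not cover who can log on to domain controllers, which lives in the user-rights assignments of the GPOs linked to the Domain Controllers OU and must be reviewed there.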
Get AD security right, and many common attacks are mitigated or become less effective, Metcalf said.
Virtualization to contain attacks
Microsoft introduced virtualization-based security (VBS), a set of security features baked into the hypervisor, in Windows 10. The attack surface for VBS is different from that of other virtualization implementations, said Rafal Wojtczuk, chief security architect at Bromium.
“Despite its limited scope, VBS is useful -- it prevents certain attacks that are straightforward without it,” Wojtczuk said.
Hyper-V has control over the root partition, and it can implement extra restrictions and provide secure services. When VBS is enabled, Hyper-V creates a specialized virtual machine with a high trust level to carry out security-critical operations. Unlike other VMs, this specialized machine is protected from the root partition. Windows 10 can enforce code integrity of user-mode binaries and scripts, and VBS handles kernel-mode code. VBS is designed to prevent any unsigned code from executing in the kernel context, even if the kernel has been compromised. Essentially, trusted code running in the special VM grants execute rights in the root partition’s extended page tables (EPT) only to pages storing signed code. Since a page can’t be both writable and executable at the same time, malware can’t enter kernel mode that way.
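The protection described above only applies if VBS and its hypervisor-enforced code integrity (HVCI) service are actually running, so a defender's first step is to verify that state. The script below is an added example, not from the article or from Wojtczuk's talk. It reads Microsoft's documented Win32_DeviceGuard WMI class and decodes the status codes Microsoft documents for it; the optional remediation writes the documented DeviceGuard registry values and is disabled unless `$Remediate` is set, an assumption of this script rather than anything the article describes.

```powershell
# Added example (not from the article): check whether VBS and HVCI are running on a
# Windows 10 host, and optionally set the documented registry values to enable them.
# Requires an elevated PowerShell session; enabling HVCI takes effect after a reboot.
$Remediate = $false   # set to $true to write the enabling registry values

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Documented meanings of VirtualizationBasedSecurityStatus
$vbsStatus = @{ 0 = 'disabled'; 1 = 'enabled but not running'; 2 = 'running' }
# Documented service IDs in SecurityServicesConfigured / SecurityServicesRunning;
# newer builds report additional IDs, which are shown by number.
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (hypervisor-enforced code integrity)' }

function Describe-Services([uint32[]]$ids) {
    if (-not $ids) { return 'none' }
    ($ids | ForEach-Object { if ($services.ContainsKey([int]$_)) { $services[[int]$_] } else { "service $_" } }) -join ', '
}

"VBS status         : {0}" -f $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
"Services configured: {0}" -f (Describe-Services $dg.SecurityServicesConfigured)
"Services running   : {0}" -f (Describe-Services $dg.SecurityServicesRunning)

$hvciRunning = 2 -in $dg.SecurityServicesRunning
if ($hvciRunning) {
    Write-Host 'HVCI is running: kernel-mode pages get execute rights only if the code is signed.'
} else {
    Write-Warning 'HVCI is not running; unsigned kernel-mode code is not blocked by the hypervisor.'
    if ($Remediate) {
        # Documented DeviceGuard registry settings (Microsoft: "Enable virtualization-based
        # protection of code integrity"). RequirePlatformSecurityFeatures 1 = Secure Boot.
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
        $hvci = "$base\Scenarios\HypervisorEnforcedCodeIntegrity"
        New-Item -Path $hvci -Force | Out-Null
        Set-ItemProperty -Path $base -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
        Set-ItemProperty -Path $base -Name RequirePlatformSecurityFeatures  -Type DWord -Value 1
        Set-ItemProperty -Path $hvci -Name Enabled -Type DWord -Value 1
        Write-Host 'Registry updated; reboot and re-run this script to confirm HVCI is running.'
    }
}
```

Check the "configured" and "running" lines separately: a host can have HVCI configured but not running when the firmware lacks the required virtualization extensions or an incompatible kernel driver blocks it, and that gap is what the status check is meant to surface before anyone relies on the protection.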