{"id":6896,"date":"2021-10-13T07:50:00","date_gmt":"2021-10-13T07:50:00","guid":{"rendered":"https:\/\/www.insentragroup.com\/gb\/insights\/uncategorized\/protecting-active-directory-part-3-long-term-projects\/"},"modified":"2022-04-29T02:59:33","modified_gmt":"2022-04-29T02:59:33","slug":"protecting-active-directory-part-3-long-term-projects","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/gb\/insights\/geek-speak\/secure-workplace\/protecting-active-directory-part-3-long-term-projects\/","title":{"rendered":"Protecting Active Directory Part 3 \u2013 Long Term Projects"},"content":{"rendered":"\n<p>In Part 2 of our series \u2018<a>Protecting Active Directory \u2013 Near Term Wins\u2019<\/a>, we outlined several near-term, \u2018quick win\u2019 activities an organization can implement to reduce the risk of compromise. This article will build on the mitigations from the previous article and move the defense into a more proactive posture.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#f16020\"><strong>1. <em>Leaked Credential Protection<\/em><\/strong><\/p>\n\n\n\n<p>Many organizations are in a hybrid identity configuration with Azure Active Directory. Azure AD Connect is the Microsoft tool designed to enable hybrid identity features such as user and group object synchronization and password hash synchronization (PHS), a sign-in method which synchronizes a hash of a user\u2019s on-premises AD password with Azure AD. My colleague Hambik Matvosian spoke about <a href=\"https:\/\/www.insentragroup.com\/gb\/insights\/geek-speak\/fasttrack\/aad-connect-and-beyond\/\" target=\"_blank\" rel=\"noreferrer noopener\">Azure AD Connect in a previous edition of his monthly Fast Track Update<\/a>.<\/p>\n\n\n\n<p>When enabling PHS, it also enables leaked credential detection for your hybrid accounts. When cybercriminals compromise valid passwords of legitimate users, they often share those credentials. 
This sharing is typically done by posting publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they are checked against Azure AD users&#8217; current valid credentials to find valid matches.<\/p>\n\n\n\n<p>Microsoft works alongside dark web researchers and law enforcement agencies to find publicly available username\/password pairs. If any of these pairs match those of our users, the associated account is moved to high risk.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#f16020\"><strong>2. <em>Enable Credential Guard on User Workstations<\/em><\/strong><\/p>\n\n\n\n<p>Previous versions of Windows stored secrets in the Local Security Authority (LSA). Malicious actors who can gain privileged access to an endpoint can query the LSA for the secrets in memory and compromise a hash or ticket, which could then be used in a Pass-The-Hash or Pass-The-Ticket attack allowing them to move laterally within an organization.<\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/identity-protection\/credential-guard\/credential-guard\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Windows Defender Credential Guard<\/a> is a security feature in Windows 10 Enterprise and Windows Server 2016 and <a>above<\/a> which uses virtualization-based security to protect credentials. Credential Guard protects against these LSA attacks: when it is enabled, a new component called the \u2018isolated LSA process\u2019 stores and protects the secrets, and that process cannot be queried by attackers.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#f16020\"><strong>3. <em>Privileged Access Management<\/em><\/strong><\/p>\n\n\n\n<p>Humans are always the weakest link in the cybersecurity chain. 
Knowing that the more privileges and access a user is granted, the greater the potential for abuse, exploit, or error, it is vital to secure and monitor these core enterprise identities.<\/p>\n\n\n\n<p>Privileged Access Management (PAM) refers to cybersecurity strategies and technologies to control, monitor, secure and audit all privileged identities and activities across an enterprise IT environment. A central goal of PAM is the enforcement of least privilege, where users are only delegated the minimum levels of access required to perform their job functions at the right time.<\/p>\n\n\n\n<p>All IT organizations need to apply some control over privileged accounts, and how each approaches this depends on many factors. A small IT organization may be able to govern privileged access through manual controls. For larger, more complex IT organizations, PAM software should be employed.<\/p>\n\n\n\n<p>PAM solutions vary in scope and features. Most have capabilities to assign privileged account access, manage passwords and track privileged account sessions. When choosing a PAM solution, an organization must consider its unique security, IT, business and organizational requirements.<\/p>\n\n\n\n<p>My colleague Dan Snape wrote more about <a href=\"https:\/\/www.insentragroup.com\/gb\/insights\/geek-speak\/secure-workplace\/pim-and-pam-in-office-365\/\">PAM (and PIM) in this blog<\/a>.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#f16020\"><strong>4. <em>Privileged Access Strategy<\/em><\/strong><\/p>\n\n\n\n<p>Microsoft\u2019s <a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/overview\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Privileged Access Strategy<\/a>, built on the Zero Trust principles of explicit validation, least privilege and assumption of breach, underscores the concept that user access to resources and data must be kept separate from privileged access, with appropriate controls and pathways for accessing the various tiers. 
The strategy is to create an isolated virtual zone where sensitive accounts can operate with low risk. By securing privileged access, you can effectively block unauthorized pathways and leave a select few authorized access pathways which are protected and closely monitored.<\/p>\n\n\n\n<p>One component of this strategy is a <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-identity-manager\/pam\/planning-bastion-environment\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">bastion<\/a> environment, a hardened, dedicated Windows Server 2016\/2019 Active Directory forest (shadow forest) which enables organizations to manage administrative accounts, workstations and groups in an environment which has stronger security controls than their existing production environment. Some core components to make up the bastion environment include a Privileged Identity Management (PIM) trust, shadow principals and temporary group memberships.<\/p>\n\n\n\n<p>Active Directory still plays a vital role in access and security for many organizations, both on-premises and now in the cloud. The aim of this series was to assert how important it is to put strong Active Directory security in place. 
Poor management and misconfiguration of Active Directory can enable a criminal attacker to gain access to an organization\u2019s critical systems and deploy malicious payloads, like ransomware, bringing business to an abrupt halt.<\/p>\n\n\n\n<p>To recap, head back to <a>Part 1 and Part 2 of this series.<\/a><\/p>\n\n\n\n<p><strong>Recommended Additional Reading:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/plan\/security-best-practices\/best-practices-for-securing-active-directory\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Best Practices for Securing Active Directory<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In Part 2 of our series \u2018Protecting Active Directory \u2013 Near Term Wins\u2019, we outlined several near-term, \u2018quick win\u2019 activities an organization <\/p>\n","protected":false},"author":117,"featured_media":6897,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[20],"tags":[110,88,76,77,111,112,113,58,114,59,60,49,94,115],"class_list":["post-6896","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-workplace","tag-access-management","tag-active-directory","tag-azure","tag-azure-ad","tag-azure-ad-connect","tag-credentials","tag-data-protection","tag-it-security","tag-local-security-authority","tag-microsoft","tag-microsoft-365","tag-microsoft-fasttrack","tag-ms-partner","tag-password-syncronisation","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/6896","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\
/gb\/wp-json\/wp\/v2\/users\/117"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/comments?post=6896"}],"version-history":[{"count":3,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/6896\/revisions"}],"predecessor-version":[{"id":9705,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/6896\/revisions\/9705"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/media\/6897"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/media?parent=6896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/categories?post=6896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/tags?post=6896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}