Domain Controller Hardening
At Black Hat USA this past summer I spoke about AD for the security professional and provided tips on how to best secure Active Directory.
Domain controller hardening. Because domain controllers can read from and write to anything in the AD DS database, compromise of a domain controller means that your Active Directory forest can never be considered trustworthy again unless you are able to recover using a known good backup and, in the process, close the gaps that allowed the compromise. Awesome Windows Domain Hardening. They can become Domain Admin.
Every DC has the Default Domain Controllers Policy in place by default, but this GPO creates several escalation paths to Domain Admin if, for example, you have any members in Backup Operators or Server Operators. Therefore we need a combined security baseline for these two services. This post focuses on domain controller security, with some crossover into Active Directory security.
Created by gepeto42 and PaulWebSec, but heavily inspired by PyroTek3's research. This document summarizes the information related to PyroTek3 and harmj0y's DerbyCon talk, "111 Attacking EvilCorp: Anatomy of a Corporate Hack". If you're building a web server, for example, you're only going to want the web ports 80 and 443 open to that server from the internet.
Protected accounts and groups in Active Directory. Active Directory security effectively begins with ensuring that domain controllers (DCs) are configured securely. The blog is called.
Maintaining a more secure environment. Domain controller security hardening: GPO baseline customization. Domain controllers typically run Active Directory Domain Services and the DNS service at the same time. The settings are not applied if the GPO is linked to the Domain Controllers OU.
Basically, the default settings of domain controllers are not hardened. Privileged accounts and groups in Active Directory. Securing domain controllers against attack.