The bad guys have dreamed up a lot of new ways to attack Active Directory and the larger Windows environment. And methods that in the past were just theoretical are now common place. I’ve been talking a lot about how to detect these attacks and also how to architect your environment to prevent them – such as with the “red forest” design. In this webinar, we are going to show you over 12 different ways to harden Windows using Security Options in Group Policy, registry settings and otherwise. Here are some of what we’ll cover:
• LSA Protection
• WDigest
• Computer Password Policy Refresh Interval
• Limit local user account logon restrictions with the S-1-5-113 (Local account) and S-1-5-114 (Local account and member of Administrators group) SIDs
• Restrict Domain and Enterprise Admins from logging on to less privileged servers and workstations
• Mark privileged accounts as “sensitive and cannot be delegated”
• Restrict NTLM by putting privileged accounts in the Protected Users security group
• Restricted Admin mode for Remote Desktop Connection
• PowerShell Script Block Logging and ConstrainedLanguage Mode
• PAC Validation
Not all of these are new settings in Windows; some have been around for years, but there’s either a new use for the setting or the setting mitigates an exploit that is much more viable than in the past. And therefore, I’m calling all of these “new”. Take “Computer Password Policy Refresh Interval” for example. This Security Options policy has been around since I can remember. And it was there to address a “theoretical” risk. After all, why should computers need to change their password since, unlike human users, computers don’t write the passwords down on sticky notes, share them or choose easy-to-guess passwords. But this policy becomes much more important in the light of mimikatz and related credential artifact attacks. In this case, it’s specifically to do with so-called “silver tickets”. If an attacker compromises a computer and gets its password hash, they can create silver tickets to elevate credentials and hide their identity. By disabling the password reset policy (default 30 days), they can keep this access forever.
We’ll also look at how to use password silos and logon rights to restrict Domain and Enterprise Admins from logging on to less privileged servers and workstations. This is extremely important to protect against pass-the-hash attacks.
A final example is “Configuring Additional LSA Protection”. This setting is available starting with Windows Server 2012 R2 but very few people understand why it’s there or what it protects against. Again, mimikatz makes this a very important setting. We’ll show you why, and with all of these settings, discuss any caveats that you need to consider.
This real training for free session is technical and focused on prevention. Jeff Warren from STEALTHbits is helping me put this real training for free session together and Jeff will briefly show you how STEALTHbits can help you defend your network against modern attacks.