M1015 Active Directory Configuration
Implement robust Active Directory (AD) configurations using group policies to secure user accounts, control access, and minimize the attack surface. AD configurations enable centralized control over account settings, logon policies, and permissions, reducing the risk of unauthorized access and lateral movement within the network. This mitigation can be implemented through the following measures:
Account Configuration:
- Implementation: Use domain accounts instead of local accounts to leverage AD’s centralized management, including group policies, auditing, and access control.
- Use Case: For IT staff managing shared resources, provision domain accounts that allow IT teams to log in centrally, reducing the risk of unmanaged, rogue local accounts on individual machines.
Interactive Logon Restrictions:
- Implementation: Configure group policies to restrict interactive logons (e.g., direct physical or RDP logons) for service accounts or privileged accounts that do not require such access.
- Use Case: Prevent service accounts, such as SQL Server accounts, from having interactive logon privileges. This reduces the risk of these accounts being leveraged for lateral movement if compromised.
Remote Desktop Settings:
- Implementation: Limit Remote Desktop Protocol (RDP) access to specific, authorized accounts. Use group policies to enforce this, allowing only necessary users to establish RDP sessions.
- Use Case: On sensitive servers (e.g., domain controllers or financial databases), restrict RDP access to administrative accounts only, while all other users are denied access.
Dedicated Administrative Accounts:
- Implementation: Create domain-wide administrative accounts that are restricted from interactive logons, designed solely for high-level tasks (e.g., software installation, patching).
- Use Case: Create separate administrative accounts for different purposes, such as one set of accounts for installations and another for managing repository access. This limits exposure and helps reduce attack vectors.
Authentication Silos:
- Implementation: Configure Authentication Silos in AD, using group policies to create access zones with restrictions based on membership, such as the Protected Users security group. This restricts access to critical accounts and minimizes exposure to potential threats.
- Use Case: Place high-risk or high-value accounts, such as executive or administrative accounts, in an Authentication Silo with extra controls, limiting their exposure to only necessary systems. This reduces the risk of credential misuse or abuse if these accounts are compromised.
Tools for Implementation:
- Active Directory Group Policies: Use Group Policy Management Console (GPMC) to configure, deploy, and enforce policies across AD environments.
- PowerShell: Automate account configuration, logon restrictions, and policy application using PowerShell scripts.
- AD Administrative Center: Manage Authentication Silos and configure high-level policies for critical user groups within AD.
| Item | Value |
|---|---|
| ID | M1015 |
| Version | 1.2 |
| Created | 06 June 2019 |
| Last Modified | 10 December 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.005 | SID-History Injection | Clean up SID-History attributes after legitimate account migration is complete. |
| enterprise | T1606 | Forge Web Credentials | - |
| enterprise | T1606.002 | SAML Tokens | For containing the impact of a previously forged SAML token, rotate the token-signing AD FS certificate in rapid succession twice, which will invalidate any tokens generated using the previous certificate.7 |
| enterprise | T1003 | OS Credential Dumping | |
| Manage the access control list for “Replicating Directory Changes All” and other permissions associated with domain controller replication. 13 11 Consider adding users to the “Protected Users” Active Directory security group. This can help limit the caching of users’ plaintext credentials.9 | |||
| enterprise | T1003.005 | Cached Domain Credentials | Consider adding users to the “Protected Users” Active Directory security group. This can help limit the caching of users’ plaintext credentials.9 |
| enterprise | T1003.006 | DCSync | Manage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication.1011 |
| enterprise | T1072 | Software Deployment Tools | Ensure proper system and access isolation for critical network systems through use of group policy. |
| enterprise | T1649 | Steal or Forge Authentication Certificates | Ensure certificate authorities (CA) are properly secured, including treating CA servers (and other resources hosting CA certificates) as tier 0 assets. Harden abusable CA settings and attributes. |
| enterprise | T1558 | Steal or Forge Kerberos Tickets | For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.1 |
| enterprise | T1558.001 | Golden Ticket | For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.1 |
| enterprise | T1552 | Unsecured Credentials | Remove vulnerable Group Policy Preferences.2 |
| enterprise | T1552.006 | Group Policy Preferences | Remove vulnerable Group Policy Preferences.2 |
| enterprise | T1550 | Use Alternate Authentication Material | Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. |
| enterprise | T1550.003 | Pass the Ticket | To contain the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it.12 For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.1 |
| enterprise | T1078 | Valid Accounts | Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead. |
| enterprise | T1078.004 | Cloud Accounts | Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead. |
References
-
UCF. (n.d.). The password for the krbtgt account on a domain must be reset at least every 180 days. Retrieved November 5, 2020. ↩↩↩
-
Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015. ↩↩
-
Microsoft. (2014, November 19). Security Considerations for Trusts. Retrieved November 30, 2017. ↩
-
Microsoft. (n.d.). Configuring SID Filter Quarantining on External Trusts. Retrieved November 30, 2017. ↩
-
Microsoft. (2012, September 11). Command-Line Reference - Netdom Trust. Retrieved November 30, 2017. ↩
-
Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017. ↩
-
Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021. ↩
-
Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022. ↩
-
Microsoft. (2016, October 12). Protected Users Security Group. Retrieved May 29, 2020. ↩↩
-
Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017. ↩
-
Microsoft. (n.d.). How to grant the “Replicating Directory Changes” permission for the Microsoft Metadirectory Services ADMA service account. Retrieved December 4, 2017. ↩↩
-
Sean Metcalf. (2014, November 10). Kerberos & KRBTGT: Active Directory’s Domain Kerberos Service Account. Retrieved January 30, 2020. ↩
-
Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017. ↩