tips and tricks to know if your active directory auditing tools are even working


Upload: beyondtrust

Post on 22-Jan-2018


TRANSCRIPT

Page 1: Tips and tricks to know if your active directory auditing tools are even working

Fortress that stands still: Tips and Tricks to Know if Your Active Directory Auditing Tools Are Even Working

@paulacqure

@CQUREAcademy

CONSULTING

Krzysztof Pietrzak
CQURE: Infrastructure & Security Expert
CQURE Academy: Trainer

Mike Jankowski-Lorek
CQURE: Cloud Solutions & Machine Learning Expert
CQURE Academy: Trainer

Page 2

What does CQURE Team do?

Consulting services

High quality penetration tests with useful reports

Applications

Websites

External services (edge)

Internal services

+ configuration reviews

Incident response emergency services – immediate reaction!

Security architecture and design advisory

Forensics investigation

Security awareness for management and employees


Trainings

Security Awareness trainings for executives

CQURE Academy: over 40 advanced security trainings for IT Teams

Certificates and exams

Delivered all around the world only by a CQURE Team: training authors

Page 3

Page 4

Agenda

Page 5

Auditing Active Directory

You must enable auditing in a domain-level GPO, with no override, to ensure every system in your domain is tracking important events.

For domain members you should audit failed logons, successful and failed account management, and policy change.

For directory servers you should monitor critical directory object changes.

Use the same GPO to boost the security log size, because with the increased auditing you'll need it (but don't overdo this).
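The slide tells you what to audit and where to set it, but the talk's title is about knowing whether those settings are actually working. The following PowerShell script is an added example, not code from the slides or from CQURE or BeyondTrust. It reads the effective audit policy with auditpol.exe (which reflects what the domain GPO really applied on the host), compares it with the slide's recommendations, checks that the Security log is large enough, and looks for the corresponding events in the log. The mapping of the slide's wording to auditpol subcategories (Logon, User Account Management, Audit Policy Change, Directory Service Changes) and to standard Security log event IDs is my choice; the 24-hour lookback, the 256 MB log-size floor and English-language auditpol output are assumptions for this example.

```powershell
# Added example (not from the slides): verify that the auditing the deck
# recommends is actually in effect on this host and that the Security log
# is receiving the matching events. Run in an elevated PowerShell on a domain
# member or domain controller. Subcategory names are the auditpol.exe names
# (English output assumed); event IDs are the standard Security log IDs; the
# 24-hour lookback and the 256 MB log-size floor are assumptions for this example.

function Get-EffectiveAuditPolicy {
    # auditpol reports the *effective* policy, i.e. what the domain GPO actually
    # applied on this machine, which is the thing the deck says you must verify.
    $table = @{}
    foreach ($line in (auditpol.exe /get /category:* 2>$null)) {
        # Subcategory rows are indented two spaces: "  Logon        Success and Failure"
        if ($line -match '^\s{2}(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            $table[$matches[1]] = $matches[2]
        }
    }
    return $table
}

function Test-AuditSetting {
    param([string]$Actual, [string]$Required)
    # 'Success and Failure' covers every requirement; a one-sided setting only
    # satisfies a requirement for that same side.
    switch ($Required) {
        'Success and Failure' { return $Actual -eq 'Success and Failure' }
        'Success'             { return $Actual -in @('Success', 'Success and Failure') }
        'Failure'             { return $Actual -in @('Failure', 'Success and Failure') }
    }
    return $false
}

function Test-AdAuditHealth {
    param([int]$LookbackHours = 24, [long]$MinLogBytes = 256MB)

    # Slide recommendations for every domain member (mapping is this example's choice).
    $expected = @(
        @{ Subcategory = 'Logon';                   Required = 'Failure';             EventIds = @(4625) }
        @{ Subcategory = 'User Account Management'; Required = 'Success and Failure'; EventIds = @(4720, 4722, 4724, 4725, 4726, 4738, 4740) }
        @{ Subcategory = 'Audit Policy Change';     Required = 'Success and Failure'; EventIds = @(4719) }
    )
    # Directory servers additionally need directory object change auditing.
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
    $isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    if ($isDC) {
        $expected += @{ Subcategory = 'Directory Service Changes'; Required = 'Success'; EventIds = @(5136, 5137, 5141) }
    }

    $policy = Get-EffectiveAuditPolicy
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $rows   = @(foreach ($e in $expected) {
        $actual = $policy[$e.Subcategory]
        # No events in the window is not always a fault (there may simply have been
        # no policy change); no failed logons at all on a busy host is suspicious.
        $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $e.EventIds; StartTime = $since } `
                               -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Subcategory    = $e.Subcategory
            Required       = $e.Required
            Effective      = if ($actual) { $actual } else { '<not reported>' }
            PolicyOK       = Test-AuditSetting -Actual $actual -Required $e.Required
            EventsInWindow = [bool]$recent
        }
    })

    # The deck says to raise the Security log size in the same GPO; check the
    # configured maximum so the extra auditing does not simply wrap the log.
    $secLog = Get-WinEvent -ListLog Security
    $rows += [pscustomobject]@{
        Subcategory    = 'Security log max size'
        Required       = ('>= {0} MB' -f ($MinLogBytes / 1MB))
        Effective      = ('{0} MB' -f [math]::Round($secLog.MaximumSizeInBytes / 1MB))
        PolicyOK       = $secLog.MaximumSizeInBytes -ge $MinLogBytes
        EventsInWindow = $null
    }
    return $rows
}

# Usage: any row with PolicyOK = False means the domain GPO is not reaching this
# host or is being overridden locally, which is exactly the gap the slide warns about.
Test-AdAuditHealth | Format-Table -AutoSize
```

Run it on a sample of members and on every domain controller; a host whose effective policy matches but which shows no events in the window usually points at a log that is being cleared or forwarded and truncated, which is worth checking before trusting any downstream auditing tool.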

Page 6

Active Directory Dynamic Objects

Page 7

What is the most successful path for the attack right now?

Page 8

THE ANATOMY OF AN ATTACK

Healthy Computer

User Receives Email

User Lured to Malicious Site

Device Infected with Malware

Page 9

HelpDesk Logs into Device

Identity Stolen, Attacker Has Increased Privs

Page 10

(Build slide repeating the full chain from pages 8 and 9: Healthy Computer, User Receives Email, User Lured to Malicious Site, Device Infected with Malware, HelpDesk Logs into Device, Identity Stolen, Attacker Has Increased Privs)

Page 11

Page 12

Chasing the obvious: NTDS.DIT, SAM

The above means:

To read the clear text password you need to struggle!

To perform an analysis on NTDS.DIT the following information sources are needed from the domain controller:

NTDS.DIT

Registry hives (at least the SYSTEM hive)

SAM and ntds.dit are stored locally on the server's drive

They do not contain clear-text passwords

Page 13

Auditing Active Directory is not enough!

Page 14

Summary

Start monitoring your AD professionally

Know who has changed what and when

If you detect a successful attack:

Report the issue

Investigate or do a penetration test / AD audit

Perform regular AD health checks

Database changes, permissions on top-level objects: we commit obvious mistakes

Page 15

Page 16

PowerBroker Auditing & Security Suite

Real-time Change Auditing and Recovery for AD and Windows environments

Page 17

PowerBroker Auditing & Security Suite

Centralized real-time change auditing of Active Directory, File Systems, Exchange, SQL and NetApp

Entitlement reporting for AD and File Systems

Continuous backup and recovery for AD

Page 18

How does it work?

Page 19

Demonstration

Page 20

Quick Poll + Q&A

Thank you for attending today's webinar.