
Configure Active Directory Authentication Policies to protect Tier 0

Brandon Lee
Posts: 542
Member Admin
Topic starter

While there are many great next-generation endpoint security tools available, it is better to prevent compromise than rely on cybersecurity defenses. Identity is still the target of attackers time and again.

Analysts observe that attackers typically use many of the same techniques, with Active Directory (AD) Domain control (Tier 0 compromise) being an important phase in the majority of cyberattacks. Securing Tier 0 is thus deemed a foundational step in fortifying Active Directory, a sentiment underscored in the discussed article aimed at aiding in such endeavors.

A refresher on the AD Administrative Tier Model elucidates its design to thwart privilege escalation by delineating administrative control and login capabilities. This model is particularly crucial for safeguarding Tier 0, ensuring that credentials from this tier are insulated from exposure to systems in lower tiers (Tier 1 or Tier 2).

First, what is Tier 0? Tier 0 encompasses accounts and groups with direct or indirect administrative sway over all AD-related identities and systems. Identifying direct administrative control, such as membership in the Domain Admins group, is straightforward, whereas indirect control, exemplified by the capabilities of a virtualization host admin over a Domain Controller, can be elusive. Thus, environments hosting Tier 0 entities are classified as Tier 0 systems, including the virtualization admin accounts.

The three core principles of the AD Administrative Tier Model include prohibiting higher-tier credential exposure to lower-tier systems, allowing lower-tier credentials to utilize services from higher tiers but not vice versa, and classifying any entity managing a higher tier as belonging to that tier.

The implementation strategies for the AD Administrative Tier Model typically involve a complex array of Group Policies to prevent higher-tier administrators from exposing their credentials to lesser tier systems. However, this strategy is susceptible to bypassing by local administrators and is limited to Active Directory joined Windows computers. A more resilient approach involves the use of Authentication Policies, which confine high-privilege credentials to pertinent systems, thereby offering a robust defense against credential theft attacks.

Authentication Policies leverage the Kerberos protocol extension, FAST (Flexible Authentication Secure Tunneling), to encrypt pre-authentication communications and ensure message integrity, thereby offering protection against offline dictionary attacks and other vulnerabilities.

The process to limit Tier 0 account usage to appropriate hosts involves enabling Kerberos Armoring across the domain, creating a structured Organizational Unit (OU) that segregates Tier 0 accounts, and formulating Authentication Policies that specify allowed authentication sources.

Further discussions delve into the intricacies of Authentication Policies, highlighting the necessity for Privileged Access Workstations (PAWs) to mitigate risks associated with compromised administrative endpoints. The modern approach to Tier 0 protection incorporates cloud-based security features provided by Azure Entra ID, alongside traditional on-premises strategies.

Automation emerges as a solution to the complexities and dynamic nature of maintaining Tier 0 security, with PowerShell tools developed to streamline the creation and management of the necessary OU structure, security groups, and Authentication Policies.

Concluding remarks emphasize prerequisites for implementing Kerberos Authentication Policies, special settings for enhanced security, the importance of Break Glass accounts for emergency access, the clean source principle for maintaining trustworthiness in security dependencies, and the critical review of Access Control Lists (ACLs) at the domain's root level. This comprehensive approach underscores the importance of meticulous planning and execution in securing Tier 0 against sophisticated cyber threats.

Posted: 23/02/2024 10:25 pm
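The procedure the post summarizes (enable Kerberos armoring, segregate Tier 0 accounts in their own OU, then restrict where those accounts may obtain a TGT from) can be expressed with the ActiveDirectory PowerShell module's Authentication Policy cmdlets. The script below is an added example, not code from the post, the summarized article, or the PowerShell tooling it mentions. The domain name, OU path, policy and silo names, PAW host names and the admin account name are assumptions chosen for illustration; the registry check assumes WinRM access to the domain controllers.

```powershell
# Added example: Tier 0 Authentication Policy and Silo with the ActiveDirectory module.
# All names below are assumed for illustration and are not values from the post.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$PolicyName = 'Tier0-Policy'                 # assumed policy name
$SiloName   = 'Tier0-Silo'                   # assumed silo name
$Tier0OU    = 'OU=Tier0,DC=corp,DC=example'  # assumed OU that holds Tier 0 accounts
$PawHosts   = @('PAW01', 'PAW02')            # assumed Privileged Access Workstations
$Tier0Users = @('t0-admin')                  # assumed Tier 0 administrative account

# Step 1: prerequisite check. Authentication Policies only work once Kerberos armoring (FAST)
# is on, which the "KDC support for claims, compound authentication and Kerberos armoring"
# GPO setting turns on. Read the value it writes on every DC instead of trusting that the GPO applied.
function Test-KerberosArmoring {
    $kdcKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $params = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-ItemProperty -Path $using:kdcKey -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            ArmoringEnabled  = ($params.EnableCbacAndArmor -eq 1)
        }
    }
}

# Step 2: create the policy in audit mode (no -Enforce). The SDDL grants the user a TGT only when
# the request comes from a device that is itself a member of the Tier 0 silo, so a Tier 0
# credential typed on a Tier 1 or Tier 2 host simply never gets a ticket.
function New-Tier0AuthenticationPolicy {
    $sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $SiloName + '"))'
    New-ADAuthenticationPolicy -Name $PolicyName `
        -Description 'Tier 0 accounts may authenticate only from Tier 0 silo members' `
        -UserTGTLifetimeMins 240 `
        -UserAllowedToAuthenticateFrom $sddl
    New-ADAuthenticationPolicySilo -Name $SiloName `
        -UserAuthenticationPolicy $PolicyName `
        -ComputerAuthenticationPolicy $PolicyName `
        -ServiceAuthenticationPolicy $PolicyName
}

# Step 3: put the PAWs and the Tier 0 accounts into the silo. Membership needs both the grant on
# the silo and the assignment on the account object.
function Add-Tier0SiloMembers {
    foreach ($host in $PawHosts) {
        $computer = Get-ADComputer -Identity $host
        Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $computer
        Set-ADComputer -Identity $computer -AuthenticationPolicySilo $SiloName
    }
    foreach ($name in $Tier0Users) {
        $user = Get-ADUser -Identity $name
        Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $user
        Set-ADUser -Identity $user -AuthenticationPolicySilo $SiloName
    }
}

# Step 4: audit. Any account sitting in the Tier 0 OU without a silo assignment is a gap in
# the policy; msDS-AssignedAuthNPolicySilo is the attribute Set-ADUser populates above.
function Get-UnprotectedTier0Account {
    Get-ADUser -SearchBase $Tier0OU -Filter * -Properties 'msDS-AssignedAuthNPolicySilo' |
        Where-Object { -not $_.'msDS-AssignedAuthNPolicySilo' } |
        Select-Object SamAccountName, DistinguishedName
}

# Step 5: enforce only after the audit-mode period shows no unexpected denials, and only after
# a Break Glass account outside the silo has been verified to work.
function Enable-Tier0PolicyEnforcement {
    Set-ADAuthenticationPolicy -Identity $PolicyName -Enforce $true
    Set-ADAuthenticationPolicySilo -Identity $SiloName -Enforce $true
}

Test-KerberosArmoring
New-Tier0AuthenticationPolicy
Add-Tier0SiloMembers
Get-UnprotectedTier0Account
# Enable-Tier0PolicyEnforcement   # run deliberately, after the audit period
```

Creating the policy and silo without `-Enforce` first matters: in audit mode the domain controllers log would-be denials without blocking anyone, which is how you discover a Tier 0 service account or scheduled task that still authenticates from a non-PAW host before it gets locked out. Enforcement is a separate, deliberate step, and the Break Glass account the post mentions should be tested before it is taken.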