On Wednesday, August 3rd, I presented “Beyond the MCSE: Active Directory for the Security Professional” at Black Hat USA 2016.
Here are the slides for this talk: US-16-Metcalf-BeyondTheMCSE-ActiveDirectoryForTheSecurityProfessional
Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities. This means that both Red and Blue teams need to have a better understanding of Active Directory, it’s security, how it’s attacked, and how best to align defenses. This presentation covers key Active Directory components which are critical for security professionals to know in order to defend AD. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies. The provided information is immediately useful and actionable in order to help organizations better secure their enterprise resources against attackers. Highlighted are areas attackers go after including some recently patched vulnerabilities and the exploited weaknesses. This includes the critical Kerberos vulnerability (MS14-068), Group Policy Man-in-the-Middle (MS15-011 & MS15-014) and how they take advantages of AD communication.
Some of the content covered:
- Differing views of Active Directory: admin, attacker, and infosec.
- The differences between forests and domains, including how multi-domain AD forests affect the security of the forest.
- Dig into trust relationships and the available security features describing how attack techniques are impacted by implementing these trust security features.
- AD database format, files, and object storage (including password data).
- Read-Only Domain Controllers (RODCs), security impact, and potential issues with RODC implementation.
- Key Domain Controller information and how attackers take advantage.
- Windows authentication protocols over the years and their weaknesses, including Microsoft’s next-generation credential system, Microsoft Passport, and what it means for credential protection.
- Security posture differences between AD on-premises and in the cloud (Microsoft Azure AD vs Office 365).
- Key Active Directory security features in the latest Windows OS versions – the benefits and implementation challenges.
Let’s go beyond the standard MCSE material and dive into how Active Directory works focusing on the key components and how they relate to enterprise security.