AD Vulnerabilities

  • AD Vulnerabilities

    I have just been tasked with developing an audit plan for uncovering or otherwise finding problems associated with our AD enterprise network. My background is more NT related and older security issues. Not knowing where to start, I have been searching the internet and not finding a lot of public information. I can't go to the systems people, because ultimately the purpose is to test the security that they have in place; that would be asking the wolf to guard the chicken coop. So I must research this and come to my own conclusions, and that is where I am asking for this group's help. This is not anything from the outside of the organization where firewalls are to be accessed; I have the rights to look for the vulnerabilities within the system and make the suggestions to plug them, e.g. finding 24/7 access for users that don't need it (that's an easy one), but I need more input! Thanks in advance, M

  • #2
    Are you running penetration testing or general troubleshooting?

    Most security problems are patch related: an unpatched machine is vulnerable to shell execution through buffer overflows and the like.

    Use tools like HFNetChk or Nikto to scan the network for unpatched and potentially vulnerable machines\servers. You can then read up on the patches\holes you have found to see how many exploits have been created\used, and the potential risks involved.

    Other security issues are permissions: as an ordinary user, see how much you can get access to within the network. No need to try special tools, just have a good snoop around; see if you can TS onto any servers, or access HR\Finance shares, etc.

    For general AD troubleshooting use tools like dcdiag, netdiag, ntfrsutl, ntdsutil, repadmin and replmon.

    * Shamelessly mentioning "Don't forget to add reputation!"
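The "ordinary user snoop" suggested in #2, written up as a script. This is an added example, not code from the thread or from any poster: it is meant to be run from a domain-joined workstation under a regular (non-admin) account, and it uses only built-in tools (net.exe for share listing, Get-ChildItem/New-Item for access probes, Test-NetConnection for the RDP/TS port). The server list and the "sensitive" share keywords are constructed placeholders and are assumptions to replace with your own scope.

```powershell
# Added example (not from the thread). Run as an ordinary domain user, not as an admin:
# the point is to measure what a normal user can reach, exactly as post #2 suggests.
# $Servers and $SensitiveNames are constructed placeholders; replace with your own scope.

$Servers        = @('fileserver01', 'hrserver01', 'dc01')            # assumed hostnames
$SensitiveNames = @('HR', 'Finance', 'Payroll', 'Backup', 'IT')     # assumed keywords worth flagging

function Get-RemoteShares {
    param([string]$ComputerName)
    # "net view \\host /all" lists shares, including hidden ($) ones, without admin rights.
    $lines = & net.exe view "\\$ComputerName" /all 2>$null
    if ($LASTEXITCODE -ne 0) { return @() }
    foreach ($line in $lines) {
        # Share rows look like: "Finance      Disk      Finance department data"
        # (share names containing spaces are not parsed by this simple pattern).
        if ($line -match '^(?<Name>\S+)\s+(?<Type>Disk|Print|IPC)\b') {
            [pscustomobject]@{ Computer = $ComputerName; Share = $Matches.Name; Type = $Matches.Type }
        }
    }
}

function Test-ShareAccess {
    param([string]$Computer, [string]$Share)
    $unc    = "\\$Computer\$Share"
    $result = [ordered]@{ Path = $unc; Readable = $false; Writable = $false; Sensitive = $false }
    $result.Sensitive = [bool]($SensitiveNames | Where-Object { $Share -like "*$_*" })
    # Read check: can an ordinary user list the root of the share?
    try {
        $null = Get-ChildItem -LiteralPath $unc -ErrorAction Stop
        $result.Readable = $true
    } catch { return [pscustomobject]$result }
    # Write check: create and immediately delete a zero-byte marker file.
    $marker = Join-Path $unc ('audit-' + [guid]::NewGuid().ToString() + '.tmp')
    try {
        New-Item -ItemType File -Path $marker -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $marker -ErrorAction SilentlyContinue
        $result.Writable = $true
    } catch { }
    [pscustomobject]$result
}

$findings = foreach ($srv in $Servers) {
    # TS/RDP exposure: is 3389 reachable from a user workstation at all?
    $rdp = Test-NetConnection -ComputerName $srv -Port 3389 -WarningAction SilentlyContinue -InformationLevel Quiet
    [pscustomobject]@{ Path = "\\$srv (RDP 3389)"; Readable = $rdp; Writable = $null; Sensitive = $false }
    foreach ($sh in Get-RemoteShares -ComputerName $srv) {
        if ($sh.Type -ne 'Disk') { continue }
        Test-ShareAccess -Computer $sh.Computer -Share $sh.Share
    }
}

# Report: anything readable (worse, writable) by an ordinary user on a sensitive share is a finding.
$findings | Sort-Object Sensitive, Writable -Descending | Format-Table -AutoSize
$findings | Where-Object { $_.Sensitive -and $_.Readable } |
    ForEach-Object { Write-Warning "Ordinary user can read $($_.Path) (writable: $($_.Writable))" }
```

The write probe does create (and remove) a marker file on every readable share, so keep the server list within the scope you have been authorised for and note the timestamps in the audit record; the RDP check only reports whether the port answers, not whether the user's logon would be accepted.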


    • #3
      Reply ---

      To the best of my knowledge, we hire an outside firm to do PEN testing. And they do it kind of half-assed: they tell the security folks where they intend to test; they call it "rules of engagement", ha ha, like a hacker would really do that. That opinion aside, my task is to look from the inside to see where the trouble could come from. The network is a nationwide network, but my responsibility would be regional in scope as far as DCs are concerned. It is a very daunting task, which is why I have to come up w/ a plan of action first and have it all on paper.


      • #4
        I'll just throw out some random thoughts based on the last audit we underwent not long ago...

        - besides the obvious security updates, things like the security settings of the DCs and all the infrastructure servers are no less important. Those should be firmly defined, documented and enforced
        - physical access to the DCs: how easily can people fool you into letting them into the server room (by lying, pretending, etc.)?
        - what are the password policies, are they enforced, do you have generic accounts shared by multiple users?
        - how well is the environment audited? For example, if some admin touches an OU, can you trace the event, or is he using a generic account that cannot be associated with a single user? Those things are important...
        - do you have written and tested procedures for day-to-day operation and disaster test cases (i.e. if a hacker gets into your network, what are the steps you will take? Does a written procedure exist?)
        - Do you have a CA? Do the people that administer the CA have domain/enterprise admin equivalent access? (if not, you should be aware that they can escalate themselves quite easily).

        ok... more coffee and I'll try to scrape up some more later.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"


        • #5
          In addition:

          - take a hard look at people who have domain admin permissions that they don't need. If you do it well, you don't need more than 3 domain admins. Anything more than 10 is a serious problem.

          - Like Guy already mentioned, physical security is paramount. If you don't have it, there is no security.

          - Is there any unneeded software running on the DCs? Think services, but also 3rd party programs. Worse, are DCs used for internet browsing?

          - Is there a virus scanner running?

          - is there monitoring software that will tell you if anything goes wrong? A DC that goes down unexpectedly _could_ be a security breach.

          - are you watching and auditing membership of important groups?

          And on and on...
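The checks listed in #4 and #5 (password policy, generic accounts, domain admin head-count, third-party software on DCs, watching privileged group membership) turned into one repeatable audit script. This is an added example, not code from the thread or from any poster. It assumes the RSAT ActiveDirectory module is installed, that it runs as a domain user with read access, and that WMI access to the DCs is available (Get-WmiObject -ComputerName needs Windows PowerShell 5.1). The Domain Admins ceiling of 10 is the number given in #5; the password-policy minimums, the "generic account" name pattern and the baseline file location are my own assumptions, not anything the thread states.

```powershell
# Added example (not from the thread): posts #4 and #5 as a repeatable audit.
# Assumptions: RSAT ActiveDirectory module, domain-user read access, WMI access to the DCs
# (Windows PowerShell 5.1). The Domain Admins limit is post #5's figure; the password
# minimums, the generic-name regex and the baseline path are my own assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators'
$DomainAdminLimit = 10
$StaleDays        = 90
$GenericNameRegex = '^(admin|administrator|svc|service|shared|temp|test|helpdesk)'   # assumed heuristic
$BaselinePath     = Join-Path $env:USERPROFILE 'priv-groups-baseline.json'         # assumed location

function Get-PrivilegedAccountReport {
    foreach ($g in $PrivilegedGroups) {
        # -Recursive expands nested groups. Enterprise/Schema Admins exist only in the forest
        # root domain, so a missing group is reported and skipped instead of aborting the run.
        $members = try { Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop }
                   catch { Write-Warning "Cannot enumerate '$g': $_"; @() }
        foreach ($m in $members | Where-Object objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties PasswordNeverExpires, LastLogonDate, ServicePrincipalName
            [pscustomobject]@{
                Group                = $g
                User                 = $u.SamAccountName
                Enabled              = $u.Enabled
                PasswordNeverExpires = $u.PasswordNeverExpires
                StaleLogon           = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))
                ServiceAccount       = [bool]$u.ServicePrincipalName                 # a service runs with these rights
                GenericName          = [bool]($u.SamAccountName -match $GenericNameRegex)  # likely shared: no individual accountability
            }
        }
    }
}

function Test-DomainAdminCount {
    param($Report)
    $admins = @($Report | Where-Object Group -eq 'Domain Admins' | Select-Object -ExpandProperty User -Unique)
    if ($admins.Count -gt $DomainAdminLimit) {
        Write-Warning "Domain Admins has $($admins.Count) members; post #5's ceiling is $DomainAdminLimit"
    }
    $admins.Count
}

function Test-PasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $issues = @()
    if ($p.MinPasswordLength -lt 12)            { $issues += "MinPasswordLength is $($p.MinPasswordLength)" }
    if (-not $p.ComplexityEnabled)              { $issues += 'complexity requirement is disabled' }
    if ($p.LockoutThreshold -eq 0)              { $issues += 'no account lockout threshold' }
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero) { $issues += 'MaxPasswordAge is 0 (passwords never expire)' }
    $issues
}

function Get-ThirdPartyDcServices {
    # Post #5's "unneeded software on the DCs": any running service whose binary lives outside \Windows\.
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-WmiObject -Class Win32_Service -ComputerName $dc.HostName |
            Where-Object { $_.State -eq 'Running' -and $_.PathName -notmatch '\\Windows\\' } |
            Select-Object @{ n = 'DC'; e = { $dc.HostName } }, Name, PathName, StartName
    }
}

function Compare-PrivilegedMembership {
    # Post #5's "watch membership of important groups": diff against the last run, then save a new baseline.
    param($Report)
    $current = @($Report | ForEach-Object { "$($_.Group)\$($_.User)" } | Sort-Object -Unique)
    if (Test-Path $BaselinePath) {
        $previous = @(Get-Content $BaselinePath -Raw | ConvertFrom-Json) | Where-Object { $_ }
        foreach ($d in Compare-Object -ReferenceObject @($previous) -DifferenceObject $current) {
            $tag = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            Write-Warning "$tag $($d.InputObject)"
        }
    }
    ConvertTo-Json -InputObject $current | Set-Content $BaselinePath
}

$report = @(Get-PrivilegedAccountReport)
$report | Where-Object { -not $_.Enabled -or $_.PasswordNeverExpires -or $_.StaleLogon -or $_.ServiceAccount -or $_.GenericName } |
    Format-Table Group, User, Enabled, PasswordNeverExpires, StaleLogon, ServiceAccount, GenericName -AutoSize
"Domain Admins: $(Test-DomainAdminCount -Report $report)"
Test-PasswordPolicy | ForEach-Object { Write-Warning "Password policy: $_" }
Get-ThirdPartyDcServices | Format-Table -AutoSize
Compare-PrivilegedMembership -Report $report
```

Run it on a schedule and keep the JSON baseline under version control or on a write-protected share: the membership diff is only as trustworthy as the previous baseline, and a domain admin can of course edit a file in a profile directory. Fine-grained password policies (PSOs) are not covered by Get-ADDefaultDomainPasswordPolicy; check those separately with Get-ADFineGrainedPasswordPolicy if the domain uses them.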


          • #6
            Great thread guys!

            Daniel Petri
            Microsoft Most Valuable Professional - Active Directory Directory Services
            MCSA/E, MCTS, MCITP, MCT


            • #7
              Thanks for the feedback - I really appreciate the input - I will start looking into these issues immediately to formulate my audit plan - just in this alone, there is a lot of meat to chew on. Any more you add as time and coffee/jolt consumption goes by will be absorbed and documented. Many Thanks - I am sure that I am not alone looking at more than the obvious! - M