Patching alone won't fix all known Active Directory vulnerabilities. Here are the steps to audit your Active Directory domains and shore up weaknesses.

If you have a traditional domain, it’s time to audit your Active Directory. In fact, it’s probably way past time. You probably have accounts that have been unchanged for years and might not have reviewed settings or registry entries. Attackers know that these domains have legacy settings that allow them to take greater control and use techniques to gain domain rights. Active Directory security came into the news with the release of several updates in May, but you need to take many more steps than mere patching to protect your network.

Microsoft’s server tools include the Best Practices Analyzer (BPA), but it doesn’t identify some of the means that attackers use to go after Active Directory domains. Several other resources analyze the health and security of Active Directory domains, including Purple Knight from Semperis, PingCastle, and Quest’s Active Directory health check tool.

I ran PingCastle on a sample domain, and it became obvious that I had a lot of work to do. I had likely forgotten many older pieces in our network that now threatened its security. Here’s how I analyzed my Active Directory status.

Identify unsupported operating systems

First, I looked for unsupported server operating systems in the domain. Windows Server 2012 R2 drops out of support on October 10, 2023. My guess is many of you have that or earlier platforms in your network, probably not patched. These older platforms often still have SMB v1 enabled, a legacy protocol with weak authentication and no encryption that current Windows versions disable by default.

Scan for weak Kerberos encryption

Next, the tool checks for accounts configured to use weak (DES) Kerberos encryption. PingCastle recommends disabling this in the properties of each affected account by unchecking the box “Use Kerberos DES encryption for this account”.
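The following PowerShell is an added example for the two checks above; it is not code from the article or from PingCastle. It lists enabled computer objects whose operating system matches an assumed out-of-support list, probes the legacy servers that still answer a ping for SMBv1 over WinRM, and lists accounts that carry the DES-only flag in userAccountControl using the LDAP bitwise-AND matching rule. The support cut-off patterns and the choice to probe only legacy servers are assumptions; adjust them to your own support matrix. It needs the ActiveDirectory RSAT module and an account that can read the domain and open remote PowerShell sessions to the servers.

```powershell
# Added example, not from the article or PingCastle. Run from a domain-joined admin host.
Import-Module ActiveDirectory

# Assumption: these OS name patterns are treated as out of support for this audit.
$unsupportedPatterns = @(
    'Windows Server 2003*', 'Windows Server 2008*', 'Windows Server 2012*',
    'Windows XP*', 'Windows Vista*', 'Windows 7*', 'Windows 8*'
)

# Enabled computer objects with OS and last logon, so dead objects are visible too.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

$legacy = @($computers | Where-Object {
    $os = $_.OperatingSystem
    $os -and ($unsupportedPatterns | Where-Object { $os -like $_ })
})

Write-Host "Unsupported operating systems ($($legacy.Count) hosts):"
$legacy | Sort-Object OperatingSystem |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Format-Table -AutoSize

# SMBv1 check on legacy servers that respond. Get-SmbServerConfiguration exists on
# Server 2012 and later; on 2008 R2 the SMB1 state lives in the registry, where a
# missing value means SMB1 is enabled (the default on those versions).
$smb1Hosts = foreach ($c in ($legacy | Where-Object { $_.OperatingSystem -like 'Windows Server*' })) {
    $target = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }
    if (-not (Test-Connection -ComputerName $target -Count 1 -Quiet)) { continue }
    try {
        $enabled = Invoke-Command -ComputerName $target -ErrorAction Stop -ScriptBlock {
            if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
                (Get-SmbServerConfiguration).EnableSMB1Protocol
            } else {
                $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                        -Name SMB1 -ErrorAction SilentlyContinue
                (-not $v) -or ($v.SMB1 -ne 0)
            }
        }
        if ($enabled) { $target }
    } catch {
        Write-Warning "Could not query ${target}: $($_.Exception.Message)"
    }
}
Write-Host "Servers with SMBv1 enabled:"
$smb1Hosts

# Accounts limited to DES Kerberos keys: userAccountControl bit 0x200000 (2097152,
# USE_DES_KEY_ONLY). Matching rule 1.2.840.113556.1.4.803 is a bitwise AND evaluated
# on the domain controller, the LDAP equivalent of the -band filter in PowerShell.
$desAccounts = Get-ADObject -Properties sAMAccountName `
    -LDAPFilter '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2097152))'
Write-Host "Accounts with 'Use Kerberos DES encryption' set ($(@($desAccounts).Count)):"
$desAccounts | Select-Object sAMAccountName, DistinguishedName | Format-Table -AutoSize
```

The OS check relies on the OperatingSystem attribute, which a machine writes when it joins and on later reboots; a stale LastLogonDate next to an old OS string usually means an orphaned object rather than a live host, which is its own finding. Because the objectClass=user filter also matches computer objects, the DES listing covers service and machine accounts as well as users.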
As the PingCastle documentation notes, you can also detect which accounts support Kerberos DES encryption by running:

Get-ADUser -Filter {UserAccountControl -band 0x200000}

Identify old and unused accounts

Other tests the tool performs review for stale or inactive accounts in the network. Accounts that haven’t been logged into in years often have weak or insecure passwords. Worse, these passwords may be available to attackers in harvested password dumps.

Block basic users from registering computers

Change a longstanding default that allows any authenticated user to join (register) computers to the domain. This setting is in the news lately because of PetitPotam and other attack techniques that rely on a low-privileged user being able to add computer accounts. Modify the value of ms-DS-MachineAccountQuota to zero (0).

Review non-expiring passwords

Review the non-expiring passwords used in the domain. Reduce the risk from such accounts by using two-factor authentication through third-party keys or software solutions to provide additional protection, especially for remote access. While you are reviewing passwords, ensure that any administrator or privileged accounts have long and complex passwords or are moved to managed service accounts.

Enable Active Directory recycle bin

Review whether the AD forest’s recycle bin feature is enabled. You’ll need a forest functional level of Windows Server 2008 R2 or higher; check the level with Get-ADForest. Enable the feature using the PowerShell command, substituting your own forest name for the target:

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'test.mysmartlogon.com'

Be aware that once the recycle bin is enabled it cannot be turned off again.

Change Kerberos passwords regularly

The krbtgt account, which is disabled by default, is often overlooked in a domain. Change the password for the krbtgt account on a regular basis. As PingCastle points out, Microsoft provides a script (New-KrbtgtKeys.ps1) that can be run to guarantee the correct replication of these secrets. Unfortunately, this script supports only English operating systems. Another way is to reset the password manually once, wait three days, then reset it again.
This is the safest way to ensure that the old password is no longer usable in a golden ticket attack: the KDC still accepts tickets encrypted with the previous krbtgt password, so a single reset leaves forged tickets valid, and only the second reset pushes the old key out of the history.

Change settings to avoid certificate abuse

Attackers can use certificates to launch attacks. One technique abuses certificate templates. If the template allows the requester to supply the subject name before issuance, a malicious user can set the subject to an administrator account and obtain a certificate that authenticates as that administrator. In the certificate template’s properties, on the “Subject Name” tab, uncheck “Supply in the request”. Alternatively, restrict enrollment for this template to a specific group.

Set domain controller audit policies

Set audit policies on your domain controllers for specific issues. For each of the following subcategories, PingCastle reported “No GPO check for audit success”, meaning no Group Policy object enforces success auditing. It recommends enabling success auditing and collecting these events:

- Policy Change / Authentication Policy Change: events 4713, 4716, 4739, 4867 to track trust modifications
- Account Management / Computer Account Management: events 4741, 4742 to track computer changes
- Detailed Tracking / DPAPI Activity: event 4692 to track the export of the DPAPI backup key
- Account Logon / Kerberos Authentication Service: events 4768, 4771 for Kerberos authentication
- Account Logon / Kerberos Service Ticket Operations: event 4769 for Kerberos service ticket requests
- Logon/Logoff / Logoff: event 4634 for account logoff
- Logon/Logoff / Logon: events 4624, 4625, 4648 for account logon
- Detailed Tracking / Process Creation: event 4688 to get the history of executed programs
- Account Management / Security Group Management: events 4728, 4732, 4756 for group membership changes
- System / Security System Extension: events 4610, 4697 to track LSASS security packages and services
- Privilege Use / Sensitive Privilege Use: events 4672, 4673, 4674 for privilege tracking, such as the debug privilege
- Logon/Logoff / Special Logon: event 4964 for special groups assigned at logon
- Account Management / User Account Management: events 4720, 4722, 4723, 4738, 4765, 4766, 4780, 4794 for user account management

Enable PowerShell logging

Ensure that PowerShell logging is enabled. From Group Policy, follow these steps:

Go to “Computer Configuration”.
Go to “Administrative Templates”.
Go to “Windows Components”.
Go to “Windows PowerShell”.
Enable “Turn on Module logging” and “Turn on PowerShell Script Block logging”.
Set “*” as the module list.

Script block logging records the content of executed code as event 4104 in the Microsoft-Windows-PowerShell/Operational log, so forward that log to your SIEM alongside the Security log.

You may think you have done enough to secure Active Directory, but often you need third-party eyes or tools to help you understand that you are still at risk. Take the time to review your Active Directory. You may be surprised that you have more work to do to ensure that you are more protected.
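The following PowerShell script is an added example and is not code from the article, from PingCastle or from Microsoft. It runs read-only versions of the remaining checks described above (stale accounts, ms-DS-MachineAccountQuota, non-expiring passwords, the recycle bin, krbtgt password age, templates with “Supply in the request”, the domain controller audit subcategories, and the PowerShell logging policy values) and prints a finding for each. The thresholds (180 days of inactivity, and flagging a krbtgt password older than 180 days) are assumptions; the template check relies on bit 0x1 of msPKI-Certificate-Name-Flag, which is what the “Supply in the request” checkbox sets. Run it as a domain administrator on a domain controller, because auditpol and the registry checks are local to the machine you run it on.

```powershell
# Added example, not from the article, PingCastle or Microsoft. Read-only.
Import-Module ActiveDirectory
$domain       = Get-ADDomain
$inactiveDays = 180   # assumption
$krbtgtMaxAge = 180   # assumption

# 1. Stale accounts: enabled users with no logon in $inactiveDays days.
$stale = @(Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($inactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled })
Write-Host "Enabled users inactive for $inactiveDays+ days: $($stale.Count)"

# 2. ms-DS-MachineAccountQuota: any non-zero value lets every authenticated user
#    create that many computer accounts. The fix (not run here) is:
#    Set-ADDomain -Identity $domain.DNSRoot -Replace @{'ms-DS-MachineAccountQuota'='0'}
$maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $maq $(if ($maq -ne 0) { '(should be 0)' })"

# 3. Non-expiring passwords, with privileged accounts (adminCount=1) called out.
$neverExpire     = @(Search-ADAccount -PasswordNeverExpires -UsersOnly | Where-Object { $_.Enabled })
$privNeverExpire = @($neverExpire | Get-ADUser -Properties adminCount | Where-Object { $_.adminCount -eq 1 })
Write-Host "Enabled users with PasswordNeverExpires: $($neverExpire.Count) (privileged: $($privNeverExpire.Count))"
$privNeverExpire | Select-Object SamAccountName | Format-Table -AutoSize

# 4. Recycle bin: enabled once EnabledScopes is populated.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
Write-Host "AD Recycle Bin enabled: $([bool]$rb.EnabledScopes)"

# 5. krbtgt password age. The KDC still honours the previous key, so two resets are
#    needed before tickets forged with the old key stop working.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
$ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
Write-Host ("krbtgt password last set {0:yyyy-MM-dd} ({1} days ago){2}" -f $krbtgt.PasswordLastSet, $ageDays,
    $(if ($ageDays -gt $krbtgtMaxAge) { ' - rotate it (twice)' }))

# 6. Certificate templates where the requester supplies the subject name
#    (msPKI-Certificate-Name-Flag bit 0x1, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT).
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$supplyInRequest = @(Get-ADObject -SearchBase $templatesDn `
    -LDAPFilter '(&(objectClass=pKICertificateTemplate)(msPKI-Certificate-Name-Flag:1.2.840.113556.1.4.803:=1))')
Write-Host "Templates with 'Supply in the request' ($($supplyInRequest.Count)): $($supplyInRequest.Name -join ', ')"

# 7. Audit subcategories PingCastle wants on DCs, read from the effective local policy.
#    auditpol /r emits CSV with a 'Subcategory' and an 'Inclusion Setting' column.
$wanted = 'Authentication Policy Change', 'Computer Account Management', 'DPAPI Activity',
          'Kerberos Authentication Service', 'Kerberos Service Ticket Operations', 'Logoff', 'Logon',
          'Process Creation', 'Security Group Management', 'Security System Extension',
          'Sensitive Privilege Use', 'Special Logon', 'User Account Management'
$audit = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
foreach ($name in $wanted) {
    $row = $audit | Where-Object { $_.Subcategory -eq $name }
    $ok  = $row -and ($row.'Inclusion Setting' -match 'Success')
    Write-Host ("{0,-36} {1}" -f $name, $(if ($ok) { 'success auditing on' } else { 'MISSING success auditing' }))
}

# 8. PowerShell logging: the GPO writes these policy values on every computer it applies to.
$modLog = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -ErrorAction SilentlyContinue
$sbLog  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
Write-Host "Module logging: $($modLog.EnableModuleLogging -eq 1); Script block logging: $($sbLog.EnableScriptBlockLogging -eq 1)"
```

Check 7 reads the policy that is actually in force on the domain controller you run it on, which is what matters for detection; PingCastle's "No GPO check" finding is about whether a GPO enforces the setting, so a DC can pass this check today and silently lose the setting later if it was configured only locally. Run the script on each DC, or at least on one per site, since audit policy and logging settings are per machine.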