Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.


August 1, 2016

How to Lockdown Active Directory to Thwart the Use of Mimikatz DCSync

Folks,

I'm going to keep this post short, because some brilliant folks feel that my blog posts are longer than their source code.


This is Very Important

On a (very) serious note, today, thanks to the DCSync feature of Mimikatz, the creation of the brilliant Mr. Benjamin Delpy, we have a situation wherein organizational security worldwide boils down to this - if you assume a breached network, then your foundational Active Directory is only as secure as the number of individuals that have the Get Replication Changes All extended right effectively granted in the access control list (ACL) that protects the domain's root object.

A perpetrator using Mimikatz DCSync feature to obtain the credentials of all domain accounts in Active Directory
 
Here's why - if the perpetrator can compromise the account of even a single user who has the Get Replication Changes All extended right effectively granted on the domain root, he/she could login as using that account, request and obtain secrets from Active Directory, and use Mimikatz to in effect determine the credentials of the entirety of your user populace, within minutes!




This is Preventable -  Deny them the Access they Need

As serious as this is, it is easily preventable. You can deny perpetrators the access they need to leverage the DCSync feature.

Thus, in your own best interest, you'll want to immediately minimize (i.e. reduce down to a bare absolute minimum) the number of users who effectively have this right granted, and from that point on not only afford those accounts the highest protection, but also verify and ensure that at all times (365-24-7), not a single individual more than is absolutely required to have this extended right, has this extended right effectively granted to him/her.


The only ability you need to deny perpetrators the access they need to use the DCSync feature of Mimikatz is the ability to accurately determine effective permissions in Active Directory, so that you can accurately assess, audit and verify exactly who has the Get Replication Changes All extended right effectively granted on the domain root object at all times.

Here's how you can lockdown Active Directory in 5 simple steps, to deny perpetrators the opportunity they need to leverage the DCSync feature of Mimikatz -
1. Identify all users who currently have the Get Replication Changes All extended right granted today on the domain root by determining effective permissions on the domain root. 
2. Analyze this list of users to identify all users who should not be on this list.
3. For every user that should not be on this list, identify how he/she is being entitled to this effective permission.
4. For each such user, based on the above identification, proceed to lockdown the identified security permissions, such as by restricting access or modifying a group membership etc.
5. Finally, determine effective permissions on the domain root object again to verify the lockdown, and ensure that only authorized individuals effectively possess this right.

Using these steps, organizations worldwide can quickly lockdown Active Directory to deny perpetrators the opportunity required to leverage the DCSync Feature of Mimikatz to engage in domain-wide credential theft, thus thwarting its use.




Required Tooling

In order to enact the 5 steps outlined above, you can use any Active Directory effective permissions tool that can help you -
1. Accurately determine effective permissions in Active Directory
2. Identify all users that have a specific effective permission granted on an Active Directory object
3. Identify how a specific user has a specific effective permission granted on that Active Directory object

Here's why - Accuracy is essential. We need to identify all such users, and we need to know the how to lockdown their access.

One tool that I know of that meets these criteria is this one. I know so because I architected it. In fact, so many of the world's top business and government organizations worldwide use it to audit privileged access in Active Directory. However, I do NOT want my advice to sound biased so you do NOT have to take my word. Please feel free to do your own research. I will only say this much, and you can validate it yourself - stay away from this tool and scripts on TechNet, as they are dangerously inaccurate.

In the interest of fairness and objectivity, I will repeat this again - you can use any Active Directory effective permissions tool you want that can help you fulfill the above 3 essential needs. I've also provided the reasons as to why these 3 needs are essential.




One

It is critical to ensure that only the absolutely minimum possible number (0/1) of users have this right effectively granted to them.


If even one additional user is effectively granted this critical right, and the perpetrators can identify them and compromise their account(s) (credentials), then they will simply be minutes away from being able to steal the credentials of every user in the Active Directory domain, including all privileged users such as all Domain Admins, Enterprise Admins, Built-in Admins etc.

So, in a way, today, the security of an entire Active Directory domain (and thus forest) depends on exactly who effectively has sufficient enough rights to be able to replicate secrets out of Active Directory!

In other words, to put it simply, if this security grant is not fully locked down at all times, it could be Game Over very quickly.

Finally, to demonstrate just how deeply we care about cyber security globally, any* organization that wishes to find out exactly how many individuals effectively have this right granted today, can now do so completely free (i.e. via the free Try Now option.)




Complete Details

I wanted to keep this post short but perhaps you want more details. Complete details, including an example/illustration of the above 5 steps provided above, as well as the deficiencies in Microsoft's Effective Permissions Tab, and other relevant details can be found on my second blog at - http://www.active-directory-security.com. Here's the url to the post that has the details -
How to Prevent a Perpetrator from Using Mimikatz DCSync feature to perform Credential Theft from Active Directory


In your own organization's best interest, it is imperative to understand just how important this is to Active Directory security.

Best wishes,
Sanjay


PS: Ideally, I could have conveyed this in one sentence - "Simply minimize the number of individuals who effectively possess the Get Replication Changes All on the domain root. Done!"   The keyword here is "effectively" i.e. "effective permissions"

PS2: By the way, detection (see PS3 of this post) isn't sufficient, because by the time you detect and respond to an intruder replicating secrets out, it will have been too late because they will already have been replicated out. As such, when you can easily prevent something bad from happening, why merely rely on being able to detect it, especially when this is so critical?

PS3: By the way, where is Microsoft when it comes to providing some thought-leadership, as well as real-world advice and help on such critical cyber security issues? Also, what if solutions to such fundamental cyber security challenges didn't exist today?