I'm going to keep this post short, because some brilliant folks feel that my blog posts are longer than their source code.
This is Very Important
(Very) serious note: today, thanks to the DCSync feature of Mimikatz, the creation of the brilliant Mr. Benjamin Delpy, we have a situation wherein organizational security worldwide boils down to this - if you assume a breached network, then your foundational Active Directory is only as secure as the number of individuals that have the Get Replication Changes All extended right effectively granted in the access control list (ACL) that protects the domain's root object.
[Image: A perpetrator using the Mimikatz DCSync feature to obtain the credentials of all domain accounts in Active Directory]
If the perpetrator can compromise the account of even a single user who has the Get Replication Changes All extended right effectively granted on the domain root, he/she could log in using that account, request and obtain secrets from Active Directory, and use Mimikatz to in effect determine the credentials of your entire user populace, within minutes!
This is Preventable - Deny them the Access they Need
As serious as this is, it is easily preventable. You can deny perpetrators the access they need to leverage the DCSync feature.

Thus, in your own best interest, you'll want to immediately minimize (i.e. reduce to the bare absolute minimum) the number of users who effectively have this right granted, and from that point on not only afford those accounts the highest protection, but also verify and ensure, at all times (365-24-7), that not a single individual beyond those absolutely required to have this extended right has it effectively granted to him/her.
The only ability you need to deny perpetrators the access they need to use the DCSync feature of Mimikatz is the ability to accurately determine effective permissions in Active Directory, so that you can accurately assess, audit and verify exactly who has the Get Replication Changes All extended right effectively granted on the domain root object at all times.

Here's how you can lock down Active Directory in 5 simple steps, to deny perpetrators the opportunity they need to leverage the DCSync feature of Mimikatz -
1. Identify all users who currently have the Get Replication Changes All extended right effectively granted on the domain root, by determining effective permissions on the domain root.
2. Analyze this list of users to identify all users who should not be on this list.
3. For every user that should not be on this list, identify how he/she is being entitled to this effective permission.
4. For each such user, based on the above identification, proceed to lock down the identified security permissions, such as by restricting access or modifying a group membership, etc.
5. Finally, determine effective permissions on the domain root object again to verify the lockdown, and ensure that only authorized individuals effectively possess this right.
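A first-pass audit script for steps 1, 3 and 5, added here as an example (it is not code from the original post or from any tool it mentions). It assumes the RSAT ActiveDirectory module and read access to the domain root's ACL, and it treats the post's "Get Replication Changes All" as the schema extended right DS-Replication-Get-Changes-All (display name "Replicating Directory Changes All"). It expands group membership and honours explicit Deny ACEs, but it is an approximation, not a full effective-permissions calculation: well-known SIDs and foreign security principals are not expanded, which is exactly the kind of gap the post warns about when it insists on accuracy.

```powershell
# Added example, not the post's own code: first-pass audit of who is effectively
# granted "Replicating Directory Changes All" (DS-Replication-Get-Changes-All;
# the post's Get Replication Changes All) on the domain root.
# Assumes the RSAT ActiveDirectory module and read access to the domain root's ACL.
Import-Module ActiveDirectory
$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# Resolve the right's GUID from the schema rather than hard-coding it
# (it is 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 in every forest).
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter "(displayName=Replicating Directory Changes All)" -Properties rightsGuid
$rightGuid  = [guid]$right.rightsGuid
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Step 1: every ACE on the domain root that allows or denies this right. An ObjectType
# of the empty GUID means "all extended rights"; GenericAll covers it as well.
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$relevant = $acl.Access | Where-Object {
    ($_.ActiveDirectoryRights.HasFlag($extRight) -and
     ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq [guid]::Empty)) -or
    $_.ActiveDirectoryRights.HasFlag($genericAll)
}

# Step 3: expand each trustee to the accounts it covers, recording how (direct or via group).
function Expand-Trustee($identity) {
    $name = ($identity.Value -split '\\')[-1]
    $obj  = Get-ADObject -LDAPFilter "(sAMAccountName=$name)"
    if (-not $obj) { return }   # well-known SIDs etc. are not expanded here (approximation)
    if ($obj.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
            Where-Object { $_.objectClass -in @('user', 'computer') } |
            ForEach-Object { [pscustomobject]@{ Account = $_.SamAccountName; Via = "group $name" } }
    } else {
        [pscustomobject]@{ Account = $name; Via = 'direct ACE' }
    }
}

$allowed = @{}; $denied = @{}
foreach ($ace in $relevant) {
    foreach ($hit in Expand-Trustee $ace.IdentityReference) {
        $table = if ($ace.AccessControlType -eq 'Allow') { $allowed } else { $denied }
        $table[$hit.Account] = $hit.Via
    }
}
# Steps 2 and 5: the list to review now, and to re-run after the lockdown; an explicit Deny wins.
$allowed.Keys | Where-Object { -not $denied.ContainsKey($_) } | Sort-Object |
    ForEach-Object { '{0,-30} via {1}' -f $_, $allowed[$_] }
```

Every account this prints that is not a domain controller or a deliberately authorized administrator is a candidate for step 2, and the "via" column is the starting point for step 3.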
Using these steps, organizations worldwide can quickly lock down Active Directory to deny perpetrators the opportunity required to leverage the DCSync feature of Mimikatz to engage in domain-wide credential theft, thus thwarting
In order to enact the 5 steps outlined above, you can use any Active Directory effective permissions tool that can help you -
1. Accurately determine effective permissions in Active Directory
2. Identify all users that have a specific effective permission granted on an Active Directory object
3. Identify how a specific user has a specific effective permission granted on that Active Directory object
Here's why - accuracy is essential. We need to identify all such users, and we need to know how to lock down
One tool that I know of that meets these criteria is this one. I know so because I architected it. In fact, many of the world's top business and government organizations use it to audit privileged access in Active Directory. However, I do NOT want my advice to sound biased, so you do NOT have to take my word. Please feel free to do your own research. I will only say this much, and you can validate it yourself - stay away from this tool and scripts on TechNet, as they are dangerously inaccurate.
In the interest of fairness and objectivity, I will repeat this again - you can use any Active Directory effective permissions tool you want that can help you fulfill the above 3 essential needs. I've also provided the reasons as to why these 3 needs are essential.
It is critical to ensure that only the absolutely minimum possible number (0/1) of users have this right effectively granted to them. If even one additional user is effectively granted this critical right, and the perpetrators can identify them and compromise their account(s) (credentials), then they will simply be minutes away from being able to steal the credentials of every user in the Active Directory domain, including all privileged users such as all Domain Admins, Enterprise Admins, Built-in Admins, etc.
So, in a way, today, the security of an entire Active Directory domain (and thus forest) depends on exactly who effectively has sufficient rights to be able to replicate secrets out of Active Directory! In other words, to put it simply, if this security grant is not fully locked down at all times, it could be Game Over
Finally, to demonstrate just how deeply we care about cyber security globally, any* organization that wishes to find out exactly how many individuals effectively have this right granted today can now do so completely free (i.e. via the free Try Now
I wanted to keep this post short, but perhaps you want more details. Complete details, including an example/illustration of the 5 steps provided above, as well as the deficiencies in Microsoft's Effective Permissions Tab, and other relevant details, can be found on my second blog at http://www.active-directory-security.com . Here's the post that has the details -

How to Prevent a Perpetrator from Using Mimikatz DCSync feature to perform Credential Theft from Active Directory
In your own organization's best interest, it is imperative to understand just how important this is to Active Directory security.
PS: Ideally, I could have conveyed this in one sentence - "Simply minimize the number of individuals who effectively possess the Get Replication Changes All extended right on the domain root. Done!" The keyword here is "effectively", i.e. "effective permissions".
PS2: By the way, detection (see PS3 of this post) isn't sufficient, because by the time you detect and respond to an intruder replicating secrets out, it will have been too late, because they will already have been replicated out. As such, when you can easily prevent something bad from happening, why merely rely on being able to detect it, especially when this is so
PS3: By the way, where is Microsoft when it comes to providing some thought-leadership, as well as real-world advice and help, on such critical cyber security issues? Also, what if solutions to such fundamental cyber security challenges didn't exist today?