ADDS Security: Difference between revisions
Latest revision as of 09:50, 31 January 2017
Things to audit
In AD
- Sensitive, well-known security groups (Domain Admins, Enterprise Admins, Administrators) and their members, including nested groups
- Issued certificates for users in sensitive, well-known security groups
- Issued certificates with Authentication Mechanism Assurance
- ACL on the domain root
- ACLs on OUs, users and groups
- ACL on AdminSDHolder
- ACLs on GPOs
- ACEs granting replication permissions (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, the rights DCSync needs)
- Passwords of users
- Kerberos keys, golden/silver tickets, krbtgt hash
- Kerberoast (user accounts carrying a servicePrincipalName)
- Unexpected userAccountControl values
  - Store password using reversible encryption on accounts
- SIDHistory values
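The directory-side items above, as an added example that is not code from the original wiki page: a read-only pass with the RSAT ActiveDirectory module (whose AD: drive backs Get-Acl). It assumes the module is installed, the caller can read the domain, and that the "expected" principals for replication and broad-control rights are the built-in ones listed in the comments; tune that list for your forest.

```powershell
# Added example, not part of the original page. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$RootDN   = (Get-ADDomain).DistinguishedName
$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Object, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}

# 1. Members of the sensitive, well-known groups, nested groups expanded.
#    Enterprise Admins only exists in the forest root domain, hence the try/catch.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    try { Get-ADGroupMember -Identity $g -Recursive | ForEach-Object { Add-Finding 'PrivilegedGroupMember' $_.DistinguishedName $g } }
    catch { Add-Finding 'PrivilegedGroupMember' $g "lookup failed: $($_.Exception.Message)" }
}

# 2. userAccountControl flags that should be rare on user accounts. The LDAP
#    matching rule 1.2.840.113556.1.4.803 performs the bitwise AND server-side.
$uacFlags = @{ 0x20     = 'PASSWD_NOTREQD'
               0x80     = 'ENCRYPTED_TEXT_PWD_ALLOWED'   # reversible encryption
               0x10000  = 'DONT_EXPIRE_PASSWORD'
               0x80000  = 'TRUSTED_FOR_DELEGATION'       # unconstrained delegation
               0x400000 = 'DONT_REQ_PREAUTH' }           # AS-REP roastable
$ldap = '(|' + (($uacFlags.Keys | ForEach-Object { "(userAccountControl:1.2.840.113556.1.4.803:=$_)" }) -join '') + ')'
foreach ($u in Get-ADUser -LDAPFilter $ldap -Properties userAccountControl) {
    $set = foreach ($k in $uacFlags.Keys) { if ($u.userAccountControl -band $k) { $uacFlags[$k] } }
    Add-Finding 'UnexpectedUAC' $u.DistinguishedName ($set -join ',')
}

# 3. Kerberoastable accounts: user objects with an SPN (krbtgt excluded).
foreach ($u in Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' -Properties servicePrincipalName) {
    Add-Finding 'Kerberoastable' $u.DistinguishedName ($u.servicePrincipalName -join ';')
}

# 4. SIDHistory: legitimate only around a migration, so every value needs an owner.
foreach ($o in Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory) {
    Add-Finding 'SIDHistory' $o.DistinguishedName ($o.sIDHistory -join ';')
}

# 5. ACLs on the domain root and AdminSDHolder: replication rights (what DCSync
#    needs) or broad control held by anything other than the expected principals.
$replGuids = @{ '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
                '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
                '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set' }
$broad   = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'
$trusted = 'S-1-5-32-544', 'S-1-5-18', 'S-1-5-9'   # BUILTIN\Administrators, SYSTEM, Enterprise Domain Controllers (assumed expected)
foreach ($dn in $RootDN, "CN=AdminSDHolder,CN=System,$RootDN") {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference
        $sid = try { $who.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { "$who" }
        # Domain Admins (-512), Enterprise Admins (-519), Domain Controllers (-516), Enterprise RODCs (-498)
        if ($sid -in $trusted -or $sid -match '-(498|512|516|519)$') { continue }
        $guid = $ace.ObjectType.ToString()
        if ($replGuids.ContainsKey($guid)) { Add-Finding 'ReplicationRight' $dn "$who : $($replGuids[$guid])" }
        elseif ([int]($ace.ActiveDirectoryRights -band $broad) -ne 0) { Add-Finding 'BroadControl' $dn "$who : $($ace.ActiveDirectoryRights)" }
    }
}

$Findings | Sort-Object Check, Object | Format-Table -AutoSize
```

Every line of output is something to explain, not necessarily something to remove: a service account with an SPN is normal, a user with reversible encryption or an ACE granting DS-Replication-Get-Changes-All to a non-DC principal almost never is. Run it from an account that can read the whole domain, otherwise ACL reads silently return fewer ACEs than exist.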
In Config Partition
In DNS
- Secure dynamic updates (zones that accept nonsecure updates)
In Group Policy
- Creation of local security groups or users on clients (e.g. via Group Policy Preferences)
- Definition of logon/startup scripts
- Modification of logon/startup scripts in SYSVOL
- Unexpected User Rights Assignments
  - SeEnableDelegationPrivilege (http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/)
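The Group Policy items above, as an added example that is not code from the original page: it walks the SYSVOL Policies share directly, which is where the settings actually live. It assumes the RSAT ActiveDirectory module (only for the domain name and GPO display names), read access to SYSVOL, and that the list of dangerous user rights and the 30-day "recently modified" window are starting points to adjust.

```powershell
# Added example, not part of the original page. Assumes RSAT ActiveDirectory module and SYSVOL read access.
Import-Module ActiveDirectory
$Days     = 30                                  # assumed window for "recently modified"
$Domain   = (Get-ADDomain).DNSRoot
$Policies = "\\$Domain\SYSVOL\$Domain\Policies"

# User rights that hand out host or domain compromise when granted to unexpected principals.
$dangerousRights = 'SeEnableDelegationPrivilege', 'SeDebugPrivilege', 'SeTcbPrivilege',
                   'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege',
                   'SeLoadDriverPrivilege', 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

function Get-PrivilegeRights([string]$InfPath) {
    # Returns the [Privilege Rights] section of a GptTmpl.inf as a Name -> Value hashtable.
    $rights = @{}; $inSection = $false
    foreach ($line in Get-Content -LiteralPath $InfPath) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*)$') { $rights[$Matches[1]] = $Matches[2].Trim() }
    }
    return $rights
}

function Resolve-RightHolder([string]$Entry) {
    # Entries look like *S-1-5-32-544 or a plain name; resolve SIDs to names where possible.
    $p = $Entry.Trim().TrimStart('*')
    try { (New-Object System.Security.Principal.SecurityIdentifier($p)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $p }
}

foreach ($gpo in Get-ChildItem -LiteralPath $Policies -Directory) {
    $gpc  = Get-ADObject -LDAPFilter "(&(objectClass=groupPolicyContainer)(cn=$($gpo.Name)))" -Properties displayName
    $name = if ($gpc) { $gpc.displayName } else { $gpo.Name }

    # 1. Unexpected user rights assignments (machine side, GptTmpl.inf).
    $inf = Join-Path $gpo.FullName 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (Test-Path -LiteralPath $inf) {
        $rights = Get-PrivilegeRights $inf
        foreach ($r in $dangerousRights) {
            if ($rights.ContainsKey($r)) {
                $who = ($rights[$r] -split ',' | ForEach-Object { Resolve-RightHolder $_ }) -join ', '
                [pscustomobject]@{ GPO = $name; Check = 'UserRight'; Detail = "$r = $who" }
            }
        }
    }

    # 2. Group Policy Preferences that create or change local users/groups on clients.
    foreach ($xml in Get-ChildItem -Path $gpo.FullName -Recurse -Include Groups.xml -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ GPO = $name; Check = 'GPP-LocalUsersGroups'; Detail = "$($xml.FullName) modified $($xml.LastWriteTime)" }
    }

    # 3. Logon/startup scripts and their definitions, flagging recent changes in SYSVOL.
    foreach ($s in Get-ChildItem -Path $gpo.FullName -Recurse -Include scripts.ini, psscripts.ini, *.bat, *.cmd, *.ps1, *.vbs -ErrorAction SilentlyContinue) {
        $check = if ($s.LastWriteTime -gt (Get-Date).AddDays(-$Days)) { 'ScriptRecentlyModified' } else { 'Script' }
        [pscustomobject]@{ GPO = $name; Check = $check; Detail = "$($s.FullName) modified $($s.LastWriteTime)" }
    }
}
```

Pipe the output into Export-Csv and diff it against the previous run: the interesting events are a new Groups.xml, a script whose LastWriteTime moved, or a user right that gained a holder, not the steady-state list.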
On DC
- Effective GPO settings (see above)
- Password Filter DLLs registered in LSA's Notification Packages (https://mendel129.wordpress.com/tag/password-filter-a-dll/)
- DSRM password
- DSRMv2 (DsrmAdminLogonBehavior set so the DSRM account can log on while AD DS is running)
- All autorun values
- Malicious Security Support Provider (SSP) registered in Security Packages
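The host-level items above, as an added example that is not code from the original page: it reads the LSA and autorun registry locations on a domain controller. It assumes it runs locally on the DC as an administrator (or via Invoke-Command), and the allow-lists of expected packages are assumptions to tune against a known-good DC of the same Windows version.

```powershell
# Added example, not part of the original page. Run on a domain controller with admin rights.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$expectedNotificationPackages = 'scecli', 'rassfm'                                   # assumed baseline
$expectedSecurityPackages     = 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', 'negoexts'  # assumed baseline
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Password filters: every DLL in Notification Packages is loaded into LSASS
#    and is handed each cleartext password change.
$notif = (Get-ItemProperty -Path $lsa -Name 'Notification Packages').'Notification Packages'
foreach ($p in $notif) {
    if ($p -and $p -notin $expectedNotificationPackages) {
        $dll = Join-Path $env:SystemRoot "System32\$p.dll"
        [pscustomobject]@{ Check = 'PasswordFilter'; Value = $p; Detail = "unexpected; $dll exists=$(Test-Path -LiteralPath $dll)" }
    }
}

# 2. Security Support Providers: both Lsa\Security Packages and Lsa\OSConfig\Security Packages
#    are consulted; a rogue SSP (e.g. a mimilib-style DLL) appears as an extra name here.
foreach ($key in $lsa, "$lsa\OSConfig") {
    $pkgs = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
    foreach ($p in $pkgs) {
        if ($p -and $p -notin $expectedSecurityPackages) {
            [pscustomobject]@{ Check = 'SSP'; Value = $p; Detail = "unexpected in $key" }
        }
    }
}

# 3. DSRM account: DsrmAdminLogonBehavior absent/0 is the default (DSRM logon only when
#    booted into DSRM); 1 allows logon when AD DS is stopped; 2 allows it at any time,
#    which is what the DSRMv2 persistence technique relies on.
$dsrm = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
if ($dsrm) {
    [pscustomobject]@{ Check = 'DSRM'; Value = $dsrm; Detail = 'DsrmAdminLogonBehavior set; 2 = DSRM admin may log on while AD DS runs' }
}

# 4. Autorun values: machine-wide Run/RunOnce keys plus services whose binary lives
#    outside the Windows directory (a first pass, not a replacement for Autoruns).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -notin $providerProps) {
            [pscustomobject]@{ Check = 'Autorun'; Value = "$k\$($prop.Name)"; Detail = $prop.Value }
        }
    }
}
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch [regex]::Escape($env:SystemRoot) } |
    ForEach-Object { [pscustomobject]@{ Check = 'ServiceOutsideWindows'; Value = $_.Name; Detail = $_.PathName } }
```

The registry values are the easy part; a password filter or SSP that was registered in memory only, or one whose DLL was dropped over a legitimate name, will not show up here, so pair this with a hash check of the DLLs in System32 that the lists point to.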