In a recent post, I mentioned that Windows 10 can block zero-day attacks without being patched. In another Microsoft report, the antivirus suite contained in Windows 10 detected a 400% increase in ransomware attacks from December 2015 to July 2016. These attacks leave you vulnerable to attacks of Active Directory (AD), which manages access to almost every piece of a Windows IT infrastructure. CSO has identified several steps you can take to protect Active Directory.
- Assume a breach. Start from a position of "zero trust" and apply controls around AD that assume the network and other systems are not secure.
- Only approve a few admins. Everybody doesn't need to be an administrator. Only a handful (or just one) of people require the ability to make domain-level changes.
- Separate admin and user accounts. The default operation should be to run at a user level and not administrator.
- Whitelist admin workstations. Besides controlling administrator accounts, only allow administrator tasks from specific computers.
- Use strong authentication. Don't reuse passwords and implement multifactor authentication.
- Use a SAW. Like whitelisting, use a virtual or physical Secure Administrative Workstation.
- Block Internet access for admins. Domain controls should have tight restrictions and only allowed to communicate to the internal network.
- Safeguard against Active Directory attack tools. Make sure you know what tools are available to attack AD.
- Restore from a clean state. If you do get compromised, restore Active Directory from a known clean backup.
- Build an isolated admin enclave. Separate systems and people responsible for AD changes from the production environment.
E-mail: email@example.com Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology