Implementing a robust administrative template limits an attacker’s potential actions. Tiered or silo admin templates are particularly effective. This video explains how these templates work.
In addition to this administrative template, there are a number of other measures that can be implemented.
1. Protected Users
The Protected Users group is specifically designed to protect privileged accounts. It is an integral part of Active Directory, but empty by default. When accounts are added to this group, the security rules will automatically be applied. For example, Protected Users accounts can no longer be authenticated through NTLM, only with Kerberos. This prevents the administrator’s NT hash from being stored in the machine’s LSASS process.
Additionally, these accounts cannot be used for Kerberos delegation, and the lifespan of their TGT is reduced (four hours). These points may be useful, but be aware that this is not an exhaustive list. It is an important best practice to place your administration accounts in this group.
One of the group’s hardening features is that the login credentials of its members are never cached on the machines they use. It’s a good security measure, but it also means these accounts can never log on to a server or workstation that cannot reach a domain controller. So, don’t place all your users in this group. Otherwise, they won’t be able to work on their workstation outside the company!
2. LAPS
Do you remember how I compromised a domain during my first audit? I used one workstation’s local administrator hash on the other workstations. This was possible because the local administrator password was shared between all the workstations. To solve this problem, Microsoft has a free utility called LAPS (Local Administrator Password Solution). It allows each machine to manage its own local administrator password and informs the domain controller of the current password. As a result, each workstation has a different local administrator password, and the pass-the-hash technique immediately becomes much less useful. LAPS has been natively integrated into Windows since Windows 11 build 25145. You no longer need to install the agent on the workstations!
3. PPL and Credential Guard
Users’ login credentials are stored in LSASS when they log in. An attacker can then try to extract these credentials if they have compromised the workstation. But you can limit the damage by using the protection features provided by Microsoft. The first is called PPL (Protected Process Light), and when enabled, it makes password extraction in LSASS much more difficult. There are ways to get around it. That said, it’s a step in the right direction, and it applies to all versions of Windows. You can refer to Microsoft’s documentation for instructions on how to implement it.
Credential Guard significantly improves the protection of information stored in LSASS on more recent versions of Windows. This information is kept in an isolated memory area that cannot be accessed directly, which defeats all current credential-extraction tools. This protection can be enabled by following the Microsoft documentation.
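An added PowerShell audit helper for the three measures above (Protected Users, LAPS, and PPL/Credential Guard); it is example code written for this page, not part of the course or of any Microsoft tool. It assumes the ActiveDirectory module is available, that the privileged group names and the OU passed as parameters exist, and that the local host is the machine whose LSASS settings you want to inspect.

```powershell
#Requires -Modules ActiveDirectory

# Privileged accounts that are not yet members of Protected Users.
# Only user objects are reported: computer and managed service accounts must not
# be placed in the group, and the page warns against adding everyone.
function Get-UnprotectedAdmins {
    param([string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'))
    $protected = @{}
    Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        ForEach-Object { $protected[$_.SID.Value] = $true }   # key by SID, not by name
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and -not $protected.ContainsKey($_.SID.Value) } |
            ForEach-Object { [pscustomobject]@{ Group = $group; Account = $_.SamAccountName } }
    }
}

# Computers in an OU that LAPS has not rotated yet: Windows LAPS stamps
# msLAPS-PasswordExpirationTime (legacy LAPS: ms-Mcs-AdmPwdExpirationTime) on the
# first rotation, so a machine with neither attribute still has its build-time password.
function Get-ComputersWithoutLaps {
    param([Parameter(Mandatory)][string]$SearchBase)   # e.g. 'OU=Workstations,DC=corp,DC=example' (assumed)
    $attrs = 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime'
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $attrs |
        Where-Object { -not $_.'msLAPS-PasswordExpirationTime' -and -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
        Select-Object Name, DistinguishedName
}

# LSASS protection on the local host.
# RunAsPPL:    1 = PPL enabled with UEFI lock, 2 = enabled without UEFI lock, absent/0 = off.
# LsaCfgFlags: 1 = Credential Guard configured with UEFI lock, 2 = without, 0 = off.
# SecurityServicesRunning containing 1 means Credential Guard is actually running now.
function Get-LsassProtectionStatus {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        LsassPplConfigured       = [bool]($lsa.RunAsPPL -in 1, 2)
        CredentialGuardConfigured = [bool]($lsa.LsaCfgFlags -in 1, 2)
        CredentialGuardRunning   = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

Get-UnprotectedAdmins | Format-Table -AutoSize
Get-LsassProtectionStatus
```

Run it from a domain-joined host with the RSAT AD module; any account listed by Get-UnprotectedAdmins or any False in Get-LsassProtectionStatus is a gap against the measures described above.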
4. PAW – Privileged Access Workstations
In the tiered admin template, administrative tasks should be carried out from a dedicated administrator workstation, separate from the everyday workstation. This workstation is called a PAW (Privileged Access Workstation). It must be heavily hardened to make it as difficult as possible to attack:
It must not be connected to the internet.
It must have minimal software installed on it.
It must be used exclusively for the administrative tasks of a single tier (e.g., workstations, servers, or critical servers). Therefore, at least one PAW is required for each tier and each administrator.
Multifactor authentication should be implemented for connecting to this machine.
Ideally, the PAW should be a dedicated physical machine. A virtual machine can be considered, but it doesn’t offer the same level of security.
And what does Clément think of this tiered administrative template? What other recommendations can he give us?
Let’s Recap!
To properly protect your Active Directory environment, you can implement a strong administrative template using silo administration. Various additional measures can also be taken:
Protect privileged accounts with the Protected Users group.
Run the LAPS utility to allow each machine to manage its local administrator password.
Make password extraction in LSASS much more difficult with PPL and Credential Guard.
Use a PAW, a hardened workstation that is much harder to attack.
This chapter marks the end of the measures you need to take to protect your information system and your Active Directory environment. Now that these measures are in place, it’s time to monitor events on the information system in order to keep it secure and detect any attempts to compromise it.