Beyond the MCSE: Active Directory for the Security Professional

Presented at Black Hat USA 2016, Aug. 3, 2016, 10:20 a.m. (50 minutes)

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities. This means that both Red and Blue teams need to have a better understanding of Active Directory, it's security, how it's attacked, and how best to align defenses. This presentation covers key Active Directory components which are critical for security professionals to know in order to defend AD. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies. The provided information is immediately useful and actionable in order to help organizations better secure their enterprise resources against attackers. Highlighted are areas attackers go after including some recently patched vulnerabilities and the exploited weaknesses. This includes the critical Kerberos vulnerability (MS14-068), Group Policy Man-in-the-Middle (MS15-011 & MS15-014) and how they take advantages of AD communication. Some of the content covered: Differing views of Active Directory: admin, attacker, and infosec. The differences between forests and domains, including how multi-domain AD forests affect the security of the forest. Dig into trust relationships and the available security features describing how attack techniques are impacted by implementing these trust security features. AD database format, files, and object storage (including password data). Read-Only Domain Controllers (RODCs), security impact, and potential issues with RODC implementation. Key Domain Controller information and how attackers take advantage. Windows authentication protocols over the years and their weaknesses, including Microsoft's next-generation credential system, Microsoft Passport, and what it means for credential protection. Security posture differences between AD on-premises and in the cloud (Microsoft Azure AD vs Office 365). Key Active Directory security features in the latest Windows OS versions - the benefits and implementation challenges. Let's go beyond the standard MCSE material and dive into how Active Directory works focusing on the key components and how they relate to enterprise security.

Presenters:

  • Sean Metcalf - Trimarc
    Sean Metcalf is founder and principal security consultant of Trimarc, an information security consulting firm focused on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences. Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org. Follow him on Twitter @PyroTek3

Links:

Similar Presentations: