Cybercrime is now considered to be the most serious economic and security challenge facing businesses today. In 2020 we saw a 64% increase in email attacks alone, and this year global losses due to cybercrime are expected to exceed $6 trillion. Cybercriminals are very busy out there; meanwhile, 80% of IT executives believe their company has insufficient protection.
In our latest webinar, Hack Me If You Can, CrucialLogics experts Amol Joshi and Chris Diachok teamed up with ethical hackers Richard Rogerson and Ian Lin from Packetlabs. They discussed the latest security information and how to prevent a cyberattack, including their pick of the top 6 security vulnerabilities and accompanying remediation strategies.
Busy system administrators are constantly managing multiple Active Directories with thousands of user accounts. Occasionally, they simplify the job by storing account passwords in the Active Directory description fields, making it easy for hackers to access the directories. In addition, overly permissive Active Directory Discretionary Access Control Lists (DACLs) and Access Control Entries (ACEs) can also enable unprivileged groups to take over privileged accounts.
These access control issues can be remedied by scheduling regular internal IT audits and a scripted review of the description fields to identify keywords that indicate stored passwords. In addition, monitoring security permissions with an Active Directory Access-Control List (AD ACL) scanner tool delivers a snapshot of those permissions. Comparing that snapshot against a baseline shows where permission allocation has drifted, particularly on sensitive accounts or domain admin level accounts that might be a target for compromise.
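The scripted description-field review described above could look like the following. This is an added example, not code from the webinar or from either company; it assumes the directory has been exported to LDIF, and the account names, regular expression and sample data are constructed for illustration.

```python
import base64
import re
# Keyword, then ':' or '=', then a value: "pwd=...", "password: ...".
CRED = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|pw)\b(\s*[:=]\s*)\S+")

def parse_ldif(text):
    """Yield one {attribute: value} dict per LDIF record."""
    unfolded = re.sub(r"\r?\n ", "", text)  # a leading space continues the previous line
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        record = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            record[name.lower()] = value.strip()
        yield record

def find_password_hints(ldif_text):
    """Return (account, description with the value redacted) for likely stored credentials."""
    findings = []
    for rec in parse_ldif(ldif_text):
        desc = rec.get("description", "")
        if CRED.search(desc):
            redacted = CRED.sub(lambda m: m.group(1) + m.group(2) + "***", desc)
            findings.append((rec.get("samaccountname", "?"), redacted))
    return findings

# Constructed sample; not real accounts. The kiosk value is base64, as LDIF uses for non-ASCII text.
_B64 = base64.b64encode("Temp password: Café#2021".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""\
dn: CN=svc-backup,OU=Service,DC=example,DC=test
sAMAccountName: svc-backup
description: Backup service account, pwd=Winter2021!

dn: CN=kiosk01,OU=Kiosk,DC=example,DC=test
sAMAccountName: kiosk01
description:: {_B64}

dn: CN=Help Desk,OU=Staff,DC=example,DC=test
sAMAccountName: helpdesk
description: Resets passwords for staff; see the
  service desk runbook
"""

if __name__ == "__main__":
    for account, description in find_password_hints(SAMPLE_LDIF):
        print(f"{account}: {description}")
```

The help desk record mentions passwords without storing one, so it is not reported; the matched values are redacted so the audit output does not become another place where they are stored.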
SMB signing is a security mechanism that verifies the integrity of SMB packets, ensuring they have not been modified in transit. This setting is not turned on by default for most servers, except for Domain Controllers, leaving those servers open to SMB relay attacks. SMB relay can also occur through forced authentication in shared folders or writable shares, or when captured hashes are redirected to servers without SMB signing, leading to unauthorized access.
The best practice to secure against SMB relay is to implement the Microsoft security baseline Group Policy Objects (GPOs). This will ensure you’ve enabled Microsoft’s latest New Technology LAN Manager (NTLMv2), disabled anonymous SMB access, and removed the outdated SMBv1 protocol. Finally, audit file shares regularly to monitor them for misconfigurations.
Local administrator accounts are troublesome for system administrators because the same account name and password can exist on multiple computers and be used to log into multiple systems. This can compromise the endpoint server, leading to the compromise of the entire enterprise. System administrators need to consider the balance between security and usability.
The recommended solution is to install and implement the Local Administrator Password Solution (LAPS) to protect your local administrator accounts in the enterprise. Also, disable and remove all local administrator access, if possible. An alternative for Windows 10 workstations is to implement Microsoft Endpoint Manager and Azure AD to join the systems only. This helps to avoid the use of local administrator accounts that may be used in a compromise.
To ensure that your enterprise operates smoothly and you don’t have to input your password and username every five seconds to stay logged in, your system is caching your credentials and using them to keep you logged in. Problems occur when organizations using RDS servers have insufficient hardening processes or when domain administrators/privileged accounts log in to untrusted systems. Inadequate Antivirus and Endpoint Detection and Response (AV/EDR) – measures that give privileged users access to the operating system where credentials and hashes are kept – opens another path for hackers to access your cached credentials.
Implementing tiered access to your enterprise by delegating roles, like Server Admin and Workstation Admin, and using a Privileged Access Workstation (PAW) – a unique login ID that can only log into specific servers – can help mitigate the possibility of a credential hack. Applying Microsoft security baseline GPOs in your policy settings and implementing Microsoft Defender for Endpoint offers additional antivirus safeguards, endpoint protection, and mobile threat defense.
Attackers can target a user’s credentials to access your networks in several ways. They can impersonate different services and force the user to access the services through legacy protocols, like Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), and Multicast DNS (mDNS), to capture your hashes/relay credentials. Spoofing your Simple Service Discovery Protocol (SSDP) and Universal Plug and Play (UPnP) devices is another way they coerce forced authentication. They can also hijack your workstation DNS servers and serve malicious Web Proxy Auto-Discovery (WPAD) files to capture hashes/relay credentials.
You can mitigate these risks with GPOs and scripting by disabling your NetBIOS over TCP/IP (NetBT) protocols. You can also add an entry for WPAD in your DNS zone, disable UPnP and TCP/IPv6, if possible, and monitor your network for passwords being transmitted in cleartext.
When organizations merge, there are complex security configurations and processes involved in aligning the domains. The boundary of security is shifted from the domain level to the forest level. This means the main domain is called the forest root, which can have child domains within the forest boundary. Problems can arise when the Domain Controller allows too many two-way trusts, or trusts that lack proper security controls on access to the Active Directory forests. Also, if an attacker can compromise a single machine with unconstrained delegation, like the Domain Controller in a foreign forest, this can be leveraged to compromise your primary forest and every domain within it.
The first step to take to prevent a boundary security breach is to implement a selective domain trust to limit trusted users and groups or, if possible, remove the two-way trust protocols altogether. Next, ensure Security Identifier (SID) history and SID filtering are configured properly, and disable the Kerberos delegation, where possible. Finally, enable the “Account is sensitive and cannot be delegated” attribute for privileged accounts.
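To check the delegation settings mentioned above, an audit can decode each account's `userAccountControl` value. The following is an added example, not code from the webinar; the CSV column layout and the sample accounts are constructed, and treating `adminCount=1` as the marker for privileged accounts is an assumption.

```python
import csv
import io

# userAccountControl bit values as documented by Microsoft.
ACCOUNTDISABLE = 0x2
SERVER_TRUST_ACCOUNT = 0x2000      # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained Kerberos delegation
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"

# Constructed sample in the shape of a CSV export; not real accounts.
SAMPLE_CSV = """sAMAccountName,userAccountControl,adminCount
DC01$,532480,
WEB01$,528384,
FILE02$,4096,
da-alice,512,1
da-bob,1049088,1
old-admin,514,1
"""

def audit_delegation(csv_text):
    """Return sorted (account, finding) pairs for delegation settings that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        name = row["sAMAccountName"]
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts are out of scope for this check
        # Domain controllers carry this flag by default, so only other hosts are reported.
        if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
            findings.append((name, "unconstrained delegation enabled"))
        # Assumption: adminCount=1 marks the privileged accounts to protect.
        if row["adminCount"] == "1" and not (uac & NOT_DELEGATED):
            findings.append((name, "privileged account can be delegated"))
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in audit_delegation(SAMPLE_CSV):
        print(f"{account}: {finding}")
```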
During the webinar, the team discussed the benefits of Microsoft Defender for Endpoint and how continuous penetration testing services can help you become proactive in reducing exposure to drifting. They also presented a checklist of quick do-it-yourself security fixes you can implement within your enterprise. For the full story on these and many more insider tips, watch the webinar Hack Me If You Can.