Active Directory
Penetration testing of Active Directory environments
During a penetration test of an Active Directory environment, the system is examined for security-relevant vulnerabilities from the perspective of an attacker. The investigation focuses on identifying configuration deficiencies in the overall system that can lead to serious privilege escalation or the complete compromise of the Active Directory.
The object of investigation is an on-premises, cloud (Azure AD) or hybrid Microsoft Active Directory environment.
When examining an Active Directory environment, we follow the procedure model of the National Agency for Information Security (CERT-FR) from our neighbors in France.
Why Active Directory Penetration Testing?
Active Directory Domain Services (AD DS) – abbreviated to Active Directory below – is a central directory for managing identities and authorizations within an organization and is a particularly sensitive component. Compromising this system can enable attackers to take control of numerous resources (servers, workstations, databases) within a company.
An organization’s Active Directory is therefore a particular focus of attackers and requires increased attention when hardening the configuration. The more than 20-year history of the product leads to considerable complexity, which can pose a challenge when it comes to security.
The analysts at SmartTECS Cyber Security GmbH therefore bring in the perspective of an attacker in order to identify vulnerabilities in the Active Directory and formulate concrete measures to eliminate them.
Goal
The aims of penetration testing an Active Directory environment are:
the identification of existing weak points
the recommendation of appropriate measures
a determination of the security level
the identification of possible attack paths
In addition to the scope of the test, the specific test objectives and their prioritization are determined individually in advance in consultation with the client and the investigation is adapted accordingly.
General test methodology
The test methodology for testing an Active Directory environment by SmartTECS Cyber Security GmbH is based on the specifications of the German Federal Office for Information Security (BSI) for securing Active Directory [1] and on recommendations from the manufacturer Microsoft [2]. In addition, the checklist of the French National Agency for Information Security (CERT-FR) is used [3].
Next Steps
Once the study has been completed, there are various starting points for effectively continuing the previous analysis.
Red Teaming
As part of a Red Team engagement, the focus can be placed on detecting an attacker in the company network and initiating countermeasures. The aim is to optimize processes and train the defenders (blue team).
Further analyses of the Active Directory
The previous investigations can be extended to other parts of the Active Directory environment.
A repeated analysis
Evolving Active Directory environments
Security consulting
On the basis of the knowledge gained, targeted measures can be taken to raise the security level of the Active Directory environment that go beyond the mere elimination of vulnerabilities. This includes, for example, the implementation of the Enterprise Access Model [4] in accordance with Microsoft’s recommendations or the targeted placement of traps (decoy users/objects) for attackers within the Active Directory.
Sources
[1] Federal Office for Information Security (BSI): Building block for securing Active Directory, https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-GS-Kompendium_Einzel_PDFs_2023/06_APP_Anwendungen/APP_2_2_Active_Directory_Domain_Services_Edition_2023.html
[2] Microsoft: Best Practices for Securing Active Directory, https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
[3] National Agency for Information Security (CERT-FR), France: Active Directory Security Assessment Checklist, https://www.cert.ssi.gouv.fr/uploads/guide-ad.html
[4] Microsoft: Enterprise Access Model, https://learn.microsoft.com/en-us/security/compass/privileged-access-access-model