antifragile/antifragile-consulting/playbooks/ad-endpoint-hardening.md
Tomas Kracmar 763da003d3 Initial commit: antifragile cybersecurity consulting blueprint
Complete repository of frameworks, playbooks, and assessment resources
for cybersecurity consultations focused on antifragile enterprise design.

Includes:
- Core philosophy and manifest (5 pillars)
- 12 modular engagement packages
- AI sovereignty and operations frameworks
- Zero-budget vulnerability discovery and hardening playbooks
- M365 E3 hardening and antifragile project plans
- Osquery sovereign discovery platform blueprint
- Perimeter scanning capability guide
- AI-assisted TVM blueprint for AI-powered adversaries
- Vertical specializations: banking, telco, power/utilities
- CIS Controls v8 and NIST CSF 2.0 mappings
- Risk registers and assessment templates
- C-suite conversation guide and business case templates
2026-05-09 16:53:22 +02:00


# On-Premises AD and Endpoint Hardening Playbook
> *"The cloud gets the glory. Active Directory gets compromised."*

This playbook covers the security of on-premises Active Directory, Windows endpoints, and the identity boundary between on-premises and cloud (hybrid identity). It is designed for consulting engagements where the client maintains on-premises infrastructure alongside M365—common in telco, power, and banking environments.
---
## The On-Premise Reality
Most M365 clients did not start in the cloud. They have:
- Active Directory forests with 10+ years of technical debt
- Group Policy objects (GPOs) that no one dares to change
- Service accounts with passwords set to "never expire"
- Admin accounts that log in from the same workstations as regular users
- Backup systems that have never been tested
- KRBTGT accounts that have never been rotated
Our job is not to shame them. Our job is to **fix the kill chain fast** and give them a path to sustainable hygiene.
---
## Phase 1: AD Kill Chain Assessment (Days 1-7)
### Identity Census
**Export and analyze the full AD estate**:
```powershell
# Requires the RSAT ActiveDirectory module and read access to the domain
Import-Module ActiveDirectory
# All users with the properties the red-flag review needs; multi-valued attributes are joined,
# otherwise Export-Csv writes only their type name
Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, MemberOf |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }, @{ n = 'MemberOf'; e = { $_.MemberOf -join ';' } } |
    Export-Csv ad-users.csv -NoTypeInformation
# All groups whose names suggest privilege (Domain Admins, Account Operators, Backup Operators, server admin groups)
Get-ADGroup -Filter * | Where-Object { $_.Name -match "admin|operator|backup|account|server" } |
    Export-Csv ad-priv-groups.csv -NoTypeInformation
# All computer accounts
Get-ADComputer -Filter * -Properties LastLogonDate, OperatingSystem | Export-Csv ad-computers.csv -NoTypeInformation
# Service accounts (have an SPN, or a description indicating service use)
Get-ADUser -Filter { ServicePrincipalName -like "*" } -Properties ServicePrincipalName, Description |
    Select-Object SamAccountName, Enabled, Description, @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Export-Csv ad-spns.csv -NoTypeInformation
```
**What to look for**:
| Red Flag | Risk | Action |
|----------|------|--------|
| Accounts with PasswordNeverExpires = $true | Credential stuffing goldmine | Force rotation; justify exceptions |
| Admin accounts with last logon > 90 days | Stale, possibly compromised | Disable; verify with owner |
| Users in Domain Admins who should not be | Lateral movement path | Remove; document justification for remaining |
| Computer accounts with last logon > 180 days | Ghost machines, easy targets | Disable; purge after 30 days |
| Service accounts with interactive logon | Violation of principle | Convert to managed service accounts or gMSA |
| Duplicate SPNs | Kerberos authentication failures, potential attack vector | Fix immediately |
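
To make the red-flag table a repeatable check rather than a spreadsheet exercise, here is an added PowerShell script (not part of the playbook) that queries the live domain for four of its rows: never-expiring passwords, stale Domain Admins, ghost computers and duplicate SPNs. It assumes the RSAT ActiveDirectory module and read access to the domain; the 90- and 180-day thresholds are the table's own.

```powershell
# Added example: apply the red-flag table to a live domain (assumes RSAT ActiveDirectory module)
Import-Module ActiveDirectory
$now = Get-Date

# Row 1: enabled accounts whose password never expires
$neverExpire = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# Row 2: Domain Admins (nested membership included) with no logon in 90 days, or no recorded logon at all
$staleAdmins = Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $now.AddDays(-90) } |
    Select-Object SamAccountName, Enabled, LastLogonDate

# Row 4: enabled computer accounts silent for 180 days
$ghosts = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate, OperatingSystem |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $now.AddDays(-180) } |
    Select-Object Name, OperatingSystem, LastLogonDate

# Row 6: the same SPN registered on more than one object (users and computers alike)
$spnOwners = @{}
Get-ADObject -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName | ForEach-Object {
    foreach ($spn in $_.ServicePrincipalName) { $spnOwners[$spn] += @($_.DistinguishedName) }
}
$dupSpns = $spnOwners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { [pscustomobject]@{ SPN = $_.Key; Owners = $_.Value -join '; ' } }

# One finding per row, so the engagement report and the client's ticket queue line up
$findings = @(
    [pscustomobject]@{ RedFlag = 'PasswordNeverExpires';       Count = @($neverExpire).Count; Items = $neverExpire }
    [pscustomobject]@{ RedFlag = 'Stale Domain Admins (>90d)'; Count = @($staleAdmins).Count; Items = $staleAdmins }
    [pscustomobject]@{ RedFlag = 'Ghost computers (>180d)';    Count = @($ghosts).Count;      Items = $ghosts }
    [pscustomobject]@{ RedFlag = 'Duplicate SPNs';             Count = @($dupSpns).Count;     Items = $dupSpns }
)
$findings | Select-Object RedFlag, Count | Format-Table -AutoSize
foreach ($f in $findings) {
    $f.Items | Export-Csv "finding-$($f.RedFlag -replace '[^\w]+', '-').csv" -NoTypeInformation
}
```

Interactive logons by service accounts (row 5) are not visible in AD attributes; that row needs Security log evidence, as in the Tier 0 logon check later in this phase.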
### Privileged Access Assessment
**Map the tier model** (if it exists) or establish one:
| Tier | Scope | Examples |
|------|-------|----------|
| Tier 0 | Controls AD and identity | Domain Admins, Enterprise Admins, Schema Admins, Account Operators, KRBTGT |
| Tier 1 | Controls server workloads | Server Admins, Database Admins, Backup Operators |
| Tier 2 | Controls workstations | Workstation Admins, Help Desk |
**Immediate actions**:
- Remove Account Operators, Backup Operators, Print Operators from Tier 0 equivalents if possible (these groups have dangerous default permissions)
- Ensure no Tier 0 account ever logs on to a Tier 2 device (workstation)
- Document every member of Domain Admins with business justification
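
"No Tier 0 account ever logs on to a workstation" is only enforceable if you can see violations. The following added script (not from the playbook) resolves Tier 0 group membership and then reads Security event 4624 from each workstation for logons by those accounts with a logon type that leaves reusable credentials on the device. It assumes the RSAT ActiveDirectory module, rights to read the remote Security log, and the workstation OU path used in the LAPS section.

```powershell
# Added example: evidence of Tier 0 accounts logging on to Tier 2 devices
# Assumes RSAT ActiveDirectory, remote Security-log read rights, and the OU below
Import-Module ActiveDirectory
$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators'
$tier0Users  = $tier0Groups | ForEach-Object { Get-ADGroupMember $_ -Recursive -ErrorAction SilentlyContinue } |
    Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName -Unique

function Find-Tier0Logon {
    param([string]$ComputerName, [int]$Days = 30)
    # Logon types that leave reusable credentials on the device: 2 interactive, 7 unlock, 10 RDP
    $credentialTypes = 2, 7, 10
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $event = $_
        $data  = @{}
        # Flatten the EventData name/value pairs of the 4624 record
        foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetUserName -in $tier0Users -and [int]$data.LogonType -in $credentialTypes) {
            [pscustomobject]@{
                Time      = $event.TimeCreated
                Computer  = $ComputerName
                Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType = $data.LogonType
                Source    = $data.IpAddress
            }
        }
    }
}

# Sweep the workstation OU; every row is a Tier 0 credential that was exposed on a Tier 2 device
Get-ADComputer -SearchBase 'OU=Workstations,DC=corp,DC=example,DC=com' -Filter 'Enabled -eq $true' |
    ForEach-Object { Find-Tier0Logon -ComputerName $_.DNSHostName } |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

Once Sysmon and log forwarding (Phase 2) are in place, run the same logic centrally against the forwarded 4624 events instead of polling each workstation.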
### The KRBTGT Account
The KRBTGT account is the **cryptographic foundation of the entire Kerberos realm**. Its password hash is used to sign all Kerberos tickets. If an adversary has this hash, they have permanent golden ticket capability.
**Check last password change**:
```powershell
Get-ADUser krbtgt -Properties PasswordLastSet
```
- If last changed > 180 days ago: **rotate immediately**
- If never changed (common in old forests): **rotate immediately, but plan carefully**
**Rotation procedure** (do not do this during business hours without planning):
```powershell
# Requires Domain Admin; reset twice with ~10 hours between (replication window) so every DC holds
# the new key before the previous one stops being accepted.
# Reset-KrbtgtKeyInteractive is a function defined by Microsoft's legacy KRBTGT reset script,
# not a built-in cmdlet: dot-source that script in the session first.
Reset-KrbtgtKeyInteractive -Domain "corp.example.com"
```
Or use the Microsoft KRBTGT rotation script: `https://github.com/microsoft/New-KrbtgtKeys.ps1`
**Warning**: Rotating KRBTGT invalidates all existing Kerberos tickets. Users will need to re-authenticate. Plan for:
- Off-hours execution
- Service account impact (may need restart)
- VPN reconnection requirements
---
## Phase 2: Endpoint Hardening (Days 8-14)
### Microsoft Defender Antivirus (E3 Baseline)
E3 includes Defender Antivirus but **not** the advanced EDR features. Maximize what you have:
**Enable all protection features** (often disabled by previous AV migration):
```powershell
# Check current state
Get-MpPreference | Select-Object Disable*, Exclusion*
# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
# Enable behaviour monitoring
Set-MpPreference -DisableBehaviorMonitoring $false
# Enable network protection (blocks malicious IPs/URLs at network layer)
Set-MpPreference -EnableNetworkProtection Enabled
# Attack surface reduction (ASR) rules: start in audit mode so would-be blocks are logged
# (Defender operational log, event 1122) without disrupting users. Rules are addressed by GUID, and
# -AttackSurfaceReductionRules_Ids must be passed together with -AttackSurfaceReductionRules_Actions
# Note: Defender for Endpoint adds central ASR reporting and management; audit logging works locally on E3
Set-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 `
    -AttackSurfaceReductionRules_Actions AuditMode   # rule: block credential stealing from LSASS
```
**Update signatures and engine**:
```powershell
Update-MpSignature
# Confirm the engine and signature versions actually moved
Get-MpComputerStatus | Select-Object AMEngineVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated
```
### Sysmon Deployment (Free Telemetry)
Since E3 lacks EDR, **Sysmon is non-negotiable**. It provides process creation, network connections, driver loading, and file creation telemetry.
**Deployment**:
1. Download Sysmon from Microsoft Sysinternals
2. Use the SwiftOnSecurity configuration: `sysmonconfig-export.xml`
3. Deploy via GPO or Intune:
   ```cmd
   sysmon.exe -accepteula -i sysmonconfig-export.xml
   ```

**Log forwarding**: Configure Windows Event Forwarding (WEF) or use a free log collector (Wazuh agent, nxlog) to centralize Sysmon logs.
### LAPS (Local Administrator Password Solution)
LAPS is **free from Microsoft** and essential. It randomizes local admin passwords per machine and stores them securely in AD.
**Deployment**:
1. Download LAPS from Microsoft
2. Extend AD schema (one-time, irreversible):
   ```powershell
   # Run from a machine with the LAPS management tools installed; requires Schema Admins membership
   Import-Module AdmPwd.PS
   Update-AdmPwdADSchema
   ```
3. Set permissions for computer self-write:
   ```powershell
   Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Workstations,DC=corp,DC=example,DC=com"
   ```
4. Set read permissions for authorized admins only:
   ```powershell
   Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Workstations,DC=corp,DC=example,DC=com" -AllowedPrincipals "HelpDesk-Admins"
   ```
5. Deploy LAPS client via GPO

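
"LAPS deployed to all workstations" on the checklist needs proof. Here is an added coverage and read-rights audit (not part of the playbook) for the legacy LAPS attributes: machines in the workstation OU with no password set or an expired one are machines the client-side extension never reached, and the extended-rights query shows who can actually read the passwords. It assumes the RSAT ActiveDirectory and AdmPwd.PS modules on the admin workstation and the OU path used above.

```powershell
# Added example: LAPS coverage and read-rights audit for the workstation OU (legacy LAPS attributes)
# Assumes RSAT ActiveDirectory plus the AdmPwd.PS module on the admin workstation
Import-Module ActiveDirectory
Import-Module AdmPwd.PS
$ou     = 'OU=Workstations,DC=corp,DC=example,DC=com'
$active = (Get-Date).AddDays(-30)          # only machines seen in the last 30 days are expected to be covered
$nowUtc = (Get-Date).ToUniversalTime()

# ms-Mcs-AdmPwdExpirationTime is readable without password-read rights, so any admin account can run this
$computers = Get-ADComputer -SearchBase $ou -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, 'ms-Mcs-AdmPwdExpirationTime'

$coverage = foreach ($c in $computers) {
    $raw     = $c.'ms-Mcs-AdmPwdExpirationTime'   # FILETIME stored as a large integer
    $expires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
    if (-not $raw)                 { $state = 'MISSING' }   # client never ran: GPO / CSE not applied
    elseif ($expires -lt $nowUtc)  { $state = 'EXPIRED' }   # client stopped rotating
    else                           { $state = 'OK' }
    [pscustomobject]@{
        Name      = $c.Name
        LastLogon = $c.LastLogonDate
        Expires   = $expires
        State     = $state
    }
}

# Gaps: recently active machines that are not covered
$coverage | Where-Object { $_.State -ne 'OK' -and $_.LastLogon -gt $active } |
    Sort-Object State, Name | Format-Table -AutoSize

# Who can actually read the passwords? Anything beyond the intended admin group is a finding.
Find-AdmPwdExtendedRights -Identity $ou | Select-Object ObjectDN, ExtendedRightHolders | Format-List
```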
**The conversation**:
> *"Every workstation with the same local admin password is a domino. If I compromise one, I own them all. LAPS makes every password unique and rotates it automatically. It is free, from Microsoft, and takes one day to deploy."*
### Windows Firewall Hardening
Enable and log all profiles:
```powershell
# Enable all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
# Enable logging for dropped packets
Set-NetFirewallProfile -Profile Domain,Public,Private -LogBlocked True -LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
```
**Block inbound by default** except:
- RDP (only via jump host or PAW)
- SMB (only server-to-server, block workstation inbound)
- Required application ports (documented)
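
The profile settings above only enable the firewall; the default-deny and the three exception classes still have to be expressed as rules. The following is an added workstation configuration (not from the playbook) that blocks inbound by default, allows RDP only from a PAW / jump-host subnet, blocks inbound SMB explicitly, and creates one named rule per documented application port. The subnet 10.10.0.0/24 and port 8443 are placeholders for the client's values.

```powershell
# Added example: default-deny inbound on workstations with the three exception classes above
# 10.10.0.0/24 stands in for the PAW / jump-host subnet, 8443 for a documented application port
$pawSubnet       = '10.10.0.0/24'
$documentedPorts = @{ 'Endpoint agent check-in' = 8443 }   # justification -> port, from the client's documentation

# Default-deny inbound on all three profiles, keep outbound open
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Allow

# RDP: only from the PAW subnet, only while on the domain profile
New-NetFirewallRule -DisplayName 'Hardening: RDP from PAW only' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $pawSubnet -Profile Domain
# The stock Remote Desktop rules allow RDP from anywhere; disable them so they cannot widen the exception
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Where-Object DisplayName -notlike 'Hardening:*' | Disable-NetFirewallRule

# SMB: workstations never accept inbound SMB (an explicit Block wins over any Allow rule that creeps in later)
New-NetFirewallRule -DisplayName 'Hardening: block inbound SMB' -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 445 -Profile Any
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound | Disable-NetFirewallRule

# Documented application ports: one named rule each, so the justification travels with the rule
foreach ($entry in $documentedPorts.GetEnumerator()) {
    New-NetFirewallRule -DisplayName "Hardening: $($entry.Key)" -Description 'Documented exception' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $entry.Value -Profile Domain
}

# Verify: profile defaults and the rules this playbook owns
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked | Format-Table -AutoSize
Get-NetFirewallRule -DisplayName 'Hardening:*' | Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
```

Servers get the same pattern with their tier's admin subnet in place of the PAW subnet and SMB allowed only from the server segments that need it.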
### Credential Guard and Device Guard (Where Hardware Supports)
Credential Guard isolates LSASS to prevent credential theft (Mimikatz-style attacks).
**Requirements**: UEFI 2.3.1c+, Secure Boot, TPM 2.0, Hyper-V Hypervisor
**Enable via GPO**:
- Computer Configuration → Administrative Templates → System → Device Guard → Turn On Virtualization Based Security
- Enable Credential Guard
**Banking/telco/power**: These sectors often have hardware that supports Credential Guard. Enable it. It is free and dramatically reduces credential theft risk.
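
A GPO that turns Credential Guard on is not the same as Credential Guard running: missing Secure Boot or hypervisor support leaves the policy configured but inactive. Here is an added check (not from the playbook) that reads the Win32_DeviceGuard class and, across the workstation OU, lists capable hardware where Credential Guard is still not running. It assumes the root\Microsoft\Windows\DeviceGuard WMI namespace (Windows 10/11, Server 2016 and later), WinRM to the targets, and the OU path used in the LAPS section.

```powershell
# Added example: verify VBS and Credential Guard are actually running, not just configured by GPO
# Assumes the DeviceGuard WMI namespace on the targets and WinRM access to them
function Get-CredentialGuardState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $dg = Get-CimInstance -ComputerName $ComputerName -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction Stop
    # Value meanings from the Win32_DeviceGuard class:
    #   SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running
    #   AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot
    [pscustomobject]@{
        Computer            = $ComputerName
        HypervisorCapable   = $dg.AvailableSecurityProperties -contains 1
        SecureBoot          = $dg.AvailableSecurityProperties -contains 2
        VbsRunning          = $dg.VirtualizationBasedSecurityStatus -eq 2
        CredGuardConfigured = $dg.SecurityServicesConfigured -contains 1
        CredGuardRunning    = $dg.SecurityServicesRunning -contains 1
    }
}

# Fleet view: capable hardware where Credential Guard is not running is the action list for this section
Import-Module ActiveDirectory
Get-ADComputer -SearchBase 'OU=Workstations,DC=corp,DC=example,DC=com' -Filter 'Enabled -eq $true' |
    ForEach-Object { try { Get-CredentialGuardState -ComputerName $_.DNSHostName } catch { } } |
    Where-Object { $_.HypervisorCapable -and $_.SecureBoot -and -not $_.CredGuardRunning } |
    Format-Table -AutoSize
```

A machine that reports CredGuardConfigured but not CredGuardRunning usually needs a reboot or a BIOS change (Secure Boot / virtualization extensions) rather than another GPO push.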
---
## Phase 3: Network Segmentation and Boundary (Days 15-21)
### The Active Directory Perimeter
Most AD environments are "flat": every workstation can reach every server, every VLAN trusts every other VLAN. This is the kill chain.
**Segmentation priorities** (work with existing network team):
| Segment | What It Contains | Access Rules |
|---------|-----------------|--------------|
| Tier 0 | Domain controllers, AD admin jump hosts | No inbound from Tier 1 or 2. Admin access only from PAWs. |
| Tier 1 | Servers, databases, applications | No inbound from Tier 2 (workstations) except required application ports. |
| Tier 2 | Workstations, user devices | Internet and internal app access only. No direct server admin access. |
| Management | Monitoring, backup, patch management | Outbound to all tiers for management traffic. Inbound restricted to admin sources. |
| OT Boundary | SCADA, ICS, control systems | **Air-gapped or one-way diode**. If integration required, use data diode or unidirectional gateway. |
### DNS Security
DNS is the most underrated security control. Most malware needs DNS to find its command and control.
**Immediate actions**:
- Point all endpoints to a DNS resolver with filtering:
  - **Quad9** (9.9.9.9) — free, blocks known malicious domains
  - **Cloudflare for Teams** (free tier) — filtering + logging
  - **Microsoft DNS security** (if available)
- Enable DNS query logging on internal DNS servers
- Block DNS over HTTPS (DoH) at the firewall unless using a managed DoH provider (prevents DNS tunneling evasion)
### Network Monitoring on a Budget
**Zeek (formerly Bro)** — open-source network analysis framework:
- Deploy on a SPAN port or network tap at internet boundary
- Provides connection logs, DNS logs, HTTP logs, SSL certificate logs
- Feed into Wazuh, Splunk Free, or Elastic Stack
**Suricata** — open-source IDS/IPS:
- Deploy at internet boundary and critical internal segments
- Use Emerging Threats Open ruleset (free)
- Alert on known malicious indicators
**The conversation**:
> *"You do not need a $100,000 NDR platform to see malicious traffic. You need a SPAN port, an old server, and Zeek. We will show you the connections your firewall is allowing that it should not be."*
---
## Phase 4: Hybrid Identity Security (Days 22-30)
### Azure AD Connect Health
Most on-premises AD environments are synchronized to Entra ID (Azure AD) via Azure AD Connect.
**Immediate hardening**:
- **Secure the Azure AD Connect server**: Treat it as Tier 0. No interactive logon except admins.
- **Enable PTA (Pass-Through Authentication) or PHS (Password Hash Sync) + Seamless SSO**: Evaluate which is appropriate
  - PHS: Better resilience (can authenticate even if AAD Connect is down)
  - PTA: Passwords never leave premises (some regulatory preference)
- **Enable password hash synchronization even if using PTA**: Provides fallback auth and enables Identity Protection detections if you later upgrade to P2
- **Enable Seamless SSO**: Reduces password prompts, improves MFA adoption
**Azure AD Connect configuration audit**:
```powershell
# On the AAD Connect server
Get-ADSyncScheduler
Get-ADSyncConnector
```
Verify:
- Only required OUs are syncing
- No accidental filtering exclusions that hide accounts
- The sync account has minimal necessary permissions
### AD FS (If Present)
AD FS is a **high-value target**. If compromised, the adversary controls federation for all cloud apps.
**Immediate hardening**:
- **Upgrade to latest supported version** (AD FS 2019 or later)
- **Enable Extranet Lockout**: Prevents brute force against AD FS from the internet
- **Enable PPR (Protection Against Password Reuse) / Smart Lockout**
- **Require MFA for AD FS extranet access** (if MFA infrastructure exists)
- **Review relying party trusts**: Remove stale or unknown trusts
- **Enable AD FS audit logging**: Forward to SIEM
**The conversation**:
> *"If I compromise AD FS, I do not need to crack your passwords. I just federate myself as an administrator. AD FS is Tier 0. Treat it accordingly."*
---
## OT / Critical Infrastructure Specifics (Telco, Power)
### The IT/OT Boundary
In power and telco environments, the AD forest often extends closer to OT than it should.
**Rules**:
- OT networks must not trust IT AD forests directly
- If Active Directory is required in OT, use a **separate forest** with one-way trust or no trust
- SCCM / Intune patch management for OT systems must be on a separate hierarchy
- Administrative credentials for OT must never be used on IT workstations
### Control System Workstations
- Engineering workstations (EWS) and operator stations (HMI) must run **application whitelisting** (AppLocker or third-party)
- USB ports: disabled or strictly controlled
- No internet access from OT VLANs
- Antivirus signatures updated via offline mechanism, not direct internet
### NIS2 and Critical Infrastructure
For EU critical infrastructure (power, telco):
- Incident reporting to CSIRT/NIS authority within 24-72 hours
- Supply chain security: document every vendor with AD or network access
- Encryption: data at rest and in transit for sensitive systems
- Multi-factor authentication for all remote access to critical systems
See [Vertical: Power Utilities](../reference/vertical-power-utilities.md) for comprehensive OT alignment.
---
## Banking Specifics
### Privileged Access for Financial Data
- Database administrators with access to core banking systems: **vault all credentials**, require dual authorization
- SWIFT infrastructure: isolated network, dedicated workstations, no internet
- Audit trails for all financial transaction system access: immutable, 7+ years retention
### Regulatory Alignment
| Regulation | AD/Endpoint Implication |
|-----------|------------------------|
| **PSD2** | Strong authentication for payment service users; MFA for internal payment systems |
| **DORA** | ICT risk management includes identity and access; recovery testing mandatory |
| **GDPR** | Access to personal data must be logged, justified, and time-bounded |
| **NIS2** (for systemic banks) | Incident reporting, supply chain risk management, encryption |
See [Vertical: Banking](../reference/vertical-banking.md) for comprehensive regulatory alignment.
---
## 30-Day Checklist for AD/Endpoint Engagements
- [ ] Full AD identity census exported and analyzed
- [ ] KRBTGT password rotation completed (or scheduled with plan)
- [ ] All privileged groups documented and justified
- [ ] LAPS deployed to all workstations
- [ ] Sysmon deployed to all Windows endpoints
- [ ] Defender Antivirus fully enabled and updated
- [ ] Windows Firewall enabled and logging on all endpoints
- [ ] DNS filtering deployed (Quad9 / Cloudflare)
- [ ] Network segmentation plan documented (even if not fully implemented)
- [ ] Azure AD Connect server secured and audited
- [ ] AD FS hardened (if present)
- [ ] Backup of AD System State tested (verify you can restore a DC)
- [ ] Credential Guard enabled on capable hardware
---
*Previous: [M365 E3 Hardening](m365-e3-hardening.md)*
*Next: [Implementation Playbook](implementation-playbook.md)*