How to Efficiently Protect Active Directory from Credential Theft & Large Scale Compromise – An Approach Based on Real-World Expertise presented at Troopers 2015

by Friedwart Kuhn

Summary: Credential theft and Pass-the-Hash (PtH) attacks are current threats to Active Directory environments. This is not simply due to Microsoft's implementation of weak protocols (such as LM, NTLMv1 and WDigest) but mainly due to Single Sign-On (SSO) requirements in environments that run several authentication protocols side by side. Microsoft's official position is now "assume breach". But, assuming breach, how should you efficiently protect your Active Directory from credential theft and large-scale compromise? To answer this, operationally feasible solutions will be presented and concisely characterized against the background of so-called 'green table' controls, which often cannot be implemented because of the gap between them and real-world operations (for example "Rebuild your Active Directory"). It will be shown that there is a way and what it looks like, but that this way is (probably) a long-term process requiring organizational and operational changes together with some important technical controls. Going that way can lead to sustainable and secure operation of Active Directory environments, defeating credential theft and PtH attacks at the root.
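The three weak protocols named above each map to a local setting that decides whether a host still hands an attacker LM hashes, NTLMv1 responses or WDigest plaintext credentials. The following audit script is an added example and is not part of the talk or its abstract; the function name, the expected values and the treatment of absent registry values are this example's own choices. It assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later, and that KB2871997 is installed on systems older than Windows 8.1 / Server 2012 R2 (otherwise the WDigest UseLogonCredential value has no effect there).

```powershell
# Added example (not from the Troopers 2015 talk or its author): audit the local
# settings behind the weak protocols named in the abstract (LM, NTLMv1, WDigest)
# and report which ones still expose reusable credentials on this host.
# Assumptions: run elevated; Windows 7 / 2008 R2 or later; KB2871997 present on
# pre-8.1 systems. The function name and expected values are this example's own.

function Test-CredentialTheftHardening {
    [CmdletBinding()]
    param()

    $lsaPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # Read a DWORD if present; $null means the value is absent and the OS default applies.
    function Get-RegDword([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $checks = @(
        @{
            Setting   = 'LM hash storage (NoLMHash)'
            Value     = Get-RegDword $lsaPath 'NoLMHash'
            Expected  = 1
            # Vista and later do not store LM hashes by default; only an explicit 0 re-enables them.
            Compliant = { param($v) ($v -eq $null) -or ($v -eq 1) }
            Fix       = "Set-ItemProperty -Path '$lsaPath' -Name NoLMHash -Type DWord -Value 1"
        },
        @{
            Setting   = 'LAN Manager authentication level (LmCompatibilityLevel)'
            Value     = Get-RegDword $lsaPath 'LmCompatibilityLevel'
            Expected  = 5
            # 5 = send NTLMv2 only and refuse LM and NTLMv1 as a server. The Windows 7 /
            # 2008 R2 default of 3 sends NTLMv2 only but still accepts NTLMv1 from clients,
            # so anything other than an explicit 5 is reported as non-compliant.
            Compliant = { param($v) $v -eq 5 }
            Fix       = "Set-ItemProperty -Path '$lsaPath' -Name LmCompatibilityLevel -Type DWord -Value 5"
        },
        @{
            Setting   = 'WDigest plaintext caching (UseLogonCredential)'
            Value     = Get-RegDword $wdigestPath 'UseLogonCredential'
            Expected  = 0
            # On Windows 7 / 2008 R2 / 8 / 2012 an absent value means caching is ON;
            # on 8.1 / 2012 R2 and later the default is off. The check deliberately
            # demands an explicit 0 so that the result is the same on every OS version.
            Compliant = { param($v) $v -eq 0 }
            Fix       = "Set-ItemProperty -Path '$wdigestPath' -Name UseLogonCredential -Type DWord -Value 0"
        }
    )

    foreach ($c in $checks) {
        [PSCustomObject]@{
            Setting   = $c.Setting
            Current   = if ($c.Value -eq $null) { '<not set>' } else { $c.Value }
            Expected  = $c.Expected
            Compliant = & $c.Compliant $c.Value
            Fix       = $c.Fix
        }
    }
}

# Usage: show the full picture, then only the settings that still need the fix command.
Test-CredentialTheftHardening | Format-Table -AutoSize
Test-CredentialTheftHardening | Where-Object { -not $_.Compliant } | Select-Object Setting, Fix
```

The script only reports and prints the corresponding Set-ItemProperty command; it does not change anything by itself, because LmCompatibilityLevel 5 breaks authentication from clients that can only speak LM or NTLMv1 and should be rolled out per tier after checking NTLM audit logs. These settings are a narrow, per-host piece of the technical controls the abstract refers to: disabling WDigest caching and NTLMv1 removes the cheapest credential material from LSASS, but they do nothing against the SSO-driven reuse of NT hashes and Kerberos tickets that the organizational and operational changes in the talk are meant to contain.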