00:00 - Introduction
01:49 - Active Directory Best Practices to Frustrate Attackers
03:55 - Infrastructure Overview
04:50 - AWS Quick Start
07:09 - AWS vs. Pentesters
09:51 - More Overview
11:30 - "Domains" Overview
15:54 - Naming Conventions - Users
18:27 - Naming Conventions - File Shares
20:19 - Naming Conventions - Groups
22:22 - Naming Conventions - JUGULAR
27:14 - Group Policies Summary
28:35 - Default Domain Policy
28:55 - Can you keep a secret? GPP can't. Neither can Sysvol
30:13 - This is Microsoft Failing Us All
31:15 - Host Based Firewalls Everywhere
33:55 - Minimum Password Requirements
38:13 - Password Policy
38:34 - Disable Weak Password Storage
40:31 - Attack Tactics
44:08 - LLMNR - Attacks
44:20 - LLMNR - Disable It
44:47 - More on LAPS
45:06 - Last LAPS Slide
45:49 - Application Whitelisting
46:50 - PowerShell and CMD Restrictions
49:03 - Sessions Left Lying Around
51:40 - Last Minute Things

Description: Join Jordan and Kent as they walk through an Active Directory best practices environment. The deployment includes two Amazon Web Services (AWS) Active Directory Domain Controllers in a multi-availability zone configuration. The best practices will also cover some AWS basics, deploying your domain in the cloud, and lots more. Sysmon? Yeah! Password policy? Yeah! Naming conventions? Yeah! ACLs? Yeah! And much, much more.
Slides available here: https://blackhillsinformationsecurity.shootproof.com/gallery/7214618/