
Active Directory data(base) security

Pau Lo asked on
In any of your security/Active Directory audits, have you ever come across access to the NTDS.DIT database (e.g. backups?) external to the domain controllers themselves? For example, I have found instances of backups of sensitive SQL databases on everyone-accessible shares in audits of years gone by, which got me thinking that it would be useful to get experiences from your penetration tests/vulnerability assessments/security audits etc. – whether it is common to find access to NTDS.DIT data, domain password hashes etc. in ‘unprotected’ locations across your network?
Any horror stories are most welcome, to help gauge realistically whether this is something that does happen. Or, in your experience as AD admins, have you ever come across instances where the database may be ‘overly accessible’ and therefore pose a serious security risk? We can obviously audit who has administrator access to the domain controllers themselves to check that it is appropriately restricted, but is that enough, and is that everything you should check for peace of mind that access to the database is controlled? I suspect that may only be part of the picture, but as I don't work as an AD admin it is worth getting ideas from support personnel who look after AD, as we are trying to map out where else the database could reside so we can check permissions etc. For info, they are VMs running on ESXi host servers.

There are a few ideas in here, but it's fairly common sense:
https://www.ultimatewindowssecurity.com/blog/default.aspx?d=10/2017
The best way to stay protected against this attack is to limit the number of users who can log onto Domain Controllers, including commonly protected groups such as Domain and Enterprise Admins, but also Print Operators, Server Operators, and Account Operators. These groups should be limited, monitored for changes, and frequently recertified.
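As an added audit example (not from the original post or the linked blog), the script below addresses the asker's question of where copies of the database might reside: it walks a set of shares for files that could contain NTDS.DIT (the file itself, a Windows Backup set, or a disk image of a DC virtual machine, since the asker's DCs run on ESXi) and reports any NTFS ACE that grants access to a broad principal. The share paths and file patterns are placeholders/assumptions to be adapted to your environment.

```powershell
# Added audit example, not from the original post. Share roots below are
# placeholders; replace them with the shares you want to inspect.
$ShareRoots = @('\\FILESRV01\Backups', '\\FILESRV01\Public')

# File names that may hold the directory database: the file itself, a Windows
# Backup set, or a disk image of a domain controller VM (assumed patterns).
$Patterns = @('ntds.dit', '*.bkf', '*.vmdk', '*.vhdx')

# Principals that make a copy effectively readable by everyone on the network.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', '*\Domain Users', '*\Domain Computers')

function Test-BroadPrincipal {
    param([string]$Identity)
    foreach ($p in $BroadPrincipals) { if ($Identity -like $p) { return $true } }
    return $false
}

$Findings = foreach ($root in $ShareRoots) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Unreachable: $root"; continue }
    # -Include only filters when combined with -Recurse.
    $files = Get-ChildItem -LiteralPath $root -Recurse -File -Include $Patterns -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $acl = Get-Acl -LiteralPath $f.FullName
        foreach ($ace in $acl.Access) {
            # Only Allow entries for broad principals are findings; Deny entries are not.
            if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    Path      = $f.FullName
                    SizeMB    = [math]::Round($f.Length / 1MB, 1)
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Owner     = $acl.Owner
                }
            }
        }
    }
}

if ($Findings) { $Findings | Sort-Object Path | Format-Table -AutoSize }
else { 'No AD database copies with broad NTFS access found under the listed shares.' }
```

This checks NTFS permissions only; share-level permissions (e.g. Get-SmbShareAccess on the file server) and backup-software repositories that are not exposed as plain shares need a separate check.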


ASKER CERTIFIED SOLUTION
David Johnson, CD