In any of your security/Active Directory audits, have you ever come across access to the NTDS.DIT database (e.g. backups?) external to the domain controllers themselves? E.g. I have found instances of backups of sensitive SQL databases on everyone-accessible shares in audits of years gone by, which got me thinking that it would just be useful to get experiences from your penetration tests/vulnerability assessments/security audits etc. – whether it is common to find access to NTDS.DIT data, domain password hashes etc. in ‘unprotected’ locations across your network?
Any horror stories most welcome, to help gauge realistically if this is something that does happen, or in your experience as AD admins have you ever come across instances where the data(base) may be ‘overly accessible’ and therefore pose a serious security risk? We can obviously audit who has administrator access to the domain controllers themselves to check that is appropriately restricted, but is that enough, and is it everything you should check for peace of mind that access to the data(base) is controlled? I suspect that may only be part of the picture, but as I don't work as an AD admin it is worth getting ideas from support personnel who look after AD, as we are trying to map out where else the data(base) could reside to check permissions etc. For info, they are VMs running on ESXi host servers.
There are a few ideas in here, but it's fairly common sense: https://www.ultimatewindowssecurity.com/blog/default.aspx?d=10/2017
The best way to stay protected against this attack is to limit the number of users who can log onto Domain Controllers, including commonly protected groups such as Domain and Enterprise Admins, but also Print Operators, Server Operators, and Account Operators. These groups should be limited, monitored for changes, and frequently recertified.
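One way to put the "limited, monitored for changes, and frequently recertified" advice into practice is a scheduled PowerShell check that records the approved membership of those groups and reports any drift. This is an added example, not code from the thread or the linked article; it assumes the RSAT ActiveDirectory module is installed, read access to the domain, and a baseline file location under ProgramData that you can change.

```powershell
# Added example: audit membership of the groups that can log on to DCs
# against a recorded baseline. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# The groups the article names as able to log on to domain controllers.
$DcLogonGroups = @(
    'Domain Admins',
    'Enterprise Admins',     # exists only in the forest root domain
    'Print Operators',
    'Server Operators',
    'Account Operators'
)

# Assumed location for the recorded baseline; adjust to your environment.
$BaselinePath = "$env:ProgramData\ADAudit\dc-logon-groups-baseline.csv"

function Get-DcLogonGroupMembership {
    foreach ($group in $DcLogonGroups) {
        try {
            # -Recursive expands nested groups so indirect members are counted too.
            Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Group       = $group
                        Member      = $_.SamAccountName
                        ObjectClass = $_.objectClass
                    }
                }
        } catch {
            # Enterprise Admins is absent outside the forest root; report and continue.
            Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        }
    }
}

$current = Get-DcLogonGroupMembership

if (-not (Test-Path $BaselinePath)) {
    # First run: record the membership you have just reviewed and approved.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath"
    return
}

$baseline = Import-Csv -Path $BaselinePath
# Compare on Group+Member: '=>' is a member added since the baseline, '<=' one removed.
Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Group, Member |
    Sort-Object Group, SideIndicator |
    Select-Object Group, Member,
        @{ Name = 'Change'; Expression = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } }
```

Re-run the script after each recertification with the baseline file removed so the approved state is recorded afresh; an empty result in between means no membership drift.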