Introduction to AD attacks and prevention measures 2

Source: Internet
Author: User
Tags: ad, server, to domain

Following the previous article on common AD attacks and preventive measures, this article continues with further AD attacks and the measures that prevent them.

Attack 4: DoS attacks based on excessive creation of AD objects

A user who has been granted permission to create AD objects can mount a DoS attack against AD simply by creating too many of them. For example, a user authorized to create objects can keep creating them until the domain controller's disk space is exhausted and the AD service fails. Similarly, a user authorized to modify a group can use a single command to add thousands of members to it, which can also bring the server down.

Attack 4 Prevention Measures

To prevent such attacks, be especially careful about who is granted permission to create AD objects. You can also use the AD object quota feature of Windows Server 2003; the quota function available in Windows 2000 is far more limited.

An AD object quota limits the number of objects that a given security principal may own in a naming context (NC, also called a directory partition). Each NC sets and tracks its quotas independently. Quotas cannot be defined in the schema NC. For every other NC you can define a default quota; if no default is defined, there is no limit.

Tombstone objects owned by a security principal also count against its quota. A tombstone is the temporary remnant left when an AD object is deleted; it exists so that the deletion replicates consistently between domain controllers. For each NC you can set a tombstone quota factor that determines how much a tombstone weighs in the quota. For example, if the tombstone quota factor of an NC is set to 25, a tombstone in that partition counts as 0.25 of an ordinary AD object. The default factor for each partition is 100, meaning a tombstone weighs the same as an ordinary object.

A quota can be assigned to any security principal: a user, computer, group, or inetOrgPerson. A principal can be covered by several quotas at once; for example, a user can have a quota of its own while a group it belongs to has another. In that case the largest value is the effective quota. Members of the Domain Admins and Enterprise Admins groups are not subject to object quotas at all.

Quotas are stored in the NTDS Quotas container of each NC as objects of the msDS-QuotaControl class. To set the object quota of user Joe in the Accounting domain NC to 10, use the following Dsadd command:

    dsadd quota -part DC=Accounting,DC=COM -acct Accounting\Joe -qlimit 10 -desc "Quota for Joe"

To set the tombstone quota factor of the Accounting domain NC to 25, use the following Dsmod command:

    dsmod partition DC=Accounting,DC=COM -qtmbstnwt 25

To set the default object quota of the Accounting domain NC to 0, so that principals without an explicit quota cannot create any objects, use the following Dsmod command:

    dsmod partition DC=Accounting,DC=COM -qdefault 0

Only domain controllers running Windows Server 2003 enforce quotas, and they enforce them only for originating directory operations; changes arriving through replication are never checked against a quota. To enforce quotas effectively on a domain partition, every domain controller in that domain must therefore run Windows Server 2003; to enforce them on the configuration partition, every domain controller in the forest must. Only the operating system of the domain controllers matters here, not the domain or forest functional level.

The quota feature is independent of any functional level and works on any Windows Server 2003 domain controller. However, if a Windows 2000 domain controller remains in a domain where quotas are defined, a user can simply bind to that domain controller and create objects there without being limited by the quota.
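The same three changes made with the ActiveDirectory PowerShell module instead of dsadd/dsmod, followed by the check a practitioner wants afterwards. This is an added example, not code from the original article; the domain controller name, the partition DN and the account name are assumed, and the quota attributes (msDS-QuotaTrustee, msDS-QuotaAmount, msDS-DefaultQuota, msDS-TombstoneQuotaFactor) are the schema attributes behind the dsadd/dsmod switches:

```powershell
# Added example (not from the original article): quota setup via the ActiveDirectory module.
# Assumed: dc1.accounting.com is a Windows Server 2003 or later DC for DC=Accounting,DC=COM.
Import-Module ActiveDirectory

$Server         = 'dc1.accounting.com'             # assumed
$PartitionDN    = 'DC=Accounting,DC=COM'
$QuotaContainer = "CN=NTDS Quotas,$PartitionDN"    # msDS-QuotaContainer; one per NC

# 1. Equivalent of: dsadd quota -part ... -acct Accounting\Joe -qlimit 10
#    The quota object is an msDS-QuotaControl; the trustee is stored as a SID, not a name.
$joe = Get-ADUser -Identity 'Joe' -Server $Server   # assumed account
New-ADObject -Name 'Quota for Joe' -Type 'msDS-QuotaControl' -Path $QuotaContainer -Server $Server `
    -OtherAttributes @{ 'msDS-QuotaTrustee' = $joe.SID; 'msDS-QuotaAmount' = 10 }

# 2. Equivalent of: dsmod partition ... -qtmbstnwt 25   and   dsmod partition ... -qdefault 0
#    Both are attributes of the NTDS Quotas container itself.
Set-ADObject -Identity $QuotaContainer -Server $Server -Replace @{
    'msDS-TombstoneQuotaFactor' = 25    # a tombstone counts as 0.25 of a live object
    'msDS-DefaultQuota'         = 0     # no explicit quota means no object creation
}

# 3. Verify. These are constructed attributes, so they are returned only when requested by name.
#    msDS-TopQuotaUsage lists the heaviest object owners in the partition.
Get-ADObject -Identity $QuotaContainer -Server $Server `
    -Properties 'msDS-DefaultQuota', 'msDS-TombstoneQuotaFactor', 'msDS-TopQuotaUsage' |
    Format-List 'msDS-DefaultQuota', 'msDS-TombstoneQuotaFactor', 'msDS-TopQuotaUsage'

# msDS-QuotaEffective / msDS-QuotaUsed are computed for the *calling* principal. Run this as Joe
# (or pass -Credential) to confirm he is limited to 10 and see how much he has already consumed.
Get-ADObject -Identity $QuotaContainer -Server $Server `
    -Properties 'msDS-QuotaEffective', 'msDS-QuotaUsed' |
    Format-List 'msDS-QuotaEffective', 'msDS-QuotaUsed'
```

Two points worth remembering when you run this: the quota counts objects Joe owns, so objects he created and then had re-owned to another principal no longer count against him, and a bind to any remaining Windows 2000 domain controller bypasses the check entirely, as described above.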

Compared with the quota system of Windows Server 2003 AD, the quota function in Windows 2000 is very limited: an administrator can only limit the number of computer accounts that a user account may create, through the ms-DS-MachineAccountQuota attribute on the domain object, and the limit does not apply to members of the Domain Admins or Account Operators groups. Windows Server 2003 also supports ms-DS-MachineAccountQuota (the default value is 10). To prevent ordinary users from adding computer accounts altogether, set the attribute to 0.

Removing the Authenticated Users group from the "Add workstations to domain" user right achieves the same result. In both Windows Server 2003 and Windows 2000, Authenticated Users hold this right by default.
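The two settings just described, checked and hardened from PowerShell. This is an added example rather than code from the article; it assumes the ActiveDirectory module is available and that it is run on (or against) a domain controller of the domain in question, and the function names are my own:

```powershell
# Added example (not from the original article): read and harden ms-DS-MachineAccountQuota,
# then show who holds the user right that the quota actually applies to.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    param([string]$Domain = (Get-ADDomain).DNSRoot)        # assumed: current domain by default
    $dn = (Get-ADDomain -Identity $Domain).DistinguishedName
    (Get-ADObject -Identity $dn -Server $Domain -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [int]$Quota = 0)
    $dn = (Get-ADDomain -Identity $Domain).DistinguishedName
    Set-ADObject -Identity $dn -Server $Domain -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

# Weak (default) state: 10, i.e. every authenticated user may join ten machines with no delegation.
Get-MachineAccountQuota

# Hardened state: 0. Computer accounts are then created only by principals with explicit
# Create Child rights on the target OU (or by Domain Admins / Account Operators, who are exempt).
Set-MachineAccountQuota -Quota 0
Get-MachineAccountQuota     # expect 0

# The quota is consulted only for principals holding "Add workstations to domain"
# (SeMachineAccountPrivilege). Export the effective user-rights policy of this domain controller
# and see who holds it; *S-1-5-11 is Authenticated Users, the default grantee.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege'
```

If the last line still shows `*S-1-5-11`, the right is granted through the Default Domain Controllers Policy and must be changed there (Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment), not on the individual domain controller.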

Attack 5: DoS Attacks Based on the MaxTokenSize attribute

Microsoft extends the basic Kerberos protocol by carrying authorization data inside Kerberos tickets. Windows Kerberos service tickets and Ticket Granting Tickets (TGTs) both contain a field called the Privilege Attribute Certificate (PAC), which transports authorization data such as the user's group memberships and privileges along with the ticket.

The buffer that Windows allocates for the Kerberos token has a fixed maximum size, which indirectly limits the size of the PAC. If a user belongs to a large number of groups (on the order of 100 or more, depending on the kinds of groups), the user's token can exceed that limit, and Windows authentication and Group Policy processing fail. A user with permission to create and modify AD groups can therefore mount a DoS attack against an administrator account by adding it to enough groups that the administrator can no longer log on to the network.

Attack 5 Prevention Measures

To prevent such attacks, delegate AD group management permissions carefully and restrict who may manage the administrator accounts themselves. Within a forest, administrators can manage domain local and global groups, and adding a user account to a group requires no permission on the user object, only on the group, so the default AD permissions are hard to restrict. Accounts that belong to the Enterprise Admins or Domain Admins groups should therefore be placed in a dedicated organizational unit (OU) that delegated administrators are not permitted to read.

In addition, you can raise the maximum Kerberos token size by setting the MaxTokenSize value under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

See the Microsoft Knowledge Base article "New resolution for problems that occur when users belong to many groups" (http://support.microsoft.com/kb/327825).

The MaxTokenSize REG_DWORD value must be set on every Windows system that uses Kerberos in the domain (clients and member servers, not only the domain controllers). In Windows 2000 the default MaxTokenSize is 8000 bytes; from Windows 2000 SP2 onward, and in Windows Server 2003, the default is 12000 bytes.

To reduce the size of the PAC, Microsoft also introduced in Windows 2000 SP4 a more compact way of storing authorization data in the PAC:

For a domain local group, or any group from another domain, the group's full SID (for example S-1-5-21-1275210071-789336058-1957994488-3140) is stored in the PAC.

For a global group in the user's own domain, only the group's Relative Identifier (RID) is stored.

During Windows authentication the client and server expand these RIDs back into full SIDs by prefixing the user's domain SID. Note that even with this storage method you may still need to raise MaxTokenSize or reduce the number of groups the user belongs to.

To avoid wasting space in the PAC of the Kerberos ticket, clear the sIDHistory attribute of AD accounts after a migration from a Windows NT 4.0 domain to a Windows Server 2003 or Windows 2000 domain, once the resources that were ACLed with the old SIDs have been re-permissioned; see the Microsoft Knowledge Base article "How to use Visual Basic script to clear SidHistory" (http://support.microsoft.com/kb/295758).

Microsoft released the Tokensz tool for troubleshooting Kerberos token size issues; it can be downloaded from http://www.microsoft.com/downloads/details.aspx?Familyid=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en. The following Tokensz command reports the MaxTokenSize value of the current system and the size of the current user's token (the SPN of the target server, such as host/servername, follows /target_server:):

    tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:

For more information about how to use Tokensz, see the Microsoft white paper "Troubleshooting Kerberos Errors" (http://www.microsoft.com/downloads/details.aspx?Familyid=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en).
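Tokensz measures the token of the account you run it as. The added example below instead estimates a user's token size from directory data, using the formula that KB 327825 gives for the PAC layout described above (full SIDs for domain local, foreign and sIDHistory entries, RIDs for global and universal groups in the account domain), and compares it with the MaxTokenSize in force on the local machine. This is my own code, not from the article or from Microsoft; the user and server names are assumed, the function names are my own, and the 48000-byte default for Windows 8 / Windows Server 2012 and later is stated from later Microsoft documentation, not from the article:

```powershell
# Added example (not from the original article): estimate Kerberos token size with the
# KB 327825 formula and compare it to MaxTokenSize. Names passed to -Identity/-Server are assumed.
Import-Module ActiveDirectory

function Get-EstimatedTokenSize {
    # KB 327825: TokenSize = 1200 + 40*d + 8*s
    #   d = entries carried as full SIDs: domain local groups, builtin groups, groups from
    #       other domains, and every sIDHistory entry (about 40 bytes each)
    #   s = entries carried as RID only: global and universal groups in the account domain
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Server
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    # tokenGroups is computed by the DC and already includes nested memberships.
    $user = Get-ADUser -Identity $Identity -Properties tokenGroups, sIDHistory @ad
    $accountDomain = $user.SID.AccountDomainSid.Value

    $full = @($user.sIDHistory).Count
    $rid  = 0
    foreach ($entry in $user.tokenGroups) {
        $sid = [System.Security.Principal.SecurityIdentifier]$entry
        if (-not $sid.AccountDomainSid -or $sid.AccountDomainSid.Value -ne $accountDomain) {
            $full++                       # builtin (S-1-5-32-*) or foreign domain: full SID
            continue
        }
        $group = Get-ADGroup -Identity $sid.Value -Properties groupType @ad
        if ($group.groupType -band 0x4) { $full++ } else { $rid++ }   # 0x4 = domain local
    }
    [pscustomobject]@{
        User           = $user.SamAccountName
        FullSidEntries = $full
        RidOnlyEntries = $rid
        EstimatedBytes = 1200 + 40 * $full + 8 * $rid
    }
}

function Get-MaxTokenSize {
    # An absent value means the OS default applies: 12000 bytes from Windows 2000 SP2 through
    # Windows Server 2008 R2, 48000 bytes from Windows 8 / Windows Server 2012 onward.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $v = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if ($null -eq $v) { 12000 } else { $v }
}

function Set-MaxTokenSize {
    # 48000 is the later OS default and the usual target when raising it on older systems;
    # larger values are known to break Kerberos over HTTP, because the base64-encoded
    # token no longer fits in default HTTP header size limits. 65535 is the hard maximum.
    param([int]$Bytes = 48000)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    New-ItemProperty -Path $key -Name MaxTokenSize -PropertyType DWord -Value $Bytes -Force | Out-Null
}

$estimate = Get-EstimatedTokenSize -Identity 'Administrator' -Server 'dc1.accounting.com'   # assumed
$estimate
if ($estimate.EstimatedBytes -gt (Get-MaxTokenSize)) {
    Write-Warning 'Estimated token exceeds MaxTokenSize: raise it on every Kerberos client and server, or trim group memberships.'
}
```

Because the estimate reads tokenGroups from the directory, it can be run for the administrator accounts as a scheduled check, so that an attacker padding them with group memberships is noticed before the accounts stop logging on. Note that the formula dates from the 12000-byte era and counts domain local groups at full SID size, as the KB does; it is an upper-bound estimate, and tokensz remains the authoritative measurement.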

Summary

The attacks described in this article show why AD must be protected by several layers of measures at once. In addition to technical security measures, physical and organizational measures must be taken into account. Physical measures include controlling physical access to Windows domain controllers, network equipment, and corporate buildings; organizational measures include establishing security rules and operating procedures, conducting regular external security audits of the AD infrastructure, and continuously training administrators and users in security risks and good practice. Protecting AD is an important task for any company; it should be given high priority and carried out by a joint team covering the technical, physical, and organizational aspects.

It is hoped that this introduction to AD attacks and prevention measures will lead system administrators to pay more attention to AD security.


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
