Credential theft and Pass-the-Hash (PtH) attacks are current threats to Active Directory environments. This is not simply due to Microsoft's implementation of weak protocols (i.e. LM, NTLMv1, WDigest) but mainly due to Single Sign-On (SSO) functionality requirements in environments that use multiple authentication protocols. Microsoft's official position is now "assume breach". But assuming breach, how should you efficiently protect your Active Directory from credential theft and large-scale compromise? To answer this, operationally feasible solutions will be presented and concisely characterized against the background of so-called green-table controls, which often cannot be implemented because of the gap to real-world operation (for example, "Rebuild your Active Directory"). It will be shown that there is a way and what it looks like, but that this way is a (probably) long-term process that requires organizational and operational changes together with some important technical controls. Going that way may lead to a sustainable and secure operation of Active Directory environments, defeating credential theft and PtH attacks at the root.
Friedwart Kuhn is a renowned expert in Active Directory security and has performed a huge number of projects, both in the concept and design space and in the pentesting and incident analysis field.