There are a few essential questions that anyone maintaining security on a Windows network needs to ask right now to avoid engaging in some very risky behavior, but there’s one that may be the most important of all — are you aware of tools in your network that may be bringing more risk?
Many of us have moved at least partially into the cloud and, as a result, have a mix of on-premises and cloud assets. The blend of access procedures this brings can often create entry points into a network.
That’s why we should be asking even more questions that spring from the first:
- Are you educating administrators to review their processes and ensure they are not an entry point for an attacker?
- Are you re-evaluating the tools used by your networking staff?
- Are you reviewing the settings you made years ago for Microsoft 365 and comparing them to industry benchmarks?
Start by assessing your risk with Entra ID Connect
A good place to start evaluating your risk is with Azure Active Directory Connect (now replaced by Entra Connect). Attackers frequently target this connection point because the connector account often holds elevated rights in the domain.
In particular, review the SQL server installation and ensure that it was set up with the minimal rights needed for installation. Too often defaults are taken during the installation process, and no audit is done to review the permissions after the fact.
Trimarc Security points out the following areas that need to be reviewed if Azure AD Connect was installed prior to version 1.1.654.0 — you need to ensure that the Connector account has the following permissions adjusted:
- Disable inheritance on the service account object.
- Remove all access control entries (ACEs) on the service account object, except those specifically for SELF.
- Apply the permissions referenced in Microsoft’s article under the Lock-down access to the AD DS account section.
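The following PowerShell is an added example, not code from the article, from Trimarc or from Microsoft. It reports on the connector account object so the three items above can be checked before and after you apply the lock-down: whether inheritance is disabled, how many inherited ACEs remain, and which explicit ACEs other than SELF exist (those are what you compare against Microsoft's article). It assumes the ActiveDirectory RSAT module is installed and that the connector account uses the installer's default MSOL_ naming; adjust the filter if yours differs.

```powershell
# Added example: audit the ACL on the Azure AD / Entra Connect connector account.
# Assumptions: ActiveDirectory module available, account named MSOL_<hex> (installer default).
Import-Module ActiveDirectory

function Get-AADConnectAccountAclReport {
    param(
        [string]$SamAccountNameFilter = 'MSOL_*'   # assumption: default connector naming
    )
    $accounts = Get-ADUser -Filter "SamAccountName -like '$SamAccountNameFilter'" -Properties Description
    foreach ($acct in $accounts) {
        $acl = Get-Acl -Path ("AD:\" + $acct.DistinguishedName)

        # AreAccessRulesProtected is $true only when inheritance has been disabled on the object
        $inheritanceDisabled = $acl.AreAccessRulesProtected

        $inherited = @($acl.Access | Where-Object { $_.IsInherited })
        # Explicit ACEs for trustees other than SELF: these must match the list in
        # Microsoft's "Lock-down access to the AD DS account" guidance, nothing more
        $explicitNonSelf = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -ne 'NT AUTHORITY\SELF'
        })

        [pscustomobject]@{
            Account             = $acct.SamAccountName
            Description         = $acct.Description
            InheritanceDisabled = $inheritanceDisabled
            InheritedAceCount   = $inherited.Count
            ExplicitNonSelfAces = ($explicitNonSelf | ForEach-Object {
                "$($_.IdentityReference) [$($_.AccessControlType)] $($_.ActiveDirectoryRights)"
            }) -join '; '
            # Inheritance still on, or inherited ACEs still present, means the lock-down was not applied
            ReviewNeeded        = (-not $inheritanceDisabled) -or ($inherited.Count -gt 0)
        }
    }
}

Get-AADConnectAccountAclReport | Format-List
```

The script only reads; it does not change the ACL. Run it once before the lock-down to capture a baseline, and again afterwards to confirm that inheritance is off and that the explicit entries are exactly the ones Microsoft's article lists.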
If you’ve migrated completely to the cloud, you’ll want to ensure that you’ve removed Azure AD Connect completely from your organization, including any SQL server instance that was installed as part of the process. Ensure that you review your network for installed traces of this software that could bring risk into your network.
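Below is an added example (not from the article) of how to sweep a list of servers for leftover Azure AD / Entra Connect components: the ADSync service, an uninstall entry for the product, and any SQL Server instance registered on the box. It assumes WinRM is enabled on the targets and that the running account is a local administrator there; the server names are constructed for illustration. Only full SQL Server instances are enumerated from the registry key shown; a LocalDB instance used by the installer would surface through the uninstall entry and the service instead.

```powershell
# Added example: find traces of Azure AD / Entra Connect on servers after a cloud-only migration.
# Assumptions: WinRM reachable, local admin on targets, names below are constructed samples.
$servers = @('SYNC01', 'SYNC02')

function Find-AADConnectTraces {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # 1. The synchronization engine service installed by the product
        $svc = Get-Service -Name 'ADSync' -ErrorAction SilentlyContinue

        # 2. Uninstall entries (64-bit and 32-bit hives) whose display name names the product
        $uninstallPaths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
        $apps = @(Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match 'Azure AD Connect|Entra Connect|Azure Active Directory Connect' } |
            Select-Object -ExpandProperty DisplayName)

        # 3. SQL Server instances registered on this host (the ADSync database lives in one)
        $sqlKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
        $sql = @()
        if (Test-Path $sqlKey) {
            $sql = @((Get-ItemProperty -Path $sqlKey).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                Select-Object -ExpandProperty Name)
        }

        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            ADSyncService = if ($svc) { $svc.Status.ToString() } else { 'absent' }
            InstalledApps = $apps -join '; '
            SqlInstances  = $sql -join '; '
            # Any hit means the server still carries part of the old sync footprint
            NeedsCleanup  = ($null -ne $svc) -or ($apps.Count -gt 0) -or ($sql.Count -gt 0)
        }
    }
}

Find-AADConnectTraces -ComputerName $servers | Format-Table -AutoSize
```

Treat a populated SqlInstances column as a prompt to confirm what the instance is used for before removal; a server may legitimately host another database alongside the retired sync engine.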
Some tools can allow attackers to move from on-prem to cloud assets
Next, consider tools that you are using to assist you in your work with Entra ID (formerly Azure Active Directory) which may also introduce risk.
AADInternals, as Mandiant points out, is a PowerShell module that, when abused, can allow attackers to pivot from on-premises to cloud assets. You’ll want to ensure that servers or workstations using the module are set up appropriately, and always use Privileged Access Workstations when managing cloud assets.
An AADInternals component called AADIntPTASpy can be utilized by attackers to be granted access as any user who attempts to authenticate using Pass-Through Authentication.
As Mandiant points out, “an attacker has gained access to an on-premises domain and is able to laterally move to the AADConnect / PTA Agent Server. From this server, an attacker can potentially leverage the AADInternals PowerShell module and invoke the Install-AADIntPTASpy function.” This attack pivots from on-premises to cloud assets.
Mandiant also points out that the risk for direct cloud compromise is triggered “if an attacker has successfully compromised an Azure AD global admin account, an attack can be conducted from an attacker’s own infrastructure. An attacker can install a Pass-Through Authentication Agent on a server they manage and register the agent using the compromised global administrator account.”
It may take special attention to identify anomalous activity
These are not easy attacks to mitigate or detect. Often it takes careful review of authentication logs to spot anomalous activity. Threat actors such as Midnight Blizzard (Microsoft’s designation for a group also known in the security industry as Nobelium or APT29) and Octo Tempest have abused AADInternals to persist within cloud environments and access both cloud and on-premises resources.
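One host-level check that complements log review is an integrity check of the Pass-Through Authentication agent process itself on the servers that run it. The PowerShell below is an added example (not from the article, Mandiant or Microsoft): it enumerates every DLL loaded into the agent process and flags any that is unsigned, has an invalid signature, or is not signed by Microsoft. It is a general check on the agent process, not a detector for a specific tool's artifacts. The process name is an assumption about the agent service executable; confirm it against Get-Service and Get-Process on your own server, and run the script elevated so module paths are readable.

```powershell
# Added example: flag non-Microsoft or unsigned modules loaded in the PTA agent process.
# Assumption: the agent service executable is named as in the default below; verify locally.
function Get-PtaAgentModuleReport {
    param(
        [string]$ProcessName = 'AzureADConnectAuthenticationAgentService'  # assumption
    )
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "Process '$ProcessName' is not running on $env:COMPUTERNAME"
        return
    }
    foreach ($p in $procs) {
        foreach ($m in $p.Modules) {
            # Get-AuthenticodeSignature also consults catalog signatures on current Windows builds
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $isMicrosoft = $signer -match 'O=Microsoft Corporation'
            [pscustomobject]@{
                ProcessId  = $p.Id
                Module     = $m.ModuleName
                Path       = $m.FileName
                SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
                Signer     = $signer
                # Anything not validly Microsoft-signed deserves a look inside an authentication agent
                Suspicious = (-not $sig) -or ($sig.Status -ne 'Valid') -or (-not $isMicrosoft)
            }
        }
    }
}

# Show only the modules that need review; drop the filter to see the full inventory
Get-PtaAgentModuleReport | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Record the full module inventory from a freshly built agent server as a baseline; a later run that shows a new module outside the Microsoft-signed set is the kind of change worth correlating with the authentication logs the text describes.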
AADInternals is a valuable tool for various tasks. For example, you can use the module to:
- Enumerate Entra ID users.
- Register devices to Entra ID using the device join module.
- Create new Entra ID users.
- Disable multifactor authentication (MFA) for a specific user.
- Use the VM agent to run commands on Azure VMs.
- Collect information on cloud services including SharePoint and Office 365.
- Access cloud storage using OneDrive.
- Modify the registry.
- Dump local security authority (LSA) secrets.
- Forge Kerberos tickets.
- Use OneDrive for Business APIs including features like downloading files.
It is actually easier to generate automatic Entra ID join tokens with this toolkit than with anything Microsoft provides for the process. So, blocking the module is normally not something you want to do, as it provides too many useful tools for an administrator.
Limit access and federation between on-prem and cloud
One should limit access and federation between on-premises and cloud assets where one can. Yes, we’ve built up reliance on this ability to share data and authentication between cloud assets and on-premises, but too often it’s also introducing weaknesses.
A recent ProPublica article claims that a whistleblower pointed out these risks to Microsoft years before attacks based on them occurred. While the SolarWinds supply chain attacks were the entry points, it was misuse of Active Directory Federation Services that allowed attackers to gain more access. Thus, understand the risk involved and add more monitoring resources to review authentication processes.
Finally, if you’ve been a customer of Microsoft 365 for a while, and you haven’t reviewed your security defaults and settings, it’s now time to review those settings. From Microsoft to the Center for Internet Security, various entities have updated and revised benchmarks over the years. Some benchmarks have more manual steps and some are more automated.
In addition, you may want to review the additional benchmarks released to review Intune settings. One called OpenIntuneBaseline is a GitHub repository that combines the learnings from several other benchmarks:
- NCSC Device Security Guidance.
- CIS Windows Benchmarks.
- ACSC Essential Eight.
- Intune Security Baselines for Windows, Edge, and Defender for Endpoint.
- Microsoft Best Practices.
As noted on the site, “additional configurations were then layered using information from various MVP blogs and community resources, as well as significant personal experience across multiple customer environments.”
The baseline includes settings for the following key areas:
- Core device security hardening.
- Device Encryption via BitLocker.
- Google Chrome (Note: Policies are quite “Anti-Chrome” to encourage the use of Edge).
- Microsoft Edge (Split into multiple policies for easier management).
- Microsoft Office (Including OneDrive Known Folder Move).
- Microsoft Defender for Endpoint (AV, Firewall, ASR Rules).
- Windows LAPS.
- Windows Update for Business (Delivery Optimisation, Telemetry & WUfB Reports).
- Windows Update Rings (3-ring model of Pilot, UAT & Production).
- Windows Hello for Business.
Use these settings to ensure that your network is hardened to withstand known attack sequences. Following these benchmarks will help you limit impact. Reevaluate the connections you have between on-premises and cloud resources to determine whether they pose an acceptable risk to your organization.
By Susan Bradley.