Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

October 2022

4 Active Directory Attacks and How to Protect Against Them

I was speaking with an Active Directory security engineer at a global pharmaceutical company recently, and I asked him the most classic question in the product management handbook: “What keeps you up at night?” So cliché (I know), but sometimes instead of an eye roll, you get a real gem, which is exactly what happened.

How To Secure Default IIS Site & Enable Windows Authentication

By default, when you create a new Internet Information Services (IIS) website, it’s open to everyone with anonymous access enabled — anyone can access and view the data being hosted by that site. Obviously, this is a security concern for most organizations. Indeed, I’m often asked by clients and colleagues how to lock down an IIS site so only the desired people can access it.

Group Scope in Active Directory

IT pros are well aware that Active Directory has two types of groups: security groups, which are used to assign permissions to shared resources, and distribution groups, which are used to create email distribution lists. But not everyone understands that each of these Active Directory groups has a scope — and understanding how scope works is vital to security and business continuity. This blog post dives into what group scope is and exactly why it’s important.

Securing Your Group Managed Service Accounts

Abusing a gMSA is relatively simple conceptually. First, get its password using a tool like Mimikatz or by querying it directly due to insecure configurations in Active Directory. Since gMSAs are service accounts, they’re usually relatively privileged, so you’ll usually be able to move laterally or escalate. Let’s walk through an example scenario.

How to Configure Internet Explorer Settings and Open IE11 inside Edge through Group Policy

In this video, we explore a useful feature of Netwrix PolicyPak — the ability to configure Internet Explorer settings to dynamically set Internet Explorer Enterprise and Document modes. We also explain how to open an Internet Explorer tab inside Microsoft Edge.

Configure Group Policy Settings to Deploy Real GP using SCCM or Other Management Systems

Do you have endpoints that you'd love to manage using real Group Policy, but want to deploy the settings using something else? This video explains how to deliver Group Policy settings with Netwrix PolicyPak, including how to deploy templates, preferences and security settings to your endpoints using SCCM, KACE, Altiris or another desktop management system.

WDigest Clear-Text Passwords: Stealing More than a Hash

Digest Authentication is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It utilizes Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges to authenticate. At a high level, a client requests access to something, the authenticating server challenges the client, and the client responds to the challenge by encrypting its response with a key derived from the password.

What DNS over HTTPS (DoH) Is & How to Enable in Windows 10

When your web browser accesses a website, it needs to first translate the friendly URL (such as Netwrix.com) to the public server IP address of the server that hosts that website. This is known as a DNS lookup. Traditional DNS is unencrypted, unlike modern HTTPS web traffic that’s almost entirely secured via HTTPS these days.

How to Use Group Policy and Netwrix PolicyPak to Remove Local Admin Rights

This video explains step-by-step how you can use Group Policy and Netwrix PolicyPak to get out of the local admin rights business. Start out by finding where you have local admin rights, and then remove the source using in-box GP preferences. Then use Netwrix PolicyPak to elevate your now-standard users so they can keep doing the (admin-like) things they always have.

Compromising Plaintext Passwords in Active Directory

A lot of attention gets paid to preventing pass-the-hash and pass-the-ticket attacks, but these tactics limit adversaries to what they can perform from the command line. Compromising a plaintext password gives an attacker unlimited access to an account — which can include access to web applications, VPN, email and more. One way to extract plaintext passwords is through Kerberoasting, but this brute-force technique takes a lot of time and patience.

Privilege Escalation with DCShadow

DCShadow is a feature in the open-source tool mimikatz. In another blog post, we cover without detection once they’ve obtained admin credentials. But DCShadow can also enable an attacker to elevate their privileges. How can a Domain Admin elevate their access even higher? By obtaining admin rights in other forests. Leveraging SID History, an attacker can add administrative SIDs to their user account and obtain admin level rights in other trusted domains and forests.

Overpass-the-Hash Attack: Principles and Detection

The overpass-the-hash attack is a combination of two other attacks: pass-the-hash and pass-the-ticket. All three techniques fall under the Mitre category “Exploitation of remote services.” In an overpass-the-hash attack, an adversary leverages the NTLM hash of a user account to obtain a Kerberos ticket that can be used to access network resources.