Active Directory

Active Directory is Microsoft's directory service for centrally managing the users, computers and policies of an organisation with multiple computers.

Samba Active Directory

Samba Active Directory is the free and open source implementation of Microsoft Active Directory. It is suitable for both small and large environments, but requires significantly more configuration and tweaking than Microsoft Active Directory. On the other hand, you don’t have to pay exorbitant sums of money for the Windows Server licenses. You can either set up a new domain or add Samba domain controllers to an existing domain.

Before setting up a Samba domain, think carefully about which identity mapping and DNS back ends to use. The ad identity mapping back end is a pain to manage when creating new users and groups, but it might be necessary in your environment.

Securing an Active Directory domain

  • Keep your domain controllers up to date
  • Use strong passphrases
  • Don’t run any other services on the domain controllers. Instead, create additional virtual machines if your licensing permits it.
  • Don’t use domain admin credentials on other machines. Instead, create additional admin accounts with only the necessary privileges.
  • Harden the server and client settings with group policies.
  • See the official best practices by Microsoft.

Group policies

Before you start configuring individual policies, set up the latest policy templates on your domain controller SYSVOL according to the Microsoft instructions for Managing policy templates.

Policies for additional software can be downloaded here:

Windows hardening

  • Account lockout
  • BitLocker
  • Disable AutoPlay
  • Disable Microsoft spyware
    • Advertising ID
    • Consumer experiences
    • Set diagnostic data to required only
    • Block consumer Microsoft account authentication
    • Disable improvement of inking and typing recognition
  • Network connectivity
    • Disable old protocols (SMBv1, SMBv2 etc.)
    • Force encryption and signing
  • Windows Defender
  • Windows hardware security

Password hardening

Windows password security is fundamentally broken to maintain backwards compatibility. The legacy LM hash used to store the password is based on 64-bit DES, and the “newer” NTLM hash is based on unsalted MD4. The NT and NTLM hashes are this weak because before January 2000, US law was interpreted to prevent the export of stronger cryptography. (Big thanks to the PGP developers for appealing this!)

LM hashes are disabled by default on Windows Vista and newer, and you can disable them on Windows XP with a group policy. Setting this group policy on newer devices as well is a good idea, since it reduces the risk of an attacker re-enabling LM hashes.

NTLM authentication should be restricted to the latest NTLMv2 version with a group policy.

Windows 10 encrypts the MD4-based NTLM hash with AES, but since AES is symmetric encryption, the original hash can be extracted with tools such as Mimikatz. To mitigate this, enable Credential Guard with a group policy. However, Credential Guard does not protect the password from being stolen by a keylogger or a malicious Security Support Provider (SSP) when you log in.

All Windows passwords should contain lowercase and uppercase characters and numbers and be at least 10 characters long, preferably significantly longer. Otherwise the NTLM hash can be trivially cracked with a readily available rainbow table using free software such as Ophcrack. Enforce this with a group policy.
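As an added example (not from the original page), a PowerShell audit that reports whether the settings recommended in this section are actually in effect. It runs in an elevated shell on a domain-joined machine and reads the registry values the corresponding group policies write; the domain password policy check assumes the ActiveDirectory RSAT module and is skipped without it.

```powershell
# Added audit example: checks the password-hardening settings discussed above.
# Run elevated on a domain-joined machine.
$results = @()
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy "Network security: Do not store LAN Manager hash value on next password change"
$noLmHash = [int]$lsa.NoLMHash          # a missing value reads as 0
$results += [pscustomobject]@{
    Check  = 'LM hash storage disabled (NoLMHash=1)'
    Passed = ($noLmHash -eq 1)
    Value  = $noLmHash
}

# Policy "Network security: LAN Manager authentication level"
# 5 = send NTLMv2 response only, refuse LM and NTLM
$lmLevel = $lsa.LmCompatibilityLevel
if ($null -eq $lmLevel) { $lmOk = $false; $lmLevel = 'not set (policy not applied)' }
else { $lmOk = ([int]$lmLevel -ge 5) }
$results += [pscustomobject]@{
    Check  = 'NTLMv2 only (LmCompatibilityLevel=5)'
    Passed = $lmOk
    Value  = $lmLevel
}

# Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when it is running
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
    -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = 'Credential Guard running'
    Passed = ($null -ne $dg -and $dg.SecurityServicesRunning -contains 1)
    Value  = if ($null -eq $dg) { 'DeviceGuard class not available' } else { $dg.SecurityServicesRunning -join ',' }
}

# Domain password policy (needs the ActiveDirectory RSAT module); 10 characters is
# the minimum recommended above, longer is better
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $pol = Get-ADDefaultDomainPasswordPolicy
    $results += [pscustomobject]@{
        Check  = 'Min length >= 10 and complexity enabled'
        Passed = ($pol.MinPasswordLength -ge 10 -and $pol.ComplexityEnabled)
        Value  = "MinPasswordLength=$($pol.MinPasswordLength) Complexity=$($pol.ComplexityEnabled)"
    }
}

$results | Format-Table -AutoSize
```

Any row with Passed = False points at the group policy that still needs to be applied or refreshed on that machine.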

Backing up an Active Directory domain

The domain controller should preferably be virtualized so that it can be easily backed up as a whole. In addition to this, I recommend setting up Windows Server Backup. Note, however, that to configure a scheduled Windows Server Backup to a remote machine, that machine must be joined to the same domain as the server, and the same user must have both admin access to the domain controller and write access to the backup server. This is an unfortunate limitation of the Windows Server Backup software, and it makes the backup server vulnerable to ransomware: an attacker who has access to the domain controller can use either the domain join or the backup credentials to destroy the backup. Therefore this backup server should itself be backed up to a second backup server in a pull-type configuration, where the second server has only read access to the first.

Active Directory Certificate Services

Active Directory Certificate Services (AD CS) is the platform for setting up a public key infrastructure for a Windows domain.

Windows Server IKEv2 VPN

This setup is rather complex, and it’s easy to make mistakes that affect its security negatively. For smaller environments, consider using OpenVPN instead. The primary benefits of Windows Server-based IKEv2 are that the clients are configured automatically, and that the user certificates can’t be extracted from the clients if they are stored on a TPM.

  • First set up Active Directory Certificate Services with the instructions above
  • To prevent extraction of keys from the clients, they should have TPM 2.0 with support for key attestation
  • Microsoft instructions
  • It’s highly recommended to run the DC, CA, NPS and RAS/VPN on different servers, and this is what the Microsoft instructions implicitly assume.
  • Settings for the VPN User Authentication template
    • Cryptography
      • Provider Category: Key Storage Provider
      • Algorithm name: RSA
      • Minimum key size: 2048 (You can’t set a longer one, or the Microsoft Platform Crypto Provider will disappear from the provider list.)
      • “Requests must use one of the following providers”
      • Providers: Microsoft Platform Crypto Provider (this is the TPM-backed provider)
      • Request hash: SHA256
    • Security
      • Authenticated users (or at least the CA server) should have read permissions. Otherwise you will get the error 0x80094800
    • Key Attestation
      • Key Attestation: Required
      • Perform attestation based on: user credentials
  • If you have your CA on the same server as the RAS/VPN and you get any certificate errors when attempting to connect to the VPN, you may have to go to Certificates (Local Computer) -> Personal -> Certificates -> your root certificate -> Properties -> General and set Certificate purposes: Enable only the following purposes and remove IP security IKE intermediate, and possibly Server Authentication and User Authentication as well.
  • In the Network Policy Server settings use the certificates of the NPS, not the RAS/VPN server.
  • Create a VPN configuration on the client
    • Set Networking -> IPv4 -> Properties -> Advanced -> Disable Use default gateway on remote network
  • The default settings use broken cryptography. As of 2018, the encryption was based on 3DES, SHA-1 and the 1024-bit Diffie-Hellman group 2. None of these are secure.
    • Run my script both on the client and the server to harden the VPN connection.
    • “Classified documents published by Der Spiegel indicate that NSA is passively decrypting IPsec connections at a significant scale. – The documents published by Der Spiegel describe a system named TURMOIL that is used to collect and decrypt VPN traffic. The evidence indicates that this decryption is performed using passive eavesdropping and does not require message injection or man-in-the-middle attacks on IPsec or IKE. – decrypted VPN traffic is reinjected into TURMOIL processing infrastructure and passed to other systems for storage and analysis. – The details of their attack systems are consistent with an efficient break for 1024-bit Diffie-Hellman.” (weakdh.org, research article) Data from the TURMOIL system is automatically sent to XKeyscore for further analysis.
  • Test that the connection works.
  • Run another script to create a configuration profile from the VPN connection on the client.
  • Deploy the profile using a configuration management tool such as Puppet or Intune, or deploy it as a scheduled task with a group policy. If configuring with a scheduled task, note the following:
    • General: select “Run with highest privileges” so that the script runs in the security context of the user but has the permissions to configure the VPN. However, this requires that the users have local admin privileges, which is a security risk. Therefore, using a configuration management tool or deploying the VPN configuration manually is highly recommended.
    • Trigger the task to run at the log on of “%LogonDomain%\%LogonUser%”.
    • Don’t use the “Display a message” feature for debugging. It’s deprecated and will prevent the task from executing.
    • Check the other tabs and ensure that the settings are correct.
  • If you get a policy mismatch error, follow these instructions.
  • Errors and debugging
    • Error 20271 in the event viewer, and “The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.” in the client
      • A wrong certificate is selected for the NPS server.
      • Go to NPS -> Policies -> Network Policies -> Virtual Private Network (VPN) Connections -> Properties -> Constraints -> Authentication Methods -> EAP Types -> Microsoft: Protected EAP (PEAP) -> Edit… and select the certificate of the NPS server, not the VPN server. In this window, go to EAP Types -> Smart Card or other certificate -> Edit, and select the same certificate. After this, you may have to restart the NPS service.
    • Error 8007042a when starting Routing and Remote Access: go to NPS -> Accounting -> Log File Properties -> Change Log File Properties and disable “If logging fails, discard connection requests.”
    • “IKE authentication credentials are unacceptable” in the client
      • The VPN server certificate has expired
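The cryptography-hardening step in the list above, written out as an added PowerShell example (this is not the page author's own script): it replaces the weak IKEv2 defaults (3DES, SHA-1, 1024-bit DH group 2) with AES-256, SHA-256 and ECP384 for IKE, and AES-256-GCM with ECP384 perfect forward secrecy for ESP. The server part assumes an elevated shell on the RAS/VPN server with the RemoteAccess module; the client part assumes a user-owned VPN connection named 'Corporate VPN', a placeholder for your connection name.

```powershell
# Added example: harden the IKEv2 policy on both ends. The two sides must agree,
# so the same values are set on the RAS/VPN server and on every client.

# --- On the RAS/VPN server (elevated, RemoteAccess module) ---
# With a GCM cipher transform the authentication transform must be the matching GCM value.
Set-VpnServerConfiguration -TunnelType Ikev2 -CustomPolicy `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup ECP384 `
    -CipherTransformConstants GCMAES256 `
    -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup ECP384 `
    -PassThru
# RRAS reads the policy when it starts
Restart-Service -Name RemoteAccess -Force

# --- On each client (run as the user who owns the connection) ---
Set-VpnConnectionIPsecConfiguration -ConnectionName 'Corporate VPN' `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup ECP384 `
    -CipherTransformConstants GCMAES256 `
    -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup ECP384 `
    -Force

# --- Verify: neither side should still show DES3, SHA1 or Group2 ---
(Get-VpnConnection -Name 'Corporate VPN').IPsecCustomPolicy
Get-VpnServerConfiguration | Select-Object EncryptionMethod, IntegrityCheckMethod, DHGroup, `
    CipherTransformConstants, AuthenticationTransformConstants, PfsGroup
```

If a client was created for all users rather than the current user, add -AllUserConnection to the client cmdlet; a mismatch between the two ends shows up as the policy mismatch error mentioned above.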