Securing Active Directory with PowerShell & Other Tools
Hello fellow PowerShell Engineers, as I promised in my last video and newsletter, I have been working on some great content on securing Active Directory (AD) using PowerShell and other essential tools. This material stems from months of preparation, culminating in a presentation I delivered at the Michigan Association of Educational Data Systems (MAEDS) conference. While it doesn’t include many PowerShell demos, the tools and philosophies discussed here lay the groundwork for my upcoming book, PowerShell for Security Engineers—expected this winter!
The Assumed Breach Mindset
The cornerstone of modern security is shifting from "if" a breach will happen to "when." I always make sure to communicate this to those I work with and for, if for no other reason than to have flagged a potential cybersecurity outage before it happens. Assuming a breach has already occurred helps us proactively identify what damage an attacker could do if they compromised your most privileged accounts. What would happen if someone with domain admin credentials gained access to your systems?
This mindset compels us to examine:
Potential attack paths attackers could exploit.
System hygiene practices to limit the blast radius.
We’ll explore configurations, settings, and tools to bolster your defenses.
The ACT Security Cycle
A critical concept introduced during my presentation is the ACT Cycle—a streamlined approach to security management:
Assess: Identify vulnerabilities and misconfigurations.
Configure: Implement changes to reduce risk.
Test: Verify the effectiveness of configurations.
I wanted a model unlike the traditional "Plan-Do-Check-Act" cycles: ACT focuses directly on security tools and actionable steps specific to Active Directory and PowerShell.
Core Security Principles
Least Privilege: Grant users access only to what’s essential for their roles.
Benefits: Reduces unauthorized access and limits the impact of compromised accounts.
Minimize Privileged Accounts: Too many privileged accounts expand your attack surface.
Best Practices: Use Role-Based Access Control (RBAC) and provide temporary elevated access as needed.
Why Active Directory is a Security Risk
AD is an incredible tool for managing identity, but it’s not a security platform. Misconfigurations and hidden risks make it a prime target for attackers. AD:
Centralizes network control, making it a high-value target.
Hides potentially disastrous configurations (e.g., overprivileged group memberships).
Lacks built-in warnings for poor setups.
Recent breaches like the Colonial Pipeline attack underscore the importance of securing AD environments.
Step 1: Assess Your Environment
Here are tools that provide actionable insights into AD vulnerabilities:
Ping Castle: Generates health reports, identifying risks like outdated policies and privilege escalation paths. Run it quarterly for maximum effect.
ADeleg: Audits delegation rights, exposing overprivileged accounts and unnecessary permissions.
Script Sentry: Reviews PowerShell scripts for malicious or unauthorized content, such as hardcoded credentials.
Locksmith: Detects and fixes common misconfigurations in Active Directory Certificate Services.
Step 2: Configuration Recommendations
After assessment, the next step is addressing vulnerabilities. Here’s a roadmap:
Secure Domain Admins:
Ensure only essential accounts are part of this group.
Remove LDAP service accounts from Domain Admins—they rarely need write permissions.
Rotate KRBTGT Passwords:
Prevent Golden Ticket attacks by rotating the KRBTGT password hash at least twice annually. Microsoft’s script, New-KrbtgtKeys.ps1, makes this process straightforward.
Restrict PowerShell Execution:
Set execution policies to "Restricted."
Disable PowerShell remoting if not required.
Disable SMBv1:
Outdated and vulnerable, SMBv1 should be permanently disabled, especially in ransomware-prone environments.
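To tie the Assess step to this roadmap, here is an added read-only PowerShell check (my example for this post, not a script from Ping Castle or any of the tools above) that reports on the four Step 2 items. It assumes the RSAT ActiveDirectory module on a domain-joined management host; the KRBTGT age limit of 180 days and the Domain Admins headcount threshold of 5 are assumptions you should tune.

```powershell
# Added example: read-only assessment of the Step 2 recommendations. Nothing is changed.
#Requires -Modules ActiveDirectory
param(
    # Assumption: twice-yearly KRBTGT rotation means the password should never be older than ~180 days
    [int]$KrbtgtMaxAgeDays = 180,
    # Assumption: more than this many Domain Admins deserves a review
    [int]$DomainAdminLimit = 5
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. Domain Admins membership, resolved recursively so nested groups cannot hide accounts.
$domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
$status = if ($domainAdmins.Count -gt $DomainAdminLimit) { 'REVIEW' } else { 'OK' }
Add-Finding 'Domain Admins members' $status ($domainAdmins.SamAccountName -join ', ')

# Accounts with an SPN are service accounts (LDAP binds, app pools); they rarely belong in Domain Admins.
$svcInDA = @(foreach ($m in $domainAdmins | Where-Object objectClass -eq 'user') {
    Get-ADUser -Identity $m.DistinguishedName -Properties ServicePrincipalName |
        Where-Object { $_.ServicePrincipalName.Count -gt 0 }
})
if ($svcInDA.Count -gt 0) { Add-Finding 'Service accounts in Domain Admins' 'FAIL' ($svcInDA.SamAccountName -join ', ') }
else                      { Add-Finding 'Service accounts in Domain Admins' 'OK' 'none' }

# 2. KRBTGT password age: the older it is, the longer a forged Golden Ticket would stay valid.
$krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$ageDays = [int](New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).TotalDays
$status  = if ($ageDays -gt $KrbtgtMaxAgeDays) { 'FAIL' } else { 'OK' }
Add-Finding 'KRBTGT password age' $status "$ageDays days (limit $KrbtgtMaxAgeDays)"

# 3. Execution policy on this host. Note: Microsoft documents it as a safety rail, not a security boundary.
$policy = Get-ExecutionPolicy -Scope LocalMachine
$status = if ($policy -eq 'Restricted') { 'OK' } else { 'REVIEW' }
Add-Finding 'Execution policy (LocalMachine)' $status "$policy"

# 4. SMBv1 server protocol on this host.
$smb1   = (Get-SmbServerConfiguration).EnableSMB1Protocol
$status = if ($smb1) { 'FAIL' } else { 'OK' }
Add-Finding 'SMBv1 server' $status "EnableSMB1Protocol=$smb1"

$findings | Format-Table -AutoSize
```

Run it on each domain controller and management host; the execution policy and SMBv1 checks are per-machine, while the Domain Admins and KRBTGT checks are domain-wide.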
Step 3: Test Your Defenses
The final step is penetration testing. Tools like Kali Linux, Mimikatz, and Hashcat can simulate real-world attack scenarios to verify your defenses. Always obtain formal approval and test in a controlled environment.
Bringing It All Together
As I mentioned earlier, security is a journey, not a destination. The ACT Cycle ensures continual improvement:
Assess your AD environment regularly with free tools.
Configure systems to reduce risks.
Test defenses to ensure effectiveness.
By following these steps, you’ll significantly bolster your Active Directory security and limit potential attack vectors.
Stay tuned for in-depth guides on these tools in upcoming newsletters. Let’s keep securing systems one script at a time.