The "Monash Enterprise Access Model" (MEAM) is a model for tiering Active Directory that builds heavily on the Microsoft Enterprise Access Model.
The MEAM is developed by the Enterprise Engineering team at Monash University, Australia.
The MEAM builds on three core components:
- The administrative tier: a "macro" partition of AD based on the level of privilege & control.
- The zone: a horizontal split of a tier, where services are placed into silos preventing lateral movement.
- The service: a delegation target within a zone, containing computers and groups.
TL;DR: The MEAM brings microsegmentation to AD, using entirely built-in functionality.
The following is a list of some great built-in and third-party Active Directory security controls worth exploring:
Protected Users is a global security group for Active Directory (AD) designed to protect against credential theft attacks. The group triggers non-configurable protection on devices and host computers to prevent credentials from being cached when group members sign-in.
Anyone in this group:
- Cannot authenticate with old protocols like NTLM
- Cannot use outdated Kerberos encryption like DES or RC4
- Cannot have their account delegated
- Has their Kerberos TGTs limited to 4 hour sessions before they need to reauthenticate. Wherever they login:
- Their credentials are never cached
This is a protection that - for example - is a great security measure for your domain admins and privileged users.
Note: Do your reading on this first! This feature (deliberately) breaks NTLMv2 and Kerberos Delegation for users, so be careful to ensure this will not impact users within Protected Users.
Passwords are so last year!
Windows has had passwordless login forever; in the form of smart cards. And - fun fact - an ~$80 Yubikey can act as a PIV smartcard.
You can an ADCS certificate enrollment template let your admins self-enrol.
- Natively in AD, you can even enforce smart-card login for a user across the domain.
No more stealing the “domain admin password”!
This is also a great time to audit Active Directory Certificate Services! Check out Locksmith by @TrimarcJake.
References:
Authentication Silos and Authentication Policies are a new-ish AD feature, which became available in Server 2012 R2.
At the most basic level, they are an account/device firewall build into AD that locks specific accounts to specific machines, or vice-versa.
References:
- Authentication Silos build on Kerberos FAST and Kerberos claims, compound authentication and armoring.
- The documentation for 'Authentication Policies and Authentication Policy Silos' can be found here.
- For a getting-started guide on configuring Authentication Silos, check out this step by step guide.
- Another great reference is Protecting Tier 0 the Modern Way from the Microsoft
Core Infrastructure and Security Blog
Many organisations have "user"-type service accounts sitting around with passwords that never change; if the password leaks, it’s game over.
Many of these accoutns are ripe for Kerberoasting and PtH attacks.
AD has a special type of account called a gMSA (Group Managed Service Account)
- One or more computers can be delegated to read the encrypted password from AD
- AD rotates the password monthly to 256 random characters
These accounts are set & forget, and can be used in AD environments where an account is required for “service” or “background” jobs.
They even be used to login to things like databases!
Stop your users setting bad passwords!
Proactively protect users by ensuringe users pick strong passwords.
Lithnet Password Protection for Active Directory (LPP) is a free (MIT) tool that can enforce password quality - both at the time of set & change - in a number of ways:
- Every password change is compared against the a local copy of the HIBP list (nearly a billion known bad passwords!)
- Words can be banned:
- “P4$$w0rd” gets turned back into “password”
- You can ban passwords based off a single dictionary word, as well as things like a company name
- e.g., “M0na$h2023” doesn’t cut the mustard
- Complexity Rules:
- The longer your password, the less complex it needs to be
- Encourages users to pick strong passphrases
Windows LAPS is a feature that automatically manages and backs up the password of a local Administrator account on AD or Entra-joined devices.
Local admin passwords are automatically backed-up to the relevant authority (AD/Entra), and are accessible by delegated administrators.
Using LAPS to regularly rotate and manage local administrator account passwords helps protect against pass-the-hash and lateral-movement attacks
While you're here, make sure to enforce Network Level Authentication to prevent local accounts from being usable over the network.
Lithnet Access Manager (AMS) is a tool that allows you to safely delegate sensitive administrative access to computers in your organization in a modern and user-friendly way
It provides a web-based interface that allows users to request local admin/root passwords, BitLocker recovery keys, and grant just-in-time administrative access to their own accounts.
It is fully compatible and works out-of-the-box with Microsoft LAPS, but also comes with its own agent, which expands LAPS coverage to Azure AD joined and registered devices, as well as macOS and Linux devices.
LAPS: AMS allows users to retrieve LAPS apsswords over the web, using modern OIDC authentication and MFA.
JIT: AMS allows users to request "just-in-time" access to systems, preventing persistence of administrative privileges across the domain.
