Internal penetration tests are the most frightening assessments that an institution can subject itself to. They can also be one of the most educational assessments.
Penetration testers are often able to quickly gain domain administrator access in an environment, making management aware that good security means more than just patching.
After seeing many of these tests, we have put together this list of items that will likely lead to a penetration tester being unable to gain privileged access in well-patched environments:
- Local Administrators: Penetration testers will seek to gain access to user IDs that are local administrators on workstations, as they can use this local administrative access as a first step to install tools and gain other information needed to eventually gain administrator access to the entire domain. Prohibiting local administrator access for any user is highly recommended because it makes it difficult for the tester to get this initial foothold.
Prohibiting local administrator access by users is only part of the story here, because every workstation still has at least one ID that is a local administrator on that workstation. This ID is used by IT to configure and patch the workstation. If IT uses the same ID and password on every workstation and the tester gains access to this ID, they now control every workstation. That is why you also want to make sure every workstation has a unique password for the local administrator account. You should also periodically change these local administrator passwords.
- Hardened Authentication Methods: In many networks, older authentication methods are left active or newer controls are not enabled because of a fear that something will break if they are changed. Because of the way that they work, these authentication methods will often (if not always) allow a tester or attacker to gain domain administrator access without ever guessing a single password by executing “pass-the-hash” attacks. This can work in even fully patched environments. The specifics of each method or control are too technical for this article, but just know that you should ask your IT department to do these things to harden systems against these weak methods:
1. Disable LLMNR on all systems
2. Disable NetBIOS on all systems
3. Limit caching of credentials on all systems
4. Require NTLMv2 only for all Windows systems
5. Enable SMB signing on all systems
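The five items above, as an added audit script that is not part of the original article: it reads the standard Windows registry locations for each setting on the local host and reports which ones still have a weak value, optionally applying the recommended value with `-Remediate`. It assumes an elevated PowerShell session; the cached-logon target of 0 is an assumed value (some shops accept a small non-zero count for laptops), and the remaining expected values are the documented ones for these settings.

```powershell
# Added example (not from the original article): audit the five hardening items
# on the local Windows host. Run elevated; use -Remediate to set the expected value
# where a check fails. Some settings only take effect after a reboot.
param([switch]$Remediate)

function Test-RegValue {
    param($Path, $Name, $Expected, $Label)
    # A missing path or value yields $null, which is reported as non-compliant.
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $ok = ($null -ne $actual) -and ([string]$actual -eq [string]$Expected)
    [pscustomobject]@{ Check = $Label; Expected = $Expected; Actual = $actual
                       Compliant = $ok; Path = $Path; Name = $Name }
}

$checks = @(
    # 1. LLMNR: multicast name resolution disabled by policy
    Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0 'LLMNR disabled'
    # 3. Cached domain logons (REG_SZ): 0 = no cached credentials (assumed target value)
    Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount' '0' 'Cached logons limited'
    # 4. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1
    Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel' 5 'NTLMv2 only'
    # 5. SMB signing required for both the server and the client role
    Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature' 1 'SMB server signing required'
    Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature' 1 'SMB client signing required'
)
# 2. NetBIOS over TCP/IP is configured per interface: NetbiosOptions 2 = disabled
$checks += @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object { Test-RegValue $_.PSPath 'NetbiosOptions' 2 "NetBIOS disabled on $($_.PSChildName)" })

$checks | Format-Table Check, Expected, Actual, Compliant -AutoSize

if ($Remediate) {
    foreach ($c in ($checks | Where-Object { -not $_.Compliant })) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        # CachedLogonsCount is a string value; everything else here is a DWORD
        $type = if ($c.Name -eq 'CachedLogonsCount') { 'String' } else { 'DWord' }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type $type
        Write-Host "Remediated: $($c.Check)"
    }
}
```

In a domain these values are normally enforced through Group Policy rather than set per host; the script is useful for confirming that the policy actually landed on a given workstation.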
- Workstation Firewall: Simply enabling and properly configuring a workstation firewall on each user workstation will protect against many methods a tester will attempt. Windows Firewall is included with Windows but is sometimes disabled by IT to make it easier to support systems. Make sure the firewall is enabled.
- Limit Administrator Activities to Secure Systems: A tester or attacker will usually attempt to identify who the IT administrators are and will focus on their systems. For this reason, it is best practice to not allow administrators to use their workstations to directly manage systems on the network. Instead, institutions should build a few very secure systems from which all administration is performed. Access to these secure systems should be locked down so that only truly trusted workstations can access them, and multi-factor authentication should be used by users to access these systems.
If you're like most people, you'd like to rest easy knowing your environment is secure from attackers. We'd love to walk you through the process of accomplishing just that.