GDPR questions and answers

Category:
IT Security

How can protection against attacks on Microsoft Active Directory be strengthened?

ANSWER

There has recently been heightened interest in two Microsoft Active Directory security vulnerabilities, CVE-2021-42287 and CVE-2021-42278. Both vulnerabilities and their patches date from November 2021; however, experience shows that many organisations have still not applied the patches. Exploiting the first vulnerability allows an attacker to take over a domain controller by impersonating its sAMAccountName. The second vulnerability affects the Privilege Attribute Certificate (PAC) and consequently enables an attacker to escalate privileges.

Combining the two vulnerabilities poses an extremely serious risk: a successful attack can result in privilege escalation within the Active Directory environment, even without access to a standard user account.

Recommended mitigations:

  1. The first and most obvious mitigation is to install the 9 November 2021 updates on all domain controllers and then enable enforcement mode.
  2. It is also advisable to change the default Machine Account Quota (the ms-DS-MachineAccountQuota attribute of the domain) from 10 to 0, so that unprivileged accounts can no longer add computers to Active Directory.
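The following PowerShell script is an added example (not part of the original answer) that audits and applies the two mitigations above from a defender's side: it reads and, if needed, zeroes ms-DS-MachineAccountQuota, reports the KDC enforcement setting on every writable domain controller, and flags computer accounts whose sAMAccountName lacks the trailing dollar sign, which the November 2021 hardening expects. It assumes the ActiveDirectory RSAT module, Domain Admin rights and WinRM access to the DCs; the registry value name is the PacRequestorEnforcement setting Microsoft documents for the KDC, and the value meanings should be confirmed against the Microsoft KB for your DC build.

```powershell
# Added audit/hardening example; assumptions: RSAT ActiveDirectory module, Domain Admin rights,
# WinRM reachable on every DC. Value meanings for PacRequestorEnforcement (2 = enforcement)
# should be verified against the current Microsoft KB for the DC operating-system build.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Machine Account Quota: the default of 10 lets any authenticated user create computer accounts.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"
if ($quota -ne 0) {
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host "  -> set to 0"
}

# 2. KDC enforcement mode on every writable domain controller.
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
foreach ($dc in $domain.ReplicaDirectoryServers) {
    $value = Invoke-Command -ComputerName $dc -ArgumentList $kdcKey -ScriptBlock {
        param($key)
        (Get-ItemProperty -Path $key -Name PacRequestorEnforcement -ErrorAction SilentlyContinue).PacRequestorEnforcement
    }
    if     ($value -eq 2) { $state = 'enforcement' }
    elseif ($value -eq 1) { $state = 'deployment/audit mode, not yet enforcing' }
    elseif ($value -eq 0) { $state = 'DISABLED' }
    else                  { $state = 'not set (November 2021 update probably missing)' }
    Write-Host "$dc : PacRequestorEnforcement = $value ($state)"
}

# 3. Audit: computer accounts whose sAMAccountName does not end with the dollar sign are abnormal
#    after the hardening and deserve investigation (possible tampering or a stale pre-patch object).
Get-ADComputer -Filter * -Properties sAMAccountName |
    Where-Object { $_.sAMAccountName -notlike '*$' } |
    ForEach-Object { Write-Warning "Computer account without trailing dollar sign: $($_.DistinguishedName)" }
```

Run it periodically and after each domain controller update, since a re-imaged or newly promoted DC will not inherit the enforcement setting until it is patched.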

Against the background of the recent high-profile Log4j vulnerabilities, it is also worth bearing in mind other vulnerabilities whose effects could be equally catastrophic. Note that these vulnerabilities received a CVSS score of 7.5, indicating a very high level of risk.

Additional information on how the attacks work and how to defend against them is published by security-focused websites and by Microsoft itself:

  1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287
  2. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278
  3. https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e
