Journal of Information Security Research (信息安全研究) ›› 2021, Vol. 7 ›› Issue (1): 95-100.

• Technical Applications •

Discussion on Security Protection Measures for Enterprise Active Directory Domain Services

Li Dong, Zhang Dezheng

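  1. Nuclear Industry Computer Application Research Institute
  • Received: 2021-01-10 Online: 2021-01-05 Published: 2021-01-10
  • Corresponding author: Li Dong
  • About the authors: Li Dong, B.Sc., information security engineer; main research interests: network security and red-blue team confrontation. lidong@cnnc.com.cn Zhang Dezheng, B.Eng., information security engineer; main research interests: network security, data analysis and security protection. zhangdezheng@cnnc.com.cn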

Discussion on Protective Measures of Enterprise Active Directory Domain Service

  • Received:2021-01-10 Online:2021-01-05 Published:2021-01-10

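Abstract: As information technology is applied ever more deeply in enterprise research and production, more and more enterprises have adopted an intensive network architecture and a unified management and control model. The advantage of this approach is that it supports efficient business operation while quickly reducing the cost of enterprise resource investment. From a network security standpoint, the security risks exposed by the formerly decentralized IT assets converge and decrease, while the security risks faced by the core IT assets at key nodes multiply. To address how to safeguard the network security of an enterprise's core assets, this paper takes the Windows domain environment (Active Directory Domain Services), the architecture most widely used in real-world enterprises, as an example. From the attacker's perspective, it attempts to classify the common attack methods against Active Directory Domain Services and analyzes the characteristics of the attack methods at each stage. For attack methods with different characteristics, it proposes an approach in which enterprises follow the PDCA cycle to carry out, in turn, full-life-cycle security protection measures such as domain environment hardening, traffic monitoring, log analysis and security inspection, with the aim of reducing the security risk of Active Directory Domain Services.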

Keywords: information technology, enterprise security, IT assets, PDCA cycle, domain protection

Abstract: As information technology becomes more deeply embedded in enterprise research and production, more and more enterprises are adopting an intensive network architecture and a unified management and control mode. The advantage of this approach is that it supports efficient business operation while quickly reducing the cost of enterprise resource investment. From the perspective of network security, the security risks exposed by the formerly decentralized IT assets converge and decrease, while the security risks faced by the core IT assets at key nodes increase exponentially. To address how to ensure the network security of an enterprise's core assets, this paper takes the Windows domain environment (Active Directory Domain Services), the architecture mode most widely used in enterprises, as an example. From the perspective of attackers, it attempts to classify the common attack methods against Active Directory Domain Services and analyzes the characteristics of the attack methods at each stage. Based on those characteristics, it puts forward an approach in which enterprises follow the PDCA cycle to carry out, in turn, whole-life-cycle security protection measures such as domain environment reinforcement, traffic monitoring, log analysis and security inspection, so as to reduce the security risk of Active Directory Domain Services.

Key words: information technology, enterprise security, IT asset, PDCA cycle, domain protection