Scrape Timestamp (UTC): 2025-07-23 14:40:01.143
How to harden your Active Directory against Kerberoasting

Kerberoasting is a common attack targeting Microsoft Active Directory, enabling attackers to compromise service accounts with a low risk of detection. Because it manipulates legitimate accounts, it can be highly effective. However, robust password security can keep the criminals at bay.

First, what is Kerberoasting? The name comes from ‘Kerberos’, the authentication protocol used in Active Directory, which verifies the identity of a user or computer requesting access to resources. Kerberoasting is a privilege escalation attack in which a perpetrator in control of a standard Windows user account attempts to crack the password of an account with a Service Principal Name (SPN); if successful, they can then escalate their attack to threaten any part of the architecture connected to the targeted account.

Multi-pronged attack

How does an attack work in practice? It’s slightly complex, but there are five key stages:

Secure your Active Directory passwords with Specops Password Policy
Verizon’s Data Breach Investigation Report found stolen credentials are involved in 44.7% of breaches. Effortlessly secure Active Directory with compliant password policies, blocking 4+ billion compromised passwords, boosting security, and slashing support hassles!

Adversary advantages

Kerberoasting is a complex process, with a range of tools available online both to detect accounts with an associated SPN and then to break into the ticket. However, it has significant advantages for attackers:

How to protect your Active Directory

It’s easy to see why Kerberoasting would appeal to cybercriminals. However, organizations can take steps to protect their AD from the danger.

Scan your AD for stale accounts

Specops Password Auditor is a read-only tool that lets you proactively scan for weak, reused, and breached passwords in your Active Directory environment. It helps audit the domain’s service accounts for password security and gives visibility into service accounts with administrator permissions. Your exportable report gives you a full view of stale accounts in your organization, which are often a starting point for Kerberoasting attacks. Download your free tool here.

Prevent Kerberoasting attacks

Kerberoasting is a complex form of attack, built across different stages. However, one thing is certain: password security sits at the heart of your defense. This works on two major levels.

First, before attackers can request a service ticket tied to an SPN account, they need access to another user account that they can manipulate. They obtain this through well-known means, such as phishing or malware. Multi-factor authentication (MFA) is also key to protecting accounts against this danger, with passwords a key component. By ensuring your passwords meet the most stringent security demands, you can protect your organization – and its employees – from the first stage of a Kerberoasting attack.

Second, there’s the attack itself. As we’ve seen, Kerberoasting and brute force tactics struggle against lengthy, unique passwords of 25 characters or more. By ensuring all your SPN-linked accounts are protected by such passwords, you take a huge step towards securing your Active Directory. Specops Password Policy makes it easy to block weak passwords and enforce the creation of strong, unique passphrases. On top of that, it continuously scans your AD against a growing list of over 4 billion compromised passwords, alerting end users if their password is found to be breached. Interested in how this could work in your environment? Get in touch for a demo.

Sponsored and written by Specops Software.
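An added audit example, not part of the original article and not Specops’ own code: a PowerShell script that lists the user accounts carrying an SPN and flags the two conditions the article calls out, stale passwords and administrator-level privilege. It assumes the ActiveDirectory RSAT module is installed and a domain account with read access; the staleness threshold and the privileged-group list are assumptions to align with your own policy.

```powershell
# Added example (not Specops or Microsoft code): enumerate the user accounts that carry a
# Service Principal Name, i.e. the accounts a Kerberoasting attempt requests tickets for,
# and flag the two conditions the article calls out: stale passwords and admin privilege.
# Needs the ActiveDirectory RSAT module and a domain account with read access.
Import-Module ActiveDirectory

$StalePasswordDays = 365   # assumed "stale" threshold; align with your rotation policy
$PrivilegedGroups  = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'

function Get-KerberoastExposure {
    $cutoff = (Get-Date).AddDays(-$StalePasswordDays)

    # User objects only: computer accounts carry SPNs too, but their passwords are
    # long, random and rotated automatically. krbtgt is skipped as a special case.
    $spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, AdminCount, Enabled, MemberOf |
        Where-Object { $_.SamAccountName -ne 'krbtgt' }

    foreach ($u in $spnUsers) {
        $groups = foreach ($dn in $u.MemberOf) { (Get-ADGroup -Identity $dn).SamAccountName }
        # adminCount=1 marks accounts under AdminSDHolder protection (current or former
        # members of protected groups); direct membership is checked as well.
        $isAdmin = ($u.AdminCount -eq 1) -or [bool]($groups | Where-Object { $PrivilegedGroups -contains $_ })
        $isStale = ($null -eq $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $cutoff)
        # A privileged SPN account with an old password is the case to fix first: a
        # cracked password there hands over domain-level rights, not just one service.
        $priority = if ($isAdmin -and $isStale) { 'High' } elseif ($isAdmin -or $isStale) { 'Medium' } else { 'Low' }

        [pscustomobject]@{
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            SPNs            = (@($u.ServicePrincipalName) -join ';')
            PasswordLastSet = $u.PasswordLastSet
            PasswordStale   = $isStale
            Privileged      = $isAdmin
            Priority        = $priority
        }
    }
}

# Worst cases first, then export so the findings can be tracked and re-checked after
# the flagged accounts receive a new password of 25 characters or more.
$rank     = @{ High = 2; Medium = 1; Low = 0 }
$exposure = Get-KerberoastExposure | Sort-Object { $rank[$_.Priority] } -Descending
$exposure | Format-Table Account, Enabled, Privileged, PasswordStale, PasswordLastSet, Priority -AutoSize
$exposure | Export-Csv -Path .\kerberoast-exposure.csv -NoTypeInformation
```

Accounts reported as Privileged deserve a second look regardless of password age, since a service account rarely needs membership in a protected group at all.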
Daily Brief Summary
Kerberoasting is a complex cyberattack method that targets service accounts in Microsoft Active Directory using the Kerberos authentication protocol.
Attackers benefit from a low risk of detection and from tools available online for identifying accounts with Service Principal Names (SPNs) and subsequently cracking their passwords.
The primary defense against Kerberoasting includes implementing robust password policies, such as enforcing unique, long passphrases and blocking known compromised passwords.
Specops Software provides tools like Specops Password Policy and Specops Password Auditor to enhance Active Directory security by preventing weak and reused passwords.
Multi-factor authentication (MFA) is crucial in safeguarding accounts against initial access, which is a prerequisite for launching a Kerberoasting attack.
An exportable report from tools like Specops Password Auditor can help identify and secure stale accounts, commonly exploited in Kerberoasting.
Verizon's Data Breach Investigation Report highlights that stolen credentials play a role in approximately 44.7% of data breaches, underlining the importance of secure authentication practices.
Organizations are encouraged to adopt comprehensive, compliant password policies to protect against sophisticated password cracking techniques used in Kerberoasting.