Making Lateral Movement Difficult in an Active Directory Environment

This post examines Group Policy Object (GPO) configurations that mitigate lateral movement attacks in Active Directory environments, particularly addressing scenarios where shared local administrative credentials exist across multiple endpoints.

The Problem

Organizations frequently implement identical local administrative accounts across all endpoints. From an attacker’s perspective, compromising a single workstation grants access to numerous machines. Once credentials are obtained through hash dumping or credential extraction, attackers can attempt lateral movement to identify sensitive accounts like Domain Admins.

I demonstrate using CrackMapExec to test local administrative credentials across networked machines, showing how a single compromised credential set enables widespread access without triggering typical SOC alerts (since these are local authentication attempts).

The GPO Solution

Configuration Location

Settings are found in: Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment

Key Technical Details

The GPO leverages special Security Identifiers (SIDs) introduced in KB 2871997:

  • S-1-5-113: NT AUTHORITY\Local account
  • S-1-5-114: NT AUTHORITY\Local account and member of Administrators group

These SIDs allow the GPO to apply restrictions uniformly across all local accounts without requiring explicit enumeration.

Implemented Restrictions

The configuration denies:

  • Local accounts from authenticating over the network
  • Domain Admins from local logon or Remote Desktop access
  • Pass-the-Hash techniques using local credentials
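As an added example (not code from the original post), the following PowerShell script audits a host's effective User Rights Assignment for the deny rights described above. It assumes an elevated session on a domain-joined Windows machine with secedit.exe available, and that the name "Domain Admins" resolves in the current domain.

```powershell
# Added audit script, not from the original post. Exports the effective
# local security policy and checks that the deny rights the post describes
# are present. Assumes: elevated session, domain-joined host, secedit.exe.
$inf = Join-Path $env:TEMP 'rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# Parse the [Privilege Rights] section into right -> list of SIDs/names.
# secedit writes SIDs with a leading '*', which is stripped here.
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}

# Resolve the Domain Admins SID (S-1-5-21-<domain>-512) for the current domain.
$domainAdmins = (New-Object System.Security.Principal.NTAccount('Domain Admins')).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$failed = 0
function Test-Right([string]$Right, [string[]]$AnyOf, [string]$Why) {
    $present = $rights[$Right] | Where-Object { $AnyOf -contains $_ }
    if ($present) { Write-Host "OK      $Right contains $($present -join ', ') ($Why)" }
    else          { Write-Host "MISSING $Right lacks $($AnyOf -join ' or ') ($Why)"; $script:failed++ }
}

# Local accounts must not authenticate over the network: S-1-5-113 covers every
# local account, S-1-5-114 only local members of Administrators (either blocks
# Pass-the-Hash with local credentials).
Test-Right 'SeDenyNetworkLogonRight' @('S-1-5-113', 'S-1-5-114') 'local network logon denied'
# Domain Admins must not log on locally or via Remote Desktop on this tier.
Test-Right 'SeDenyInteractiveLogonRight'       @($domainAdmins) 'Domain Admins local logon denied'
Test-Right 'SeDenyRemoteInteractiveLogonRight' @($domainAdmins) 'Domain Admins RDP denied'

Remove-Item $inf -ErrorAction SilentlyContinue
exit $failed
```

The exit code is the number of missing assignments, so the script can be run from a scheduled compliance check and alerted on when non-zero.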

Results Demonstrated

After GPO application:

  1. Blocked local credential lateral movement – CrackMapExec authentication attempts fail
  2. Domain Admin restrictions – Even high-privileged accounts cannot access restricted systems
  3. Pass-the-Hash failure – Hash-based authentication is rejected

Broader Context

This GPO functions as one component of comprehensive Privileged Access Management strategies. Combined with segregated Privileged Access Workstations, it prevents Domain Admins from exposing credentials on less-trusted endpoints while making lateral movement significantly more difficult for attackers.
