Microsoft Defender for Identity Recommended Actions: Stop clear text credentials exposure

Microsoft Secure Score helps organizations get insights into security posture based on security-related measurements. Microsoft Defender for Identity leverages Secure Score with twenty-seven recommended actions. In a series of blog posts, I will go through all twenty-seven recommended actions and what they mean, a plan of approach, their impact, and my security recommendations, hopefully helping others. The seventh one in the series is the “Stop clear text credentials exposure” recommended action.

Introduction

You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.

  • Resolve unsecure domain configurations
  • Resolve unsecure account attributes
  • Remove dormant accounts from sensitive groups
  • Protect and manage local admin passwords with Microsoft LAPS
  • Configure VPN integration
  • Reduce lateral movement path risk to sensitive entities
  • Stop clear text credentials exposure
  • Disable Print spooler service on domain controllers
  • Stop weak cipher usage
  • Remove unsecure SID history attributes from entities
  • Modify unsecure Kerberos delegations to prevent impersonation
  • Install Defender for Identity Sensor on all Domain Controllers
  • Set a honeytoken account
  • Start your Defender for Identity deployment, installing Sensors on DC’s and other eligible servers
  • Accounts with non-default Primary Group ID
  • Change Domain Controller computer account old password
  • Reversible passwords found in GPOs
  • Unsafe permissions on the DnsAdmins group
  • GPO assigns unprivileged identities to local groups with elevated privileges
  • Remove access rights on suspicious accounts with the Admin SDHolder permission
  • Remove local admins on identity assets
  • Remove non-admin accounts with DCSync permissions
  • GPO can be modified by unprivileged accounts
  • Built-in Active Directory Guest account is enabled
  • Change password for krbtgt account
  • Change password of built-in domain Administrator account
  • Ensure that all privileged accounts have the configuration flag

Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “Stop clear text credentials exposure.”

Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.

LDAP Bind Operation

To authenticate to Active Directory over LDAP, a client sends a Bind operation. There are several ways to authenticate, and the Simple Bind is the most common one. With a Simple Bind, a client authenticates either anonymously or by providing the Distinguished Name of a user together with that user's password.

Unfortunately, simple authentication sends the password in plain text over the network. A malicious actor positioned on the network path (a man-in-the-middle) can read the password as it passes, which could lead to a disastrous result.

Here is an example of a simple authentication showing the plain-text password in Wireshark.

Image 1: Plain-text password SimpleLDAPBind01!

As you can see, the password sent to authenticate is in plain text.
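To make the "Simple" authentication choice concrete, here is an added PowerShell example (not the author's tool and not Microsoft's sensor code) that builds two constructed LDAP BindRequest messages, one Simple and one SASL, and decodes them the way a detector would: it reports the bind DN and the authentication type without ever printing the credential. The BER encoder only handles short-form lengths, which is enough for these samples; the DN, account name and credential values are constructed for the example.

```powershell
# Added example: decode an LDAP BindRequest and flag Simple authentication.
# Sample messages are constructed inline; only short-form BER lengths are supported.

function New-Tlv {
    # Encode one BER element: tag, short-form length (< 128), content
    param([byte]$Tag, [byte[]]$Content)
    if ($Content.Length -gt 127) { throw 'Short-form length only in this example' }
    [byte[]](@($Tag, [byte]$Content.Length) + $Content)
}

function Read-Tlv {
    # Decode the tag/length header at $Offset; returns where the content starts and ends
    param([byte[]]$Bytes, [int]$Offset)
    $tag = [int]$Bytes[$Offset]
    $len = [int]$Bytes[$Offset + 1]
    $hdr = 2
    if ($len -band 0x80) {                        # long form: low 7 bits = number of length bytes
        $n = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$Offset + 2 + $i] }
        $hdr += $n
    }
    [pscustomobject]@{ Tag = $tag; Start = $Offset + $hdr; Length = $len; Next = $Offset + $hdr + $len }
}

function Get-LdapBindInfo {
    # Walk LDAPMessage -> BindRequest -> authentication CHOICE and classify the bind
    param([byte[]]$Message)
    $msg = Read-Tlv $Message 0                    # LDAPMessage ::= SEQUENCE (0x30)
    if ($msg.Tag -ne 0x30) { return $null }
    $id  = Read-Tlv $Message $msg.Start           # messageID INTEGER
    $op  = Read-Tlv $Message $id.Next             # protocolOp
    if ($op.Tag -ne 0x60) { return $null }        # [APPLICATION 0] = BindRequest
    $ver  = Read-Tlv $Message $op.Start           # version INTEGER
    $name = Read-Tlv $Message $ver.Next           # name OCTET STRING (bind DN)
    $auth = Read-Tlv $Message $name.Next          # authentication CHOICE
    $dn = [Text.Encoding]::UTF8.GetString($Message, $name.Start, $name.Length)
    switch ($auth.Tag) {
        0x80    { $kind = 'simple' }              # [0] simple: password travels as clear text
        0xA3    { $kind = 'sasl' }                # [3] sasl: SEQUENCE { mechanism, credentials }
        default { $kind = 'unknown' }
    }
    [pscustomobject]@{
        BindDn            = $dn                   # empty for SASL; identity comes from the token
        Auth              = $kind
        # A non-empty simple credential is what "Stop clear text credentials exposure" flags
        ClearTextPassword = ($kind -eq 'simple' -and $auth.Length -gt 0)
    }
}

# Constructed samples (hypothetical DN and credential; not captured traffic)
$utf8 = [Text.Encoding]::UTF8
$dn   = 'CN=svc-backup,OU=Service Accounts,DC=contoso,DC=local'
$simpleBind = New-Tlv 0x30 (
    (New-Tlv 0x02 ([byte[]]1)) +
    (New-Tlv 0x60 (
        (New-Tlv 0x02 ([byte[]]3)) +
        (New-Tlv 0x04 $utf8.GetBytes($dn)) +
        (New-Tlv 0x80 $utf8.GetBytes('Pa55w0rd!'))
    ))
)
$saslBind = New-Tlv 0x30 (
    (New-Tlv 0x02 ([byte[]]2)) +
    (New-Tlv 0x60 (
        (New-Tlv 0x02 ([byte[]]3)) +
        (New-Tlv 0x04 ([byte[]]@())) +
        (New-Tlv 0xA3 (
            (New-Tlv 0x04 $utf8.GetBytes('GSS-SPNEGO')) +
            (New-Tlv 0x04 $utf8.GetBytes('token-bytes'))
        ))
    ))
)

foreach ($m in @($simpleBind, $saslBind)) { Get-LdapBindInfo $m }
```

The first object comes back with Auth set to simple and ClearTextPassword set to True, the second with Auth set to sasl and ClearTextPassword set to False. The same tag check (0x80 for the simple choice versus 0xA3 for SASL) is the distinction the Wireshark dissector makes when it labels the bind as "simple", and it is the property a network sensor keys on; note that the DN, not the credential, is what a detector should surface.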

Simple LDAP Bind Tool

I created a tool to perform a Simple LDAP Bind, which you can use to test the recommended action “Stop clear text credentials exposure” and the plain-text password using Wireshark.

Image 2: Tool to authenticate using Simple Authentication

Performing a Simple LDAP Bind results in “Exposed entities” in the Microsoft Defender for Identity Recommended Action “Stop clear text credentials exposure.”

Image 3: Exposed entities in Microsoft Defender for Identity Recommended Actions

Mitigation

The Microsoft Defender for Identity sensor detects clear text credentials by decoding the Bind request and looking for “Simple” authentication. Luckily, a Domain Controller also audits unsigned LDAP Binds, including Simple Binds, with Event ID 2887 in the Directory Service log, which is on by default. Event ID 2887 is logged once every twenty-four hours and only summarizes the unsigned LDAP Binds performed in that period.

Unfortunately, Event ID 2887 does not say which account and IP address performed the Bind. To see who performed an unsigned Bind, you must raise the LDAP Interface Events diagnostic level on every Domain Controller using the following command (run from an elevated PowerShell session).

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name "16 LDAP Interface Events" -Value 2 -PropertyType DWORD -Force

Once enabled, Event ID 2889 in the Directory Service log shows who performed the Bind, including the IP address and account.

Once no unsigned LDAP Binds have been shown for at least a month, you can require LDAP signing on the Domain Controllers, which rejects Simple LDAP Binds on unencrypted connections and so stops passwords from being sent in plain text over the network.
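The three steps above (raise the diagnostic level, read Event ID 2889, then require signing) are easier to act on with a summary per account and client. The following PowerShell is an added example, not from the original post: it parses 2889 messages into identity, client IP and binding type, groups them, and checks the two registry values involved (the "16 LDAP Interface Events" diagnostic value from the command above and LDAPServerIntegrity, which the "Domain controller: LDAP server signing requirements" policy sets to 2 for Require signing). The sample messages are constructed; their layout follows the 2889 event text as I understand it, so verify the regex against a real event on one of your Domain Controllers before relying on it.

```powershell
# Added example: summarize Event ID 2889 entries and check the related settings.
# Sample event messages below are constructed, not exported from a real DC.

function ConvertFrom-Event2889Message {
    # Pull client IP, attempted identity and binding type out of one 2889 message
    param([string]$Message)
    $pattern = '(?s)Client IP address:\s*(?<ip>\S+).*?authenticate as:\s*(?<id>[^\r\n]+).*?Binding Type:\s*(?<type>\d+)'
    $m = [regex]::Match($Message, $pattern)
    if (-not $m.Success) { return $null }
    $ip = $m.Groups['ip'].Value -replace ':\d+$', ''     # drop the ephemeral source port (IPv4 form)
    # Binding Type 0 = SASL bind without signing, 1 = simple bind over a clear text connection
    $type = if ($m.Groups['type'].Value -eq '1') { 'Simple bind (clear text)' } else { 'Unsigned SASL' }
    [pscustomobject]@{ ClientIp = $ip; Identity = $m.Groups['id'].Value.Trim(); BindType = $type }
}

function Get-UnsignedBindReport {
    # Aggregate parsed 2889 entries by identity, client and bind type, most frequent first
    param([string[]]$Messages)
    $Messages | ForEach-Object { ConvertFrom-Event2889Message $_ } | Where-Object { $_ } |
        Group-Object Identity, ClientIp, BindType | ForEach-Object {
            [pscustomobject]@{
                Identity = $_.Group[0].Identity
                ClientIp = $_.Group[0].ClientIp
                BindType = $_.Group[0].BindType
                Count    = $_.Count
            }
        } | Sort-Object Count -Descending
}

function Get-UnsignedBindReportFromDc {
    # Run against a Domain Controller: read every 2889 event from the Directory Service log
    param([string]$ComputerName = $env:COMPUTERNAME)
    $events = Get-WinEvent -ComputerName $ComputerName `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -ErrorAction SilentlyContinue
    Get-UnsignedBindReport ($events | ForEach-Object Message)
}

function Test-LdapSigningConfig {
    # Check the diagnostic level that produces 2889 and whether signing is already required
    $diag = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -ErrorAction SilentlyContinue
    $parm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LdapInterfaceEvents = $diag.'16 LDAP Interface Events'   # 2 = log Event ID 2889 per unsigned bind
        LdapServerIntegrity = $parm.LDAPServerIntegrity          # 2 = require signing; 1 or absent = none
        SigningRequired     = ($parm.LDAPServerIntegrity -eq 2)
    }
}

function New-SampleEvent2889 {
    # Build a constructed 2889-style message (layout assumed from the real event text)
    param([string]$ClientIp, [string]$Identity, [int]$BindingType)
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.`n`nClient IP address:`n$ClientIp`nIdentity the client attempted to authenticate as:`n$Identity`nBinding Type:`n$BindingType"
}

# Offline run on constructed data (hypothetical hosts and accounts)
$sample = @(
    New-SampleEvent2889 '10.10.20.15:49872' 'CONTOSO\svc-backup' 1
    New-SampleEvent2889 '10.10.20.15:50113' 'CONTOSO\svc-backup' 1
    New-SampleEvent2889 '10.10.30.7:61002'  'CONTOSO\jdoe'       0
)
Get-UnsignedBindReport $sample | Format-Table -AutoSize
```

On the constructed data the report shows svc-backup from 10.10.20.15 with two Simple binds and jdoe from 10.10.30.7 with one unsigned SASL bind; on a Domain Controller, call Get-UnsignedBindReportFromDc after the diagnostic level has been raised, and use Test-LdapSigningConfig to confirm each DC reports LdapInterfaceEvents of 2 during the observation month and SigningRequired of True once you enforce signing. Keep in mind that 2889 also covers unsigned SASL binds, so a Binding Type of 0 is an application that needs signing enabled, not one sending a clear text password.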

Conclusion

The Microsoft Defender for Identity Recommended Action “Stop clear text credentials exposure” is a perfect way to eliminate plain-text passwords going over the network, lowering the risk of a malicious actor obtaining one. Using the events in Event Viewer is also possible, but with Microsoft Defender for Identity, every clear text credential exposure is in one place, which makes it a lot easier.