Securing Domain Controller Environments From The Ground Up — Print Spooler Edition
With the latest CVE around the print spooler service this is a good time to update my guidance on securing domain controller environments with security hardening policies.
Just for reference at the time of this posting there is an RCE going around with the print spooler service which can be extremely dangerous if you have it left running on a domain controller.
Currently there are two free methods to downloading readily available group policy content and importing them to your active directory environment. Microsoft provides downloadable toolkits and security baselines for Windows Server 2012 and up. They also provide security baseline content for Windows 10 builds.
The DoD Cyber Exchange also hosts downloadable group policy stig content at the following URL:
They provide both server and Windows 10 hardening content as well.
I do not arbitrarily recommend that you import an entirely new security baseline or over write your existing security baselines without proper testing. Microsoft also provides a tool called Policy Analyzer that is available in the security compliance toolkit if you need to analyze and compare your current security baseline posture with the policy baselines that I mentioned above.
Once you extract Microsoft policy baseline for Server 2019 you will need to do a few things before starting. From the templates directory you will need to copy the admx and adml files to “c:\Windows\PolicyDefinitions” and “c:\Windows\PolicyDefinitions\en-US” respectively.
Next if you launch group policy management console you will see a folder called Group Policy Objects. This is where you will create your policies and extract the GPO templates to the policies.
Inside the 2019 baseline folder you should find a list of reports of all the GPO content along with their names.
I will focus my attention on the following highlighted policies
Inside of group policy management right click on the Group Policy Objects folder and select new
Select one of the report names that you want to work with first and populate it in the name field as shown below. Select OK.
Right click on your new group policy object and select import settings
Navigate to the GPO’s folder in the wizard and select ok. In this example the folder I extracted the Server 2019 content to was a folder I created called Server 2019.
After the GPO folder is selected you will be asked which Source GPO you would like to import. In this example I selected the 2019 domain controller.
When you finish the wizard congratulations you have a fully populated GPO for a 2019 domain controller. Repeat these steps for the rest of the GPO’s highlighted nelow.
Once you are finished you should have the following in your Group Policy Objects Folder.
Next click on link an existing gpo and link all the policies except for the domain security one.
In your group policy link order. It should look as follows:
Take note the Default Domain Controllers Policy at the bottom. The reason for this is because there are some insecure policy settings inside it and you don’t want them gaining inheritance over your domain controller security GPO. One setting in particular that can cause a misconfiguration in your active directory environment is clear LDAP communication over port 389. This is the actual policy setting in the Default Domain Controllers Policy.
Note about virtualization based security. Since the domain controller I am on is running inside of vmware workstation I’ve done the following to make VBS working on my DC.
In options advanced I’ve enabled VBS and in turn it enables secure boot as well. The 2019 template by default runs a UEFI bios.
I also encrypted my VM and added a virtual TPM chip to the server as well.
The GPO I left out is the domain security GPO. It enforces longer password policies and defines an account lockout policy. Normally I suggest changing the default domain policy than merging this one in with your domain. For now I will leave it out.
One you are finished you can update the group policy on the domain controller and reboot it.
Now that I have a domain controller that is secured with Microsoft Security Baseline Policies, I will scan it for vulnerabilities with my Kali Linux Box since I have Nessus loaded onto it.
Without doing any manual mitigation I find my domain controller has the following three vulnerabilities:
Starting from the most critical and to my surprise is to find my DC vulnerable to boothole. Microsoft has the following document to fix this issue. Microsoft will supposedly be addressing this vulnerability mid to late 2021.
Next is dealing with Speculative Execution. Microsoft has the following guidance article on this vulnerability:
Its a long article but basically since I am running a intel processor I will be doing the following mitigation.
Code:
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Now that I carried out my subsequent scans what is next?
Lets start next with evaluating system services:
In these guidelines these are specific to Server 2016. Since then all the system service disable recommendations have been included in server 2019 by default. So the more organizations drift towards Server 2019….the better. One thing to note with the print spooler service and why it still remains enabled to this day on servers and especially DC’s is because of print ques that may exist in active directory.
So where did disabling the printer spooler come into play and why have some orgs never implemented disabling the print spooler service?
If you worked in a high security organization where nation states are in your threat model then you will probably understand where disabling print spooler guidance came from. Back in 2010 Microsoft released the following advisory for MS10–61:
MS10–61 was also used in a Nation State piece of (NSA maybe?)software called flame. It largely targeted middle eastern countries and used MS10–061 to laterally move across a network. This is actually well documented in the Mitre Att&k Framework and is definitely worth the revisit.
Since then and hopefully high security organizations just started disabling print spooler services on member servers and domain controllers where there was no need for print services. If you kept deflecting this risk from the days of MS10–61, please pat yourself on the back!
At the time of this writing Microsoft finally released an advisory on this issue and you can read more on the advisory and mitigation strategy below.
I would prioritize doing the mitigations on Domain Controllers first and working your way down to member servers that are not using printing functionality.
Applying print spooler mitigations via group policy (Option 1 from MS article:
In Group Policy management
Give the GPO a name
Edit the newly created policy and navigate to services under preferences > Control Panel Settings > Services
Right click on anywhere in the open area and choose New > Service
Locate the Print Spooler Service
Select Startup to disabled and the service action to stop the service.
The reason for doing this is preferences instead of in the system services section of of group policy under security settings is because you want to ensure the service action is being told to immediately stop the service. The other way should disable as well. Below I see the service is in a stopped state and immediately disabled as well, which is what we want.
Beyond printers everyone should really take a look at Microsoft’s best practice guidelines for securing active directory. Especially the sections on securing domain and enterprise admin accounts and preventing lateral movement across your network to highly privileged accounts. I’ve included a few other of my go to references for security infrastructure and improving the protection of privileged access.
