What Is 'ntds.dit'?
The 'ntds.dit' file is the database used by Microsoft Active Directory Domain Services (AD DS). It stores:
- User Data: Includes account details, password hashes (e.g., NTLM), and security identifiers (SIDs).
- Schema Definitions: Information about object types and attributes used in the directory.
- Configuration Data: Domain structure, replication settings, and more.
- Replicated Data: Copies of objects synchronized across domain controllers.
How attackers gain access to the 'ntds.dit' file:
1. Exploiting Backups
Domain controller backups often include the 'ntds.dit' file. Attackers may:
- Access Backups: If backups aren’t encrypted or are stored in unsecured locations.
- Compromise Backup Solutions: Vulnerabilities in backup systems or accounts can give attackers access.
2. Volume Shadow Copies
The Volume Shadow Copy Service (VSS) creates snapshots of the system, including the 'ntds.dit' file. Common techniques include:
- Using VSSAdmin: Attackers can list and manipulate shadow copies to extract the file.
- Mounting Shadow Copies: With tools or PowerShell, attackers access shadow copies for data extraction.
3. Direct Access
Once attackers have sufficient privileges on a domain controller, they can use various tools, which won't be named here, to extract the information.
Protecting Against 'ntds.dit' dumping:
1. Secure Backups
- Encrypt Backups: Use strong encryption for all domain controller backups. (Veeam has you covered with the option to enable backup encryption: https://helpcenter.veeam.com/docs/backup/vsphere/encryption_backup_job.html?ver=120)
- Restrict Access: Ensure backups are stored in secure, access-controlled locations. (Veeam has you covered again: backups to tape and, more importantly, immutable backups and hardened repositories: https://www.veeam.com/blog/immutable-backup.html & https://www.veeam.com/blog/installing-ubuntu-linux-veeam-hardened-repository.html)
- Monitor Backup Access: Regularly audit backup permissions and access logs. (Covered again with SIEM integration and MFA: https://www.veeam.com/blog/siem-integration-with-backup.html & https://helpcenter.veeam.com/docs/backup/vsphere/mfa.html?ver=120)
2. Mitigate Volume Shadow Copy Abuse
- Disable VSS on Domain Controllers: Unless necessary, disable VSS to reduce potential exposure.
- Monitor VSS Activities: Log and alert on unusual VSS-related activities using tools like Sysmon.
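As an added example (not code from the original post), the script below shows what "log and alert on VSS-related activity with Sysmon" can look like in practice: it reads Sysmon process-creation events (Event ID 1) from the last N hours and reports any command line that touches shadow-copy tooling. It assumes Sysmon is installed with process creation logging enabled; the keyword list is this reviewer's choice, not a Sysmon or Microsoft default, and should be tuned to whatever backup software legitimately runs on your domain controllers.

```powershell
# Added example: surface shadow-copy related process launches from Sysmon Event ID 1.
# Assumptions: Sysmon is installed on the DC and logs process creation; keyword list is ours.
function Get-ShadowCopyProcessEvents {
    param(
        [int]$Hours = 24,
        # Binaries and WMI/CIM class names that appear when shadow copies are listed, created or exposed.
        [string[]]$Keywords = @('vssadmin', 'diskshadow', 'shadowcopy')
    )
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Sysmon stores each field as <Data Name="...">text</Data>; flatten them into a hashtable.
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $cmd = $data['CommandLine']

        # -match is case-insensitive, so 'VSSAdmin' and 'Win32_ShadowCopy' both hit.
        $hit = $Keywords | Where-Object { $cmd -and $cmd -match [regex]::Escape($_) } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Time        = $evt.TimeCreated
                User        = $data['User']
                Image       = $data['Image']
                ParentImage = $data['ParentImage']
                CommandLine = $cmd
                Matched     = $hit
            }
        }
    }
}

# Usage: run elevated on the DC (or on a collector that receives forwarded Sysmon logs)
# and send the output to your SIEM or ticketing queue.
Get-ShadowCopyProcessEvents -Hours 24 | Format-Table -AutoSize
```

On a healthy domain controller this should return little or nothing outside backup windows; a scheduled backup job is the usual benign source, so filter on ParentImage and User before alerting rather than suppressing the keywords themselves.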
3. Secure the 'ntds.dit' File
- File Permissions: Ensure only the LocalSystem account can access the file.
- Disk Encryption: Use full-disk encryption (e.g., BitLocker) to protect domain controller disks.
4. Monitor and Harden Domain Controllers
- Limit Admin Access: Restrict administrative privileges to essential personnel.
- Log Auditing: Track access to the 'ntds.dit' file and to the SYSTEM registry hive (needed for Syskey extraction).
- SIEM Alerts: Set up alerts for suspicious behaviour on domain controllers.
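The file-permission check in section 3 and the file-access auditing in section 4 can be verified with one script. As an added example (not code from the original post), the following locates the database through the NTDS service's "DSA Database file" registry value, then reports any DACL entry outside an allow-list and warns if no SACL audit rule exists, since without one, reads of the file never generate Security event 4663 no matter how the SIEM is configured. The allow-list is an assumption on our part: the post asks for LocalSystem only, while a stock domain controller also grants BUILTIN\Administrators, so adjust it to your own standard.

```powershell
# Added example: report on the ACL (DACL) and audit rules (SACL) protecting ntds.dit.
# Run elevated on a domain controller; reading the SACL needs SeSecurityPrivilege.
# Assumption: $AllowedIdentities is our policy, not a Microsoft default.
function Get-NtdsDatabasePath {
    # The DC records where the database lives under the NTDS service parameters key.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    return $params.'DSA Database file'
}

function Test-NtdsAcl {
    param(
        [string]$Path = (Get-NtdsDatabasePath),
        [string[]]$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    # -Audit makes Get-Acl include the SACL in $acl.Audit alongside the DACL in $acl.Access.
    $acl = Get-Acl -Path $Path -Audit
    $findings = @()

    # DACL: any principal outside the allow-list with read rights can copy the database.
    foreach ($ace in $acl.Access) {
        if ($AllowedIdentities -notcontains $ace.IdentityReference.Value) {
            $findings += [pscustomobject]@{
                Check    = 'UnexpectedDaclEntry'
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Detail   = "Inherited=$($ace.IsInherited)"
            }
        }
    }

    # SACL: a Success audit rule covering ReadData is what turns a file read into event 4663,
    # provided the "Audit File System" subcategory is also enabled in the audit policy.
    $readAudit = $acl.Audit | Where-Object {
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -and
        ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success)
    }
    if (-not $readAudit) {
        $findings += [pscustomobject]@{
            Check    = 'NoReadAuditRule'
            Identity = '-'
            Rights   = '-'
            Detail   = 'Add a Success audit rule for ReadData and enable "Audit File System" so 4663 events are written'
        }
    }
    return $findings
}

# Usage: an empty result means the DACL matches the allow-list and read auditing is in place.
Test-NtdsAcl | Format-Table -AutoSize
```

The script is deliberately report-only; apply any ACL or SACL change through your normal change process, and re-run it afterwards, as well as periodically, since permissions on the NTDS folder can drift when the directory is moved or restored.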
5. Regularly Rotate Passwords
- Frequently update passwords for high-privilege accounts to minimize the impact of leaked hashes.
Advanced Protection
1. Read-Only Domain Controllers (RODCs):
- Deploy RODCs in environments like branch offices. These store limited credentials and don’t hold writable 'ntds.dit' files.
2. Privileged Access Management (PAM):
- Implement PAM solutions to tightly control and monitor the use of privileged accounts.
3. Incident Response Plans:
- Prepare a response plan for suspected breaches of domain controller data, including steps to reset accounts and investigate the intrusion.