Blog Post

Core Infrastructure and Security Blog
9 MIN READ

Protecting Tier 0 the Modern Way

DagmarHeidecker's avatar
DagmarHeidecker
Icon for Microsoft rankMicrosoft
Feb 19, 2024
How should your Tier 0 Protection look like?   Almost every attack on Active Directory you hear about today – no matter if ransomware is involved or not – (ab)uses credential theft techniq...
Updated Feb 19, 2024
Version 5.0
DagmarHeidecker
deji1935's avatar
deji1935
Copper Contributor
Feb 26, 2024

.... think of a virtualized Domain Controller and what the admin of the virtualization host can do to it, like dumping the memory or copying the Domain Controller’s hard disk with all the password hashes. Consequently, virtualization environments hosting Tier 0 computers are Tier 0 systems as well. This also applies to the virtualization Admin accounts.

This paragraph sounds like FUD to me. I may not be understanding the point it's trying to make, so please permit me to document my thinking here, in the hope that I can learn from the Experts.

 

IF a virtualized DC is in a virtual environment where proper RBAC is already in place (which should be a standard practice in 2024), then permissions in the virtual infrastructure (VI) should have no bearing on the permissions and authorization on a DC. The VI administrator does not (should not) have ANY access to a Domain Controller just by virtue of being a VI Admin. If they don't have access to AD, then stealing a virtual or physical DC disk shouldn't give them that access.

 

Yes, the VI Admin has access to the VM in which a DC role is installed (and configuration files, e.g. disks backing the VM). But this in and of itself does not give the VI admin any AD access or roles.

 

Yes, the VI Admin can copy the VM's disk. But, this in and of itself still does not grant the VI any access to AD

 

Yes, the rogue VI Admin can attach the disk to another VM. There are 3 (very) strong mitigations for this scenario:

1. VM Generation_ID, which kicks in as soon as the new VM is powered on. The "DC Safety" part of Gen-ID was designed to make the copied DC useless.

2. VM encryption. Once the disk is copied and taken out of the VI environment, encryption makes it unusable

3. Even if the previous 2 "safegurads" were defeated, and the rogue Admin was able to use the disk to power on a stolen DC, what then? The rogue VI will boot up to Windows and...? Whatever happens from that point is not a function of virtualization. It is back to RBAC. If the VI Admin didn't originally have permission to log into a DC or perform AD roles, being able to boot a virtual (or even a physical) DC still won't magically give them that ability.

 

Hopefully, I will learn something new here. Thanks

 

- Deji