Full Report
Kerberoasting gives attackers an offline path to cracking service account passwords without triggering alerts. Learn from Specops Software how to protect your Active Directory with stronger SPN password policies and a reduced attack surface. [...]
Analysis Summary
# Best Practices: Mitigating Kerberoasting Attacks in Active Directory
## Overview
These best practices address Kerberoasting, a credential-theft and privilege escalation technique in Microsoft Active Directory. Any authenticated domain account can request a Kerberos service ticket (TGS) for any account that carries a Service Principal Name (SPN); part of that ticket is encrypted with a key derived from the service account's password. An attacker who has compromised a single low-privileged user can therefore collect tickets for every SPN-enabled account and crack the passwords offline, with no further interaction with the domain controller and no failed logons to alert on. The primary defense is to enforce extremely robust password hygiene for SPN accounts and to harden the Kerberos configuration so that tickets are not issued with weak encryption.
## Key Recommendations
### Immediate Actions
1. **Enforce Long, Random Passwords for SPN Accounts:** Ensure every account enabled with an SPN is protected by a unique, randomly generated password (never shared with another account) that is **25 characters or more** in length, so that offline brute-force cracking of a captured ticket is infeasible.
2. **Implement Multi-Factor Authentication (MFA):** Deploy MFA on all user accounts, especially those used to initiate logons, to prevent attackers from gaining the initial foothold necessary to begin reconnaissance for Kerberoasting stages.
3. **Scan for and Identify All SPN Accounts:** Inventory all accounts currently configured with a Service Principal Name (SPN) attribute to establish a baseline of assets requiring enhanced password protection.
### Short-term Improvements (1-3 months)
1. **Migrate SPN Accounts to AES Encryption:** Set `msDS-SupportedEncryptionTypes` on each SPN account so that only **AES128/AES256** are offered and RC4 is not, and configure Domain Controllers to prefer AES. Service tickets for those SPNs are then encrypted with AES keys (PBKDF2-derived, orders of magnitude slower to crack than the RC4 key, which is the account's NT hash). Enforce this per account rather than merely preferring AES on the DC: an attacker can explicitly request an RC4 ticket for any account that still allows RC4. Reset the account's password after the change so that AES keys are generated.
2. **Audit and Restrict Service Account Privileges:** Review the permissions assigned to all SPN accounts. Restrict access so they only possess the minimum necessary permissions for their function, and ensure they are **not members of high-privilege groups** (e.g., Domain Admins).
3. **Deploy Kerberos Traffic Monitoring:** Forward Windows Security event **4769** ("A Kerberos service ticket was requested") from every Domain Controller to the Security Information and Event Management (SIEM) solution and alert on reconnaissance indicators, specifically a **spike in Ticket Granting Service (TGS) requests**, for example one account requesting tickets for many distinct SPNs within a few minutes (the signature of a bulk roast) or a burst of requests for a single SPN from an unexpected host, and any ticket issued with encryption type **0x17 (RC4)** for an account that should be AES-only.
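The detection logic described in the monitoring item above, run over constructed event 4769 records, as an added example (this is not code from the original page or from Specops; the CSV layout, account names, addresses and the five-SPN/five-minute thresholds are assumptions for the example). It flags RC4 service tickets for user SPNs and one account requesting tickets for many distinct SPNs in a short window, and it skips `krbtgt` and computer accounts, which otherwise dominate 4769 volume. The same logic serves the SIEM alerting item in the implementation guidance below.

```python
"""Kerberoasting reconnaissance detection over Windows Security event 4769.

Event 4769 ("A Kerberos service ticket was requested") is logged on the domain
controller for every TGS request.  The export below is constructed for this
example, with the fields a SIEM normally extracts: TimeCreated, TargetUserName
(requesting account), ServiceName (the SPN account), IpAddress and
TicketEncryptionType.  Names and addresses are fictitious.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ticket Encryption Type values as they appear in event 4769.
RC4_HMAC = 0x17
AES128_CTS_HMAC_SHA1 = 0x11
AES256_CTS_HMAC_SHA1 = 0x12

# Assumed tuning values; baseline them against normal traffic before deploying.
WINDOW = timedelta(minutes=5)
DISTINCT_SPN_THRESHOLD = 5

SAMPLE_EXPORT = """\
time,account,service,client,etype
2024-03-01T09:00:01,jdoe@CORP.LOCAL,WS01$,10.0.0.15,0x12
2024-03-01T09:00:03,jdoe@CORP.LOCAL,krbtgt,10.0.0.15,0x12
2024-03-01T09:05:10,jdoe@CORP.LOCAL,svc_sql,10.0.0.15,0x12
2024-03-01T10:15:00,tmiller@CORP.LOCAL,svc_sql,10.0.0.77,0x17
2024-03-01T10:15:00,tmiller@CORP.LOCAL,svc_web,10.0.0.77,0x17
2024-03-01T10:15:01,tmiller@CORP.LOCAL,svc_backup,10.0.0.77,0x17
2024-03-01T10:15:01,tmiller@CORP.LOCAL,svc_sccm,10.0.0.77,0x17
2024-03-01T10:15:02,tmiller@CORP.LOCAL,svc_reporting,10.0.0.77,0x17
2024-03-01T10:15:02,tmiller@CORP.LOCAL,svc_exchange,10.0.0.77,0x17
"""


def parse_export(text):
    """Parse the CSV export into dicts, oldest event first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["time"]),
            "account": row["account"],
            "service": row["service"],
            "client": row["client"],
            "etype": int(row["etype"], 16),
        })
    events.sort(key=lambda e: e["time"])  # stable sort: ties keep export order
    return events


def is_roastable_target(service):
    """krbtgt appears in 4769 for TGT renewals and computer accounts ($) have
    long, automatically rotated passwords; neither is worth a roasting alert."""
    return service.lower() != "krbtgt" and not service.endswith("$")


def detect(events, window=WINDOW, threshold=DISTINCT_SPN_THRESHOLD):
    """Return findings for RC4 service tickets and bulk TGS requests.

    rc4_ticket: a ticket for a user SPN was issued with RC4 (etype 0x17); once
                AES is enforced on the account this should never happen.
    bulk_tgs:   one account requested tickets for `threshold` or more distinct
                SPNs inside `window`, the signature of a mass roast.
    """
    findings = []
    recent = defaultdict(deque)   # account -> deque of (time, service)
    already_alerted = set()
    for e in events:
        if not is_roastable_target(e["service"]):
            continue
        if e["etype"] == RC4_HMAC:
            findings.append({"rule": "rc4_ticket", "time": e["time"],
                             "account": e["account"], "service": e["service"],
                             "client": e["client"]})
        q = recent[e["account"]]
        q.append((e["time"], e["service"]))
        while q and e["time"] - q[0][0] > window:   # drop events outside window
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= threshold and e["account"] not in already_alerted:
            already_alerted.add(e["account"])
            findings.append({"rule": "bulk_tgs", "time": e["time"],
                             "account": e["account"], "client": e["client"],
                             "distinct_spns": len(distinct)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

On the constructed data `jdoe` produces nothing (AES ticket for one SPN, computer account and `krbtgt` skipped), while `tmiller` produces six `rc4_ticket` findings and one `bulk_tgs` finding at the fifth distinct SPN. In production, tune the threshold against legitimate multi-SPN clients such as monitoring servers, and key the RC4 rule on accounts whose `msDS-SupportedEncryptionTypes` has already been set to AES-only.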
### Long-term Strategy (3+ months)
1. **Minimize the SPN Footprint:** Conduct a thorough audit to consolidate duplicate SPN-enabled accounts or disable accounts that no longer have a legitimate service function. The goal is to aggressively reduce the total number of credentials needing defense.
2. **Implement Group Managed Service Accounts (gMSAs):** Transition appropriate service accounts to **gMSAs**. Windows generates a 240-byte random password for a gMSA and rotates it automatically (every 30 days by default), so the credential is never known to a human, never reused, and never left unchanged for years, which removes the manual credential management that makes conventional service accounts roastable.
3. **Establish a Tiered Administration Model:** Implement strict administration tiers to ensure that if a service account associated with an SPN is compromised, the attacker cannot easily escalate privileges to achieve domain-wide control.
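The SPN inventory, encryption-type, privilege and consolidation checks from the recommendations above, combined into one audit over a constructed export, as an added example (this is not code from the original page or from Specops). It assumes a JSON export of every SPN-bearing account with the listed attributes, which could be produced from `Get-ADObject -LDAPFilter '(servicePrincipalName=*)'` with `pwdLastSet` converted to a date; the account names, SPNs, dates, the audit date and the 365-day staleness threshold are assumptions for the example. Password length cannot be read from AD, so that check stays with the password policy tooling the page describes.

```python
"""Audit of SPN-bearing accounts for the settings that make them roastable.

Input is a JSON export of every account carrying a servicePrincipalName.  The
export below is constructed for this example; names, SPNs and dates are
fictitious.  Checks: RC4/DES still allowed, membership in privileged groups,
stale human-managed passwords, and the same SPN registered on two accounts.
"""
import json
from datetime import date

# Bits of msDS-SupportedEncryptionTypes.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x01, 0x02, 0x04, 0x08, 0x10
LEGACY = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
AES_ONLY = AES128 | AES256   # 0x18: the value to set on hardened SPN accounts
ETYPE_NAMES = [(DES_CBC_CRC, "DES-CBC-CRC"), (DES_CBC_MD5, "DES-CBC-MD5"),
               (RC4_HMAC, "RC4-HMAC"), (AES128, "AES128"), (AES256, "AES256")]

# Built-in groups whose membership turns a roasted account into domain takeover.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators", "Backup Operators",
                     "Server Operators", "Print Operators"}

AS_OF = date(2024, 3, 1)        # assumed audit date, fixed for reproducibility
MAX_PASSWORD_AGE_DAYS = 365     # assumed threshold for "stale"

SAMPLE_EXPORT = json.dumps([
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": 4, "pwdLastSet": "2019-06-01",
     "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.corp.local", "HTTP/web01"],
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": "2023-11-20",
     "memberOf": []},
    {"sAMAccountName": "svc_web_old", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": 24, "pwdLastSet": "2018-02-14",
     "memberOf": ["Backup Operators"]},
    {"sAMAccountName": "gmsa_sccm$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HOST/sccm01.corp.local"],
     "msDS-SupportedEncryptionTypes": 24, "pwdLastSet": "2024-02-15",
     "memberOf": []},
])


def load_export(text):
    return json.loads(text)


def decode_etypes(value):
    """Names of the encryption types enabled by a msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ETYPE_NAMES if value and value & bit]


def allows_legacy(value):
    """Unset or 0 means the DC default applies, which historically includes RC4."""
    return not value or bool(value & LEGACY)


def audit(accounts, as_of=AS_OF):
    findings, spn_owners = [], {}
    for a in accounts:
        name = a["sAMAccountName"]
        for spn in a["servicePrincipalName"]:
            spn_owners.setdefault(spn.lower(), []).append(name)
        etype = a.get("msDS-SupportedEncryptionTypes")
        if allows_legacy(etype):
            findings.append({"account": name, "check": "weak_etype",
                             "detail": f"msDS-SupportedEncryptionTypes={etype} "
                                       f"({', '.join(decode_etypes(etype)) or 'unset'})",
                             "fix": f"set to {AES_ONLY:#x} and reset the password so AES keys exist"})
        privileged = sorted(PRIVILEGED_GROUPS.intersection(a["memberOf"]))
        if privileged:
            findings.append({"account": name, "check": "privileged_group",
                             "detail": ", ".join(privileged),
                             "fix": "remove from the group; grant only the rights the service needs"})
        if a["objectClass"] != "msDS-GroupManagedServiceAccount":   # gMSA rotates itself
            age = (as_of - date.fromisoformat(a["pwdLastSet"])).days
            if age > MAX_PASSWORD_AGE_DAYS:
                findings.append({"account": name, "check": "stale_password",
                                 "detail": f"password {age} days old",
                                 "fix": "rotate to a unique random 25+ character password or migrate to a gMSA"})
    for spn, owners in spn_owners.items():
        if len(owners) > 1:   # a duplicate SPN also breaks Kerberos auth for that service
            for name in owners:
                others = ", ".join(o for o in owners if o != name)
                findings.append({"account": name, "check": "duplicate_spn",
                                 "detail": f"{spn} also registered on {others}",
                                 "fix": "consolidate onto one account and retire the other"})
    return findings


if __name__ == "__main__":
    for f in audit(load_export(SAMPLE_EXPORT)):
        print(f"{f['account']:<14} {f['check']:<17} {f['detail']}  -> {f['fix']}")
```

On the constructed data `svc_sql` is flagged for RC4, Domain Admins membership and a five-year-old password, `svc_web` for an unset encryption type and a duplicated SPN, `svc_web_old` for the duplicate, Backup Operators membership and a stale password, while the gMSA is clean. Value 0x1C (RC4 plus AES) is also flagged, since an attacker can still request an RC4 ticket for such an account.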
## Implementation Guidance
### For Small Organizations
- Focus all initial efforts on enforcing the **25+ character password policy** immediately for all existing SPN accounts.
- Utilize readily available, read-only audit tools to **scan the AD environment for stale/weak passwords** on service accounts to quickly identify low-hanging fruit attackers might exploit.
- Ensure existing user passwords are being screened against **breached password lists**.
### For Medium Organizations
- Prioritize the **migration away from RC4 towards AES256** encryption across the Kerberos environment.
- Begin the **inventory and consolidation process** to rationalize the number of SPN accounts.
- Implement basic **SIEM alerting** specifically for patterns indicative of SPN enumeration/TGS request spikes.
### For Large Enterprises
- Initiate a widespread deployment of **gMSAs** for new and reconfigured services.
- Formally document and enforce a **Tiered Administration Model** across the entire infrastructure.
- Integrate **specialized password auditing tools** into the regular security change management process to continuously check adherence to the 25-character minimum and check membership in high-privilege groups.
## Configuration Examples
* **Strong Kerberos Encryption:** Configure Domain Controllers to explicitly favor AES-based encryption over RC4. On the DC side this is the Group Policy setting "Network security: Configure encryption types allowed for Kerberos" (under Security Options); on the account side it is the `msDS-SupportedEncryptionTypes` attribute, a bitmask in which 0x4 is RC4, 0x8 is AES128 and 0x10 is AES256, so a hardened SPN account carries 0x18 (AES only) rather than 0x4 or the unset value that falls back to the DC default. Specific defaults vary between Windows Server versions and patch levels, so verify the issued ticket encryption type in event 4769 after the change.
* **Password Policy Enforcement:** Utilize tools like Specops Password Policy to block passwords found in known breach lists (e.g., blocking over 4 billion compromised passwords) and enforce passphrase complexity/length requirements across the domain.
## Compliance Alignment
- **NIST SP 800-53 (AC-2, IA-5, SC-12):** Account management (inventory and least privilege for service accounts), authenticator management (password length, uniqueness and rotation), and cryptographic key establishment and management (AES-only Kerberos keys).
- **CIS Benchmarks for Windows Server/Active Directory:** Addresses secure configuration of domain controllers, Kerberos encryption types, and strong password policies.
- **ISO 27002 (A.9.2, A.12.1):** Relates to user access management (provisioning and limiting privileges) and operational procedures and responsibilities (documented, monitored operation of the service accounts).
## Common Pitfalls to Avoid
- **Treating the initial compromise as the only risk:** Kerberoasting begins with a standard user account compromise; *failing to secure standard user accounts* (via MFA and strong passwords) enables the attack chain.
- **Ignoring non-malware-based attacks:** Assuming antivirus is sufficient. Kerberoasting uses legitimate Kerberos protocol requests and cracks the result offline, so it leaves no malware on the endpoint and bypasses many endpoint detection tools; only the domain controller's Kerberos logs show the reconnaissance.
- **Prioritizing complexity over length for passwords:** Focusing only on complexity metrics (mixed case, symbols) while neglecting the length requirement (25+ characters) that actually puts a captured ticket beyond the reach of current cracking hardware.
## Resources
- **Tool for Auditing Weak Passwords/SPNs:** Read-only tools designed to audit AD environments for weak/reused passwords and service account visibility.
- **Tool for Policy Enforcement:** Solutions to continuously enforce strong passphrase creation and scan passwords against lists of known compromised credentials.
- **Microsoft Documentation on gMSAs:** Official guidance on deploying Group Managed Service Accounts for automated password management.