9Mar
What is a secure way to log onto the domain controller?
On a pentest we found that a Kerberos ticket under the account name Administrator was cached on one of the SQL database servers, which allowed us to steal the ticket, pass-the-ticket and log onto the domain controller. The logon type was RemoteInteractive, which suggests that a user from SQLDB01 made an RDP session to DC01. In terms of recommendations, I believe Restricted Admin mode does not protect against this attack, as this protection just forces the Kerberos ticket to default.
- What other recommendations are there?
- Use Credential Guard to protect against dumping of Kerberos tickets (?)
- What is the correct/secure way to log onto the DC? I assume a jumpbox?
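As an added example (not part of the original post), the detection side of the jumpbox recommendation: a script that scans Windows Security event 4624 records collected from a domain controller and flags RemoteInteractive logons (logon type 10, i.e. RDP) whose source workstation is not an approved jump host, and any interactive use of the built-in Administrator account on the DC. The event records are constructed samples; the host names DC01, SQLDB01 and PAW01 and the jump-host allowlist are assumptions for illustration. Field names mirror the 4624 event (TargetUserName, WorkstationName, IpAddress, LogonType).

```python
from dataclasses import dataclass

# LogonType value recorded in event 4624 for RDP / Terminal Services sessions.
REMOTE_INTERACTIVE = 10

# Assumed policy: only these workstations may open an RDP session to a domain controller.
APPROVED_JUMP_HOSTS = {"PAW01"}


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    logon_type: int
    target_user: str   # TargetUserName
    workstation: str   # WorkstationName as reported by the client
    ip_address: str    # IpAddress
    computer: str      # host whose Security log holds the record


# Constructed sample records shaped like entries pulled from DC01's Security log.
SAMPLE_EVENTS = [
    LogonEvent(4624, 10, "Administrator", "SQLDB01", "10.0.0.25", "DC01"),  # RDP from a DB server
    LogonEvent(4624, 10, "jdoe-da", "PAW01", "10.0.0.10", "DC01"),          # RDP from the jump host
    LogonEvent(4624, 3, "SQLDB01$", "SQLDB01", "10.0.0.25", "DC01"),        # network logon, not RDP
    LogonEvent(4624, 10, "Administrator", "PAW01", "10.0.0.10", "DC01"),    # built-in admin over RDP
    LogonEvent(4634, 10, "Administrator", "SQLDB01", "10.0.0.25", "DC01"),  # logoff, ignored
]


def suspicious_dc_rdp_logons(events, approved=APPROVED_JUMP_HOSTS):
    """Return (event, reasons) pairs for successful RDP logons on a DC that break policy."""
    findings = []
    for ev in events:
        # Only successful logons (4624) of type RemoteInteractive are of interest here.
        if ev.event_id != 4624 or ev.logon_type != REMOTE_INTERACTIVE:
            continue
        reasons = []
        if ev.workstation.upper() not in {h.upper() for h in approved}:
            reasons.append(f"RDP source {ev.workstation} is not an approved jump host")
        if ev.target_user.lower() == "administrator":
            reasons.append("built-in Administrator used interactively on a DC")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in suspicious_dc_rdp_logons(SAMPLE_EVENTS):
        print(f"{ev.computer}: {ev.target_user} from {ev.workstation} ({ev.ip_address})")
        for r in reasons:
            print(f"  - {r}")
```

In practice the records would come from the DC's Security log (for example the output of Get-WinEvent filtered on event ID 4624) or from a SIEM, and the allowlist should match what is enforced on the DCs with the "Allow log on through Remote Desktop Services" user right, so that an RDP session from a server such as SQLDB01 is both blocked and, if attempted, visible.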