STEALTHbits’ products provide a multitude of ways to detect, prevent, and mitigate NTDS.dit Password Extraction.
The best detection is to look for unexpected access events on the NTDS.dit file.
APPROACH: NTDS.dit File Access
DESCRIPTION: Monitor for access to the NTDS.dit file in the following ways:
PRODUCT: StealthDEFEND
In order to prevent malicious access to the NTDS.dit file, you can implement blocking rules.
APPROACH: NTDS.dit File Access Blocking
DESCRIPTION: Block access to the NTDS.dit file both through Volume Shadow Copies and directly on the file system. This ensures that even an attacker who holds full admin rights and stops Active Directory to unlock the file cannot read it directly.
PRODUCT: StealthINTERCEPT
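As an added illustration of the file-access detection described above (not STEALTHbits code), the following Python filters constructed Windows Security 4663 object-access records for reads of ntds.dit, treats the directory service host lsass.exe as the only expected reader, and tags reads that go through a Volume Shadow Copy device path. The compact "key=value;" record format and every sample value are constructed; real 4663 events only appear if a SACL auditing read access has been set on the file.

```python
import re
from dataclasses import dataclass

# Constructed sample records standing in for the fields of Security event 4663.
SAMPLE_EVENTS = [
    "EventID=4663; Account=DC01$; Process=C:\\Windows\\System32\\lsass.exe; Object=C:\\Windows\\NTDS\\ntds.dit; Access=ReadData",
    "EventID=4663; Account=CONTOSO\\jdoe; Process=C:\\Windows\\System32\\ntdsutil.exe; Object=C:\\Windows\\NTDS\\ntds.dit; Access=ReadData",
    "EventID=4663; Account=CONTOSO\\svc-backup; Process=C:\\Tools\\copy.exe; Object=\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit; Access=ReadData",
    "EventID=4663; Account=CONTOSO\\jdoe; Process=C:\\Windows\\explorer.exe; Object=C:\\Users\\jdoe\\notes.txt; Access=ReadData",
    "EventID=4624; Account=CONTOSO\\jdoe; LogonType=3",
]

# On a domain controller only lsass.exe (which hosts the directory service) should hold the live database open.
EXPECTED_PROCESSES = {r"c:\windows\system32\lsass.exe"}
# A shadow copy read shows up with a device path instead of a drive letter.
SHADOW_COPY_RE = re.compile(r"harddiskvolumeshadowcopy\d+", re.IGNORECASE)


@dataclass
class Alert:
    account: str
    process: str
    path: str
    via_shadow_copy: bool


def parse_event(line: str) -> dict:
    """Split a constructed 'k=v; k=v' record into a dict (not the raw EVTX layout)."""
    return dict(part.strip().split("=", 1) for part in line.split(";") if "=" in part)


def detect_ntds_access(lines):
    """Return one Alert per 4663 record where ntds.dit is read by an unexpected process."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4663":
            continue
        path = ev.get("Object", "")
        if not path.lower().endswith("\\ntds.dit"):
            continue
        process = ev.get("Process", "")
        if process.lower() in EXPECTED_PROCESSES:
            continue  # normal directory service activity
        alerts.append(Alert(ev.get("Account", "?"), process, path, bool(SHADOW_COPY_RE.search(path))))
    return alerts


if __name__ == "__main__":
    for a in detect_ntds_access(SAMPLE_EVENTS):
        tag = " (via shadow copy)" if a.via_shadow_copy else ""
        print(f"ALERT: {a.account} read {a.path} using {a.process}{tag}")
```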
The best way to protect against attacks leveraging the NTDS.dit file is to tightly control the administrative groups that provide access to your domain controllers.
APPROACH: DC Logon Groups
DESCRIPTION: Review all domain groups that grant logon rights to domain controllers (e.g. Domain Admins, Server Operators), since members of these groups can reach the NTDS.dit file on the domain controller's file system. Perform these reviews regularly and remove unnecessary members.
PRODUCT: StealthAUDIT