STEALTHbits’ products provide a multitude of ways to detect, prevent, and mitigate NTDS.dit Password Extraction.
The best detection is to look for unexpected access events on the NTDS.dit file.
NTDS.dit File Access
Monitor for access to the NTDS.dit file in the following ways:
In order to prevent malicious access to the NTDS.dit file, you can implement blocking rules.
NTDS.dit File Access Blocking
Block access to the NTDS.dit file both through Volume Shadow Copies and through direct access on the file system. This ensures that even an attacker who holds full administrative rights and stops Active Directory to unlock the file cannot read it directly.
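As an added illustration of the detection described above (example code, not STEALTHbits' product logic): a small Python filter over constructed Windows Security event 4663 (object access) records that flags any NTDS.dit access not made by lsass.exe on the domain controller, including reads through a Volume Shadow Copy device path. It assumes file-system auditing (a SACL on NTDS.dit) is already enabled so that such events exist; the backup agent path and user names are made up.

```python
import re

# On a domain controller only lsass.exe is expected to hold the live
# NTDS.dit open; any other process touching it deserves a look.
EXPECTED_PROCESS = r"c:\windows\system32\lsass.exe"

# Matches the file name at the end of any path: the live database or a copy
# exposed through a shadow-copy device path (\Device\HarddiskVolumeShadowCopyN\...).
NTDS_FILE = re.compile(r"(?:^|\\)ntds\.dit$", re.IGNORECASE)

def is_ntds_access(object_name: str) -> bool:
    """True when an object-access record names the NTDS.dit file."""
    return NTDS_FILE.search(object_name.strip()) is not None

def via_shadow_copy(object_name: str) -> bool:
    """True when the path goes through a Volume Shadow Copy device."""
    return "harddiskvolumeshadowcopy" in object_name.lower()

def find_unexpected(events: list) -> list:
    """Return NTDS.dit accesses (event 4663) not made by lsass.exe."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4663 or not is_ntds_access(ev["ObjectName"]):
            continue
        if ev["ProcessName"].lower() == EXPECTED_PROCESS:
            continue  # normal directory-service activity
        findings.append({"subject": ev["SubjectUserName"],
                         "process": ev["ProcessName"],
                         "path": ev["ObjectName"],
                         "shadow_copy": via_shadow_copy(ev["ObjectName"])})
    return findings

# Constructed sample records shaped like Windows Security event 4663 fields
# (assumes a SACL on NTDS.dit so that such events are generated at all).
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "DC01$", "ObjectName": r"C:\Windows\NTDS\ntds.dit",
     "ProcessName": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 4663, "SubjectUserName": "svc-backup",
     "ObjectName": r"\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit",
     "ProcessName": r"C:\Program Files\BackupAgent\agent.exe"},  # hypothetical tool
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectName": r"C:\Windows\NTDS\ntds.dit",
     "ProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4663, "SubjectUserName": "DC01$", "ObjectName": r"C:\Windows\NTDS\edb.log",
     "ProcessName": r"C:\Windows\System32\lsass.exe"},
]

if __name__ == "__main__":
    for finding in find_unexpected(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the accessing process alone is not proof of intent; treat each finding as a lead to correlate with who the subject is and whether a backup job was scheduled.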
The best way to protect against attacks leveraging the NTDS.dit file is to tightly control the administrative groups that provide access to your domain controllers.
DC Logon Groups
Regularly review all domain groups that grant logon rights to domain controllers (e.g. Domain Admins, Server Operators), since members of these groups can reach the NTDS.dit file on the domain controller's file system, and remove any members who do not need that access.