Active Directory (AD) Security
What is Active Directory Security?
Active Directory (AD) is prevalent among enterprises and small to medium businesses that use Windows devices because AD is a key component of the operating system’s architecture. It enables IT teams to exercise more control over access and security, serving as a centralized, standard system that enables system administrators to automatically manage their domains, account users, and devices (computers, printers, etc.) in their networks.
Active Directory also provides several functions: storing centralized data, managing communication between domains, and implementing secure certificates.
Active Directory security gives system administrators a means to successfully control passwords and access levels to manage various groups within their systems. Therefore, active directory security should help support user efforts to securely access resources across the network without impacting their ability to perform tasks and do their jobs.
Because Active Directory plays a key role in user access and security for many organizations, poor management practices and AD misconfigurations can allow attackers to access critical systems and deploy malicious payloads. A ransomware attack, for example, can paralyze a business, resulting in substantial financial losses and damaging public disclosure of sensitive data. Thus, for most businesses, Active Directory security that is particularly focused on privileged access must be a top priority. Should an attacker gain access to a domain admin account, the outcome could be catastrophic.
Active Directory Security and Hardening
What are the major Active Directory security risks?
Attackers focusing on Active Directory vulnerabilities call on various hacking techniques that exploit poor access management, misconfigurations, and unpatched systems.
Some of the more common causes of AD security incidents are:
Domain Users with local admin privileges
Placing Domain Users into a Local Administrator Group is a typical mistake in AD security. Suppose an attacker does not possess local admin rights in a system that was initially compromised. In that case, they can quickly attempt to discover misconfigurations and readily identify any networked systems with Domain Users in Local Administrator Groups. Their goal is to elevate credentials from Domain User to a local admin and roam the network undetected. Any attacker logging on to a Windows endpoint as a local administrator could easily leverage that compromised account as a staging system for making network changes, elevating privileges to full domain admin status, as well as disabling security settings.
Weak and reused passwords
As more businesses than ever before rely on remote access, attackers work overtime to exploit weak or reused passwords. Far too many organizations depend on passwords as the only security control protecting their privileged accounts and access. Weak or reused passwords are an open invitation for exploitation through a variety of techniques, including:
Brute force attacks
Your endpoints are being scanned by cybercriminals right now looking for Remote Desktop Protocol Enabled using various scanning tools such as Masscan or Nmap to discover systems with port 3389 open. Using proven tools like Crowbar, they launch brute-force attacks on weak credentials. When users unthinkingly reuse passwords for their Active Directory accounts, they compound the danger of any compromise. A data breach, for example, could expose passwords for millions of accounts, giving cybercriminals ready access to identities that can be used to search for other accounts using the same password.
Overuse of Domain Accounts
Systems administrators in AD environments have gotten into some questionable habits using domain admin accounts for just about everything. That means using them for service accounts, remote access into systems, or allowing automated scheduled tasks to run backups and other types of network management. This makes their lives easier in the short term, but it provides multiple opportunities for attackers to exploit. That’s because they can easily elevate from a local administrator account to gain full domain Admin rights.
A malicious intruder who possesses local admin privileges can use that system as a staging point to make small changes and then wait for the domain admin to make a common mistake when he or she logs on to a system where the attacker has local admin rights. The attacker can then modify the registry on a compromised system to keep a cached credential in memory in cleartext.
All the attacker has to do is wait and remotely access the staging system periodically to see if the domain admin left a footprint of the password that could be extracted in cleartext. Possessing local admin rights, the attacker can then disable security on the compromised staging system, run a mimikatz tool as a privileged user, and be able to extract the domain admin password in cleartext.
Overprivileged Service Accounts
Services Accounts are a favorite target for attackers since they are too often unmanaged and contain overprivileged permissions. In many cases, organizations create and configure their service accounts with elevated domain privileges to assure ready access to resources necessary for accomplishing their tasks. This makes service accounts especially vulnerable.
Active Directory security best practices
As a critical component for managing user access control and security, IT teams need to understand Active Directory security best practices.
Know who is using what – You need to determine which employees have access and permissions to specific resources. Since most users don’t need a high level of domain access, you should consider a “least privilege” strategy that enforces an AD security policy of granting only the minimum level of user permissions necessary to complete assigned tasks. In this way, you can limit the spread of potential risks, especially if a user account is compromised. It is not uncommon for a compromised account to unsuspectingly spread a hidden virus to the entire domain since the virus would have administrative access. Using a non- or limited-privileged account, however, would contain the damage locally.
Here's a brief Active Directory security assessment checklist
- Remove default permissions - AD assigns default permissions and rights to basic security groups, such as Account Operators. But these may not be appropriate for each user. By examining and customizing permissions, you can prevent attackers from easily exploiting default settings.
- Make timely patching mandatory - Patches are essential for resolving security vulnerabilities and improving software usability and performance. Yet lax patch management is a favorite exploit for attackers to malicious code.
- Never add Domain Users to the Local Administrator Group – You have to be ever vigilant in discovering this misconfiguration of AD security. If a Domain User temporarily requires local administrator privileges, you should have an Active Directory security policy that helps enforce the principle of least privilege. There are endpoint privilege security solutions that will elevate privileges on demand without the user needing to be a local administrator. If you have to add a user to the local admin group, this should only be temporary with a defined expiration date.
- Always use strong passwords - Strong passwords are an absolute must to assure Active Directory protection. That means using a Privileged Access Management solution that automatically creates strong passphrases, so employees don’t have to worry about or manage strong passwords.
- Safeguard RDPE - Remote Desk Protocol Enabled should never be directly exposed to the public internet without adding multi-factor authentication and privileged access security controls. Your Active Directory security audit should monitor for brute-force attempts and scanning attacks regularly.
- Limit Local Admin privileges - Prevent overprivileged users from obtaining local administrator privileges on your systems. Use endpoint application control to help prevent unauthorized applications such as Mimikatz from running even if the attacker gains local admin privileges. Audit your AD security environment for the registry settings that allow an attacker to extract passwords in cleartext.
More AD Security Resources: