At its core, Active Directory domain services (AD DS) is a structured data store of objects in the domain controller. It is a directory service from Microsoft for identity management and access control in Windows domain networks. Active Directory can authenticate users, groups, services and computers to protected information. In addition to that, AD DS also helps to implement security policies and permissions. AD DS enforces them for all computers in your network.
AD DS helps in the centralized management of accounts from the domain controller. A major advantage of the global catalog of AD DS is that stored objects are easily searchable. The logical and hierarchical nature of objects is dictated by the schema, which defines objects and attributes. Due to the multiple benefits of AD DS, it has become ubiquitous for authentication and authorization in organizations of all sizes.
As AD DS is critical in the everyday operation of your business, you must ensure that it's well protected. Security loopholes will allow cybercriminals and hackers to gain access to secure personal data, which they can use for various nefarious purposes. So, hardening AD DS is something you need to seriously think about. This article will help you get started on your AD DS security through the following topics:
- What is Active Directory security?
- Why is there a need for Active Directory security?
- What are the security vulnerabilities in Active Directory?
- What are the best practices for Active Directory security?
Why Active Directory security?
Ensuring the identity of users and devices accessing data on your network is an important IT function of your business. Your stakeholders must have secure access to the resources required to perform their duties. The various stakeholders include regular employees, temporary contractors, suppliers, vendors and clients. As your organization grows, the number and diversity of stakeholders grows with it. Multiple domain controllers and multi-forest configurations add to this complexity as well. The identity requirements get more complicated in parallel.
Microsoft Active Directory is the most widely used platform for identity management. But AD DS is a legacy technology that was not designed to withstand modern cyberattacks. This makes it vulnerable to attacks like the following:
In a study conducted by Semperis, 97 percent of organizations cited AD DS as mission critical for their business. Eighty-four percent of the respondents said an Active Directory outage could have a catastrophic impact on their business. This is a serious problem as cybercriminal attacks have a 40 percent rate of success on Active Directory.
Digital transformation and the exponential rise in remote work have also made cybersecurity problems worse. These changes have reduced visibility, increased the attack surface, and created identity silos. An attack that starts at one point in Active Directory can propagate into connected cloud services, and the cybercriminal could gain a golden ticket to access your infrastructure.
According to Crowdstrike, eight out of ten data breaches are identity-driven. Attackers can move laterally within the organization, undetected for a long period of time. The attacker exploits misconfigurations and access privileges to increase attack efficacy.
Since the credential in such attacks is valid, it is extremely difficult to identify. Breaches with stolen credentials can take an average of 250 days to detect and an additional 91 days to contain, according to the Cost of a Data Breach 2021 report by the IBM-Ponemon Institute. Your organization should not fall prey to such an attack due to poor Active Directory hygiene. You should take every opportunity to identify the security vulnerabilities in your AD DS configuration and beef up your security before you fall prey to an attack.
Active Directory vulnerabilities
Cyberattacks using stolen credentials typically have five steps:
- Attackers obtain already-compromised credentials or run brute-force attacks to compromise user credentials. This stage is characterized by a large number of failed logins followed by a successful one, a login at an unusual time, or a login from a suspicious system.
- Attackers move laterally across AD to gain widespread access. This is identified by logins to multiple accounts from the same IP address.
- Attackers obtain advanced privileges by being part of privileged groups.
- Backdoor accounts are created in AD with privileged access.
- The next step is data exfiltration, where all passwords and user PII data are harvested.
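The detection indicators listed for the first two steps (a burst of failed logons followed by a success, a logon at an unusual hour, and one source address logging on to many accounts) can be checked mechanically. The following is an added example, not code from the original article: it runs those three rules over constructed Windows Security log records (event ID 4625 for a failed logon, 4624 for a successful one); the thresholds and working hours are assumptions you would tune to your environment.

```python
# Added example (not from the original article): detection logic for the
# credential-attack indicators described above, run over constructed
# Windows Security log records (event 4625 = failed logon, 4624 = success).
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, event_id, account, source_ip)
EVENTS = [
    ("2024-03-04T02:10:00", 4625, "jdoe", "10.0.0.55"),
    ("2024-03-04T02:10:05", 4625, "jdoe", "10.0.0.55"),
    ("2024-03-04T02:10:09", 4625, "jdoe", "10.0.0.55"),
    ("2024-03-04T02:10:14", 4625, "jdoe", "10.0.0.55"),
    ("2024-03-04T02:10:20", 4624, "jdoe", "10.0.0.55"),
    ("2024-03-04T02:15:00", 4624, "svc_backup", "10.0.0.55"),
    ("2024-03-04T02:16:00", 4624, "asmith", "10.0.0.55"),
    ("2024-03-04T09:00:00", 4624, "bjones", "10.0.0.21"),
]

def detect(events, fail_threshold=3, work_hours=(7, 19), ip_account_threshold=3):
    """Return a list of (rule, subject) findings for the three indicators.

    Thresholds are assumed values; tune them to your own baseline.
    """
    findings = []
    fails = defaultdict(int)          # account -> failures since last success
    ip_accounts = defaultdict(set)    # source ip -> accounts it logged on to
    for ts, eid, account, ip in sorted(events):   # ISO timestamps sort correctly
        if eid == 4625:
            fails[account] += 1
            continue
        if eid != 4624:
            continue
        # Rule 1: burst of failures followed by a success (guessing / brute force)
        if fails[account] >= fail_threshold:
            findings.append(("brute_force_then_success", account))
        fails[account] = 0
        # Rule 2: successful logon outside the assumed working hours
        hour = datetime.fromisoformat(ts).hour
        if not (work_hours[0] <= hour < work_hours[1]):
            findings.append(("off_hours_logon", account))
        # Rule 3: one source address reaching many accounts (lateral movement)
        ip_accounts[ip].add(account)
        if len(ip_accounts[ip]) == ip_account_threshold:
            findings.append(("multi_account_source", ip))
    return findings
```

In practice the same rules run over events forwarded from every domain controller, since a spray spread across several DCs will not reach the threshold on any single one.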
Some common vulnerabilities attackers exploit to gain credentials are discussed in the following sections.
Sloppy password practices are one of the most common vulnerabilities in all organizations. The use of simple, easy-to-guess passwords is a huge problem. Some organizations still have passwords that were created many years ago. These passwords could have been shared among various employees, and some of those might have left the organization. Such sloppy practices make it easy for cybercriminals to access systems with valid credentials.
Service accounts represent nonhuman users that perform some tasks in the system. Service accounts commonly have very old passwords as the service has to be offline to change the password. Some organizations still have services that are no longer used. This eats up resources and opens up another attack vector.
Service accounts generally have a lot of additional permissions that are not required for their operations. They also often have unconstrained delegation enabled, meaning they can impersonate any account. This helps cybercriminals impersonate another account and elevate privileges.
While administrators create new roles, it can take considerable time and effort to identify the access and permissions required for each. Thus, some end up settling with access that is much broader than necessary. This means users can access systems, services and data they do not need access to. An attacker using a compromised account with broad access can exfiltrate more data and also easily move laterally within the organization.
Lack of visibility
Administrators in many organizations do not have information on different events in AD servers. For example, if the administrator has real-time visibility into failed login attempts, anomalous login attempts can be detected. This helps the admin take the necessary steps to prevent an attack in real time. Such information can also be used for improving security protocols.
The vulnerabilities mentioned in the previous section can be exploited by attackers to compromise your systems. Most of the vulnerabilities can be easily fixed. Common attacks can be thwarted by following some best practices to manage Active Directory.
As discussed in a previous section, using default settings is a common vulnerability observed in organizations. You should change the default settings and passwords as the very first step in using any system. This goes beyond use in Active Directory and is good practice in general. For AD DS, group policy objects are the settings that manage operations, control security and auditing. Some group policies that you need to change to prevent security breaches include the following:
- Moderating access to command prompt and control panel
- Disabling guest accounts and forced system restarts
- Preventing storage of password hashes by Windows
- Setting password hygiene measures such as minimum password length, maximum password age, etc.
- Disabling removable media devices such as pen drives, DVD, CD, etc.
Better password practices
Implementing better password practices goes a long way in securing your systems. The following are some good password practices your organization should be following:
- Ditch passwords and use passwordless authentication.
- Use longer passwords that are easy to remember but difficult to guess.
- Use unique passwords for each account. You should not be using the same password for different accounts, even if it is a complex one.
- Enforce password best practices by using a password policy.
- Change passwords at regular intervals.
- Change passwords when a user leaves the organization.
These simple password practices will hugely reduce the chance of leaked credentials. Brute-force attacks are much more difficult with strong password practices. Passwordless access systems are gaining prominence due to the difficulty in enforcing secure password practices.
Multi-factor authentication (MFA) adds a layer of security to user accounts. The probability of breaching an account with MFA is significantly less than an account with just a password. MFA can be implemented with authenticator applications, text-based OTPs and hardware authentication.
Users should have access only to services they need to accomplish the task at hand. Each user role should not have more access than required. This is referred to as "least-privilege administration." It helps to contain the damage in the event of a breach. The first step towards taming the privilege problem is identifying accounts and groups that have built-in privileges in Active Directory. Privileged local accounts on workstations and member servers also need to be identified.
You must take steps to secure these accounts and ensure they are not in regular use. Accounts with built-in privileges such as domain admins should not be used as service accounts on member servers and should not be used to log on to local computers. You should also configure group policy objects to restrict administrator accounts of domain-joined systems.
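The service-account problems described earlier (stale passwords, unused services, unconstrained delegation) and the least-privilege rule above (built-in privileged accounts must not double as service accounts) can be checked from the attributes AD already stores. The following is an added example, not code from the original article: it audits a constructed export of user attributes of the kind an LDAP query or Get-ADUser returns; the attribute names, the privileged-group list and the age thresholds are assumptions.

```python
# Added example (not from the original article): a service-account hygiene
# and least-privilege audit over a constructed export of AD user attributes.
from datetime import date

# userAccountControl bits, values as documented by Microsoft
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation

# Assumed set of built-in privileged groups to check membership against
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Constructed sample accounts (only the attributes the checks use)
ACCOUNTS = [
    {"sam": "svc_sql", "spn": ["MSSQLSvc/db01.corp.example:1433"],
     "uac": ADS_UF_NORMAL_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION,
     "pwdLastSet": date(2016, 5, 1), "lastLogon": date(2024, 3, 1), "memberOf": ["Domain Admins"]},
    {"sam": "svc_legacy", "spn": ["HTTP/old-app.corp.example"], "uac": ADS_UF_NORMAL_ACCOUNT,
     "pwdLastSet": date(2018, 1, 1), "lastLogon": date(2021, 1, 1), "memberOf": []},
    {"sam": "jdoe", "spn": [], "uac": ADS_UF_NORMAL_ACCOUNT,
     "pwdLastSet": date(2024, 1, 15), "lastLogon": date(2024, 3, 3), "memberOf": ["Domain Users"]},
]

def audit(accounts, today=date(2024, 3, 4), max_pwd_age_days=365, stale_days=180):
    """Return (sAMAccountName, finding) pairs; thresholds are assumed policy values."""
    findings = []
    for a in accounts:
        if a["uac"] & ADS_UF_ACCOUNTDISABLE:
            continue                                  # disabled accounts are out of scope
        is_service = bool(a["spn"])                   # a registered SPN marks a service account
        privileged = PRIVILEGED_GROUPS & set(a["memberOf"])
        if is_service and (today - a["pwdLastSet"]).days > max_pwd_age_days:
            findings.append((a["sam"], "service account password older than policy"))
        if a["uac"] & ADS_UF_TRUSTED_FOR_DELEGATION:
            findings.append((a["sam"], "unconstrained delegation enabled"))
        if is_service and privileged:
            findings.append((a["sam"], "service account in privileged group: " + ", ".join(sorted(privileged))))
        if is_service and (today - a["lastLogon"]).days > stale_days:
            findings.append((a["sam"], "service account unused; candidate for removal"))
    return findings
```

A real run would also resolve nested group membership, since an account can be a domain admin through a chain of groups without "Domain Admins" appearing in its own memberOf.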
Secure your domain controller
The domain controller provides physical storage for data in Active Directory. Cybercriminals gaining access to domain controllers can corrupt stored information. This can be mitigated by better physical security and hardening your domain controllers against software-based attacks. You can use managed Active Directory services like Azure AD to set up and secure your domains and forests. Managed AD services also help to organize and manage group policies, backup and recovery. Using managed AD services lets you use existing credentials to access services and applications connected to the managed domain without compromising usability and security.
Software and systems should be regularly updated to receive the latest security patches. You should enable automatic updates so that patches are applied as soon as they are available. Operating systems and software that are no longer supported by developers or publishers should be replaced as soon as possible.
Regular auditing and monitoring
You should perform regular auditing of users, roles, groups, access, admin accounts and policies. The results of audits should be reviewed and assessed for any new changes required. This helps you stay on top of the security requirements of your systems. In addition, you should also set up dashboards to monitor the events happening in real time. This improves visibility into your system and helps you to prevent attacks.
In most common cyberattacks, the criminal gains unauthorized access to a workstation and moves laterally within the organization. Manipulating Active Directory is a potent way to gain more access and authorization within the digital infrastructure. When you detect unauthorized access at a workstation, you should immediately isolate the system and cut off its access to Active Directory. This will thwart any attempts to move laterally within the organization. This is another reason not to use privileged accounts on workstations, as they can be used to manipulate AD.
You should automate many processes to make AD management streamlined and easy. For example, when a user is assigned to a new department, the user roles and permissions should automatically be updated. You need to look for similar avenues to automate the processes in Active Directory.
Active Directory: security tools
The security of Active Directory is critical in maintaining the data integrity of your digital infrastructure. You have various tools at your disposal to manage the security of your Active Directory setup. These tools can be segregated into three broad categories.
Active Directory protection tools
Security tools that focus on enforcing security practices for Active Directory fall in this category. These tools have features to block access to AD, prevent AD changes that try to bypass security standards, unearth dangerous permissions, etc. Some of the prominent tools in the market to protect AD are as follows:
Active Directory monitoring and management tools
Regular monitoring of Active Directory helps managers have an eagle-eye view of the AD environment. Regular reporting is also an important part of AD tools for monitoring and management. Most AD management tools have features to automate various AD processes. Some of the popular tools to monitor and manage AD environments are the following:
Active Directory auditing tools
AD auditing tools investigate users, groups, units, activity, policies, and settings for security loopholes. Such tools help to identify vulnerabilities in the AD environment and secure it. The following are some common AD auditing tools in the market:
- Netwrix Auditor for Active Directory
- Lepide Data Security Platform
- Ossisto Active Directory IT Health & Risk Scanner
- Teleport Audit Log
Active Directory is a popular directory service from Microsoft. It helps to manage user and device access to your IT infrastructure. But sloppy practices in the use and management of Active Directory introduce different vulnerabilities that cybercriminals can exploit. The danger of Active Directory exploits is that when cybercriminals access your systems, they use valid credentials and appear as if they are legitimate users. AD security is of paramount importance to protect the infrastructure of your organization and prevent data exfiltration. This article explored some common vulnerabilities and best practices to thwart AD attacks. It comes down to commonsense actions performed with consistency and without fail.
At Teleport we worked extensively with Active Directory when creating Teleport Desktop Access Protocol, which allows you to access your Windows desktops and servers without passwords. Providing centralized access management for Windows Servers, the implementation uses x509 certificates and a virtual smart card interface to provide access to your Windows desktops and servers.