Microsoft’s Active Directory (AD) is a directory service that centralizes the management of users and other objects within an enterprise network. It is primarily used to authenticate and authorize objects in a Windows domain. With 90% of organizations worldwide utilizing AD, it has become a prime target for cybercriminals, as its compromise facilitates the cyber kill chain process. Compromising AD security can give attackers access to all connected systems, data, user accounts, applications, and more. This often results in catastrophic consequences for the organization.
The threats to AD security can be classified into system vulnerabilities and user-related threats.
- AD system vulnerabilities: AD is susceptible to ticket-stealing and replay attacks like Pass the Ticket, Pass the Hash, Golden Ticket and Silver Ticket. This is because AD still uses the flawed Kerberos authentication scheme. AD also supports NTLM encryption, which is very weak by today’s standards. AD is vulnerable to brute force attacks as well.
- AD user-related threats: Social engineering attacks like phishing and its more targeted variant, spear phishing, are often used against AD users to gain access with stolen credentials. This is the most common way AD security is compromised. Excessive permissions also pose a common threat to AD security: users can carelessly or maliciously wreak havoc on resources they should never have been able to access in the first place.
Organizations must ensure AD security, as a compromise fundamentally subverts the integrity of the enterprise identity management system. Best practices to mitigate AD security threats and risks include:
- Documenting your AD: All devices, user accounts, domain, and organizational unit naming conventions must be properly identified and documented. Details like the organizational unit hierarchy, DNS configuration, DHCP configuration, and network numbering conventions should be recorded. The policy for user restrictions and adding/revoking user accounts must be documented as well. Knowing everything about the AD is essential to securing it.
- Educating users and enforcing safe practices: Cybercriminals continually target users because they are the weak link in a cybersecurity defense plan. Users should be trained to recognize security threats and must be able to notify the security team if they suspect their account has been compromised. Users must also be prevented from making administrative changes on their devices. A good password policy must be enforced throughout the organization. It is also good practice to provide administrators with two accounts: one for standard, day-to-day actions and the other for administrative functions only. Administrative accounts should be limited to their assigned systems so that no single admin account can open all the “doors.”
- Securing the domain controller: The security team should configure the enterprise network so that the domain controllers can only be accessed from a hardened computer that is not connected to the internet. This reduces the risk of outside intrusion and lateral movement onto the domain controller, as well as privilege escalation attacks by insider threats.
- Implementing the principle of least privilege: The principle of least privilege prescribes that each user account be granted only the minimum set of permissions required for its job. This limits the data theft or system damage possible should any single account be compromised.
- Actively monitoring your AD for compromise: This practice is crucial to ensuring AD security. Changes to AD objects like organizational units and group policy objects, login requests, file activity and user behavior should all be tracked and analyzed to detect unusual activity.
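As an added illustration of the monitoring point above (example code, not part of the original article), the following Python detector runs two simple rules over exported Windows Security events: a burst of failed logons (event ID 4625) followed by a success (4624) from the same account and source, which is the signature of the brute force attacks mentioned earlier, and any addition to a privileged group (4728/4732). The event records, threshold and group list are constructed assumptions; in practice the records would come from a SIEM or the domain controllers’ Security logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs used by the rules below:
# 4625 = failed logon, 4624 = successful logon,
# 4728 / 4732 = member added to a security-enabled global / local group.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample events (not real telemetry): three failures then a success
# for one account from one host, a lone failure elsewhere, and a Domain Admins add.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T08:00:00", "id": 4625, "account": "jdoe", "src": "10.0.0.5"},
    {"time": "2024-01-10T08:00:10", "id": 4625, "account": "jdoe", "src": "10.0.0.5"},
    {"time": "2024-01-10T08:00:20", "id": 4625, "account": "jdoe", "src": "10.0.0.5"},
    {"time": "2024-01-10T08:01:00", "id": 4624, "account": "jdoe", "src": "10.0.0.5"},
    {"time": "2024-01-10T09:00:00", "id": 4625, "account": "asmith", "src": "10.0.0.9"},
    {"time": "2024-01-10T09:30:00", "id": 4728, "account": "jdoe", "src": "10.0.0.5",
     "group": "Domain Admins", "member": "svc-backup"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def detect_bruteforce(events, threshold=3, window=timedelta(minutes=10)):
    """Flag (account, source) pairs with >= threshold failed logons inside
    `window` that are then followed by a successful logon from that source."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=_ts):
        key = (e["account"], e["src"])
        if e["id"] == 4625:
            failures[key].append(_ts(e))
        elif e["id"] == 4624:
            recent = [t for t in failures[key] if _ts(e) - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "account": e["account"],
                               "src": e["src"], "failures": len(recent), "time": e["time"]})
            failures[key].clear()  # a success resets the counter for this pair
    return alerts

def detect_privileged_group_changes(events, watched=PRIVILEGED_GROUPS):
    """Flag additions to privileged groups; these should be rare and change-controlled."""
    return [{"rule": "privileged_group_add", "group": e["group"], "member": e["member"],
             "by": e["account"], "time": e["time"]}
            for e in events if e["id"] in (4728, 4732) and e.get("group") in watched]

def run_detections(events=SAMPLE_EVENTS):
    """Run every rule and return the combined alert list."""
    return detect_bruteforce(events) + detect_privileged_group_changes(events)
```

The single failure for `asmith` stays below the threshold and produces nothing, which is the kind of noise a threshold plus time window is there to suppress.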