Essential Active Directory Security DefensesLock Down Directory Management Environment to Block Abuse by Hackers
(This is part two of a two-part series.)
See Also: Move Beyond Passwords
Many organizations' principle Active Directory problem is that they don't know they have a problem.
The vast majority of businesses today use Active Directory as their domain network management tool of choice. They use it to organize their users and systems into groups, allow systems to communicate as well as set and maintain security policies and permissions. Active Directory provides great ease of use. But security experts say that hackers who manage to gain access to AD functionality also find it easy to use. (For more information, see part one of this two-part series.)
Potential exploitable vulnerabilities abound, says Huy Kha, an information security professional at a Dutch law firm who's an expert on Active Directory security. A common Active Directory security problems, he says, is built-in administrator accounts, which too often can be accessed via the same password - on every workstation in an organization - as well as provide admin-level rights. Another problem is that by default, Active Directory workstations can communicate with each other, which attackers can abuse to move laterally across networks. In addition, many organizations fail to update AD admin passwords. Over time, attackers can potentially recover and reuse old passwords unless they've been changed.
Ignorance of these risks abounds, Kha tells Information Security Media Group. "Most companies think attackers won't be able to get a foot inside the network because they have some firewalls, or they use spam filtering, and that these are silver bullets and no one will ever get into the internal network," he says. "That is why Active Directory is sometimes overlooked - or actually, most of the time."
Not Always High Profile
Such concerns are widespread in the IT security community. "Security teams should pay way more attention to AD as it really is the crown jewels," tweets British security expert Kevin Beaumont.
But wielding lightweight directory access protocols can resemble a dark art. "Designing and implementing a properly secured Windows environment is very difficult," says Jerry Bell, a director of cybersecurity management at IBM, on Twitter. "When I point out to people that they need to very carefully structure permissions and tightly control admin rights, what admins can do, and where the can connect from ... it's seen as overwhelmingly complex and of little value."
So here I am, asking you to PLEASE take AD and network design and operations seriously. It is complex. It will impinge on the power mad domain admins. But I know you won't. It's too big. Too complex. You have 500 other priorities. But at least do this: 8/— Jerry Bell (@Maliciouslink) July 19, 2019
Retire Outdated Windows Systems
One quick-hit improvement - with upsides for Active Directory security as well as security in general - is to retire outdated Windows systems, says Tod Beardsley, director of research at Rapid7. As evidence, he points to a new report - "Under the Hoodie 2019" - based on 180 penetration testing engagements his company conducted over a nine-month period.
Rapid7's testers recorded a year-on-year decline in SMB relay attack exposure, due to a lack of SMB signing, as well as a sharp decline in the number of AD domain controller null sessions, both of which can potentially be exploited by attackers to gain a foothold in enterprise networks.
This decline is good news, Beardsley says, although he notes that ideally, every Windows environment would use SMB signing and have zero Active Directory domain controller null sessions. To help make that happen, Rapid7's report can give AD administrators "ammunition in the fight against old, end-of-life Windows hosts in their environment, since these statistics illustrate the continuing risk that these older operating systems pose," he says.
By comparison, retiring old Windows systems makes attackers' job tougher. "Penetration testers and criminals alike seek out these older targets, since the attack techniques are basically commodity at this point," he tells ISMG. "Once those end-of-life endpoints get properly retired out of the corporate fleet, the job of exploitation gets much harder for everyone."
Recruit AD Experts
To improve the security of Active Directory, security leaders recommend that more organizations retain dedicated experts.
Adam Sen (@securityfreax), a security expert with German Railways (DB Systel), for example, recommends that Active Directory be managed by "dedicated security operations teams" educated in all of the nuances of AD.
AD should be run by dedicated security operations teams. Maintaining security for large scale AD's is challenging - securing AD is a discipline in itself. Most IT Managers didn't get that, still running AD like an business app. https://t.co/6cSmt9ilLY— securityfreax (@securityfreax) July 20, 2019
Having a plan of attack is also essential. Kha recommends finding a good framework for approaching Active Directory and ensuring that it has been hardened, for example, by implementing Microsoft best practices and also migrating to a "Red Forest" architecture.
Kha says he also keeps abreast of sites such as Active Directory Security, which is run by AD security expert Sean Metcalf (@PyroTek3), and he continues to study the latest attack methods, such as how to create a backdoor to silently take over an object - meaning a user or system - in AD.
How to Safeguard Active Directory
To ensure that an organization's Active Directory environment is as secure as possible, Kha recommends all organizations have, at a minimum, the following seven defenses in place:
- Use LAPS: Microsoft's local administrator password solution enables local administrator account passwords to be randomized.
- Block default admin: "Deny access from a built-in local administrator account," Kha advises, noting that these will be present by default on all Windows systems.
- Use strong passwords: All service accounts should have at least 25-character passwords to make them more resilient to kerberoasting attacks. Plus, these accounts should be part of an AD group that remains actively managed, including passwords being regularly changed, Kha says.
- Deny communications: Deny workstation-to-workstation communications "because it gives an attacker a very easy way to perform lateral movement."
- Avoid built-in groups: "Try to avoid built-in AD groups, because those have way too many permissions in AD," Kha says. Instead, delegate rights.
- Check permissions: "For OUs - organizational units - check their permissions, because there might be wrong delegated permissions," Kha says, such as a sales user having been placed in a financial group. Organizational units are AD subdivisions into which administrators can place users, groups, computers, and other organizational units.
- Monitor: Monitor events in Active Directory to help spot signs of attack.
Kha's advice for securing Active Directory can largely be summarized as "assume nothing, verify everything."
He recommends security teams audit their organization's AD implementations as often as possible - preferably at least weekly. "Why? Because in a company, every day, people are making changes - you have sysadmins or help-desk employees providing access to a group - and you need to keep track of that," in part to help spot attempted attacks, he says. "What if someone today goes to reset the password of the CFO, but he was on vacation?"