This assessment will focus on the perspective of the attacker. The output of the assessment includes recommendations on what configurations to harden within the Active Directory environment that would be specifically targeted by an adversary to expand and escalate their presence on the network.
Key focus areas include:
The importance of securing your Active Directory (AD) can be summarized quickly: Microsoft Windows is the foundation of nearly all IT environments worldwide and AD is the foundation of Windows networks. Consequently, the threat posed by a compromised AD is huge: Once an attacker gains access to your network, they can use a variety of tools and techniques to either access higher permission tiers (privilege escalation) or spread to additional systems and devices (lateral movement). If a hacker manages to spread across your AD or gain administrator privileges, they can cause enormous damage. Intruders with control of your AD can not only steal and destroy large amounts of data, but also shut down your IT operations entirely. No one in your entire network can use their PC or log in to Windows until the attack has been fought off and your AD has been restored. Depending on your level of preparation, that can take quite a lot of time.
The best way to monitor for compromises in your AD is to use an event log monitoring system. According to Verizon’s 2021 Data Breach Investigations report, 84% of entities that had a breach had evidence of the breach in their event logs. By monitoring the activity in these logs, entities can catch any compromises before more damage occurs.
When monitoring your event logs, look for signs of suspicious activity, including the following events:
Privileged account activity: Attackers commonly exploit a privilege vulnerability and attempt privilege escalation, increasing the privileges of a compromised user account. Alternatively, you might notice after-hours activity on a privileged user account or a sudden increase in the amount of data accessed by the user account.
Login failures: Repeated failures to log in to an account can be a sign that a threat actor is trying to gain access.
Remote logins: Malicious users often attempt to access your system remotely. If you notice a login from an Internet Protocol (IP) address in a different country or locale, it could be a sign that your AD is compromised.
Just like there can be many different signs of an AD compromise, there are many types of vulnerabilities. Let’s take a look at some of the most common vulnerabilities that malicious users can exploit.
By default, any domain user can add workstations to the domain. The risk of this configuration is that users can join personal computers to access your corporate domain too. Personal computers might not have protection from your antivirus or endpoint detection and response software. Your entity’s settings and policies might not apply on the added workstations. This AD configuration also allows users to have local administrative privileges on their machines. Local administrative privileges on personal machines pose a security risk because users can perform actions that could attack other systems on the network.
To limit this vulnerability, adjust the ms-DS-MachineAccountQuota attribute to limit the ability to add computers to your domain. You can delegate permissions for creating computer accounts to specific users or a group of users that you specify instead.
The risk of a domain compromise increases when you increase the number of users in a privileged security group like an AD group of domain administrators or enterprise administrators. A domain administrator, or domain admin, has full control of the domain. A domain admin is typically a member of the administrator’s group on all domain controllers, all domain workstations and all domain member servers. Because these user accounts have extensive security privileges, your domain could become compromised if a threat actor steals the credentials of the users in these security groups.
To limit this vulnerability, review privileged access management and group policy management settings and policies regularly. Make sure that users have only the permissions necessary to perform their jobs. Add users to these privileged security groups only when it is essential so that the groups do not grow too large.
There are different philosophies on how to best balance password security with convenience. If an entity requires users to create complex passwords and change them frequently, users might forget their passwords and store them in an insecure way. If an entity allows less complex passwords, hackers might more easily gain access to the system.
To limit this vulnerability, entities should set a conservative password policy and ensure there are other security controls in place in case a password is compromised. For example, if your access rights manager needs to trigger a password reset for an AD user, there should also be security controls to verify the user’s identity.
Many malicious users breach your system using compromised credentials. As a result, it’s important to follow AD best practices to avoid unnecessary security risks. The best way of hardening your AD is to implement the following security measures:
Some default AD settings, like the setting allowing all users to add workstations to your domain, gives unnecessary privileges to users in your entity. When you install AD, review the security configuration and make changes to fit your entity’s needs. You should also review all user permissions to ensure you’re granting only the minimum level of access needed.
By limiting permissions, malicious users are less likely to gain privileged access, and employees at your entity are less likely to abuse privileges. To adjust default security settings, you can manually change attribute values and permissions or use AD tools that help you configure these settings.
The most important backup measure for securing AD is to make sure you back it up regularly and at least every 60 days. The lifetime of AD tombstone objects is 60 days. You can prevent errors about expired tombstone objects by having an AD backup that is less than 60 days old. It’s also a best practice to have more than one backup stored in different locations in case a backup is also compromised.
The most important recovery measure for securing AD is outlining a disaster recovery process. This process should indicate the steps your security team needs to take when recovering from a breach. You need to consider the recovery sequence and dependencies because a domain controller, for example, needs to be recovered before you can recover other machines.
By centralizing security management and reporting, entities have a dedicated team that is responsible for AD security. These employees can gain expertise and respond quickly to an attack. A comprehensive threat detection tool can also help your security team review and monitor the system using one program that allows them to investigate alerts quickly.