Active Directory Security Risk Factors and What to Do About Them (Part 1)
Active Directory security is a critical infrastructure issue for almost all large global organizations, including those using identity-as-a-service (IDaaS) solutions. IDaaS deployments frequently synchronize cloud-based directory accounts or passwords from the on-premises AD installation. Or, even if the IDaaS (e.g., Okta, OneLogin, Microsoft Azure AD) directory is considered the master directory, many organizational security policies still require or encourage keeping keys and credentials in-house. In that case, the IDaaS authentication function gets federated back home to – you guessed it – Active Directory.
Many attack paths lead through the directory. AD holds the user and computer accounts, groups, and other objects or containers to provide security and control over critical IT systems and infrastructure.
The Soft Underbelly of AD
AD permissions to control structures and resources are complicated and difficult to manage centrally, especially when organizations have multiple domains and forests. Thus, AD security is rarely well-maintained. We often find over-provisioning of privileges, outdated information after users leave or move to new roles, and structural surprises due to inheritance, impersonation, delegation, Group Policy, and other mechanisms.
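The findings above (over-provisioned privileges, stale accounts, and nested-group surprises) can be checked with a short audit script. The following is an added example, not code from the original post; it uses the RSAT ActiveDirectory module, the default built-in privileged group names, and a 90-day inactivity threshold that is an assumption to be adjusted to your own policy.

```powershell
# Added example: audit privileged-group membership and stale enabled accounts.
# Assumptions: run with domain read access; group names are the defaults;
# the 90-day threshold is a constructed choice.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
$staleAfterDays   = 90
$cutoff           = (Get-Date).AddDays(-$staleAfterDays)

# 1. Who actually holds elevated rights? -Recursive expands nested groups,
#    which is where the "structural surprises" usually hide.
$membership = foreach ($g in $privilegedGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Group       = $g
        MemberCount = @($members).Count
        Users       = (@($members) | Where-Object objectClass -eq 'user' |
                       Select-Object -ExpandProperty SamAccountName) -join ', '
    }
}
$membership | Format-Table -AutoSize

# 2. Enabled user accounts with no logon inside the threshold (leavers, movers).
$staleUsers = Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName
$staleUsers | Format-Table -AutoSize

# 3. Privileged users that are stale or have a non-expiring password:
#    the combination most worth fixing first.
$riskyAdmins = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordNeverExpires, LastLogonDate, Enabled |
        Where-Object { $_.PasswordNeverExpires -or ($_.LastLogonDate -lt $cutoff) } |
        Select-Object @{n='Group'; e={ $g }}, SamAccountName, Enabled,
                      PasswordNeverExpires, LastLogonDate
}
$riskyAdmins | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Run it per domain (or pass -Server to each cmdlet) when there are multiple domains or forests; membership that looks clean in one domain is often inherited through a nested group from another.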
Compounding the systemic vulnerability, administrators have a lot of power. It is as if DAs are the Gods of Windows. With the right permissions, attackers can obtain any privilege and bypass nearly any security control.
Once inside the domain, attackers can move laterally towards the target by gaining control of a System or Domain Administrator (DA) account that has privileges over the target network, server, database, or application. Or, the attacker can add an already-compromised account to an AD group controlling access to the target.
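Adding an already-compromised account to a privileged group, as described above, leaves a record in the domain controller Security log. The following added example (not part of the original post) reports such additions. It relies on the built-in event IDs 4728, 4732 and 4756 ("a member was added to a security-enabled global/local/universal group"), which are only written when the "Audit Security Group Management" subcategory is enabled; the watched group list and the 24-hour window are assumptions.

```powershell
# Added example: report recent additions to privileged groups from the
# Security event log of a domain controller. Run on the DC or with
# -ComputerName on Get-WinEvent. Group list and time window are constructed.
$watchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Administrators', 'Account Operators')
$since = (Get-Date).AddHours(-24)

# 4728 = global group, 4732 = domain local group, 4756 = universal group
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = $since
} -ErrorAction SilentlyContinue

$additions = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TargetUserName holds the group name for these event IDs.
    if ($watchedGroups -contains $data['TargetUserName']) {
        [PSCustomObject]@{
            Time     = $e.TimeCreated
            EventId  = $e.Id
            Group    = $data['TargetUserName']
            MemberDN = $data['MemberName']
            AddedBy  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            DC       = $e.MachineName
        }
    }
}

if ($additions) {
    $additions | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No additions to watched groups since $since"
}
```

Every row this produces should match an approved change request; an addition made by an account that is not itself a known administrator, or outside a change window, is the lateral-movement step the paragraph above describes and is worth an immediate look.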
Once attackers have a foothold on almost any domain account – even a lowly laptop or an ordinary employee’s account – they can perform LDAP lookups against the directory. Reconnoitering the IT environment, they can discover user titles and roles, service names, and user/service relationships. Imagine having a Google-like tool to discover the paths of privilege through AD to the “crown jewel” IT assets. It exists. Tools such as PowerSploit and BloodHound make it relatively easy for a “script kiddie” type to plan the cyberattack.
Threats are Increasing
The attacks discussed so far aren’t new. However, they are becoming more widely known and used with the increased level of cybercrime and breaches. In the last year or two, ransomware has added another dimension to the IT infrastructure risk environment. Until recently, the majority of cyberattacks targeted information and therefore threatened confidentiality. Ransomware, by contrast, threatens the availability of companies’ IT systems, their funds (through extortion), and the integrity of business systems and operations.
Ransomware attacks may target AD directly or indirectly. Indirectly, ransomware exploits may use AD to reconnoiter the IT environment, find targets, and possibly manipulate privileges to help spread their malware component. Directly, ransomware could encrypt or corrupt domain controller (DC) storage and other critical objects.
What to Do?
Please continue reading Part 2 of this post, which contains an Active Directory Protection Matrix identifying good practices for countering a variety of AD technical vulnerabilities or exposures likely existing in your environment. Check out the related KuppingerCole Webinar on AD Disaster Recovery (login required). And as always, feel free to contact us with any questions or opportunities.