Active Directory (AD) is a powerful authentication and directory service used by organizations worldwide. With this ubiquity and power comes the potential for abuse. Insider threats have some of the greatest potential for destruction, because many internal users have over-provisioned access to, and visibility into, the internal network.
An insider's level of access and trust within the network creates vulnerabilities that perimeter controls do not address. Network security often focuses on keeping a threat actor out, not on what an existing user can already do once authenticated. Staying on top of potential threats means protecting against both inside and outside threats.
Active Directory Vulnerabilities
From the outside, a properly configured AD domain offers a secure authentication and authorization solution. But a convincing phishing email or social-engineering attack can compromise an existing AD user, and once an attacker holds valid domain credentials they have many options for attacking Active Directory from the inside.
Insecure Devices
With "Bring Your Own Device" (BYOD) growing, device support and security complexity grow with it. If a user connects a device that is already compromised or lacks adequate security controls, attackers gain a simple path onto the internal network.
In the past, an attacker would have to sneak in to plant a malicious device. Now a user with a compromised device does that work for them. Many workers also connect their smartphones or tablets to the network, so instead of a single work-issued laptop you may have two or three devices per user that are not subject to the same security measures.
Over-Provisioned Access
Adding to the difficulty of internal security is the common problem of over-provisioned access. Organizations tend to expand access rather than restrict it. A single act of convenience to solve a problem can have the unintended consequence of creating an attack path, which is then forgotten and never reviewed.
Users who are also administrators do not always get a separate, more tightly controlled administrative account. Allowing administrative tasks from a standard user account is convenient, but it means the account used for email and web browsing is also a highly privileged one, so a single successful phishing message hands the attacker that privilege outright.
Weak Password Policies
Many organizations, especially larger ones, run weaker password policies than they would like because of the range of applications they have to support. Not all applications are the same, and some do not support current security standards; examples include applications that cannot perform LDAP signing or LDAP over TLS (LDAPS), which forces domain controllers to keep accepting weaker, unsigned binds.
A weak password policy makes it easy to crack a retrieved hash. Kerberoasting is the classic example: any authenticated domain account, privileged or not, can request a service ticket for an account that has a service principal name (SPN). That ticket is encrypted with the service account's password hash, so it can be cracked offline at leisure, and service accounts with short or old passwords fall quickly. A strong password policy (long, unique service-account passwords, or gMSAs that rotate them automatically) makes the cracking impractical, and multi-factor authentication limits what a cracked user password is worth, which makes it much harder to turn a hash into access to a system or network.
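The following PowerShell is an added example, not code from the original article or from Specops, showing the two checks a practitioner wants for the Kerberoasting scenario above: which accounts are exposed, and whether anyone is currently roasting them. It assumes the RSAT ActiveDirectory module, read access to the domain and to the domain controller's Security log, and that "Audit Kerberos Service Ticket Operations" is enabled (without it there are no 4769 events). The group list, the 365-day threshold and the 5-service trigger are assumptions chosen for the example.

```powershell
# Added example (not from the original article): Kerberoast exposure audit and detection.
# Assumes RSAT ActiveDirectory module and rights to read the DC Security log.
Import-Module ActiveDirectory

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)   # assumption: flag service passwords older than a year

    $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Backup Operators'
    # Every user account with an SPN is a Kerberoast target: any authenticated domain account can
    # request its service ticket, and the ticket is encrypted under that account's password hash.
    $filter = '(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
    $props  = 'servicePrincipalName', 'msDS-SupportedEncryptionTypes', 'PasswordLastSet', 'MemberOf', 'Enabled'

    Get-ADUser -LDAPFilter $filter -Properties $props | ForEach-Object {
        # msDS-SupportedEncryptionTypes bits: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
        # Unset (0) has historically meant RC4, and an RC4 ticket cracks far faster than an AES one.
        $enc = [int]$_.'msDS-SupportedEncryptionTypes'
        $rc4 = ($enc -eq 0) -or (($enc -band 0x4) -ne 0)
        $groups = @($_.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
        [pscustomobject]@{
            Account         = $_.SamAccountName
            Enabled         = $_.Enabled
            SPNs            = ($_.servicePrincipalName -join ';')
            Rc4Allowed      = $rc4
            PasswordAgeDays = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null }
            Privileged      = [bool]($groups | Where-Object { $privileged -contains $_ })
        }
    } | Where-Object { $_.Enabled -and ($_.Rc4Allowed -or $_.Privileged -or $_.PasswordAgeDays -gt $MaxPasswordAgeDays) }
}

# Kerberoasting leaves a trail: one principal requesting RC4 (0x17) service tickets for many
# different user-account SPNs in a short window. Computer accounts end in '$' and are excluded.
function Find-KerberoastActivity {
    param([string]$DomainController = $env:COMPUTERNAME, [int]$Hours = 24, [int]$MinServices = 5)

    $ms = $Hours * 3600000
    $xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='TicketEncryptionType']='0x17']]"
    Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Requester = $d.TargetUserName; Service = $d.ServiceName; ClientIp = $d.IpAddress }
        } |
        Where-Object { $_.Service -notmatch '\$$' -and $_.Service -ne 'krbtgt' } |
        Group-Object Requester |
        ForEach-Object {
            [pscustomobject]@{
                Requester = $_.Name
                Services  = @($_.Group.Service | Sort-Object -Unique).Count
                ClientIps = (@($_.Group.ClientIp | Sort-Object -Unique) -join ',')
                FirstSeen = ($_.Group.Time | Sort-Object | Select-Object -First 1)
            }
        } |
        Where-Object { $_.Services -ge $MinServices } | Sort-Object Services -Descending
}

Get-KerberoastExposure   | Format-Table -AutoSize
Find-KerberoastActivity  | Format-Table -AutoSize
```

The exposure report is the remediation list: move each flagged service to a gMSA or a long random password, and set AES-only encryption types so the KDC stops issuing RC4 tickets. The activity report is what to alert on; a normal workstation user rarely asks for tickets to five distinct service accounts in a day, and an RC4 request from an AES-capable client is itself suspicious.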
Best Practices for Securing Active Directory
To secure Active Directory, there are many best practices to follow. Based on the previously outlined security themes, here are several:
- Restrict access to systems and networks to those with a legitimate business need.
- Ensure connected devices meet a minimum standard of security.
- Configure Active Directory securely: require LDAP signing and LDAPS, rotate the KRBTGT password regularly (a rotation is two resets with full replication between them, since the previous key stays valid for ticket validation), and use group-managed service accounts (gMSA) so service-account credentials rotate automatically.
- Enable multi-factor authentication and a strong password policy, augmented by solutions such as Specops Password Policy.
- Separate permissions from the typical user account and assign them to special administrative accounts.
- Ensure that users know the dangers of phishing emails and social engineering, such as opening unexpected attachments.
Training users to identify potential phishing emails and social-engineering attacks is essential. Users should be discouraged from opening unexpected attachments, and organizations should deploy systems that scan attachments and links for malicious content. These measures reduce the risk of a successful attack but do not eliminate it.
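The script below is an added example, not code from the original article or from Specops, that turns the configuration items in the list above into checks and commands run on a domain controller: LDAP signing and channel binding state, KRBTGT password age with the two-step reset, and creation of a gMSA that only issues AES tickets. It assumes Domain Admin rights, the ActiveDirectory module, and that the "LDAP Interface Events" diagnostic level has been raised so that events 2887/2889 are logged. The names `gmsa-web` and `WebServers` and the 180-day KRBTGT threshold are assumptions for the example.

```powershell
# Added example (not from the original article): implement the AD hardening items.
# Run on a domain controller as Domain Admin; names and thresholds are assumptions.
Import-Module ActiveDirectory

function Test-LdapHardening {
    # LDAPServerIntegrity: 1 = signing negotiated only (default), 2 = signing required.
    # LdapEnforceChannelBinding: 0 = off, 1 = if supported, 2 = always. Missing values mean defaults.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction Stop
    # Event 2887 summarises unsigned/simple binds seen in the last 24h; 2889 names each client.
    # Chase those clients down before requiring signing, or they stop authenticating.
    $unsigned = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889 } -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        SigningRequired        = ($p.LDAPServerIntegrity -eq 2)
        ChannelBindingEnforced = ($p.LdapEnforceChannelBinding -eq 2)
        UnsignedBindEvents     = $unsigned.Count
    }
}

function Set-LdapSigningRequired {
    # Prefer the GPO "Domain controller: LDAP server signing requirements"; the registry
    # values are what that policy writes, shown here so the effect is explicit.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-ItemProperty -Path $path -Name LDAPServerIntegrity -Value 2 -Type DWord
    Set-ItemProperty -Path $path -Name LdapEnforceChannelBinding -Value 2 -Type DWord
}

function Invoke-KrbtgtRotation {
    param([int]$MaxAgeDays = 180, [switch]$Apply)   # assumption: rotate at least twice a year
    $k   = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (New-TimeSpan -Start $k.PasswordLastSet).Days
    if ($age -le $MaxAgeDays) { return "krbtgt password is $age days old; no action" }
    if (-not $Apply)          { return "krbtgt password is $age days old; rerun with -Apply" }
    # A golden ticket forged with the OLD key still validates until the key is out of the
    # password history, so the rotation is two resets. Wait for replication to every DC and
    # longer than the maximum TGT lifetime (10 hours by default) before the second reset, or
    # every outstanding ticket in the domain fails at once.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $b = New-Object byte[] 48
    $rng.GetBytes($b)
    $pw = ConvertTo-SecureString -String ([Convert]::ToBase64String($b)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw   # the DC derives the real key itself
    return "First krbtgt reset done; run the second reset after replication and more than 10 hours"
}

function New-WebServiceGmsa {
    param([string]$Name = 'gmsa-web', [string]$HostGroup = 'WebServers')   # assumed names
    $suffix = (Get-ADDomain).DNSRoot
    if (-not (Get-KdsRootKey)) {
        # Lab shortcut: backdating makes the key usable now. In production omit -EffectiveTime
        # and wait 10 hours so every DC has replicated the root key first.
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
    }
    New-ADServiceAccount -Name $Name -DNSHostName "$Name.$suffix" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -ServicePrincipalNames "HTTP/$Name.$suffix" `
        -KerberosEncryptionType AES128, AES256    # no RC4 tickets for this SPN, so it is not Kerberoastable in practice
    # AD now rotates the 240-character password every 30 days; each host in $HostGroup fetches
    # it with Install-ADServiceAccount and never sees a human-typed secret.
}

Test-LdapHardening | Format-List
Invoke-KrbtgtRotation
```

Run `Test-LdapHardening` on every domain controller, not just one; the registry values are per-DC unless a GPO sets them, and an unsigned-bind event on a single DC is enough to show which application would break when signing becomes mandatory.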
But assume that AD has already been compromised. An organization can and should take an in-depth look at the permissions assigned to active, inactive and decommissioned users and systems, and at the privileged groups those accounts belong to. Which permissions can be separated from ordinary user accounts and assigned to dedicated administrative accounts held to a higher security standard?
Enabling multi-factor authentication alongside a strong password policy gives some of the strongest protection available. Many attacks start with credentials reused on an external site that was breached, so an organization must mandate strong, unique passwords rather than rely on users not to reuse them.
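The review described above, and the over-provisioned-access problem from earlier in the article, come down to three questions: who is in the privileged groups, which of those are everyday user accounts rather than dedicated admin accounts, and which accounts have been forgotten. The following PowerShell is an added example, not code from the original article or from Specops, that answers them. It assumes the ActiveDirectory module, read access to the domain, an `adm-` prefix as the naming convention for separate administrative accounts, and a 90-day staleness threshold; all three are assumptions for the example.

```powershell
# Added example (not from the original article): privileged and stale account review.
# Assumes RSAT ActiveDirectory module; the 'adm-' prefix and 90-day threshold are assumptions.
Import-Module ActiveDirectory

function Get-PrivilegedAccountReview {
    param([string]$AdminPrefix = 'adm-', [int]$StaleDays = 90)
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
    $now = Get-Date
    foreach ($g in $groups) {
        $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
        if (-not $grp) { continue }
        # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership server-side, so a user who is
        # an admin only through three nested groups is still reported.
        $members = Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($grp.DistinguishedName))" `
                              -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled
        foreach ($u in $members) {
            [pscustomobject]@{
                Group                = $g
                Account              = $u.SamAccountName
                Enabled              = $u.Enabled
                SeparateAdminAccount = ($u.SamAccountName -like "$AdminPrefix*")   # else a daily-use account holds the privilege
                Stale                = (-not $u.LastLogonDate) -or (($now - $u.LastLogonDate).Days -gt $StaleDays)
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordAgeDays      = if ($u.PasswordLastSet) { ($now - $u.PasswordLastSet).Days } else { $null }
            }
        }
    }
}

# adminCount=1 with no current privileged membership is AdminSDHolder residue: the account was
# privileged once, kept a locked-down ACL, and nobody cleaned it up. It is the "granted for
# convenience and forgotten" pattern made visible.
function Get-OrphanedAdminCount {
    $current = @(Get-PrivilegedAccountReview | Select-Object -ExpandProperty Account | Sort-Object -Unique)
    Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt)))' |
        Where-Object { $current -notcontains $_.SamAccountName } |
        Select-Object SamAccountName, DistinguishedName
}

# Enabled accounts nobody has used for $StaleDays: leavers and decommissioned service accounts
# that still authenticate, which is exactly what an insider or an attacker with old credentials wants.
function Get-StaleEnabledAccounts {
    param([int]$StaleDays = 90)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-ADUser -Filter "Enabled -eq 'True' -and LastLogonDate -lt '$cutoff'" -Properties LastLogonDate |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

Get-PrivilegedAccountReview | Where-Object { -not $_.SeparateAdminAccount -or $_.Stale } | Format-Table -AutoSize
Get-OrphanedAdminCount      | Format-Table -AutoSize
Get-StaleEnabledAccounts    | Format-Table -AutoSize
```

Note that `LastLogonDate` comes from `lastLogonTimestamp`, which replicates only when it is more than about 14 days out of date, so treat it as accurate to two weeks and do not set `$StaleDays` below that.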
Keeping Active Directory Secure with Specops Password Policy
Underpinning many of these recommendations is a strong password policy. The default Active Directory password policy only enforces length, character classes and history; it cannot block specific weak or already-breached passwords. To help users comply with standards such as NIST, CJIS and PCI DSS, and to block weak passwords, organizations can use Specops Password Policy. It lets an organization create custom dictionary lists and block user names, display names, specific words, consecutive characters, incremental passwords and reuse of part of the current password, while giving users real-time feedback as they choose a password.
The Breached Password Protection add-on further enhances security by alerting users in real time if their chosen password appears on a list of breached passwords. It also provides in-depth scanning to detect over 3 billion compromised passwords in use on accounts throughout an AD domain.
Protecting Active Directory from Insider Threats
Though it may be impossible to protect against every threat, an organization that reviews its existing permission structures, its active and inactive users, and the technical configuration of Active Directory goes a long way toward securing its environment. With Specops Password Policy, take your password policy to the next level through Breached Password Protection and by mandating unique, secure passwords across the board.