Active Directory (AD) is often the first port of call in cyberattacks. Mandiant consultants estimate that about 90% of the attacks their team investigates involve AD in some form, whether as the initial attack vector or as a target for gaining persistence or privileges. Because it is the primary method of authentication and authorization for 90% of the world's enterprises, AD holds a myriad of valuable company and employee data. Compromising AD gives attackers the information and access they need to reach sensitive data, deploy ransomware and carry out a host of other nefarious activities.
Despite the high volume of attacks, AD still works brilliantly for businesses worldwide (including most of the Fortune 1000) that use it to manage permissions and network access. And with more users working from home on multiple devices and cloud-based apps, AD has become foundational to the hybrid identity architectures now common in enterprises, making AD more important than ever.
Because the large majority of attacks involve Active Directory, better AD security is essential to today's enterprises. Fortunately, there are several ways organizations can fight back.
Let’s look at the top actions every organization can take to protect AD from attacks.
- Implement good identity processes. From small organizations to large multinationals, user provisioning (creating user accounts and adding them to groups) is easy. Removing users and computers that are no longer needed is a different story. In a typical environment more than 10% of AD user accounts turn out to be inactive, and every one of them is a credential an attacker can take over without anyone noticing a change in behaviour. With PowerShell and the ActiveDirectory module, enterprises can identify stale users and computers, disable them, and delete them after a quarantine period. Regularly reviewing the membership of privileged groups keeps administrative access in check. Kerberoasting adds a further reason to look after service accounts: any authenticated domain user can request a service ticket for an account that has a service principal name (SPN), and because that ticket is encrypted with a key derived from the account's password it can be cracked offline. Giving service accounts long, random passwords that are rotated regularly, or moving them to group Managed Service Accounts (gMSAs), whose 240-byte random passwords AD rotates automatically, takes that attack away.
- Configure secure forest trusts. A trust lets users in one domain or forest authenticate to resources in another: an external trust links two individual domains, while a forest trust links two forests through their root domains and is transitive across every domain in both. Within a forest, the parent-child and tree-root trusts are two-way and transitive by default. SID filtering should stay enabled on every trust that crosses a forest boundary. It strips SIDs that do not belong to the trusted domain from the authorization data a user brings across the trust, so an attacker who controls the trusted side cannot inject the SID of, say, your Domain Admins group into an account's SID history and arrive as a privileged user. Selective authentication adds a second layer: instead of every user in the trusted forest being able to authenticate to every computer in the trusting forest, only principals explicitly granted the "Allowed to Authenticate" permission on a given computer object can use that computer across the trust.
- Back up every domain controller for every domain, especially the root. An organization that backs up its child domains but not the forest root cannot recover the forest: the root domain holds the Enterprise Admins and Schema Admins groups and, by default, the schema master and domain naming master roles. Backing up two or more domain controllers per domain ensures there is more than one copy from which to restore the domain if one domain controller is unavailable or its backup turns out to be bad. Use supported, directory-aware backup methods (a system state backup rather than a copied virtual disk or snapshot, which can cause USN rollback when restored), make sure the backups themselves are malware-free, and keep offline copies that ransomware cannot reach.
- Test backups regularly. Backups are no good if an organization cannot (or does not know how to) recover from them. According to a recent Semperis study, over 50% of organizations either have no AD disaster recovery plan or have never tested it. Without regular rehearsal, recovery procedures end up with out-of-date information about the AD topology (domain controllers, sites, FSMO role holders, DNS), which slows recovery in a real incident.
- Reset KRBTGT account passwords. Every AD domain has a KRBTGT account whose key encrypts and signs every Ticket Granting Ticket (TGT) issued by that domain's Key Distribution Center (KDC). When a user authenticates, the KDC issues a TGT; the user presents it back to the KDC to request service tickets for individual services (a file server, for example). The TGT carries the user's identity and group membership, so whoever holds a valid TGT can obtain access to services across the network. TGTs expire (after 10 hours by default), but an attacker who obtains the KRBTGT key can forge TGTs for any user with any group membership and any lifetime, the so-called Golden Ticket. The defence is to reset the KRBTGT password in every domain every 6-12 months, and immediately after any suspected domain compromise. The reset has to be done twice, with replication allowed to complete in between, because the KDC keeps accepting tickets encrypted with the previous key; a single reset leaves an existing Golden Ticket valid. Microsoft MVP Jorge de Almeida Pinto maintains a KRBTGT password reset script on GitHub that performs the reset and the related key updates while minimizing the risk of Kerberos authentication failures caused by the operation.
- Deter lateral movement. One of the hallmarks of today's cyberattacks is lateral movement: after gaining initial access to a domain, an attacker moves horizontally across the network in search of sensitive data and other high-value assets. When every workstation shares the same local Administrator password, one compromised machine yields a credential (or a hash usable in pass-the-hash) that works on all of them. Microsoft's Local Administrator Password Solution (LAPS), now built into Windows as Windows LAPS, removes that shortcut by setting a unique, random password on each machine's local administrator account, storing it in AD, and protecting it so that only authorized users can read it or request a reset.
- Minimize privileged group membership. Privileged groups are those granted rights, privileges and permissions powerful enough to perform almost any action in an organization's AD. Any organization should have only a handful of domain admins, responsible for running the AD service itself and nothing else. Applying the principle of least privilege restricts each user's access rights to those strictly required for their job. Because most advanced attacks depend on abusing privileged credentials, keeping the number and power of such accounts to a minimum drastically shrinks the attack surface.
- Harden privileged access. Once the security team has thinned out administrative accounts, the next step is to give each administrator a separate, individually named admin account, distinct from the account they use for email and browsing. Audit log entries then point to one person rather than to a shared account used by several people. Deploying a tiered administrative model further limits privilege escalation by restricting what each administrator controls and where their accounts may log on: tier 0 credentials (domain admins, domain controllers and the rest of the identity infrastructure) must never be used to log on to a lower tier, such as an ordinary user's workstation, because the credential is then exposed to whatever malware runs there. That kind of exposure was at the heart of the catastrophic cyberattack on Maersk.
- Limit hypervisor admin privileges. With the rise of cloud and virtualized infrastructure, it is important to understand the platform underneath the AD environment. Most organizations today run at least some of their domain controllers as virtual machines, on premises or in the cloud. A hypervisor admin can shut down, delete, alter or interfere with those domain controllers, and can copy a virtual disk and extract the ntds.dit database with every password hash in it offline. Hypervisor administrators are therefore effectively tier 0 and need the same scrutiny as domain admins.
- Harden domain controllers. Domain controllers are not hardened by default, which leaves several escalation paths to domain admin open. With default settings, a domain controller runs services that have nothing to do with the directory but can be turned against it. The Print Spooler is the classic example: any authenticated user can connect to a domain controller's spooler remotely, ask to be notified of new print jobs, and nominate the host that should receive the notification. If that host is configured for unconstrained Kerberos delegation, the domain controller authenticates to it and hands over a forwardable TGT for its own machine account, which is enough to replicate (DCSync) every password hash in the domain. Disabling the Print Spooler service on all domain controllers, auditing which accounts are trusted for unconstrained delegation, and removing unnecessary server roles and agents limits the exposure.
- Monitor for unusual activity. As state-sponsored and criminal threats continue to rise, continuous monitoring of AD for suspicious activity is a key component of preventing, detecting and stopping malicious activity. A security information and event management (SIEM) solution with user and entity behavior analytics lets organizations aggregate and analyze activity across the whole IT estate, including changes to privileged accounts and to the membership of privileged groups. At a minimum, forward the domain controllers' Security logs and alert on membership changes to privileged groups (events 4728, 4732 and 4756 for additions, 4729, 4733 and 4757 for removals) and on any logon by a tier 0 account outside the tier 0 systems.
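For the identity-hygiene item above, the following PowerShell is an added example and not code from the original article. It assumes the RSAT ActiveDirectory module and read rights on the domain; the 90-day inactivity threshold and the report-only default are assumptions.

```powershell
# Added example (not from the original article): find stale users and
# computers, and list the service accounts exposed to Kerberoasting.
Import-Module ActiveDirectory

function Get-StaleADAccount {
    param(
        [int]$InactiveDays = 90,   # assumption: 90 days counts as inactive
        [switch]$Disable           # report only unless -Disable is given
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # LastLogonDate is the replicated lastLogonTimestamp (accurate to ~14 days),
    # good enough for a stale sweep. Accounts that never logged on are judged by
    # creation date instead, so brand-new accounts are not swept up.
    $isStale = {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    }.GetNewClosure()
    $props = 'LastLogonDate', 'whenCreated'
    $users = Get-ADUser -Filter "Enabled -eq 'True'" -Properties $props | Where-Object $isStale
    # PrimaryGroupID 516/521 = writable/read-only domain controllers; never touch those here
    $computers = Get-ADComputer -Filter "Enabled -eq 'True' -and PrimaryGroupID -ne '516' -and PrimaryGroupID -ne '521'" `
                                -Properties $props | Where-Object $isStale

    if ($Disable) {
        # Disable first and delete after a quarantine period; a disabled account
        # can be reinstated cleanly, a deleted one cannot.
        $users     | Disable-ADAccount
        $computers | Disable-ADAccount
    }
    [pscustomobject]@{ StaleUsers = @($users); StaleComputers = @($computers) }
}

function Get-KerberoastableAccount {
    # Any enabled user account with an SPN can have a service ticket requested
    # for it by any domain user; the ticket is encrypted with a key derived from
    # the account's password, so a weak or old password is crackable offline.
    Get-ADUser -Filter "ServicePrincipalName -like '*' -and Enabled -eq 'True'" `
               -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            # unset means the domain default, which historically allows RC4
            $enc = if ($_.'msDS-SupportedEncryptionTypes') { [int]$_.'msDS-SupportedEncryptionTypes' } else { 0 }
            [pscustomobject]@{
                Account         = $_.SamAccountName
                PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
                SPNs            = $_.ServicePrincipalName -join ';'
                # 0x4 = RC4, 0x8 = AES128, 0x10 = AES256; RC4 tickets crack fastest
                AESOnly         = (($enc -band 0x18) -ne 0) -and (($enc -band 0x7) -eq 0)
            }
        } | Sort-Object PasswordAgeDays -Descending
}

# Usage:
#   Get-StaleADAccount -InactiveDays 90             # review
#   Get-StaleADAccount -InactiveDays 90 -Disable    # act
#   Get-KerberoastableAccount | Format-Table -AutoSize
```

Accounts that come back from Get-KerberoastableAccount with an old password and AESOnly false are the ones to rotate or migrate to a gMSA first; the krbtgt account is excluded automatically because it is disabled.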
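For the trust item above, the following PowerShell is an added example and not code from the original article. It decodes the trustAttributes bitmask directly (bit values as documented in MS-ADTS) rather than relying on the friendly property names, which differ between cmdlet versions; the sample trust objects at the end are constructed so the logic can be read without a domain.

```powershell
# Added example (not from the original article): audit SID filtering and
# selective authentication on every trust by decoding trustAttributes.
Import-Module ActiveDirectory

$TA = @{
    NonTransitive     = 0x1
    UplevelOnly       = 0x2
    Quarantined       = 0x4    # SID filtering on an external trust (netdom /quarantine:yes)
    ForestTransitive  = 0x8
    CrossOrganization = 0x10   # selective authentication
    WithinForest      = 0x20
    TreatAsExternal   = 0x40   # forest trust relaxed to pass SID history (netdom /enablesidhistory:yes)
}

function Test-ADTrustHardening {
    param([Parameter(ValueFromPipeline)] $Trust)   # needs Name, Target, Direction, TrustAttributes
    process {
        $a = [int]$Trust.TrustAttributes
        $set = @($TA.GetEnumerator() | Where-Object { $a -band $_.Value } | ForEach-Object Name)
        $findings = @()
        if ($a -band $TA.WithinForest) {
            # parent-child and tree-root trusts are transitive by design; SID filtering does not apply
        }
        elseif ($a -band $TA.ForestTransitive) {
            if ($a -band $TA.TreatAsExternal) {
                $findings += "SID history allowed across forest trust; fix: netdom trust <trusting> /domain:$($Trust.Target) /enablesidhistory:no"
            }
            if (-not ($a -band $TA.CrossOrganization)) {
                $findings += 'forest-wide authentication; consider /selectiveauth:yes and grant Allowed to Authenticate per computer'
            }
        }
        else {
            if (-not ($a -band $TA.Quarantined)) {
                $findings += "SID filtering off on external trust; fix: netdom trust <trusting> /domain:$($Trust.Target) /quarantine:yes"
            }
            if (-not ($a -band $TA.CrossOrganization)) {
                $findings += 'domain-wide authentication on external trust; consider /selectiveauth:yes'
            }
        }
        [pscustomobject]@{
            Trust     = $Trust.Name
            Direction = $Trust.Direction
            Flags     = $set -join ','
            Findings  = if ($findings) { $findings -join ' | ' } else { 'ok' }
        }
    }
}

# Live run against every trust object in the current domain:
#   Get-ADTrust -Filter * | Test-ADTrustHardening | Format-Table -Wrap

# Constructed sample: a forest trust on which someone ran /enablesidhistory:yes,
# and an external trust with quarantine plus selective authentication.
$sample = @(
    [pscustomobject]@{ Name = 'partner.example'; Target = 'partner.example'; Direction = 'BiDirectional'; TrustAttributes = 0x8 -bor 0x40 }
    [pscustomobject]@{ Name = 'legacy.local';    Target = 'legacy.local';    Direction = 'Outbound';      TrustAttributes = 0x4 -bor 0x10 }
)
$sample | Test-ADTrustHardening | Format-Table -Wrap
# partner.example -> finding about SID history; legacy.local -> ok
```

Run it from each forest, since each side holds its own trust object and the flags are set per side; the netdom commands in the findings have to be run on the trusting side.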
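For the two backup items above, the following PowerShell is an added example and not code from the original article. It inventories the domain controllers per domain so the two-copies-per-domain and forest-root rules can be checked before backups are scheduled; the E: backup target and the two-DC minimum are assumptions.

```powershell
# Added example (not from the original article): which DCs exist per domain,
# which domain is the forest root, and where the backup plan falls short.
Import-Module ActiveDirectory

function Get-DCBackupInventory {
    param([int]$MinimumDCs = 2)   # assumption: keep backups of at least two DCs per domain
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        $dcs = @(Get-ADDomainController -Filter * -Server $domain)
        [pscustomobject]@{
            Domain       = $domain
            IsForestRoot = ($domain -eq $forest.RootDomain)   # losing this one loses the forest
            DCs          = $dcs.HostName -join ', '
            Warning      = if ($dcs.Count -lt $MinimumDCs) {
                               "only $($dcs.Count) DC(s): cannot keep $MinimumDCs independent backups"
                           } else { '' }
        }
    }
}

Get-DCBackupInventory | Format-Table -AutoSize -Wrap

# On each DC chosen for backup, take a system state backup with Windows Server
# Backup (a supported method: it captures ntds.dit, SYSVOL and the registry
# consistently), then confirm the backup is registered on the target:
#   wbadmin start systemstatebackup -backupTarget:E: -quiet
#   wbadmin get versions -backupTarget:E:
# repadmin reports the last backup time recorded for each directory partition,
# which is a quick way to spot a domain whose backups silently stopped:
#   repadmin /showbackup dc01.corp.example
```

The offline copy the article calls for is the step after this: copy the wbadmin output to storage that is not reachable with domain credentials, and rehearse a restore from that copy, not from the live target.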
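For the KRBTGT item above, the following PowerShell is an added example and not the GitHub script the article refers to. It reports the key age per domain and performs one reset step, forcing replication afterwards; run the reset twice, letting replication converge (and ideally the 10-hour default TGT lifetime pass) between runs. The 180-day threshold is an assumption within the article's 6-12 month guidance.

```powershell
# Added example (not from the original article): krbtgt key age per domain and
# a guarded single reset step for the two-step Golden Ticket eviction.
Import-Module ActiveDirectory

function Get-KrbtgtKeyAge {
    param([int]$MaxAgeDays = 180)   # assumption
    foreach ($domain in (Get-ADForest).Domains) {
        # every domain has its own krbtgt; RODCs use per-RODC krbtgt_<id> accounts, not covered here
        $k = Get-ADUser -Identity krbtgt -Server $domain -Properties PasswordLastSet
        $age = [int]((Get-Date) - $k.PasswordLastSet).TotalDays
        [pscustomobject]@{ Domain = $domain; PasswordLastSet = $k.PasswordLastSet; AgeDays = $age; Overdue = ($age -gt $MaxAgeDays) }
    }
}

function New-RandomPassword {
    param([int]$Bytes = 48)
    $buf = [byte[]]::new($Bytes)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    # Nobody ever types this value; the KDC derives the Kerberos keys from it.
    # Base64 just keeps it a valid password string.
    [Convert]::ToBase64String($buf)
}

function Invoke-KrbtgtResetStep {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Domain)
    $pdc = (Get-ADDomain -Server $Domain).PDCEmulator
    $new = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess("krbtgt in $Domain (via $pdc)", 'Reset password')) {
        Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $new
        # Push the new key to every DC in the domain. The KDC still accepts TGTs
        # encrypted with the previous key, which is why a second run, after
        # replication has finished, is what actually invalidates a Golden Ticket.
        & repadmin /syncall $pdc /AdeP | Out-Null
        Get-KrbtgtKeyAge | Where-Object Domain -eq $Domain
    }
}

# Usage:
#   Get-KrbtgtKeyAge | Format-Table
#   Invoke-KrbtgtResetStep -Domain corp.example -WhatIf   # dry run
#   Invoke-KrbtgtResetStep -Domain corp.example           # step 1; repeat later for step 2
```

Do the second step only after `repadmin /showrepl` is clean on every DC; resetting twice in quick succession on a domain with slow inter-site replication is how legitimate tickets get invalidated.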
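For the lateral-movement item above, the following PowerShell is an added example and not code from the original article or from LAPS itself. It measures LAPS coverage across a domain. It assumes the schema has been extended for legacy LAPS (ms-Mcs-AdmPwdExpirationTime) and/or Windows LAPS (msLAPS-PasswordExpirationTime); Get-ADComputer errors on an attribute the schema does not have, so drop whichever one is not deployed.

```powershell
# Added example (not from the original article): which machines still have no
# managed local admin password, i.e. where one shared password may still work.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $attrs = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime', 'OperatingSystem'
    # DCs are excluded: LAPS manages local accounts and a DC has none (Windows
    # LAPS can rotate the DSRM password on DCs, but that is a separate policy).
    $computers = Get-ADComputer -Filter "Enabled -eq 'True' -and PrimaryGroupID -ne '516' -and PrimaryGroupID -ne '521'" `
                                -SearchBase $SearchBase -Properties $attrs
    $nowFileTime = (Get-Date).ToFileTimeUtc()   # both expiration attributes are 64-bit FILETIME values
    $report = foreach ($c in $computers) {
        $exp = $c.'msLAPS-PasswordExpirationTime'
        if (-not $exp) { $exp = $c.'ms-Mcs-AdmPwdExpirationTime' }
        $state = if (-not $exp) { 'missing' }                        # never managed: default/shared password likely
                 elseif ([long]$exp -lt $nowFileTime) { 'expired' }  # client stopped rotating (offline, CSE or policy broken)
                 else { 'ok' }
        [pscustomobject]@{ Name = $c.Name; OS = $c.OperatingSystem; Laps = $state }
    }
    [pscustomobject]@{
        Total   = @($report).Count
        Ok      = @($report | Where-Object Laps -eq 'ok').Count
        Expired = @($report | Where-Object Laps -eq 'expired').Count
        Missing = @($report | Where-Object Laps -eq 'missing').Count
        Detail  = $report | Where-Object Laps -ne 'ok' | Sort-Object Laps, Name
    }
}

$r = Get-LapsCoverage
"{0}/{1} computers have a current LAPS password; {2} expired, {3} never set" -f $r.Ok, $r.Total, $r.Expired, $r.Missing
$r.Detail | Format-Table -AutoSize
```

Coverage is only half the control: who can read the passwords matters as much. Legacy LAPS ships Find-AdmPwdExtendedRights and Windows LAPS ships Find-LapsADExtendedRights to list the principals with read access per OU; anything beyond the intended helpdesk and tier groups is a lateral-movement path of its own.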
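For the privileged-group and privileged-access items above, the following PowerShell is an added example and not code from the original article. It expands nested membership of the built-in privileged groups (resolved by well-known RID, so it works in any language build) and flags accounts that break the dedicated-admin-account and tiering rules. The "adm-" naming convention, the 60-day threshold and the Protected Users expectation are assumptions; adjust them to your own standard.

```powershell
# Added example (not from the original article): who really is privileged,
# and which of those accounts are not set up as hardened, dedicated admin accounts.
Import-Module ActiveDirectory

$PrivilegedRids = @{
    512 = 'Domain Admins'; 518 = 'Schema Admins';    519 = 'Enterprise Admins'
    544 = 'Administrators'; 548 = 'Account Operators'; 549 = 'Server Operators'
    550 = 'Print Operators'; 551 = 'Backup Operators'
}

function Get-PrivilegedAccountReport {
    param([string]$AdminNamePattern = '^adm-', [int]$UnusedDays = 60)   # assumptions
    $domainSid = (Get-ADDomain).DomainSID.Value
    $seen = @{}
    foreach ($rid in $PrivilegedRids.Keys) {
        $sid = if ($rid -ge 544) { "S-1-5-32-$rid" } else { "$domainSid-$rid" }
        $group = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # Schema/Enterprise Admins exist only in the forest root
        # -Recursive expands nested groups, which is where accidental admins hide.
        # Cross-forest members of Administrators can make this cmdlet error; they are skipped.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $key = $m.SID.Value
            if ($seen.ContainsKey($key)) { $seen[$key].Groups += $group.Name; continue }
            $u = Get-ADUser -Identity $key -Properties LastLogonDate, AccountNotDelegated, PasswordNeverExpires,
                                                       ServicePrincipalName, MemberOf
            $issues = @()
            if ($u.SamAccountName -notmatch $AdminNamePattern) { $issues += 'not a dedicated admin account' }
            if (-not $u.AccountNotDelegated) { $issues += 'delegatable: set "Account is sensitive and cannot be delegated"' }
            if ($u.PasswordNeverExpires)     { $issues += 'password never expires' }
            if ($u.ServicePrincipalName)     { $issues += 'has SPN: Kerberoastable admin' }
            if ($u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-$UnusedDays)) { $issues += "unused for $UnusedDays+ days" }
            # Protected Users disables NTLM, RC4 and delegation for the member; test before adding
            if (-not ($u.MemberOf -match '^CN=Protected Users,')) { $issues += 'not in Protected Users' }
            $seen[$key] = [pscustomobject]@{ Account = $u.SamAccountName; Groups = @($group.Name); Issues = $issues }
        }
    }
    $seen.Values | Sort-Object { $_.Issues.Count } -Descending
}

Get-PrivilegedAccountReport |
    Format-Table Account, @{n = 'Groups'; e = { $_.Groups -join ',' }}, @{n = 'Issues'; e = { $_.Issues -join '; ' }} -Wrap
```

The first lines of the output are the accounts to deal with first: an account that is in Domain Admins, is not named as an admin account and has not logged on for two months is almost always someone's forgotten day-to-day account that was "temporarily" made an admin.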
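For the domain-controller hardening item above, the following PowerShell is an added example and not code from the original article. It disables the Print Spooler on every domain controller and lists the other principals trusted for unconstrained delegation, which is what makes the spooler coercion useful to an attacker in the first place. It assumes WinRM access to the domain controllers.

```powershell
# Added example (not from the original article): close the spooler coercion
# path on DCs and find the unconstrained-delegation hosts it would feed.
Import-Module ActiveDirectory

function Disable-DCPrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        if ($PSCmdlet.ShouldProcess($dc, 'Stop and disable Spooler')) {
            Invoke-Command -ComputerName $dc -ScriptBlock {
                Stop-Service Spooler -Force -ErrorAction SilentlyContinue
                Set-Service Spooler -StartupType Disabled
                Get-Service Spooler | Select-Object @{n = 'Host'; e = { $env:COMPUTERNAME }}, Status, StartType
            }
        }
    }
}

function Get-UnconstrainedDelegation {
    # DCs (primaryGroupID 516 = Domain Controllers, 521 = RODCs) are trusted for
    # delegation by design. Any other computer or user with TRUSTED_FOR_DELEGATION
    # receives and caches the TGT of every principal that authenticates to it,
    # including a domain controller coerced via the spooler.
    $computers = Get-ADComputer -Filter "TrustedForDelegation -eq 'True' -and PrimaryGroupID -ne '516' -and PrimaryGroupID -ne '521'" `
                                -Properties TrustedForDelegation, OperatingSystem
    $users = Get-ADUser -Filter "TrustedForDelegation -eq 'True'" -Properties TrustedForDelegation
    $computers | Select-Object @{n = 'Type'; e = { 'computer' }}, Name, OperatingSystem
    $users     | Select-Object @{n = 'Type'; e = { 'user' }}, @{n = 'Name'; e = { $_.SamAccountName }}, @{n = 'OperatingSystem'; e = { '' }}
}

# Usage:
#   Disable-DCPrintSpooler -WhatIf        # show which DCs would be touched
#   Disable-DCPrintSpooler
#   Get-UnconstrainedDelegation | Format-Table -AutoSize
```

Every host Get-UnconstrainedDelegation returns should be moved to constrained or resource-based delegation; where that is not possible, add the tier 0 accounts to Protected Users (their TGTs are then not forwardable) and put those hosts under the same monitoring as the domain controllers.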
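For the monitoring item above, the following PowerShell is an added example and not code from the original article or any SIEM vendor. It parses the Security events written when an account is added to or removed from a group and flags the privileged groups by well-known RID, so the detection does not depend on localized group names. The event at the end is constructed, not captured, so the parser can be exercised offline.

```powershell
# Added example (not from the original article): detection logic for privileged
# group membership changes, run over DC Security logs or a sample event.
$PrivilegedRids = '512', '518', '519', '544', '548', '549', '550', '551'   # DA, SA, EA, Administrators, Account/Server/Print/Backup Operators
$GroupChangeIds = 4728, 4729, 4732, 4733, 4756, 4757                       # add/remove for global, local, universal groups

function ConvertFrom-GroupChangeEvent {
    param([Parameter(ValueFromPipeline)][xml]$EventXml)
    process {
        $sys = $EventXml.Event.System
        $idNode = $sys.EventID
        $id = [int]$(if ($idNode -is [string]) { $idNode } else { $idNode.'#text' })
        $d = @{}
        foreach ($e in $EventXml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        $rid = ($d['TargetSid'] -split '-')[-1]
        [pscustomobject]@{
            Time       = [datetime]$sys.TimeCreated.SystemTime
            DC         = $sys.Computer
            Action     = if ($id -in 4728, 4732, 4756) { 'added' } else { 'removed' }
            Group      = $d['TargetUserName']
            Member     = $d['MemberName']
            Actor      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Privileged = $rid -in $PrivilegedRids
        }
    }
}

function Get-PrivilegedGroupChange {
    # Each DC only logs the changes it processed itself, so one DC's Security
    # log is never the whole picture; query all of them (or the SIEM).
    param([int]$Hours = 24)
    Import-Module ActiveDirectory
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = $GroupChangeIds; StartTime = (Get-Date).AddHours(-$Hours)
        } | ForEach-Object { [xml]$_.ToXml() } | ConvertFrom-GroupChangeEvent | Where-Object Privileged
    }
}

# Constructed sample: helpdesk1 adds a user to Domain Admins (RID 512).
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4728</EventID>
    <TimeCreated SystemTime="2024-05-01T09:12:33.000Z" />
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,OU=Users,DC=corp,DC=example</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-512</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1201</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x5a3f1</Data>
  </EventData>
</Event>
'@
$sampleEvent | ConvertFrom-GroupChangeEvent | Format-List   # Action = added, Privileged = True
```

The Actor field is the one to alert on: a membership change to a tier 0 group made by anything other than the small set of tier 0 admin accounts, or made outside a change window, is worth a page at any hour.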
Keeping AD secure and well maintained is crucial to stopping the tactics behind some of the most devastating cyberattacks in recent history. Yet AD management and security are something many organizations continue to struggle with. The best practices outlined above can help organizations eliminate some of the most common AD weaknesses, obstruct attackers' efforts to escalate privileges, and put themselves in a position to recover quickly, completely and cleanly when an attack occurs.