Sean Deuby

More than 20 years after its introduction, Microsoft Active Directory security remains integral to keeping businesses available and focused on their bottom line. In this post, learn what Active Directory security requires and which best practices can help you keep ahead of attackers.

What is Active Directory security?

At its core, Active Directory security is about enabling legitimate users to authenticate on the network and access the applications and data they need while protecting against anyone trying to access resources or elevate privileges they aren’t authorized for.

Active Directory effectively holds the “keys to the kingdom” by controlling authentication and authorization to most of an organization’s on-premises applications and data. Therefore, Active Directory security is a mission-critical priority for your business.

What are the top risks, vulnerabilities, exposures, and threats to Active Directory security?

Managing Active Directory can be complex. Yet, given Active Directory’s purpose, security is paramount. Configuration mistakes, over-permissioned users, and unpatched vulnerabilities can all contribute to cyberattackers’ ability to exploit Active Directory.

Active Directory is often a target for cybercriminals looking to elevate privileges to penetrate a compromised network. An example of this type of activity can be found with the CL0P ransomware gang, which has been observed using Cobalt Strike to expand network access after gaining access to an Active Directory server.

Just as compromising Active Directory is a top priority for attackers once they breach your network, securing it must be a priority for enterprises. Hardening Active Directory begins with understanding your environment and how threat actors target it. Here are a few significant configuration and security issues that negatively affect Active Directory and increase the risk of a cyberattack.

Unconstrained Kerberos delegation

Threat actors exploit unconstrained delegation to escalate their foothold in the targeted environment. Abusing this setting is another example of attackers using legitimate functionality for malicious ends. In Active Directory, delegation allows a computer to save a user’s Kerberos authentication tickets and then leverage those tickets to impersonate that user and act on their behalf. When unconstrained delegation is enabled, a threat actor can masquerade as a legitimate user and access undetected resources.

A high number of users in privileged groups

It is not uncommon for accounts to have privileges that exceed what is necessary. For example, a user might switch job roles and have a new set of permissions added, without having the old ones they no longer need revoked. Or granting excessive privileges to a user might be seen as a quick way to make an application work. This situation is a red flag—as these users are added to privileged groups, the risk they pose to the organization if compromised increases, as each account represents a potential pathway to privilege escalation for attackers seeking to move laterally throughout the environment. There is also the potential that a legitimate user may accidentally make unauthorized changes to Active Directory that impact security and compliance efforts.

Service accounts with elevated privileges

Service accounts are essentially user accounts that are given specific permissions in applications that enable them to run these services or applications. Sometimes, however, these accounts are assigned administrator rights that are not required for any potential operational issues because it’s a quick way to solve otherwise time-consuming configuration issues. The fact that service accounts often have weak passwords that are set to never expire only adds to their risk. Using the Kerberoasting technique, a threat actor can obtain the weak password for a service account in minutes—and if that account has elevated privileges, gain control of Active Directory.

Poor password and authentication practices

Failing to implement secure password policies and practices can undo the best technology. Weak passwords can be cracked using brute force and dictionary attacks. Common passwords can be guessed using password spray attacks. Based on evidence from large cloud identity providers, NIST and other organizations have recommended changes to timeworn password policies such as not expiring password, decreasing complexity while increasing length, and banning common passwords.

Configuration mistakes can exacerbate problems as well. For example, the Store Password Using Reversible Encryption setting is necessary to support legacy applications that need passwords in cleartext to function normally. However, since these passwords are reversible instead of hashed, an attacker who cracks the encryption can hijack the account. Any application that still requires this setting is long overdue to be retired – especially when weighed against the increased risk to Active Directory it poses.

Users having rights to add computers to a domain

If a user has the “Add workstations to domain” security setting enabled, by default, they will be able to add up to 10 computers to the domain. The challenge here is that an attacker can use this ability to bypass your endpoint security controls. Anyone who adds a machine account automatically becomes the owner of that machine object.

One common vulnerability is caused by operators joining future domain controllers to their Active Directory domain before promotion. If ownership of the computer object is not transferred, that operator will have administrative control over the domain controller once it has been promoted. This capability should be restricted to specific accounts that need it.

Examples of recent Active Directory breaches

You don’t need to look far to find examples of Active Directory breaches that have caused significant havoc—and severe repercussions for the victimized organizations.

  • The cities of Dallas, Texas, and Oakland, California, have both been working for months to recover from cyberattacks that affected city services.
  • London’s Barts Health NHS Trust, serving more than 2 million patients, was a victim of a BlackCat/ALPHV attack.
  • School district attacks across the country, including Minnesota, Colorado, and California, have exposed private student data to threat actors.
  • SolarWinds, a victim of one of the most well-known cyberattacks in recent history, recently announced that its executives expected to face US SEC charges related to their handling of the incident.
  • Dish Network reported a ransomware attack in March that compromised Active Directory, then its VMware infrastructure, affecting millions of subscribers for over a month.

Attackers know that compromising Active Directory opens the door to all manner of malicious activities, from data theft to ransomware. In the Barts Health NHS Trust attack, terabytes of data were reportedly stolen. A successful attack can equal downtime, unfavorable media coverage, and negative impacts on the customers whose data is compromised. Once attackers are inside your network, limiting the damage they can do will rest partly on your ability to block them from accessing critical resources. At the center of those efforts is Active Directory security.

Active Directory security and Governance, Risk, and Compliance

Monitoring and securing Active Directory is important for more than cyber defense. Active Directory is a vital source of information for compliance regulations that require audit trails and evidence of access controls and policies around sensitive data. Regular auditing and comprehensive visibility are necessary to meet the demands of regulations and standards like HIPAA and PCI DSS. A robust Active Directory security monitoring strategy provides important insight for compliance purposes.

What are the best practices for protecting your Active Directory?

The key to preventing many of these issues rests with your ability to detect risky configurations and monitor for any accidental or malicious changes. On a fundamental level, reducing risk is about raising the barrier to entry for attackers—closing security holes before attackers can walk through them.

By running regular security assessments, you can detect potential threats before they are exploited. A permission change on the AdminSDHolder object or a recent change to the default security descriptor schema can be signs of an ongoing attack. If those changes were not approved, an immediate alarm should sound.

The good news is that organizations can follow several tips to limit the Active Directory attack surface.

Implement effective password policies

Protecting passwords and enforcing password complexity is critical as your first line of defense. Complex passwords should be at least seven characters long and include numerals, both uppercase and lowercase characters, and non-alphanumeric characters, such as exclamation points and dollar signs. Organizations should consider using the fine-grained password policies feature instead of Group Policy Objects (GPOs) to implement stricter rules. For example, policies can be created to apply different account lockout rules to specific sets of users on a single domain.

Follow NIST guidelines for password policy, summarized earlier. Passwords should be stored in an air-gapped vault. Additionally, organizations should ensure Group Policy passwords are not stored anywhere in SYSVOL, which is a directory that resides on each domain controller (DC) within a domain. SYSVOL contains the GPOs and logon scripts that clients need to access and synchronize between DCs. If admins store credentials in SYSVOL folders, those credentials can be stolen by an attacker in control of a compromised account.

Apply the principle of least privilege

Following the principle of least privilege is essential to reducing your Active Directory attack surface—the various attack vectors your organization needs to guard against. This approach calls for all users, devices, and applications to be provided only the minimum number and level of permissions they need to function.

Whether improperly inherited, granted by accident or malicious action, or simply granted for expediency, excessive user permissions pose a direct security threat to your environment. There may also be implications related to regulatory compliance in certain industries. From the outset, your environment should be designed to give accounts only the minimum rights necessary. Privileged groups should have a limited number of members, and some, such as Printer Operators, should arguably have none or be restricted to allow temporary membership only.

Handling this properly will involve clearly understanding user roles, who in the organization will have the authority to add users to groups, and when they can do so. Audit your environment regularly to reduce risk and eliminate over-privileged accounts.

Complicate Active Directory reconnaissance

Attackers often perform Active Directory Lightweight Directory Access Protocol (LDAP) reconnaissance to gain insight into the environment and continue their attack. Active Directory was designed to be an open book, making preventing this reconnaissance difficult. However, by removing local administrator rights and monitoring for suspicious LDAP requests, enterprises can complicate matters for attackers. Additionally, by leveraging just-in-time provisioning and renaming organizational units (OUs), you can limit the visibility of an attacker armed with a legitimate account.

Retire legacy protocols

Best practices call for eliminating legacy protocols such as TLS 1.0 & 1.1, Server Message Block v1 (SMBv1), Digest Authentication, and Lan Manager (LM) / NTLMv1 and NTLMv2. These protocols were not designed with today’s threats and security needs in mind and can form a weak point in your organization’s defense. NTLMv1 and NTLMv2, for example, are vulnerable to threats such as brute-force and man-in-the-middle attacks, and organizations are advised to switch to Kerberos. Before retiring these protocols, however, the Active Directory team should ensure they fully understand how these protocols are used in the environment to avoid breaking the functionality of any applications in use.

Patch Active Directory vulnerabilities and insecure configurations

Vulnerabilities like Zerologon (CVE-2020-1472) pose a significant risk to Active Directory if enterprises are behind in their patching. Due to Active Directory’s criticality in your IT environment, patches should be prioritized, tested, and deployed as quickly as possible. Attackers will look to strike known vulnerabilities first. To reduce risk, enterprises should scan their systems regularly and prioritize patching vulnerabilities according to their severity and the potential impact on business operations if they are exploited. In addition, outdated software should be identified and updated as quickly as possible.

Going after low-hanging fruit does not stop with patching vulnerabilities. It also involves identifying insecure settings that grant users unneeded permissions or facilitate privilege escalation. Whether those configuration errors are due to negligence, accidental changes, or malicious actions, conducting periodic security assessments is a necessity.

By taking these steps, your organization can build walls around your users, sensitive data, and systems that will reduce the risk and make the Active Directory environment more resilient in the face of attack.

How can Semperis help you ensure Active Directory security?

At Semperis, we help organizations ensure the integrity and availability of on-premises Active Directory and Entra ID with solutions that can help them identify, recover from, and respond to attacks.

Discover expert identity threat detection and response (ITDR) and Active Directory security and recovery solutions.

Learn more about Active Directory security risks & best practices