Daniel Petri

Welcome to the final installment of this series discussing CISA and NSA top ten cybersecurity misconfigurations in the context of hybrid Active Directory environments. Active Directory is the identity system for most organizations: a critical part of your infrastructure, and a prime target for cyberattackers.

This week, I’ll discuss the final three misconfigurations on the CISA/NSA list. Read on for:

  • A quick explanation of how each vulnerability affects hybrid Active Directory identity environments
  • Risks to Active Directory and Entra ID
  • Indicators of exposure (IOEs) and indicators of compromise (IOCs) that Semperis Directory Services Protector and Purple Knight use to alert you to the existence of the vulnerability or attempts to exploit it

Read the series from the start: NSA Top Ten Cybersecurity Misconfigurations + AD Security (Part 1)

8. Insufficiently configured access control lists on network shares and services

Access control list (ACL) misconfiguration, from an Active Directory security standpoint, typically means that permissions are either too permissive or incorrectly assigned. ACLs that are too permissive can allow unauthorized users to access, modify, or delete data. Incorrect assignments might grant users access rights that are unnecessary for their role or function. Either issue can result from one of the following:

  • A lack of understanding of the principle of least privilege
  • A misinterpretation of access requirements
  • Simple oversight in the complex task of managing access rights

Identity security risks

The primary vulnerability related to ACL misconfiguration lies with the network shares and services that the ACLs protect. However, the potential impact extends to the entire organization. Improper access control can lead to:

  • Data breaches
  • • Unauthorized data manipulation
  • • Disruption of services

In the context of Active Directory and Entra ID, ACLs play a critical role in securing the authentication and authorization infrastructure. The risks are amplified because of the services’ central role.

Indicators of exposure and indicators of compromise

In Purple Knight and Directory Services Protector, the following indicators can alert you to insufficient ACLs:

  • Non-standard schema permissions. By default, modification permissions on the schema are limited to Schema Admins. These permissions grant the trusted principal complete control over Active Directory.
  • Delegation changes to Domain NC head. Changes in the delegation to this special object could enable unprivileged users to synchronize the Active Directory database for offline cracking (i.e., a DCSync attack).
  • Non-default principals with DC Sync rights on the domain. Security principals with these permissions on the domain naming context object can potentially retrieve password hashes for users in an Active Directory domain (i.e., a DCSync attack).
  • Permission changes on AdminSDHolder object. This security indicator could indicate an attempt to modify permissions on privileged objects that are subject to AdminSDHolder.
  • Write access to RBCD on krbtgt account. Attackers that gain write access to role based constrained delegation (RBCD) for a resource can cause the resource to impersonate any user.
  • Azure application registration granted read/write access. A malicious or misconfigured application can lead to data exposure or compromise on an Azure tenant.
  • Check for risky API permissions granted to application service principals. A malicious application administrator could use these permissions to grant administrative privileges to themselves or others.
  • Non-admin users can register custom applications in Entra ID. If non-admin users are allowed to register custom-developed enterprise applications, attackers might use that loophole to register nefarious applications. The attackers could then leverage those apps to gain additional permissions.
  • Security defaults not enabled in Entra ID. Security defaults require multifactor authentication (MFA), block legacy authentication, and require additional authentication when accessing the Azure portal, Azure PowerShell, and the Azure CLI.
  • AAD privileged users that are also privileged in AD. A compromise of an account that is privileged in both Active Directory and Entra ID (formerly Azure AD or AAD) can lead to the compromise of both environments.
  • AD privileged users that are synced to AAD. When a privileged Active Directory user is synchronized to Entra ID (formerly AAD), a compromise of the Entra ID user can lead to a compromise of the on-premises environment.

9. Poor credential hygiene

Poor credential hygiene might involve:

  • Using weak passwords
  • Reusing passwords across multiple accounts
  • Sharing credentials between users
  • Failing to change default usernames and passwords
  • Failing to update credentials regularly
  • Failing to use MFA
  • Improper storage of credentials (e.g., writing them down on paper, storing them in unprotected digital files, using insecure password management tools)

Identity security risks

Poor credential hygiene can put your entire network ecosystem at risk. The risks are particularly severe in environments that use Active Directory for network resource management and Entra ID for cloud services.

In an Active Directory context, poor credential hygiene can lead to:

  • Unauthorized domain access
  • Lateral movements within the network
  • Privilege escalation

In short, this type of misconfiguration can enable attackers to gain persistent access to your systems and compromise sensitive data.

Indicators of exposure and indicators of compromise

In Purple Knight and Directory Services Protector, the following indicators can alert you to poor credential hygiene:

  • Admins (or any users) with old passwords. If Admin account passwords are not changed regularly, the accounts can be ripe for password guessing attacks.
  • Built-in domain Administrator account with old password. If this password is not changed regularly, the account can be vulnerable to brute force password attacks.
  • Kerberos krbtgt account with old password. If the krbtgt account password is compromised, threat actors can perform Golden Ticket attacks to obtain access to any resource in an Active Directory domain.
  • Privileged accounts (or any users) with a password that never expires. User accounts with passwords that never expire are ripe targets for brute force password guessing. Accounts that are also administrative or privileged accounts are an even bigger target.
  • Privileged users with weak password policy. Weak passwords are easier to crack via brute-force attacks and give attackers the opportunity to move laterally or escalate privileges. The risk is even greater for privileged accounts. When compromised, these accounts improve an attacker’s chance of quickly advancing within your network.
  • User accounts that store passwords with reversible encryption. Attackers might be able to derive these passwords from ciphertext and take over the accounts.
  • User accounts that use DES encryption. Attackers can easily crack DES passwords by using widely available tools, making these accounts ripe for takeover.
  • Custom banned password protection not in use in Entra ID. Organizations that do not use custom banned password protection are more susceptible to password guessing attacks.

10. Unrestricted code execution

Unrestricted code execution can stem from various misconfigurations, including:

  • Overly permissive user permissions
  • Lack of application whitelisting,
  • Disabled or misconfigured security features
  • Inadequate use of sandboxing techniques

Identity security risks

Systems with unrestricted code execution vulnerabilities are at risk of unauthorized activities by both external attackers and insider threats. In Active Directory environments, unrestricted code execution can enable an attacker to escalate privileges or execute lateral movement within the network. In Entra ID, this type of misconfiguration could permit the execution of malicious code that can compromise cloud services and data.

Indicators of exposure and indicators of compromise

Malicious changes that take advantage of these vulnerabilities in Active Directory bypass the security event log and cannot be spotted using standard monitoring tools. To help mitigate these risks, organizations should use tools that provide expansive identity threat detection and response (ITDR). For example, DSP and PK can scan Active Directory and Entra ID for evidence of a Mimikatz DCShadow attack.

Fortify your identity defenses

This list of CISA and NSA top ten cybersecurity misconfigurations pose significant security challenges, especially in Microsoft Windows and Active Directory environments. However, such vulnerabilities are not confined to these environments. Rather, they indicate potential issues in a variety of network setups.

Semperis highlights that security tools like DSP-I and PK can detect potential security exposures and compromises, offering a way to monitor and rectify changes in AD infrastructure.

Implementing robust cybersecurity measures, regular audits, and adopting a proactive approach to network configuration management can help to mitigate these risks. In addition, robust identity threat detection and response (ITDR) tools like Directory Services Protector and Purple Knight—which is free to download and use—can help network defenders prevent or mitigate exploitation by malicious actors. A fortified defense and regular (or better yet, continuous) monitoring of your hybrid Active Directory environment is the best way to keep these common but critical misconfigurations from making a cyberattackers day—and ruining yours.

Previous posts in this series