Legacy Active Directory (AD) environments are often hotbeds of cybersecurity vulnerabilities because of misconfigurations that have accumulated over time. In education organizations, the challenges of securing AD are compounded by the constant onboarding and offboarding of students and faculty. Uncovering unknown vulnerabilities in the AD environment he inherited was a key driver for Jim Shakespear, Director of IT Security at Southern Utah University (SUU), to explore Purple Knight, Semperis’ free AD security tool.
“I inherited management of our Active Directory environment quite a few years ago,” said Shakespear. “It was already up and running when I arrived ten years ago. One of the reasons I initially investigated Purple Knight is because I’m just highly interested in Active Directory security…. I’ve used several other tools in the past, and I wanted to see what Purple Knight had to offer.”
Watch Shakespear talk with Petri IT Knowledgebase about SUU’s experience using Purple Knight in securing AD.
The challenges of legacy technology in securing AD
Configuring that older environment to securely manage user accounts for the university’s students, faculty, and IT personnel has been challenging, to say the least. Account management requires an especially notable effort, even with the necessary best practices in place. The presence of legacy technology such as NTLM, which Shakespear is currently attempting to deprecate, further complicates the task.
“Since we’re a university, the bulk of our users are students,” said Shakespear. “Traditionally, one of our biggest issues involved onboarding and offboarding student users. We have that automated to a good extent, so I feel fairly comfortable with where we’re at there.”
The benefits of automation
Automation is at the heart of much of what SUU does with Active Directory. It heavily leverages automated reports from PingCastle, and Shakespear has regularly participated in penetration tests with BloodHound to find insights that might relate to his own environment. Purple Knight has, he said, meshed perfectly with this approach.
“I like Purple Knight because it runs very quickly through different indicators of compromise and is quick to provide a report that’s easy to follow,” Shakespear said. “One of my most recent reports, an eye-opener for me, was that I hadn’t changed the KRBTGT password in some time. I had a process in place to automate that, and it hadn’t been running properly.”
Speed is far from the only benefit Purple Knight has brought to the university in terms of securing its Active Directory deployment. When Shakespear and his team first began running scans with the tool a year ago, Purple Knight detected several SIDs tied to orphaned and deleted accounts. Those have since been cleaned out, and Shakespear is currently working on automated scanning and report generation.
Getting a baseline
“Purple Knight is easy to use, with an excellent interface, and just being able to share the scorecard with members of IT so they get an overall picture of where we’re at in Active Directory is very beneficial,” Shakespear said. “Being able to run those reports quickly and get that baseline also gives us a good idea of where to target our penetration tests. And when we’re talking with our clients, we can give them a quick, easy overview of items they can work on right away to improve their security posture.
“I would definitely recommend Purple Knight to other organizations,” he said. “I already have — I’ve presented at conferences, talked with colleagues, and mentioned the tool to other penetration testers. It’s a great tool, especially for Active Directory environments.”