Why You Should Pay Attention to Excessive Privilege in Active Directory
I addressed Active Directory excessive privilege in the past as part of other, broader topics. But recently I started thinking it’s a great time to dedicate an entire article to it. This is not a random thought on my part. All you need to do is look at a few facts to understand why you should review AD privileges in your organization soon, if not today:
- Active Directory excessive privilege exists in most companies, even today
- Errors (that can be devastatingly costly) are far more likely to occur with an unnecessarily large number of users who CAN make changes they shouldn’t be able to make
- As you know, AD-focused cyber-attacks use privilege escalation as a go-to method, and with many privileged users in your system, attackers can literally remain invisible, even if you do try to monitor AD activities
- You don’t want to realize you had that one over-privileged disgruntled employee (especially when it’s too late). It’s not as rare as you think. Verizon DBIR 2016 reports that nearly 8% of organizational data breaches are from intentional internal sources (malicious employee or former employee).
And now you know why I wanted to make this the topic of my post.
If everyone knows it’s bad, why is Active Directory over-privilege so common?
It happens that specific employees need to perform tasks that require more privileges. It’s normal for admins to allow these privileges, but does anyone remember to remove the additional privileges later on? In most cases, no. And it’s important to remember that employees are likely to point out they need a privilege they don’t have, but not likely to complain about having a privilege they don’t use. And excessive privilege can really accumulate over time in this way.
As privileged groups go, the most privileged roles in AD are usually Enterprise Admins, Domain Admins, and Administrators. And there are other roles that carry privileges that are sometimes automatically given to employees and hardly ever reviewed. Firstly, it’s important to note that not all people who are assigned to specific groups need all the privileges of their group. Secondly, think about the last time you looked at the number of people in your organization who had privileged accounts. It was probably a while back and there may be a few too many people on the list by now.
Another reason, which may be the key factor: while many of you know why excessive privileges are risky, getting started on reviewing all the privileges in the organization can be a disheartening task. It can take a lot of time and resources, and you have neither to spare. It’s an important thing to do, but it rarely appears to be urgent, so in many organizations, it is labeled as a lower priority.
What can happen if you do nothing
We mentioned the possibility of encountering a disgruntled employee scenario. It’s easy to understand why you would want to make sure that your data is safer and all your employees have ONLY the privileges they need to work right now (least privilege). You can never know which of your employees will go rogue, so limiting everyone’s access to the necessary minimum is a great way to prevent surprises.
Of course, not all problems are rooted in malicious intent. We are all humans and we all sometimes make mistakes. While it’s known that Active Directory is a very stable system, we’ve all heard at least one terrible “oops-moment” story at some point. When you remove unnecessary privileges, you can minimize the chance of such “oops-moments” that could otherwise happen.
We also mentioned the cyber-attack possibility. It’s not exactly breaking news that Active Directory is increasingly targeted by external hackers because it’s a fabulous gate through which an attacker can get a lot of information. If you have more privileged accounts than you need, hackers who gain access to your system will be harder to discover. Even when you monitor activity in Active Directory all the time, you don’t want to have to find a “needle in a haystack”. To increase your ability to detect attackers, you may want to minimize privileges as much as you can. And to add another reason, imagine one of your users inadvertently clicks or downloads something they should not and ends up launching malicious code. If the user is logged in with administrator privileges, the malware may access quite a lot of data in your organization. If the malware is executed under a non-privileged account it will, at least at first, access only a single user’s data.
How to responsibly solve excessive privilege?
There are many things you can do to prevent excessive privilege, and it’s important to find the right balance for your team and your organization. Implementing the strictest policies sounds tempting as a way to err on the side of caution, but it may also add heavy workloads to the IT team – so assess your needs and your capabilities to choose the right plan. Let’s cover a few of the more manageable options here.
You can implement granular access controls that enforce least privilege. In fact, Microsoft saw excessive privilege at many of its customers and decided to publish a guide to help you with the task of implementing least-privilege administrative models.
To add to the above, when you do add privileges, make sure to set them up to be temporary for employees who make requests (limit to one week or one month). At worst, employees will reach out to ask for the same privileges again in the future. At best, you can spare your organization an unnecessary disaster.
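One way to make a grant expire on its own, shown as an added example that is not part of the original article: it uses the time-bound group membership that Active Directory offers once the Privileged Access Management optional feature is enabled (Windows Server 2016 forest functional level or later). The group name and account name are hypothetical placeholders.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and rights to edit the group.
Import-Module ActiveDirectory

# Time-bound membership depends on this optional feature. Enabling it is a
# forest-wide, irreversible change, so this script only checks for it.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam -or -not $pam.EnabledScopes) {
    throw 'Privileged Access Management Feature is not enabled in this forest.'
}

$group = 'Server Operators'      # hypothetical: the group that carries the privilege
$user  = 'jdoe'                  # hypothetical: the requesting employee's account
$ttl   = New-TimeSpan -Days 7    # one week, the shorter of the limits suggested above

# The directory removes the membership itself when the TTL runs out,
# so nobody has to remember to revoke it.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive $ttl

# Verify: time-bound members are listed with a <TTL=seconds> prefix on their DN.
(Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive).member
```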
Because the process of eliminating excessive privilege in the organization can appear daunting, try to divide and conquer it. Start by addressing the accounts that have privilege that bears the greater risk. It’s as simple as the Pareto Principle (or the 80/20 rule). You can sometimes eliminate 80% of the risk by addressing 20% of the causes.
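A starting point for that first 20%, as an added example that is not from the original article: it counts the accounts in the three most privileged groups named earlier, including those that get there through nested groups, and lists the ones that look unused. The 90-day threshold and the single-domain setup are assumptions.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and a single-domain forest.
Import-Module ActiveDirectory

$privilegedGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators'
$staleAfterDays   = 90   # assumed review threshold; set it from your own policy
$cutoff           = (Get-Date).AddDays(-$staleAfterDays)

$report = foreach ($name in $privilegedGroups) {
    # Direct members only, so nested grants can be told apart below.
    $direct = (Get-ADGroup -Identity $name -Properties member).member

    # -Recursive flattens nested groups and returns the leaf accounts.
    Get-ADGroupMember -Identity $name -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                     -Properties LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $name
                Account         = $u.SamAccountName
                Enabled         = $u.Enabled
                ViaNestedGroup  = $direct -notcontains $u.DistinguishedName
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                # LastLogonDate replicates with a delay, so treat it as approximate.
                Stale           = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
            }
        }
}

# Headcount per group: the number the review starts from.
$report | Group-Object Group | Format-Table Name, Count -AutoSize

# Review candidates first: stale or disabled accounts that still hold the privilege.
$report |
    Where-Object { $_.Stale -or -not $_.Enabled } |
    Sort-Object Group, Account |
    Format-Table Group, Account, Enabled, ViaNestedGroup, LastLogonDate -AutoSize
```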
The list of possible methods goes on and on, all the way to the most radical approach of having no privileged AD accounts in the organization at all. This is maintained by allowing administrators to access secure administrative hosts, where they will be allowed to perform all admin tasks. The reason I call it a radical approach is, as you must know, it will increase security, but make the task of maintaining a smooth operation a lot harder. In today’s organization, the workloads on AD professionals keep growing. In addition, resources for managing organizations’ AD needs don’t necessarily grow as quickly as they should. So adding this layer of obstacles may seem a bit unproductive.
And when you seek a backup plan…
There are other factors that can cause an AD disaster, beyond the issue of over-privilege. You’re probably thinking about AD upgrades, targeted malicious intent attacks, or even natural disasters. So it’s always safer to have a solid Active Directory disaster recovery automation solution in your “toolbox”. These automation/orchestration technologies do not differentiate between disaster causes: It will not matter what caused the organization to have an AD failure, it only matters that recovery can be swift and easy. A good example for a solution you can leverage is Semperis Active Directory Forest Recovery, which minimizes recovery times and significantly simplifies the process of emerging from AD disasters.
You also want to ALWAYS have a good Active Directory backup to fall back on. In case you don’t yet have an AD DR technology you can fall back on, you can still improve your Active Directory backups. This will provide a much-needed safety net for any disaster scenario. You can watch this 20-minute AD backup best practices tutorial to see whether your current backup strategy answers all your needs (turn up your speakers :).
Everything I mentioned here about the benefits of reducing privilege for users also applies to servers, workstations, and applications – for similar reasons. The important thing to remember is that while the process of addressing the issue of over-privilege is long, there are best practices in place to help you get started, and technologies to help secure your AD – before, during, and after you complete the process.