During the TEC 2023 event in Atlanta, GA, I enjoyed attending a session by Sean Metcalf (Microsoft Certified Master – founder of Trimarc Security) called “The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations.”
Sean did a fantastic job identifying multiple security issues facing today’s Active Directory and Entra ID environments and providing many call-to-action items to remediate issues for administrators listed below.
Active Directory Lessons
Account Security
- Privileged and service accounts with old passwords – Ensure any privileged and service account passwords are changed annually. Older passwords can be simple and easier to guess.
- Limit password attack capability – Implement a password filter to reduce non-secure password patterns. Fine-grained password policies allow flexibility to set different password policy settings for different types of accounts. Leverage Group Managed Service Accounts (GMSAs) where possible that automatically rotate passwords within Windows Server for applications.
- Default Domain Administrator Account Issues – The default domain administrator account that is created when an Active Directory forest is created should be enabled and used only as an emergency break glass account. If in a scenario where all Global Catalog servers are unavailable in Active Directory, this is the only account that can be used for local login to perform forest recovery operations. The account password should be rotated via Windows LAPS or a 3rd party solution.
- Perform Account Cleanup – Disable accounts that are no longer in use. Remove accounts from privileged groups.
Domain Controller Security
- Print Spooler Service Issue – Disable the print spooler service on all domain controllers. The print spooler service can receive notifications with non-constrained Kerberos delegation that can potentially expose the computer credentials of the domain controller.
- Application and Agent Installations – If agents and applications are needed on a domain controller, ensure they are all running on the latest version and patched often.
- OS Version and Patching – Ensure all domain controllers are running current and supported Windows versions. Windows Server 2012 and 2012 R2 leave extended support on October 10th, 2023.
Entra ID Lessons
Account and Application Security
- Standard User Accounts Issued Global Administrator rights – Do not assign the Global Administrator role to a standard user account. Enable Entra ID PIM and assign eligible service accounts and emergency break glass accounts with the ability to use the GA role.
- Administrator Accounts without MFA Enabled – All administrator-privileged accounts in Azure should be enabled behind some form of MFA. However, one account designated as an emergency break glass account should have MFA disabled in case there is an MFA service authentication issue or outage so that it is able to perform administrative duties if necessary.
- Over Privileged Application Permissions – Overprivileged application permissions over time are susceptible to the risk of being used to take control of Entra ID and make changes to directory role membership assignments. Use the concept of least privileged access to only assign the role permissions necessary for an application to function.
Protect The Directory
Active Directory and Entra ID are prime targets for ransomware attacks – as evidenced by the recent incidents at MGM Resorts International and Caesars Resorts. Sean’s message on how these attacks were performed within each step of the attack progression emphasizes a message – always keep a security focus at the forefront of protecting the entire directory. Identifying the common security issues and resolving them improves the system security, identity security and breach resilience of your directory.
The Microsoft 365 Kill Chain and Attack Path Management
An effective cybersecurity strategy requires a clear and comprehensive understanding of how attacks unfold. Read this whitepaper to get the expert insight you need to defend your organization!