Ever-Evolving Threats in Active Directory

Although there are no official statistics illustrating the number of organizations that use Active Directory and on-premises, it’s safe to assume that most do in some shape, way, or form. This statement is not just based on conjecture, but a reflection of my experience through multiple engagements throughout the years, including several breaches. 

TEC Talk: Active Directory, when old age is both a curse and a blessing

Join this FREE webinar and learn how to modernize, secure, and reduce the attack surface in your Active Directory

In the current cyber security landscape, organizations face an uphill battle against a wide variety of threats:  

  • An increasing number, sophistication, and variety of attacks. 
  • More and more Supply Chain Attacks, whereby compromised vendors lead to an increased security risk. 
  • Maintaining (cloud) security; the complexity, diversity, and proliferation of cloud solutions used in an organization, increase the risk of misconfiguration, the lack of visibility, and thus increase the overall risk to the environment. 
  • Keep IoT and OT devices secure, as these become an increasingly important attack target. 
  • The rise of AI used both for offensive and defensive elements of cybersecurity. 
  • The shortage of skills
  • Increased regulations and demand for compliance. 

Active Directory has been around for almost 25 years. As such, one might expect that – by now – we would have figured out to keep it safe against attacks. Yet, it remains a weak point in many organizations’ cybersecurity defenses. When coupled with the challenges mentioned above, this can be a recipe for disaster. Why is this the case?  

Here are some common issues that I frequently come across: 

Insecure Defaults 

A lot of organizations use, or have used, the default settings when deploying or setting up Active Directory. While this may be functional, there are several elements that could be modified to enhance your security posture. For instance, it’s advisable to delegate access to the directory, limit access for regular users, enhance logging, and disable unused features and legacy (insecure) protocols. 

Technical debt 

Being close to 25 years old, many on-premises Active Directories were installed a long time ago. Often by people who are no longer with the organization, leaving a potential gap in the configuration of Active Directory or – more importantly – the context of why some elements have been configured in a certain way. The missing information and insecure elements, such as the use of older protocols, often leave organizations inert as they fear breaking systems that may depend on them. The IT department often doesn’t prioritize the investigation of systems that depend on specific configurations, which, along with remnants of past migrations and consolidations, often create unknown and undetected sources for breaches. 

Too Many Domain Admins 

In my experience, many customers have multiple accounts with either domain administrator or enterprise administrator privileges, including the IT department’s own accounts. Service accounts also frequently receive these privileges, often for the wrong reasons, as vendors fail to invest time and resources in defining specific permissions they require. This is primarily because domain admin permissions tend to “just work.” Handing out an excessive number of these privileges increases the risk of account abuse, particularly when passwords are not frequently changed, which is often the case with service accounts. 

TEC Talk: Active Directory, when old age is both a curse and a blessing

Join this FREE webinar and learn how to modernize, secure, and reduce the attack surface in your Active Directory

Unpatched systems 

In most cases, attackers exploit vulnerabilities to initiate a compromise of an organization’s security, unless the account credentials are accessible and can be used from outside the organization, such as to log in to a VPN. These vulnerabilities may be client-side or server-side. Attackers can then move laterally from one system to another through lateral movement, ultimately gaining control of the entire environment. Keeping your systems up-to-date reduces the risk of exploiting vulnerabilities, but it does not rule out zero-day vulnerabilities. However, it makes it significantly more challenging for attackers to infiltrate or move around in the first place. 

Lack of tiered administration 

To move from one system to another, attackers need to exploit vulnerabilities or privileges they have acquired earlier in their attack. Unfortunately, accounts with domain admin credentials are often used to manage various systems across the environment. However, this practice is likely the single most dangerous thing to do. A system through which domain administrator credentials are exposed becomes a prime target and significantly simplifies attackers’ activities or their ability to move from one system to another.

Implementing tiered administration, where access and management of systems are segregated into different tiers and where domain administrators can only manage and access Tier 0 resources, significantly enhances security, despite the additional effort it imposes on administrators. Many organizations fear that introducing a tiered administration model will drive up complexity and cost. Although a tiered administration model can quickly become a burden, there are a few quick wins through a handful of GPOs, or the use of a third-party Privileged Access Management tool. 

Growing lack of skills 

Years ago, when I first started in IT, it seemed like almost everyone I knew had at least some Active Directory skills. However, with the rise of cloud technology and the allure of new technologies, a skill gap is emerging for this critical product. Despite many organizations continuing to rely on Active Directory in the foreseeable future, people entering the workforce often have little to no knowledge about Active Directory, let alone the intricacies of how it operates and how to secure it properly. The experience required to manage Active Directory effectively is not gained overnight, leaving organizations vulnerable not only from a technical standpoint but also in terms of human resources. 

Lack of Monitoring 

Due to its configuration defaults and missing functionality, monitoring Active Directory, including how it’s used, abused, or misconfigured, is one of the top risks associated with it. To mitigate these challenges, organizations need to rely on additional tools. For instance, using Microsoft Defender for Identity can help detect anomalous activities in the environment. Increasing the security event logs on servers and setting up alerts when someone clears such logs can aid with forensics and detecting tampering. Finally, regularly reviewing the security posture through solutions like BloodHound may provide the insights you need to prioritize activities to increase the overall security posture. 

Avoid These Shortcomings

Although this is just a brief overview of some of the common issues I have seen in the field, it is a great starting place to address them. If you are interested in hearing some insights about what to do against these shortcomings, join our upcoming TEC Talk: Active Directory, When Old Age is Both a Curse and a Blessing, on April 27, 2023.

Michael Van Horenbeeck is an expert in Cloud Security, Compliance, and Identity Management, holding both the Microsoft Certified Solutions Master (MCSM) certification and the Microsoft Most Valuable Professional for Security (MVP) award simultaneously. As CEO and Sr. Architect at The Collective, he leads their security practice, delivering specialized services such as a managed detection and response (MDR) service. He has assisted customers of all sizes globally in designing, implementing, securing, and managing solutions based on Microsoft 365 and Azure. He is an active community member, author and inspirer of the Microsoft 365 Security for IT Pros e-book, and frequently speaks at events around the world. Follow his insights on Twitter @vanhybrid, or on his websites m365securitybook.com, insight365.eu and thecollective.eu.

Comments

  1. Mike Lewis

    Great article. Hits home on every point.

    How can we stay in touch?

Leave a Reply