Microsoft’s Active Directory is at the heart of many enterprise organization’s authentications and access management mechanisms. Active Directory serves as the center of mechanisms that allow users and computers to authenticate as well as applications to integrate and make use of user permissions to run services, database engines, backup processes, and many other business-critical services and applications.
Needless to say, Active Directory is critically important to overall business-critical applications. If there is a problem with Active Directory, it can literally take down everything from authentication, access permissions, email, network access, network authentication, and a long list of extremely critical services. The costs of having an entire network and all the mechanisms that go along with it go down due to an Active Directory issue is very concerning. Active Directory is often the target of attackers looking to steal credentials or abuse privileges.
Let’s take a look at what organizations can do to protect their Active Directory infrastructure from security compromise.
Identifying Threats to Active Directory
Active Directory is a critical component of an organization’s infrastructure. It is generally at the center of all authentication traffic, how permissions are assigned, makes email configuration and flow possible, enables backup processes to run, allows critical web infrastructure to be serviced, databases to run and secured, and many other extremely important critical functions. Needless to say, it is important! Security threats must be identified and efforts put forth to minimize the attack surface on Active Directory as much as possible.
One of the ways that can pay dividends when looking to detect dangers to Active Directory via an attacker or other security vulnerability is Monitoring.
Monitoring of user behavior can go a long way in detecting and being proactive in discovering threats to Active Directory. Monitoring user behavior is a key area since a change in behavior of a particular user may indicate a compromised account or a user that has become disgruntled for one reason or another. One area that is often overlooked is monitoring the end user workstation. Attacks on Active Directory and privileged accounts often do not come from the server side, but often start on the workstation side of things. Detecting which programs users are running can indicate the use of possibly malicious tools to steal Active Directory information.
What types of events should monitoring look for?
- Failed authentication/access attempts
- Massive changes to AD or permissions
- Changes to privileged groups/accounts authentication/access
- Use of unusual tools such as Sysinternals tools, MimiKatz, Adsiedit, etc
What are insider threat activities?
- Brute Force attack
- Data exfiltration
- Snooping user
- Abnormal AD activity
- Malware
- Abnormal system access
- Scripted account use
- Privilege elevation
- Lateral movement
A user who is snooping for information is a common one that borders anywhere from malicious to someone simply wanting to access files they shouldn’t have access to given their current role out of curiosity or looking for specific information.
For the purposes of discussing monitoring, what types of events could indicate this type of behavior?
- A high number of file access attempts in a short period of time
- A high number of failed file access events
- Attempts to access file servers and folders the user has never, or rarely, accessed in the past
It can be difficult to correlate user behavior patterns. However, these correlations can be key to identifying what an end user might be attempting to do. A few indicators of risky or unusual behavior may include off-hours access even though the job duties do not warrant it, multiple failed logon attempts, abnormal workstation detected, failed access to restricted data, a large number of files accessed in a given period of time, multiple sensitive group memberships changed.
Threat detection is key to seeing potential risks in the environment to the Active Directory infrastructure. Threat Detection and Risk Analysis are key mechanisms to both detecting threats and analyzing the risk associated with various user behaviors.
Minimizing Active Directory Attack Surface
What are some areas that broaden the attack surface on Active Directory and other infrastructure?
The following are a few areas that often lead to Active Directory compromise and breach.
- Incomplete Patching
- Outdated Operating Systems and Applications
- Misconfiguration
Incomplete Patching
Patching is a subject that is often treated with disdain among IT. This often leads to patch management strategies that are poorly implemented and left with gaps in coverage. Often, it is found among Windows systems there are inconsistently patched systems that have outdated patches or no security patches applied at all. Systems running non-Windows operating systems are often not patched at all or very irregularly without any routine maintenance windows to accomplish this.
In many environments, network devices are almost never patched with the latest firmware after they enter production service. Off-the-shelf applications may be left running business-critical applications long after support for the product ends or is no longer being manufactured or patched. Domain controllers running Active Directory Domain Services may be neglected in regards to patching.
All of these types of systems provide an entry point for attackers looking for access to any system through a vulnerability that may not have been patched to close the security hole. Once an attacker is able to gain access to any type of system, often the goal is to move laterally across the network, attempting to harvest credentials to hopefully stumble onto a domain administrator or SQL DBA credential set.
Outdated Operating Systems and Applications
It can be surprising to learn how many enterprise environments are still running legacy Windows or other operating systems that have long gone end-of-life without any further patch releases or support from Microsoft and other vendors.
A classic example of this is Windows Server 2003.
Windows Server 2003 has been at the end of support since 2015. However, there is a surprising number of Windows 2003 servers still in operation, running business-critical applications or file servers.
In regards to Active Directory, running legacy versions of Windows operating systems can require lessening the security configuration in regards to authentication protocols and others to support the lesser capabilities of those operating systems. Legacy applications may require the use of legacy authentication protocols by vendors who are no longer supporting the application and these may not be able to be rewritten to support the newer, stronger authentication protocols. Active Directory may still be configured to use LAN Manager hashes or reversibly encrypted passwords to support those legacy applications.
All of these scenarios lead to tremendous vulnerabilities to Active Directory and other infrastructure from attack or security breach. All it takes is one legacy application or legacy operating system to introduce domain or forest-wide vulnerabilities because Active Directory is configured to support the required legacy authentication protocols.
Misconfiguration
Even if a Windows Server or workstation or other system is completely patched to 100% of the latest and greatest version and patch level, a misconfiguration can undermine any amount of patching. Misconfiguration exposes the system to being compromised. Once a single system is compromised by an attacker, this provides a temporary location where the attacker can start to move laterally across the network.
In regards to Active Directory, what are some common misconfigurations or non-optimal configurations from a security standpoint that often can lead to security compromise?
High privilege groups in Active Directory such as the Domain Admins, Enterprise Admins, Schema Admins, or built-in Administrators groups are often configured with unneeded group members. Membership in these groups should be reduced to the smallest number of members possible. In doing so, the attack surface is reduced. Permanent membership in these groups can also be eliminated and only granted as needed or in the JITA or Just in Time Administration methodology where permission is time-based.
Additionally, on Domain Controllers or the specialized servers that house the Active Directory Domain Services, it is often found that DCs are configured with the same applications and utilities that are found on members servers, which may open up security holes. Unneeded ports may be opened, or service accounts needed for these utilities or applications. Web browsing may be allowed or even used regularly on Domain Controllers, exposing the DC to downloaded content from the Internet.
Domain controllers need to be treated as highly-secured, valuable components of infrastructure more so than the file, print, or other application servers. They should not run unneeded software applications or run any other functions that could broaden the attack surface. They should not be permitted to access the internet.
Backing up Active Directory
Active Directory should be one of the core infrastructure components that organizations look to add to their data protection mechanisms. Today’s modern backup solutions are able to perform application-consistent backups of critical applications such as Active Directory. These application-consistent backups provide consistent, versioned, backups of Active Directory and allow restoring Active Directory objects in a granular fashion.
Vembu’s application-consistent backup solution found in BDR Suite v4.0 allows performing these effective, efficient, application-consistent backups of Microsoft’s Active Directory infrastructure, allowing organizations to be protected against losing business-critical data housed in Active Directory.
Thoughts
Active Directory is a critical component of modern enterprise architecture. It provides a centralized mechanism for authentication and assigning permissions to resources within the infrastructure. Organizations must protect Active Directory as a business-critical application.
When Active Directory goes down, it takes down a large portion of functionality with it as so many of today’s applications require and interact with Active Directory to function. Monitoring for threats and minimizing the attack surface goes a long way in protecting Active Directory infrastructure.
Additionally, by using effective backup solutions such as Vembu’s BDR Suite v4.0, businesses are able to protect Active Directory and even recover objects that have been protected by Vembu’s application-consistent backup process.
Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.
