Over the past year, we’ve been conducting extensive Microsoft Active Directory assessments across varying organizations. Our findings revealed the startling fact that nearly 100 percent of IT environments are susceptible to malicious attacks, thanks to just one critical application: Active Directory. Let’s discuss some of the reasons why this is.
Ease of Access
Although the Active Directory serves as an access point to more than 90 percent of all organizations’ IT systems, users, computers, apps, passwords and more, most organizations don’t treat it as the central hub that it is. Thus, the security of the Active Directory is often neglected.
In fact, many organizations believe that their IT environment can only be breached by highly sophisticated hackers. Rather than carrying out an elaborate attack, hackers will seek out the easiest method of entry, which in many cases is the Active Directory.
After all, if a hacker can gain access to a system by simply using privileged credentials from the Active Directory, why would they bother trying to breach the firewall an organization has so carefully set up?
Despite the ongoing efforts of IT departments to patch Active Directory vulnerabilities, professional penetration testers routinely report that the AD is easy to access undetected.
Given that free, easy-to-use hacking tools are now widely available on public platforms such as GitHub, it’s easier than ever. Just a few of the most commonly used tools include:
- Mimikatz: Allows hackers to view credential information.
- BloodHound: Quickly identifies hidden attack paths within Active Directory.
- PowerSploit: A suite of tools which helps hackers conduct recon, exploit weaknesses, gain dominance and exfiltrate data.
This means that an Active Directory breach will not only have catastrophic consequences, but will also be extremely difficult to identify and stop before the damage has been done.
Our comprehensive security assessments of various organizations brought several key Active Directory weaknesses to light. Here are some of our most significant findings:
- Over 50 percent of the enterprises we assessed allowed administrators to use the same account to configure Active Directory as they use for all other activities. This means that should an attacker succeed in accessing an administrator’s account, they will automatically have elevated rights upon entry.
- Even though Microsoft recommends implementing secure administrative workstations (SAWs) for Active Directory management, less than 10 percent of organizations have opted to do so.
- Although a multi-factor authentication (MFA) is one of the most effective ways to reduce the vulnerability of single-password protection, more than 25 percent of organizations neglected to use an MFA.
- Almost none of the enterprises we looked at implemented host-based firewalls to protect their domain controllers (DCs), and less than 15 percent implemented administrative whitelists to limit Active Directory access.
- Many mid-market enterprises are unaware of Microsoft’s recommendation to build an Enhanced Security Administrative Environment (ESAE), and thus they never think to implement one. In our assessments, we found no organization did so.
As you may have noticed, many of our findings highlight an overall lack of awareness rather than intentional neglect. Essentially, most organizations want to protect their Active Directory just as much as the rest of their IT environment, but they’re simply not sure where to start.
At this point, you might be wondering how you can go about beefing up your own organization’s Active Directory security and preventing malicious attacks. We suggest utilizing these four pillars of defense for maximum protection:
- Implement AD hygiene. This means that high-security accounts should not be permitted to do low-security tasks, secure password policies should be configured, and only a small group of accounts should have domain admin privileges.
- Make admin workstations secure. Implementing secure administrative workstations (SAWs) and requiring multi-factor authentication (MFA) can go a long way towards preventing credential theft and misuse.
- Protect DCs. You can prevent yourself from both internal and external threats by placing your DCs behind host-based firewalls, locking down inappropriate ports and protocols, continually inspecting suspicious events per protocol, and conducting ongoing verification of clean sources.
- Build an isolated admin forest. Large or complex enterprises can benefit from building an isolated and secure admin forest, which is exclusively reserved for privileged accounts. Only accounts with access to the Active Directory and other high-level management tools should be included in the forest.
You Don’t Have to be Part of the 90%
While it is certainly alarming to know that 90 percent of IT environments are easily hackable via Active Directory, simple steps can be taken to ensure that your Active Directory is protected and secure. If you’re unsure of whether your organization’s AD is vulnerable or not, let us provide you with a free assessment so you can find out, or download our eBook on securing your Active Directory here.