Today, Microsoft Active Directory (AD) is seen as a utility for the enterprise that powers the business by controlling access to applications, data, systems and services.
Unfortunately, utilities aren’t glamorous and they don’t receive attention to ensure they are safeguarded. That is, until the utility is targeted, compromised and the critical service it provides is disrupted.
You may recall the recent Russian hacking of a United States electrical grid, showing how vulnerable utilities can be, and the potential for disaster.
Just like an electrical grid, AD is a utility that must be secured, because it is critical infrastructure for your entire organization, and its security is paramount. However, most organizations only focus on operating rather than safeguarding AD against attack.
According to Verizon’s 2016 Data Breach Investigations report, 63 percent of all data breaches are credentials driven —all of which are often managed by AD in most organizations.
What this means is that both large and small organizations have a lot at stake when it comes to AD security.
Active Directory Security: Which Camp Do You Fall Into?
Most organizations are not sure how secure their AD environment is, how they compare to others or how to express the risk it poses to the business.
To answer these questions, we developed an AD risk assessment program, and have been conducting security reviews for both large and small organizations.
We’ve seen two types of profiles emerge as a result of our engagements.
If you’re a small to mid-market org …
You tend to recognize that AD security is important, but may lack the bandwidth, experience or funding to take steps towards building the necessary level of security.
After all, it can be challenging for smaller organizations to properly protect their AD when they’re unsure of where to start in the first place, right? Because of this, you benefit most from general guidance and easy to deploy and operate solutions.
For example, we found in our assessments that over 50 percent of organizations allow administrators to use the same account to configure AD as they use for everything else.
Additionally, less than 10 percent of the organizations we assessed heeded Microsoft’s recommendation to implement secure administrative workstations (SAWs) for AD management, and less than 25 percent protected their information with multi-factor authentication (MFA).
These kinds of mistakes can usually be attributed to a general lack of expertise, which can be quickly exploited by hackers.
If you’re one of the bigger guys …
On the other hand, if you’re a big organization, you usually employ a team IT professionals who regularly work on AD and have already taken significant steps towards building and maintaining its security.
However, even with adequate funding, knowledge and experience, it remains challenging to secure a large-scale environment. There are often too many “cooks in the kitchen,” lack of consistency in the systems and tooling used, and ambiguity of who is ultimately responsible for safeguarding AD, its tooling and its infrastructure.
And there is often uncertainty as to whether AD is already compromised, since it is difficult.
This is illustrated by the fact that, unlike mid-market organizations, large enterprises often invest in an isolated Enhanced Secure Administrative Environment (ESAE) for Active Directory to ensure the administrative kernel of AD is clean.
Our Solution for Active Directory Vulnerability
From Microsoft’s guidelines for securing privileged access, we’ve identified four of the most vital security measures which, when implemented together, can greatly decrease AD vulnerability for all organizations.
- AD Hygiene: AD Hygiene is kind of like flossing: while most people make some sort of effort to maintain it, crucial areas are often left overlooked. To remedy this, organizations should limit who has domain admin privileges, prevent low-security tasks from being completed by high-security accounts, configure secure password policies, engage in regular patching and strictly limit admin group membership.
- Secure Administrative Workstations: Just like only trained cooks should be allowed in the kitchen of a restaurant (primarily because they know how to handle food to prevent contamination), it’s essential that organizations implement secure administrative workstations (SAWs) to prevent their domain controllers (DCs) from being infected with malware. For additional security, multi-factor authentication should be required to access SAWs.
- Domain Controller Protection: Since DCs provide a convenient pathway for cyber criminals to follow, they need to be appropriately protected. Even if your house is locked and your street has a neighborhood watch, you’d still use a safe to protect your gold bars hidden at home. The implementation of host-based firewalls and administrative whitelists can be essential to protecting DCs from internal and external threats alike.
- Isolated Admin Forest: Just like Department of Defense has the Pentagon and the White House has the Situation Room, large organizations should have an isolated admin forest in which a few authorized staff can oversee and control the entire environment. Microsoft itself recommends that organizations build an Enhanced Security Administrative Environment (ESAE), and so do we. Organizations should make sure that their admin forest is isolated and secure as well as reserved exclusively for privileged accounts.
How Our Findings Can Help You
The considerable AD vulnerabilities we’ve discovered don’t only apply to the organizations we assessed: you can put our findings to good use by proactively identifying your AD’s weak spots before someone else has the chance to take advantage of them.
If you’d like us to help you review your Active Directory security, sign up for your free security assessment now.
-Russell Rice, senior director of product management, Skyport Systems