Business Reporter

Active Directory security

Guido Grillenmeier at Semperis explains why, in a convoluted security landscape, organisations should prioritise Active Directory security

 

As purse strings continue to tighten in a difficult economic climate, organisations are increasingly scrutinising the value of tools, applications and technologies.  

 

Security solutions are not an exception to this. Indeed, organisations are looking to streamline operations, reduce expenditure and consolidate the security stack. But what exactly should firms be looking to prioritise when pivoting the security strategy in this way? 

 

In what can be a convoluted landscape, my advice is simple – Active Directory (AD) security must always take precedence.  

 

AD is a foundational, fundamental tool for any business for three key reasons: 

  1. All companies need a way of verifying the identity of users on their internal networks – a process known as authentication.  
  2. They then also need a way to assign permissions for those users (either directly or as a set of users within a group) to access and use the IT resources they work with – be it file shares, specific folders, business applications, or specific functions within those business apps. This process is known as authorisation. 
  3. Companies additionally need to understand who has undertaken what actions within their IT infrastructure, based on the identity of those users. This is what auditing is all about – understanding who did what and when, and on which systems. 

At its core, AD is the identity service that allows all three of those important capabilities – authentication, authorisation and auditing – to be performed within a company’s on-prem IT environment. That’s why it is so important. 

 

All too often, AD is left under-protected 

Despite this, AD all too often fails to be prioritised in the same way as other security areas, with some CISOs and other security decision-makers instead focusing on endpoint security or even business application security.  

 

This is not to say that these areas are not important. Rather, that there also needs to be the same level of recognition and awareness of the importance of protecting AD. 

 

Critically, it only takes a single compromised endpoint for an intruder to set their sights on the next target. In most cases, this next target is AD, providing the means for threat actors to elevate their privileges and in turn gain access to business-critical data.  

 

The statistics speak for themselves – it’s estimated that approximately nine in 10 cyber-attacks involve AD in some way.  

 

First, find out where you are vulnerable 

This tide has started to change in recent times.  

 

Awareness of the criticality of AD security is improving, with Gartner having shone a spotlight on Identity Threat Detection and Response (ITDR) as a top security trend since 2022. However, the gap still needs to be bridged in many instances. 

 

So, how can that be achieved? 

 

First, it’s critical to gain a deep understanding of your security posture and potential vulnerabilities in relation to AD – a process made easier by free Active Directory assessment tools such as Purple Knight. 

 

Critically, companies should run these assessments in their own environments as a normal domain user – not as an administrator. Most of what an attacker needs to learn about AD is readable by any authenticated user by default, and more often than not, threat actors find themselves with exactly those permissions when they first break into a network. Therefore, by undertaking assessments from the perspective of a normal user, organisations will be able to look at their AD through the eyes of an intruder. 

 

After that, weaknesses can be identified and ironed out. For the intruder, the goal is to find attack paths allowing them to elevate their privileges, of which there can be many in AD. Again, here, assessment tools will help to uncover those vulnerabilities, as well as offer guidance as to how to address them.  

 

Two common AD vulnerabilities 

Of course, there are many common weaknesses which typically need to be addressed, one example being user accounts that have a service principal name (SPN) assigned to them – typically service accounts that run an application under a domain identity.  

 

An intruder can quickly find out which accounts have an SPN, and through relatively simple reconnaissance can even determine which of those accounts are privileged in Active Directory. Further, they can also see which accounts haven’t changed their passwords in a long time, because the password-last-set timestamp is readable too.  

 

Armed with this information, it is not difficult for the intruder to choose which account with an SPN to attack. Depending on the age of the password, it may well not be very strong and so be vulnerable to a Kerberoasting attack. This works because any authenticated user can ask a domain controller for a Kerberos service ticket for that SPN, and part of that ticket is encrypted with a key derived from the service account’s own password. The intruder takes the ticket offline and tries candidate passwords against it until one decrypts it; no logon attempts fail, so nothing more than a routine ticket request is recorded and no alarms are triggered. If the account still accepts RC4 (the default for user accounts that have not been restricted to AES), cracking is faster still. Once cracked – which is easier and faster than you may think – it quickly becomes game over. 
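As an added illustration of the reconnaissance described above (this is not code from the article or from Semperis, and it performs no attack), the following PowerShell script does what the text says an intruder does, from the position of an ordinary authenticated domain user: it reads, over plain LDAP, every enabled user account carrying an SPN, how old its password is, whether AD has marked it as privileged (adminCount, which the AdminSDHolder process sets on members of protected groups) and whether RC4 service tickets can still be issued for it. The attribute names and bit values are Microsoft’s; the ordering of the output and the assumption that the script runs under a non-administrative domain logon are mine.

```powershell
# Added example, not from the article or Semperis: Kerberoasting exposure check run as an
# ordinary domain user. Only LDAP reads via System.DirectoryServices are used, which needs no
# RSAT and which Authenticated Users can perform against these attributes by default.
# Assumption: the current logon is a plain domain user on a domain-joined machine.

$filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
$searcher = [adsisearcher]$filter
$searcher.PageSize = 1000
foreach ($attr in 'sAMAccountName', 'servicePrincipalName', 'pwdLastSet', 'adminCount',
                  'msDS-SupportedEncryptionTypes', 'userAccountControl', 'memberOf') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$now = Get-Date
$report = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties   # attribute names come back lower-cased

    $uac = [int]$p['useraccountcontrol'][0]
    if ($uac -band 0x2) { continue }   # ACCOUNTDISABLE: a disabled account cannot be roasted

    # pwdLastSet is a FILETIME; 0 means the password was never set / must change at next logon.
    $pwdLastSet = [int64]$p['pwdlastset'][0]
    $pwdAgeDays = if ($pwdLastSet -eq 0) { [int]::MaxValue }
                  else { ($now - [DateTime]::FromFileTime($pwdLastSet)).Days }

    # msDS-SupportedEncryptionTypes bits: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
    # Absent or 0 on a user account means the KDC still issues RC4-encrypted service tickets,
    # which are the cheapest to crack offline.
    $enc = if ($p['msds-supportedencryptiontypes'].Count -gt 0) { [int]$p['msds-supportedencryptiontypes'][0] } else { 0 }
    $rc4Possible = ($enc -eq 0) -or (($enc -band 0x4) -ne 0)

    # adminCount=1 marks accounts that are, or once were, members of protected groups.
    $adminCount = if ($p['admincount'].Count -gt 0) { [int]$p['admincount'][0] } else { 0 }

    [pscustomobject]@{
        Account     = [string]$p['samaccountname'][0]
        SPNs        = (@($p['serviceprincipalname']) -join '; ')
        PwdAgeDays  = $pwdAgeDays
        RC4Possible = $rc4Possible
        Privileged  = ($adminCount -eq 1)
        Groups      = (@($p['memberof'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ')
    }
}

# Highest-value targets first: privileged, RC4-crackable, oldest password.
$report |
    Sort-Object -Property @{Expression = 'Privileged';  Descending = $true},
                          @{Expression = 'RC4Possible'; Descending = $true},
                          @{Expression = 'PwdAgeDays';  Descending = $true} |
    Format-Table -AutoSize
```

Anything that appears near the top of that table with a password older than a year is exactly what the intruder will pick first. The defender’s counterparts are the usual ones: move the service to a group managed service account, or at least give the account a long random password and restrict it to AES, and watch for unusual volumes of RC4 service-ticket requests.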

 

In addition, a second common vulnerability is badly configured certificate templates in Active Directory Certificate Services (AD CS), allowing an intruder to impersonate any user – even an AD domain administrator. A typical example is a published template that ordinary users are permitted to enrol in, that can be used for client authentication, and that lets the requester specify the subject name: the requester obtains a certificate in the name of a privileged account and then logs on with it. Unfortunately, these are frequently found in our security analyses. Yet often organisations simply aren’t aware that they exist or are problematic. 
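One concrete form of “badly configured” that lets a requester obtain a logon certificate for any name, shown here as an added example that is not taken from the article or from Semperis: a published template that lets the enrollee supply the subject name, carries a logon-capable EKU (or none at all), requires neither manager approval nor authorised signatures, and grants the Enroll right to a low-privileged group. The PowerShell below reads those template attributes and DACLs over LDAP, which an ordinary domain user can do by default, and lists the matches. The flag values, attribute names and extended-right GUID are Microsoft’s; the set of SIDs treated as low-privileged is my choice, and a listed template is a candidate for review, not proof of exploitability.

```powershell
# Added example, not from the article or Semperis: read-only check for AD CS certificate
# templates whose settings let a low-privileged requester name an arbitrary subject on a
# certificate usable for logon. Runs as an ordinary domain user; template objects and their
# DACLs are readable by Authenticated Users by default.

$configNC = [string]([adsi]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Identifiers used below (Microsoft-defined).
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$allGuid    = [guid]'00000000-0000-0000-0000-000000000000'   # "all extended rights"
$authEkus   = '1.3.6.1.5.5.7.3.2',        # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
              '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
              '2.5.29.37.0'               # Any Purpose

# Assumption: these principals count as "low-privileged" in this domain.
$domainSid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid.Value
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', "$domainSid-513", "$domainSid-515"
               # Everyone, Authenticated Users, BUILTIN\Users, Domain Users, Domain Computers

# A template is only enrollable if some CA publishes it.
$published = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($ca in ([adsi]"LDAP://CN=Enrollment Services,$pkiBase").Children) {
    foreach ($name in @($ca.Properties['certificateTemplates'])) { [void]$published.Add([string]$name) }
}

$findings = foreach ($t in ([adsi]"LDAP://CN=Certificate Templates,$pkiBase").Children) {
    $name = [string]$t.Properties['cn'].Value
    if (-not $published.Contains($name)) { continue }

    $nameFlag   = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
    $enrollFlag = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
    $raSigs     = [int]$t.Properties['msPKI-RA-Signature'].Value
    $ekus       = @($t.Properties['pKIExtendedKeyUsage'])

    $supplySubject   = ($nameFlag -band 0x1) -ne 0     # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $managerApproval = ($enrollFlag -band 0x2) -ne 0   # CT_FLAG_PEND_ALL_REQUESTS
    $logonEku        = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $authEkus -contains $_ }).Count -gt 0)

    if (-not ($supplySubject -and $logonEku -and -not $managerApproval -and $raSigs -eq 0)) { continue }

    # Who may enroll? Enroll is an extended right on the template; GenericAll implies it.
    $rules = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $lowPrivEnrollers = foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $rights   = $r.ActiveDirectoryRights
        $generic  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        $canEnroll = (($rights -band $generic) -eq $generic) -or
                     ((($rights -band $extended) -ne 0) -and ($r.ObjectType -eq $enrollGuid -or $r.ObjectType -eq $allGuid))
        if ($canEnroll -and ($lowPrivSids -contains $r.IdentityReference.Value)) { $r.IdentityReference.Value }
    }
    if ($lowPrivEnrollers) {
        [pscustomobject]@{
            Template     = $name
            EKUs         = ($ekus -join ', ')
            EnrollableBy = (@($lowPrivEnrollers | Sort-Object -Unique) -join ', ')
        }
    }
}

$findings | Format-Table -AutoSize
```

Each row is a template to take to the PKI and application owners before touching it: the fix is usually to remove the enrollee-supplies-subject flag or to require manager approval, but an application may genuinely depend on the template, which is exactly the “proceed with caution” point made in the next section.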

 

The importance of proceeding with caution 

Given the potential impacts of these vulnerabilities, it is vital that AD security is made a priority when consolidating the technology stack and streamlining the security strategy. However, there are several important considerations to keep in mind during such a process.  

 

While using tools such as Purple Knight may serve as a vital leg up in identifying potential vulnerabilities, organisations should proceed with caution when making the necessary changes to rectify them. 

 

Making drastic changes in the IT environment could result in highly damaging business outages. Therefore, to tighten up security without impeding productivity, it is important that the potential impacts are understood on the application side.  

 

Changes need to be planned, with ongoing dialogue with application owners to see if changes were successful. In addition, organisations should seek support from partners that have already completed AD tightening or hardening projects, retrieving key insights, advice and “dos and don’ts” from experienced parties.  

 

With that said, it’s important to understand that security changes cannot always be made without impeding productivity. In these instances, alternative approaches include recategorising the application as security critical, and potentially even putting it into a separate isolated network. 

 

This leads us onto the topic of backup and recovery.  

 

Ensuring that you have a tried and tested plan to recover your forest (the top-level structure in AD, containing all of its domains) in a fully automated way is vital. In today’s world, there is no such thing as 100% guaranteed security. While significant steps can be taken to minimise the attack surface and reduce the likelihood of an attack, that likelihood will never be 0%. 

 

If AD can’t be fully secured, because certain business-critical applications need riskier settings to work as intended, then it becomes even more important to ensure that you can recover quickly in the face of a breach. 

 

Consider support from external consultants 

From identifying vulnerabilities to finding workarounds that won’t result in dramatic outages and establishing effective recovery and backup strategies, managing the various aspects of AD security effectively is a delicate balancing act.  

 

It is also a skill that is becoming increasingly rare to find. Active Directory is not sexy for the next generation of security professionals – ultimately, young people don’t want to take on older technologies, instead focusing their efforts on what’s new, and what’s next.  

 

For this very reason, it can be hard for companies to develop adequate AD knowledge and skill levels internally. Yet it cannot be ignored – AD security must be a key priority. 

 

In such scenarios, organisations should consider seeking outside support, working with external experts and consultants to plan out improvement plans and remediation paths rather than trying to build up the capacity to do so in-house.  

 


 

Guido Grillenmeier is Principal Technologist at Semperis. Semperis has seasoned professionals to support organisations with finding, explaining and fixing AD vulnerabilities.

 


Business Reporter

Winston House, 3rd Floor, Units 306-309, 2-4 Dollis Park, London, N3 1HF

23-29 Hendon Lane, London, N3 1RT

020 8349 4363

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543