The traditional network perimeter is vanishing, making identity the most important thread protecting the services, users, and machines that populate enterprise IT ecosystems.
Attackers have realized that too, and the number of breaches involving credential theft continues to climb. At the center of the storm is Active Directory (AD). With its foundational role in enterprise access and authentication, AD sits at the heart of identity management—a status that makes it attractive to attackers seeking access to sensitive systems. Unfortunately, many organizations are a step behind in securely managing AD, particularly as they support an expanding ecosystem of mobile workers, cloud services, and devices. Between the risk of stolen credentials and the use of hacking tools like Bloodhound, AD security has never been more critical. In this addition to IDSA’s IAM best practices blog series, we will discuss how to secure Active Directory and close the door on attackers trying to move through your environment.
Minimize the attack surface
Shrinking the attack surface reduces the risk of compromise. Just like with other systems and applications, implementing the principle of least privilege prevents unauthorized users from accessing critical systems. For AD, this includes locking down administrative access to the AD service through administrative tiering.
In an administrative tier model, IT assets are categorized by their sensitivity, and administrative accounts are categorized by their access rights. The top asset tier contains AD domain controllers which can only be managed by top tier AD administrators. The middle tier is for application servers and the administrative accounts that can manage them. The third tier covers workstations and includes the accounts for administrators that access end-user devices. In this approach, the administrator accounts from each tier can manage assets in the same or a lower tier but can only login interactively to systems at the same or a higher tier. This prevents sensitive administrative credentials from being cached on less sensitive but more easily compromised systems.
Limiting privilege is only one way to minimize the attack surface, however. Regularly scanning for misconfigurations reduces the attack surface by uncovering issues —whether accidental or malicious—that can expose an AD forest to attack. This type of vulnerability assessment should be an ongoing activity. Once inside your network, threat actors will often perform AD enumeration and look for accounts with excessive privileges to exploit so they can strengthen their foothold. Regular scanning can detect these issues before they are leveraged in an attack.
Monitor AD and roll back unauthorized changes
Catching malicious activity is also made possible through the continuous monitoring and auditing of object and attribute changes at the directory level. Traditionally, organizations have used their security information and event management (SIEM) tools to monitor AD change events. However, event logs do not always capture changes caused by sophisticated attacks. For example, DCShadow, a feature in the mimikatz tool, can modify any portion of Active Directory while evading event logs entirely. For organizations to establish comprehensive visibility, they need to adopt an approach that monitors all aspects of AD, from event logs to the replication stream. With effective monitoring and logging, your organization can view and flag suspicious events and determine the extent of any damage—or, hopefully, catch these actions before any actual damage can take place.
These changes must be undone when detected, requiring that organizations have the ability to rollback changes, which is invaluable in the event of an attack by a cyber-criminal or a mistake by an administrator.
Plan for a compromise
As much as it hurts to say, attackers are going to penetrate the network, and Active Directory will be among their targets. Preparation for this possibility is critical, and Microsoft has published a detailed guide online for recovering AD forests. In the aftermath of an attack, AD needs to be recovered from backup quickly, and a manual process will be error-prone and cause unnecessary downtime. In the face of a large-scale compromise, enterprises should implement an approach to recovery that is highly automated and includes offline backups for all the components of your infrastructure.
The rise of ransomware and other malware targeting AD means organizations need the ability to recover from attacks that compromise domain controllers without re-introducing malware into the environment. Additionally, any recovery plan should include the ability to recover to replacement hardware in the event the firmware is compromised.
Protect the keys to the kingdom
For roughly 20 years, Active Directory has represented the proverbial keys to the kingdom for enterprises around the world. Just as important, it also provides a treasure map of trust relationships that can be exploited by a skilled attacker. As AD security goes, so too goes security for the entire organization. By focusing on security and recovery, enterprises can raise a shield in front of a crucial part of their infrastructure.
About the Author: Gil Kirkpatrick is the Chief Architect at Semperis. He has been developing commercial products for enterprise IT for more than 40 years, focusing on identity and access related technologies since the mid-1990s. In addition to writing Active Directory Programming, the first book on Active Directory for software developers, he has written dozens of identity and security-related articles for various publications. Gil is well-known as the founder of the Directory Experts Conference, a technology conference for IT professional specializing in Microsoft identity and access technologies, and more recently he co-founded the Hybrid Identity Protection Conference. Gil has held senior technology leadership roles at NetPro, Quest Software, ViewDS Identity Solutions, and Semperis, and has been named a Most Valuable Professional by Microsoft for each of the last 15 years.