The business world is well accustomed to the services, tools, and benefits that Microsoft Active Directory (AD) provides. It is used by millions of organizations, with billions of users authenticating through it each week, and it is arguably unmatched when it comes to managing authentication for large organizations. Because so much depends on it, security around Active Directory is, rightfully, a high priority for the organizations that use it.
Keeping Active Directory secure and well-managed typically brings to mind risks such as having too many administrators or weak password requirements. Those are crucial risks to consider, but the list should not stop there. Below I cover five lesser-known risks that Active Directory is subject to and how best to address them for a secure and well-managed AD.
1.) Keeping Active Directory system default settings untouched
A large risk is taken when the default security settings of Active Directory are assumed to be adequately secure. Microsoft's defaults favor compatibility across Microsoft products and older clients over the most secure options. For example, a freshly built domain lets any authenticated user join up to ten computers to the domain (ms-DS-MachineAccountQuota), does not require LDAP signing on its domain controllers, accepts NTLMv1 responses (LmCompatibilityLevel below 5), and ships a Default Domain Policy with a seven-character minimum password length and no account lockout. Organizations therefore need to review and change several settings and policies to adequately mitigate these risks, and to re-check them periodically, since a rebuilt domain controller or a reverted GPO silently brings the defaults back.
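As an added example (not code from the original article), the following PowerShell reads several of the settings just mentioned and flags the ones still sitting at their out-of-the-box values. It assumes the RSAT ActiveDirectory module is available and that it runs on a domain controller, because the last two checks read the local DC's registry; the "recommended" values are common hardening targets chosen for this example, not figures from the article.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module and that it runs on a domain controller (the registry checks are local).
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Setting, $Current, [string]$Recommended, [bool]$Weak) {
    $script:findings.Add([pscustomobject]@{
        Setting = $Setting; Current = $Current; Recommended = $Recommended; Weak = $Weak
    })
}

# 1. Default Domain Policy: a 7-character minimum and no lockout are the out-of-the-box values.
$pw = Get-ADDefaultDomainPasswordPolicy
Add-Finding 'MinPasswordLength' $pw.MinPasswordLength '14 or more'     ($pw.MinPasswordLength -lt 14)
Add-Finding 'LockoutThreshold'  $pw.LockoutThreshold  'greater than 0' ($pw.LockoutThreshold -eq 0)

# 2. ms-DS-MachineAccountQuota: the default of 10 lets any authenticated user join
#    ten computers to the domain, i.e. create computer accounts that it then controls.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Add-Finding 'ms-DS-MachineAccountQuota' $quota '0' ($quota -ne 0)

# 3. Pre-Windows 2000 Compatible Access: well-known SIDs show up here as foreign security
#    principals. S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone; either grants broad read access.
$legacy = (Get-ADGroup 'Pre-Windows 2000 Compatible Access' -Properties member).member
$broad  = @($legacy | Where-Object { $_ -match '^CN=S-1-5-11,|^CN=S-1-1-0,' }).Count -gt 0
Add-Finding 'Pre-Win2000 Compatible Access' ($legacy -join '; ') 'no Authenticated Users / Everyone' $broad

# 4. LDAP signing on this DC: value absent or 1 = not required (the default), 2 = required.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ldapSign = if ($null -ne $ntds.LDAPServerIntegrity) { $ntds.LDAPServerIntegrity } else { 1 }
Add-Finding 'LDAPServerIntegrity' $ldapSign '2 (require signing)' ($ldapSign -ne 2)

# 5. LmCompatibilityLevel: absent means the OS default (3 on Server 2008 and later), at which a DC
#    still accepts LM and NTLMv1 responses from clients; 5 refuses everything but NTLMv2.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 3 }
Add-Finding 'LmCompatibilityLevel' $lmLevel '5 (NTLMv2 only)' ($lmLevel -lt 5)

$findings | Sort-Object Weak -Descending | Format-Table Setting, Current, Recommended, Weak -AutoSize
```

Run it from an elevated PowerShell session on a DC and treat every row with `Weak = True` as a finding to track; the same script run after each change, and on a schedule, catches settings that drift back to the defaults.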
2.) Unmanaged Active Directory inheritance and group nesting
Active Directory provides various ways of organizing users and managing their privileges. Organizations typically use custom groups, such as administrator groups, to grant similar users access to the resources they need. Groups can also be nested within each other, decreasing the administrative burden of assigning memberships one user at a time. The catch is that nesting carries privilege with it: if a group is added as a member of an administrative group, every member of that group, and of any group nested below it, inherits the administrative group's privileges. Too much nesting, or nesting that nobody tracks, quickly creates an environment of inherited privileges that cannot be properly managed.
A complex and unmanaged group nesting structure can allow inadvertent access to sensitive information by unauthorized personnel. It also helps attackers: compromising one low-profile account several layers down in the chain yields the parent group's privileges, yet that account never appears as a direct member of an administrative group, so a review that only looks at direct membership will not notice. Proactive group membership auditing that expands nested membership, together with a least-privilege model, should be enforced to ensure group nesting remains controlled and appropriate.
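The following PowerShell is an added example, not code from the original article. It walks a privileged group's membership recursively, records the chain through which each effective member inherited its privilege, and cross-checks the total against the server-side LDAP matching rule that resolves nested membership in a single query. It assumes the ActiveDirectory module; `Domain Admins` is used as the target but any group DN works.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EffectiveMembers {
    param([string]$GroupDN, [string[]]$Path = @(), [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($GroupDN)) { return }   # AD allows A-in-B-in-A; do not loop forever
    $Seen[$GroupDN] = $true
    $group = Get-ADGroup -Identity $GroupDN -Properties member
    $chain = $Path + $group.Name
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn
        if ($obj.ObjectClass -eq 'group') {
            Get-EffectiveMembers -GroupDN $dn -Path $chain -Seen $Seen
        } else {
            [pscustomobject]@{
                Member  = $obj.Name
                Class   = $obj.ObjectClass        # user, computer, foreignSecurityPrincipal, ...
                Nesting = $chain.Count - 1        # 0 = direct member, n = inherited through n groups
                Via     = ($chain -join ' -> ')
            }
        }
    }
}

$target  = Get-ADGroup 'Domain Admins'
$members = Get-EffectiveMembers -GroupDN $target.DistinguishedName

"Direct members:    {0}" -f @($members | Where-Object Nesting -eq 0).Count
"Inherited members: {0}" -f @($members | Where-Object Nesting -ge 1).Count
$members | Sort-Object Nesting -Descending | Format-Table Member, Class, Nesting, Via -AutoSize

# Cross-check: matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC
# expand the whole chain server-side. A count that differs from the walk above points at members
# the walk could not resolve, such as principals from a trusted domain.
$viaLdap = @(Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($target.DistinguishedName))" |
             Where-Object ObjectClass -ne 'group')
"Server-side chain count: {0}" -f $viaLdap.Count
```

The `Via` column is the part `Get-ADGroupMember -Recursive` does not give you: it tells the reviewer which intermediate group to remove, rather than just that an unexpected account is privileged.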
3.) Over-delegation of Active Directory tasks
A benefit of Active Directory is that it can be administered by creating custom groups and delegating specific privileges to those groups or to specific individuals. Delegation lets a domain administrator grant a non-administrator control over a narrow part of Active Directory; under the hood it is an access control entry on an organizational unit (OU) or object that inherits down the tree. For example, helpdesk staff may be granted the right to perform account management tasks (e.g., resetting user account passwords) in one OU without being granted any other administrator privileges.
While this is a valid and efficient mechanism, delegation can get out of control if it is not managed properly. The risk is that over-delegation enables far greater access than originally intended: a right granted on the domain root rather than one OU, or "write all properties" or "all extended rights" rather than the single right that was needed, silently confers control over every object below it. Enforcing a least-privilege model is the best way to mitigate this risk, coupled with proactive auditing of OU permissions and group access to ensure access levels remain controlled and appropriate. Temporary access should be authorized as needed and tracked until it is revoked, so that tasks can be completed while privileged access stays closely monitored.
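As an added example (not code from the original article), the PowerShell below first delegates exactly one right, password reset on user objects, to a helpdesk group on a single OU, and then audits the same OU's permissions for principals holding broader write-class rights than that. The OU `OU=Staff,DC=corp,DC=example`, the group `Helpdesk-PasswordReset` and the NetBIOS domain name `CORP` are placeholders; the two GUIDs are the schema identifiers of the `User-Force-Change-Password` extended right and the `user` object class. It assumes the ActiveDirectory module, which provides the `AD:` drive used by `Get-Acl`.

```powershell
# Added example, not code from the original article. Placeholders: the OU, the group
# 'Helpdesk-PasswordReset' and the NetBIOS domain CORP. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$ouDN     = 'OU=Staff,DC=corp,DC=example'
$helpdesk = Get-ADGroup 'Helpdesk-PasswordReset'
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right User-Force-Change-Password
$userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema class 'user'

# --- Part 1: delegate one right, on user objects only, inherited by everything below this OU.
$acl = Get-Acl -Path "AD:\$ouDN"
$aceArgs = @(
    $helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $aceArgs
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# --- Part 2: audit the same OU for anyone holding more than that.
# Principals expected to hold full control; any other principal with a write-class right is reported.
$expected  = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CORP\Domain Admins',
             'CORP\Enterprise Admins', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
$writeLike = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|CreateChild|DeleteChild'

(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights.ToString() -match $writeLike -and
                   $expected -notcontains $_.IdentityReference.Value } |
    ForEach-Object {
        # An empty ObjectType means "all": every property for WriteProperty, or every extended
        # right (not just password reset) for ExtendedRight. That is what over-delegation looks like.
        $scope = if ($_.ObjectType -eq [guid]::Empty) { 'ALL' }
                 elseif ($_.ObjectType -eq $resetPasswordRight) { 'reset password only' }
                 else { $_.ObjectType.ToString() }
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Rights    = $_.ActiveDirectoryRights
            Scope     = $scope
            Inherited = $_.IsInherited
            OverBroad = ($_.ObjectType -eq [guid]::Empty)
        }
    } | Sort-Object OverBroad -Descending | Format-Table -AutoSize
```

In the audit output the helpdesk group should appear with `Scope = reset password only`; any row with `OverBroad = True` for a principal outside the expected set is a delegation that needs to be narrowed or removed. Running part 2 across every OU on a schedule is what keeps delegation from drifting.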
4.) Ignoring stale Active Directory users and devices
Leaving inactive user and computer accounts enabled in Active Directory hands attractive targets to external and internal attackers. Such an account can be used to reach resources without drawing attention, since the activity comes from a valid, enabled account, and because nobody legitimately uses the account, nobody notices when someone else does. Stale accounts also tend to carry old passwords that predate the current password policy. Performing periodic access and account reviews to locate and investigate stale accounts, then disabling (not immediately deleting) the ones that are confirmed inactive, is the best way to ensure they are not available to be exploited.
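The PowerShell below is an added example, not code from the original article. It reports enabled user and computer accounts that have not authenticated within a given number of days, treats accounts that were created long ago but never logged on as stale too, and then disables them with `-WhatIf` so the change can be reviewed before it is made for real. It assumes the ActiveDirectory module; the 90-day threshold is a choice for this example.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory module.
# lastLogonTimestamp is replicated lazily (by default it may lag the real last logon by up
# to 14 days), so it is only useful for thresholds well above that, such as the 90 days used here.
Import-Module ActiveDirectory

function Get-StaleAccounts {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    $props  = 'lastLogonTimestamp', 'pwdLastSet', 'whenCreated', 'Description'

    $users = Get-ADUser     -Filter 'Enabled -eq $true' -Properties $props
    $comps = Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props

    foreach ($acct in @($users) + @($comps)) {
        # Both attributes are Windows FILETIME values; 0 / absent means "never".
        $lastLogon = if ($acct.lastLogonTimestamp) { [datetime]::FromFileTime($acct.lastLogonTimestamp) } else { $null }
        $pwdSet    = if ($acct.pwdLastSet)         { [datetime]::FromFileTime($acct.pwdLastSet) }         else { $null }

        $neverUsed = ($null -eq $lastLogon) -and ($acct.whenCreated -lt $cutoff)
        $idle      = ($null -ne $lastLogon) -and ($lastLogon -lt $cutoff)
        if (-not ($neverUsed -or $idle)) { continue }

        $reason = if ($neverUsed) { 'never logged on' } else { 'idle {0} days' -f [int]((Get-Date) - $lastLogon).TotalDays }
        [pscustomobject]@{
            Name       = $acct.SamAccountName
            Class      = $acct.ObjectClass
            LastLogon  = $lastLogon
            PwdLastSet = $pwdSet
            Created    = $acct.whenCreated
            Reason     = $reason
            DN         = $acct.DistinguishedName
        }
    }
}

$stale = Get-StaleAccounts -Days 90
$stale | Sort-Object LastLogon | Format-Table Name, Class, LastLogon, PwdLastSet, Reason -AutoSize

# Disable rather than delete, stamping the reason into the description so the change is
# explainable later. Remove -WhatIf only after the list has been reviewed.
$stamp = Get-Date -Format 'yyyy-MM-dd'
foreach ($a in $stale) {
    Set-ADObject      -Identity $a.DN -Description "Disabled $stamp by stale-account review ($($a.Reason))" -WhatIf
    Disable-ADAccount -Identity $a.DN -WhatIf
}
```

Service accounts that authenticate only via Kerberos on a fixed host, or accounts reserved for break-glass use, will show up in this list; the review step exists precisely so those can be documented and excluded rather than disabled blindly.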
5.) Lack of proactive monitoring of domain controller use
Domain controllers (DCs) are the servers that hold the directory database and answer authentication requests, which makes them the central component of Active Directory and the highest-value target in it. Logon to domain controllers should be limited to a small number of trusted individuals who need that access to do their jobs. Not knowing who is able to log on to your domain controllers, and who is actually logging on to them, threatens the protection of privileged identities and the other sensitive information held in AD.
The specific individuals with domain controller logon rights should be tracked continuously and updated as needed. Additional methods should be in place to continuously and proactively record DC logons so that anomalies are detected immediately and acted on quickly. Domain controller audit policies allow successful and failed logons to be logged, along with the logon type, source address and other logon-related events. Configuring these audit settings is necessary to capture and retain the events; however, if no further process exists for aggregating and analyzing them, the risk is not properly addressed.
Foremost, the Windows Security event log should be configured with enough space to retain audit events so they can be analyzed or pulled later for investigative purposes. Beyond that, forwarding the events to a Security Information and Event Management (SIEM) solution, whether through an agent or through Windows Event Forwarding, is the best way to proactively monitor these events and automate their analysis so that anomalies are automatically alerted to the appropriate personnel.
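To make the three checks above concrete, here is an added example (not code from the original article) meant to be run in an elevated PowerShell session on a domain controller. It lists who holds the interactive and Remote Desktop logon rights on that DC, checks that the Logon audit subcategory is enabled and that the Security log is large enough, and then pulls the last day's interactive, RDP and cached logons and flags any account outside an allow-list. The allow-list entries `CORP\da-alice` and `CORP\da-bob` are placeholders, and the 1 GB log size and 24-hour window are choices for this example.

```powershell
# Added example, not code from the original article. Run elevated on a domain controller.
$allowedAdmins = @('CORP\da-alice', 'CORP\da-bob')     # placeholder: the few accounts allowed to log on here

# 1. Who holds the logon rights? Export the effective policy and resolve the SIDs it lists.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
foreach ($right in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
    $line = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
    if (-not $line) { continue }
    $names = ($line.Line -split '=')[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')              # entries look like *S-1-5-32-544 or a plain name
        try { (New-Object System.Security.Principal.SecurityIdentifier $id).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $id }
    }
    '{0}: {1}' -f $right, ($names -join ', ')
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 2. Is the Logon subcategory audited, and can the Security log hold enough history?
$logonAudit = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
'Logon auditing: {0}' -f $logonAudit.'Inclusion Setting'         # want "Success and Failure"
$sec = Get-WinEvent -ListLog Security
'Security log: {0} MB max, mode {1}, {2} records' -f ($sec.MaximumSizeInBytes / 1MB), $sec.LogMode, $sec.RecordCount
if ($sec.MaximumSizeInBytes -lt 1GB) {
    'WARNING: Security log under 1 GB; raise it with: wevtutil sl Security /ms:1073741824'
}

# 3. Interactive (2), RemoteInteractive (10) and CachedInteractive (11) logons in the last 24 h.
#    Network logons (type 3) are deliberately excluded: every Kerberos/LDAP client produces those.
$filter = @'
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">
    *[System[EventID=4624 and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    and *[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10' or Data[@Name='LogonType']='11']]
  </Select>
</Query></QueryList>
'@
$logons = Get-WinEvent -FilterXml $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $e = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        LogonType = $d.LogonType
        Source    = $d.IpAddress
        Process   = $d.ProcessName
    }
}
$logons | Format-Table -AutoSize

$unexpected = @($logons | Where-Object { $allowedAdmins -notcontains $_.Account })
if ($unexpected.Count -gt 0) {
    'ALERT: DC logon by account(s) outside the allow-list:'
    $unexpected | Format-Table -AutoSize
}
```

Part 3 is the logic a SIEM rule should carry: the same "4624 with an interactive logon type on a DC, by an account not on the short list" condition, evaluated continuously rather than once a day by hand. Part 1 is worth diffing against a saved copy, since a new SID appearing in `SeRemoteInteractiveLogonRight` means someone changed who can reach the DCs.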