5 misconfigurations that make Active Directory a rich target for cybercriminals

As we delve deeper into high profile cyberattacks such as SolarWinds and Microsoft Exchange, it’s clear that an organization’s Active Directory (AD) is highly sought after by cybercriminals and grossly overlooked by organizations.

What is Active Directory?

Microsoft AD is the dominant identity management platform in enterprise environments used for authentication and control of permissions and privileges. The use of AD is so common that 90% of Fortune 1000 organizations use AD as their primary method to provide seamless authentication and authorization.

Once an attacker gains control of AD, they effectively have the “keys to the kingdom”, which they can use to move laterally to any device, gain control of privileged accounts, leave backdoors, add new machines to the network, deploy ransomware, compromise sensitive systems and steal sensitive data.

Given the fluid nature of AD, it can change to adapt to an organization’s architecture and changes are made constantly. That means if AD security hygiene isn’t managed or secured properly, it can get ugly really fast. Here are five AD misconfigurations security teams need to resolve now.

Users are over privileged: One of the most common mistakes that pave the way for a compromised AD is when administrators give too many users access to privileged groups to make the job easier - opting for the path of least resistance. But more often than not, when users are granted domain access, they are allowed to operate with these privileges for a longer than necessary period of time.

The greater the number of users with Domain Admin privileges, the greater the odds that an attacker will be able to find an unsuspecting victim and use their privileges to move laterally throughout the organization.

AD administrators must follow the path of least privilege. This means providing users with only the privileges they need to perform a particular task. This access should be given and revoked for the duration of the task. Administrators must also rectify accounts with too much access periodically.

Kartik Shahani, Country Manager, Tenable India

Lack of change monitoring: AD requires continuous monitoring and analysis so security teams can stay on top of changes to environments and group policies. Adding to this complexity, the event logs from AD would require security teams to manually search for anomalies, sifting through the volumes of false-positives. It is a time-consuming process to collect and aggregate Windows event logs making AD a prime target for cybercriminals who know that manually monitoring it is next to impossible.

Weak user account security hygiene: In many organizations, privileged access is granted to service accounts and are left unmonitored. Security teams do not have full visibility into all accounts with domain admin access as inactive accounts of former employees are often forgotten.

As AD configurations remain unchanged, weak and non-expiring passwords, no password lockouts and weak encryption are often present. These misconfigurations are what cybercriminals look for while trying to gain access to the AD. Since security teams do not have full visibility into the misconfigured systems, breaches may go undetected for weeks, months and sometimes even years.

Vulnerabilities in Active Directory: While vulnerabilities that directly impact AD are not commonplace, attackers tend to chain vulnerabilities together to gain access to legitimate accounts and perpetrate attacks on sensitive systems on a network. Two prominent vulnerabilities — Zerologon (CVE-2020-1472) and ProxyLogon (CVE-2021-26857 and others) are commonly used by attackers.

Zerologon allows attackers to impersonate any system on the network and reset the domain controller’s password. ProxyLogon could be used along with other Exchange Server vulnerabilities to plant webshells on affected hosts. Attackers can compromise service accounts and move laterally within the network.

Existing tools to secure AD are not enough: Existing tools do not contribute to continuously monitor AD. Adopting automated tools that can holistically map the AD network, monitor Group Policy Object changes, monitor unencrypted passwords and send alerts for deviations regularly can go a long way in providing full visibility into AD. Automated tools can identify weaknesses and fix them, detect threats real-time and monitor attack pathways before they can be exploited.

Despite AD forming the backbone of organizations worldwide, not enough attention is given to AD security. The reality is that as the demands on AD grow, it will very often deviate to an insecure, non-compliant state where it becomes an organizational risk rather than the trusted platform that facilitates business optimisation and growth. Neglecting to effectively manage security configuration errors pose a great risk to an organization. Therefore, enforcing AD security in the five circumstances mentioned above is paramount.

Author: Kartik Shahani, Country Manager, Tenable India