AD security on the test bench

Another topic for administrators responsible for using a Microsoft Active Directory (AD) in the enterprise. Rumor has it that many companies rely on Microsoft's AD for their IT in business operations. The stuff has been on the market for 20 years and is arguably quite reliable. But what about security? According to security vendor Semperis, 20-year-old AD technology presents some security challenges.


I found the perspective taken by Sean Deuby, Director of Services at Semperis, quite intriguing. In a post, he acknowledges that Active Directory did its job for a long time without any problems in the IT of many companies. But Sean Deuby points out that AD on a network is increasingly coming into focus from a security perspective. When I blog about security incidents here and a little more is revealed about the attack vector, the topic of "compromising Active Directory" often comes up.

That's because an AD is essentially the gateway that connects employees to their resources (such as email or network file shares) on the corporate network. Administrators use AD to manage each user's permissions, authenticate them at logon and determine which resources they can access. This has many advantages. AD is easy to use, has been around for many years, and is very reliable.

The catch: if an attack on AD succeeds, the attacker can misuse these permissions for his own purposes – something that can now be observed frequently in security incidents. However, many companies are not aware of the security risks associated with AD.

AD as a problem solution

Sean Deuby traces the history: before AD was introduced in 2000, Microsoft's directory servers could not scale far enough to meet the needs of medium and large enterprises, so many servers were required. A company with about 1,000 employees sometimes needed 200 servers. This posed a major problem for companies: not only were all these individual servers difficult to manage, as each one required its own credentials, but activities such as file sharing were also difficult because the servers could not easily communicate with each other.

AD solved this challenge. By easily integrating with applications and providing single sign-on capabilities across the enterprise environment, it transformed the network experience and quickly became ubiquitous. Its prevalence has not changed in the last two decades. This nearly quarter-century-old technology is more important today than ever, forming the foundation for most cloud identity systems used by enterprises around the world. While AD is still essential to most businesses around the world, it has also become a security concern.


Why AD is a problem today

AD is vulnerable for several reasons. First, it was not designed to handle complex security threats. It was developed at a time when there was no ransomware, no sophisticated state-sponsored cyberattacks, and no widespread use of cloud computing. It is a technology from a different time – and therefore it cannot effectively counter many of the modern threats we face today.

Second, AD was designed as an open system to make it easier to use. It trusts users logged into a network to provide a seamless user experience. However, this very openness is a difficult challenge for defenders today because it presents few obstacles to successful intruders.

Third, the age of the network means that in many cases there have been over 20 years of poor security decisions, originally made for expediency. These have accumulated into a massive attack surface that even amateurs can exploit.

For these reasons, about 90 percent of all organizations are exposed to security breaches that stem from AD vulnerabilities, and nine out of 10 of all cyberattacks involve AD in some form. Such statistics are not reassuring, nor is the simplicity of the attack methods used to target AD. The typical attack proceeds in stages:

  1. Attackers compromise a PC through phishing. They send fraudulent emails that aim to trick users into revealing confidential information, such as their credentials for AD.
  2. An attacker then tries to gain privileges on a local machine. Attackers can elevate their privileges on the machine in a number of ways, exploiting vulnerabilities in the device.
  3. They then use AD to discover the other devices connected to and used on that network.
  4. Next, they target other devices. From here, they move around a network and perform hard-to-detect reconnaissance by attacking many computers to find one that has AD administrator privileges.
  5. Finally, they gain access to the credentials of a privileged or administrative account. Once they have these, they have full control over AD – and everything that depends on it.

An example of a popular AD attack is the so-called "golden ticket" attack. The golden ticket is well known from the novel "Charlie and the Chocolate Factory" by Roald Dahl. In the digital world, these golden tickets also provide access to a company's IT environment. A golden ticket attack gives threat actors unfettered access to network resources and the ability to stay on networks indefinitely, disguised as legitimate users with administrative privileges.

Scope of the threat


AD is not only a problem because it is easy to attack; the payoff for attackers is also significant. AD is essentially the key to the kingdom, like a safe in which a company keeps the physical keys to its offices. It is the central hub for accessing critical systems – computers, software applications and other resources.

This attack method is dangerous because it is both easy and lucrative. In 2021, companies paid ransoms of up to $40 million to regain access to the network. At the same time, the barriers to entry for attackers are getting lower. Thanks to the booming Ransomware-as-a-Service (RaaS) market, they no longer need to be technically savvy. Instead, they simply buy tools and services from the pros. This is a devastating cycle. Profit for attackers increases while the technical skills required continue to decrease, exponentially expanding the attack landscape.

It's easy to see, then, why International Data Corporation's 2021 Ransomware Study recently found that more than one-third (37 percent) of global organizations were victims of a ransomware attack in 2021. The odds are clearly in favor of the attackers.

How can enterprises respond?


Companies need to respond to stop this flood of threats. To minimize their vulnerabilities, they must first know where they are vulnerable. For many companies, trying to gain this understanding can feel overwhelming. This is especially true for those with little or no cybersecurity knowledge. There are solutions and the right support to help.

Purple Knight, a free Active Directory security assessment tool, is a good place to start. Developed and managed by a leading group of Microsoft identity experts, it can help identify Active Directory vulnerabilities before attackers find them. It also identifies common vulnerabilities that should be addressed.

The latest Purple Knight report lists quite a few potential vulnerabilities. For starters, however, here are some common examples:

  • Configuration mismatch: Configuration mismatch is the result of years of poor AD practices. Applications need to be configured in AD to work, but that takes time. A quick fix is to give the application far more administrative rights than it needs. Companies have done this in the past because they wanted to get their shiny new tool up and running as quickly as possible. As a result, administrative accounts pile up in AD, and compromising just one of them can have catastrophic consequences.
  • Obsolete administrator accounts: Older administrator accounts pose similar problems. They are the skeletons in the closet. If an attacker manages to gain access to these privileged accounts, they spell doom for organizations.
  • Weak or common passwords: attackers also still try to get into multiple accounts by trying a series of commonly used passwords against each of them. This is known as password spraying. It can be easily thwarted by administrators preventing the use of weak or commonly used passwords on their network.
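The password-spraying pattern in the last bullet leaves a recognizable trace in domain controller logon-failure events: one source, many distinct accounts, only one or two failures each, whereas classic brute force hammers a single account. The following detector is an added example, not code from the post or from Semperis; it assumes simplified Event ID 4625 records in a constructed CSV form (time, event id, source IP, account) and illustrative thresholds.

```python
# Added example (not from the post or Semperis): flag password spraying in Windows
# 4625 logon failures. Spray = one source, many accounts, few attempts each.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records, not real logs: "time,event_id,source_ip,account"
SAMPLE_4625 = """\
2024-03-01T08:00:01,4625,10.0.0.50,alice
2024-03-01T08:00:03,4625,10.0.0.50,bob
2024-03-01T08:00:05,4625,10.0.0.50,carol
2024-03-01T08:00:07,4625,10.0.0.50,dave
2024-03-01T08:00:09,4625,10.0.0.50,erin
2024-03-01T08:01:00,4625,10.0.0.77,svc_backup
2024-03-01T08:01:01,4625,10.0.0.77,svc_backup
2024-03-01T08:01:02,4625,10.0.0.77,svc_backup
2024-03-01T08:01:03,4625,10.0.0.77,svc_backup
2024-03-01T09:30:00,4625,10.0.0.12,alice
"""

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, event_id, src, account = line.split(",")
        if event_id == "4625":  # keep only failed logons
            events.append((datetime.fromisoformat(ts), src, account.lower()))
    return events

def classify_sources(events, window=timedelta(minutes=30),
                     min_accounts=5, max_per_account=2, brute_threshold=4):
    """Return {source_ip: 'spray' | 'brute_force' | 'normal'}."""
    by_src = defaultdict(list)
    for ts, src, account in events:
        by_src[src].append((ts, account))
    verdict = {}
    for src, items in by_src.items():
        items.sort()  # oldest first so the sliding-window scan below is simple
        label = "normal"
        for i, (start, _) in enumerate(items):
            counts = defaultdict(int)  # failures per account inside the window
            for ts, account in items[i:]:
                if ts - start > window:
                    break
                counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                label = "spray"
                break
            if max(counts.values()) >= brute_threshold:
                label = "brute_force"
                break
        verdict[src] = label
    return verdict
```

The sliding window per source also catches slow sprays spread over minutes, which a per-minute count would miss; tune the thresholds to your own lockout policy and normal failure rates.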

Of course, identifying and fixing these vulnerabilities is only a small piece of the puzzle, says Sean Deuby. To effectively combat the growing threat of cybercrime over the long term, companies must actively implement a number of best practices, the Semperis expert says. These range from conducting regular internal security audits and making key operational improvements to providing regular employee training on phishing. It also makes sense, he adds, to invest in recovery processes to ensure a rapid response in the event of an attack.

Most companies need support or guidance in developing a strong defense and should seek advice from professionals who specialize in AD security, Deuby says; that is the only way to understand the key changes administrators need to make to AD. Attacks on Active Directory are no longer a question of if, but when, the expert is certain. If companies eliminate their critical AD vulnerabilities, they have a good chance of being armed against such attacks.
