Attackers are persistent in their pursuit to compromise Active Directory services due to their role in authorizing access to critical and confidential data.
As organizations expand, their infrastructure becomes increasingly complex, which makes them more vulnerable to attack because it is harder to keep track of important system changes, events and permissions.
It also becomes much harder for organizations to determine where their sensitive data is located and which type of security policy is most suitable for protecting it.
Why Should You Care About Active Directory Security?
Active Directory is essentially the beating heart of your IT environment. Most attacks or security threats you will face will involve your Active Directory in some way, shape or form.
An outsider looking to gain access to your data, for example, may look to steal credentials or install malware to compromise an account. Once inside your AD, they can escalate their privileges and move laterally through the system, gaining access to your sensitive data.
That’s why it is vital to have good Active Directory security and ensure you are consistently monitoring and auditing changes to AD so that you can spot potential attacks and react in a timely manner.
Common Threats to Active Directory Security
Because Active Directory has been around for such a long time, attackers have found multiple ways to exploit security vulnerabilities.
Microsoft has been proactive in plugging gaps in Active Directory security, but attackers will always find different ways to exploit the system and the people who use it.
Active Directory security threats fall broadly into two categories: system vulnerabilities and insider threats.
Active Directory System Vulnerabilities
Active Directory uses Kerberos authentication, which has numerous vulnerabilities, such as Pass the Hash, Pass the Ticket, Golden Ticket and Silver Ticket. AD also supports NTLM encryption, a remnant of when NTLM encryption was actually used in AD, despite its subpar security. Brute force attacks are also a common method for attackers to force their way into AD.
Insider Threats in Active Directory
The most common way your Active Directory security is likely to be circumvented is through insider threats. Phishing attacks, social engineering and spear-phishing often succeed with users who aren’t security conscious, allowing attackers to gain access to your AD with stolen credentials.
Excessive permissions are also a common threat to Active Directory security, with users being either careless or intentionally malicious with data they should not have even had access to in the first place.
Best Practices for Active Directory Security
In order to effectively counter some of the Active Directory security vulnerabilities and risks that we have discussed in the above section, the AD experts here at Lepide have compiled a list of best practices that you can adopt.
- Manage Active Directory Security Groups
- Clean-Up Inactive User Accounts in AD
- Monitor Local Administrators
- Don’t Use GPOs to Set Passwords
- Audit Domain Controller (DC) Logons
- Ensure LSASS Protection
- Have a Stringent Password Policy
- Beware of Nested Groups
- Remove Open Access
- Audit Server Logon Rights
- Adopt the Principle of Least Privilege for AD Security
- Back Up Your Active Directory and Have a Method for Recovery
- Enable Security Monitoring of Active Directory for Signs of Compromise
- Audit Active Directory Changes
1. Manage Active Directory Security Groups
Members assigned to security groups such as Domain, Enterprise, and Schema Administrators are granted the maximum level of privilege within an Active Directory environment. As such, an attacker or malicious insider assigned to one of these groups will have free rein over your AD environment along with your critical data.
2. Clean-Up Inactive User Accounts in AD
Inactive user accounts present a serious security risk to your Active Directory environment as they are often used by rogue administrators and hackers to gain access to critical data without arousing suspicion.
It is always a good idea to manage inactive user accounts. You can keep track of inactive user accounts using PowerShell or by using a solution like Lepide Active Directory Cleanup.
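As an added illustration (not Lepide's code), the following Python sketch classifies accounts from an exported attribute list as stale or never used. It assumes an export containing `sAMAccountName`, `userAccountControl`, `whenCreated` and `lastLogonTimestamp`; the sample records and the 90-day threshold are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lastLogonTimestamp is replicated lazily and, by default, can trail the
# real last logon by up to 14 days, so that slack widens the threshold.
REPLICATION_SLACK = timedelta(days=14)
ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled account

def filetime_to_datetime(ticks):
    """Aware datetime for a FILETIME, or None for 0/missing (never logged on)."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10) if ticks else None

def to_filetime(dt):
    """Inverse helper, used only to build the constructed sample below."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def find_inactive(accounts, now, max_idle_days=90):
    """Return (name, reason) for enabled accounts idle past the threshold."""
    cutoff = now - timedelta(days=max_idle_days) - REPLICATION_SLACK
    findings = []
    for acct in accounts:
        if acct["userAccountControl"] & ACCOUNTDISABLE:
            continue  # already disabled
        last = filetime_to_datetime(acct.get("lastLogonTimestamp"))
        if last is None:
            if acct["whenCreated"] < cutoff:  # old account that was never used
                findings.append((acct["sAMAccountName"], "never-used"))
        elif last < cutoff:
            findings.append((acct["sAMAccountName"], "stale"))
    return findings

def acct(name, uac, created, last):  # builds one constructed sample record
    return {"sAMAccountName": name, "userAccountControl": uac,
            "whenCreated": datetime(*created, tzinfo=timezone.utc),
            "lastLogonTimestamp": to_filetime(datetime(*last, tzinfo=timezone.utc)) if last else 0}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample
SAMPLE = [
    acct("alice", 512, (2021, 3, 1), (2024, 5, 20)),   # recently active
    acct("bob", 512, (2020, 1, 15), (2023, 11, 1)),    # stale
    acct("carol", 512, (2022, 7, 4), (2024, 2, 25)),   # 97 days idle: inside the slack
    acct("svc_old", 512, (2022, 1, 10), None),         # never logged on
    acct("dave", 514, (2019, 5, 5), (2020, 8, 8)),     # disabled, ignored
]

if __name__ == "__main__":
    for name, reason in find_inactive(SAMPLE, NOW):
        print(f"{name}: {reason}")
```

Accounts flagged as never used are often forgotten service or test accounts and deserve the same review as stale ones.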
3. Monitor Local Administrators
It is very important for organizations to know what local administrators are up to, and how their access has been granted. When granting access to local administrators, it is important to follow the “principle of least privilege” rule.
4. Don’t Use GPOs to Set Passwords
Using Group Policy Objects (GPOs), it is possible to create user accounts and set passwords, including Local Administrator passwords, within Active Directory.
Attackers or malicious insiders can exploit these GPOs to obtain and decrypt the password data without elevated access rights. Such eventualities can have sweeping repercussions across the network.
This highlights the importance of ensuring that sysadmins have a means of spotting and reporting potential password vulnerabilities.
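One way to spot these passwords, shown as an added example rather than Lepide's tooling: Group Policy Preferences keep such passwords in a `cpassword` attribute of XML files under SYSVOL, so a scan of a SYSVOL copy can report where they remain without reading the values. The directory layout, GUID, account names and attribute values below are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

ACCOUNT_ATTRS = ("userName", "runAs", "accountName")  # as used in the samples

def scan_for_cpassword(root_dir):
    """Walk a copy of SYSVOL and report each XML element that carries a
    non-empty cpassword attribute. The value is never returned or decrypted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except (ET.ParseError, OSError):
                continue  # malformed or unreadable file: skip it, keep scanning
            for elem in root.iter():
                if elem.get("cpassword"):
                    account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
                    findings.append({"file": os.path.relpath(path, root_dir),
                                     "account": account})
    return sorted(findings, key=lambda f: f["file"])

def build_sample_sysvol(root_dir):
    """Write constructed preference files; the GUID and values are placeholders."""
    base = os.path.join(root_dir, "Policies", "{00000000-0000-0000-0000-000000000001}",
                        "Machine", "Preferences")
    samples = {
        "Groups": '<Groups><User><Properties userName="LocalAdmin" '
                  'cpassword="CONSTRUCTED-PLACEHOLDER"/></User></Groups>',
        "ScheduledTasks": '<ScheduledTasks><Task><Properties runAs="CORP\\svc_backup" '
                          'cpassword="CONSTRUCTED-PLACEHOLDER"/></Task></ScheduledTasks>',
        "Services": '<NTServices><NTService><Properties accountName="LocalSystem" '
                    'cpassword=""/></NTService></NTServices>',  # cleared: not reported
        "Drives": "<Drives><Drive",  # truncated file: skipped by the scanner
    }
    for kind, xml_text in samples.items():
        os.makedirs(os.path.join(base, kind), exist_ok=True)
        with open(os.path.join(base, kind, kind + ".xml"), "w", encoding="utf-8") as fh:
            fh.write(xml_text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sysvol(tmp)
        print(scan_for_cpassword(tmp))
```

Every account reported should have its password rotated and the preference item removed, since the stored value must be treated as exposed.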
5. Audit Domain Controller (DC) Logons
It is very important that sysadmins have the ability to audit who logs on to a Domain Controller in order to protect privileged users and any assets they have access to.
This is a common blind spot for organizations as they tend to focus on Enterprise and Domain administrators and forget that other groups may have inappropriate access rights to Domain Controllers.
6. Ensure LSASS Protection
Using hacking tools like Mimikatz, attackers can exploit the Local Security Authority Subsystem Service (LSASS) to extract users’ credentials, which can then be used to access assets that are associated with those credentials.
7. Have a Stringent Password Policy
Having an effective password policy is crucial to the security of your organization. It is important for users to change their passwords periodically. Passwords that are rarely or never changed are less secure, as this creates a greater opportunity for them to be stolen.
Ideally, your organization should have an automated system which allows passwords to expire after a given period of time. Additionally, the Lepide User Password Expiration Reminder is a useful tool which automatically reminds Active Directory users when their passwords are close to their expiry date.
One problem that many seem unable to overcome is that complex passwords cannot be remembered easily. This leads to users writing the password down or storing it on their machine. To overcome this, organizations are using passphrases instead of passwords to increase complexity without making passwords impossible to remember.
8. Beware of Nested Groups
It is common for administrators to nest groups inside other groups as a means of quickly organizing group membership. However, such nesting of groups presents a challenge to admins as it is harder for them to figure out who has access to which group, and why.
It is important for you to be able to identify which groups have the highest number of nested groups and how many levels of nesting a group has. It is also important to know who, what, where and when Group Policy changes are taking place.
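The nesting analysis described above, as an added example (not Lepide's code): it computes how many levels of nesting each group has, which groups it contains transitively, and who ends up as an effective member, and it records circular nesting instead of looping forever. The group names and memberships are constructed.

```python
def expand(groups, name, path=()):
    """Return (depth, nested_groups, accounts, cycles) for one group.

    groups maps a group name to its direct members; a member that is itself
    a key is a nested group, anything else is a user or computer account."""
    depth, nested, accounts, cycles = 0, set(), set(), set()
    for member in groups.get(name, []):
        if member not in groups:
            accounts.add(member)
        elif member == name or member in path:
            cycles.add((name, member))  # circular nesting: record, do not recurse
        else:
            d, n, a, c = expand(groups, member, path + (name,))
            depth = max(depth, d + 1)
            nested |= n | {member}
            accounts |= a
            cycles |= c
    return depth, nested, accounts, cycles

def nesting_report(groups):
    """One row per group, deepest and most heavily nested first."""
    rows = []
    for name in groups:
        depth, nested, accounts, cycles = expand(groups, name)
        rows.append({"group": name, "depth": depth, "nested": sorted(nested),
                     "effective_members": sorted(accounts), "cycles": sorted(cycles)})
    return sorted(rows, key=lambda r: (-r["depth"], -len(r["nested"]), r["group"]))

# Constructed membership export: group -> direct members.
GROUPS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["bob", "Server-Team"],
    "Server-Team": ["carol", "Helpdesk"],
    "Helpdesk": ["dave", "Server-Team"],  # circular with Server-Team
    "File-Readers": ["erin"],
}

if __name__ == "__main__":
    for row in nesting_report(GROUPS):
        print(row)
```

In the sample, `dave` is listed only in Helpdesk yet is an effective member of Domain Admins three levels down, which is exactly the kind of access that direct-membership reviews miss.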
9. Remove Open Access
It is common for well-known security identifiers such as Everyone, Authenticated Users, and Domain Users, to be used to grant inappropriate user privileges to network resources such as file shares. The use of these security identifiers can allow hackers to exploit the organization’s network, as they will have access to a large number of user accounts.
10. Audit Server Logon Rights
Local Security Policies are controlled by Group Policy via a number of user rights assignments, including:
- Allow log on locally
- Log on as a batch job
- Allow log on through Remote Desktop Services
- Log on as a service etc.
These assignments allow non-administrators to perform functions that are typically restricted to administrators. If these functions are not analyzed, restricted, and carefully audited, attackers could use them to compromise the system by stealing credentials and other sensitive information.
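To audit these assignments, the added example below (not Lepide's code) parses the `[Privilege Rights]` section of a security template, assumed here to be the text produced by `secedit /export`, and flags the four logon rights listed above when they are granted to broad principals such as Everyone, Authenticated Users or Domain Users. The template content and domain SID are constructed.

```python
LOGON_RIGHTS = {  # secedit constant -> policy name from the list above
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeRemoteInteractiveLogonRight": "Allow log on through Remote Desktop Services",
    "SeServiceLogonRight": "Log on as a service",
}
BROAD_SIDS = {  # well-known SIDs that cover most or all accounts
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}

def describe_broad(principal):
    """Name of a broad principal, or None. RID 513 is Domain Users in any domain."""
    if principal.startswith("S-1-5-21-") and principal.endswith("-513"):
        return "Domain Users"
    return BROAD_SIDS.get(principal)

def parse_privilege_rights(inf_text):
    """Map each right in the [Privilege Rights] section to its principals."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            members = [p.strip().lstrip("*") for p in value.split(",")]
            rights[name.strip()] = [m for m in members if m]
    return rights

def audit_logon_rights(inf_text):
    """Return (policy name, broad principal) for each over-broad logon right."""
    rights = parse_privilege_rights(inf_text)
    return [(LOGON_RIGHTS[const], describe_broad(p))
            for const, principals in rights.items() if const in LOGON_RIGHTS
            for p in principals if describe_broad(p)]

# Constructed template export; the domain SID is a placeholder.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-11
SeBackupPrivilege = *S-1-1-0
[Version]
"""
```

Calling `audit_logon_rights(SAMPLE_INF)` returns three findings for review; the `SeBackupPrivilege` line is ignored because it is not one of the logon rights listed above.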
11. Adopt the Principle of Least Privilege for AD Security
The Principle of Least Privilege is the idea that users should only have the minimum access rights required to perform their job functions – anything more than this is considered to be excessive.
You should audit your Active Directory to determine who has access to your most sensitive data and which of your users have elevated privileges. You should aim to restrict permissions for all those who do not need them.
12. Back Up Your Active Directory and Have a Method for Recovery
It’s recommended that you back up your Active Directory on a regular basis, with intervals that do not exceed 60 days. This is because the lifetime of AD tombstone objects is, by default, 60 days. You should aim to include your AD backup within your disaster recovery plan to help you prepare for any disastrous events. As a general rule, at least one domain controller should be backed up.
You may want to consider using a more sophisticated recovery solution that will help you back up and restore AD objects to their original state. Using such a solution instead of relying on the native recovery methods will end up saving you a great deal of time.
13. Enable Security Monitoring of Active Directory for Signs of Compromise
Being able to proactively and continuously audit and monitor your Active Directory will enable you to spot the signs of a breach or compromise. In most cases, serious security breaches can be avoided by the use of monitoring solutions.
Recent surveys have suggested that, despite evidence that monitoring helps to improve security, more than 80% of organizations still do not actively do it.
14. Audit Active Directory Changes
It is crucial that you keep track of all changes made to Active Directory. Any unwanted or unauthorized change can pose a serious threat to your Active Directory security.
How Lepide Helps with Active Directory Security
At Lepide, our Active Directory Auditing and Monitoring Solution allows you to get real time, actionable insight into the changes being made to your Active Directory. You will be able to spot the signs of compromise in real time and take action faster to prevent potentially disastrous incidents.
If you’re looking for an Active Directory auditing solution that provides real time alerts and pre-defined reports, it’s worth checking out LepideAuditor for Active Directory. LepideAuditor for Active Directory comes with a 15-day free trial to help you evaluate the solution.