Active Directory Security Best Practices

Amritesh Singh by   04.11.2017   Data Security

Security Best Practices for Active Directory

Attackers are persistent in their pursuit to compromise Active Directory services due to their role in authorizing access to critical and confidential data. As organisations expand, their infrastructure becomes increasingly more complex, which makes them a lot more vulnerable to attack as it is harder to keep track of important system changes, events and permissions. It’s also becomes a lot harder for organisations to determine where their sensitive data is located, and the type of security policy that is most suitable for protecting this data.

Why Should You Care About Active Directory Security?

Active Directory is essentially the beating heart of your IT environment. Most attacks or security threats you will face will involve your Active Directory in some way, shape or form. An outsider looking to gain access to your data, for example, may look to steal credentials or install malware to compromise an account. Once inside your AD, they can escalate their privileges and move laterally through the system, gaining access to your sensitive data. That’s why it is vital to have good Active Directory security and ensure you are consistently monitoring and auditing changes to AD so that you can spot potential attacks and react in a timely manner.

Common Threats to Active Directory Security

Because Active Directory has been around for such a long time, attackers have found multiple ways to exploit security vulnerabilities. Microsoft has been proactive in plugging gaps in Active Directory security, but attackers will always find different ways to exploit the system and the humans that use them. Active Directory security threats fall broadly within two categories; system vulnerabilities and insider threats.

Active Directory System Vulnerabilities

Active Directory uses Kerberos authentication which has numerous vulnerabilities, such as Pass the Hash, Pass the Ticket, Golden Ticket and Silver Ticket. AD also supports NTLM encryption, a remnant of when NTLM encryption was actually used in AD, despite security being subpar. Brute force attacks are also a common method for attackers to force their way into AD.

Insider Threats in Active Directory

The most common way your Active Directory security is likely to be circumvented is through insider threats. Phishing attacks, social engineering and spear-phishing often succeed with your users that aren’t security conscious, allowing attackers to gain access to your AD with stolen credentials. Excessive permissions are also a common threat to Active Directory security, with users being either careless or intentionally malicious with data they should not have even had access to in the first place.

Best Practices for Active Directory Security

In order to effectively counter some of the Active Directory security vulnerabilities and risks that we have discussed in the above section, the AD experts here at Lepide have compiled a list of best practices that you can adopt.

1. Active Directory Security Groups

Members assigned to security groups such as Domain, Enterprise, and Schema Administrators are granted the maximum level of privilege within an Active Directory environment. As such, an attacker, or malicious insider, assigned to one of these groups, will have free reign over your AD environment along with your critical data.

2. Inactive User Accounts in AD

Inactive user accounts present a serious security risk to your Active Directory environment as they are often used by rogue administrators and hackers to gain access to critical data without arousing suspicion. It is always a good idea to disable inactive user accounts and place them in a separate OU. You could probably find a way to keep track of inactive user accounts using PowerShell, although this would require a specialized skill set. A simpler solution would be to use our Active Directory Cleanup feature. This feature allows admins to see a complete list of inactive user accounts, and organised them based on the last login date, OU, or user type. You can select which accounts you want to manage and automate account actions, which may include things like; moving inactive accounts to a different OU, resetting account passwords or deleting the accounts all together. Note that if you are using our LepideAuditor suite, you do not need to be concerned about account deletions as they can be easily restored if, and when required.

3. Local Administrators

It is very important for organisations to know what local administrators are up to, and how their access has been granted. When granting access to local administrators, it is important to the follow the “principle of least privilege” rule. We offer a free Local User Management Tool which allows admins to manage local user accounts associated with any domain. With this tool admins can manage password resets, enable and disable local user accounts.

4. Plain-text Passwords

Using Group Policy Objects (GPOs), it is possible to create user accounts and set passwords, including Local Administrator passwords, within Active Directory. Attackers or malicious insiders can exploit these GPOs to obtain and decrypt the password data without elevated access rights. Such eventualities can have sweeping repercussions across the network. This highlights the importance of ensuring that sysadmins have a means of spotting and reporting potential password vulnerabilities.

5. Domain Controller (DC) Logon Rights

It is very important that sysadmins have the ability to audit who logs on to a Domain Controller in order to protect privileged users and any assets they have access to. This is a common blind spot for organisations as they tend to focus on Enterprise and Domain administrators and forget that other groups may have inappropriate access rights to Domain Controllers.

6. LSASS Protection

Using hacking tools like Mimikatz, attackers can exploit the Local Security Authority Subsystem Service (LSASS) to extract user’s credentials, which can then be used to access assets that are associated with those credentials.

7. Password Status

Having an effective password policy is crucial to the security of your organisation. It is important for users to change their passwords periodically. Passwords that are rarely, or never changed, are less secure as it creates a greater opportunity for them to be stolen. Ideally, your organisation should have an automated system which allows passwords to expire after a given period of time. Additionally, the Lepide User Password Expiration Reminder is a useful tool which automatically reminds Active Directory users when their passwords are close to their expiry date.

8. Nested Groups

It is common for administrators to nest groups inside other groups as a means of quickly organizing group membership. However, such nesting of groups presents a challenge to admins as it is harder for them to figure out who has access to which group, and why. It is important for you to be able to identify which groups have the highest number of nested groups and how many levels of nesting a group has. It is also important to know who, what, where and when Group Policy changes are taking place.

9. Open Access

It is common for well-known security identifiers such as Everyone, Authenticated Users, and Domain Users, to be used to grant inappropriate user privileges to network resources such as file shares. The use of these security identifiers can allow hackers to exploit the organisation’s network, as they will have access to a large number of user accounts.

10. Server Logon Rights

Local Security Policies are controlled by Group Policy via a number of user rights assignments, including:

  • Allow log on locally
  • Log on as a batch job
  • Allow log on through Remote Desktop Services
  • Log on as a service etc.

These assignments allow non-administrators to perform functions that are typically restricted to administrators. If these functions are not analysed, restricted, and carefully audited, attackers could use them to compromise the system by stealing credentials and other sensitive information.

Audit Active Directory Changes

If you haven’t already done so, make sure that you are using a third-party Active Directory auditing solution. It is crucial that you have a set of such solutions that allow you to keep track of critical changes and provide the visibility you need to make security decisions.

If you’re looking for an Active Directory auditing solution that provides real time alerts and pre-defined reports, it’s worth checking out LepideAuditor for Active Directory. LepideAuditor for Active Directory comes with a 15-day free trial to help you evaluate the solution.