Auditing Administrator Access Rights in Active Directory

IT administrators require elevated rights in Active Directory to carry out certain tasks, a fact that we can’t deny. However, should an attacker gain access to a user account in AD with admin-level privileges, they will have free reign to do pretty much anything they choose.

They can potentially download a database containing large amounts of PII, or access folders containing valuable company secrets. They may choose to install a backdoor for later access, or infect the system with malware.

This is why it is crucially important that we know exactly which accounts have admin-level privileges and know exactly why such privileges are necessary. We also need to know what these accounts are up to and be able to verify the authenticity of the actions that are performed by these accounts.

Even-though Privileged Access Management (PAM) is touted as one of the most important areas of data security, and is a mandatory requirement for data protection regulations, such as the GDPR, many organizations are still struggling to identify their privileged accounts, let alone monitor them for suspicious behaviour.

In fact, according to Verizon’s 2019 Data Breach Investigations Report (DBIR), nearly half of the companies surveyed are not aware of how many privileged accounts they have.

Privileged Account Management Objectives

Naturally, before we attempt to secure the privileged accounts we have, we need to make sure that the number of accounts which have admin-level privileges are reduced to an absolute minimum. One of the biggest mistakes we make when it comes to managing privileged accounts is that we fail to revoke privileges when they are no longer required.

While periodically rotating passwords can help to minimize the chance of an attacker gaining persistent access to our network, a lot more needs to be done to prevent privileged account abuse.

The first question we need to ask ourselves is, how do we identify our privileged accounts? Of course, most privileged accounts will be easy to find through a simple search, however, some will be hidden. As such, it is imperative that we use a sophisticated Active Directory auditing solution that gives use the visibility we need to identify all privileged user accounts at the click of a button. Once we know what we are dealing with, we can then start to setup the controls to protect them.

Classifying User Accounts

The second step involves creating a simple classification schema which our user accounts will fall into. For example, most user accounts fall into one of three categories, which include:

• Super User – sometimes referred to as “Administrator” or “Root”.
• Power User – this would include a subset of the Super Users’ privileges.
• Normal User – these accounts have relatively few privileges compared to the previous two.

You can setup as many categories as you like, and call them whatever you like, as long as you are able to easily differentiate between the different levels of access.

Identifying Privileged Account Owners

In order to determine if or when the privileged accounts in question need the privileges they have been assigned, we need to identify the owner of the account. This is not always as easy as it sounds. If there is no clear documentation that states who the owner of the account is, you can examine certain account specific attributes such as User Profile Last Modified Date, User Profile Size, Currently Logged On User, Last Logged On User, Service Type and Authentication Source.

Looking at these attributes will give you a clue as to which user is the most active, and what applications, services and workstations the account is associated with, which in turn will provide further clues about the true owner of the account.

Communicating with Privileged Account Owners

Naturally, it is a good idea to talk with privileged account owners to determine whether the privileges they have been assigned is still relevant, assuming they were necessary in the first place. You will need to arrange a formal interview, which includes a list of questions, and all answers must be documented for later use.

Again, you will need to ask questions relating to what the account is being used for, if it is really necessary, and if/when they need privileged access.

Remove Any Redundant Privileged Accounts

Based on the information obtained by speaking with account owners, begin removing all privileged accounts that are no longer required. Likewise, all unnecessary privileges should be revoked. It is a good idea to start with the accounts that have access to the most critical resources first.

Employ Just-in-Time (JiT) Access

Just-in-Time (JiT) is a methodology used to prevent “standing access” by elevating privileges on-the-fly, and typically consists of the following three stages.

1. A human or non-human user requests privileged access to a server, virtual machine or network device.
2. The request is either checked against a pre-defined set of rules and approved automatically, or by an administrator who will grant or deny the request at their discretion. If the request is approved, the users’ privileges will be escalated, even if only for a few minutes.
3. Once the task has been completed, the user will log off and their access is revoked. Alternatively, access may be revoked after a specified period of time.

Monitor Access to Privileged Accounts

Given how important it is that privileged accounts are secured through restricting and monitoring access, it makes sense to ensure that you are using the latest and greatest tools available to streamline the process.

Most sophisticated, real-time Active Directory auditing solutions use machine learning algorithms to detect and respond to privileged account abuse. They start by monitoring privileged accounts for a period of time to establish typical usage patterns.

If a privileged account deviates from their typical usage pattern beyond a certain threshold, and alert will be raised, which the security team can review to determine the legitimacy of the action.

In some cases, an alert can be raised based on a pre-defined threshold condition such as multiple failed logons or when multiple files are encrypted within a given timeframe. A custom script can be executed automatically to respond to the incident, which may include disabling a user account, stopping a specific process, adjusting the firewall settings or simply shutting down the affected server.

One of the main benefits of using a real-time auditing solution is that they are able to aggregate event data from a wide range of sources and present the information via an intuitive dashboard, which makes monitoring and restricting access to privileged accounts much easier.

If you would like to see how the Lepide Data Security Platform helps audit administrator access in Active Directory, schedule a demo with one of our engineers today.