
Hardening Active Directory and Securing Unstructured Data Stores

By Danny Murphy | Published On - 06.30.2020 | Data Security

Unstructured data is any data that is not stored in a pre-defined schema, and can include Word, text and PDF documents, photos, videos, MP3s, emails, data obtained via social media platforms and various types of personal data.

According to a forecast by the IDC, 80 percent of global data will be unstructured by 2025.

Unlike a relational database, for example, unstructured data can be difficult to identify, and thus protect. This is likely to be the main reason why 65% of organizations can’t analyse or categorize all the consumer data they store, according to the Data Security Confidence Index.

Additionally, according to an article by itproportal.com, 65% of businesses are collecting too much data and can't find the time or resources to analyse all of it. With this in mind, a good place to start is to remove or archive any data that is not necessary for day-to-day business operations.

Perhaps the simplest and most effective way to identify unstructured data, especially data that is sensitive, is to use a data discovery and classification tool. However, for these tools to be effective, we first need to ensure that the access control policies we have in place have been hardened, so that users cannot access resources that are not relevant to their role.

90% of organizations across the globe use Microsoft Active Directory (AD) as their primary access control solution. AD enables administrators to organize users into logical groups and subgroups, with each group having its own set of permissions.

Before we can secure our unstructured data, we must carefully review these groups and their permissions, and “harden” them to ensure that users are not able to access resources they do not require. Below are some basic steps to follow.

Use Passphrases as Opposed to Complex Passwords

Naturally, strong passwords are the pinnacle of effective data security. It is becoming more popular to use passphrases as opposed to passwords as they are easier to remember, yet still sufficiently complex.

If the passphrase is easy to remember, the user may not need to write it down, thus making it more secure.

A common practice is to choose at least three unrelated words, and insert numbers and special characters between them, for example, tree4door!cat#boat, or summer42shirt/bulb.

Clean up Unused Objects

To ensure basic AD hygiene, some initial housekeeping is required. This involves conducting a review of all users, groups and computers that are no longer being used. This will not only help to reduce the attack surface, but will also make AD easier to manage.

When dealing with objects that are used infrequently, you will need to do some research into what these objects are, who owns them, how they are being used, and why they are necessary. You can then record this information on the object itself, for future reference.
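As an added illustration of this review step (not code from the article or from Lepide), the following PowerShell uses the ActiveDirectory module to list users and computers with no logon in an assumed 90-day window, together with the context attributes the article says to record, plus groups that have no members at all:

```powershell
Import-Module ActiveDirectory

# Assumed threshold: an object with no logon in 90 days is "unused" and goes on the review list
$window = New-TimeSpan -Days 90

# Users and computers that have not authenticated within the window
$stale  = @(Search-ADAccount -AccountInactive -TimeSpan $window -UsersOnly)
$stale += @(Search-ADAccount -AccountInactive -TimeSpan $window -ComputersOnly)

$report = foreach ($acct in $stale) {
    # Pull the attributes that give an object its context: when it was made and what it is for
    $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties Description, whenCreated, whenChanged
    [pscustomobject]@{
        Name          = $acct.SamAccountName
        Type          = $acct.ObjectClass
        Enabled       = $acct.Enabled
        LastLogonDate = $acct.LastLogonDate
        Created       = $obj.whenCreated
        LastChanged   = $obj.whenChanged
        Description   = $obj.Description
        # An empty description means nobody has recorded an owner or purpose yet
        NeedsContext  = [string]::IsNullOrWhiteSpace($obj.Description)
    }
}

# Groups with no members are a separate cleanup candidate
# (built-in groups that are meant to stay empty, such as Schema Admins, will appear here too)
$emptyGroups = Get-ADGroup -Filter * -Properties Members |
               Where-Object { $_.Members.Count -eq 0 } |
               Select-Object Name, GroupCategory, DistinguishedName

# Review the lists before disabling anything; enabled, undocumented objects are researched first
$report | Sort-Object Enabled, LastLogonDate -Descending | Format-Table -AutoSize
$report      | Export-Csv -Path .\stale-ad-objects.csv -NoTypeInformation
$emptyGroups | Export-Csv -Path .\empty-ad-groups.csv  -NoTypeInformation
```

Disable and annotate rather than delete on the first pass; a stale object that was still needed can then be re-enabled without recreating it.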

Lock Down Service Accounts

A service account is a special type of account which allows applications to authenticate to AD, and thus gain access to the underlying operating system. These types of accounts are frequently targeted by attackers as they are rarely monitored, have elevated privileges, and use passwords which don’t expire.

It is crucial that service accounts are closely monitored, and that access permissions have been hardened. You may need to check with the vendor to find out what privileges the application needs. Any passwords associated with service accounts need to be periodically rotated.
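To make the two checks in this section concrete, here is an added PowerShell example (not from the article or from Lepide) that treats every user holding a servicePrincipalName as a service account and reports whether its password never expires, how old the password is against an assumed 180-day rotation policy, and whether it sits directly in a privileged group:

```powershell
Import-Module ActiveDirectory

# Assumed policy: a service account password older than 180 days is overdue for rotation
$maxPasswordAge = New-TimeSpan -Days 180
$privileged     = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

# Any user object holding a servicePrincipalName is used by an application to authenticate to AD
$svcAccounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties PasswordNeverExpires, PasswordLastSet, MemberOf, ServicePrincipalName, Description

$now = Get-Date
$report = foreach ($a in $svcAccounts) {
    # MemberOf is direct membership only; nested membership is checked from the group side (-Recursive)
    $groups = foreach ($dn in $a.MemberOf) { (Get-ADGroup -Identity $dn).Name }
    $age    = if ($a.PasswordLastSet) { $now - $a.PasswordLastSet } else { $null }
    [pscustomobject]@{
        Account              = $a.SamAccountName
        Enabled              = $a.Enabled
        PasswordNeverExpires = $a.PasswordNeverExpires
        PasswordAgeDays      = if ($age) { [int]$age.TotalDays } else { $null }
        # No PasswordLastSet at all (never set / must change) is also treated as overdue
        RotationOverdue      = (-not $age) -or ($age -gt $maxPasswordAge)
        PrivilegedGroups     = ($groups | Where-Object { $privileged -contains $_ }) -join ';'
        SPNs                 = $a.ServicePrincipalName -join ';'
        Description          = $a.Description
    }
}

# Worst first: privileged, never-expiring, overdue
$report | Sort-Object { $_.PrivilegedGroups -ne '' }, PasswordNeverExpires, RotationOverdue -Descending |
    Format-Table Account, Enabled, PasswordNeverExpires, PasswordAgeDays, RotationOverdue, PrivilegedGroups -AutoSize
$report | Export-Csv -Path .\service-accounts.csv -NoTypeInformation

# Group managed service accounts (Get-ADServiceAccount) rotate their own passwords and are not
# returned by Get-ADUser; where the vendor supports them they remove the rotation problem entirely
```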

Monitor and Remove All Other Admin-Like Permissions

Permissions which allow users to reset passwords, make changes to group memberships, and make changes to accounts or objects that facilitate replication, must also be locked down to prevent unauthorised access.

Likewise, employees should not be allowed to use admin accounts on their workstations, as an attacker who gains control of the workstation could then install malicious software and so on. Any permissions that are not required must be removed, and permissions that cannot be removed must be carefully monitored.

Administrators need to be alerted, in real time, when these permissions change and by whom.

Eliminate Permanent Membership in Security Groups

Were an attacker to gain access to security groups such as Enterprise Admins, Schema Admins, and Domain Admins, they would have free rein to do pretty much anything they want. As such, it is crucially important that membership of these groups is revoked as soon as it is no longer required.

Since the Enterprise Admins and Schema Admins groups are not used often, restricting access to these groups won't be much of a problem. However, the Domain Admins group is typically used more frequently, so you will need to adopt a proactive approach to granting and revoking membership.
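The membership review this section calls for, as an added PowerShell example (not the article's or Lepide's code). It expands nested membership of the three groups across the forest and flags anyone not on an assumed approved list; the 'da-break-glass' name is a placeholder:

```powershell
Import-Module ActiveDirectory

# Assumed: approved standing members, maintained by you. Enterprise Admins and Schema Admins
# are expected to be empty between scheduled uses; 'da-break-glass' is a placeholder account name.
$approved = @{
    'Enterprise Admins' = @()
    'Schema Admins'     = @()
    'Domain Admins'     = @('da-break-glass')
}

$forest = Get-ADForest
# Enterprise Admins and Schema Admins exist only in the forest root domain; Domain Admins in every domain
$targets = @(
    @{ Group = 'Enterprise Admins'; Domain = $forest.RootDomain }
    @{ Group = 'Schema Admins';     Domain = $forest.RootDomain }
)
foreach ($d in $forest.Domains) { $targets += @{ Group = 'Domain Admins'; Domain = $d } }

$findings = foreach ($t in $targets) {
    # -Recursive expands nested groups, so members granted access indirectly appear as well
    $members = Get-ADGroupMember -Identity $t.Group -Server $t.Domain -Recursive
    foreach ($m in $members) {
        [pscustomobject]@{
            Domain   = $t.Domain
            Group    = $t.Group
            Member   = $m.SamAccountName
            Class    = $m.objectClass
            Approved = $approved[$t.Group] -contains $m.SamAccountName
        }
    }
}

# Every unapproved entry is a standing privilege to revoke or convert to a time-bound grant
$findings | Where-Object { -not $_.Approved } | Format-Table -AutoSize
$findings | Export-Csv -Path .\privileged-membership.csv -NoTypeInformation
```

The built-in Administrator account is a default member of Domain Admins and will be flagged until you add it to the approved list deliberately.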

Data Discovery and Classification

So now that we’ve reviewed all permissions to ensure that accounts are granted the least privileges they need to carry out their role, the next step is to classify our unstructured data. Naturally, if we are to stand any chance of keeping our data secure, we need to know exactly what data we have, where it is located, and how sensitive the data is.

The good news is that we don't have to do this manually. Most sophisticated auditing solutions provide tools which can automatically discover and classify unstructured data containing a wide range of data types, including Social Security numbers, payment card information, protected health information, and so on.

Real-Time Auditing

We also need an inventory of important events involving our unstructured data, which includes who did what, where and when. A real-time auditing solution can keep track of all changes to AD permissions, as well as to any files and folders containing sensitive data.

Any suspicious events are reported to the relevant personnel, who can review the changes and take action accordingly. Such events include permission and configuration changes, and files and folders that have been accessed, moved, copied, modified or deleted.

Attackers will often try to hijack user accounts that are inactive, as these provide a way to infiltrate a network without arousing too much suspicion. Fortunately, most real-time auditing solutions can automatically detect and manage inactive user accounts.
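For the AD side of this auditing, and for the "who changed what, and by whom" alerting called for under admin-like permissions above, here is an added PowerShell example (not the article's or Lepide's code) that polls the Security log on a domain controller for group-membership additions, password resets and object permission changes, and reads the acting account out of each event. It assumes the advanced audit policy is already logging these event IDs:

```powershell
# Assumed: run on a domain controller (or a collector receiving forwarded DC Security logs),
# with audit policy already logging account-management and directory-service-access events.
$watched = @{
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4724 = 'Password reset attempted on another account'
    4670 = 'Permissions on an object changed'
}
$since = (Get-Date).AddHours(-1)   # lookback for one polling interval

function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    # Read EventData fields by name rather than by positional Properties[] index
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($watched.Keys); StartTime = $since } `
          -ErrorAction SilentlyContinue   # no matching events is not an error here

$alerts = foreach ($e in $events) {
    [xml]$x = $e.ToXml()
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        What    = $watched[$e.Id]
        ByWhom  = "$(Get-EventField $x 'SubjectDomainName')\$(Get-EventField $x 'SubjectUserName')"
        Target  = Get-EventField $x 'TargetUserName'   # group (47xx) or account (4724) acted on
        Member  = Get-EventField $x 'MemberName'       # present only on the 47xx group events
        Object  = Get-EventField $x 'ObjectName'       # present only on 4670
        DC      = $e.MachineName
    }
}

# Hand these to your alerting channel; here they are just printed
$alerts | Sort-Object Time | Format-Table Time, EventId, What, ByWhom, Target, Member, Object -AutoSize
```

Run it on a schedule matching the lookback window, or subscribe to the same IDs with a forwarded-events collector, so a membership change is seen within minutes rather than at the next manual review.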

If you would like to see how the Lepide Data Security Platform combines data classification, user behavior analytics and access governance into one scalable solution, schedule a demo with one of our engineers today.
