Privilege escalation begins when an attacker gets hold of low-level credentials and uses them to move up the ladder until they control sensitive AD accounts. Obtaining access to privileged AD accounts provides hackers with the opportunity to gain unauthorized access to systems, steal data, set up persistent backdoors, or pivot and launch their attack throughout the organization.
There is no single solution for preventing escalation; rather, it requires several practical controls, visibility, and a shift in general behavior.
12 Common Control Implementations to Mitigate Privilege Escalation
Privilege escalation usually begins with small gaps. Excessive access, weak authentication, or privileges that were never reviewed. Addressing these issues early reduces attack paths and limits the blast radius if credentials are compromised. The following controls focus on closing the most common doors attackers rely on.
- Enforce strong authentication: Implement long and complicated passwords in addition to multi-factor authentication for users who can access sensitive systems or request a privilege escalation. Password length is more important than crazy complexity requirements. Multi-factor authentication can stop many types of credential-based attacks, including when passwords have been compromised.
- Apply least privilege: Give users only the access rights necessary to perform their job functions. Regularly review user group membership and remove any broad administrator group memberships. Use role-based access control (RBAC) instead of ad-hoc privilege assignments.
- Reduce the number of privileged accounts: Each additional administrator account is another opportunity for the hacker to compromise their environment. Consolidate everyone’s access, remove those individuals whose accounts are no longer used, and do your best to avoid long-term administrator credentials. If at all possible, use temporary elevated privileges instead of an administrator account.
- Use a tiered admin model and privileged access workstations: Each function performed by an administrator should have a specific layer of authority associated with that function; for example, privileged access roles should only use dedicated workstations that have been hardened against known vulnerabilities (e.g., email, browsing), and therefore if a hacker uses a compromised workstation to gain access to the network, he/she will not be able to use that access to gain control of the domain because the location will be invalid.
- Adopt just-in-time (JIT) and approval workflows: Use Just-in-time (JIT) secured workflow processes to elevate access for only as long as required and require approval or automated processes to log the request. By providing time-limited access, only provides access for as long as needed reducing the potential for credential abuse if there is a compromise.
- Harden service accounts and Kerberos usage: Properly secure your Service Accounts & Kerberos usage by frequently changing service account credentials, ensuring high-level privileged accounts are not used as service accounts and using managed service accounts when available. Limit the number of publicly available Service Principal Names and monitor Kerberos ticket requests for deviations from normal patterns.
- Patch and manage system updates: Patching all your equipment (domain controllers, servers, and all endpoints) is very important. Many privilege escalations can exploit a known vulnerability that the vendor has already patched.
- Remove and monitor inactive accounts: Identify Stale User and Service Accounts and Disable/Delete them from your Network. Inactive accounts are low-effort targets for an attacker.
- Centralize logging and monitor behavior: Enable AD auditing for the creation of accounts, group membership changes, logging into privileged accounts as well as all delegated resource events. Send logs to a SIEM or use an analytics engine and utilize UEBA to flag any unusual actions such as unexpected logins, ticket requests, or mass permission changes.
- Run regular vulnerability assessments and attack-path analysis: Automated vulnerability assessments and attack-path solutions help identify misconfigured resources and potential escalation paths prior to the attacker exploiting those weaknesses. Once identified, prioritize remediation on closing the direct attack path to a high-value account(s).
- Segment networks and limit lateral movement: Use network segmentation and Least-Privileged Network Access Restrictions to prevent unauthorized access between domain controllers and administration consoles when a workstation has been compromised.
- Practice incident response and limit blast radius: Use emergency administrator accounts and conduct simulated drills for containment & recovery so that all teams respond to incidents in a timely and coordinated manner based on previously established policies/procedures.
How Lepide Helps
The Lepide Active Directory Auditing Tool enables effective monitoring, auditing, and reporting on all Active Directory states and changes including the User Password Reset and Change Attempts Report which tracks all password changes, identifying and removing inactive user accounts and the Excessive Permissions by Users reports which highlights excessive permissions.
If you’d like to see how Lepide Auditor can help to audit Active Directory changes, try Lepide for free by downloading the free trial or schedule a demo with one of our engineers.
