Active Directory is used by approximately 90% of organizations, yet keeping your AD secure still presents a significant challenge due to the large amounts of critical data that it handles. According to a recent security assessment of Active Directory carried out by Skyport Systems, poor visibility and weak passwords are the leading causes of Active Directory security breaches.
The problems arise as sysadmins struggle to keep track of who has – and who should have – administrative rights to what data. After all, should a rogue employee gain access to an account with elevated rights, they could easily enable and disable certain controls that will compromise the security of Active Directory. Skyport also found that more than 50% of companies allow their administrators to use the same account for AD configuration as they would for accessing other non-critical services.
Hackers often gain access to Active Directory through unpatched legacy applications that have known security vulnerabilities. Once they gain access to the system, they can elevate their privileges and begin to wreak havoc. However, it is more often the case that user credentials are obtained via phishing attacks, which may be targeted, in an attempt to obtain specific information, or simply opportunistic, to see what credentials can be harvested.
In the event of a data breach, there will be a very high chance that the attacker will have changed something in your Active Directory. In some cases, it will be easier and safer to simply rebuild AD from scratch. For example, if an attacker breaks in and creates thousands of accounts with elevated privileges, it will be very hard to safely remove these accounts and restore the system to a secure state.
Weak passwords present a huge security risk for Active Directory. AD acts as a front door to large amounts of sensitive data, and thus represents a “single point of failure.” As you might expect, Active Directory credentials are keenly sought after by cyber-criminals. As previously mentioned, they are usually obtained through social engineering or phishing attacks. However, such methods are often unnecessary, as AD passwords are often weak, despite being encrypted. There are a number of freely available tools that can easily crack weak passwords.
Additionally, it is sometimes the case that users store an unencrypted copy of their password on their device, which can be found by an attacker.
How can you Better Secure your Active Directory?
It is crucial that your organisation knows exactly who has access to what data, and when. That way, if you notice that you have users with unnecessary access to sensitive data, you can address that potential weakness in your security. Of course, you will also need a way to accurately identify excessive access rights and be able to revoke those rights in a timely manner. By doing this, you can ensure that you are following a policy of least privilege, where your users only have access to the data they need in order to do their job. For this to be possible, you need to know who has permissions to what and be alerted whenever critical permission changes take place. Essentially, better visibility through continuous and proactive auditing is the key to better Active Directory security.
While Active Directory does provide tools for native auditing, the logs that are produced contain a lot of noise, and it can be very difficult to extract any meaningful information from them. Additionally, if you want to generate any reports from the data, you will be required to do this manually, which takes time, knowledge and effort.
In most cases, you would be better off using a specialised solution which aggregates the log data and presents it in a meaningful format via a centralised pane.
LepideAuditor will give you much more visibility over Active Directory permissions than what you would get using the native auditing tools. It will provide a summary of how permissions are granted, and when they change. It will also automatically generate alerts and reports when users are added to privileged security groups. Likewise, it can detect user account modification/deletion, which can help to ensure that user accounts aren’t being created without good reason. This enables you to maintain responsible levels of access and reduce risks of account abuse.
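As an added illustration of the alerting described in this section and in the auditing discussion above (this is example code written for this article, not LepideAuditor's or any product's logic), here is a small Python triage routine run over constructed Windows Security log records. The event IDs are the standard ones Windows emits for group-membership and account-lifecycle changes; the privileged-group list, severity levels and the mass-creation threshold are assumptions you would tune for your own domain.

```python
"""Triage Windows Security events for privileged-group and account changes."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Standard Windows Security event IDs: member added to a security-enabled group.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
# Account lifecycle events worth tracking (created / deleted / changed).
ACCOUNT_EVENTS = {4720: "account created", 4726: "account deleted", 4738: "account changed"}
# Assumed tier-0 groups: any membership change here should page someone.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


@dataclass
class Alert:
    severity: str
    event_id: int
    actor: str      # SubjectUserName: who made the change
    summary: str


def triage(event: dict) -> Optional[Alert]:
    """Return an Alert for a record worth escalating, or None for noise."""
    eid = event["EventID"]
    actor = event.get("SubjectUserName", "?")
    if eid in GROUP_ADD_EVENTS:
        group, member = event["TargetUserName"], event["MemberName"]  # group events: TargetUserName is the group
        if group in PRIVILEGED_GROUPS:
            return Alert("high", eid, actor, f"{member} added to privileged group {group}")
        return Alert("low", eid, actor, f"{member} added to {group}")
    if eid in ACCOUNT_EVENTS:
        return Alert("medium", eid, actor, f"{ACCOUNT_EVENTS[eid]}: {event['TargetUserName']}")
    return None


def triage_all(events) -> list:
    return [a for a in map(triage, events) if a is not None]


def account_creation_burst(events, threshold: int) -> dict:
    """Actors who created more than `threshold` accounts in this batch (mass-creation check)."""
    counts = Counter(e["SubjectUserName"] for e in events if e["EventID"] == 4720)
    return {actor: n for actor, n in counts.items() if n > threshold}


# Constructed sample records; field names mirror the Security log's EventData.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},  # ordinary logon: noise
    {"EventID": 4728, "SubjectUserName": "svc_helpdesk", "TargetUserName": "Domain Admins", "MemberName": "CN=tmp01,CN=Users,DC=corp,DC=example"},
    {"EventID": 4732, "SubjectUserName": "jdoe", "TargetUserName": "Helpdesk Staff", "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example"},
    {"EventID": 4720, "SubjectUserName": "svc_helpdesk", "TargetUserName": "tmp01"},
    {"EventID": 4720, "SubjectUserName": "svc_helpdesk", "TargetUserName": "tmp02"},
]

if __name__ == "__main__":
    for a in triage_all(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.event_id} by {a.actor}: {a.summary}")
    print("mass creation:", account_creation_burst(SAMPLE_EVENTS, threshold=1))
```

In production the records would come from the Security log (for example via Get-WinEvent) rather than an inline list, and the helpdesk account adding itself to Domain Admins is the kind of change the text says you want alerted immediately.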
LepideAuditor can detect and manage inactive user accounts and automate the process of reminding users to reset passwords. This last point is very important, as people often use the same passwords for a number of different accounts – both personal and work related. Naturally, they do this to avoid having to remember lots of different passwords. However, should a website or application that stores user credentials get compromised, the stolen credentials could be used to compromise other accounts that have access to critical data.
By automating the process of reminding users to reset passwords, it forces them to use a different password than what they would otherwise use by default. Additionally, regularly rotating passwords means that hackers have less time to crack the passwords using brute-force methods and limits the opportunity for hackers or ex-employees to misuse inactive user accounts.