Attackers persistently target Active Directory because it authorises access to critical and confidential data. As organisations grow, their infrastructure becomes more complex, which makes them more vulnerable: it is harder to keep track of important system changes, events and permissions. It also becomes harder for organisations to determine where their sensitive data is located and which security policy is most suitable for protecting it.
The Lepide checklist:
1. Security Groups
Members of security groups such as Domain Admins, Enterprise Admins and Schema Admins are granted the highest level of privilege in an Active Directory environment. An attacker or malicious insider who gains membership of one of these groups has free rein over your AD environment and your critical data. Membership of these groups should be reviewed regularly, including members who arrive indirectly through nested groups.
2. Inactive User Accounts
Inactive user accounts present a serious security risk to your Active Directory environment: they are often used by rogue administrators and attackers to gain access to critical data without arousing suspicion, because nobody is watching an account that nobody uses. It is always a good idea to disable inactive user accounts and move them to a separate OU. You can keep track of inactive user accounts with PowerShell, although this requires scripting skills and some care with how Active Directory records last-logon times. A simpler solution is to use our Active Directory Cleanup feature. It shows admins a complete list of inactive user accounts, which they can organise by last logon date, OU or user type. You can select which accounts to manage and automate account actions, such as moving inactive accounts to a different OU, resetting their passwords or deleting the accounts altogether. If you are using our LepideAuditor suite, you need not worry about account deletions, as deleted accounts can be easily restored if and when required.
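The PowerShell route mentioned above, as an added example that is not Lepide's code: it finds enabled user accounts with no logon in the last 90 days, reports them, and (once `-WhatIf` is removed) disables them and moves them to a quarantine OU. It assumes the ActiveDirectory RSAT module; the quarantine OU name is an assumption to change for your domain.

```powershell
# Added example, not Lepide's code: find enabled user accounts with no logon in the
# last 90 days, report them, then (once -WhatIf is removed) disable them and move them
# to a quarantine OU. Assumes the ActiveDirectory RSAT module; the OU below is assumed.
Import-Module ActiveDirectory

$InactiveDays = 90
$QuarantineOU = 'OU=Disabled Users,DC=example,DC=com'   # assumed OU, change for your domain
$cutoff       = (Get-Date).AddDays(-$InactiveDays)

# Search-ADAccount evaluates lastLogonTimestamp, which is replicated but only refreshed
# about every 14 days, so a 90-day window is reliable while a 7-day one would not be.
$candidates = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet, whenCreated

# Accounts created inside the window have simply never logged on yet; leave them out.
$inactive = $candidates | Where-Object { $_.whenCreated -lt $cutoff }

$inactive |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, whenCreated, DistinguishedName |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

# Record where the account came from so the move can be reversed, then disable and
# quarantine. Remove -WhatIf after reviewing the report above.
foreach ($user in $inactive) {
    $note = 'Disabled {0:yyyy-MM-dd} (inactive {1}+ days); was in {2}' -f (Get-Date), $InactiveDays, $user.DistinguishedName
    Set-ADUser        -Identity $user -Description $note -WhatIf
    Disable-ADAccount -Identity $user -WhatIf
    Move-ADObject     -Identity $user -TargetPath $QuarantineOU -WhatIf
}
```

Service accounts that authenticate only with Kerberos tickets or through certain legacy paths may not refresh lastLogonTimestamp, so review the report for known service accounts before letting the loop run for real.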
3. Local Administrators
It is very important for organisations to know what local administrators are doing, and how their access was granted. When granting local administrator rights, follow the principle of least privilege: grant them through a purpose-specific domain group rather than to individual users, and never to broad groups such as Domain Users. We offer a free Local User Management Tool which allows admins to manage local user accounts on machines in any domain, including password resets and enabling or disabling local user accounts.
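An added example, not Lepide's tool, that inventories the local Administrators group across a set of servers and shows how each member got there (a domain group, a directly granted domain user, or a local account). It assumes WinRM is enabled, that you hold admin rights on the targets, and that the hostnames are placeholders.

```powershell
# Added example, not Lepide's tool: list the members of the local Administrators group
# on a set of servers and show how each one got there. Assumes WinRM is enabled and
# you hold admin rights on the targets; the server names are placeholders.
$Servers = 'FS01', 'APP01', 'SQL01'   # assumed hostnames

$report = Invoke-Command -ComputerName $Servers -ErrorAction Continue -ScriptBlock {
    # Get-LocalGroupMember ships with Windows Server 2016+ / Windows 10+.
    # Orphaned SIDs from deleted accounts can make it error; keep going when that happens.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{
            Server      = $env:COMPUTERNAME
            Member      = $_.Name              # e.g. CORP\ServerAdmins or FS01\backupsvc
            ObjectClass = $_.ObjectClass       # User or Group
            Source      = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        }
    }
}

# Grants that bypass group-based least privilege are the ones to question:
# a domain user added directly, or an extra local account besides the built-in Administrator.
$report |
    Select-Object Server, Member, ObjectClass, Source,
        @{ n = 'Review'; e = {
            ($_.ObjectClass -eq 'User' -and $_.Source -eq 'ActiveDirectory') -or
            ($_.Source -eq 'Local' -and $_.Member -notlike '*\Administrator') } } |
    Sort-Object Review -Descending, Server, Member |
    Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new direct grant appearing on one server is exactly the kind of change that should trigger a question.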
4. Plaintext Passwords
Group Policy Preferences (GPP) can create local user accounts and set their passwords, including the local Administrator password, and push the result to every machine a GPO applies to. This is the weakness addressed by MS14-025: the password is stored as a cpassword attribute in XML files under SYSVOL, which every domain user can read, and the AES key used to encrypt it was published by Microsoft, so any domain user can recover the plaintext without elevated rights. Because the same local password is typically set on many machines, one disclosure can have sweeping repercussions across the network. The patch stopped new passwords being set this way but did not remove existing ones, so sysadmins need a means of finding and reporting the cpassword entries that remain.
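An added example, not Lepide's code, that scans SYSVOL for Group Policy Preference items that still carry a cpassword attribute. It reads only and decrypts nothing. It assumes the ActiveDirectory module, the GroupPolicy module for friendly GPO names (it falls back to the GUID), and read access to SYSVOL, which every domain user has.

```powershell
# Added example, not Lepide's code: find Group Policy Preference XML files in SYSVOL
# that still carry a cpassword attribute. Reads only; decrypts nothing.
# Assumes the ActiveDirectory module (and GroupPolicy for friendly GPO names)
# and read access to SYSVOL, which every domain user has.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$sysvol = "\\$domain\SYSVOL\$domain\Policies"

# GPP item types that can embed an account password. Groups.xml (local users) is the
# usual offender; services, scheduled tasks, drive maps and data sources can carry one too.
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'Drives.xml', 'DataSources.xml', 'Printers.xml'

$findings = Get-ChildItem -Path $sysvol -Recurse -Include $gppFiles -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    [xml]$xml = Get-Content -LiteralPath $file.FullName -Raw
    # The GPO GUID is the folder directly under Policies\
    $gpoGuid = (($file.FullName -split '\\Policies\\')[1] -split '\\')[0]
    $gpoName = $( try { (Get-GPO -Guid $gpoGuid.Trim('{}') -ErrorAction Stop).DisplayName } catch { $gpoGuid } )
    # Every element with a cpassword attribute, whatever the item type
    foreach ($props in $xml.SelectNodes('//*[@cpassword]')) {
        # The attribute naming the account differs per item type
        $account = @($props.userName, $props.accountName, $props.runAs) | Where-Object { $_ } | Select-Object -First 1
        [PSCustomObject]@{
            GPO       = $gpoName
            Account   = $account
            HasSecret = -not [string]::IsNullOrEmpty($props.cpassword)
            Changed   = $props.ParentNode.changed
            File      = $file.FullName
        }
    }
}

if ($findings) {
    $findings | Format-Table GPO, Account, HasSecret, Changed, File -AutoSize
    Write-Warning "$(@($findings).Count) GPP item(s) still carry a cpassword. Delete the preference item (do not just blank the password) and rotate the accounts involved."
} else {
    Write-Host "No cpassword attributes found under $sysvol"
}
```

Treat every hit as already compromised: assume the password has been read, rotate it on every machine the GPO reached, and remove the preference item so SYSVOL no longer carries it.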
5. Domain Controller (DC) Logon Rights
It is very important that sysadmins can audit who logs on to a Domain Controller, because anyone with an interactive session on a DC is in a position to reach every credential in the domain. This is a common blind spot: organisations focus on the Enterprise Admins and Domain Admins groups and forget that other groups may hold logon rights to Domain Controllers through user rights assignments such as "Allow log on locally" or "Allow log on through Remote Desktop Services".
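An added example, not Lepide's code, that summarises interactive and Remote Desktop logons to a Domain Controller from its Security log (event 4624), so the list of people who actually log on can be compared with the list of people who are supposed to. It assumes you run it on the DC or point `-ComputerName` at one, and that success auditing for Logon events is enabled, which is the default on DCs.

```powershell
# Added example, not Lepide's code: summarise interactive and remote-desktop logons to a
# domain controller from its Security log (event 4624). Assumes you run it on the DC
# (or use -ComputerName) and that "Audit Logon" success auditing is enabled (DC default).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30
)

# Logon types that mean a person (or a tool acting as one) has a session on the box.
$interactiveTypes = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # Read named fields from the event XML; numeric property indexes vary by OS build.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $type = [int]$d['LogonType']
    if (-not $interactiveTypes.ContainsKey($type)) { continue }
    # Skip machine accounts and the built-in SYSTEM / LOCAL SERVICE / NETWORK SERVICE logons
    if ($d['TargetUserName'] -match '\$$' -or $d['TargetUserSid'] -in @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')) { continue }
    [PSCustomObject]@{
        Time      = $e.TimeCreated
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = $interactiveTypes[$type]
        SourceIP  = $d['IpAddress']
    }
}

# Who logged on, how often, how, and from where
$logons |
    Group-Object User |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count,
        @{ n = 'LogonTypes'; e = { ($_.Group.LogonType | Sort-Object -Unique) -join ',' } },
        @{ n = 'Sources';    e = { ($_.Group.SourceIP  | Sort-Object -Unique) -join ',' } },
        @{ n = 'Last';       e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Every user in the output should be explainable by membership of a group you expect to see on a DC; anyone else either holds a logon right on the Default Domain Controllers Policy by mistake or is reaching it through a group nobody noticed.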
6. LSASS Protection
The Local Security Authority Subsystem Service (LSASS) holds the credentials of every account that has logged on to a machine: NT hashes, Kerberos tickets and, in some configurations, plaintext passwords. With local administrator rights, an attacker can use a tool such as Mimikatz to read LSASS memory, extract those credentials and reuse them against any asset they are valid for. Mitigations include running LSASS as a Protected Process Light (the RunAsPPL setting), enabling Credential Guard, and keeping local administrator rights to a minimum, since reading LSASS requires them.
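An added example, not Lepide's code, that reports whether LSASS is running as a Protected Process Light and whether Credential Guard is active, and can switch on LSA protection audit mode or enforcement. The registry paths, values and event IDs are Microsoft's documented ones; enforcement only takes effect after a reboot. Run it elevated.

```powershell
# Added example, not Lepide's code: report whether LSASS runs as a Protected Process
# Light (RunAsPPL) and whether Credential Guard is running, and optionally turn on
# LSA protection audit mode or enforcement. RunAsPPL takes effect after a reboot.
param(
    [switch]$EnableAuditMode,   # log what would be blocked without enforcing
    [switch]$Enable             # enforce; reboot required
)

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Get-LsassProtectionStatus {
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # Credential Guard is reported by the DeviceGuard CIM class:
    # 1 in SecurityServicesRunning is Credential Guard, 2 is HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # The registry only says what was requested. Wininit logs event 12 in the System log
    # at boot when LSASS actually started protected, so check for one since the last boot.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $started  = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        RunAsPPL          = $( switch ($runAsPpl) { 1 { 'Enabled' } 2 { 'Enabled (UEFI lock)' } default { 'Not configured' } } )
        LsassStartedAsPPL = [bool]($started -and $started.TimeCreated -gt $lastBoot)
        CredentialGuard   = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
        AuditMode         = (Get-ItemProperty -Path $ifeoKey -Name AuditLevel -ErrorAction SilentlyContinue).AuditLevel -eq 8
    }
}

Get-LsassProtectionStatus

if ($EnableAuditMode) {
    # Audit mode writes events 3065/3066 to Microsoft-Windows-CodeIntegrity/Operational
    # for each LSA plug-in or driver that would fail to load under protection.
    New-Item -Path $ifeoKey -Force | Out-Null
    Set-ItemProperty -Path $ifeoKey -Name AuditLevel -Value 8 -Type DWord
    Write-Host 'LSA protection audit mode set; review CodeIntegrity events 3065/3066 before enforcing.'
}
if ($Enable) {
    Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Value 1 -Type DWord
    Write-Warning 'RunAsPPL set; reboot, then confirm Wininit event 12 appears in the System log.'
}
```

Run audit mode first on any server with third-party authentication packages or smart-card middleware: an unsigned LSA plug-in that worked yesterday will silently stop loading once protection is enforced.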
7. Password Status
Having an effective password policy is crucial to the security of your organisation. Passwords that are rarely or never changed give an attacker who has stolen one (from a breach, a phishing page or an LSASS dump) an indefinite window in which to use it, so the domain password policy should expire passwords after a set period, and accounts flagged "password never expires" should be reviewed and justified. Note that current guidance (NIST SP 800-63B) puts more weight on length, screening against known-breached passwords and multi-factor authentication than on frequent forced rotation, so pair any expiry rule with those controls. The Lepide User Password Expiration Reminder is a useful tool which automatically reminds Active Directory users when their passwords are close to their expiry date.
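An added example, not Lepide's code, that reports enabled accounts whose password never expires, was never set, is flagged as not required, or is older than the maximum age that actually applies to that account (domain default or a fine-grained policy). It assumes the ActiveDirectory module.

```powershell
# Added example, not Lepide's code: report enabled accounts whose password never expires,
# was never set, is not required, or is older than the policy that applies to them.
# Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy
$maxAge = $policy.MaxPasswordAge
if ($maxAge -eq [TimeSpan]::Zero) { Write-Warning 'The default domain policy sets no maximum password age' }

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires, PasswordNotRequired, 'msDS-ResultantPSO', LastLogonDate

$report = foreach ($u in $users) {
    # A fine-grained password policy (PSO) overrides the domain default; use the effective one.
    $effectiveMaxAge = $maxAge
    if ($u.'msDS-ResultantPSO') {
        $effectiveMaxAge = (Get-ADFineGrainedPasswordPolicy -Identity $u.'msDS-ResultantPSO').MaxPasswordAge
    }
    $age = if ($u.PasswordLastSet) { (Get-Date) - $u.PasswordLastSet } else { $null }

    # First matching condition wins; most severe first.
    $issue = switch ($true) {
        ($u.PasswordNotRequired)       { 'PASSWD_NOTREQD set: blank password allowed'; break }
        ($null -eq $u.PasswordLastSet) { 'Password never set / must change at next logon'; break }
        ($u.PasswordNeverExpires)      { 'Password never expires'; break }
        ($effectiveMaxAge -gt [TimeSpan]::Zero -and $age -gt $effectiveMaxAge) { 'Older than policy maximum'; break }
        default                        { $null }
    }
    if ($issue) {
        [PSCustomObject]@{
            User            = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet
            AgeDays         = if ($age) { [int]$age.TotalDays } else { $null }
            PolicyMaxDays   = [int]$effectiveMaxAge.TotalDays
            LastLogon       = $u.LastLogonDate
            Issue           = $issue
        }
    }
}

$report | Sort-Object Issue, AgeDays -Descending | Format-Table -AutoSize
```

"Password never expires" on a service account is common and sometimes unavoidable; the point of the report is that each such account is known, owned and, where possible, moved to a group-managed service account, not that the flag is cleared blindly.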
8. Nested Groups
It is common for administrators to nest groups inside other groups as a quick way of organising membership. Nesting makes it harder to work out who actually has access to what, and why: a user three levels down is still an effective member of the top group, with all of its rights. You need to be able to identify which groups contain the most nested groups, how many levels deep the nesting goes, and who each privileged group's effective members are. It is also important to know who made each group membership or Group Policy change, what changed, where and when.
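An added example, not Lepide's code, covering both the Security Groups item above and this one: it expands the most privileged AD groups through every level of nesting, records the chain by which each account got in, and reports the nesting depth and effective member count per group. It assumes the ActiveDirectory module.

```powershell
# Added example, not Lepide's code: expand the most privileged AD groups through every
# level of nesting, recording the chain by which each account got in and how deep the
# nesting goes. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# The three groups from the checklist, plus the built-in groups that can reach the
# same level of control.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

function Expand-GroupMembership {
    param(
        [Parameter(Mandatory)] $Group,   # name, DN or SID of the group to expand
        [string[]]$ChainDn   = @(),      # DNs of the groups above this one (cycle guard)
        [string[]]$ChainName = @()
    )
    $g = Get-ADGroup -Identity $Group -Properties member
    # A group nested inside itself, directly or via a loop, would recurse forever.
    if ($g.DistinguishedName -in $ChainDn) { return }
    $dnChain   = $ChainDn   + $g.DistinguishedName
    $nameChain = $ChainName + $g.Name

    foreach ($dn in $g.member) {
        $m = Get-ADObject -Identity $dn -Properties sAMAccountName, userAccountControl
        if ($m.ObjectClass -eq 'group') {
            Expand-GroupMembership -Group $m.DistinguishedName -ChainDn $dnChain -ChainName $nameChain
        } else {
            [PSCustomObject]@{
                TopGroup = $nameChain[0]
                # Foreign security principals from trusted domains have no sAMAccountName
                Member   = if ($m.sAMAccountName) { $m.sAMAccountName } else { $m.Name }
                Class    = $m.ObjectClass
                Disabled = [bool]($m.userAccountControl -band 2)   # ACCOUNTDISABLE flag
                Depth    = $ChainDn.Count                           # 0 = direct member of TopGroup
                Via      = $nameChain -join ' > '
            }
        }
    }
}

$members = foreach ($grp in $PrivilegedGroups) { Expand-GroupMembership -Group $grp }

# Full listing, then one line per group: effective members, deepest chain, nested groups
$members | Sort-Object TopGroup, Depth, Member | Format-Table TopGroup, Member, Class, Disabled, Depth, Via -AutoSize
$members | Group-Object TopGroup | ForEach-Object {
    [PSCustomObject]@{
        Group        = $_.Name
        Members      = @($_.Group.Member | Sort-Object -Unique).Count
        MaxDepth     = ($_.Group.Depth | Measure-Object -Maximum).Maximum
        NestedGroups = @($_.Group | Where-Object Depth -gt 0 | ForEach-Object { ($_.Via -split ' > ')[1] } | Sort-Object -Unique).Count
    }
} | Format-Table -AutoSize
```

One gap to know about: the `member` attribute does not list accounts whose primary group is the group in question (an old trick for hiding a Domain Admin), so also run `Get-ADGroupMember -Recursive` once for each group and compare the two lists; that cmdlet does include primary-group members but does not tell you the chain.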
9. Open Access
It is common for well-known security principals such as Everyone, Authenticated Users and Domain Users to be used to grant access to network resources such as file shares, which often gives far more users access than was intended. Because these principals cover every account in the domain, an attacker only needs to compromise any one of a large number of accounts to reach the resource, and the weakest account is usually the one they get.
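An added example, not Lepide's code, that lists grants to these broad principals on the SMB shares of a file server at both the share and NTFS layers and flags the ones that allow more than reading. It assumes admin rights on the server; the hostname is a placeholder.

```powershell
# Added example, not Lepide's code: list grants to broad well-known principals on the
# SMB shares of a file server (share and NTFS layers) and flag those beyond read.
# Assumes admin rights on the server; the hostname is a placeholder.
param([string]$Server = 'FS01')

# Principals that effectively mean "any domain account". Domain-qualified names use a
# wildcard so the script is not tied to one NetBIOS domain name.
$BroadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                   '*\Domain Users', '*\Domain Computers'

$findings = Invoke-Command -ComputerName $Server -ArgumentList (, $BroadPrincipals) -ScriptBlock {
    param([string[]]$Broad)
    function Test-Broad([string]$Identity) {
        foreach ($p in $Broad) { if ($Identity -like $p) { return $true } }
        return $false
    }
    # Anything beyond reading: create, modify or delete content, or change the ACL itself.
    $ntfsWriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

    # Skip C$, ADMIN$, IPC$ and the like; look at the shares users actually map.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        # Share-level permissions: Read, Change or Full
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-Broad $_.AccountName) } |
            ForEach-Object {
                [PSCustomObject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'Share'
                    Principal = $_.AccountName; Rights = "$($_.AccessRight)"
                    Write = ($_.AccessRight -ne 'Read')
                }
            }
        # NTFS permissions on the share root
        (Get-Acl -LiteralPath $share.Path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-Broad $_.IdentityReference.Value) } |
            ForEach-Object {
                [PSCustomObject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                    Principal = $_.IdentityReference.Value; Rights = "$($_.FileSystemRights)"
                    Write = (($_.FileSystemRights -band $ntfsWriteMask) -ne 0)
                }
            }
    }
}

# Effective access is the more restrictive of the two layers: Everyone:Full at the
# share level is only as open as the NTFS ACL beneath it, and vice versa.
$findings | Sort-Object Share, Layer, Principal |
    Format-Table Share, Layer, Principal, Rights, Write -AutoSize
```

The script only inspects the share root; subfolders with their own explicit ACLs need a recursive `Get-Acl` pass, which on a large file server is best run from a separate, throttled job.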
10. Server Logon Rights
Local security policy on a server is controlled by Group Policy through a number of user rights assignments, including:
- Allow log on locally
- Log on as a batch job
- Allow log on through Remote Desktop Services
- Log on as a service
These assignments decide who can obtain a session on the server and in what form. If they are granted broadly, for example to Domain Users or Authenticated Users, non-administrators can perform functions that are normally restricted to administrators, and an attacker holding any domain account can log on to the server and harvest the credentials and other sensitive data cached there. The assignments should be analysed, restricted and audited, and any principal that cannot be explained should be removed.
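An added example, not Lepide's code, that exports the user rights assignments in effect on a server (local policy plus applied GPOs) with the built-in `secedit.exe`, keeps the logon-related ones, and resolves the SIDs to names so each grant can be reviewed. Run it elevated; run it on a Domain Controller to check the DC logon rights item above as well.

```powershell
# Added example, not Lepide's code: dump the logon-related user rights assignments in
# effect on this server (local policy plus applied GPOs) via secedit.exe and resolve
# the SIDs to names. Run elevated.
$rightsOfInterest = @{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
    SeServiceLogonRight           = 'Log on as a service'
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeDebugPrivilege              = 'Debug programs'   # not a logon right, but it is what opens LSASS
}

$tmp = Join-Path $env:TEMP "ura_$PID.inf"
# /areas USER_RIGHTS limits the export to the [Privilege Rights] section
& secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
$content = Get-Content -LiteralPath $tmp
Remove-Item -LiteralPath $tmp -Force

function Resolve-Sid([string]$sidOrName) {
    # secedit writes SIDs as *S-1-5-32-544 and leaves well-known names as they are
    if ($sidOrName -like '*S-1-*') {
        $sid = $sidOrName.TrimStart('*')
        try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { "$sid (unresolved: deleted account still holds the right)" }
    } else {
        $sidOrName
    }
}

$report = foreach ($line in $content) {
    # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest.ContainsKey($matches[1])) {
        $right = $matches[1]
        foreach ($p in ($matches[2] -split ',')) {
            if ($p.Trim()) {
                [PSCustomObject]@{
                    Right     = $rightsOfInterest[$right]
                    Constant  = $right
                    Principal = Resolve-Sid $p.Trim()
                }
            }
        }
    }
}

$report | Sort-Object Right, Principal | Format-Table -AutoSize
```

On a member server the defaults include BUILTIN\Users for "Allow log on locally" and "Access this computer from the network"; on a Domain Controller the Default Domain Controllers Policy is the source, and anything beyond Administrators and a small set of built-in operator groups for the interactive and RDP rights is worth questioning.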
If you haven’t already done so, make sure that you are using a comprehensive suite of Active Directory auditing tools. It is crucial that you have a set of tools which allow you to keep track of critical changes and provide real-time threshold alerting to inform you about such changes as they happen.