Active Directory Security outlook

-




Active Directory is essential to any Microsoft network built on the client-server network model. It provides a simplified query for administrators and users to manage resources, sites, services, and users on a network
Active Directory was first provided in Microsoft Windows 2000. It is often managed and controlled through the MMC (Microsoft Management Console).
In this post, I will be discussing the most common Active Directory Security issues.

Before we begin, lets get familiar with some Active Directory concepts.

Domain
A domain is basically a set of resources, like users, passwords, printers, etc which are managed by a domain controller. The key benefit of this is the fact that any user that is in the system can login to the arbitrary machine in the network with the same username and password. In a Windows environment, all the information is stored in an Active Directory (AD).

Domain Controller
A domain controller (DC) or network domain controller is a Windows-based computer system that is used for storing user account data in a central database. A domain controller in a computer network is the centrepiece of the Active Directory services that provides domain-wide services to the users, such as security policy enforcement, user authentication, and access to resources [2].
Domain controllers can greatly simplify the administration, since we can use it to grant or deny access to resources in the network, such as printers, documents, and shared folders, with one single user account. By using the domain controller, a user can also get access to his personal resources like files on a Desktop from anywhere in the network; all he has to do is login with his existing user account.

With that being said, let us now take a look at the Security /Risk concerns common with Active Directory


1. Numerous Domain Admins

By default, Domain Admins group members have full administrative rights on all workstations, servers, Domain Controllers, Active Directory, Group Policy etc. This is too much power for any account in an organization. Only Active Directory Administrators require Domain Admins privileges. Whoever is not actively managing Active Directory, should not be in Domain Admins group. Delegations must be used if in case someone need to work on specific part of the Active Directory. Also service accounts should not be in this group.

2. Delegated Access are not tracked
Default groups in Active Directory provide too much privileges. Ensure you know the function of the default group before granting it to any user.

3. Service Accounts with short password and over-permissioned
I have seen many times when vendor simply ask for Domain Admins rights for its service account which is actually may not be needed at all. Hackers are fond of privileged accounts and specially loves service accounts because it is less attentive. Additional privileges to service accounts can be used maliciously to escalate privilege on network. It should be noted that service accounts credentials are in protected memory of LSASS process, thus an attacker can easily extract that password which may lead to compromise.
Another mitigation against Kerberos brute force attack (offline) is to use the password longer than 15 characters. This can be achieved by configuring the fine grained password policy for service accounts.

4. Using credential in Group Policy Preferences (GPP)
Windows 2008 came out with Group Policy Preferences which provide additional functionality to system administrators. They can manage local accounts and credential, local groups and  schedule task etc. This has created a big issue because encrypted credentials are stored in XML file which are located in SYSVOL share. This share can be access from any domain joined systems. If the credential is already configured in GPP, remove it immediately. Delete the XML files from the SYSVOL. Microsoft also release the patch MS14-068 to address this vulnerability which remove the functionality to manage credentials.

5. Unpatched Servers and workstations
Regular patching of servers have been an issue in many organization. Records have consistently proven that the vulnerabilities exploited were successful as a result of servers that have not been patched for more than a year. Patching is the most critical for maintaining the security of the systems. Its is actually not realistic having a system not patched for months when a vendor released a patch. Unpatched systems provide the ability to attackers to gain privileged access to the systems.
see this link to learn more 


6. Unmanaged Admin group membership
Most of the time group membership keep increasing. Admin groups especially in Active Directory need to be monitored and scrutinized closely. Some of them, Domain Admins, Administrators group, Account Operators, and any other user-created group which provide privileged access to systems, if not monitored can be a serious cause for concern.

7. Local administrator account password is same across the network
Local account is used to logon to the system when Active Directory is not available. Most of the time, system administrators build servers with the same password for local administrator account. It may happen that all systems will have the same password for local administrator account. If the account is hacked, this will provide the access to all the system, making life easy for hackers. Therefore, each system must have unique password for its local administrator password. There are many software available that will not only manage the unique password but also rotate them on regular basis.

8. Unmanaged inactive user and computer accounts
Enabled redundant/inactive accounts in Active Directory always attract the attackers because it can be leveraged to get access to resources without being noticed. There are few different ways to take control of the account, since it is inactive, most probably the usage will not be noticed. We should have a plan to deal with inactive users accounts.

9. No isolation for highly privileged accounts and systems
pass-the-Hash attack is the perfect example for such type of environment where same privilege account is being used to logon to servers, domain controllers and workstations. We have been talking about this attack for so many years but still organizations are lacking behind. Imagine if the malware get onto computers inside the network. Attackers using this malware will search for the credentials to steal and re-use it. if the privileged accounts logon to various computers, those credential on the system can be stolen. It is important that all highly privileged accounts must be isolated. Domain Admins account must not be used to logon to workstation and member servers. Regular accounts must not be given administrative level of privileges on any system, rather separate accounts must be created for admin level of work.

Comments

Post a Comment

Popular posts from this blog

Auditing Virtualization

-
Image
Virtualization is the process of creating virtual, representation of an entity, such as virtual applications, servers, storage and networks. It is the single most effective way to reduce IT expenses by reducing hardware footprint while boosting efficiency and agility for all size businesses. However good as it is, virtualization can create a single point of failure if poor implementation introduced a security flaw to the system. In this post I will be sharing with you how to audit virtualization.
Read more

How to Identify if the capacity of your FLASH storage device is genuine or counterfeit

-
Image
Have you at some time purchased a flash drive  or memory card that always stored corrupt data? You paid for a 64gig memory card and all you stored in it is simply just got corrupted. I have been a victim several times even with reputable retailers. These counterfeit flash storages are low capacity in nature, devices that have been maliciously altered so that they appear to have much more capacity than its original. An example is the 64 gig memory card I purchased which ended up having actual capacity of 2gig. So I actually paid for 2gig. Now I didn't get to know this on time because I actually copied a video file inside it as a test which checked out fine. The video file size was 1.5gb. I was able to play the video with no issue of corruption. Thus I "Assumed" the flash was genuine. Boy was I wrong. Later in the week I decided to do a major backup of my mobile phone since I was purchasing another one. After the backup, I formatted ...
Read more

Address Resolution Protocol (ARP): Understanding the basics

-
Image
Address resolution Protocol or ARP for short is basically used to resolve an IP address to a MAC address. A MAC address is a unique identifier for any device. And since we are talking networking today, The mac address we will be concentration on is that of a network device. Its important to note that, no two device can have the same mac address. Whenever a network device needs to communicate with another network device in a Local Area Network, it needs the MAC address of that device. This is where ARP comes to play. Lets take a look at the scenario bellow to clearly understand this concept: 1. There are 2 computers say A and B on the network. 2. They have both been assigned an IP address as seen below:        A: 192.168.0.1        B: 192.168.0.2 3. Computer A needs to communicate with computer B. 4. It looks at a list for the IP address to see if it has a corresponding MAC address. This list is called an ARP Cache. 5. If the en...
Read more