Securing Microsoft Active Directory (AD) involves dealing with a mixed bag of risks, ranging from misconfigurations to unpatched vulnerabilities. That's why many current cyber-attacks involve a breach of Active Directory somewhere along the way.
Consultants at incident response company, Mandiant, reported that Active Directory is a common attack vector in 90% of the breaches they investigate.
Although the complete list of AD weak spots is long, one vulnerability that tops the list of fixable problems is poor authentication security. By closing this common security gap, organizations can significantly improve their overall security posture. Let's look at some of the vulnerabilities related to authentication and how to fix them.
Take Caution with Application Authentication
One common example of a risky authentication security practice arises from the need to allow access by users to corporate applications. Let’s say an organization wants to allow access to a third-party or home-grown application that doesn’t integrate with Active Directory. But that application needs to query AD for active users, enabling the app to pull in corporate user IDs – if not the passwords themselves –to use locally on the application. Application owners can be impatient when new users need to be onboarded. A simple way for a busy AD administrator to quickly make that application accessible to a user is to enable anonymous access to Active Directory.
While this action might make sense from a productivity standpoint, from a security perspective, it also allows unauthenticated users to query AD. If that capability is enabled without mitigating controls, the risk profile of the organization will increase substantially.
With anonymous access to AD enabled, intruders who access your corporate network can query Active Directory for resources without adequately authenticating.
"With anonymous access to AD enabled, intruders who access your corporate network can query Active Directory for resources without adequately authenticating"
One well-known risk that could arise is Zerologon, first reported in 2020 and quickly exploited by attackers because it allows them to forge an authentication token, conduct an elevation of privilege, and then gain domain admin rights. Let’s be clear: The results of a successful Zerologon exploit could be catastrophic. Weak passwords, non-expiring passwords, no passwords – all are warning signs that an organization's AD environment is not secure.
Modern password policies should be the order of the day in an Active Directory forest. Any account with the ‘password not required’ flag set should automatically draw scrutiny. I can’t think of a reason to have this configuration.
Additionally, service account passwords should be rotated periodically. Leaving passwords weak or unchanged for lengthy periods of time increases the likelihood of a successful Kerberoasting attack, which will crack the service account’s password as attackers will have more time to take swipes at it.
"If you are feeling overwhelmed when you think about everything that might be wrong with your Active Directory security, download the free security assessment tool Purple Knight"
You are wrong if you think that everyone knows that passwords shouldn’t be easily guessable, and this problem never comes up anymore.
Tactics like password spray are still a tried-and-true tactic for cyber-criminals. You can think of password spray as an upside-down brute force attack: Instead of attacking one user with multiple potential passwords, the adversary takes a common password and attacks many users until it finds an unlucky victim with that same password.
Password spray still works like magic for cyber-criminals precisely because of lax or outdated password practices. In fact, password spray was a key factor in the devastating SolarWinds attack.
Common Authentication Security Problems
So what are the primary problems to watch for that lead to poor authentication security?
- Computers and Group Managed Service Accounts objects with passwords set over 90 days ago (these passwords should be automatically rotated)
- Reversible passwords found in Group Policy Objects
- Anonymous access to Active Directory enabled
- Unpatched Zerologon vulnerability
My last tip: If you are feeling overwhelmed when you think about everything that might be wrong with your Active Directory security, download the free security assessment tool Purple Knight. It will quickly scan your environment and uncover 70-plus indicators of exposure and compromise. You'll get a full report of what to fix, with clear priorities and additional guidance from identity experts.
Although closing up every security gap in Active Directory requires focus and commitment, the effort is well worth it because AD is a juicy target for attackers. Every weakness you can find and fix will help bolster your company's overall security posture.