Australia | Protecting Active Directory Part 2 – Near Term Wins

Joseph Cirillo - 08.10.2021

Protecting Active Directory Part 2 – Near Term Wins

In Part 1 of our series ‘Protecting Active Directory – Understanding Targeted Attacks’, we acknowledged how widely used Active Directory is and how it must be protected since critical systems and sensitive data depend on it. This article will outline several near-term, ‘quick win’ activities an organisation can implement to reduce the risk of compromise.

1. Dedicated Admin Accounts

Within Active Directory, there are three built-in groups which comprise the highest privilege groups in the directory: the Enterprise Admins group, the Domain Admins group and the built-in Administrators group.

A fourth group, the Schema Admins group, has privileges which, if abused, can damage or destroy an entire Active Directory forest; however, this group is more restricted in its capabilities than the other three.

In addition to these four groups, there are several other built-in and default accounts and groups in Active Directory, each granted rights and permissions which allow specific administrative tasks to be performed.

Users who hold elevated privileges through membership in the above groups are highly sought after by threat actors. Giving each such user a separate account used solely for elevated activities (ideally from a strongly secured, dedicated workstation) reduces the exposure created by human error and prevents cross-contamination from everyday standard end-user tasks.
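The following audit script is an added example, not part of the original article: it enumerates the four groups named above (including nested membership) and flags members that look like everyday user accounts, which are the candidates for a separate admin account. It assumes the ActiveDirectory RSAT module and a domain-joined host; the admin naming pattern is an assumption to be adjusted to your own convention.

```powershell
# Added audit script (not from the article): lists members of the four highest-privilege
# groups and flags accounts that appear to double as everyday user accounts.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

# Naming convention for dedicated admin accounts: an assumption, adjust to your own.
$AdminNamePattern = '^adm[-_]'

$PrivilegedGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators', 'Schema Admins'

$Report = foreach ($GroupName in $PrivilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so a filter (rather than -Identity) returns nothing instead of an error elsewhere.
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $Group) { continue }

    # -Recursive expands nested groups so indirect members are not missed.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.DistinguishedName -Properties mail, LastLogonDate, PasswordLastSet
            # Signs that a privileged account is also used for day-to-day work:
            # it has a mailbox, or its name does not follow the admin naming convention.
            $LooksLikeDailyUse = ([bool]$User.mail) -or ($User.SamAccountName -notmatch $AdminNamePattern)
            [pscustomobject]@{
                Group             = $GroupName
                SamAccountName    = $User.SamAccountName
                Enabled           = $User.Enabled
                HasMailbox        = [bool]$User.mail
                LastLogonDate     = $User.LastLogonDate
                PasswordLastSet   = $User.PasswordLastSet
                LooksLikeDailyUse = $LooksLikeDailyUse
            }
        }
}

$Report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
# Accounts flagged LooksLikeDailyUse are candidates for a separate, dedicated admin account.
$Report | Where-Object LooksLikeDailyUse | Export-Csv -NoTypeInformation -Path .\PrivilegedAccountReview.csv
```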

2. Local Admin Passwords

Local accounts on a computer can log on to that computer whether or not it is joined to Active Directory. Malicious actors can steal and reuse the password hashes of local admin accounts, allowing them to take control of every computer which uses a common local admin account with an identical password. One solution offered by Microsoft to mitigate this risk is the Local Administrator Password Solution (LAPS). Per Microsoft, ‘LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain.’

LAPS is an effective mitigation against privilege escalation and lateral movement. By enforcing unique, complex passwords across all local administrator accounts, an attacker who compromises one local administrator account cannot move laterally to other systems which would otherwise share the same password.
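As an added example (not from the article or from Microsoft), this coverage check finds domain computers whose LAPS-managed password is missing or expired, i.e. machines still running on whatever local admin password was imaged onto them. It assumes the ActiveDirectory module and a legacy LAPS deployment (the ms-Mcs-AdmPwd* schema attributes); Windows LAPS stores its data in msLAPS-* attributes instead, so the attribute name would need changing there.

```powershell
# Added coverage check (not from the article): finds enabled computers whose legacy LAPS
# password is missing or expired. Only the expiry timestamp is read, never the password.
# Assumes the ActiveDirectory module and the legacy LAPS schema extension.
Import-Module ActiveDirectory

$ExpiryAttr = 'ms-Mcs-AdmPwdExpirationTime'

try {
    # Requesting an attribute the schema does not have is an error: treat it as a
    # sign that LAPS has not been deployed at all rather than as zero coverage.
    $Computers = Get-ADComputer -Filter { Enabled -eq $true } `
        -Properties $ExpiryAttr, OperatingSystem, LastLogonDate -ErrorAction Stop
} catch {
    throw "Could not read $ExpiryAttr - has the LAPS schema extension been applied? $_"
}

$Now = Get-Date
$Report = foreach ($C in $Computers) {
    $Raw = $C.$ExpiryAttr
    # The attribute is a Windows FILETIME (100-ns ticks since 1601-01-01) stored as Int64.
    $Expires = if ($Raw) { [DateTime]::FromFileTimeUtc([int64]$Raw).ToLocalTime() } else { $null }
    $State = if (-not $Raw)             { 'NoLapsPassword' }
             elseif ($Expires -lt $Now) { 'Expired' }
             else                       { 'Managed' }
    [pscustomobject]@{
        Name            = $C.Name
        OperatingSystem = $C.OperatingSystem
        LastLogonDate   = $C.LastLogonDate
        PasswordExpires = $Expires
        LapsState       = $State
    }
}

$Report | Group-Object LapsState | Select-Object Name, Count | Format-Table -AutoSize
# Anything other than 'Managed' still shares whatever local admin password was imaged onto it.
$Report | Where-Object LapsState -ne 'Managed' | Sort-Object LastLogonDate -Descending |
    Export-Csv -NoTypeInformation -Path .\LapsCoverage.csv
```

An 'Expired' entry on a machine that has logged on recently usually means the LAPS client-side extension is not applying the policy there, which is worth investigating separately from stale computer objects.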

3. Admin Workstation

Workstations used by individuals with elevated access are appealing targets for attackers. A compromised privileged account will allow the attacker to impersonate the user or increase the access they have to the organisation. For this reason, each highly privileged user should limit the number of systems they log on to interactively and only perform elevated activities from a strongly secured, dedicated workstation.

Microsoft has developed the Privileged Access Workstation (PAW) model, which provides a hardened workstation configuration designed for extremely sensitive roles which, if compromised, would have a significant or material impact on the organisation.

4. Threat Detection

A solid event log monitoring system is a crucial part of any secure Active Directory design. Many Active Directory security compromises could be discovered early if an effective event log monitoring and alerting system is in place.

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution which leverages on-premises Active Directory signals to identify, detect and investigate advanced threats, compromised identities and malicious insider actions directed at an organisation.

Per Microsoft documentation, Microsoft Defender for Identity allows for the following:

  • Monitor users, entity behaviour and activities with learning-based analytics
  • Protect user identities and credentials stored in Active Directory
  • Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for fast triage

Microsoft Defender for Identity works by analysing information collected from various data sources, such as event logs, network events and domain controller traffic. It then begins to learn and profile user, device and resource behaviours using Microsoft’s machine learning technology. Once it detects a threat, it alerts and presents information on the Microsoft Defender for Identity workspace portal, including a clear view of who, what, when and how, and recommends actions for remediation. My colleague, Rahul Singh, shares more on Microsoft Defender for Endpoint here.
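The event log monitoring described at the start of this section can be started without any product: the script below is an added example (not from the article) that pulls membership changes to the four highest-privilege groups from a domain controller's Security log for the last seven days. It assumes the 'Security Group Management' audit subcategory is enabled on the DC, that the caller can read its Security log, and uses a placeholder DC name.

```powershell
# Added detection example (not from the article): reports additions to and removals from
# the highest-privilege groups using a domain controller's Security log.
# Assumes 'Audit Security Group Management' is enabled; $DC is a placeholder hostname.
$DC = 'DC01.example.local'
$PrivilegedGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators', 'Schema Admins'

# 4728/4732/4756: member added to a security-enabled global / local / universal group
# (Domain Admins is global, Administrators is domain local, the other two are universal).
# 4729/4733/4757 are the matching removals, useful for spotting clean-up after an intrusion.
$AddIds = @(4728, 4732, 4756)
$Filter = @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756, 4729, 4733, 4757
    StartTime = (Get-Date).AddDays(-7)
}

# SilentlyContinue keeps "no events found" from surfacing as an error.
$Events = Get-WinEvent -ComputerName $DC -FilterHashtable $Filter -ErrorAction SilentlyContinue

$Changes = foreach ($E in $Events) {
    # Read EventData by field name from the event XML instead of relying on positional order.
    $Data = @{}
    foreach ($D in ([xml]$E.ToXml()).Event.EventData.Data) { $Data[$D.Name] = $D.'#text' }

    # TargetUserName is the group that was modified.
    if ($Data.TargetUserName -notin $PrivilegedGroups) { continue }

    [pscustomobject]@{
        Time      = $E.TimeCreated
        Action    = if ($E.Id -in $AddIds) { 'Added' } else { 'Removed' }
        Group     = $Data.TargetUserName
        Member    = $Data.MemberName        # distinguished name of the account changed
        ChangedBy = "$($Data.SubjectDomainName)\$($Data.SubjectUserName)"
        DC        = $E.MachineName
    }
}

$Changes | Sort-Object Time -Descending | Format-Table -AutoSize
# Every row should map to an approved change request; anything else warrants an incident ticket.
```

Running this on a schedule against each domain controller (membership changes are logged only on the DC that processed them) gives a basic alerting loop until a product such as Defender for Identity is in place.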

Although threats continually evolve, the way systems and networks are managed often has not. Organisations continue with the same operations and support patterns even though internal systems are compromised regularly. The recommendations outlined in this article can serve as a starting point for Active Directory risk remediation to better protect your organisation. Achieving quick and effective wins can help you gain the upper hand in mitigating the attack techniques most attackers try first. For a deeper dive into the Secure Workplace, try our Secure Workplace Story series from Head of Advisory Services, Lee Foster.
