Australia | Protecting Active Directory Part 3 – Long Term Projects

Joseph Cirillo - 13.10.2021

Protecting Active Directory Part 3 – Long Term Projects


In Part 2 of our series ‘Protecting Active Directory – Near Term Wins’, we outlined several near-term, ‘quick win’ activities an organisation can implement to reduce the risk of compromise. This article will build on the mitigations from the previous article and move the defense into a more proactive posture.

1. Leaked Credential Protection

Many organisations are in a hybrid identity configuration with Azure Active Directory. Azure AD Connect is the Microsoft tool designed to enable hybrid identity features such as user and group object synchronization and password hash synchronization (PHS), a sign-in method which synchronizes a hash of a user’s on-premises AD password with Azure AD. My colleague Hambik Matvosian spoke about Azure AD Connect in a previous edition of his monthly Fast Track Update.

Enabling PHS also turns on leaked credential detection for your hybrid accounts. When cybercriminals compromise the valid passwords of legitimate users, they often share those credentials, typically by posting them publicly on the dark web or paste sites, or by trading and selling them on the black market. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites or other sources, they are checked against Azure AD users’ current valid credentials to find matches.

Microsoft works alongside dark web researchers and law enforcement agencies to find publicly available username/password pairs. If any of these pairs match those of your users, the associated account’s risk level is raised to high.
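The detection described above surfaces in Azure AD as risk detections of type leakedCredentials and as a raised user risk level. The following is an added example, not code from the original article, that pulls those signals through Microsoft Graph PowerShell so a defender can review them (and follow up with a password reset) rather than waiting for a user to notice. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the IdentityRiskEvent.Read.All and IdentityRiskyUser.Read.All permissions, and that the $filter expressions match the Graph riskDetection and riskyUser schemas as the author understands them.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell SDK and Identity Protection licensing; filter property names follow
# the Graph riskDetection / riskyUser resources (an assumption to verify in your
# tenant).
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'IdentityRiskEvent.Read.All', 'IdentityRiskyUser.Read.All'

# Leaked-credential detections raised in the last 30 days. These only exist for
# hybrid accounts once password hash synchronisation (PHS) is enabled.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$detections = Get-MgRiskDetection -All `
    -Filter "riskEventType eq 'leakedCredentials' and detectedDateTime ge $since"

$detections |
    Select-Object UserPrincipalName, DetectedDateTime, RiskLevel, RiskState |
    Sort-Object DetectedDateTime -Descending |
    Format-Table -AutoSize

# Users whose aggregate risk is currently 'high' and has not been remediated.
# riskState 'atRisk' excludes accounts already cleared or confirmed safe.
Get-MgRiskyUser -All -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLastUpdatedDateTime, RiskDetail |
    Format-Table -AutoSize
```

Run this on a schedule and alert on any new leakedCredentials row; a user risk policy in Identity Protection can enforce the password change automatically, but the script gives you the audit trail of who was affected and when.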

2. Enable Credential Guard on User Workstations

Earlier versions of Windows stored secrets in the Local Security Authority (LSA) process. A malicious actor who gains privileged access to an endpoint can read those secrets from LSA memory and reuse a captured hash or ticket in a Pass-the-Hash or Pass-the-Ticket attack, moving laterally within the organisation.

Windows Defender Credential Guard is a security feature in Windows 10 Enterprise and Windows Server 2016 and above which uses virtualization-based security to protect credentials. When Credential Guard is enabled, secrets are stored and protected by a new component, the ‘isolated LSA process’, which runs in the virtualization-protected environment and is isolated from the rest of the operating system, so attackers with privileged access to the host cannot query it for hashes or tickets.
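Enabling the feature is usually done through Group Policy or Intune, but the settings land in two documented registry locations, and the important part for a defender is confirming that the isolated LSA process is actually running after the reboot rather than merely configured. The block below is an added example, not code from the original article: it applies those registry values on a single workstation and reports the running state from the Win32_DeviceGuard WMI class. It assumes an elevated PowerShell session on a Windows 10/11 Enterprise host with UEFI, Secure Boot and virtualization extensions available.

```powershell
# Added example (not from the original article). Run elevated on a Windows 10/11
# Enterprise workstation; a reboot is required before the state check is valid.
$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Turn on virtualization-based security and require Secure Boot (1) or
#    Secure Boot plus DMA protection (3) as the platform security level.
New-Item -Path $dg -Force | Out-Null
New-ItemProperty -Path $dg -Name 'EnableVirtualizationBasedSecurity' -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $dg -Name 'RequirePlatformSecurityFeatures'   -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Enable Credential Guard. 1 = enabled with UEFI lock (cannot later be
#    disabled remotely, even by a local administrator, without clearing the
#    UEFI variable at the console), 2 = enabled without UEFI lock.
New-ItemProperty -Path $lsa -Name 'LsaCfgFlags' -PropertyType DWord -Value 1 -Force | Out-Null

# 3. After the reboot, confirm what is running, not just what was requested.
#    SecurityServicesRunning contains 1 when Credential Guard is running and
#    2 when HVCI is running; VirtualizationBasedSecurityStatus 2 = VBS running.
function Test-CredentialGuardRunning {
    $state = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                             -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        VbsStatus          = $state.VirtualizationBasedSecurityStatus
        CredentialGuardOn  = ($state.SecurityServicesRunning -contains 1)
        ConfiguredServices = ($state.SecurityServicesConfigured -join ',')
        RunningServices    = ($state.SecurityServicesRunning    -join ',')
    }
}

Test-CredentialGuardRunning
```

A fleet-wide version of Test-CredentialGuardRunning, run through your endpoint management tool, is the check that matters: a policy that reports as applied but a host where CredentialGuardOn is false (typically because Secure Boot or the hypervisor prerequisites are missing) is still exposed to the LSA attacks described above.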

3. Privileged Access Management

Humans are always the weakest link in the cybersecurity chain. The more privileges and access a user is granted, the greater the potential for abuse, exploitation or error, so it is vital to secure and monitor these core enterprise identities.

Privileged Access Management (PAM) refers to cybersecurity strategies and technologies to control, monitor, secure and audit all privileged identities and activities across an enterprise IT environment. A central goal of PAM is the enforcement of least privilege, where users are only delegated the minimum levels of access required to perform their job functions at the right time.

All IT organisations need to apply some control over privileged accounts, and how each approaches this depends on many factors. A small IT organisation may be able to govern privileged access through manual controls. For larger, more complex IT organisations, PAM software should be employed.

PAM solutions vary in scope and features. Most have capabilities to assign privileged account access, manage passwords and track privileged account sessions. When choosing a PAM solution an organisation must consider their unique security, IT, business and organizational requirements.

My colleague Dan Snape wrote more about PAM (and PIM) in this blog.

4. Privileged Access Strategy

Microsoft’s Privileged Access Strategy, built on the Zero Trust principles of explicit validation, least privilege and assumption of breach, underscores the concept that user access to resources and data must be kept separate from privileged access, with appropriate controls and pathways for accessing the various tiers. The strategy is to create an isolated virtual zone where sensitive accounts can operate with low risk. By securing privileged access, you can effectively block unauthorised pathways and leave a select few authorised access pathways which are protected and closely monitored.

One component of this strategy is a bastion environment, a hardened, dedicated Windows Server 2016/2019 Active Directory forest (shadow forest) which enables organisations to manage administrative accounts, workstations and groups in an environment which has stronger security controls than their existing production environment. Some core components to make up the bastion environment include a Privileged Identity Management (PIM) trust, shadow principals and temporary group memberships.
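Of the bastion-environment components listed above, temporary group membership is the one that can also be exercised natively: the ‘Privileged Access Management Feature’ optional feature of Active Directory (Windows Server 2016 forest functional level and above) lets a membership carry a time-to-live, after which the domain controller removes it on its own. The following is an added example, not code from the original article, showing how that feature is enabled, how a time-bound membership is granted, and how remaining TTLs are reported for audit. It assumes the ActiveDirectory RSAT module, Enterprise Admin rights, and a hypothetical forest corp.example.com with a hypothetical operator account jsmith.

```powershell
# Added example (not from the original article). Forest name and user are
# hypothetical placeholders. Enabling the optional feature is irreversible.
Import-Module ActiveDirectory

$forest = 'corp.example.com'   # hypothetical forest
$group  = 'Domain Admins'
$user   = 'jsmith'             # hypothetical operator account

# 1. Enable the PAM optional feature once per forest (requires 2016 forest level).
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest -Confirm:$false
}

# 2. Grant membership that expires by itself after 60 minutes. The DC removes the
#    member when the TTL lapses, so no clean-up job has to remember to do it, and
#    Kerberos tickets issued to the user are capped at the remaining TTL.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive (New-TimeSpan -Minutes 60)

# 3. Report members with their remaining TTL. Time-bound entries come back from
#    -ShowMemberTimeToLive as '<TTL=seconds>,CN=...'; permanent ones have no prefix.
function Get-TemporaryGroupMembers {
    param([string]$GroupName)
    (Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive).member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+)>,(.+)$') {
                [pscustomobject]@{ Member = $matches[2]; SecondsRemaining = [int]$matches[1] }
            } else {
                [pscustomobject]@{ Member = $_;          SecondsRemaining = $null }
            }
        }
}

Get-TemporaryGroupMembers -GroupName $group | Format-Table -AutoSize
```

Any member of a Tier 0 group that reports SecondsRemaining as null is a standing privilege; the goal of the strategy is for that list to be empty, with every elevation granted through a request that carries a TTL.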

Active Directory still plays a vital role in access and security for many organisations, both on-premises and now in the cloud. The aim of this series was to emphasise how important it is to put strong Active Directory security in place. Poor management and misconfiguration of Active Directory can enable a criminal attacker to gain access to an organisation’s critical systems and deploy malicious payloads, like ransomware, bringing business to an abrupt halt.

To recap, head back to Part 1 and Part 2 of this series.

Recommended Additional Reading:
