An estimated 95% of companies use Microsoft’s Active Directory as their main identity and access management (IAM) platform. While some in the industry may wish to see this change, Active Directory (AD) shows no sign of decline. “The 1990s called and want their IAM back” is the mantra of many technologists, but the reality is that the forklift migration it would take to replace AD is a non-starter for many organizations. Since it is pervasive and seemingly not going anywhere soon, it is important that we as security professionals understand how to secure it, because the threat actors clearly know how to exploit it.
Some of the biggest threats revolve around credentials, especially those of privileged accounts and service accounts. Administrators often try to make their lives more convenient: they do not take the time to set very complex passwords on administrator accounts, they use those privileged accounts for daily work, and they make every service account a domain administrator because that guarantees it has the rights to do whatever the service needs.
These practices are 1990s thinking for a 1990s IAM. Every privileged account in AD should be used as little as possible, and only when absolutely necessary. How many people use an administrator account to add and remove user accounts, reset passwords, and create and manage groups? Why is this done with a domain administrator account rather than an ‘account operator’ account? Many organizations give the Help Desk administrator accounts to perform duties that a less privileged account can perform.
Service accounts are another favorite target of threat actors and penetration testers alike. Sometimes we cannot even blame the administrators, as bad programming can lead to an application or service requiring a domain administrator level account. Other times it is just laziness. First, review your service accounts and which applications need them. If an application needs domain administrator rights, consider replacing it, as the risk is likely higher than the benefit you receive. Incorporate this concept into procurement and investigate the requirement before purchasing any new product you may be considering. Next, whatever role the service account needs, restrict it from interactive logon and allow it to be used only from the IPs it needs (a setting right within AD). Heavily monitor these accounts. By gathering a baseline of normal logs for these accounts, you can then be alerted to abnormal activity, which may be abuse of the account by a threat actor.
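The review, restriction and baselining steps above, as an added PowerShell example (not code from the original post). It assumes the RSAT ActiveDirectory module on a domain-joined host, that service accounts can be recognised by having a servicePrincipalName set, and that 4624 events are read from the local Security log (in practice you would run it against forwarded logs from the hosts the account is used on). The account and host names in the example call are constructed placeholders. Note that the native AD attribute behind this restriction, LogonWorkstations, takes NetBIOS computer names rather than IP addresses.

```powershell
# Added example: audit privileged and service accounts in AD.
# Assumes the ActiveDirectory module; names such as svc_backup, BKP01 are constructed.
Import-Module ActiveDirectory

# 1. Every user that ends up in Domain Admins, including via nested groups.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties servicePrincipalName, LastLogonDate, LogonWorkstations

# 2. Service accounts are recognised here by a servicePrincipalName
#    (an assumption; adjust to your naming convention, e.g. 'svc_*').
$serviceAccountsInDA = $domainAdmins | Where-Object { $_.servicePrincipalName }

$serviceAccountsInDA | ForEach-Object {
    [pscustomobject]@{
        Account           = $_.SamAccountName
        SPNs              = ($_.servicePrincipalName -join '; ')
        LastLogon         = $_.LastLogonDate
        LogonWorkstations = $_.LogonWorkstations   # empty = may log on anywhere
    }
} | Format-Table -AutoSize

# 3. Restrict a service account to the hosts that actually run the service.
#    'Deny log on locally' / 'Deny log on through Remote Desktop Services'
#    are set by Group Policy (User Rights Assignment), not by this attribute.
function Restrict-ServiceAccountLogon {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $AllowedHosts   # NetBIOS computer names
    )
    Set-ADUser -Identity $SamAccountName -LogonWorkstations ($AllowedHosts -join ',')
}
# Constructed example call:
# Restrict-ServiceAccountLogon -SamAccountName 'svc_backup' -AllowedHosts 'BKP01','BKP02'

# 4. Baseline: count logon events (4624) per service account and logon type
#    over the last 7 days. Type 3 (network) and 5 (service) are normal for a
#    service account; type 2 (interactive) or 10 (RemoteInteractive) is what
#    to alert on once the baseline is established.
$since = (Get-Date).AddDays(-7)
$names = @($serviceAccountsInDA.SamAccountName)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            User      = $data.TargetUserName
            LogonType = $data.LogonType
            Source    = $data.WorkstationName
        }
    } |
    Where-Object { $names -contains $_.User } |
    Group-Object User, LogonType |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

Run step 1 and 2 first and keep the output; the list of service accounts sitting in Domain Admins is the input to the procurement and replacement discussion the post calls for. Apply step 3 only after the baseline in step 4 has shown which hosts the account is legitimately used from, otherwise the restriction itself becomes the outage.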
Log out! Do not allow privileged accounts to stay logged in to servers, or to workstations for that matter. The time an administrator account is logged into a computer is the time it is at most risk. Make sure it is logged out, and create group policies to force a log off after a certain amount of idle time.
At this point it is important to talk about the advances made in AD that take it from the 1990s to today, because some of these are great tools for alleviating some of the old risk associated with AD. As of Windows Server 2012 R2, Microsoft introduced a group called ‘Windows Protected Accounts’. If your domain is at the 2012 R2 functional level there are a multitude of protections that come with this security group, but even if it is not, the group still provides some protections. In Windows 10 Enterprise a feature called ‘Credential Guard’ is available which gives some of the same protections; however, our auditors have almost never seen these settings enabled.
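The two controls above, as an added PowerShell example that is not part of the original post. It assumes the group the author refers to is the built-in Protected Users group that shipped with Windows Server 2012 R2, that the ActiveDirectory module is available, and that Credential Guard status is read from the local Win32_DeviceGuard CIM class. Keeping the built-in Administrator (RID 500) out of the group is a design choice here, so that a break-glass account remains that is not subject to the group's restrictions.

```powershell
# Added example: check readiness for Protected Users, stage privileged accounts
# into it, and verify Credential Guard on the local Windows 10 host.
Import-Module ActiveDirectory

$domain = Get-ADDomain
"Domain functional level: $($domain.DomainMode)"
# Full enforcement (no NTLM, no DES/RC4 Kerberos, no delegation, 4-hour TGT
# lifetime) needs the domain at Windows2012R2Domain or later. Below that level
# only the client-side protections on 8.1/2012 R2 and later hosts apply.

# Candidates: users in Domain Admins that are not service accounts (no SPN;
# Microsoft advises against putting service or computer accounts in the group)
# and not the built-in Administrator (SID ending in -500, kept as break-glass).
$candidates = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties servicePrincipalName, SID |
    Where-Object { -not $_.servicePrincipalName -and -not $_.SID.Value.EndsWith('-500') }

$already = @((Get-ADGroupMember -Identity 'Protected Users').SamAccountName)
foreach ($u in $candidates | Where-Object { $_.SamAccountName -notin $already }) {
    # -WhatIf deliberately: membership breaks anything that still needs NTLM
    # or RC4 for that account. Remove -WhatIf once the logon baseline is clean.
    Add-ADGroupMember -Identity 'Protected Users' -Members $u -WhatIf
}

# Credential Guard on this host. SecurityServicesRunning containing 1 means
# Credential Guard is running; SecurityServicesConfigured shows what policy asks for.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 1) {
    'Credential Guard: running'
} else {
    'Credential Guard: NOT running (configured: ' + ($dg.SecurityServicesConfigured -join ',') + ')'
}
```

The Credential Guard check is the one the auditors mentioned in the post would run on a sample of workstations; a host that reports the service as configured but not running usually lacks the virtualization-based security prerequisites (UEFI, Secure Boot, hypervisor support) rather than the policy.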
All privileged accounts should have passwords that are at least 16 characters long and not built from dictionary words, making them difficult to crack. The argument against this is that people have trouble remembering them and fall back on poor practices like saving them in text documents or browsers. That concern is easily mitigated with password management tools, from free tools with minimal abilities all the way up to enterprise solutions with many features. What needs to happen is that someone in management works with the teams to come up with a process that is functional, works for everyone, and also protects these credentials.
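A way to enforce that minimum on privileged accounts in AD itself, rather than relying on policy documents, is a Fine-Grained Password Policy (PSO). The following is an added example, not code from the original post; it assumes the ActiveDirectory module, a domain at Windows Server 2008 functional level or later, and that the domain is the forest root (Enterprise Admins exists only there). The policy name, precedence, history and lockout values are constructed choices.

```powershell
# Added example: a Fine-Grained Password Policy that enforces 16 characters on
# privileged groups, then a report of the policy each Domain Admin actually gets.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'   # constructed name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 16 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 365) `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# A PSO applied to a group covers every member of that group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName `
    -Subjects 'Domain Admins', 'Enterprise Admins', 'Account Operators'

# Report: which policy does each Domain Admin resolve to, and when was the
# password last set? Passwords set before the PSO existed are only lengthened
# on the next change, so old PasswordLastSet dates are the follow-up list.
$defaultMin = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordLastSet |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_   # $null = default domain policy
        [pscustomobject]@{
            Account         = $_.SamAccountName
            EffectivePolicy = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            MinLength       = if ($pso) { $pso.MinPasswordLength } else { $defaultMin }
            PasswordLastSet = $_.PasswordLastSet
        }
    } | Format-Table -AutoSize
```

The report matters as much as the policy: a PSO only changes what is accepted at the next password change, so the MinLength column tells you the rule is in force while PasswordLastSet tells you whether the current password was ever subject to it.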
Active Directory is a huge threat vector in most organizations. It is imperative that we understand this threat and minimize the risk as best we can.