Securing Active Directory: How to avoid common mistakes and ensure resilience to attacks

For over two decades, Active Directory has reigned supreme as the go-to solution for managing identities and access within organizations. The technology itself has changed little in that time. System administrators know it very well, and so do attackers.

That lack of change calls for a fresh look at how AD, and the network resources it protects, are secured. Attackers breach AD from outside and from inside the network, and traditional security tools, most of which depend on Windows event logs, have not kept pace, as the rising number of successful attacks against AD shows. No single solution removes every AD security concern, but the right tools combined with a comprehensive approach can significantly strengthen defenses and limit the damage an attack can do.

This article will discuss modern AD threats and ways to confront them.

What you should know about AD

Active Directory has been around for a long time, over 20 years. Some things have not changed at all, such as the kind of information it stores, and that lack of change has both good and bad sides.
The good news: administrators who already know AD need little extra training, because it has not changed much.
The bad news: attackers know this too. They use the same knowledge to find weaknesses and chain them into attacks that take control of an entire network.
If organizations do not update their defenses, attackers will keep getting in, so new security approaches are needed to break this cycle.
Let's highlight the following points related to AD protection:
● The environment is built from domains and forests
● Users, groups, and computers are the core objects
● Each domain is subdivided into organizational units (OUs) for managing objects
● Group Policy is the preferred method for controlling users and computers
● Required services such as DNS and DHCP remain consistent
● Kerberos remains the default authentication protocol, with NTLMv2 still enabled as a fallback almost everywhere
● Password policy controls have barely changed

AD Security Solutions

Microsoft has tried different tools to secure on-premises Active Directory over the years, but most haven't lasted long. They either stop being supported or get replaced with other solutions.

The one exception is Group Policy. It's like the old reliable tool in the toolbox. It's been updated with the inclusion of many ADM/ADMX customizations, Group Policy Preferences, and Advanced Audit Policy. Still, the core of Group Policy has mostly stayed the same.

Here are other security solutions introduced over the years:
● Auditing and Advanced Audit Policy
● Security Configuration Wizard (SCW)
● Security Compliance Manager (SCM)
● Desired State Configuration (DSC)
● Local Administrator Password Solution (LAPS)
● Protected Users group

Taken individually, these tools struggle to provide comprehensive protection. Each has a limited scope, covering specific computers, settings, or threats, and some of the most valuable ones (LAPS and Protected Users in particular) suffer from low adoption simply because administrators are unaware of them. The combination leaves many Active Directory environments far less protected than the available tooling would allow.

New AD Attacks: Hide & Seek

Unchanging infrastructure and unreliable security tools have created a prime target for attackers. Active Directory incidents have become more frequent and sophisticated, with hackers seeking ways to infiltrate the system undetected.

Many in the industry point to inherent vulnerabilities in the initial design of Active Directory as the root cause. These fundamental security flaws persist due to the lack of significant improvements, leaving the system vulnerable.

New techniques exploit weaknesses in Active Directory's foundations and are designed to stay out of the default event logs that traditional monitoring relies on. Attackers use them to move laterally through the network and escalate privileges until they control the whole domain (domain dominance), often within hours or days.

Some modern attack methods plaguing AD today include:
● DCSync
● DCShadow
● Password spray
● Pass-the-Hash
● Pass-the-Ticket
● Golden ticket
● Service Principal Name abuse (Kerberoasting)
● AdminCount and adminSDHolder abuse

Detection Is a Challenge

Modern attacks operate under the radar of existing security tools. They exploit weaknesses in the foundations of Windows and Active Directory itself, which makes them hard to detect with default auditing. Attackers use a variety of methods to stay out of monitoring and logs, and not every attack follows the same playbook.
The most common categories are described below.

Time-Consuming Attacks

Some attacks operate slowly and deliberately, blending in with regular network activity. The attacker trades speed for stealth, gathering what they need over hours or days without raising suspicion. Such attacks often target user account passwords, because a valid password gives access without needing any elevated privileges.

A prime example is password spraying. Betting on the prevalence of weak passwords, the attacker enumerates usernames (any authenticated user can list accounts from Active Directory) and tries a short list of common passwords against every one of them. The trick is staying below the account lockout threshold: the domain password policy, including the threshold and the observation window that resets the bad-password counter, is readable by any domain user. One or two guesses per account per window, spread across hundreds of accounts, never locks anyone out, and the failed logons appear as isolated events scattered across many accounts rather than a burst against one.
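The two halves of that trade-off in code, as an added example that is not from the original article or from Tenable: the first part reads the lockout policy exactly as a spraying attacker would, the second hunts a domain controller's Security log for the spray signature (one source, many distinct accounts, fewer failures per account than the threshold). It assumes the RSAT ActiveDirectory module, logon-failure auditing on the DC it runs on, and tuning of the assumed `$windowMinutes` and `$minAccounts` values for your domain.

```powershell
# Added example (not code from the article or Tenable). Assumes RSAT ActiveDirectory,
# logon-failure auditing, and that it runs on (or is remoted to) a domain controller.
# $windowMinutes and $minAccounts are assumed thresholds; tune them for your domain.
Import-Module ActiveDirectory

# --- Part 1: the attacker's view. Any authenticated domain user can read this policy. ---
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'LockoutThreshold is 0: accounts never lock, so spraying is unconstrained.'
} else {
    '{0} guess(es) per account every {1} minutes stays under the lockout threshold of {2}.' -f `
        ($policy.LockoutThreshold - 1), $policy.LockoutObservationWindow.TotalMinutes, $policy.LockoutThreshold
}

# --- Part 2: the defender's view. 4625 = failed logon (NTLM/interactive),
#     4771 = Kerberos pre-authentication failure (written on the DC). ---
$windowMinutes = 60
$minAccounts   = 10
$since  = (Get-Date).AddMinutes(-$windowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771; StartTime = $since } `
            -ErrorAction SilentlyContinue

# Flatten each event's EventData into Source/Account pairs.
$failures = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Source  = ("$($d['IpAddress'])" -replace '^::ffff:', '')   # 4771 reports IPv4 as ::ffff:a.b.c.d
        Account = "$($d['TargetUserName'])".ToLower()
    }
}

# A spray: many distinct accounts from one source, each tried fewer times than the threshold.
# A brute force against a single account fails the second test and is a different alert.
$failures | Where-Object { $_.Source -and $_.Source -ne '-' } | Group-Object Source | ForEach-Object {
    $perAccount     = @($_.Group | Group-Object Account)
    $maxTries       = ($perAccount | Measure-Object -Property Count -Maximum).Maximum
    $underThreshold = ($policy.LockoutThreshold -eq 0) -or ($maxTries -lt $policy.LockoutThreshold)
    if ($perAccount.Count -ge $minAccounts -and $underThreshold) {
        $ordered = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Source           = $_.Name
            DistinctAccounts = $perAccount.Count
            MaxTriesPerAcct  = $maxTries
            FirstSeen        = ($ordered | Select-Object -First 1).Time
            LastSeen         = ($ordered | Select-Object -Last 1).Time
        }
    }
} | Sort-Object DistinctAccounts -Descending | Format-Table -AutoSize
```

The detection keys on the ratio of distinct accounts to attempts per account rather than on a raw failure count, because a spray deliberately keeps the per-account count under the very threshold part 1 prints. Sources that appear only as `-` (local logons) are dropped; a spray from many rotating addresses will need the same grouping done on a central SIEM rather than on one DC.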

Attacks That Use Core Technology and Configurations

Active Directory, born in 2000, has remained mostly unchanged in its core functionality. That consistency keeps old and new systems interoperating, but it also means the design details are thoroughly documented and well understood by attackers. In particular, information about privileged accounts is easy to discover from any domain-joined machine. This highlights the need for continuous improvement and adaptation in cybersecurity practices.

Some common built-in technologies being used against the AD environment include:
● Service Principal Names
● adminCount and adminSDHolder
● SIDHistory
● User Primary Group ID

While security and consistency were the original goals of these design choices in Active Directory, attackers now exploit them to establish persistent, undetected backdoors. These attacks manipulate core functionality that the system then enforces on the attacker's behalf, which makes them hard to detect without constant vigilance.

One example is the adminCount and adminSDHolder attack. It is simple in concept and, because it rides on a legitimate mechanism, cannot be patched away; it has to be caught by monitoring. AdminSDHolder is a template object (CN=AdminSDHolder,CN=System,<domain>) whose security descriptor the Security Descriptor Propagator (SDProp) process copies, by default every 60 minutes on the PDC emulator, onto every protected object, that is, every user and group with the adminCount attribute set to 1. An attacker who can edit the AdminSDHolder access control list (ACL) adds an account they control with "Modify" or "Full Control" permissions; within the hour SDProp pushes that ACE onto every protected account, including the Domain Admins, handing the attacker persistent control over all of them. Because the change is made once, on one obscure object, and then propagated by a trusted system process, it is easy to miss unless that ACL is watched explicitly.
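A check for the two things the attack above depends on, as an added example that is not from the original article or from Tenable: who holds write access on AdminSDHolder, and which objects SDProp will stamp with that ACL (including "orphans" that keep adminCount=1 after leaving a protected group). It assumes the RSAT ActiveDirectory module; the trustees treated as legitimate in `$trusted` and the protected-group list are assumptions to compare against your own baseline.

```powershell
# Added example (not code from the article or Tenable). Assumes RSAT ActiveDirectory.
# $trusted and $protectedGroups are assumptions; match them to your own baseline.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$sdHolderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$acl        = Get-Acl -Path "AD:\$sdHolderDN"

# Rights that let a trustee change protected accounts once SDProp copies the ACE onto them.
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
# Trustees that legitimately hold such rights on AdminSDHolder in a default domain.
$trusted = '\\Domain Admins$|\\Enterprise Admins$|\\Administrators$|^NT AUTHORITY\\SYSTEM$'

$suspect = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -notmatch $trusted -and (
        $_.ActiveDirectoryRights -match $writeRights -or
        # WriteProperty with an empty ObjectType means "write every attribute", not one attribute.
        ($_.ActiveDirectoryRights -match 'WriteProperty' -and $_.ObjectType -eq [guid]::Empty)
    )
}
if ($suspect) {
    Write-Warning "Unexpected write access on $sdHolderDN (SDProp will copy it to every protected account):"
    $suspect | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType | Format-Table -AutoSize
} else {
    'AdminSDHolder ACL contains no unexpected write access.'
}

# Protected groups whose members SDProp stamps with adminCount=1 and the AdminSDHolder ACL.
$protectedGroups = 'Administrators','Domain Admins','Enterprise Admins','Schema Admins',
                   'Account Operators','Server Operators','Print Operators','Backup Operators','Replicator'
$protectedMembers = @(foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
})

# Objects still marked adminCount=1 but no longer in any protected group: they keep the
# AdminSDHolder ACL (and any attacker-added ACE), and inheritance on them stays disabled.
'Orphaned adminCount=1 objects:'
Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' -Properties adminCount |
    Where-Object {
        $_.DistinguishedName -notin $protectedMembers -and
        $_.Name -notin $protectedGroups -and
        $_.Name -ne 'krbtgt'
    } |
    Select-Object Name, ObjectClass, DistinguishedName |
    Format-Table -AutoSize
```

Run it from a baseline and diff the first table on every run; a new trustee there is the attack in progress, and you have at most one SDProp cycle (60 minutes by default) before it reaches every privileged account. The orphan list is cleanup work: reset adminCount and re-enable inheritance on accounts that should no longer be protected, otherwise they silently inherit any ACE planted on AdminSDHolder.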

Attacks That Bypass Logging

Advanced techniques allow attackers to maintain long-term, undetected access within Active Directory. These attacks typically come after an initial privilege escalation (replication rights or Domain Admin equivalence obtained by other means) and are used to establish persistence. Their primary goal is to remain hidden while granting ongoing access and control to the attacker.
The two attacks that fall under this category include:
● DCSync
● DCShadow
DCSync impersonates a domain controller and asks a real one, over the directory replication protocol (MS-DRSR), to replicate account secrets. The result is the NT hashes and Kerberos keys of any account, including krbtgt, which can be reused directly (Pass-the-Hash, Golden Ticket) without any offline cracking. It requires the "Replicating Directory Changes" and "Replicating Directory Changes All" extended rights on the domain, which Domain Admins, Enterprise Admins, Administrators and the domain controllers themselves hold by default; any other principal holding them is a DCSync backdoor. DCShadow goes one step further: it registers a rogue domain controller in the directory and pushes changes (a new SIDHistory value, a changed group membership, a modified ACL) into a legitimate DC through replication, so the change never passes through the normal write path where it would be audited.
Both attacks sidestep the logs that log-based monitoring depends on. Because they look like a domain controller replicating with its peers, the object-change events a normal edit would generate on the DC do not appear, and DCSync produces no logon or credential-access event for the victim accounts. A trace does exist, but only where someone has arranged to look for it: a DCSync request shows up as a Directory Service Access event (4662) carrying the replication-right GUIDs, and only if that audit subcategory is enabled on the DCs and the events are filtered for requesters that are not DCs; DCShadow briefly registers a server object and domain-controller SPNs for the machine it runs from, which can be watched for. AD monitoring tools, SIEM solutions, and even some agent-based security measures that rely solely on the default event logs see nothing.
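The DCSync side of that blind spot, as an added example that is not from the original article or from Tenable: the first part lists every trustee holding the replication extended rights on the domain naming context (the complete set of principals able to DCSync), the second looks for replication requests recorded as event 4662 by accounts that are not domain controllers. It assumes the RSAT ActiveDirectory module and, for the second part, that "Audit Directory Service Access" is enabled on the DC it runs on; without that subcategory 4662 is never written. The `$knownDefault` regex is an assumption about a default domain.

```powershell
# Added example (not code from the article or Tenable). Assumes RSAT ActiveDirectory and,
# for part 2, the "Audit Directory Service Access" subcategory enabled on this DC.
# $knownDefault is an assumption about which principals hold the rights by default.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Schema-defined GUIDs of the replication control access rights; identical in every forest.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$knownDefault = '\\Administrators$|\\Domain Admins$|\\Enterprise Admins$|\\Enterprise Domain Controllers$|' +
                '\\Enterprise Read-only Domain Controllers$|^NT AUTHORITY\\SYSTEM$'

# --- Part 1: who can DCSync. Read from the ACL of the domain head. ---
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$holders = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' } | ForEach-Object {
    $guid  = $_.ObjectType.ToString()
    $right = $null
    if ($_.ActiveDirectoryRights -match 'GenericAll') { $right = 'GenericAll (implies every extended right)' }
    elseif ($_.ActiveDirectoryRights -match 'ExtendedRight') {
        if ($replRights.ContainsKey($guid))      { $right = $replRights[$guid] }
        elseif ($_.ObjectType -eq [guid]::Empty) { $right = 'All extended rights' }
    }
    if ($right) {
        [pscustomobject]@{
            Trustee = $_.IdentityReference.Value
            Right   = $right
            Status  = if ($_.IdentityReference.Value -match $knownDefault) { 'default' } else { 'REVIEW' }
        }
    }
}
$holders | Sort-Object Status, Trustee | Format-Table -AutoSize

# --- Part 2: has anyone other than a DC exercised those rights in the last 24 hours? ---
$dcAccounts = @((Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$".ToUpper() })
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } `
            -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # The Properties field lists the control access right GUIDs that were exercised.
    $used = @($replRights.Keys | Where-Object { "$($d['Properties'])" -match $_ })
    if ($used.Count -gt 0 -and "$($d['SubjectUserName'])".ToUpper() -notin $dcAccounts) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            LogonId = $d['SubjectLogonId']    # join to 4624 with the same logon ID to get the source address
            Rights  = ($used | ForEach-Object { $replRights[$_] }) -join ', '
        }
    }
}
```

Part 1 is the more important half: it is complete regardless of auditing, and every `REVIEW` row is either a documented exception (a backup or synchronisation product) or a persistence backdoor. Part 2 only ever shows what the DC was configured to record, and 4662 carries no client address, hence the note to correlate on `SubjectLogonId`; a Domain Admin's own account performing DCSync from a workstation is the case worth alerting on, since legitimate replication is always between DC computer accounts.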

Attacks That Impersonate Other Users

The following attack categories continue to evolve, posing new threats to Active Directory security:
● Pass-the-Hash
● Pass-the-Ticket
● Silver Tickets
● Golden Tickets

Attackers typically leverage stolen credential material to gain unauthorized access and elevated privileges within Active Directory. The material can belong to regular or privileged users, and each stolen set lets the attacker move laterally and escalate further. Pass-the-Hash replays a stolen NTLM hash to authenticate as the user without ever knowing the password; Pass-the-Ticket replays a stolen Kerberos ticket (a TGT or a service ticket) lifted from a compromised machine's memory. Silver and Golden Tickets go further and forge the tickets themselves: a Silver Ticket is a service ticket signed with the stolen key of one service account (a machine account, for example), giving access to that service only and never touching a domain controller; a Golden Ticket is a TGT signed with the stolen krbtgt key, good for any account and any service in the domain, and valid until the krbtgt password has been changed twice.
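The built-in mitigations listed earlier (Protected Users, LAPS) are the direct counters to the credential-reuse attacks above, and the earlier section noted that they are under-adopted. This added example, not code from the original article or from Tenable, reports which privileged accounts lack them, how old the krbtgt password is (a Golden Ticket outlives anything short of a double rotation), and how many computers have no LAPS-managed local administrator password. It assumes the RSAT ActiveDirectory module and a domain functional level of 2012 R2 or later for Protected Users; the group names and the 180-day krbtgt limit are assumptions.

```powershell
# Added example (not code from the article or Tenable). Assumes RSAT ActiveDirectory and
# DFL 2012 R2+ for Protected Users. $privGroups and the 180-day limit are assumptions.
Import-Module ActiveDirectory

# --- Privileged users not hardened against credential theft ---
$privGroups = 'Administrators','Domain Admins','Enterprise Admins','Schema Admins'
$privUsers  = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
}
$privUsers = @($privUsers | Sort-Object -Property DistinguishedName -Unique)
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($u in $privUsers) {
    $acct = Get-ADUser -Identity $u.DistinguishedName -Properties AccountNotDelegated, ServicePrincipalName
    [pscustomobject]@{
        Account          = $acct.SamAccountName
        # Protected Users: no NTLM (kills Pass-the-Hash), no DES/RC4, no delegation, no cached logon.
        InProtectedUsers = $acct.DistinguishedName -in $protected
        # "Account is sensitive and cannot be delegated": stops ticket reuse through delegation.
        NotDelegated     = [bool]$acct.AccountNotDelegated
        # A privileged account with an SPN hands a crackable service ticket to any domain user.
        HasSPN           = ($acct.ServicePrincipalName.Count -gt 0)
    }
}
'Privileged accounts missing at least one mitigation:'
$report | Where-Object { -not $_.InProtectedUsers -or -not $_.NotDelegated -or $_.HasSPN } | Format-Table -AutoSize

# --- krbtgt: a Golden Ticket stays valid until this password has been changed twice ---
$krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$ageDays = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
if ($ageDays -gt 180) {
    Write-Warning "krbtgt password is $ageDays days old; rotate it twice, waiting for replication in between."
} else {
    "krbtgt password age: $ageDays days."
}

# --- LAPS coverage: a computer without an expiration stamp has no managed local admin password,
#     so one stolen local hash can be replayed with Pass-the-Hash on every such machine ---
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsAttrs = @(foreach ($a in 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime') {
    if (Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$a)") { $a }   # Windows LAPS / legacy LAPS
})
if ($lapsAttrs.Count -eq 0) {
    Write-Warning 'Neither the Windows LAPS nor the legacy LAPS schema extension is present.'
} else {
    $computers = @(Get-ADComputer -Filter 'Enabled -eq $true' -Properties $lapsAttrs)
    $noLaps    = @($computers | Where-Object { $pc = $_; -not ($lapsAttrs | Where-Object { $pc.$_ }) })
    '{0} of {1} enabled computers have no LAPS password stamp.' -f $noLaps.Count, $computers.Count
    $noLaps | Select-Object -First 20 -ExpandProperty Name
}
```

Do not bulk-add accounts to Protected Users without testing: the group disables NTLM and RC4 for its members, so a service or scheduled task still running under a privileged user account will break, which is itself a finding (it should be a separate, unprivileged service identity). The krbtgt rotation needs two changes with a replication gap because the KDC honours tickets signed with the previous key as well as the current one.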

Enhancing Active Directory Resilience

Many Active Directory environments were established years ago, predating the emergence of today's prominent security threats. To prevent potential attacks, organizations must actively identify and address security vulnerabilities within their Active Directory infrastructure. Traditional monitoring and SIEM solutions may not comprehensively assess these specific vulnerabilities.

However, some solutions can scan your Active Directory environment and identify potential security issues, aiding in remediation efforts. For example, Tenable Identity Exposure provides a list of existing problems and misconfigurations that need to be fixed immediately.

Additionally, continuous monitoring is crucial to ensure ongoing security due to the dynamic nature of Active Directory environments. Settings can change due to various factors, including human error, software installation, updates, and even malicious activity. Therefore, constant vigilance and proactive security measures are essential for safeguarding your Active Directory infrastructure. The faster you identify attacks, the more chances you have to prevent them.

AD monitoring and SIEM solutions rely on security logs to assess the AD environment. Tenable Identity Exposure draws on data sources other than the event logs to gain deeper insight into potential threats within Active Directory, which can mean earlier detection and faster response than log analysis alone. It can forward what it finds to a SIEM, so it complements rather than replaces the SIEM, which remains a vital component of the overall security program.

Summary

Active Directory's established nature can make it susceptible to smart attacks requiring minimal privileges. These attacks challenge traditional security solutions because they can bypass logging mechanisms. To safeguard your environment, a comprehensive security strategy that prioritizes proactive measures is critical. This includes continuous monitoring for vulnerabilities and misconfigurations and employing robust detection and prevention tools.

Tenable Identity Exposure provides immediate information regarding misconfigurations and real-time detection of any new misconfigurations or attacks—with no agents or privileges.

BAKOTECH is the official distributor of Tenable in Azerbaijan, Georgia, Armenia, Moldova, Ukraine and Central Asia.

Contacts

+380 44 273 3333
tenable@bakotech.com
