All an attacker needs is time and motivation to infiltrate your network. It’s your job to make their efforts to break in and remain undetected as difficult as possible. First, you must identify all of the weak points in Active Directory (AD) that an attacker can use to gain access and move through your network undetected. The Varonis Active Directory Dashboard shows you where you are vulnerable – and helps track your progress as you strengthen your defenses.
In this post, we’ll highlight 7 out of the over 25 Active Directory risk indicators that Varonis tracks in real-time.
Attackers Target Certain Domain Configurations
Attackers use many tricks to take advantage of vulnerabilities to sneak around your network and escalate privileges. Some of those vulnerabilities are domain configuration settings that you can easily change, once you identify the problems.
The Varonis AD Dashboard shows you at a glance if you have domain configurations that risk providing attackers with Infinity Stone level access to your network.
Of course, you could look those things up on your own: maybe set a calendar reminder to check, or schedule a PowerShell job to pull that data for you. The Varonis AD Dashboard updates automatically to provide a quick view of key metrics that highlight potential vulnerabilities so that you and your cybersecurity team can take action to remediate any issues immediately.
3 Domain Level Key Risk Indicators
Here are some AD widgets highlighted in the AD dashboard that are particularly useful to help harden and secure your network.
No. of Domains for Which the Kerberos Account Password Was Not Recently Changed
The KRBTGT account is the special service account in AD that signs all of the Kerberos tickets. Attackers that can gain access to a Domain Controller (DC) can use this account to create a Golden Ticket, which grants them unrestricted access to every system on your network. In one of the known instances of a successful Golden Ticket, an attacker had access to a company’s network for two years.
This AD widget will show you if your KRBTGT account password has not changed in the past forty days. Forty days is a long time for an attacker to have access to the network: if you standardize a process to change this password monthly, you’ll make it more challenging for an attacker to retain their access.
When you do change the KRBTGT password, you need to change it twice: Microsoft’s Kerberos implementation keeps the previous KRBTGT password alongside the current one, so tickets signed with the old key stay valid until the second change pushes it out.
Let this AD widget tell you when it’s past time to change the KRBTGT account for any domains on your network.
No. of Domains on Which the Native Administrator Account (Administrator) Had Been Recently Accessed
The Principle of Least Privilege says that sysadmins need two accounts: one user account for normal day-to-day usage, and another for planned administrative changes. This means that no one should use the default administrator account for any reason, and if this AD widget shows you otherwise, you have a problem. It could mean that you have an active cyberattack in progress, or it could mean that someone is using administrative accounts incorrectly. In either case, this widget will give you the data you need to investigate and correct the issue.
Companies use the native administrator logins to make system management much simpler – and that can be a difficult habit to break. If you are a company that uses this login regularly, you will have a difficult time discerning proper use from potentially malicious access.
If this AD widget shows you anything other than zero, you should take steps to correct and limit access to the native administrator accounts.
Once you have gotten this number down to zero and your system administrators are not using this account for their work, any change in this number will indicate a potential cyberattack of some kind.
No. of Domains on Which the Protected Users Group Does Not Exist
Older versions of AD supported weak encryption, called RC4. Hackers cracked RC4 years ago, and it’s trivial for an attacker to break into an account that still uses RC4. Windows Server 2012 and later introduced a new kind of Users group called the Protected Users group. The Protected Users group provides additional security features and prevents users from authenticating with RC4 encryption.
This widget shows you if any of your domains don’t have this group so you can upgrade and enable the Protected Users group, and then use this new group to secure your permissions.
Easy Targets of Opportunity For Attackers
User accounts are the number one target for attackers – from their first attempts at infiltration to their ongoing privilege escalation and evasion efforts. Attackers look for the easy targets on your network using basic PowerShell commands that are difficult to detect. Remove as many easy targets of opportunity from AD as possible.
The Varonis AD Dashboard highlights vulnerable user accounts and allows you to drill down so you can remediate those issues and build better barriers that attackers have to navigate around. The more difficult you can make your network to attack, the better your chances of catching an attacker before they can do major damage.
4 User Account Key Risk Indicators
Here are some examples of Varonis AD Dashboard widgets that highlight risky user accounts in your Active Directory.
No. of Enabled Users with Passwords That Never Expire
Any attacker that gets ahold of an account with a password that never expires is a happy and entrenched attacker. Because the password never expires, they have a permanent foothold in your network they can use as a staging area for privilege escalation or lateral movement.
Attackers have access to millions and millions of user-password combinations they use in credential stuffing attacks, and the chances that your non-expiring user-password combination is on one of those lists is much greater than zero.
Accounts with no password expiration exist for ease of management, but they are no longer safe. Use this widget to find all of the accounts that don’t have expiring passwords. Immediately change that option, and update the password.
Once you have this widget cleared, any new accounts created with no password expiration will stand out on the dashboard.
No. of Admin Accounts with SPN
A Service Principal Name (SPN) registered on an account marks it as a service account, and this widget shows you how many of your service accounts have full administrative privileges. Pro tip: it should be zero. SPNs with admin permissions happen because granting admin privileges is easy and simple for the software vendor and application administrators, but it is also a security risk.
Granting a service account administrative rights allows an attacker full access to an account that humans don’t use. Which means attackers with access to service accounts can move around freely and under the radar. Fix this issue by adjusting the permissions for your service accounts. Service accounts should follow the principles of least privilege and have only the access they need to do their job.
Once you have identified all of your SPNs that have administrative accounts with this widget, update their permissions and then make sure future SPNs follow the same least privilege access principles.
You can manage any new SPNs that show up in the dashboard as they appear.
No. of Users That Do Not Require Kerberos Pre-Authentication
Ideally, Kerberos encrypts authentication tickets with AES-256 encryption, which is currently not crackable.
However, older versions of Kerberos used RC4 encryption, which is crackable in a matter of minutes. This widget shows you which of your user accounts are using RC4 and not AES-256. Microsoft still supports RC4 for backward compatibility, but that doesn’t mean you should allow it in your AD.
Once you have identified these accounts, you can uncheck the option “Do not require Kerberos preauthentication” in AD to make them use the stronger encryption.
Identifying these accounts in AD – without the Varonis AD Dashboard – is time-consuming, but staying on top of any accounts that get changed to use RC4 encryption is even more challenging.
Attackers will manipulate this flag to break into accounts, so if this widget changes in the future, there might be shenanigans afoot.
Accounts with No Password Policy
Attackers use basic PowerShell to query AD for the “PASSWD_NOTREQD” flag. PASSWD_NOTREQD means that no password requirement is enforced – not length, not complexity, not even that the password contains any characters at all. How easy would it be for an attacker to steal an account with a simple or blank password? Now imagine that one of those accounts is an administrator.
What if one of the 1,000s of sensitive files open to everyone is the upcoming financial report?
Removing the password requirement is another shortcut for system administration that people used in the past, but it is not acceptable by modern security standards – and definitely not secure.
Fix this issue by changing the option to force a password and updating the password for the accounts.
Keep an eye on this widget in case future accounts are created without the password requirement, or if current accounts have their password requirement removed.
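As an added example (not Varonis code, and not part of the original post), the PowerShell below is the kind of scheduled job the post mentions as the manual alternative: it pulls the three domain-level and four user-account indicators described above for every domain in the forest. It assumes the RSAT ActiveDirectory module and a domain-joined account with read access to AD; the 40-day KRBTGT threshold is the one the post uses.

```powershell
# Added audit script (example, not the product's own code). Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$krbtgtMaxAgeDays = 40   # threshold taken from the KRBTGT widget description above

$report = foreach ($domain in (Get-ADForest).Domains) {
    $domainSid = (Get-ADDomain -Server $domain).DomainSID.Value

    # 1. KRBTGT password age: the account that signs every Kerberos ticket
    $krbtgt    = Get-ADUser -Identity krbtgt -Server $domain -Properties PasswordLastSet
    $krbtgtAge = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days

    # 2. Built-in Administrator, looked up by its well-known RID 500 so a rename cannot hide it.
    #    LastLogonDate comes from lastLogonTimestamp, which replicates with roughly 14-day granularity.
    $builtinAdmin = Get-ADUser -Identity "$domainSid-500" -Server $domain -Properties LastLogonDate

    # 3. Protected Users group present? (-Filter returns nothing instead of throwing when it is missing)
    $protectedUsers = Get-ADGroup -Server $domain -Filter { Name -eq "Protected Users" }

    # 4. Enabled users whose password never expires
    $neverExpires = Get-ADUser -Server $domain -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true }

    # 5. Privileged accounts (adminCount=1, set by SDProp for protected-group members) that carry an SPN.
    #    adminCount can be stale after an account leaves a protected group, so treat hits as leads to verify.
    $adminSpn = Get-ADUser -Server $domain -Filter { AdminCount -eq 1 -and ServicePrincipalName -like "*" } `
                           -Properties ServicePrincipalName

    # 6. Accounts with "Do not require Kerberos preauthentication" set
    $noPreAuth = Get-ADUser -Server $domain -Filter { DoesNotRequirePreAuth -eq $true }

    # 7. Enabled accounts carrying the PASSWD_NOTREQD flag (no password policy enforced)
    $noPwdReq = Get-ADUser -Server $domain -Filter { Enabled -eq $true -and PasswordNotRequired -eq $true }

    [pscustomobject]@{
        Domain                = $domain
        KrbtgtPasswordAgeDays = $krbtgtAge
        KrbtgtOverdue         = ($krbtgtAge -gt $krbtgtMaxAgeDays)
        BuiltinAdminLastLogon = $builtinAdmin.LastLogonDate
        ProtectedUsersMissing = ($null -eq $protectedUsers)
        PasswordNeverExpires  = @($neverExpires).Count
        AdminAccountsWithSPN  = @($adminSpn).Count
        NoPreAuthRequired     = @($noPreAuth).Count
        PasswordNotRequired   = @($noPwdReq).Count
    }
}

$report | Format-Table -AutoSize
```

Schedule it and diff successive runs: once every user-account count is at zero, any non-zero value or a new KrbtgtOverdue flag is the change the post says to investigate.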
Varonis Evens the Playing Field
In the past, researching and gathering these metrics took many hours and in-depth PowerShell knowledge: you’d have to dedicate resources to checking your risk posture every week or month. Doing this manually leaves plenty of time for attackers to infiltrate and steal data.
Varonis needs one day to populate the AD Dashboards with these – and many more – AD vulnerability metrics, and that AD dashboard automatically updates.
During a cyberattack, it’s a race between the attacker and defenders to see if the attacker can steal data before the defenders can close down the attacker’s access to the network. Early detection combined with a strong defense is key to keeping your data safe.
Check out the webinar “25 Key Risk Indicators to Help Secure Active Directory” for more metrics that you can see in the Varonis AD Dashboard and how to fix these issues.