Active Directory security is important because Active Directory(AD) represents the keys to the kingdom. Imagine that box where your store all of the physical keys to every door in the office building. AD is just like that box, but for every computer, software application, and service you run on your entire network. You keep that physical box of keys protected and secured – or you should – and you need more security to protect AD from cyber attacks.
Verizon’s security team researched over 53,000 cyber attacks for their 2018 Verizon Data Breach Investigation Report. During that research, Verizon confirmed 2,616 data breaches. For comparison, in 2017, the FBI tracked 19,502 burglaries of offices in the United States. It stands to reason that your digital presence is a much bigger target than your physical office space, so let’s dig into AD security and establish best practices to prevent data breaches with a well defended Active Directory.
Why is Active Directory Security Critical?
Why is Active Directory security so important? Because Active Directory is central to all of the steps of the cyber kill chain. To perpetuate an attack, attackers need to steal credentials or compromise an account with malware, then escalate privileges so they have access to all of the resources they need. If you don’t have proper security and audit controls for AD in place attackers could hide and steal any data they wanted, and you might never know.
Common Active Directory Security Risks
Active Directory has been around since Windows 2000, and that is quite enough time for attackers to figure out many different ways to exploit vulnerabilities in and around the system, including the humans who use the system.
Common Active Directory Security Vulnerabilities
- Active Directory currently uses Kerberos authentication, which itself has several vulnerabilities
- AD used to use and still supports NTLM encryption, which is very weak in today’s standards
- Attackers can use a brute force approach to break into Active Directory
- Phishing and malware are very common methods of stealing user credentials
User-Related Active Directory Security Threats
- Phishing also falls under this category, because phishing doesn’t always attack AD directly, but it takes advantage of the human’s desire to click a link
- Social engineering is phishing but more in person, like someone calling you and saying they are from the IT department and you need to log in with your user and password, but they aren’t from IT, and they just stole your credentials
- One element of social engineering is spear phishing – impersonating a high ranking officer of a company to deceive others to steal money or data
Active Directory Security Best Practices
To counter the many vulnerabilities and attacks used to break into AD, security experts have developed a set of best practices for securing active directory.
Document Your Active Directory
To keep a clean and secure AD, you must know everything about that AD – and I do mean everything. Document naming conventions and key security policies in addition to every user, service account, computer, and access group.
Here’s a good first checklist:
- Identify all of your computers, users, domain, and OU naming conventions.
- Describe your OU hierarchy, DNS configuration, network numbering conventions, and DHCP configuration.
- List the main functions of your GPOs and the process of organization.
- Take note of the locations of AD’s Flexible Single Master Operation Roles (FSMO) roles.
- Identify the organization’s policy when adding new user accounts or when revoking user accounts.
- Describe the organizations’ policy for user restrictions.
Enforce Safe Practices Among Users
Once you have the rest of your security stack tightened up, the weak link in your data security will be the humans themselves. Research shows that humans will click a phishing link or get fooled by a whale phishing or social engineering scam – it’s going to happen. It is vital that you prepare and train your users to recognize these threats and have the ability to notify the Incident Response team if they suspect an attacker compromised their account.
Here are some other basics to enforce with your users:
- Enforce a good password policy. What is a good password policy? That is still up for debate. NIST recently updated their policy, and other security experts recommend an encrypted password manager to keep randomized long passwords safe. In any case, the longer the password with more character options the better.
- Train users to recognize phishing attacks.
- Prevent users from making administrative changes on their laptop that could compromise their security.
- Give System Administrators two accounts: one for normal usage and an Administrator account to perform changes.
- Limit administrative accounts to the assigned systems, with redundancies in place of course. You don’t want a single Admin account that can open all the “doors.”
Secure Domain Controller
Make it close to impossible to reach your Domain Controllers. You can configure your network to allow access to DCs only from a hardened and secured computer without access to the internet. Adding this layer of security will keep your DC safer from outside intrusion and lateral movement or privilege escalation attacks from inside your network.
Employ the Least Privilege Model
The least privilege model is one of the best investments you can make to keep your networks secure from cyberattacks. Least privilege says that each user only has access to the resources they need to do their job, including admins and service accounts. If any account gets compromised, using the least privilege model will minimize your overall risk of exposure to data theft.
Monitor Active Directory for Compromise
Lastly and most importantly, monitor Active Directory. You should know every change, every login request, and every GPO change that happens on your DCs. That’s a huge amount of data and will require automation to analyze. Varonis monitors Active Directory and correlates perimeter telemetry, file activity, and user behavior to detect unusual activity or abnormal behaviors. You can uncover critical misconfigurations, monitor & alert on changes to security groups, GPOs, OUs, and other AD objects. Varonis then leverages advanced data security threat models to determine if there are current behaviors or events that indicate a possible cyberattack.
For example, a user logging in after-hours isn’t necessarily all that interesting, but a user logging in after-hours from a different country and then accessing sensitive credit card data is! Varonis makes sense of the chaos in your data so you can protect AD and prevent data breaches.
Monitoring Active Directory is so important, in fact, that we’ve created a dashboard just for that. You can track disabled accounts, accounts without passwords or non-expiring passwords, and even any accounts with weak encryption settings. These metrics represent areas of risk in AD, and provide a way for you to prioritize resolving those issues.
Want to learn more about Active Directory cyberattacks – and how to stop them? Check out our on-demand webinar 25 Key Risk Indicators to Help Secure Active Directory – and see our dashboards in action.
Tracking this data daily will show you if someone creates a new account incorrectly, if an attacker has changed the encryption type, or any number of other indicators of a cyberattack.