Microsoft Active Directory (AD), the primary identity store used by most enterprises worldwide, has become a favourite playground for hackers. Once compromised, this central directory service gives intruders access to other permissions and resources in a company network. It allows them to move laterally and expand their attack to their victim’s on-premises and cloud assets.
Businesses are starting to wake up to the risks associated with AD. One crucial aspect, however, that is often overlooked is the wealth of default read permissions that Microsoft has granted to any user and computer in AD. The built-in permission delegation capabilities, designed over 23 years ago, were a cornerstone of AD’s success as they greatly simplified administrative tasks. Unfortunately, they also pose a considerable security risk.
Active Directory is organised into so-called AD forests. Each forest shares a global address list and a security boundary. Yet, this boundary also marks out the scope of reach for an intruder. An attacker who gains a foothold in an organisation’s network – for example, by using stolen user credentials to establish a remote connection – can access all AD objects within the forest. It means they can use AD as a tool to locate and target privileged user accounts. This allows them to gain further control over the network.
By exploiting vulnerabilities in AD as well as the operating system and unpatched endpoints, attackers can discover the credentials of other users and systems, gain administrator privileges, and, finally, disable protections to reach their ultimate target: domain dominance. From there, they will launch their core attack, whether that’s stealing business data or installing ransomware.
Misconfigurations accrue over time
One of the riskiest aspects of AD is that its default permissions are far too open. They give users seamless access to business applications, which simplifies day-to-day work. However, these default permissions also give away sensitive information to anyone who accesses the directory with malicious intent.
To complicate matters, AD is an old technology. Most AD infrastructures were implemented years or even decades ago and managed by different administrators over time. They have accrued a substantial misconfiguration debt. Often, there are multiple inactive user accounts lingering in the directory. This includes legacy admin accounts that adversaries could easily misuse.
For these reasons, following the best practice of the least privileged model, in which users are granted only as many permissions as they need to do their job, is an important step in securing AD. This approach might mean removing permissions. However, administrators need to weigh the pros and cons of how those changes could affect critical business applications. IT and security teams need to plan changes carefully and ideally try them first in a test environment to assess their impact. Documenting changes will allow organisations to revert to the original permissions if needed.
Several free tools are available to check the security of all domains in an AD forest. Among these are Purple Knight and Forest Druid. These community tools from Semperis require no installation beyond downloading and unpacking a zip file. Purple Knight scans the environment for indicators of exposure. These are vulnerabilities that an intruder could use to attack AD. Forest Druid takes it one step further, helping to find other attack paths against your most privileged AD objects.
Lockdown can stop intruders from using AD against you
When locking down permissions, the first areas to consider are privileged accounts and groups. These include enterprise and domain admin groups and their members, as well as account operators and server operators. Behind the scenes, the ‘admin security descriptor holder’ object in AD (AdminSDHolder) contains the special permissions for each privileged object. Its default settings can be changed, and permissions removed to make the environment more secure.
For example, in a properly configured AD, the business applications should not use those privileged accounts and groups. Neither should they need to perform a lookup to find out who is a member of the domain admin group to work correctly. Locking down those permissions is a low-risk security measure and unlikely to impact day-to-day operations.
In addition, privileged AD accounts or groups should never be replicated to Azure AD. It could lead to additional attack paths between the on-premises and cloud directories.
Reducing the attack surface
Cutting off users and computers from reading information about privileged objects effectively reduces the AD attack surface. If the privileged accounts and their potential vulnerabilities are not easily visible to attackers, finding the weak spots to attack AD and using attack vectors such as pass-the-hash becomes much more difficult.
Hiding privileged accounts with permission lockdown is, however, not enough. Organisations should also be serious about tiering their AD infrastructure. At a minimum, the highest privileged accounts should never log on to any system other than the domain controllers or other highly trusted systems.
Even after the lockdown of the AdminSDHolder, other vulnerabilities in AD may remain, such as domain trust to a third-party domain without quarantine. Intruders could still use these for attack planning. Ongoing monitoring of AD and all endpoints for any suspicious changes is, therefore, key.
Removing risky permissions is key
For administrators, understanding the built-in logic that Microsoft has added to AD is crucial. This permission-granting mechanism has its benefits, but it also introduces weaknesses that attackers can use to their advantage.
Removing risky default read permissions will pay off by making it much more difficult for intruders to perform reconnaissance that helps them in planning their next moves to take control of your infrastructure.
With the continuing rise of identity-based attacks, securing your AD has never been more important. By minimising the visibility of objects, you will ultimately make AD safer.
A more detailed paper on removing risky permissions in AD can be found at: https://www.semperis.com/resources/improving-your-active-directory-security-posture-adminsdholderto-the-rescue
For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures the integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing hybrid Active Directory environments, Semperis’ patented technology protects over 50 million identities from cyberattacks, data breaches and operational errors. The world’s leading organisations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress and quickly recover from ransomware and other data integrity emergencies. Semperis is headquartered in Hoboken, New Jersey, and operates internationally, with its research and development team distributed throughout the United States, Canada and Israel.