Microsoft Active Directory security involves dealing with a mixed bag of risks, ranging from management mistakes to unpatched vulnerabilities. We often write about the fact that cyber-attackers are targeting AD to elevate privileges and gain persistence in the organization. Investigate a typical data breach, and you’ll find that stolen credentials likely were used—sometimes for initial entry, sometimes for accessing critical systems, but always to the detriment of the targeted organization.
Hardening AD begins with getting a handle on the vulnerabilities and common configuration and management mishaps that pave the road to compromises. To defend AD, administrators need to know how attackers are targeting their environment. How many, however, can pass a pop quiz about the types of security holes threat actors are sneaking through as they move through the steps of the breach?
Authentication fail
It seems ironic, but some of the most prevalent and damaging configuration errors impacting Active Directory are related to the authentication process. Consider a scenario where an organization wants to let a third-party or home-grown application that doesn’t integrate with AD query AD for active users. The easiest route is to simply enable anonymous access to Active Directory. While this action might make sense from a productivity standpoint for busy administrators, it also allows unauthenticated users to query AD. If that capability is enabled without mitigating controls, the organization’s risk profile increases substantially.
The Zerologon vulnerability reported in 2020 was quickly exploited by attackers because it allowed them to change or remove the password for a service account on a domain controller. The results of a successful exploit could be catastrophic. Weak passwords, non-expiring passwords, no passwords—all these are warning signs that an organization’s AD environment is not secure.
Secure password policies should be the order of the day throughout the Active Directory infrastructure. Any account with the PASSWD_NOTREQD flag set should automatically draw additional scrutiny and have a justifiable reason for its configuration. Additionally, passwords—especially service account passwords—should be periodically rotated. Leaving passwords unchanged for lengthy amounts of time increases the likelihood of a successful brute force attack, as attackers will have more time to take swipes at them.
Authentication issues to watch for include:
- Computer and group Managed Service Account (gMSA) objects whose passwords were last set more than 90 days ago
- Reversible passwords found in Group Policy Objects (GPOs)
- Anonymous access to Active Directory enabled
- Zerologon vulnerability (CVE-2020-1472) if the patch is not applied
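As an added example (not code from the article or from Semperis), here is a PowerShell script that audits a domain for the authentication indicators in the list above using the ActiveDirectory module. It assumes RSAT is installed and the caller can read the domain, the configuration partition and SYSVOL; the 90-day threshold follows the article. It checks PASSWD_NOTREQD and non-expiring passwords on user accounts, stale computer and gMSA passwords, reversible password storage (the domain policy setting, the per-user flag, and leftover cpassword values in Group Policy Preference XML under SYSVOL), and the dSHeuristics switch that re-enables anonymous LDAP operations. It does not verify the Zerologon patch; that belongs with your update inventory.

```powershell
# Added example, not part of the original article: audit the authentication
# indicators of exposure with the ActiveDirectory module. Assumes RSAT is
# installed and the caller has read access to the domain, the configuration
# partition and SYSVOL. The 90-day threshold follows the article.
Import-Module ActiveDirectory

$staleDays = 90
$cutoff    = (Get-Date).AddDays(-$staleDays)
$domain    = Get-ADDomain
$findings  = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Object, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}

# LDAP bitwise-AND matching rule, used to test userAccountControl flags server-side.
$bitAnd = '1.2.840.113556.1.4.803'

# 1. PASSWD_NOTREQD (0x0020): the DC accepts an empty password for these accounts.
Get-ADUser -LDAPFilter "(userAccountControl:$bitAnd:=32)" |
    ForEach-Object { Add-Finding 'PASSWD_NOTREQD' $_.DistinguishedName 'userAccountControl has PASSWD_NOTREQD set' }

# 2. DONT_EXPIRE_PASSWORD (0x10000) on enabled users whose password is older than
#    the threshold: the usual shape of a forgotten service account.
Get-ADUser -LDAPFilter "(&(userAccountControl:$bitAnd:=65536)(!(userAccountControl:$bitAnd:=2)))" -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    ForEach-Object { Add-Finding 'NonExpiringStalePassword' $_.DistinguishedName ("PasswordLastSet {0:d}" -f $_.PasswordLastSet) }

# 3. Computer and gMSA objects whose password was last set more than 90 days ago.
#    Both are read through the raw pwdLastSet attribute (a FILETIME; 0 = never set).
$machineLike = @(Get-ADComputer -LDAPFilter "(!(userAccountControl:$bitAnd:=2))" -Properties pwdLastSet) +
               @(Get-ADServiceAccount -Filter * -Properties pwdLastSet)
foreach ($obj in $machineLike) {
    if ($obj.pwdLastSet -eq 0) {
        Add-Finding 'StaleMachinePassword' $obj.DistinguishedName 'pwdLastSet is 0 (never set)'
        continue
    }
    $set = [DateTime]::FromFileTime($obj.pwdLastSet)
    if ($set -lt $cutoff) { Add-Finding 'StaleMachinePassword' $obj.DistinguishedName ("pwdLastSet {0:d}" -f $set) }
}

# 4. Reversible password storage: domain policy, per-user flag
#    (ENCRYPTED_TEXT_PWD_ALLOWED, 0x0080), and 'cpassword' values in Group Policy
#    Preference XML files, which are decryptable with a published key.
if ((Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled) {
    Add-Finding 'ReversibleEncryption' $domain.DistinguishedName 'Default domain policy stores passwords with reversible encryption'
}
Get-ADUser -LDAPFilter "(userAccountControl:$bitAnd:=128)" |
    ForEach-Object { Add-Finding 'ReversibleEncryption' $_.DistinguishedName 'User flagged ENCRYPTED_TEXT_PWD_ALLOWED' }
$sysvol = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
Get-ChildItem -Path $sysvol -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword=' -List |
    ForEach-Object { Add-Finding 'GPPCpassword' $_.Path 'Group Policy Preference file contains a cpassword value' }

# 5. Anonymous LDAP: the 7th character of dSHeuristics (fLDAPBlockAnonOps) set to
#    '2' re-enables anonymous LDAP operations for the whole forest.
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$heur = (Get-ADObject -Identity $dsConfig -Properties dSHeuristics).dSHeuristics
if ($heur -and $heur.Length -ge 7 -and $heur[6] -eq '2') {
    Add-Finding 'AnonymousLDAP' $dsConfig "dSHeuristics = $heur (anonymous LDAP operations enabled)"
}

$findings | Sort-Object Check, Object | Format-Table -AutoSize
```

Everything the script reads is readable by Authenticated Users, so it can run as a standard domain user from a management host; the SYSVOL search is the slowest step. The flag checks are pushed to the DC as LDAP bitwise filters rather than filtered client-side, which keeps the result sets small in large domains.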
Permitting excessive permissions
As most AD environments have been in production for many years, their attack surfaces have grown. Many of a forest’s accumulated vulnerabilities can be traced back to the pattern that someone needs something done, usually in a hurry, and the least-privilege path to get that done is too time-consuming, not easily available, or simply not known. As a result, the user or group or permission is over-privileged just to ensure the request will be satisfied and the ticket closed. And of course, that entitlement is never ever removed, so the attack surface simply grows and grows.
In reality, it’s not uncommon for AD environments to have unnecessarily high numbers of domain administrators—a fact that can be even more troubling if those accounts are orphaned and are simply waiting to be leveraged in an attack. Service accounts with excess permissions also pose a high risk because their passwords are usually set to not expire, and many of them will have weak passwords (which makes them a good kerberoasting target). As the number of users with administrative privileges grows, so does the attack surface that needs to be protected. Membership in these groups should be tightly controlled.
Mistakes happen, of course. As an AD environment grows larger and more complex, for example, someone might fail to properly account for inherited permissions and inadvertently grant an account too many privileges. But even properly managing privilege delegation is not enough with attackers taking the offensive.
As an example, consider the impact of an AdminSDHolder attack. Just as a refresher, the AdminSDHolder container stores the Security Descriptor applied to privileged groups and accounts. By default, every 60 minutes, the Security Descriptor Propagator (SDPROP) process compares the permissions on protected objects with those defined on AdminSDHolder and reverts any discrepancies.
In an AdminSDHolder attack, threat actors abuse SDPROP to maintain persistence: they add their own permissions to the AdminSDHolder object, and SDPROP then stamps those permissions onto every protected object. If the changes on the protected objects are identified and undone, but the unauthorized changes to AdminSDHolder go undetected, SDPROP will reinstate the attacker’s permissions on its next run.
Auditing permissions and monitoring for suspicious activity is the best defense against the abuse of privileges.
Permission issues to watch for include:
- Privileged objects with unprivileged owners
- Permission changes on the AdminSDHolder object
- Unprivileged users with DCSync rights on the domain
- Default security descriptor schema changes in the last 90 days
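For the AdminSDHolder mechanism described above and the four permission indicators in this list, here is an added PowerShell example (not from the article or from Semperis) that checks each item through the ActiveDirectory module’s AD: drive. It assumes the module is available, that the caller can read the domain and schema partitions, and that the list of privileged SIDs in the script is extended with whatever Tier-0 groups your forest uses; the replication extended-right GUIDs are the well-known ones from the AD schema.

```powershell
# Added example, not part of the original article: audit the permission
# indicators of exposure. Assumes the ActiveDirectory module (and its AD: drive)
# and read access to the domain and schema partitions.
Import-Module ActiveDirectory

$lookbackDays = 90
$cutoff   = (Get-Date).AddDays(-$lookbackDays)
$domain   = Get-ADDomain
$forest   = Get-ADForest
$rootSid  = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$dSid     = $domain.DomainSID.Value
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Object, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}

# Principals that may legitimately own protected objects or hold replication rights:
# SYSTEM, Enterprise DCs, BUILTIN\Administrators, Administrator, Domain Admins,
# Domain Controllers, Enterprise RODCs, Enterprise Admins. Assumption: add your own
# Tier-0 groups here before relying on the output.
$privilegedSids = @('S-1-5-18', 'S-1-5-9', 'S-1-5-32-544',
    "$dSid-500", "$dSid-512", "$dSid-516", "$dSid-498", "$rootSid-519")

function Test-Privileged($identity) {
    try {
        $sid = if ($identity -is [System.Security.Principal.SecurityIdentifier]) { $identity }
               else { $identity.Translate([System.Security.Principal.SecurityIdentifier]) }
        return ($privilegedSids -contains $sid.Value)
    } catch { return $false }   # unresolvable (orphaned) trustee: report it
}
function Test-Right($rights, [System.DirectoryServices.ActiveDirectoryRights]$flag) {
    return (($rights -band $flag) -eq $flag)
}

# 1. Protected (adminCount=1) objects whose owner is not privileged: the owner can
#    rewrite the DACL regardless of what the DACL currently says.
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor | ForEach-Object {
    $owner = $_.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier])
    if (-not (Test-Privileged $owner)) {
        $ownerName = $owner.Value
        try { $ownerName = $owner.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        Add-Finding 'UnprivilegedOwner' $_.DistinguishedName "Owner: $ownerName"
    }
}

# 2. AdminSDHolder: a write-capable ACE for a non-privileged trustee is suspect,
#    because SDPROP copies it onto every protected account and group.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight, Self'
foreach ($ace in (Get-Acl -Path "AD:\$adminSdHolder").Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ((($ace.ActiveDirectoryRights -band $writeMask) -ne 0) -and -not (Test-Privileged $ace.IdentityReference)) {
        Add-Finding 'AdminSDHolderACE' $adminSdHolder "$($ace.IdentityReference): $($ace.ActiveDirectoryRights) (ObjectType $($ace.ObjectType))"
    }
}

# 3. Replication extended rights on the domain naming context (what DCSync needs).
$replGuids = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
               '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
               '89e95b76-444d-4c62-991a-0facbeda640c')   # DS-Replication-Get-Changes-In-Filtered-Set
foreach ($ace in (Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $grantsRepl = (Test-Right $ace.ActiveDirectoryRights 'GenericAll') -or
                  ((Test-Right $ace.ActiveDirectoryRights 'ExtendedRight') -and
                   ($ace.ObjectType -eq [guid]::Empty -or $replGuids -contains $ace.ObjectType.ToString()))
    if ($grantsRepl -and -not (Test-Privileged $ace.IdentityReference)) {
        Add-Finding 'ReplicationRight' $domain.DistinguishedName "$($ace.IdentityReference): $($ace.ActiveDirectoryRights) $($ace.ObjectType)"
    }
}

# 4. classSchema objects whose defaultSecurityDescriptor changed in the last 90 days.
#    whenChanged narrows the candidates; replication metadata pins the attribute and time.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(objectClass=classSchema)' -Properties whenChanged, defaultSecurityDescriptor |
    Where-Object { $_.whenChanged -gt $cutoff } | ForEach-Object {
        $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName -Server $domain.PDCEmulator -Attribute defaultSecurityDescriptor
        if ($meta -and $meta.LastOriginatingChangeTime -gt $cutoff) {
            Add-Finding 'SchemaDefaultSDChange' $_.DistinguishedName ("Changed {0:g} (version {1}): {2}" -f $meta.LastOriginatingChangeTime, $meta.Version, $_.defaultSecurityDescriptor)
        }
    }

$findings | Sort-Object Check, Object | Format-Table -Wrap
```

The AdminSDHolder and domain-root checks will list a few default trustees on the first run (for instance, Everyone holds the change-password extended right on AdminSDHolder), so record that first run as a baseline and alert on additions rather than on the raw list. The schema check uses whenChanged only to shortlist objects, then reads replication metadata, so what it reports is the attribute that actually changed and when, not just that something on the class object was touched.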
Cheat sheet for security
Armed with information about indicators of exposure (IOEs), organizations can strengthen their AD’s security. One tool that can help is Purple Knight, a free AD security audit tool that Semperis released in March. Purple Knight queries your Active Directory environment in “read-only” mode and performs a comprehensive set of tests against the most common and effective attack vectors to uncover risky configurations and security weaknesses.
Scanning Active Directory provides insight into its security posture and reduces the risk of unauthorized changes or misconfigurations going undetected. AD administrators need to know more than their craft; they also need to know the tactics of their adversaries. By keeping critical warning signs top of mind, they can harden AD against common attacks.