When it comes to cybersecurity—especially the security of critical identity infrastructure—the minimum expectation for every organization should be closing known vulnerabilities and configuration gaps. Welcome to the second of our three-part discussion of how the CISA and NSA top ten cybersecurity misconfigurations list applies to hybrid Active Directory environments and how you can remediate these issues in your own organization.
Related reading: NSA Top Ten Cybersecurity Misconfigurations + AD Security (Part 1 of 3)
About this series
Part 1 of this series addresses the first three items on the CISA and NSA top ten cybersecurity misconfigurations list. This post discusses the next four items. I’ll finish up the list next week, in Part 3.
To recap: Active Directory is the core identity system for most organizations, regardless of industry. In this series, I provide:
- A quick explanation of each vulnerability as it relates to a hybrid Active Directory identity environment
- Associated risks
- Indicators of exposure (IOEs) and indicators of compromise (IOCs) in Semperis Directory Services Protector and the free Purple Knight community tool that can alert you to the vulnerability or potential attempts to exploit it
Let’s dive in.
4. Lack of network segmentation
Network segmentation involves dividing a network into multiple subnets to minimize the number of hosts that can interact directly with each other. Without proper segmentation, an organization’s network is essentially flat. Once an attacker gains access to one part of the network, they can potentially access all other parts without encountering internal barriers.
Identity security risks
A lack of segmentation fails to contain security breaches and can enable rapid lateral movement by malicious actors. In a flat network, all systems are more easily accessible from any given entry point, increasing the potential impact of a compromise. Critical systems, such as sensitive databases and servers that host Active Directory, are much more vulnerable to cyber threats because internal defenses are minimal.
Without segmentation, cyber threats such as ransomware can spread more quickly throughout your organization’s network. Active Directory is particularly at risk because it is a prime target for attackers who want to elevate privileges and gain administrative control over network resources.
Addressing the identity risk
In cybersecurity, the focus on segmentation extends beyond the network. Segmentation also encompasses identity.
Trust segmentation goes beyond the traditional, and insufficient, reliance on the Active Directory forest as the sole trust boundary. It requires a finer level of control, often called micro-segmentation, that aligns with the Zero Trust model: access to a resource depends on an evaluation of several trust signals rather than on forest membership alone.
Those access decisions should be informed by as much context as you can gather. Tools like Forest Druid show where each identity sits relative to Tier 0 assets (domain controllers, privileged groups, and the objects that can control them), which is the intelligence you need to make informed security decisions. Such tools also let you export the Tier 0 objects into your authentication systems so that you can apply additional safeguards, such as two-factor authentication (2FA), or enable advanced auditing for those objects.
5. Poor patch management
At its core, poor patch management refers to the lack of systematic processes for identifying, acquiring, testing, and installing software updates and patches in a timely and reliable manner. This negligence can lead to outdated systems running within the network. Such systems can harbor known vulnerabilities. For complex environments, including those that leverage both Active Directory and Entra ID, patch management is crucial given the integral role that these services play in network security and identity management.
Identity security risks
Any system or application that is not patched regularly is a potential target for exploitation. The stakes are even higher for directory services. Active Directory, the central authority for authentication and policy enforcement in most Windows-based environments, is particularly at risk. If an Active Directory domain controller is compromised because of an unpatched vulnerability, the entire domain—possibly the entire forest—is at risk.
The potential consequences of poor patch management are extensive and can include:
- Data breaches
- Malware infections
- Ransomware attacks
- Loss of service
Indicators of exposure and indicators of compromise
In Purple Knight and Directory Services Protector, the following indicators can alert you to poor patch management issues:
- Enterprise Key Admins with full access to domain. A bug in Windows Server 2016 granted the Enterprise Key Admins group Full Control over the domain naming context when a domain controller was promoted. The bug was corrected in a later build of Windows Server 2016, but a domain that already received the ACE keeps it until you remove it. Full Control includes the replication rights that DCSync attacks use, so members of this group can replicate every secret from Active Directory.
- Computers with older OS versions. Computers running older and unsupported OS versions can be targeted with known or unpatched exploits.
- SMBv1 is enabled on Domain Controllers. SMBv1 is an old protocol (deprecated by Microsoft in 2014), which is considered unsafe and susceptible to all kinds of attacks.
- SMB Signing is not required on Domain Controllers. Unsigned SMB traffic can be relayed: an attacker who intercepts an NTLM challenge-response exchange can forward it to a domain controller and act as the victim without ever knowing the password.
- Zerologon vulnerability. CVE-2020-1472 is a flaw in the Netlogon Remote Protocol that lets an unauthenticated attacker with network access to a domain controller reset the DC's computer account password and take over the domain. Microsoft fixed it in the August 2020 updates; domain controllers that have not received that update remain exposed.
- Computer accounts leveraging specific CVEs. An alert on one of these indicators can signify that an attacker has exploited the named vulnerability to escalate privileges to a domain controller.
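The indicators above can be checked without a product, as an added example that is not part of the original post or of the Semperis tools. The script assumes a domain-joined admin host with the ActiveDirectory module and WinRM access to every domain controller; the unsupported-OS pattern and the update-date threshold are assumptions you should adjust for your estate.

```powershell
# Added example, not from the original post: checks for the patch-related
# indicators above. Run from a domain-joined admin host with the ActiveDirectory
# module and WinRM access to every domain controller.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$findings = New-Object System.Collections.Generic.List[string]

# 1. Enterprise Key Admins holding Full Control (GenericAll) on the domain NC.
#    Full Control includes the replication rights that DCSync uses.
$domainAcl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$domainAcl.Access |
    Where-Object { $_.IdentityReference.Value -like '*\Enterprise Key Admins' -and
                   $_.ActiveDirectoryRights -match 'GenericAll' } |
    ForEach-Object { $findings.Add("Enterprise Key Admins has Full Control on $($domain.DistinguishedName)") }

# 2. Enabled computer accounts whose OS no longer receives security updates.
#    The pattern is an assumption; extend it for the versions present in your domain.
$unsupportedOs = '^Windows (Server 2008|Server 2012|XP|7|8)\b'
Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, LastLogonDate |
    Where-Object { $_.OperatingSystem -match $unsupportedOs } |
    ForEach-Object { $findings.Add("Older OS: $($_.Name) runs '$($_.OperatingSystem)', last logon $($_.LastLogonDate)") }

# 3. Per-DC settings: SMBv1, SMB signing, and the Zerologon fix.
#    Since the February 2021 enforcement-phase update, DCs enforce secure Netlogon
#    channels regardless of the FullSecureChannelProtection registry value, so a
#    DC whose newest installed update predates that is the real red flag.
$zerologonEnforcementDate = [datetime]'2021-02-09'
foreach ($dc in Get-ADDomainController -Filter *) {
    $state = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        $smb = Get-SmbServerConfiguration
        $nl  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
        $lastUpdate = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
                      Select-Object -First 1 -ExpandProperty InstalledOn
        [pscustomobject]@{
            Smb1Enabled      = $smb.EnableSMB1Protocol
            SigningRequired  = $smb.RequireSecuritySignature
            NetlogonEnforced = ($nl.FullSecureChannelProtection -eq 1)
            LastUpdate       = $lastUpdate
        }
    }
    $name = $dc.HostName
    if ($state.Smb1Enabled)          { $findings.Add("${name}: SMBv1 is enabled") }
    if (-not $state.SigningRequired) { $findings.Add("${name}: SMB signing is not required") }
    if (-not $state.LastUpdate -or $state.LastUpdate -lt $zerologonEnforcementDate) {
        $findings.Add("${name}: newest update installed $($state.LastUpdate), before Zerologon enforcement; treat as unpatched")
    } elseif (-not $state.NetlogonEnforced) {
        $findings.Add("${name}: FullSecureChannelProtection is not 1 (informational on a DC updated after February 2021)")
    }
}

$findings
```

Get-HotFix only lists updates recorded by the Component-Based Servicing store, so treat the update-date check as a triage signal and confirm against your patch management system before declaring a DC clean.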
6. Bypass of system access controls
A bypass of system access controls typically occurs when security mechanisms are improperly configured or when flaws in the system design are exploited. Threat actors can use such a bypass to gain unauthorized access to systems or data. This misconfiguration or exploit can stem from a variety of issues:
- Insecure default settings
- Flawed authentication processes
- Ineffective access control lists (ACLs)
- The exploitation of system vulnerabilities
Identity security risks
Systems with improperly enforced access controls are inherently vulnerable to unauthorized use. This issue is critically pertinent to identity and access management systems like Active Directory and Entra ID.
These systems, which are central to the security infrastructure, manage user identities and control access to resources across the network. If an attacker can bypass these controls, they might gain the same level of access to resources as legitimate users—or worse yet, escalate their privileges.
If the bypass remains undetected, it can potentially enable persistent access for an attacker. In such cases, an attacker continues to exploit system vulnerabilities and access sensitive data over an extended period. Persistence not only endangers the integrity, confidentiality, and availability of your systems but might also put your organization in violation of compliance requirements.
The bypass of system access controls also encompasses activities that deviate from standard operational procedures. Consider an adversary who compromises a domain controller through direct physical access to the system. This breach can expose sensitive components, such as the system disk and Active Directory backups, to unauthorized access. An inadequately secured Directory Services Restore Mode (DSRM) password is a significant weakness in this situation: the attacker could stop directory services, introduce malicious changes into the Active Directory database (NTDS.dit), and restart the system to put those changes into effect.
Addressing the identity risk
Integrating critical systems with a comprehensive monitoring solution can offer visibility into unauthorized activities. Regular (or better yet, continuous) monitoring of Active Directory can help you quickly detect and respond to identity security incidents.
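Two DSRM-related signals are worth building into that monitoring, shown here as an added example that is not part of the original post: the DsrmAdminLogonBehavior registry value, which attackers raise to 2 so that the DSRM administrator account works over the network for persistence, and Security event 4794, which is logged whenever the DSRM administrator password is set. The script assumes Domain Admin rights and WinRM access to each domain controller; the 30-day lookback is an assumption.

```powershell
# Added example, not from the original post: checks each domain controller for
# DSRM abuse. Run with Domain Admin rights and WinRM access to the DCs.
Import-Module ActiveDirectory

$lookback = (Get-Date).AddDays(-30)   # assumption: review the last 30 days
$findings = New-Object System.Collections.Generic.List[string]

foreach ($dc in Get-ADDomainController -Filter *) {
    $state = Invoke-Command -ComputerName $dc.HostName -ArgumentList $lookback -ScriptBlock {
        param([datetime]$since)

        # DsrmAdminLogonBehavior: 0 or absent = the DSRM administrator can log on only
        # when the DC is booted into DSRM; 1 = also while AD DS is stopped;
        # 2 = always, including network logons, which attackers set for persistence.
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
        $behavior = if ($null -eq $lsa) { 0 } else { [int]$lsa.DsrmAdminLogonBehavior }

        # Security event 4794: "An attempt was made to set the Directory Services
        # Restore Mode administrator password" (for example via ntdsutil).
        # Legitimate resets are rare and should map to a change record.
        $resets = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794; StartTime = $since } `
                               -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Behavior = $behavior
            Resets   = @($resets | ForEach-Object { $_.TimeCreated.ToString('u') })
        }
    }

    $name = $dc.HostName
    if ($state.Behavior -ne 0) {
        $findings.Add("${name}: DsrmAdminLogonBehavior = $($state.Behavior) (expected 0 or absent)")
    }
    foreach ($when in $state.Resets) {
        $findings.Add("${name}: DSRM password set at $when (event 4794); confirm against change records")
    }
}

$findings
```

Event 4794 is only recorded if the Security log on the DC has not already rolled over, so forward it to your SIEM rather than relying on the local log, and review the Subject fields of each event to see which account performed the reset.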
7. Weak or misconfigured MFA methods
Weak or misconfigured multifactor authentication (MFA) can occur in various ways:
- Allowing insecure fallback options
- Failing to enforce MFA across all user accounts
- Using default settings without tailoring the configuration to your organization’s needs
- Failing to keep MFA software up to date
Attackers can exploit these gaps to bypass the additional security layer that MFA was designed to provide.
Any user account, application, or system that relies on MFA for security can be compromised if MFA is not configured robustly. The risk is heightened for administrative accounts, particularly in Active Directory or Entra ID environments. There, such accounts have elevated privileges that can be exploited to cause widespread damage within the organization’s IT infrastructure.
Identity security risks
A misconfigured MFA deployment can reduce user confidence in the system's security, potentially leading to risky behavior or non-compliance with security policies. Moreover, if MFA is deemed unreliable, your organization might face regulatory scrutiny and reputational damage, particularly if a breach occurs because of the misconfiguration.
Indicators of exposure and indicators of compromise
In Purple Knight and Directory Services Protector, the following indicators can alert you to MFA-related issues:
- MFA not configured for privileged accounts in Entra ID. Accounts with privileged access are more vulnerable targets to attackers. The compromise of a privileged user represents a significant risk and requires extra protection.
- Check for users with weak or no MFA in Entra ID. Phone-based methods such as SMS and voice calls are weak: an attacker can vish or smish (voice- or SMS-based social engineering) the code out of a user, or trick the user into approving an authentication the attacker initiated.
- Check if legacy authentication is allowed in Entra ID. Allowing legacy authentication increases the risk that an attacker will log on using previously compromised credentials.
- Conditional Access Policy does not require MFA on privileged accounts. Requiring MFA on privileged accounts strengthens tenant security and ensures that privileged accounts identify themselves by having to provide more than a username and password.
- Conditional Access Policy that does not require MFA when sign in risk has been identified. A medium or high sign-in risk represents a medium-to-high probability that an unauthorized authentication request was made.
- Number Matching not enabled in MFA in Entra ID. Without number matching, a push notification can be approved with a single tap, so users are prone to MFA fatigue (push bombing) attacks, in which the attacker sends prompts until the user approves one. Microsoft has since made number matching mandatory for Microsoft Authenticator push notifications, which closes this gap for that method.
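The same checks can be scripted against the tenant with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post or of the Semperis tools. It assumes a reader account granted the listed scopes; the privileged-role list and the set of methods treated as weak are assumptions, while the policy properties are those of Entra Conditional Access.

```powershell
# Added example, not from the original post: reviews the Entra ID MFA
# indicators above with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All',
                        'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'Policy.Read.All'

$findings = New-Object System.Collections.Generic.List[string]

# Registration details for every user, keyed by UPN.
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $registration[$_.UserPrincipalName] = $_ }

# Methods an attacker can vish or smish, plus SSPR-only methods. A user whose
# registered methods all fall in this set has weak (or no) MFA. (Assumption.)
$weakMethods = 'mobilePhone', 'alternateMobilePhone', 'officePhone', 'email', 'securityQuestion'

# 1. Privileged role members with no MFA, or only weak methods, registered.
#    Role names are the built-in Entra ID names; extend the list for your tenant.
$privilegedRoles = 'Global Administrator', 'Privileged Role Administrator',
                   'Security Administrator', 'User Administrator', 'Exchange Administrator'
foreach ($roleName in $privilegedRoles) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }   # role never activated in this tenant
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $upn = $member.AdditionalProperties['userPrincipalName']
        if (-not $upn) { continue }   # groups and service principals need separate handling
        $reg = $registration[$upn]
        if (-not $reg -or -not $reg.IsMfaRegistered) {
            $findings.Add("$roleName member $upn has no MFA method registered")
        } elseif (-not ($reg.MethodsRegistered | Where-Object { $_ -notin $weakMethods })) {
            $findings.Add("$roleName member $upn relies on phone-based MFA only: $($reg.MethodsRegistered -join ', ')")
        }
    }
}

# 2. Conditional Access coverage. Only enabled policies count; report-only
#    policies enforce nothing.
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' }

$adminMfa = $policies | Where-Object {
    ($_.Conditions.Users.IncludeRoles | Measure-Object).Count -gt 0 -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
if (-not $adminMfa) { $findings.Add('No enabled Conditional Access policy requires MFA for directory roles') }

$riskMfa = $policies | Where-Object {
    ($_.Conditions.SignInRiskLevels -contains 'medium' -or $_.Conditions.SignInRiskLevels -contains 'high') -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
if (-not $riskMfa) { $findings.Add('No enabled Conditional Access policy requires MFA for medium or high sign-in risk') }

# Legacy authentication shows up as client app types 'exchangeActiveSync' and 'other'.
$legacyBlocked = $policies | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
if (-not $legacyBlocked) { $findings.Add('No enabled Conditional Access policy blocks legacy authentication') }

$findings
```

Two caveats: a tenant running on security defaults has no Conditional Access policies but does require MFA for administrators and block legacy authentication, so the last three findings are expected there; and the role check is deliberately narrow, so a policy that targets all users rather than specific roles will also be reported even though it covers administrators.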
Detect Active Directory and Entra ID misconfigurations
Next week, I’ll cover the Active Directory implications of the final three items in the CISA and NSA top ten cybersecurity misconfigurations list. For now, you can download our free community tools, Purple Knight and Forest Druid, and get a jumpstart on detecting these misconfigurations in your Active Directory environment.