Late last year, the United States National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a list of the most common cybersecurity misconfigurations found in large computer networks. This CISA and NSA top ten cybersecurity misconfigurations list reveals systemic weaknesses, particularly in (though not limited to) Microsoft Windows and Microsoft Active Directory environments.
Whether your environment relies on Active Directory alone or in combination with other identity systems, like Entra ID or Okta, addressing these vulnerabilities should be a top priority.
What is the CISA and NSA top ten cybersecurity misconfigurations list?
Based on Red and Blue team assessments conducted by the NSA’s Defensive Network Operations (DNO) and CISA’s Vulnerability Management (VM) and Hunt and Incident Response teams, the CISA and NSA top ten cybersecurity misconfigurations list spans both government and private sectors. The advisory also discusses the tactics, techniques, and procedures (TTPs) that malicious actors use to exploit the misconfigurations it details. Network owners and operators, regardless of their specific software environments, are advised to rigorously scrutinize their systems for these misconfigurations.
Why should you focus on Active Directory?
Not every issue on the CISA/NSA list directly involves Active Directory—but many do. The most recent Microsoft Digital Defense Report (MDDR, 2023) backs up the urgency of addressing Active Directory security.
The MDDR noted that nearly half the customers involved in Microsoft Incident Response engagement have insecure Active Directory configurations. Furthermore, the report states:
The most prevalent gaps we found during reactive incident response engagements were:
- Lack of adequate protection for local administrative accounts.
- A broken security barrier between on-premises and cloud administration.
- Lack of adherence to the least privilege model.
- Legacy authentication protocols.
- Insecure Active Directory configurations.
These gaps enable attacker tactics ranging from Initial Access to Lateral Movement and Persistence.
Microsoft Digital Defense Report 2023
Active Directory is the core identity system for most of today’s organizations, both public and private. This directory service is central to identity and access management. The age of the service—developed decades ago—and its critical role in managing access throughout the environment make it a key target for cyberattacks. Hybrid Active Directory environments (those that use Active Directory plus Entra ID or another identity system) increase the attack surface and can complicate security efforts.
How can you address Active Directory misconfigurations?
At Semperis, our Research team maintains a library of security indicators to help you assess your security posture, close attack paths, and spot nefarious behavior. Indicators of exposure (IOEs) flag vulnerabilities that cyberattackers can (and often do) exploit. Indicators of compromise (IOCs) alert you to patterns that are associated with suspicious behaviors—often the sign of a breach, backdoor accounts, and other active threats.
Our Active Directory audit tools, Directory Services Protector and the free Purple Knight community tool, use these indicators when scanning your Active Directory infrastructure. The results provide a comprehensive picture of your Active Directory security posture, with prioritized guidance on mitigating the identified issues or, in the case of Directory Services Protector, automated remediation options.
Semperis has reviewed the CISA and NSA top ten cybersecurity misconfigurations from an Active Directory perspective. This post—the first of a three-part series—will give you:
- A quick explanation of each vulnerability as it relates to a hybrid Active Directory identity environment
- Associated identity security risks
- Indicators to watch for in Purple Knight or Directory Services Protector
I’ll cover the first three items in this post, then address the remaining misconfigurations over the next two parts in the series.
1. Default configurations in software and applications
Out-of-the-box settings are a significant security concern, primarily because they are well known and often insufficiently secure for production environments.
Default settings are typically designed for ease of deployment and user experience rather than security. They might include:
- Simple passwords
- Unnecessary open ports
- Enabled guest accounts
- Excessive permissions
These shortcomings are particularly dangerous when it comes to network infrastructure and mission-critical applications such as Active Directory and Entra ID.
Identity security risks
Active Directory is the repository for all network resources, including user accounts, group policies, and access controls. If compromised, it can provide an attacker the “keys to the kingdom.” Entra ID, which extends these functionalities to cloud resources, can also be a lucrative target. If either directory service is compromised, the effects can be catastrophic, leading to data breaches and unauthorized access to sensitive resources.
The use of default configurations can lead to several security risks, including:
- Unauthorized access
- Privilege escalation
- Lateral movement within the network
- Data exfiltration
In the context of Active Directory, an attacker might exploit default settings to gain an initial foothold by compromising weak default credentials.
Indicators of exposure and indicators of compromise
In Purple Knight and Directory Services Protector, the following indicators can alert you to the existence or exploitation of default configurations:
- Print spooler service is enabled on a DC. Several critical flaws have been found in the Windows Print Spooler service. These flaws directly affect print spoolers running on domain controllers and can enable remote code execution.
- Unprivileged users can add computer accounts to domain. Kerberos-based attacks can abuse this capability.
- Anonymous access to Active Directory enabled. Anonymous access can enable unauthenticated users to query Active Directory.
- NTFRS SYSVOL replication. NTFRS is an older replication protocol that has been replaced by DFSR. Attackers can exploit NTFRS weaknesses to compromise SYSVOL and potentially change GPOs and logon scripts, propagating malware and moving laterally across the environment.
- Unsecured DNS configuration. Attackers can leverage this type of configuration to add a new DNS record or replace an existing DNS record to spoof a management interface. They can then wait for incoming connections and steal credentials.
- Non-admin users can create tenants in Entra ID. Badly configured tenants that are linked to users from the parent (organization) tenant are easier to compromise, because such tenants are typically not properly monitored or secured.
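To make the first five of these indicators concrete, here is an added PowerShell audit script. It is not Semperis code and not how Purple Knight or Directory Services Protector implement their checks; it is my own illustration of what each indicator looks for in the directory. It assumes the ActiveDirectory and DnsServer RSAT modules, WinRM access to the domain controllers, and an account that can read the configuration partition. Reading “unsecured DNS configuration” as AD-integrated zones that accept nonsecure dynamic updates is my interpretation, not a statement of what the product checks.

```powershell
# Added example (not Semperis code): audit a domain for the default-configuration
# exposures listed above. Assumes the ActiveDirectory and DnsServer RSAT modules,
# a domain-joined host, and an account that can read the configuration partition
# and query the DCs over WinRM/WMI. Produces a table of findings.
Import-Module ActiveDirectory
Import-Module DnsServer -ErrorAction SilentlyContinue

$domain   = Get-ADDomain
$rootDse  = Get-ADRootDSE
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Check, [string]$Target, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Target = $Target; Detail = $Detail })
}

# 1. Print Spooler running (or merely not disabled) on a domain controller.
foreach ($dc in Get-ADDomainController -Filter *) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
               -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    if ($svc -and ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')) {
        Add-Finding 'Print Spooler on DC' $dc.HostName "State=$($svc.State) StartMode=$($svc.StartMode)"
    }
}

# 2. Unprivileged users can add computer accounts: ms-DS-MachineAccountQuota (default 10).
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -gt 0) {
    Add-Finding 'Machine account quota' $domain.DNSRoot "ms-DS-MachineAccountQuota=$quota (0 unless ordinary users must join machines)"
}

# 3. Anonymous LDAP access: 7th character of dSHeuristics (fLDAPBlockAnonOps) set to '2'.
$dsSvc = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" -Properties dSHeuristics
$heur  = [string]$dsSvc.dSHeuristics
if ($heur.Length -ge 7 -and $heur[6] -eq '2') {
    Add-Finding 'Anonymous LDAP access' $domain.DNSRoot "dSHeuristics=$heur"
}

# 4. SYSVOL still replicated by NTFRS. The NTFRS replica set object for SYSVOL is removed
#    only when the DFSR migration reaches 'Eliminated' (dfsrmig /getglobalstate on a DC
#    reports the same state), so its presence means NTFRS is still in the picture.
$frsBase = "CN=File Replication Service,CN=System,$($domain.DistinguishedName)"
$ntfrs   = Get-ADObject -LDAPFilter '(objectClass=nTFRSReplicaSet)' -SearchBase $frsBase -ErrorAction SilentlyContinue
foreach ($rs in $ntfrs) {
    Add-Finding 'NTFRS SYSVOL replication' $domain.DNSRoot "NTFRS replica set present: $($rs.DistinguishedName)"
}

# 5. AD-integrated DNS zones that accept nonsecure dynamic updates, so any host can
#    add or replace records without authenticating.
if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
    Get-DnsServerZone -ComputerName $domain.PDCEmulator |
        Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        ForEach-Object { Add-Finding 'Unsecured DNS zone' $_.ZoneName "DynamicUpdate=$($_.DynamicUpdate)" }
}

$findings | Format-Table -AutoSize -Wrap
```

An empty table is the goal. Each row names the object to fix: disable the Spooler service on DCs, set the machine account quota to 0, clear the seventh dSHeuristics character, finish the DFSR migration, and switch affected zones to secure-only dynamic updates.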
2. Improper separation of user/administrator privilege
Inadequate privilege separation is a pervasive issue in many IT environments. This practice often leads to the granting of administrative rights to users who do not require them for daily tasks—a violation of the principle of least privilege.
Users are typically granted administrative privileges by being placed in privileged groups (like Domain Admins in Active Directory) or by being granted local administrator access on their workstations. The culprits vary:
- Legacy access models
- Convenience
- Poor access controls
- Oversight
The issue is exacerbated by granting persistent privileges rather than granting privileges conditionally, as needed.
Identity security risks
This misconfiguration makes the entire network vulnerable. Users with administrative privileges can make broad changes to Active Directory, affecting group policies, security settings, and other critical infrastructure components.
Entra ID faces similar risks. In addition, integrated SaaS applications and cloud-based resources could be compromised.
Indicators of exposure and indicators of compromise
In Purple Knight and Directory Services Protector, the following indicators can alert you to improper separation of privileges:
- Built-in domain Administrator account used within the last two weeks. Pay careful attention to this indicator, as it might flag a compromised user.
- Changes to privileged group membership in the last 7 days. This indicator can flag an attempt to escalate privilege.
- Computer accounts in privileged groups. If a computer account is a member of a domain privileged group, anyone who compromises the computer account can act as a member of that group.
- Enabled admin accounts that are inactive. Attackers who compromise these accounts can then operate unnoticed.
- Ephemeral Admins. Such short-lived accounts might indicate malicious activity.
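As an added example of how these five indicators can be checked with the built-in tooling, here is a PowerShell script of my own. It is not Semperis code and the products do not necessarily use these exact queries. It assumes the ActiveDirectory RSAT module and read access to the domain; the 14-day, 7-day and 90-day windows are my choices, and “ephemeral admins” is interpreted here as privileged group memberships that were both added and removed within the window.

```powershell
# Added example (not Semperis code): check a domain for the privilege-separation
# indicators listed above. Assumes the ActiveDirectory RSAT module and read access
# to the domain. Thresholds (14, 7 and 90 days) are the author's choices.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$dc       = $domain.PDCEmulator
$now      = Get-Date
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Check, [string]$Target, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Target = $Target; Detail = $Detail })
}

# Privileged groups by well-known SID: Domain Admins (-512), Schema Admins (-518),
# Enterprise Admins (-519, forest root only), plus the built-in Administrators (544),
# Account (548), Server (549), Print (550) and Backup (551) Operators groups.
$groupSids = @("$($domain.DomainSID)-512", "$($domain.DomainSID)-518", "$($domain.DomainSID)-519",
               'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550', 'S-1-5-32-551')
$groups = foreach ($sid in $groupSids) {
    try { Get-ADGroup -Identity $sid -Server $dc } catch { }   # -519 is absent in child domains
}

# 1. Built-in Administrator (RID 500) used in the last two weeks. LastLogonDate is derived
#    from lastLogonTimestamp, which replicates with up to 14 days of lag, so it is a floor.
$builtin = Get-ADUser -Identity "$($domain.DomainSID)-500" -Server $dc -Properties LastLogonDate
if ($builtin.LastLogonDate -and $builtin.LastLogonDate -gt $now.AddDays(-14)) {
    Add-Finding 'Built-in Administrator used' $builtin.SamAccountName "LastLogonDate=$($builtin.LastLogonDate)"
}

foreach ($g in $groups) {
    # 2. Membership changes in the last 7 days and 5. ephemeral admins. The replication
    #    metadata of 'member' keeps one entry per linked value, including values that were
    #    later removed (those carry a LastOriginatingDeleteTime).
    Get-ADReplicationAttributeMetadata -Object $g.DistinguishedName -Server $dc -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' -and $_.LastOriginatingChangeTime -gt $now.AddDays(-7) } |
        ForEach-Object {
            if ($_.LastOriginatingDeleteTime) {
                Add-Finding 'Ephemeral admin (added then removed)' $g.Name "$($_.AttributeValue) removed $($_.LastOriginatingDeleteTime), version $($_.Version)"
            } else {
                Add-Finding 'Privileged membership change' $g.Name "$($_.AttributeValue) changed $($_.LastOriginatingChangeTime)"
            }
        }

    # 3. Computer accounts that are members of a privileged group, directly or via nesting.
    Get-ADGroupMember -Identity $g -Server $dc -Recursive |
        Where-Object objectClass -eq 'computer' |
        ForEach-Object { Add-Finding 'Computer in privileged group' $g.Name $_.DistinguishedName }
}

# 4. Enabled admin accounts with no logon in 90 days (or ever). adminCount=1 is stamped by
#    SDProp on members of protected groups and is not cleared when they leave, so treat
#    hits as a review list rather than a delete list.
Get-ADUser -Server $dc -Filter 'adminCount -eq 1 -and Enabled -eq $true' -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $now.AddDays(-90) } |
    ForEach-Object { Add-Finding 'Inactive enabled admin' $_.SamAccountName "LastLogonDate=$($_.LastLogonDate)" }

$findings | Sort-Object Check | Format-Table -AutoSize -Wrap
```

Querying the PDC emulator for the replication metadata keeps the results consistent; the deleted-link entries that drive the ephemeral-admin check only survive for the deleted-object lifetime, so this is a point-in-time view, which is exactly the gap continuous monitoring closes.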
3. Insufficient internal network monitoring
This misconfiguration is a critical oversight. It can leave your organization vulnerable to undetected intrusions, insider threats, and malicious activities.
Insufficient internal network monitoring can stem from several issues:
- A lack of proper tools
- Insufficient coverage of network traffic
- Inadequate alerting mechanisms
- An absence of a dedicated team to analyze monitoring data
Many organizations focus on perimeter defense, while internal traffic is neglected on the assumption that the internal network is secure. This oversight is problematic: once an attacker breaches the perimeter, they can often move laterally with little resistance or detection.
Specifically, critical internal assets such as Active Directory, which acts as the backbone for authentication and authorization in Windows-based environments, are high-value targets. A lack of robust Active Directory monitoring can leave your organization blind to internal anomalies that signal a breach or unauthorized activities.
Identity security risks
In an Active Directory context, this misconfiguration can lead to missed indicators of compromise, including:
- Unusual login attempts
- Changes to group policies
- The creation of privileged accounts
In Entra ID, insufficient monitoring can lead to the failure to catch:
- Abnormal sign-in activities
- Unauthorized access to cloud resources
- Irregular usage patterns
These risks can lead to data breaches, disruption of services, and significant operational and reputational damage.
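To show what catching the three Active Directory indicators of compromise above looks like in practice, here is an added PowerShell script that reads them from the Security log of each domain controller. It is my own example, not Semperis code. It assumes the ActiveDirectory RSAT module, remote event-log access to the DCs, and that the DCs audit account management, logon failures and directory service changes (event 5136 also needs a SACL on the Group Policy container); the 24-hour window and the failure threshold are my choices.

```powershell
# Added example (not Semperis code): pull the Active Directory indicators of compromise
# listed above from the Security log of every DC for the last 24 hours.
# Assumes the ActiveDirectory RSAT module, remote event-log access to the DCs, and that
# account management, logon failures and directory service changes are audited.
Import-Module ActiveDirectory

$since     = (Get-Date).AddHours(-24)
$threshold = 10   # failed logons per account before it is reported (author's choice)
$dcs       = (Get-ADDomainController -Filter *).HostName

# Security event IDs used:
#   4625 failed logon, 4771 Kerberos pre-authentication failed   -> unusual login attempts
#   5136 directory service object modified                        -> changes to group policies
#   4720 user account created; 4728/4732/4756 member added to a
#   global/local/universal security group                         -> new privileged accounts
$ids = 4625, 4771, 5136, 4720, 4728, 4732, 4756

function Get-EventField {
    # Return the named <Data> field from a Security event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since }
}

$report = @(
    # 1. Unusual login attempts: accounts with many failures, and where they came from.
    $events | Where-Object { $_.Id -in 4625, 4771 } |
        ForEach-Object {
            [pscustomobject]@{ Account = Get-EventField $_ 'TargetUserName'; Source = Get-EventField $_ 'IpAddress' }
        } |
        Group-Object Account | Where-Object Count -ge $threshold |
        ForEach-Object {
            [pscustomobject]@{
                Indicator = 'Repeated failed logons'
                Subject   = $_.Name
                Detail    = "$($_.Count) failures from $(($_.Group.Source | Sort-Object -Unique) -join ', ')"
            }
        }

    # 2. Changes to group policies: 5136 events whose object class is groupPolicyContainer.
    $events | Where-Object { $_.Id -eq 5136 -and (Get-EventField $_ 'ObjectClass') -eq 'groupPolicyContainer' } |
        ForEach-Object {
            [pscustomobject]@{
                Indicator = 'GPO modified'
                Subject   = Get-EventField $_ 'SubjectUserName'
                Detail    = "$(Get-EventField $_ 'ObjectDN') attribute $(Get-EventField $_ 'AttributeLDAPDisplayName')"
            }
        }

    # 3. Creation of privileged accounts: an account created (4720) and then added to a
    #    security group (4728/4732/4756) in the same window, correlated on the account SID.
    $createdSids = $events | Where-Object Id -eq 4720 | ForEach-Object { Get-EventField $_ 'TargetSid' }
    $events | Where-Object { $_.Id -in 4728, 4732, 4756 } |
        ForEach-Object {
            if ($createdSids -contains (Get-EventField $_ 'MemberSid')) {
                [pscustomobject]@{
                    Indicator = 'New account added to group'
                    Subject   = Get-EventField $_ 'SubjectUserName'
                    Detail    = "$(Get-EventField $_ 'MemberName') -> $(Get-EventField $_ 'TargetUserName')"
                }
            }
        }
)

$report | Format-Table -AutoSize -Wrap
```

The script is a one-off sweep; the same event IDs are what a SIEM or a continuous monitoring tool would alert on, and the point of the section above is that without such monitoring these events are written to the DCs and never read.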
Indicators of exposure and indicators of compromise
Semperis focuses on evaluating and enhancing the security posture of on-premises Active Directory and Entra ID, rather than on monitoring network traffic. Our core objective is to provide insights into the dynamics within a hybrid Active Directory environment, identifying:
- Which modifications are being made
- Who is initiating changes
- The nature of user activities
Purple Knight conducts a point-in-time assessment of the hybrid Active Directory environment. The tool then provides a prioritized list of security indicators and actionable remediation guidance.
Directory Services Protector conducts ongoing surveillance of critical identity components such as Group Policy Objects (GPOs) and access permissions. By continuously monitoring your Active Directory security stance, you can ascertain whether your security posture is improving or degrading. You can also configure automated rollback of suspicious changes as well as custom triggers and alerts.
Don’t delay—audit Active Directory today
That’s it for this post. The next post in this series covers the Active Directory implications of the next four items in the CISA and NSA top ten cybersecurity misconfigurations list. In the meantime, why not download Purple Knight—it’s free—and see whether your organization is at risk from the indicators discussed this week.