Active Directory is one of the most important components of your network. Yet protecting Active Directory can be one of the most challenging tasks on your to-do list.
The problem is that AD changes so often and on such a large scale that it’s effectively immune to ordinary change management. It’s also something of a study in contrast: You need the flexibility to change AD quickly, but even a small change can have organization-wide ramifications. Finally, as AD continues to evolve, bad actors are constantly discovering new attack paths.
If attackers know what they’re looking for, AD is an open book. Once attackers have the lay of the land, it’s just a matter of using that information to move around the network. What can you do to prevent such attacks?
1. Understand the Active Directory attack cycle
If you are attacked, Active Directory will be part of that kill chain. In some cases, it’s even the first target for threat actors because of its importance in most organizations. With the majority of midsize to large enterprises currently running AD, that’s unlikely to change anytime soon.
Although bad actors can launch many types of attacks, they typically use AD for reconnaissance. Once attackers get into the system, they’ll look for anything they can use to further their goals. People of interest, systems of interest, misconfigurations—it’s all visible, making it easy for attackers to speed their transit time through the network.
2. Look beyond admin privilege escalation
A lot of people make the mistake of treating domain administrator accounts as the goal. Smart attackers, however, know that plenty of valuable non-administrative accounts are available. A service-level user who has access to a database that contains personally identifiable information may be just as interesting to an attacker as a domain admin account.
In this regard, a domain admin account is really just a brass ring for gaining access to valuable assets. It’s the easiest way to steal credentials and exfiltrate data, but it’s far from the only way.
3. Think like an attacker when protecting Active Directory
A mistaken idea exists that attacks such as ransomware are automated, operating on a predefined playbook without much human intelligence behind them. This view is inaccurate. Attackers actually spend a great deal of time studying the environment, looking for certain patterns and configuration flags, such as privileged groups or important resources attached to known organizational units (OUs).
They aren’t just trying to build automated bots for the sake of destruction. They’re actively executing scripts to look for vulnerabilities and making intelligent assumptions on how shops operate their Active Directory environment. The result of all this effort is the proliferation of tooling that makes attacks easier to execute than ever.
4. Make life more difficult for threat actors
There are plenty of stories about highly sophisticated attacks like SolarWinds. Certainly, nation-state threat actors with this level of sophistication exist, but most ransomware gangs aren’t that advanced. The likelihood that you’ll suffer an advanced attack rather than being targeted by an opportunist is quite low.
Most bread-and-butter ransomware gangs, especially those that are buying ransomware as a service (RaaS), are looking to make a quick buck. They’re using basic commands, exploiting known vulnerabilities and “lay of the land” tools, and using simple attack paths to collect information. It follows that they don’t want to work hard.
That’s why you must make them work hard. Lure them into honeypots that force them to make detectable mistakes. Give them false targets and implement defenses that make it difficult for them to move laterally.
At some point, many will decide that you aren’t worth the effort and move on.
5. Work around AD’s open-book nature
A common piece of security advice for Active Directory is to deny read access to certain privileged groups. Unfortunately, that doesn’t really work for most organizations. AD was designed many years ago to be an open book to legitimate users, and every unit installed has read access on pretty much everything out of the box.
It’s extremely difficult to turn that off without breaking something. You have to face the reality that if an attacker gets into your network and mimics a legitimate user, that attacker will be able to see what’s going on. Instead of trying to restrict visibility and prevent reconnaissance, therefore, obfuscate the network through just-in-time provisioning and renamed OUs.
6. Consider using something other than Group Policy (sometimes)
Within Active Directory, Group Policy objects (GPOs) are generally used for security hardening. Realistically, the only things that need to read GPOs are domain computers. Authenticated users don’t generally need access. And by restricting users’ access, you can reduce the visibility of your hardening posture to attackers.
Another option is to use nonstandard technologies instead of GPOs. Every attacker looks at the default domain policy to determine how you set your password policy. If you use a fine-grained password policy instead, the attacker won’t know where to look.
7. Clean up your access hygiene
All the standard advice for passwords applies to Active Directory. Create complex passwords, store them in an air-gapped vault, and rotate those passwords regularly. If your goal is security, incorporate a few additional best practices, as well:
- Group Policy preferences passwords should not exist anywhere in your SYSVOL. All they’re good for is helping attackers.
- Treat any account that has service principal names defined as highly privileged, and secure it accordingly.
- Move to group service–managed accounts. If that isn’t possible, make sure that service accounts are not privileged.
8. Use tiering and least privilege
Least privilege is one of the most important principles, where Active Directory is concerned. No account should have access to anything that isn’t absolutely necessary for its functionality. To that end, be aware that vendors don’t always know what their accounts need.
Beyond that, I strongly advise implementing a rigid “tier zero” model in which anyone who’s a domain controller admin can sign in to domain controller machines. It should go without saying that this requires you to disable unconstrained delegation and constrain account creation. Ideally, use Kerberos only for delegation in this model.
9. Disable NTLM
By and large, New Technology Lan Manager (NTLM) is the root of all evil within Windows and Active Directory. For example, the recently discovered DFSCoerce is a Windows NTLM attack.
Disabling NTLM won’t rid you of all your problems, but it will address many of them. However, most organizations are reluctant to disable NTLM; they’re scared of what they might break. You can start by enabling auditing within Group Policy on your domain controllers to gain insight into how much NTLM activity happens in the domain environment.
The more of it you can disable, the closer you’ll be to protecting Active Directory.
Get practical when protecting Active Directory
If you’d like to explore these tips in more detail, dive in to my HIP Conference presentation, Practical Tips for Protecting Active Directory, available on demand. Then put these strategies into action—the sooner, the better.