Protecting Active Directory (AD) is a critical focus for security teams. Bad actors frequently target AD because it sits at the centre of so many sensitive functions, including authentication, credential management and network access. Users, applications, IoT devices and other vital network connections rely on AD every time they access an enterprise’s systems.
Attacks typically follow the same fundamental steps:
The 2018 healthcare.gov attack is one real-world example of a severe AD breach. Using stolen credentials, attackers were able to log into the database undetected and expose over 75,000 files containing personally identifiable information (PII).
AD attacks often hinge upon the weakest link in every security system: the human element. Phishing schemes, in particular, have become worryingly effective. Bad actors posing as prominent executives or representatives of well-regarded partners like financial institutions routinely convince unwitting employees to willingly hand over vital information. Cybercriminals have persuaded employees to:
To protect your organization, it is crucial to establish, communicate and enforce the following best practices around AD.
Securing domain controllers is an integral step of Active Directory security. A domain controller (DC) is a server that responds to verification requests and authenticates logins by checking usernames, passwords and other credentials against stored data.
The domain controller is the primary target for cybercriminals because it holds the identity and network information an attacker can use to steal data and cause enterprise-wide damage.
Microsoft Active Directory allows you to define fine-grained password policies that control account lockout settings and password criteria such as minimum password length, on top of the domain-wide password policy that applies to all users in an Active Directory managed domain.
One way you can use password policy to better secure your network is to apply stricter account lockout settings to privileged accounts. That way, users who have access to valuable data and critical applications must go through a more rigorous process to regain access if their accounts become locked out.
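The stricter-lockout-for-privileged-accounts approach described above, as an added example that is not part of the original article: it creates a fine-grained password policy (PSO) and binds it to an admin group, assuming the RSAT ActiveDirectory module and placeholder names 'Tier0-Admins' and 'adm-jdoe'.

```powershell
# Added example (not from the original article): a fine-grained password policy (PSO)
# that applies stricter lockout and length rules only to privileged accounts.
# Assumes the RSAT ActiveDirectory module and a security group 'Tier0-Admins'
# (placeholder name) that contains the administrative accounts.
Import-Module ActiveDirectory

# Baseline that applies to every user in the domain, for comparison.
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, LockoutThreshold,
    LockoutDuration, LockoutObservationWindow, MaxPasswordAge

# Stricter settings for the privileged group. A lower Precedence wins when a user
# is covered by more than one PSO, so keep the number small for the admin policy.
$pso = @{
    Name                            = 'PSO-PrivilegedAccounts'
    Precedence                      = 10
    MinPasswordLength               = 15
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    PasswordHistoryCount            = 24
    MinPasswordAge                  = '1.00:00:00'    # one day
    MaxPasswordAge                  = '90.00:00:00'   # ninety days
    LockoutThreshold                = 5               # failed logons before lockout
    LockoutObservationWindow        = '00:30:00'      # counter reset window (30 minutes)
    LockoutDuration                 = '1.00:00:00'    # must be >= the observation window
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso

# Bind the PSO to the admin group; members inherit it immediately.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Tier0-Admins'

# Check: confirm which policy actually wins for a given admin account (placeholder user).
# Returns nothing if only the default domain policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'adm-jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

PSOs require a domain functional level of Windows Server 2008 or later; the resultant-policy check at the end is the one to run after any change, since a user in several groups may be getting a different PSO than you expect.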
Follow these NIST password guidelines:
All too often, organizations create a generic local admin user ID with the same password on each machine. This approach increases the organization’s exposure: bad actors who compromise one machine can reuse that password to attack every other machine. A local administrator password solution (LAPS) mitigates this risk by forcing each device to have a different, regularly rotated local admin password.
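One way to put the LAPS control above in place, as an added example rather than the article's own material: it uses the Windows LAPS PowerShell module to enable per-computer passwords for an OU and then audits who can read them, assuming the placeholder OU, group and computer names shown.

```powershell
# Added example (not from the original article): deploy Windows LAPS so that every
# domain-joined computer in an OU gets its own rotating local administrator password,
# then audit who is allowed to read those passwords. Assumes the LAPS module that
# ships with current Windows Server / Windows 11 and the placeholder names below.
Import-Module LAPS

$ou      = 'OU=Workstations,DC=example,DC=com'   # placeholder OU distinguished name
$readers = 'LAPS-Password-Readers'               # placeholder security group

# One-time: extend the schema with the Windows LAPS attributes (Schema Admins needed).
Update-LapsADSchema

# Let each computer in the OU write its own password and expiry time to its AD object.
Set-LapsADComputerSelfPermission -Identity $ou

# Grant read access only to the designated group, never to broad groups such as
# Authenticated Users; a shared password readable by everyone recreates the problem.
Set-LapsADReadPasswordPermission -Identity $ou -AllowedPrincipals $readers

# Check: list every principal that holds extended rights to read passwords in the OU.
# Anything unexpected here is a weak link and should be removed.
Find-LapsADExtendedRights -Identity $ou

# Retrieve the current password for one machine (placeholder name); each read is
# an auditable directory access, so fetch it only when actually needed.
Get-LapsADPassword -Identity 'WS-001' -AsPlainText
```

The rotation policy itself (password length, maximum age and whether passwords are backed up to AD or Entra ID) is set through the LAPS Group Policy or CSP settings, not through these cmdlets.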
Group Policy is a tool for enforcing a consistent and secure setup across multiple devices. However, Group Policy tends to be tangled and messy; some organizations even have Group Policy settings that are mutually exclusive. To avoid this weak link in your security posture, you need to have visibility into your Group Policy structure and changes. Best practices can be grouped into those for security groups and those for roles and accounts.
Security groups are the recommended way to control access to resources and enforce a least privilege model. Instead of assigning access rights to individuals one by one, you assign permissions to security groups and then make each user a member of the appropriate groups.
Best Practices for All Accounts
Additional Best Practices for Administrative and Other Powerful Accounts
Naturally, attackers are particularly interested in gaining access to accounts that have administrative privileges or access to sensitive data, such as customer records or intellectual property. Therefore, it’s critical to be especially vigilant about these powerful accounts. Best practices include the following:
Active Directory is a busy place. To spot attacks, it’s essential to know what to look for in all the event data. Here are the top five things to monitor:
Be on the lookout for unusual modifications to an AD user account. Consider investing in a tool that can help you answer the following questions:
Domain admins should always follow established best practices when resetting user credentials. A robust monitoring tool helps answer questions like:
Unexpected changes to security group membership can indicate malicious activity, such as privilege escalation or other insider threats. You need to know:
Attempts by a single user to log on from different endpoints are often a sign that someone has taken control of their account, or is trying to. It is vital to flag and investigate this activity to find out:
A single improper change to Group Policy can dramatically increase your risk of a breach or other security incident. Using a tool to monitor this activity will make it easy to answer pressing questions like:
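The five monitoring questions above, worked as one added example that is not part of the original article: a script that pulls the relevant Security events from a domain controller and surfaces the cases worth investigating. It assumes it runs on a DC with auditing enabled for account management, directory service changes and Kerberos authentication.

```powershell
# Added example (not from the original article): review the five activity types the
# article lists using a domain controller's Security log. Assumes account management,
# directory service change and Kerberos auditing are enabled and the script runs on a DC.
$since = (Get-Date).AddHours(-24)

# Event IDs: 4738 user account changed, 4724 password reset attempt,
# 4728/4732/4756 member added to a global/local/universal security group,
# 5136 directory object modified (GPO edits land here), 4768 Kerberos TGT requested.
$ids = 4738, 4724, 4728, 4732, 4756, 5136, 4768
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue

# Helper: read a named EventData field from the event's XML payload.
function Get-EventField($evt, $name) {
    $x = [xml]$evt.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

# 1-2. Account changes and password resets: who changed whose account, and when.
$events | Where-Object Id -in @(4738, 4724) | ForEach-Object {
    [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id
        Actor = Get-EventField $_ 'SubjectUserName'; Target = Get-EventField $_ 'TargetUserName' }
} | Format-Table -AutoSize

# 3. Security group membership additions, with privileged groups sorted to the top.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$events | Where-Object Id -in @(4728, 4732, 4756) | ForEach-Object {
    $group = Get-EventField $_ 'TargetUserName'      # for these IDs the group is the target
    [pscustomobject]@{ Time = $_.TimeCreated; Group = $group
        Member = Get-EventField $_ 'MemberName'; Actor = Get-EventField $_ 'SubjectUserName'
        Privileged = $privileged -contains $group }
} | Sort-Object Privileged -Descending | Format-Table -AutoSize

# 4. One account requesting Kerberos tickets from more than one client address.
$events | Where-Object Id -eq 4768 | Group-Object { Get-EventField $_ 'TargetUserName' } |
    ForEach-Object {
        $ips = $_.Group | ForEach-Object { Get-EventField $_ 'IpAddress' } | Sort-Object -Unique
        if ($ips.Count -gt 1) { [pscustomobject]@{ User = $_.Name; Endpoints = $ips -join ', ' } }
    } | Format-Table -AutoSize

# 5. Group Policy changes: 5136 events on objects under the Policies container.
$events | Where-Object Id -eq 5136 | ForEach-Object {
    $dn = Get-EventField $_ 'ObjectDN'
    if ($dn -like '*CN=Policies,CN=System,*') {
        [pscustomobject]@{ Time = $_.TimeCreated; Actor = Get-EventField $_ 'SubjectUserName'
            Object = $dn; Attribute = Get-EventField $_ 'AttributeLDAPDisplayName' }
    }
} | Format-Table -AutoSize
```

Each domain controller keeps its own Security log, so run this against every DC (or forward the events to a central collector) rather than trusting one server's view.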
The Active Directory security best practices laid out here are essential to strengthening your security posture. Careful management of activities across the entire network that affect AD security will enable you to reduce your attack surface and to promptly detect and respond to threats, dramatically reducing your risk of suffering a disastrous security incident.