Active Directory Security Best Practices
Protecting Active Directory (AD) is a critical focus for security teams. Bad actors frequently target AD because it is central to so many critical functions, including authentication, authorization and network access. Your users, applications, services and IoT devices use AD every time they access your enterprise systems.
The 2018 healthcare.gov attack is one real-world example of a severe AD breach. Using stolen credentials, attackers were able to log into a database undetected and expose over 75,000 files containing personally identifiable information (PII).
Defending your organization starts with understanding how attacks unfold. They typically follow the same fundamental steps:
- Steal the credentials of a legitimate AD account, or take advantage of weak or re-used passwords.
- Log into systems using those credentials.
- Spy on AD to uncover valuable information about vulnerable users, servers and computers.
- Move laterally to escalate their privileges, steal data, sabotage systems or commit other cybercrimes.
In other words, AD attacks often hinge upon the weakest link in every security system: the human element. Phishing schemes, in particular, have become worryingly effective. Bad actors posing as representatives of well-regarded partners like financial institutions routinely convince unwitting employees to willingly hand over vital information. Cybercriminals have persuaded employees to:
- Transfer money into bogus accounts
- Share login credentials over the phone
- Escalate access privileges
- Share private personal data (PPD)
To protect your organization, it is crucial to establish, communicate and enforce the following Active Directory security best practices.
Secure Your Domain Controllers
A domain controller (DC) is a server that authenticates users by checking their usernames, passwords and other credentials against stored data, and also authorizes (or denies) requests to access various IT resources.
DCs are a primary target for cybercriminals because they store and process information that hackers can use to steal data and cause enterprise-wide damage.
- Ensure the physical security of domain controllers.
- Limit the software and roles installed on domain controllers.
- Standardize DC configuration. For example, use build automation through deployment tools such as System Center Configuration Manager.
Establish a Robust Password Policy
Microsoft Active Directory allows you to define fine-grained password policies that control factors like password length and complexity requirements.
One way to use password policy to better secure your network is to apply stricter account lockout settings to accounts that have access to valuable data and critical applications. That way, an attacker who attempts to compromise an admin account is locked out after just a few failed attempts, while a regular user who mistypes their password a few times is not locked out and does not need a password reset before getting back to work.
Follow these NIST password guidelines:
- Passwords should contain at least eight characters when set by a human and six characters when set by an automated system or service.
- Using one strong password is more effective than regularly updating weak passwords.
- Avoid complexity requirements that are not user-friendly, since they can lead to users creating weak passwords or storing their passwords in a non-secure way (such as on a sticky note on their desk).
- Monitor administrative password resets. Unusual password reset activity can signal a compromise of the administrator account.
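The tiered lockout approach described above maps directly onto fine-grained password policies (password settings objects, or PSOs). The following is an added example, not code from the original article: it creates a strict PSO for privileged accounts and a lenient one for everyone else, then checks which policy actually wins for a given user. It assumes the ActiveDirectory PowerShell module, a Domain Admin caller, and a domain functional level of Windows Server 2008 or later; the group name Tier0-Admins, the user jdoe, the 15-character privileged minimum and the lockout numbers are illustrative choices.

```powershell
# Added example (not from the original article): two fine-grained password
# policies implementing the tiered lockout idea from the text.
# Assumptions: ActiveDirectory module installed, caller is a Domain Admin,
# domain functional level >= Windows Server 2008. 'Tier0-Admins' and 'jdoe'
# are hypothetical names; 'Domain Admins' and 'Domain Users' are built in.
Import-Module ActiveDirectory

# Privileged accounts: lock after 3 failures within 30 minutes and stay locked
# for a day so an administrator has to look at it. Lower Precedence wins when
# a user is covered by more than one PSO (admins are also Domain Users), so
# this policy takes priority over the user tier below.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Privileged' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Hours 24)

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Privileged' `
    -Subjects 'Domain Admins', 'Tier0-Admins'

# Regular users: the NIST-style settings from the list above (8-character
# minimum, no composition rules) and a lenient lockout so a few typos do not
# turn into a help-desk ticket.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Users' -Precedence 100 `
    -MinPasswordLength 8 -ComplexityEnabled $false -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutDuration (New-TimeSpan -Minutes 15)

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Users' -Subjects 'Domain Users'

# Verify which policy actually applies to one account (the resultant PSO).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration

# Inventory every PSO in the domain and the principals it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, AppliesTo
```

Run the two verification commands after any PSO change: a privileged user who resolves to PSO-Users (or to the Default Domain Policy) means the subject assignment or precedence is wrong, and the lenient lockout is protecting the account you most wanted locked down.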
Use a Local Administrator Password Solution
All too often, organizations create a generic local admin user ID with the same password on every machine. This approach increases the organization's risk: bad actors who compromise one machine can easily attack every machine. A local administrator password solution (LAPS) mitigates this risk by ensuring that each device has a different local admin password.
- Do not run the LAPS client-side extension (CSE) on domain controllers.
- Do not use additional local admin passwords on domain-joined devices.
- Do not use Group Policy to set local administrator passwords.
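A LAPS rollout is only as good as its coverage, and the first bullet above (no LAPS client on domain controllers) is easy to verify from the directory itself. The following is an added example, not code from the original article, that reports computers with no managed local admin password, computers whose rotation has lapsed, and any domain controller that has a LAPS password stored. It assumes Windows LAPS (the version built into Windows) with its AD schema extension, where the client writes msLAPS-PasswordExpirationTime on the computer object; legacy Microsoft LAPS uses ms-Mcs-AdmPwdExpirationTime instead, which is the only change needed for that deployment.

```powershell
# Added example (not from the original article): LAPS coverage check.
# Assumption: Windows LAPS with the AD schema extended; swap $attr for
# 'ms-Mcs-AdmPwdExpirationTime' if you run the legacy LAPS product.
Import-Module ActiveDirectory

$attr = 'msLAPS-PasswordExpirationTime'   # FILETIME (Int64) written by the LAPS client
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties $attr, OperatingSystem, DistinguishedName

$isDc = { $_.DistinguishedName -like '*,OU=Domain Controllers,*' }
$dcs     = $computers | Where-Object $isDc
$members = $computers | Where-Object { -not (& $isDc) }

# Domain controllers must not run the LAPS client: a DC with an expiry value
# set means the CSE is active there and should be investigated.
$dcsWithLaps = $dcs | Where-Object { $_.$attr }

# Member machines with no expiry value have never stored a LAPS password and
# are still candidates for a shared local administrator password.
$notEnrolled = $members | Where-Object { -not $_.$attr }

# An expiry in the past means the client has not rotated the password on
# schedule (offline machine, broken policy, or CSE removed).
$nowFileTime = [DateTime]::UtcNow.ToFileTimeUtc()
$expired = $members | Where-Object { $_.$attr -and [int64]$_.$attr -lt $nowFileTime }

[pscustomobject]@{
    TotalEnabledComputers = $computers.Count
    MembersNotEnrolled    = @($notEnrolled).Count
    MembersExpired        = @($expired).Count
    DomainControllersWithLaps = @($dcsWithLaps).Count
} | Format-List

# Detail lists for follow-up; the DC list should always be empty.
$dcsWithLaps | Select-Object Name, DistinguishedName
$notEnrolled | Select-Object Name, OperatingSystem, DistinguishedName
$expired     | Select-Object Name, @{ n = 'ExpiredAt'; e = { [DateTime]::FromFileTimeUtc($_.$attr) } }
```

The query only needs read access to computer objects, so it can run under a low-privilege reporting account on a schedule; reading the passwords themselves is a separate, tightly delegated permission and is deliberately not touched here.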
Enable Visibility into Group Policy
Group Policy is a tool for enforcing a consistent and secure setup across multiple devices. However, Group Policy tends to be tangled and messy; some organizations even have Group Policy settings that are mutually exclusive. To avoid this weak link in your security posture, you need to have visibility into your Group Policy structure and changes.
Group Policy best practices can be grouped into those for security groups and those for roles and accounts:
Security groups are the recommended way to control access to resources and enforce a least-privilege model. Instead of assigning access rights to individuals one by one, you assign permissions to security groups and then make each user a member of the appropriate groups.
- Closely monitor changes to the membership of security groups, especially groups that have permissions to access, modify or remove sensitive data.
- Have data owners regularly review security group membership to ensure that only the right users are members of each group.
Best Practices for All Accounts
- Do not assign privileges directly to user accounts; use security groups.
- Rigorously follow a least privilege model, giving each user only the minimum permissions they need to complete their tasks.
- Establish a delegation model that follows best practices.
- Immediately disable accounts for employees who leave the organization.
- Monitor inactive accounts and disable them if necessary.
- Create guest accounts with minimum privileges.
- Monitor for unauthorized modifications to AD accounts.
Additional Best Practices for Administrative and Other Powerful Accounts
Naturally, attackers are particularly interested in gaining access to accounts that have administrative privileges or access to sensitive data, such as customer records or intellectual property. Therefore, it’s critical to be especially vigilant about these powerful accounts.
Best practices for domain administrator accounts and other privileged accounts include the following:
- Train admins to use their administrative accounts only when absolutely necessary to reduce the risk of credential theft.
- Ideally, implement a privileged account management (PAM) solution. If that is not possible, keep only the default domain admin in the Domain Admins group and place other accounts in that group only temporarily, until they have completed their work.
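The recurring reviews recommended in the security-group bullets (data owners checking membership), the account bullets (finding inactive accounts) and the privileged-account bullet just above (keeping Domain Admins nearly empty) can all be produced by one scheduled report. The following is an added example, not code from the original article: it expands a set of privileged groups recursively so nested members are not missed, flags whether each membership is direct or inherited, and lists enabled accounts that have not logged on for a configurable period. It assumes the ActiveDirectory module and a read-only reporting account; the group list and the 90-day threshold are illustrative choices.

```powershell
# Added example (not from the original article): privileged group review and
# stale-account report. Assumes the ActiveDirectory module; group list and
# 90-day inactivity window are illustrative.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

function Get-PrivilegedMembershipReport {
    foreach ($group in $privilegedGroups) {
        # Direct members, so nested (inherited) membership can be told apart.
        $direct = Get-ADGroupMember -Identity $group -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty DistinguishedName
        # Recursive expansion catches users who got in via a nested group.
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.DistinguishedName `
                         -Properties LastLogonDate, PasswordLastSet, Enabled
                [pscustomobject]@{
                    Group           = $group
                    User            = $u.SamAccountName
                    Enabled         = $u.Enabled
                    DirectMember    = ($direct -contains $u.DistinguishedName)
                    LastLogon       = $u.LastLogonDate
                    PasswordLastSet = $u.PasswordLastSet
                }
            }
    }
}

# Enabled user accounts with no logon in the last $Days days.
function Get-StaleAccounts([int]$Days = 90) {
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($Days)) -UsersOnly |
        Where-Object Enabled |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# Export for the data owners' review; the Domain Admins rows should be a
# very short list, and any row with Enabled = $false is cleanup work.
Get-PrivilegedMembershipReport |
    Sort-Object Group, User |
    Export-Csv -NoTypeInformation -Path .\privileged-groups.csv

# Review first, then disable. Drop -WhatIf once the list has been confirmed.
Get-StaleAccounts -Days 90 | Tee-Object -FilePath .\stale-accounts.txt |
    Disable-ADAccount -WhatIf
```

Keeping the previous CSV and diffing it against the new one turns the report into a change log: a user who appears in Domain Admins this month but not last month is either a temporary elevation that was never reverted or something that needs an incident ticket.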
Monitor Active Directory for Signs of Compromise
Active Directory is a busy place. To spot attacks, it’s essential to know what to look for in all the event data. Here are the top five things to monitor:
User Account Changes
Be on the lookout for unusual modifications to an AD user account. Consider investing in a tool that can help you answer the following questions:
- What changes were made to which user accounts?
- Who performed each change?
- When did the change happen?
- Where was the change made from?
Password Resets by Administrators
Domain admins should always follow established best practices when resetting user credentials. A robust monitoring tool helps answer questions like:
- Which user accounts had their passwords reset?
- Who reset each password?
- When did the reset happen?
- Where did the admin reset the password?
Changes to Security Group Membership
Unexpected changes to security group membership can indicate malicious activity, such as privilege escalation or other insider threats. You need to know:
- Who was added or removed?
- Who made the change?
- When did the change happen?
- Where was the security group change made?
Logon Attempts by a Single User from Multiple Endpoints
Logon attempts by a single user from several different endpoints are often a sign that someone has taken control of their account, or is trying to. It is vital to flag and investigate this activity to find out:
- Which account attempted to log on from multiple endpoints?
- What were those endpoints?
- How many attempts were made from each endpoint?
- When did the suspicious activity begin?
Changes to Group Policy
A single improper change to Group Policy can dramatically increase your risk of a breach or other security incident. Using a tool to monitor this activity will make it easy to answer pressing questions like:
- What changes have been made to Group Policy?
- Who performed each change?
- When was each change made?
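Each of the five monitoring areas above corresponds to a small set of Windows Security event IDs, and the who/what/when questions map onto named fields in those events. The following is an added example, not code from the original article or from any product the article alludes to: a baseline sweep over a domain controller's Security log that answers those questions for the last 24 hours and flags accounts logging on from several source addresses. It assumes the Account Management, Logon and Directory Service Changes audit subcategories are enabled on the DC; the time window and the endpoint threshold are illustrative, and "RecordedOn" is the DC that logged the event, since account-management events do not carry the originating client address.

```powershell
# Added example (not from the original article): Security-log sweep for the
# five AD monitoring questions. Assumes auditing is enabled on the DC.
param(
    [string]$Computer = $env:COMPUTERNAME,
    [int]$Hours = 24,
    [int]$EndpointThreshold = 3   # distinct source addresses per user that trigger a finding
)
$since = (Get-Date).AddHours(-$Hours)

# Read an event's EventData section into a hashtable keyed by field name.
function Get-EventFields([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-SecurityEvents([int[]]$Id) {
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $Id; StartTime = $since
    }
}

function New-Finding($Category, $Event, $Fields, $Target, $Detail) {
    [pscustomobject]@{
        Category = $Category; EventId = $Event.Id; When = $Event.TimeCreated
        Target   = $Target
        By       = "$($Fields['SubjectDomainName'])\$($Fields['SubjectUserName'])"
        Detail   = $Detail; RecordedOn = $Event.MachineName
    }
}

function Get-AdMonitoringFindings {
    # 1. User account changes: 4720 created, 4722 enabled, 4725 disabled,
    #    4726 deleted, 4738 attributes changed, 4740 locked out.
    Get-SecurityEvents 4720,4722,4725,4726,4738,4740 | ForEach-Object {
        $f = Get-EventFields $_
        New-Finding 'UserAccountChange' $_ $f $f['TargetUserName'] ''
    }
    # 2. Password resets performed by someone other than the account owner (4724).
    Get-SecurityEvents 4724 | ForEach-Object {
        $f = Get-EventFields $_
        New-Finding 'AdminPasswordReset' $_ $f $f['TargetUserName'] ''
    }
    # 3. Security group membership: 4728/4732/4756 add, 4729/4733/4757 remove
    #    (global / domain-local / universal groups respectively).
    Get-SecurityEvents 4728,4729,4732,4733,4756,4757 | ForEach-Object {
        $f = Get-EventFields $_
        $op = if ($_.Id -in @(4728,4732,4756)) { 'added' } else { 'removed' }
        New-Finding 'GroupMembershipChange' $_ $f $f['TargetUserName'] "$($f['MemberName']) $op"
    }
    # 4. One account logging on from several endpoints (4624). Machine accounts
    #    and local/loopback sources are ignored; the rest are grouped per user.
    $logons = Get-SecurityEvents 4624 | ForEach-Object {
        $f = Get-EventFields $_
        if ($f['TargetUserName'] -notlike '*$' -and $f['IpAddress'] -notin @('-', '127.0.0.1', '::1')) {
            [pscustomobject]@{ User = $f['TargetUserName']; Source = $f['IpAddress']; When = $_.TimeCreated }
        }
    }
    foreach ($g in ($logons | Group-Object User)) {
        $sources = $g.Group | Group-Object Source
        if ($sources.Count -ge $EndpointThreshold) {
            [pscustomobject]@{
                Category = 'MultiEndpointLogon'; EventId = 4624
                When     = ($g.Group | Sort-Object When | Select-Object -First 1).When   # when it began
                Target   = $g.Name; By = $g.Name
                Detail   = ($sources | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
                RecordedOn = $Computer
            }
        }
    }
    # 5. Group Policy changes: a GPO object created/modified/deleted
    #    (5137/5136/5141), or a gPLink edit that re-targets policy on an OU.
    Get-SecurityEvents 5136,5137,5141 | Where-Object {
        $f = Get-EventFields $_
        $f['ObjectClass'] -eq 'groupPolicyContainer' -or $f['AttributeLDAPDisplayName'] -eq 'gPLink'
    } | ForEach-Object {
        $f = Get-EventFields $_
        New-Finding 'GroupPolicyChange' $_ $f $f['ObjectDN'] "$($f['AttributeLDAPDisplayName'])=$($f['AttributeValue'])"
    }
}

Get-AdMonitoringFindings | Sort-Object When | Format-Table -AutoSize
```

In a real deployment this runs against every DC (or against the collector they forward to), because account-management and logon events are recorded only on the DC that handled the request; a sweep of one DC sees only a fraction of the picture.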
The Active Directory security best practices laid out here are essential to strengthening your security posture. Careful management of activities across the entire network that affect AD security will enable you to reduce your attack surface area and to promptly detect and respond to threats, dramatically reducing your risk of suffering a disastrous security incident.