Active Directory Security Best Practices
Protecting Active Directory (AD) is a critical focus for security teams. Attackers target AD because it sits at the center of authentication, authorization and network access: users, applications, IoT devices and other network connections go through AD every time they access an enterprise's systems, so whoever controls AD controls the enterprise.
Attacks typically follow the same fundamental steps:
- Enumerate AD to map users, groups, servers and workstations.
- Steal credentials.
- Log into systems posing as legitimate users.
- Use the access permissions to steal data, sabotage systems or commit other cybercrimes.
The 2018 breach of the HealthCare.gov agent and broker enrollment portal is one real-world example. Using stolen credentials, attackers logged in as legitimate users, went undetected for a time and accessed the files of roughly 75,000 people containing personally identifiable information (PII).
AD attacks often hinge upon the weakest link in every security system: the human element. Phishing schemes, in particular, have become worryingly effective. Bad actors posing as prominent executives or representatives of well-regarded partners like financial institutions routinely convince unwitting employees to willingly hand over vital information. Cybercriminals have persuaded employees to:
- Transfer money into bogus accounts
- Share login credentials over the phone
- Escalate access privileges
- Share private personal data
To protect your organization, it is crucial to establish, communicate and enforce the following best practices around AD.
Secure Your Domain Controllers
Securing domain controllers is an integral step of Active Directory security. A domain controller (DC) is a server that hosts the AD database and authenticates logons by checking usernames, passwords and other credentials against it.
- Active Directory holds identities and their access rights.
- Domain controllers authenticate logons and answer other directory requests.
The domain controller is the primary target for attackers because it holds the directory database (NTDS.dit) with the password hashes of every account in the domain, including the krbtgt account that signs Kerberos tickets. Compromise of a single DC is compromise of the whole domain, so harden DCs as follows:
- Ensure the physical security of domain controllers.
- Limit the software and roles installed on domain controllers.
- Standardize domain controller configuration. For example, use build automation through deployment tools such as System Center Configuration Manager.
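The following PowerShell is an added example, not part of the original article, that checks two of the points above across every domain controller: which server roles each DC carries beyond Active Directory Domain Services and DNS, and whether the DCs' OS builds have drifted apart. It assumes the RSAT ActiveDirectory module, the ServerManager module on the DCs, PowerShell remoting to each DC, and the baseline role list shown, which is an assumption you should adjust to your environment.

```powershell
# Added example, not from the original article: audit domain controllers for
# unexpected server roles and for OS version drift. Assumes the RSAT
# ActiveDirectory module and PowerShell remoting (WinRM) to every DC.
Import-Module ActiveDirectory

# Roles a DC is expected to carry in this environment (assumed baseline).
# FileAndStorage-Services is present on every Windows Server by default.
$ExpectedRoles = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services')

$DCs = Get-ADDomainController -Filter *

# 1. Configuration drift: every DC should run the same OS build.
$DCs | Select-Object HostName, Site, OperatingSystem, OperatingSystemVersion, IsGlobalCatalog |
    Sort-Object OperatingSystemVersion | Format-Table -AutoSize

# 2. Extra roles: anything installed beyond the baseline widens the DC's attack surface.
$Findings = foreach ($dc in $DCs) {
    $roles = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-WindowsFeature |
            Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
            Select-Object -ExpandProperty Name
    }
    foreach ($role in $roles) {
        if ($role -notin $ExpectedRoles) {
            [pscustomobject]@{ DomainController = $dc.HostName; UnexpectedRole = $role }
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No unexpected roles found on any DC.' }
```

Run it from a management host rather than on a DC, and treat every row it returns (a web server role, a print server role, a third-party agent's prerequisites) as something to remove or to justify in writing.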
Establish a Robust Password Policy
The default domain password policy sets the lockout and password rules (minimum length, password history, lockout threshold and so on) for every account in the domain. Fine-grained password policies (password settings objects, or PSOs) let you override those rules for specific users or global security groups; each PSO carries a precedence value, and the lowest-numbered PSO that applies to a user wins.
One way to use this is to apply stricter settings to privileged accounts: a longer minimum length and a lower lockout threshold for members of Domain Admins. The accounts with access to the most valuable data and critical applications then lock sooner under a guessing attack, and every lockout of a privileged account becomes an event worth investigating, while ordinary users keep the less disruptive default policy.
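As an added example (not code from the original article), here is a PowerShell fine-grained password policy that tightens lockout and minimum length for Domain Admins while leaving the default domain policy alone. It assumes the RSAT ActiveDirectory module; the policy name, the thresholds and the sample account name adm-alice are assumptions.

```powershell
# Added example, not from the original article: a fine-grained password policy
# (PSO) that gives privileged accounts a stricter lockout and a longer minimum
# length than the default domain policy. Assumes the RSAT ActiveDirectory module;
# policy name, thresholds and the sample account name are assumptions.
Import-Module ActiveDirectory

# Baseline that every account gets unless a PSO overrides it.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Stricter settings for admins. A lower Precedence wins if several PSOs apply to one user.
$pso = @{
    Name                            = 'PSO-PrivilegedAccounts'
    Precedence                      = 10
    MinPasswordLength               = 14
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    PasswordHistoryCount            = 24
    MinPasswordAge                  = '1.00:00:00'   # 1 day, so the history cannot be cycled through
    LockoutThreshold                = 5              # bad attempts before lockout
    LockoutObservationWindow        = '00:30:00'     # window in which those attempts are counted
    LockoutDuration                 = '00:30:00'     # how long the account stays locked
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs attach to users or global security groups only; universal or domain-local
# groups (and OUs) are not valid targets. Domain Admins is a global group.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Domain Admins'

# Confirm which policy actually governs a given admin account (assumed sample name).
Get-ADUserResultantPasswordPolicy -Identity 'adm-alice' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration
```

The last command is the check that matters: if it returns the default policy rather than PSO-PrivilegedAccounts, the account is not in a group the PSO targets, or a lower-precedence PSO is winning.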
Follow the NIST SP 800-63B password guidelines:
- Passwords chosen by a human should be at least eight characters; passwords generated randomly by a system or service can be as short as six.
- Do not force periodic password changes; require a change only when there is evidence of compromise. One strong password that stays in place is more effective than a predictable rotation of weak ones.
- Avoid complexity requirements that are not user-friendly, since they lead users to create weak, predictable passwords or to store passwords insecurely (such as on a sticky note on their desk). Instead, screen new passwords against lists of commonly used and breached passwords, as NIST recommends.
- Monitor administrative password resets. Unusual password reset activity can signal a compromise of the administrator account.
Use a Local Administrator Password Solution
All too often, organizations create the same local administrator account with the same password on every machine. Then an attacker who compromises one machine, or merely recovers that account's password hash from it, can reuse the password or hash against every other machine. A local administrator password solution (LAPS) mitigates this risk by giving each device a unique, randomly generated local admin password that is rotated on a schedule and stored in AD, where only authorized principals can read it. Windows LAPS is now built into supported Windows versions, and the legacy LAPS product is still common; with either:
- Do not install the legacy LAPS client-side extension (CSE) on domain controllers. A DC has no local accounts; the Administrator account there is the domain's built-in Administrator, which LAPS is not meant to manage.
- Do not create additional shared local administrator accounts on domain-joined devices. LAPS manages one account per device; any extra local admin with a common password reintroduces the lateral-movement problem.
- Do not use Group Policy Preferences to set local administrator passwords. The password is stored in SYSVOL as a cpassword value encrypted with a key that Microsoft published, so any domain user who can read SYSVOL can recover it. MS14-025 removed the ability to save new ones, but old values remain in SYSVOL until someone deletes them.
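The following PowerShell is an added example, not from the original article, showing how these rules look in practice with Windows LAPS: password management is scoped to workstation and member-server OUs (not the Domain Controllers OU), only a helpdesk group may read passwords, one password is retrieved for an incident, and SYSVOL is searched for leftover Group Policy Preferences cpassword values. It needs the Windows LAPS PowerShell module and the RSAT ActiveDirectory module, with the schema already extended (Update-LapsADSchema); the OU names, the group name and the computer name are assumptions.

```powershell
# Added example, not from the original article: scope Windows LAPS to workstation
# and member-server OUs, restrict who can read passwords, fetch one password, and
# hunt for legacy Group Policy Preferences passwords in SYSVOL. Assumes the Windows
# LAPS and RSAT ActiveDirectory modules and an already-extended schema
# (Update-LapsADSchema); OU, group and computer names are assumptions.
Import-Module LAPS
Import-Module ActiveDirectory

$Domain = Get-ADDomain
$Scopes = @(
    "OU=Workstations,$($Domain.DistinguishedName)"
    "OU=MemberServers,$($Domain.DistinguishedName)"
)
# The Domain Controllers OU is deliberately not in $Scopes: DCs have no local accounts.

foreach ($ou in $Scopes) {
    # Computers in the OU may write their own rotated password and expiry into AD.
    Set-LapsADComputerSelfPermission -Identity $ou
    # Only the helpdesk group may read those passwords (assumed group name).
    Set-LapsADReadPasswordPermission -Identity $ou -AllowedPrincipals "$($Domain.NetBIOSName)\Helpdesk-Tier1"
    # Review who else holds extended rights here; stray grants are how passwords leak.
    Find-LapsADExtendedRights -Identity $ou
}

# Fetch one device's password during an incident (assumed computer name). Use the
# helpdesk account for this, not a domain admin, and only when actually needed.
Get-LapsADPassword -Identity 'WS-0042' -AsPlainText |
    Select-Object ComputerName, Account, Password, ExpirationTimestamp

# Legacy GPP passwords: the cpassword value is encrypted with a key Microsoft
# published, so any domain user who can read SYSVOL can decrypt it.
$PolicyRoot = "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\Policies"
Get-ChildItem -Path $PolicyRoot -Recurse -ErrorAction SilentlyContinue -Include Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml |
    Select-String -Pattern 'cpassword=' -SimpleMatch |
    Select-Object Path, LineNumber
```

Any file the last pipeline returns should be fixed by removing the preference item and rotating the password it set, since the value has to be assumed known to everyone in the domain.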
Enable Visibility into Group Policy
Group Policy is the tool for enforcing a consistent, secure configuration across many devices. However, Group Policy tends to become tangled over years of changes; some organizations even have policies whose settings conflict with one another, so the effective result is not what anyone intended. To avoid this weak link in your security posture, you need visibility into your Group Policy structure and into every change made to it. Group Policy also determines which accounts and groups hold rights on each machine, so the best practices below cover security groups first and then the accounts placed in them.
Security groups are the recommended way to control access to resources and enforce a least privilege model. Instead of assigning access rights to individuals one by one, you assign permissions to security groups and then make each user a member of the appropriate groups.
- Closely monitor changes to security group membership, especially changes to groups that have permissions to access, modify or remove sensitive data.
- Regularly review security group membership to ensure that only authorized employees are members of each group.
Best Practices for All Accounts
- Do not assign privileges directly to user accounts; use security groups.
- Rigorously follow a least privilege model, giving each user only the minimum permissions they need to complete their tasks.
- Delegate administrative rights through a documented tiered model (separate admin accounts and OUs for domain controllers, servers and workstations, with each tier's admins prevented from logging on to the other tiers) rather than through ad hoc ACL grants.
- Immediately disable the accounts of employees who leave the company.
- Monitor for inactive accounts and disable those that have not logged on for a defined period (for example, 90 days).
- Create guest accounts with minimum privileges.
- Monitor user account changes for unauthorized modifications to an AD user.
Additional Best Practices for Administrative and Other Powerful Accounts
Naturally, attackers are particularly interested in gaining access to accounts that have administrative privileges or access to sensitive data, such as customer records or intellectual property. Therefore, it’s critical to be especially vigilant about these powerful accounts. Best practices include the following:
- Train admins to use their administrative accounts only when absolutely necessary to reduce the risk of credential theft.
- Ideally, implement a privileged account management (PAM) solution that grants admin rights just in time. If that is not possible, keep only the built-in Administrator account in Domain Admins, and add other accounts to the group only temporarily, removing them as soon as their work is done.
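This PowerShell is an added example, not from the original article, that covers both the security group and account practices above and the privileged-account practices in this section: it lists who is in the tier-0 groups including nested members, disables accounts inactive for 90 days, and grants Domain Admins membership with an expiry instead of permanently. It assumes the RSAT ActiveDirectory module, a forest functional level of Windows Server 2016 or later for time-bound membership, and the approved-member list and sample account name shown, which are assumptions.

```powershell
# Added example, not from the original article: review privileged group
# membership, disable stale accounts, and grant admin membership with an expiry.
# Assumes the RSAT ActiveDirectory module; group, account and threshold values
# are assumptions for illustration.
Import-Module ActiveDirectory

# 1. Who holds tier-0 rights, including through nested groups? Anything not on the
#    approved list is a finding to review.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
$ApprovedMembers  = @('Administrator')   # assumed: only the built-in account stays permanently

$Unapproved = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $ApprovedMembers } |
        ForEach-Object { [pscustomobject]@{ Group = $group; Member = $_.SamAccountName } }
}
$Unapproved | Format-Table -AutoSize

# 2. Accounts with no logon in 90 days that are still enabled. Disable rather than
#    delete, so the SID and its history remain available for investigation.
$Stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled }
$Stale | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
$Stale | Disable-ADAccount -WhatIf     # remove -WhatIf once the list has been reviewed

# 3. Time-bound membership instead of permanent Domain Admins rights. Requires the
#    Privileged Access Management optional feature (enabling it is irreversible):
# Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
Add-ADGroupMember -Identity 'Domain Admins' -Members 'adm-bob' -MemberTimeToLive (New-TimeSpan -Hours 4)

# Members with a TTL show as <TTL=seconds,CN=...>; AD removes them when the TTL expires.
Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

With time-bound membership the Kerberos ticket issued to adm-bob is also limited to the remaining TTL, so the rights expire even if nobody remembers to remove the account.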
Monitor Active Directory for Signs of Compromise
Active Directory is a busy place. To spot attacks, it’s essential to know what to look for in all the event data. Here are the top five things to monitor:
User Account Changes
Be on the lookout for unusual modifications to an AD user account. Consider investing in a tool that can help you answer the following questions:
- What changes were made to which user accounts?
- Who performed each change?
- When did the change happen?
- Where was the change made from?
Password Resets by Administrators
Domain admins should always follow established procedures when resetting user credentials, because resetting a password is one of the simplest ways for anyone with admin rights to take over an account without stealing its password. A robust monitoring tool helps answer questions like:
- Which user accounts had their passwords reset?
- Who reset each password?
- When did the reset happen?
- Where did the admin reset the password?
Changes to Security Group Membership
Unexpected changes to security group membership can indicate malicious activity, such as privilege escalation or other insider threats. You need to know:
- Who was added or removed?
- Who made the change?
- When did the change happen?
- Where was the security group change made?
Logon Attempts by a Single User from Multiple Endpoints
Logon attempts by a single user from several different endpoints are often a sign that someone has taken control of the account, or is trying to. It is vital to flag and investigate this activity to find out:
- Which account attempted to log on from multiple endpoints?
- What were those endpoints?
- How many attempts were made from each endpoint?
- When did the suspicious activity begin?
Changes to Group Policy
A single improper change to Group Policy can dramatically increase your risk of a breach or other security incident, since a GPO linked at the domain root reaches every machine in the domain. Using a tool to monitor this activity will make it easy to answer pressing questions like:
- What changes have been made to Group Policy?
- Who performed each change?
- When was each change made?
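As an added example, not code from the original article, the following PowerShell lists the Security-log event IDs behind the five checks above, parses 4624 logon events, and correlates them to flag one account logging on from several endpoints within a short window. The sample events are constructed for illustration; the live query at the end needs the Security log of a domain controller with logon auditing enabled. The function names and thresholds are assumptions.

```powershell
# Added example, not from the original article: Security-log event IDs for the
# five monitoring checks, a 4624 parser, and a correlation that flags one account
# logging on from several endpoints in a short window. Sample events below are
# constructed; the live query is shown commented out.

# Event IDs to collect (enable the matching audit subcategories on the DCs first).
$Watch = @{
    4720 = 'User account created';            4722 = 'User account enabled'
    4725 = 'User account disabled';           4726 = 'User account deleted'
    4738 = 'User account changed';            4724 = 'Password reset by another account'
    4728 = 'Member added to global group';    4729 = 'Member removed from global group'
    4732 = 'Member added to local group';     4733 = 'Member removed from local group'
    4756 = 'Member added to universal group'; 4757 = 'Member removed from universal group'
    4624 = 'Logon succeeded';                 4625 = 'Logon failed'
    5136 = 'Directory object modified';       5137 = 'Directory object created'   # cover GPOs once the
    5141 = 'Directory object deleted'                                              # Policies container has a SACL
}
# Live collection of all of them for the last day, run on a DC:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($Watch.Keys); StartTime = (Get-Date).AddDays(-1) }

# Flatten the EventData of a 4624 record into an object the correlation can use.
function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml = [xml]$Record.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            TimeCreated     = $Record.TimeCreated
            TargetUserName  = $d['TargetUserName']
            IpAddress       = $d['IpAddress']
            WorkstationName = $d['WorkstationName']
            LogonType       = [int]$d['LogonType']
        }
    }
}

function Find-MultiEndpointLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 3,                          # distinct source addresses that trigger a finding
        [timespan] $Window = (New-TimeSpan -Hours 1)
    )
    # Interactive (2) and RDP (10) logons only; type 3 (network) is too noisy for this
    # check, and computer accounts (names ending in $) are excluded.
    $candidates = $Events | Where-Object {
        $_.LogonType -in @(2, 10) -and $_.TargetUserName -notlike '*$' -and $_.TargetUserName -ne 'ANONYMOUS LOGON'
    }
    foreach ($grp in ($candidates | Group-Object TargetUserName)) {
        $list = @($grp.Group | Sort-Object TimeCreated)
        foreach ($start in $list) {
            $inWindow = @($list | Where-Object {
                $_.TimeCreated -ge $start.TimeCreated -and $_.TimeCreated -le $start.TimeCreated.Add($Window)
            })
            $sources = @($inWindow | Select-Object -ExpandProperty IpAddress -Unique)
            if ($sources.Count -ge $Threshold) {
                [pscustomobject]@{
                    User        = $grp.Name
                    WindowStart = $start.TimeCreated
                    Endpoints   = $sources -join ', '
                    Attempts    = ($inWindow | Group-Object IpAddress | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ' '
                }
                break   # one finding per account is enough to open an investigation
            }
        }
    }
}

# Constructed sample: alice appears from three addresses within 40 minutes, bob from one.
$Sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:00:00'; TargetUserName = 'alice'; IpAddress = '10.0.1.15'; WorkstationName = 'WS-0015';   LogonType = 2 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:10:00'; TargetUserName = 'bob';   IpAddress = '10.0.1.22'; WorkstationName = 'WS-0022';   LogonType = 2 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:20:00'; TargetUserName = 'alice'; IpAddress = '10.0.7.90'; WorkstationName = 'SRV-JUMP1'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:25:00'; TargetUserName = 'alice'; IpAddress = '10.0.7.90'; WorkstationName = 'SRV-JUMP1'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:40:00'; TargetUserName = 'alice'; IpAddress = '10.0.3.8';  WorkstationName = 'WS-0101';   LogonType = 2 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T11:30:00'; TargetUserName = 'bob';   IpAddress = '10.0.1.22'; WorkstationName = 'WS-0022';   LogonType = 2 }
)
Find-MultiEndpointLogons -Events $Sample -Threshold 3 | Format-List

# Live use on a domain controller (needs "Audit Logon" success events enabled):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-24) } | ConvertFrom-LogonEvent
# Find-MultiEndpointLogons -Events $live -Threshold 3
```

On the constructed sample the correlation reports alice (three distinct addresses inside the one-hour window, with the per-address attempt counts) and stays silent on bob. In production, feed it events from every DC, since a user's logons are authenticated by whichever DC the client picked, and tune the threshold and window to your environment before alerting on it.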
The Active Directory security best practices laid out here are essential to strengthening your security posture. Careful management of everything on the network that affects AD security will reduce your attack surface and let you detect and respond to threats promptly, dramatically reducing your risk of a disastrous security incident.