ACTIVE DIRECTORY MANAGEMENT BEST PRACTICES

Last year, European organizations witnessed a wave of cyberattacks directed against Active Directory (AD). According to security experts, in most cases negligence and lack of awareness among IT personnel allowed the attacks to succeed.

Threats to IT security are relentless, which is why businesses must take measures to reduce the risks. AD is one of the most critical assets in an organization, so let's look at the best practices for keeping it secure. But first, a little theory.

Introduction

Active Directory (AD) is a directory service used for Windows domain networks. Microsoft first released it with Windows 2000 Server; improvements were added over the years, and the latest version appeared with Windows Server 2008. A domain is the smallest AD structural unit: a logical group of users, hosts, and servers. A tree is a set of domains that share a common namespace, and a forest combines all the trees.

AD is a hierarchical structure that stores, manages, and organizes network resources (objects), which can include volumes, folders, files, printers, users, groups, devices, and telephone numbers. It maps the names of network resources to their network addresses and is a core element of the network operating system. A successful cyberattack against it would expose the organization's infrastructure and give the perpetrators access to user accounts, passwords, names, telephone numbers, and applications.

Methods used to compromise the AD

As an enterprise grows, its AD forest grows with it, adding new trees. All the trees in a forest are typically linked by bidirectional trusts, which allow users in any tree to access resources in any other tree if they have the appropriate permissions and rights.

Suppose an attacker has gained an initial foothold with low user privileges and sends an email to an employee. The employee, through negligence or lack of awareness, opens an attachment, and the attacker immediately receives a shell. Using tools such as PowerShell, the injected payload creates a new session. From that point, the attacker can see all the domains in the forest and the domain's trust relationships.

[Figure: phishing]

The intruder could even generate a visual map of all the domains and their relationships. With an active PowerShell session (and the PowerView module imported), the attacker can also examine the domain's groups and users in detail. From there, it is possible to escalate privileges to the local administrator level, gaining access to objects across the whole network.

Best practices

  1. Large organizations have big IT infrastructures. The IT security staff must identify the most critical assets, the ones that store critical information for the organization. The administration of these "high-risk assets", such as domain controllers, must be isolated: only the workers whose functions require it can access them.
  2. Strict privilege management: employees should have access levels that match the job they perform. Most of them, even those on the IT staff, do not need high-level or superuser privileges.
  3. Correct AD configuration: misconfigurations help attackers. The default security settings might not be appropriate for your organization's requirements. It is essential to change the default password policy and to use NTLMv2 authentication.
  4. Implement an appropriate Intrusion Detection System (IDS) and an access-rights auditor. They stop malicious traffic from entering or leaving the network and find security risks such as violations of least-privilege access rights, non-expiring passwords, and orphaned objects. The market offers plenty of helpful products, such as Suricata, SolarWinds, or UTMStack.
  5. Detect and patch all vulnerabilities systematically.
  6. Last but not least: guarantee Active Directory backup and recovery. Remember that threats to cybersecurity are unavoidable; keeping backups safeguards the mitigation process after a breach.
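As an added example (not code from the original post), the following read-only PowerShell audit checks several of the points above against the local domain: the default password policy and the NTLM level of the host (practice 3), non-expiring and stale accounts (practice 4), and Domain Admins membership (practice 2). It assumes the ActiveDirectory RSAT module on a domain-joined host; the 14-character and 90-day thresholds are assumptions, not values from the post.

```powershell
Import-Module ActiveDirectory

function Test-ADHygiene {
    [CmdletBinding()]
    param(
        [int]$MinPasswordLength = 14,   # assumed threshold, not from the post
        [int]$StaleDays = 90            # assumed cut-off for "stale" accounts
    )
    $findings = @()

    # Practice 3: default domain password policy versus the assumed thresholds.
    $policy = Get-ADDefaultDomainPasswordPolicy
    if ($policy.MinPasswordLength -lt $MinPasswordLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength), expected >= $MinPasswordLength"
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += "Password complexity is not enforced by the default domain policy"
    }

    # Practice 3: NTLMv2. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM.
    # This checks the local host only; the setting is normally rolled out by Group Policy.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($null -eq $lsa.LmCompatibilityLevel -or $lsa.LmCompatibilityLevel -lt 5) {
        $findings += "LmCompatibilityLevel on $env:COMPUTERNAME is '$($lsa.LmCompatibilityLevel)', expected 5"
    }

    # Practice 4: enabled accounts whose password never expires.
    foreach ($u in Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true }) {
        $findings += "Password never expires: $($u.SamAccountName)"
    }

    # Practice 4: stale, likely orphaned, enabled accounts. LastLogonDate comes from the
    # replicated lastLogonTimestamp, which can lag by up to about two weeks.
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($u in Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate) {
        if ($u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) {
            $findings += "No logon since $($u.LastLogonDate.ToShortDateString()): $($u.SamAccountName)"
        }
    }

    # Practice 2: list Domain Admins (including nested members) for review against job roles.
    foreach ($m in Get-ADGroupMember -Identity 'Domain Admins' -Recursive) {
        $findings += "Domain Admins member: $($m.SamAccountName)"
    }

    return $findings
}

Test-ADHygiene
```

Run it from an account with read access to the domain; each returned line is one finding to review, and an empty result means none of the checks fired.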
