Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Tuesday, February 28, 2017

Top-5 Active Directory Security Risks & How to Adequately Mitigate Them


Folks,

Starting May 22, 2017, I will be most respectfully taking Microsoft to advanced Active Directory Security School. Today I'll share with you the Top-5 security risks to Active Directory deployments, and how organizations can swiftly and adequately mitigate them. There are times when less is more, so though I can share volumes, since this is paramount, I'll keep this short and to the point.


The Top-5 Active Directory Security Risks

The following are the Top-5 cyber security risks that most Active Directory deployments worldwide are likely exposed to -

1. Instant compromise of the credentials of all domain accounts, enactable via Mimikatz DCSync, made possible by the presence of unauthorized/excessive Get Replication Changes All effective permissions on the domain root.
2. Instant compromise of all default Active Directory privileged (administrative) domain user accounts and groups made possible by the presence of unauthorized/excessive effective permissions on the AdminSDHolder object. 
3. Instant compromise of all IT assets stored in Active Directory (whose ACLs are not marked Protected), made possible by the presence of a single inheritable unauthorized/excessive effective permission on the domain root. 
4. Instant compromise of all domain controllers via linking of a single malicious group policy, made possible by the presence of unauthorized/excessive effective permissions on the default Domain Controllers OU. 
5. Instant compromise of any IT asset stored in Active Directory, such as the CEO’s domain user account, made possible by the presence of unauthorized/excessive effective permissions on Active Directory objects.

It is imperative to understand that the materialization of risks 1, 2 and 4 above would be tantamount to a complete and systemic compromise of the entire Active Directory. The materialization of risks 3 and 5 could also have the same outcome.

It should also be noted that not a single one of these ways involves using pass-the-hash or Kerberos ticket meddling techniques. In fact, not a single one of these ways requires the victim to log on to any computer, let alone one owned by the perpetrator.

These risks pose a very real threat to most organizations since they likely remain unmitigated at most organizations worldwide, and since their materialization could result in the compromise of the entire Active Directory, their impact could be colossal.




How to Adequately Assess and Mitigate These Risks

These risks can be expeditiously assessed and mitigated by enacting the following risk assessment and mitigation measures -

1. Target Identification: Organizational IT personnel must identify all those Active Directory objects that constitute the targets upon which excessive or unauthorized access could result in the materialization of these risks. 
    • Examples - The domain root object, the AdminSDHolder object, the default Domain Controllers OU, all large/vital OUs, all Active Directory objects representing specific high-value targets such as the domain user accounts of all executive (C*O) accounts as well as all high-value and large membership domain security groups, such as a Secret Project-X Group, the Corp Sec group, the All Employees group etc.
2. Risk Assessment: They must then proceed to accurately determine Active Directory effective permissions on each one of these objects to identify all those individuals who currently possess sufficient effective permissions / effective access to be able to perform those tasks which, when enacted, would result in the materialization of these risks. The correct methodology for enacting this step is called an Effective Privileged Access Audit.
3. Risk Mitigation: They must then proceed to identify all those individuals who currently possess such effective permissions/access but should not be in possession of such effective permissions/access per the organization's existing access policies. They should then determine how these individuals are entitled to such effective permissions / effective access and apply that information to revoke their access. Revocations should be verified.
For each of the five security risks enumerated above, the details of the target Active Directory objects as well as the specific effective permissions that need to be determined, can be found in slides 15 - 20 of this slide deck.


An example that illustrates this step-by-step can be found here - How to Prevent a Perpetrator from Using Mimikatz DCSync.

(Neither detection nor other security measures can adequately mitigate these risks because from the minute they are enacted, the perpetrator would have sufficient access to immediately be able to prevent everyone else from logging-on to stop him/her.)

In this manner, organizations worldwide can adequately assess and mitigate each one of these Active Directory security risks.





One Essential Necessity

Each of the five Active Directory security risks enumerated above primarily exist because organizations have traditionally lacked the means to accurately and adequately determine effective permissions in Active Directory i.e. on Active Directory objects.

(Effective permissions are so important that Microsoft's native Active Directory management tooling has an entire tab for them -

The Effective Permissions Tab

Unfortunately, Microsoft's Effective Permissions Tab is neither accurate nor adequate. In fact it is substantially inadequate.)


In essence, organizations require the ability to accurately and adequately determine Active Directory Effective Permissions.

While accuracy is paramount for obvious reasons, adequacy is equally essential, and it entails the following -
1. IT personnel must be able to efficiently (and of course accurately) determine the identities of all individuals that possess a specific effective permission on a specific Active Directory object.
2. IT personnel must also be able to determine how a specific individual possesses a specific effective permission on a specific Active Directory object, i.e. they must be able to identify the specific underlying security permission in the object's access control list (ACL) that entitles an individual to that specific effective permission.

The former (#1) is required to be able to efficiently determine the identities of all individuals that possess a sufficient effective permission on a specific Active Directory object, and the latter (#2) is required to be able to lockdown those security permissions that end up entitling a specific individual to those effective permissions that have been deemed excessive/unauthorized.

Again, this essential necessity is best illustrated with an example - How to Prevent a Perpetrator from Using Mimikatz DCSync.


Organizations can use any Active Directory Effective Permissions Tool that is provably accurate and sufficiently adequate.
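As an added illustration of steps 1 through 3 above and of the two adequacy requirements (who holds the right, and via which ACE), the following PowerShell is not the author's or Paramount Defenses' tooling; it lists the explicit ACEs on the domain root that grant the extended right behind DCSync and expands group trustees to their nested members. It assumes the RSAT ActiveDirectory module and read access to the domain root's ACL; pointing $rootDn at the AdminSDHolder object or the Domain Controllers OU audits those targets the same way.

```powershell
# Added example (not the blog author's tool). Caveat: this is a listing of explicit
# permissions plus group expansion, not a true effective-permissions calculation;
# deny ACEs, owner rights and token-level nuances are not evaluated.
Import-Module ActiveDirectory

$R      = [System.DirectoryServices.ActiveDirectoryRights]
$rootDn = (Get-ADDomain).DistinguishedName
$acl    = Get-Acl -Path ("AD:\" + $rootDn)

# Schema-defined GUID of DS-Replication-Get-Changes-All; Empty = "all extended rights"
$getChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
$anyRight      = [Guid]::Empty

function Test-DcSyncAce($ace) {
    if ($ace.AccessControlType -ne 'Allow') { return $false }
    $rights = $ace.ActiveDirectoryRights
    if ($rights.HasFlag($R::ExtendedRight) -and
        ($ace.ObjectType -eq $getChangesAll -or $ace.ObjectType -eq $anyRight)) { return $true }
    # GenericAll implies every extended right; WriteDacl/WriteOwner let the trustee grant it
    foreach ($broad in $R::GenericAll, $R::WriteDacl, $R::WriteOwner) {
        if ($rights.HasFlag($broad) -and $ace.ObjectType -eq $anyRight) { return $true }
    }
    return $false
}

function Expand-Trustee([string]$Identity) {
    # Resolve DOMAIN\name; expand groups recursively; leave unresolvable principals as-is
    $sam = $Identity.Split('\')[-1]
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)"
    if (-not $obj) { return $Identity }
    if ($obj.ObjectClass -eq 'group') {
        return (Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive).SamAccountName
    }
    return $sam
}

$report = foreach ($ace in $acl.Access) {
    if (-not (Test-DcSyncAce $ace)) { continue }
    foreach ($principal in Expand-Trustee $ace.IdentityReference.Value) {
        [pscustomobject]@{
            Principal = $principal                      # who can DCSync (adequacy #1)
            ViaAceFor = $ace.IdentityReference.Value    # the entitling ACE (adequacy #2)
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
$report | Sort-Object Principal, ViaAceFor | Format-Table -AutoSize
```

Every Principal not authorized by policy is a finding; the ViaAceFor column names the security permission to lock down, after which the script should be re-run to verify the revocation.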




Further Reading

You may find the following technical resources to be helpful and valuable -
  1. An insightful presentation on Active Directory Security, titled Defending Active Directory Against Cyberattacks
  2. A simple yet insightful overview and an illustrative example of Active Directory Effective Permissions
  3. Specific details and options on how to perform an Active Directory Effective Privileged Access Audit
  4. An online resource center dedicated to and focused on various aspects of Active Directory Security
  5. Specific details on five cyber security capabilities that are essential for defending Active Directory

On behalf of our entire team at Paramount Defenses, I wish you, your team and your organization the very best in your efforts to adequately secure and defend your foundational Active Directory deployments. It is an honor and a privilege to help the world.

Best wishes,
Sanjay
