Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Monday, June 19, 2017

The Top-5 Cyber Security Risks to Active Directory Deployments (Day-5)

Dear Microsoft,

Today is Day-5 of our advanced Active Directory Security school for you. Since you've been busy trying to address risks posed by credential-theft attacks, and making paradigm shifts, you may likely have forgotten about the top risks to Active Directory.


So, today, I'll educate you about the Top-5 security risks that most Active Directory deployments are likely vulnerable to today.



The Top-5 Security Risks to Active Directory Deployments

The following are the Top 5 security risks that most Active Directory deployments are likely exposed to today -

  1. The complete and instant compromise of the credentials of all domain user accounts, including those of all privileged users, enactable via Mimikatz DCSync, by any intruder/insider that has sufficient effective permissions to replicate secrets from Active Directory.

  2. The complete and instant compromise of all default Active Directory privileged user accounts and groups, enactable via any AD mgmt. tool, by any intruder/insider that has sufficient effective permissions on the AdminSDHolder object.

  3. The complete and instant compromise of most* IT assets stored in Active Directory, enactable via any AD mgmt. tool, by any intruder/insider that has sufficient effective permissions, resulting from wide-scoped insecure inheritable permissions.

  4. The complete and instant compromise of all Domain Controllers in the domain, enactable via any AD mgmt. tool, by any intruder/insider that has sufficient effective permissions to link a malicious GPO to the default Domain Controllers OU.

  5. The complete and instant compromise of specific IT assets stored in Active Directory, such as the CEO's user account, enactable via any AD mgmt. tool, by any intruder/insider that has sufficient effective permissions to do so.

[ The reasoning for why these are the top 5 risks, as well as technical details, is furnished below. ]


It is vital to understand that a SINGLE occurrence of risks #1, #2 and #4 above (and, depending on the target, also of risks #3 and #5) could result in the compromise of the ENTIRE Active Directory deployment. This fact CANNOT be overstated.




But First, 5 Notable Points About These 5 Risks

Organizations that care about their foundational security may find the following points interesting to note -

  1. Not a single one of these risks either requires or involves the use of any credential-theft technique (such as Pass-the-Hash, Kerberos Golden Tickets etc.) and none of these band-aids can prevent an attacker from enacting these risks.

  2. Not a single one of these risks requires the attacker to compromise any computer whatsoever i.e. he/she need not compromise even a single Domain Controller, admin workstation, member server, employee laptop etc.

  3. Not a single one of these risks requires the attacker to have physical or system access to even a single Domain Controller, data center, admin workstation, or for that matter even a single copy of an Active Directory backup.

  4. Not a single one of these risks requires the attacker to possess tooling that is not freely available. Microsoft's native Active Directory management tools, and Mimikatz DCSync, all of which are freely available, are amply sufficient.

  5. Not a single one of these risks requires the attacker to be at a specific location. Each one of these risks can be enacted from anywhere in the world (HQ, branch, offshore) as long as the attacker has network access to your Active Directory.

All that an attacker needs to enact these risks is sufficient effective access i.e. Active Directory Effective Permissions.




Oh, and 2 Other Quick Points

For those who may wonder why these risks rank higher than the risks posed by the compromise of a Domain Controller or an admin workstation, or than the risks posed by credential-theft techniques involving the compromise of Active Directory privileged users -

  1. Why these risks rank higher than the compromise of a Domain Controller (DC) or an admin workstation: to compromise a DC or an admin workstation, one typically requires either unrestricted physical access to it and/or the ability to breach its system security, both of which are almost always more difficult to obtain than mere network access to Active Directory, which (in addition to sufficient effective permissions) is all that a perpetrator needs to successfully enact any or each of these 5 risks to Active Directory.

  2. Why these risks rank higher than the predominant credential-theft techniques involving the compromise of Active Directory privileged users: we're focused on mature, defendable IT environments, wherein organizations have either largely eliminated or minimized the possibility of credential-theft attacks involving the compromise of Active Directory privileged users, or are in a position to detect their occurrence (via technologies such as Microsoft ATA) and thwart them. Speaking of which, may I suggest reading this.


And now...



An Objective, Formal Risk-Management based Substantiation of these Top-5 Risks -



1. Complete and Instant Compromise of the Credentials of All Domain User Accounts -

  • Asset at Risk – Credentials of all Active Directory domain user accounts (including those of all privileged users)
  • Threat Source – Any sufficiently privileged intruder (hacker, APT etc.) / insider (disgruntled, rogue or coerced user)
  • Attack Surface – Active Directory domain root object
  • Enabler – Anyone who possesses Get-Replication-Changes-All extended right effective permissions on the domain root object is allowed to, and thus can, replicate all data including secrets (i.e. passwords) from Active Directory
  • Exploitation Procedure – DCSync feature of the Mimikatz tool
  • Difficulty – Minimal
  • Impact – Very high
  • Likelihood / Probability of Occurrence – High
  • Physical / System Level Access to DC Required – No
  • Resources Required – Network access to Active Directory + Sufficient Effective Permissions in Active Directory
  • Mitigation / Prevention – Ensure (at all times) that only the smallest number of most highly trustworthy IT personnel have the Get-Replication-Changes-All effective permissions granted on the domain root object in Active Directory
  • Risk Assessment – To find out exactly who can enact this risk, audit Active Directory effective permissions on the domain root object to find out exactly who all effectively have the Get-Replication-Changes-All right granted today
  • Detection – Potentially possible via use of Active Directory auditing. However, detection is hardly useful because by the time an audit event/notification is generated / acted upon, substantial damage will likely already have been done
  • Additional Info - Here



2. Complete and Instant Compromise of All Default Active Directory Privileged Domain User Accounts and Groups -

  • Asset at Risk – All default Active Directory privileged/administrative domain user accounts and security groups (e.g. Administrators, Domain Admins, Enterprise Admins, Server Operators, Print Operators, Account Operators etc.)
  • Threat Source – Any sufficiently privileged intruder (hacker, APT etc.) / insider (disgruntled, rogue or coerced user)
  • Attack Surface – AdminSDHolder object in Active Directory
  • Enabler – Anyone who possesses any one of various modify (WP, WD, CR, FC) effective permissions on the AdminSDHolder object is allowed to, and thus can, manage all default Active Directory domain accounts and groups
  • Exploitation Procedure – Use native Microsoft Active Directory management tooling (e.g. ADUC etc.) to maliciously enact an authorized administrative task such as a password reset or a group membership change
  • Difficulty – Minimal
  • Impact – Very high
  • Likelihood / Probability of Occurrence – High
  • Physical / System Level Access to DC Required – No
  • Resources Required – Network access to Active Directory + Sufficient Effective Permissions in Active Directory
  • Mitigation / Prevention – Ensure (at all times) that only the smallest number of most highly trustworthy IT personnel have modify (WP, WD, CR, FC) effective permissions granted on the AdminSDHolder object in Active Directory
  • Risk Assessment – To find out exactly who can enact this risk, audit Active Directory effective permissions on the AdminSDHolder object to find out exactly who all effectively have various modify effective permissions granted today
  • Detection – Possible via use of Active Directory auditing. However, detection is hardly useful because by the time an audit event/notification is generated / acted upon, substantial damage will most likely already have been done.
  • Additional Info - Here



3. Complete and Instant Compromise of Most IT Assets Stored in Active Directory -

  • Asset at Risk – Almost all Active Directory content (i.e. all Active Directory objects except those whose ACLs are marked Protected and thus do not inherit permissions), such as all domain user accounts, security groups, computer accounts, OUs, SCPs etc.
  • Threat Source – Any sufficiently privileged intruder (hacker, APT etc.) / insider (disgruntled, rogue or coerced user)
  • Attack Surface – The entire Active Directory
  • Enabler – Anyone who ends up being entitled to any one of various modify (WP, WD, CR, FC) effective permissions on any object in Active Directory is allowed to, and thus can, manage that Active Directory object. A single incorrectly specified (whether accidentally or intentionally) inheritable security permission specified at the domain root or at a top-level OU could impact the effective permissions on thousands of Active Directory objects in that domain/OU.
  • Exploitation Procedure – Use native Microsoft Active Directory management tooling (e.g. ADUC etc.) to maliciously enact an authorized administrative task such as a password reset or a group membership change
  • Difficulty – Minimal
  • Impact – High to Very high
  • Likelihood / Probability of Occurrence – High
  • Physical / System Level Access to DC Required – No
  • Resources Required – Network access to Active Directory + Sufficient Effective Permissions in Active Directory
  • Mitigation / Prevention – Ensure (at all times) that all access provisioned in Active Directory adheres to the principle of least privilege, so as to ensure that net resulting effective permissions / effective access on all Active Directory objects only permits authorized personnel to enact administrative tasks on these objects
  • Risk Assessment – To find out exactly who can enact this risk, perform a domain-wide Effective Privileged Access Audit in Active Directory to find out exactly who can enact which privileged/admin tasks where in Active Directory
  • Detection – Possible via use of Active Directory auditing. However, detection is hardly useful because by the time an audit event/notification is generated / acted upon, substantial damage will most likely already have been done.
  • Additional Info - Here



4. Complete and Instant Compromise of All Domain Controllers in the Domain -

  • Asset at Risk – All Domain Controllers in an Active Directory domain 
  • Threat Source – Any sufficiently privileged intruder (hacker, APT etc.) / insider (disgruntled, rogue or coerced user)
  • Attack Surface – The default Domain Controllers organizational-unit (OU) in Active Directory
  • Enabler – Anyone who has sufficient effective permissions to be able to modify the list of Group Policy Objects (GPOs) linked to the default Domain Controllers OU in Active Directory is allowed to, and thus can, link a GPO to that OU. The linking of a single weak or malicious GPO to the default Domain Controllers OU could weaken the system security of all DCs in that domain, and be used to easily obtain administrative command and control over all DCs.
  • Exploitation Procedure – Use native Microsoft Active Directory management tooling (e.g. ADUC etc.) to link a weak or malicious GPO to the default Domain Controllers OU
  • Difficulty – Minimal
  • Impact – Very high
  • Likelihood / Probability of Occurrence – High
  • Physical / System Level Access to DC Required – No
  • Resources Required – Network access to Active Directory + Sufficient Effective Permissions in Active Directory
  • Mitigation / Prevention – Ensure (at all times) that only the smallest number of most highly trustworthy IT personnel have sufficient effective permissions to be able to link GPOs to the default Domain Controllers OU in Active Directory
  • Risk Assessment – To find out exactly who can enact this risk, audit Active Directory effective permissions on the default Domain Controllers organizational unit (OU) object to find out exactly who can link GPOs to this OU
  • Detection – Possible via use of Active Directory auditing. However, detection is hardly useful because by the time an audit event/notification is generated / acted upon, substantial damage will most likely already have been done.
  • Additional Info - Here
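As an added illustration of the Risk Assessment steps for risks #1 to #4 (example code written for this page, not code from the original post or from any Paramount Defenses product), the following PowerShell lists the Allow ACEs on the domain root, the AdminSDHolder object and the default Domain Controllers OU that grant the rights discussed above. It assumes the RSAT ActiveDirectory module; the expected-principal list and the check names are assumptions to adjust.

```powershell
# Added example (not code from the original post): enumerate the Allow ACEs behind
# risks #1-#4 as a starting point for the "Risk Assessment" steps above.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive) and read
# access to the objects; an ordinary domain user can read these ACLs by default.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$nb       = $domain.NetBIOSName
$domainDN = $domain.DistinguishedName

# Well-known schema GUIDs the ACEs of interest are scoped to.
$GetChangesAll = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
$GpLink        = 'f30e3bbe-9ff0-11d1-b603-0000f80367c1'  # gPLink attribute
$AnyObject     = '00000000-0000-0000-0000-000000000000'  # ACE not scoped to one right/attribute

# Assumption: principals expected to hold these rights in a default deployment.
# Adjust to the documented administrative model; everything else is a finding.
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Admins",
              "$nb\Enterprise Admins", "$nb\Domain Controllers", 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')

$R = [System.DirectoryServices.ActiveDirectoryRights]

function Find-Grants {
    param([string]$Check, [string]$Dn, [int]$RightsMask, [string[]]$ObjectTypes, [switch]$InheritableOnly)
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $RightsMask) -eq 0) { continue }
        # With a GUID list, keep only ACEs scoped to one of those GUIDs or to everything.
        if ($ObjectTypes -and ($ObjectTypes -notcontains $ace.ObjectType.ToString())) { continue }
        # Risk #3 cares about ACEs that flow down to child objects, not object-only ACEs.
        if ($InheritableOnly -and $ace.InheritanceFlags -eq 'None') { continue }
        [pscustomobject]@{
            Check     = $Check
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
            Expected  = ($Expected -contains $ace.IdentityReference.Value)
        }
    }
}

# WP, WD, CR and FC as the post abbreviates them (GenericAll contains every other bit).
$Modify = [int]($R::WriteProperty -bor $R::WriteDacl -bor $R::ExtendedRight -bor $R::GenericAll)

$findings = @()
# Risk #1: DS-Replication-Get-Changes-All (or all extended rights / full control) on the domain root.
$findings += Find-Grants -Check 'DomainRoot:ReplicateAll' -Dn $domainDN -RightsMask ([int]($R::ExtendedRight)) -ObjectTypes @($GetChangesAll, $AnyObject)
# Risk #2: any modify permission on AdminSDHolder, whatever attribute or right it is scoped to.
$findings += Find-Grants -Check 'AdminSDHolder:Modify' -Dn "CN=AdminSDHolder,CN=System,$domainDN" -RightsMask $Modify
# Risk #3: inheritable modify permissions at the domain root reach every non-protected object below it.
$findings += Find-Grants -Check 'DomainRoot:InheritableModify' -Dn $domainDN -RightsMask $Modify -InheritableOnly
# Risk #4: write to gPLink on the Domain Controllers OU (a WriteDacl holder can grant that write to itself).
$findings += Find-Grants -Check 'DCsOU:LinkGPO' -Dn $domain.DomainControllersContainer -RightsMask ([int]($R::WriteProperty -bor $R::WriteDacl)) -ObjectTypes @($GpLink, $AnyObject)

$findings | Sort-Object Check, Expected, Trustee | Format-Table -AutoSize
```

The output is the ACL view, not effective permissions: deny ACEs, nested group membership, object ownership and inheritance from parent OUs are not evaluated, so expand every listed group (Get-ADGroupMember -Recursive) and treat the list as the input to, not the result of, an effective-permissions audit.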



5. Complete and Instant Compromise of Specific IT Assets Stored in Active Directory -

  • Asset at Risk – Almost all Active Directory content, such as all domain user accounts (including any executive and non-default privileged user accounts), security groups, computer accounts, OUs, SCPs etc.

  • Asset Examples –  The following are a few simple illustrative examples of such assets:

    1. The domain user account of a non-default highly privileged user, one that is not protected by AdminSDHolder, yet possesses Domain-Admin equivalent privilege in Active Directory based on custom access provisioning
    2. The domain user account of an organizational executive (e.g. Chairman, CEO, CFO, CIO, CISO, VP etc.)
    3. A large membership domain security group such as All Employees, or (all) Domain Computers etc.
    4. The domain computer account of a specific computer, such as a high-value email, app or database server
    5. A top-level Organizational Unit that contains thousands of users, computers, groups and other objects
    6. A service connection point of a mission-critical Active Directory integrated service/app, e.g. this one

  • Threat Source – Any sufficiently privileged intruder (hacker, APT etc.) / insider (disgruntled, rogue or coerced user)
  • Attack Surface – The entire Active Directory
  • Enabler – Anyone who ends up being entitled to any one of various modify (WP, WD, CR, FC) effective permissions on any object in Active Directory is allowed to, and thus can, manage that Active Directory object. A single incorrectly specified security permission (inherited or explicit) in an Active Directory object's ACL could substantially impact the actual resulting effective permissions entitled on that object, resulting in unauthorized effective access on the object.
  • Exploitation Procedure – Use Microsoft's Active Directory management tooling (e.g. ADUC etc.) to enact an (un-)authorized administrative task such as a malicious password reset, a group membership change, a user account creation, a computer account delegation change, an OU deletion, a service connection point keyword change etc.
  • Difficulty – Minimal
  • Impact – High to Very high
  • Likelihood / Probability of Occurrence – High
  • Physical / System Level Access to DC Required – No
  • Resources Required – Network access to Active Directory + Sufficient Effective Permissions in Active Directory
  • Mitigation / Prevention – Ensure (at all times) that all access provisioned in Active Directory adheres to the principle of least privilege, so as to ensure that net resulting effective permissions / effective access on all Active Directory objects only permits authorized personnel to enact various administrative tasks on those objects
  • Risk Assessment – To find out exactly who can enact this risk, either audit Active Directory effective access on all vital objects in Active Directory (e.g. all exec accounts, sensitive groups, large OUs etc.) one by one, or perform a tree-wide effective privileged access audit to find out exactly who can enact which admin tasks on these objects
  • Detection – Possible via use of Active Directory auditing. However, detection is hardly useful because by the time an audit event/notification is generated / acted upon, substantial damage will most likely already have been done.
  • Additional Info - Here



So Microsoft, there you have it. These are the actual and REAL Top-5 cyber security risks that almost all Active Directory deployments worldwide (including possibly yours) are likely exposed to today. You may want to read this many times over.

BTW, for anyone who needs it, an Executive Summary of the above (in PDF format) can be downloaded from here.



Summary

Today I just wanted to share with Microsoft and the whole world the actual Top-5 cyber security risks that most Active Directory deployments worldwide are substantially exposed to today (most organizations may not even know that they're exposed).


In light of the above, I would also encourage folks worldwide to first read the above (with attention to detail, and in its entirety) and then read the following 3 insightful posts, and you'll see why I believe Microsoft doesn't seem to have a clue -
  1. 30 Days of Advanced Active Directory Security School for Microsoft

  2. A Trillion $ Cyber Security Question for Microsoft regarding Defending Active Directory

  3. How Well Does Microsoft Really Understand Cyber Security?

If you still need a hint, I'll give you one - in factually and objectively describing the Top-5 security risks to Active Directory, how many times did I need to use the term "effective permissions" above? In contrast, when you read the 3 linked posts pointed to above, make a note of and compare how many times Microsoft has educated the world about the term "effective permissions."


Microsoft, you'll want to read this (50 times) and absorb it like a sponge absorbs water - Active Directory Effective Permissions.


Alright, Microsoft, this is it for today. Later this week we shall continue with Day-6 of our advanced Active Directory Security school for you, during which I'll cover another fascinating trillion $ topic for you and the world - you likely won't want to miss it.

Best wishes,


PS: I've been meaning to do this on a daily basis, but given my responsibilities (i.e. a global cyber security company to head), time is difficult to take out, thus the delay. That said, if this weren't vital to global security, I wouldn't be wasting my time on it.
