Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Tuesday, August 27, 2013

Microsoft IT’s Best Practices for Securing Active Directory – A Must Read (5 Takeaways and 1 Glaring Omission)


If you’re a part of the Microsoft ecosystem, in all likelihood, you already know how valuable Active Directory is to Microsoft's Windows Server ecosystem, and how important the security of Active Directory deployments is to organizations worldwide.

(For those of you who don’t, Active Directory is the very foundation of cyber security in every organization whose IT infrastructure is powered by Microsoft Windows Server i.e. about 85% of all organizations worldwide.)

As you may also know, Microsoft's own global Active Directory deployment is one of the world’s most prominent and important Active Directory deployments, as it serves as the foundation for Microsoft’s global organizational security infrastructure.

Microsoft IT’s Best Practices for Securing Active Directory

Earlier this year, Microsoft IT released a whitepaper titled Best Practices for Securing Active Directory, which draws on experience from several hundred Active Directory security assessments, critical incident responses, and recovery engagements.
If you are in the Active Directory space, I highly recommend reading this whitepaper.

This whitepaper seems quite well written and covers a lot of interesting ground (although some of the content is repetitive). The four key sections it covers are Avenues to Compromise, Reducing the Active Directory Attack Surface, Monitoring Active Directory for Signs of Compromise, and Planning for Compromise.
I wanted to summarize the 5 key takeaways from this paper (below), but I also wanted to add that I was really surprised to see a glaring omission from this whitepaper, i.e. that of the #1 risk to Active Directory deployments today (more on that below).

(BTW, I happen to know a thing or two about Microsoft's Active Directory deployment because I had the opportunity to propose and perform a risk assessment of Microsoft’s global Active Directory deployment SEVEN years ago i.e. long before Bret was the CISO. One of the outcomes of that assessment was that Microsoft IT's Directory Services Team was moved under the IT Corporate Security team, for the first time in the history of Microsoft IT. But I digress.)

5 Key Active Directory Security Takeaways

The following, in my humble opinion, are the Top 5 key takeaways from this whitepaper –
1. Active Directory Security is Mission-Critical To Business

The very first thing that is noteworthy about it is that the Foreword of this whitepaper is by none other than Microsoft’s Chief Information Security Officer (CISO).
Quoting Bret Arsenault, Microsoft’s CISO – “Active Directory plays a critical role in the IT infrastructure, and ensures the harmony and security of different network resources in a global, interconnected environment.”

IMHO nothing conveys the criticality of Active Directory Security more than the CISO of Microsoft Corporation stating in clear words that “Active Directory plays a critical role in the IT infrastructure.”
At Paramount Defenses, we have been saying this for over 7 years now. It was about time that Microsoft too publicly acknowledged the importance of Active Directory Security, and I am glad to see that they finally have done so.

I do sincerely hope that CIOs across the world are listening to what Bret has to say, and taking this seriously, in their own best interest, and of course in the best interest of their employees, customers, partners and shareholders.

2. Active Directory Security Incidents (Compromises) Do and Have Occurred

IT personnel and management at so many organizations worldwide continue to think that Active Directory security incidents do not occur, and/or that the likelihood of occurrence in their organizations is low. Well, here’s a snippet from this whitepaper that might encourage them to give this fallacy a second thought – 

“Much of the content of this document is derived from the ADSA (Active Directory Security Assessment) and other ACE (Assessment, Consulting and Engineering) Team assessments performed for compromised customers and customers who have not experienced significant compromise.”

The fact that much of the content of this document has been derived from assessments performed at compromised customers clearly indicates that there have been enough Active Directory security incidents (compromises) to warrant the issuance of such guidance from Microsoft IT and to provide sufficient content for an entire whitepaper on Active Directory Security.


In fact, the introduction to the Avenues to Compromise section reads as follows – “This section provides information about some of the most commonly leveraged vulnerabilities we have found to be used by attackers to compromise customers’ infrastructures. This section begins with general categories of vulnerabilities and how they are leveraged to initially penetrate customers’ infrastructures, propagate compromise across additional systems, and eventually target AD DS and domain controllers to obtain complete control of organizations’ forests.”

Need one say more?

3. The #1 Mitigation Step is to reduce the Number of Privileged Administrative Accounts

The introduction to the section on Reducing the Attack Surface begins – “This section begins by providing background information about privileged accounts and groups in Active Directory to provide the information that helps clarify the reasons for the subsequent recommendations for securing and managing privileged groups and accounts. We then discuss approaches to reduce the need to use highly privileged accounts for day-to-day administration, which does not require the level of privilege that is granted to groups such as the Enterprise Admins (EA), Domain Admins (DA), and Built-in Administrators (BA) groups in Active Directory. Next, we provide guidance for securing the privileged groups and accounts and for implementing secure administrative practices and systems.”

At Paramount Defenses, we have been saying for years now that nothing is more important than minimizing the number of privileged administrative accounts in Active Directory by delegating all non-critical administrative tasks based on the principle of least privilege access (LPA), and ensuring that you know exactly who can do what in your Active Directory deployments, because the compromise of a single privileged administrative account/group is tantamount to the compromise of the entire Active Directory.

Also, as any Active Directory security expert will tell you, it is not sufficient to minimize the membership of the default privileged administrative groups. In order to achieve true security, you have to know exactly who can perform which administrative tasks on which IT resources in Active Directory, because the ability to perform a single administrative task could be sufficient to take over the Active Directory.

For instance, a user John Doe may not be a member of any default administrative group, but if he effectively has the ability to modify the membership of any administrative group, or reset the password of any administrative account, he is effectively just one step away from being a privileged administrator himself.

Incidentally, the only way to know for sure exactly who has what privileged access in Active Directory is to perform an Active Directory Effective Access Audit to find out who really (i.e. effectively) has what administrative access provisioned in AD.

4. Active Directory Auditing only helps see Signs of Compromise

Most organizations view Active Directory Auditing as the #1 Active Directory security risk mitigation measure, but in fact, its use is primarily limited to delivering accountability and helping see signs of compromise.

The introduction to the section titled Monitoring Active Directory for Signs of Compromise reads – “Whether you have implemented robust SIEM in your environment or are using other mechanisms to monitor the security of the infrastructure, this section provides information that can be used to identify events on Windows systems that may indicate that an organization is being attacked.”

If you’re looking at an event in an event log, the administrative task / access corresponding to that event has already occurred. The keyword here is “already” meaning that it is in the past.

Should that event indicate the occurrence of a malicious action, then that action has ALREADY taken place. In other words, the system has already been compromised; now, all you can do is react to it, by trying to contain it if possible, and/or investigate for legal/accountability purposes. In other words, you’re reacting to a security incident.

Now, because no action can be performed without authorization, whether explicit, or implicit, the fact that someone was able to enact a specific action implies that he/she had sufficient effective access to be able to do so. He/she may not be supposed to have that access by policy, but it was effectively provisioned in the system, which is the only reason, he/she was able to carry out that action.

In most organizations today, no one really knows who has what effective access, and thus they’re operating in the proverbial dark, relying on auditing to give them some clue as to the misuse of excessive (unauthorized/unintended) access in Active Directory deployments.

On the other hand, if one knows exactly who can do what, one can have the assurance of knowing exactly who has the authorization to take a specific action to begin with, and that is SO MUCH BETTER than having no idea, and then relying on auditing to let you know that someone has ALREADY done something bad.

In that regard, a proactive Active Directory Audit of Effective Access is substantially more valuable than Active Directory Auditing, and in fact is an activity that should be performed by every organization on a periodic basis, ideally once a week, and at least once a month, because access changes frequently.
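As an added example of what “seeing signs of compromise” looks like in practice (this is not code from the whitepaper or from this post), the PowerShell below parses Security-log events in the XML form that Get-WinEvent’s ToXml() returns and flags the two actions discussed above: a member added to a privileged group (events 4728, 4732 and 4756) and a password reset on a privileged account (event 4724). The privileged groups are recognised by their well-known RIDs rather than by display name; the watch-list of account names and the sample event at the bottom are constructed for illustration only.

```powershell
# Added example (not from the whitepaper or the post): flag Security-log events that
# record the two "easiest avenues" -- a member added to a privileged group, or a
# password reset on a privileged account. Input is event XML as returned by
# Get-WinEvent's .ToXml(); the sample at the bottom is constructed, not a real record.

# Well-known identifiers: RID suffixes for domain groups, full SID for BUILTIN\Administrators
$PrivilegedGroupSids = @{
    '-512'         = 'Domain Admins'
    '-518'         = 'Schema Admins'
    '-519'         = 'Enterprise Admins'
    'S-1-5-32-544' = 'Administrators'
}
# Hypothetical watch list of administrative account names; replace with your own
$PrivilegedAccounts = @('da-alice', 'da-bob')

function Get-PrivilegedGroupName {
    param([string]$Sid)
    foreach ($key in $PrivilegedGroupSids.Keys) {
        if ($Sid -eq $key -or $Sid.EndsWith($key)) { return $PrivilegedGroupSids[$key] }
    }
    return $null
}

function Test-PrivilegedChange {
    # Returns a summary object when the event touches a privileged group or account, else $null
    param([Parameter(Mandatory)][xml]$EventXml)
    $ev = $EventXml.Event
    $d  = @{}
    foreach ($item in $ev.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $id     = [int]$ev.System.EventID
    $time   = $ev.System.TimeCreated.SystemTime
    $actor  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
    $action = $null
    switch ($id) {
        # 4728/4732/4756: member added to a security-enabled global/local/universal group
        { $_ -in 4728, 4732, 4756 } {
            $group = Get-PrivilegedGroupName $d.TargetSid
            if ($group) { $action = "added $($d.MemberName) to $group" }
        }
        # 4724: an attempt was made to reset an account's password
        4724 {
            $isAdmin = ($d.TargetSid -like '*-500') -or ($PrivilegedAccounts -contains $d.TargetUserName)
            if ($isAdmin) { $action = "reset password of $($d.TargetDomainName)\$($d.TargetUserName)" }
        }
    }
    if (-not $action) { return $null }
    [pscustomobject]@{ Time = $time; EventId = $id; Actor = $actor; Action = $action }
}

# Constructed sample event (not a real log entry): a helpdesk account adds a user to Domain Admins
$sample = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID><TimeCreated SystemTime="2013-08-27T10:15:00Z"/><Computer>DC01</Computer></System>
  <EventData>
    <Data Name="MemberName">CN=John Doe,OU=Staff,DC=corp,DC=example,DC=com</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-512</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data>
    <Data Name="SubjectUserName">helpdesk7</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
"@
Test-PrivilegedChange ([xml]$sample)

# On a domain controller (PowerShell 3+), run it over the live Security log instead:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756,4724} |
#     ForEach-Object { Test-PrivilegedChange ([xml]$_.ToXml()) } | Where-Object { $_ }
```

Two caveats a practitioner should keep in mind. These events are only written if the “Audit Security Group Management” and “Audit User Account Management” subcategories are enabled on the domain controllers, so the first thing to verify is the audit policy itself. And, as the post argues, every one of these events records an action that has already succeeded: the output tells you who did it, not who else could have.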

5. Accurate (Effective) Access Visibility is Mission-Critical To Active Directory Security

As you may know, most systems start in a known good secure state, and it is only over time, driven by access changes, that gaps start to appear between the "intended" state and the "actual" state, and over time, it is these gaps that become vulnerabilities that malicious entities identify and exploit.
Quoting from the first paragraph of the section on Avenues to Compromise – “In organizations that have experienced catastrophic compromise events, assessments usually reveal that the organizations have limited visibility into the actual state of their IT infrastructures, which may differ significantly from their “as documented” states. These variances introduce vulnerabilities that expose the environment to compromise, often with little risk of discovery until the compromise has progressed to the point at which the attackers effectively “own” the environment.”


The second paragraph continues – “Detailed assessments of these organizations’ AD DS configuration, public key infrastructures (PKIs), servers, workstations, applications, access control lists (ACLs), and other technologies reveal mis-configurations and vulnerabilities that, if remediated, could have prevented the initial compromise.”

In regards to vulnerabilities and mis-configurations in Active Directory content (i.e. the thousands of objects that reside in Active Directory), all Active Directory deployments are highly securable, because every IT resource can be adequately secured via its access control list (ACL), and most IT resources in Active Directory deployments start out adequately secured.

However, with the passage of time, the state of provisioned access changes quickly, and the “actual” state of provisioned access can deviate very quickly from the “documented” state of access, resulting in a situation wherein numerous vulnerabilities are introduced that can be identified and exploited to inflict damage and take over the Active Directory.

For example, one of the easiest ways to become a Domain Admin and gain complete control over an Active Directory deployment is to add one’s own account to the Domain Admins group. In order to do so, one only needs to find out who currently possesses the ability to change the membership of the Domain Admins group.

In 99% of organizations worldwide, there is a “documented” list which states the identities of individuals who should be able to do so, and there is the “actual” list, which is the list of individuals who can currently effectively change the membership of the Domain Admins group, and in 100% of these organizations, these two lists are not identical.

In fact, there are always more individuals who can change this group’s membership than there are individuals on the “documented” list. The “actual” list can be put together by anyone with a domain user account and some Windows security knowledge, and used to identify at least one non administrative individual who has sufficient privilege to modify this group’s membership. This one individual then becomes the easiest avenue to obtaining privileged and unrestricted administrative access in the Active Directory deployment.

This is why it is very important (in fact paramount) to always have accurate visibility into who really has what effective access on which objects in Active Directory. At a minimum, organizations must always know exactly who can modify administrative group memberships and reset administrative account passwords, because these two tasks are the easiest avenues to gaining administrative power in Active Directory.

It is never easy to keep track of access in medium to large systems, which is why vulnerabilities exist to begin with. The ability to identify access vulnerabilities in Active Directory quickly and reliably can go a long way in identifying and eliminating vulnerabilities, and thus substantially help ensure security.
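The two checks the post describes, in the John Doe example in takeaway 3 and in the Domain Admins example just above, as an added PowerShell example: who is granted the ability to write the member attribute of Domain Admins, and who is granted the Reset Password right on the built-in Administrator account. This is not the post’s or Paramount Defenses’ tooling and not code from the whitepaper. It reads each object’s DACL with the ActiveDirectory module, keeps the Allow ACEs that grant the right in question (or WriteDacl/WriteOwner, which let a trustee grant it to themselves), expands group trustees to users, and diffs the result against a “documented” list that is hypothetical here. The two GUIDs are the schema constants for the member attribute and the Reset Password control access right.

```powershell
# Added example (not the post's or Paramount Defenses' tooling, not from the whitepaper).
# Answers two questions from the post for one object each: who can write the "member"
# attribute of Domain Admins, and who can reset the built-in Administrator's password.
# Requires the ActiveDirectory (RSAT) module and any domain account that can read ACLs.
Import-Module ActiveDirectory

$R = [System.DirectoryServices.ActiveDirectoryRights]
# Schema constants: the "member" attribute and the "Reset Password" control access right
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$ResetPasswordGuid   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-GrantedTrustee {
    # Allow ACEs on $ObjectDN that grant $Right on $Guid (or on all properties/rights, i.e.
    # an empty ObjectType), plus WriteDacl/WriteOwner, which let a trustee grant it to themselves.
    # Deny ACEs are deliberately not evaluated here, so the result is an over-approximation.
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][Guid]$Guid,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Right
    )
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights   = $ace.ActiveDirectoryRights
        $onTarget = ($ace.ObjectType -eq $Guid) -or ($ace.ObjectType -eq [Guid]::Empty)
        # GenericAll/GenericWrite carry the WriteProperty bit, so HasFlag catches them too
        $direct   = $onTarget -and $rights.HasFlag($Right)
        $indirect = $rights.HasFlag($R::WriteDacl) -or $rights.HasFlag($R::WriteOwner)
        if ($direct -or $indirect) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Expand-Trustee {
    # Resolves a trustee (DOMAIN\Name or SID) to user sAMAccountNames, expanding groups recursively.
    # Trustees that are not AD objects (NT AUTHORITY\SYSTEM, SELF, ...) are returned as-is.
    param([Parameter(Mandatory)][string]$Account)
    try {
        $sid = if ($Account -like 'S-1-*') { $Account } else {
            ([System.Security.Principal.NTAccount]$Account).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName
    } catch { $obj = $null }
    if (-not $obj) { return $Account }
    if ($obj.ObjectClass -eq 'group') {
        return Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
               Where-Object objectClass -eq 'user' | ForEach-Object SamAccountName
    }
    if ($obj.sAMAccountName) { return $obj.sAMAccountName }
    return $Account
}

$domain  = Get-ADDomain
$daDN    = "CN=Domain Admins,CN=Users,$($domain.DistinguishedName)"
$adminDN = (Get-ADUser -Identity "$($domain.DomainSID)-500").DistinguishedName

# 1. Who can change Domain Admins membership (the "actual" list) versus a documented list
$writers = Get-GrantedTrustee -ObjectDN $daDN -Guid $MemberAttributeGuid -Right WriteProperty
$writers | Format-Table -AutoSize
$actual     = $writers | ForEach-Object { Expand-Trustee $_.Trustee } | Sort-Object -Unique
$documented = @('da-alice', 'da-bob')   # hypothetical; replace with your own documented list
Compare-Object -ReferenceObject $documented -DifferenceObject $actual |
    Where-Object SideIndicator -eq '=>' |
    ForEach-Object { "Not documented but can change Domain Admins membership: $($_.InputObject)" }

# 2. Who can reset the built-in Administrator account's password
Get-GrantedTrustee -ObjectDN $adminDN -Guid $ResetPasswordGuid -Right ExtendedRight | Format-Table -AutoSize
```

This is a view of one object’s DACL, not the effective access the post calls for, and it is worth being explicit about the gap. Deny ACEs are skipped, so a trustee listed here might in fact be denied; a trustee that appears as a group the script cannot expand (for example Authenticated Users) is itself the finding. Domain Admins and the built-in Administrator are protected accounts, so SDProp rewrites their DACLs from CN=AdminSDHolder,CN=System about once an hour, which means the ACL that actually matters is AdminSDHolder’s. And the script does not follow the chain the post describes: anyone who can reset the password of a listed trustee, or change the membership of a listed group, is one step away from the same result, which is exactly why the post insists on knowing effective access rather than reading any single ACL.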
I'm sure there are other takeaways from the whitepaper as well, but these were the most interesting ones in my humble opinion. I'm a big believer in "Prevention is better than cure" because not everything is easy to cure, especially an Active Directory security compromise, so while I found the sections on Planning for Compromise interesting, I sincerely hope no organization ever needs to use that information, though every organization should be ready to.

One Glaring Omission

Microsoft IT has done a good job of providing both information on key threats to Active Directory and actionable guidance on how to enhance Active Directory security. In regards to the threats, they’ve rightly pointed out that the single biggest target in Active Directory deployments is the set of administrative accounts and groups that can easily be targeted in an attempt to compromise Active Directory, and they have mentioned some of the top attack vectors, including the pass-the-hash (PTH) attack vector.

But there was NO mention whatsoever of the #1 risk to Active Directory deployments.

The omission of the #1 risk to Active Directory is intriguing. Perhaps it is intentional, or perhaps, even Microsoft IT does not know what the #1 risk to Active Directory deployments is.
(The latter I find a little hard to believe, although it is not out of the realm of possibilities because there was hardly any coverage in the whitepaper on one of the most important areas of Active Directory Security, which is so extensively used worldwide, and to which the #1 risk is related.)

Anyway, since we’re about to declassify it shortly, if Microsoft IT does not know about it yet, they too will know about it, shortly, along with the rest of the world.

All in all, this whitepaper is a must-read and I highly recommend it. Although there seems to be some duplication of content within the whitepaper, there is still much information of value to learn from.

Kindest regards,

PS: You may find this interesting as well - Responding to a Domain Admin Account Compromise

Monday, August 12, 2013

The "Pass-The-Hash" (PTH) Attack is NOT the Top (#1) Security Risk to Microsoft Windows Server / Active Directory Environments


Hope you're well. Sorry for the momentary absence. Time to blog is just not a luxury I can afford these days given my responsibilities. However, I did want to take a few moments to share a thought on something that so many believe is the #1 risk to Active Directory deployments...

Pass-the-Hash (PTH) Attack

... it is widely believed that the Pass-The-Hash (PTH) attack is the #1 attack against Active Directory deployments, primarily because it can be used to easily obtain administrative access i.e. the keys to the kingdom in Active Directory deployments.

It is undoubtedly a powerful attack vector because, with the right tooling, it provides an insider a relatively easy way to obtain powerful, unrestricted administrative access in an Active Directory environment.

However, it is most certainly NOT the top attack vector against Active Directory. There is at least ONE attack vector which makes it far easier to obtain administrative access in Active Directory deployments than does the PTH attack vector.

Unlike the pass-the-hash attack vector, which requires the victim’s credential material to be present on a computer the attacker has already compromised, the #1 attack vector has no such requirement. In fact, it does not require the victim to log on to any particular computer, and it most certainly does not require advanced tooling such as hash capture and replay tools.

(If only folks who built these sophisticated hash capture and replay tools would've thought out-of -the-box, they could've saved themselves a lot of painstaking effort. Oh well, I suppose if they were Active Directory security experts, they would have figured this out way back.)

The attack vector I am referring to is far easier to carry out than the PTH attack vector, and it can be carried out by any insider, without requiring any technical know-how or hacking prowess. In fact, its attack surface is substantially vaster, and with the right tooling, it could be used to obtain administrative access in Active Directory environments almost instantly.

(The good news is that, with the right capabilities, it can be reliably mitigated (more on that later), and it doesn't require the use of advanced security measures such as Authentication Mechanism Assurance.)

We have reason to believe that certain Advanced Persistent Threats may have gotten wind of it, and may be in the process of developing exploits, so to help organizations worldwide put adequate risk mitigation measures in place before such exploits make their way, we'll share the knowledge of this attack vector and its mitigation shortly.

The only other thing I'll add is that it is not based on any classified information. In fact it is based on a very logical premise, and if anything, only involves a little bit of novel thinking and common sense. However, as goes the old saying, "common sense is not so common."

I'll share it with you on Sep 12, 2013 on this blog. Until then, here's a hint - Top 5 Active Directory Security Risks

September 12, 2013 Update: Here is the link to the declassified risk -

Best wishes,

PS: What surprises me is that even prominent cyber security experts don't seem to have a clue about this specific vector!