If you’re a part of the Microsoft ecosystem, in all
likelihood, you already know how valuable Active Directory is to Microsoft's Windows Server ecosystem, and how
important the security of Active Directory deployments is to organizations worldwide.
(For those of you who don’t, Active Directory is the very
foundation of cyber security in every organization whose IT infrastructure is
powered by Microsoft Windows Server i.e. about 85% of all organizations worldwide.)
As you may also know, Microsoft's own global Active Directory
deployment is one of the world’s most prominent and important Active Directory
deployments, as it serves as the foundation for Microsoft’s global
organizational security infrastructure.
Microsoft IT’s Best Practices for Securing Active Directory
Earlier this year, Microsoft IT released a whitepaper titled Best Practices for Securing Active Directory, which encompasses experience from several hundred Active Directory security assessments, critical incident responses, and recovery engagements – Best Practices for Securing Active Directory.
This whitepaper seems quite well written and covers a lot of interesting ground (although a bit of the content seems repetitive). The four key sections it covers are Avenues to Compromise, Reducing the Active Directory Attack Surface, Monitoring Active Directory for Signs of Compromise, and Planning for Compromise.
(BTW, I happen to know a thing or two about Microsoft's Active Directory deployment because I had the opportunity to propose and perform a
risk assessment of Microsoft’s global Active Directory deployment SEVEN years
ago i.e. long before Bret was the CISO. One of the outcomes of that assessment was that Microsoft IT's Directory
Services Team was moved under the IT Corporate Security team, for the first
time in the history of Microsoft IT. But I digress.)
5 Key Active Directory Security Takeaways
The following, in my humble opinion, are the Top 5 key takeaways from this whitepaper –
1. Active Directory Security is Mission-Critical To Business
The very first thing that is noteworthy about it is that the Foreword of this whitepaper is by none other than Microsoft’s Chief Information Security Officer (CISO).
Quoting Bret Arsenault, Microsoft’s CISO – “Active Directory plays a critical role in
the IT infrastructure, and ensures the harmony and security of different
network resources in a global, interconnected environment.”
IMHO nothing conveys the criticality of Active Directory Security more than the CISO of Microsoft Corporation stating in clear words that “Active Directory plays a critical role in the IT infrastructure”.
At Paramount Defenses, we have been saying this for over 7 years now. It was about time that Microsoft too publicly acknowledged the importance of Active Directory Security, and I am glad to see that they finally have done so.
I do sincerely hope that CIOs across the world are listening to what Bret has to say, and taking this seriously, in their own best interest, and of course in the best interest of their employees, customers, partners and shareholders.
2. Active Directory Security Incidents (Compromises) Do and Have Occurred
IT personnel and management at so many organizations worldwide continue to think that Active Directory security incidents do not occur, and/or that the likelihood of occurrence in their organizations is low. Well, here’s a snippet from this whitepaper that might encourage them to give this fallacy a second thought –
“Much of the content
of this document is derived from the ADSA (Active Directory Security
Assessment) and other ACE (Assessment, Consulting and Engineering) Team
assessments performed for compromised customers and customers who have not
experienced significant compromise.”
The fact that much of the content of this document has been
derived from assessments performed at compromised customers clearly indicates
that there have been enough Active Directory security incidents (compromises)
to warrant the issuance of such guidance from Microsoft IT and to provide sufficient content for an entire whitepaper on Active Directory
Security.
In fact, the introduction to the Avenues to Compromise section reads as follows – “This section
provides information about some of the most commonly leveraged vulnerabilities
we have found to be used by attackers to compromise customers’ infrastructures.
This section begins with general categories of vulnerabilities and how they are
leveraged to initially penetrate customers’ infrastructures, propagate
compromise across additional systems, and eventually target AD DS and domain
controllers to obtain complete control of organizations’ forests.”
Need one say more?
3. The #1 Mitigation Step is to reduce the Number of Privileged Administrative Accounts
The introduction to the section on Reducing the Active Directory Attack Surface begins with exactly this topic – “This section begins by providing background information about
privileged accounts and groups in Active Directory to provide the information
that helps clarify the reasons for the subsequent recommendations for securing
and managing privileged groups and accounts. We then discuss approaches to
reduce the need to use highly privileged accounts for day-to-day
administration, which does not require the level of privilege that is granted
to groups such as the Enterprise
Admins (EA), Domain Admins (DA), and Built-in Administrators (BA) groups in
Active Directory. Next, we provide guidance for securing the privileged groups
and accounts and for implementing secure administrative practices and systems.”
At Paramount Defenses, we have been saying for years now that nothing is more important than minimizing the number of privileged administrative accounts in Active Directory, by delegating all non-critical administrative tasks based on the principle of least privilege access (LPA) and by ensuring that you know exactly who can do what in your Active Directory deployments, because the compromise of a single privileged administrative account or group is sufficient to, and tantamount to, compromise of the entire Active Directory.
Also, as any Active Directory security expert will
tell you, it is not sufficient to minimize the membership of the default
privileged administrative groups. In order to achieve true security, you have
to know exactly who can perform which administrative tasks on which IT
resources in Active Directory, because the ability to perform a single
administrative task could be sufficient to take over the Active Directory.
For instance, a user John Doe may not be a member of any
default administrative group, but if he effectively has the ability to modify
the membership of any administrative group, or reset the password of any
administrative account, he is effectively just one step away from being a
privileged administrator himself.
Incidentally, the only way to know for sure exactly who has
what privileged access in Active Directory is to perform an Active Directory Effective Access Audit to find out who really (i.e. effectively) has what administrative access provisioned in AD.
4. Active Directory Auditing only helps see Signs of Compromise
Most organizations view Active Directory Auditing as the #1
Active Directory security risk mitigation measure, but in fact, its use is
primarily limited to delivering accountability and helping see signs of
compromise.
The introduction to the section titled Monitoring Active Directory for Signs of Compromise reads – “Whether
you have implemented robust SIEM in your environment or are using other
mechanisms to monitor the security of the infrastructure, this section provides
information that can be used to identify events on Windows systems that may
indicate that an organization is being attacked.”
If you’re looking at an event in an event log, the
administrative task / access corresponding to that event has already occurred.
The keyword here is “already” meaning that it is in the past.
Should that
event indicate the occurrence of a malicious action, then that action has
ALREADY taken place. In other words, the system has already been compromised;
now, all you can do is react to it, by trying to contain it if possible, and/or
investigate for legal/accountability purposes. In other words, you’re reacting
to a security incident.
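To make concrete what it means that an audited event records an action that has already taken place, here is an added example (not code from the post or from the whitepaper) that runs a small detection rule over constructed Windows security-audit events. It flags additions to privileged groups (event IDs 4728, 4732 and 4756, the standard "member added to a security-enabled group" events) and password resets on administrative accounts (event ID 4724), and reports how long the flagged action had already been in effect by the time someone looked at the log. The log lines are constructed in a simplified key=value form rather than the real event XML, and the privileged-group and admin-account lists are assumptions.

```python
"""Flag privileged-group membership changes and admin password resets in
Windows security-audit events (constructed sample data).

Added example, not part of the original post. Event IDs are the standard
Windows ones: 4728/4732/4756 = member added to a security-enabled
global/local/universal group, 4724 = an attempt was made to reset an
account's password. The sample lines are constructed in a simplified
"<ISO timestamp> <event id> key=value ..." form, not the real event XML.
"""
import re
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
ADMIN_ACCOUNTS = {"alice", "da-svc"}          # assumed list of admin accounts
GROUP_ADD_EVENTS = {4728, 4732, 4756}
PASSWORD_RESET_EVENT = 4724

# Constructed sample log: a routine helpdesk change, then two privileged actions.
SAMPLE_LOG = """\
2013-06-14T09:12:01Z 4728 SubjectUserName=helpdesk1 TargetUserName=Helpdesk-L1 MemberName=dave
2013-06-14T09:13:40Z 4724 SubjectUserName=helpdesk1 TargetUserName=dave
2013-06-14T09:15:07Z 4728 SubjectUserName=john.doe TargetUserName=Domain Admins MemberName=john.doe
2013-06-14T09:16:22Z 4724 SubjectUserName=john.doe TargetUserName=alice
2013-06-14T09:17:05Z 4624 SubjectUserName=alice LogonType=2
"""

# key=value pairs; a value runs until the next " key=", so values may hold spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_time(text):
    """Parse an ISO-8601 UTC timestamp such as 2013-06-14T09:15:07Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_line(line):
    """Turn one sample line into a dict with 'time', 'id' and the named fields."""
    stamp, event_id, rest = line.split(" ", 2)
    fields = dict(FIELD_RE.findall(rest))
    return {"time": parse_time(stamp), "id": int(event_id), **fields}


def detect(log_text):
    """Return alerts for events that touch privileged groups or admin accounts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        target = ev.get("TargetUserName")
        if ev["id"] in GROUP_ADD_EVENTS and target in PRIVILEGED_GROUPS:
            alerts.append({"time": ev["time"], "kind": "privileged_group_member_added",
                           "actor": ev.get("SubjectUserName"), "target": target,
                           "member": ev.get("MemberName")})
        elif ev["id"] == PASSWORD_RESET_EVENT and target in ADMIN_ACCOUNTS:
            alerts.append({"time": ev["time"], "kind": "admin_password_reset",
                           "actor": ev.get("SubjectUserName"), "target": target,
                           "member": None})
    return alerts


def reaction_lag(alerts, reviewed_at):
    """Seconds between the earliest flagged action and the moment the log was
    reviewed: the action had already been complete for at least this long."""
    if not alerts:
        return None
    first = min(a["time"] for a in alerts)
    return int((parse_time(reviewed_at) - first).total_seconds())


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a["time"].isoformat(), a["kind"], a["actor"], "->", a["target"], a["member"] or "")
    print("seconds already elapsed at review:", reaction_lag(found, "2013-06-14T10:00:00Z"))
```

On the constructed sample the rule raises two alerts, both for john.doe, and a review at 10:00 finds the group change already 2693 seconds old. That is the point of the section: the log tells you who did what, and when, only once it has been done.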
Now, because no action can be performed without authorization, whether explicit or implicit, the fact that someone was able to enact a specific action implies that he/she had sufficient effective access to be able to do so. He/she may not be supposed to have that access by policy, but it was effectively provisioned in the system, which is the only reason he/she was able to carry out that action.
In most organizations today, no one really knows who has
what effective access, and thus they’re operating in the proverbial dark,
relying on auditing to give them some clue as to the misuse of excessive
(unauthorized/unintended) access in Active Directory deployments.
On the other hand, if one knows exactly who can do what, one
can have the assurance of knowing exactly who has the authorization to take a
specific action to begin with, and that is SO MUCH BETTER than having no idea,
and then relying on auditing to let you know that someone has ALREADY done
something bad.
In that regard, a proactive Active Directory Audit of
Effective Access is substantially more valuable than Active Directory Auditing,
and in fact is an activity that should be performed by every organization on a
periodic basis, ideally once a week, and at least once a month, because access
changes frequently.
5. Accurate (Effective) Access Visibility is Mission-Critical To Active Directory Security
As you may know, most systems start in a known good secure state, and it is only over time, driven by access changes, that gaps start to appear between the "intended" state and the "actual" state; over time, it is these gaps that become vulnerabilities that malicious entities identify and exploit.
Quoting from the first paragraph of the section on Avenues
to Compromise – “In organizations that
have experienced catastrophic compromise events, assessments usually reveal
that the organizations have limited visibility into the actual state of their
IT infrastructures, which may differ significantly from their “as documented”
states. These variances introduce vulnerabilities that expose the environment
to compromise, often with little risk of discovery until the compromise has
progressed to the point at which the attackers effectively “own” the
environment.”
The second paragraph continues to read – “Detailed assessments of these organizations’
AD DS configuration, public key infrastructures (PKIs), servers, workstations,
applications, access control lists (ACLs), and other technologies reveal mis-configurations and
vulnerabilities that, if remediated, could have prevented the initial
compromise.”
In regards to vulnerabilities and mis-configurations in Active Directory content (i.e. the thousands of objects that reside in Active Directory), all Active Directory deployments are highly securable, because every IT resource is adequately securable via its access control list (ACL), and most IT resources in Active Directory deployments start out being adequately secured initially.
However, with the passage of time, the state of provisioned
access changes quickly, and the “actual” state of provisioned access can
deviate very quickly from the “documented” state of access, resulting in a
situation wherein numerous vulnerabilities are introduced that can be
identified and exploited to inflict damage and take over the Active Directory.
For example, one of the easiest ways to become a Domain
Admin and gain complete control over an Active Directory deployment is to add
one’s own account to the Domain Admins
group. In order to do so, one only needs to find out who currently possesses
the ability to change the membership of the Domain
Admins group. In 99% of organizations worldwide, there is a “documented” list which states the identities of individuals who should be able to do so, and there is the “actual” list, which is the list of individuals who can currently effectively change the membership of the Domain Admins group, and in 100% of these organizations, these two lists are not identical.
In fact, there are always more individuals who can change this
group’s membership than there are individuals on the “documented” list. The
“actual” list can be put together by anyone with a domain user account and some
Windows security knowledge, and used to identify at least one non
administrative individual who has sufficient privilege to modify this group’s
membership. This one individual then becomes the easiest avenue to obtaining
privileged and unrestricted administrative access in the Active Directory
deployment.
This is why it is very important (in fact paramount) to
always have accurate visibility into who really has what effective access on
which objects in Active Directory. At a minimum, organizations must always know
exactly who can modify administrative group memberships and reset
administrative account passwords, because these two tasks are the easiest
avenues to gaining administrative power in Active Directory.
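The effective-access idea behind takeaway 3 (John Doe, a member of no administrative group, who can nonetheless modify an administrative group's membership) and the two tasks singled out just above (changing a privileged group's membership and resetting an administrative account's password) can be made concrete with the following added example. It is not code from the whitepaper or from Paramount Defenses: it takes a set of access control entries on the Domain Admins group object and on an admin account, expands nested group memberships, works out which users can effectively perform each task, and diffs that "actual" list against a "documented" one. Every ACE, group, user and right-to-task mapping below is constructed; a real audit would read each object's security descriptor and the group objects it names from the directory, and the way Deny entries are applied here is a stated simplification.

```python
"""Effective-access audit for two privileged tasks (constructed data).

Added example, not from the whitepaper or from Paramount Defenses. The ACEs,
groups and users below are constructed; a real audit would read each object's
security descriptor and the group objects it names from the directory.
"""

# Rights that give control of an object outright: the holder can do the task
# directly or can first grant themselves whatever right the task needs.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}

# The specific right each task needs when no control right is present:
# (right, attribute or extended right). attribute=None in an ACE means "all".
TASKS = {
    "change membership": ("WriteProperty", "member"),
    "reset password":    ("ExtendedRight", "User-Force-Change-Password"),
}

# Constructed ACEs, as (ace_type, trustee, right, attribute), on two objects.
DOMAIN_ADMINS_ACL = [
    ("Allow", "Domain Admins",  "GenericAll",    None),
    ("Allow", "Helpdesk-Tier2", "WriteProperty", "member"),  # old delegation, forgotten
    ("Allow", "Backup-Ops",     "WriteDacl",     None),      # can rewrite the ACL itself
    ("Deny",  "Contractors",    "WriteProperty", "member"),
    ("Allow", "Domain Users",   "ReadProperty",  None),      # read only, harmless
]
ALICE_ACL = [   # alice is a documented Domain Admin
    ("Allow", "Domain Admins",  "GenericAll",    None),
    ("Allow", "Helpdesk-Tier2", "ExtendedRight", "User-Force-Change-Password"),
]

# Constructed group membership: group -> direct members (users or groups).
MEMBERS = {
    "Domain Admins":  {"alice"},
    "Helpdesk-Tier2": {"bob", "Helpdesk-L1"},
    "Helpdesk-L1":    {"john.doe", "eve"},
    "Backup-Ops":     {"carol"},
    "Contractors":    {"eve"},
    "Domain Users":   {"alice", "bob", "carol", "dave", "eve", "john.doe"},
}


def users_of(trustee, members=MEMBERS):
    """Expand a trustee to the users it covers, following nested groups.
    A name that is not a known group is taken to be a user; the visited set
    guards against membership cycles."""
    users, stack, seen = set(), [trustee], set()
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        if name in members:
            stack.extend(members[name])
        else:
            users.add(name)
    return users


def grants(right, attribute, task):
    """True if an ACE carrying this right/attribute lets its holder do `task`."""
    if right in CONTROL_RIGHTS:
        return True
    needed_right, needed_attr = TASKS[task]
    return right == needed_right and attribute in (None, needed_attr)


def effective_holders(acl, task, members=MEMBERS):
    """Users who can effectively perform `task` on the object guarded by `acl`.
    Simplification (an assumption of this example): any Deny that reaches a
    user overrides any Allow; real Windows evaluation also orders explicit ACEs
    before inherited ones, which this data does not model."""
    allowed, denied = set(), set()
    for ace_type, trustee, right, attribute in acl:
        if grants(right, attribute, task):
            (allowed if ace_type == "Allow" else denied).update(users_of(trustee, members))
    return allowed - denied


def access_gap(documented, actual):
    """(undocumented, missing): users who can act but are not on the documented
    list, and documented users who in fact cannot."""
    documented = set(documented)
    return sorted(actual - documented), sorted(documented - actual)


if __name__ == "__main__":
    for label, acl, task in (("Domain Admins", DOMAIN_ADMINS_ACL, "change membership"),
                             ("alice", ALICE_ACL, "reset password")):
        actual = effective_holders(acl, task)
        extra, missing = access_gap(["alice"], actual)
        print(f"{task} on {label}: actual={sorted(actual)} undocumented={extra} missing={missing}")
```

With this data the documented list for both tasks is just alice, but the effective list for changing Domain Admins membership is alice, bob, carol and john.doe (john.doe only through the nested Helpdesk-L1 group, carol only because WriteDacl lets her rewrite the ACL), and the effective list for resetting alice's password is alice, bob, eve and john.doe. Those are exactly the "actual list is longer than the documented list" gaps the post describes, and the comparison is what a periodic effective-access audit should produce.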
It is never easy to keep track of access in medium to large systems, which is why vulnerabilities exist to begin with. The ability to identify access vulnerabilities in Active Directory quickly and reliably can go a long way in identifying and eliminating vulnerabilities, and thus substantially help ensure security.
I'm sure there are other takeaways from the whitepaper as well, but these were the most interesting ones in my humble opinion. I'm a big believer in "Prevention is better than cure" because not everything is easy to cure, especially an Active Directory security compromise, so while I found the sections on Planning for Compromise interesting, I seriously do hope no organization needs to be in a situation wherein they actually have to use that information. They should be ready though, but I hope they never have to use it.
One Glaring Omission
Microsoft IT has done a good job at providing both information on key threats to Active Directory and actionable guidance on how to enhance Active Directory security. In regards to the threats, they’ve rightly pointed out that the single biggest target in Active Directory deployments is the administrative accounts and groups that can easily be targeted in an attempt to compromise Active Directory, and they have mentioned some of the top attack vectors, including the pass-the-hash (PtH) attack vector.
But there was NO mention whatsoever of the #1 risk to Active
Directory deployments.
The omission of the #1 risk to Active Directory is
intriguing. Perhaps it is intentional, or perhaps, even Microsoft IT does not
know what the #1 risk to Active Directory deployments is.
(The latter I find a
little hard to believe, although it is not out of the realm of possibilities
because there was hardly any coverage in the whitepaper on one of the most
important areas of Active Directory Security, which is so extensively used worldwide,
and to which the #1 risk is related.)
Anyway, since we’re about to declassify it shortly, if
Microsoft IT does not know about it yet, they too will know about it, shortly, along with the rest of the world.
All in all, this whitepaper is a must-read and I highly
recommend it. Although there seems to be some duplication of content within the
whitepaper, there is still much information of value to learn from.
Kindest regards,
Sanjay

PS: You may find this interesting as well – Responding to a Domain Admin Account Compromise