Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Friday, September 13, 2013

Active Directory Privilege Escalation based on Exploitation of Unauthorized Access Grants in Active Directory - The #1 Insider Threat to Organizations


Today, I will objectively substantiate not only why the risk I declassified yesterday (i.e. Active Directory Privilege Escalation based on Exploitation of Unauthorized Access Grants in Active Directory) is the #1 cyber security risk to Active Directory, but also why it is also the #1 insider threat to 85% of organizations worldwide -

The Building Blocks of Security in an Organization

In every IT infrastructure, there is a security infrastructure that is responsible for providing Authentication, Authorization and Auditing (AAA), which provides the foundation upon which all secure access is based i.e. it facilitates secure authenticated and authorized access to securable resources and it enables the auditing of access to these resources.

In the IT infrastructure of every organization in the world, no matter how small or large, there are 5 basic building blocks of the security infrastructure that together facilitate AAA / secure access to resources -
  1. The User Accounts (and their passwords/other credentials) that are used to uniquely identify and authenticate users
  2. The Computer Accounts that represent the computing devices in the system onto which users log on, and on which all computing occurs, i.e. your laptops, desktops, file servers, application servers, database servers etc.
  3. The Securable Resources to which access can be granted, i.e. files, directories, applications and their content, databases and their content, directory services and their content etc.
  4. The Security Groups that are used to aggregate users for the purposes of authorization
  5. The Auditing Mechanisms that enable the auditing of secure access to securable resources
Together, these User Accounts, Computer Accounts, Security Groups and the Auditing Mechanisms facilitate secure authenticated, authorized and auditable access to all Securable Resources in the organization's IT infrastructure, 24x7.

Where are the Building Blocks of Security Stored, Managed and Protected?

In IT infrastructures powered by Microsoft's Windows Server platform, i.e. in about 85% of IT infrastructures worldwide, these building blocks are stored and managed in, and protected by the Active Directory.

Specifically -
  1. All User Accounts and their passwords are stored in the Active Directory
  2. All Computer Accounts representing all domain-joined hosts are stored in the Active Directory
  3. All Securable Resources in turn are stored on domain-joined machines, which can be completely controlled via Group Policy from the Active Directory
  4. All Security Groups and their memberships, which are used to specify access to all Securable Resources (e.g. files, directories, shares, SharePoint portals etc.), are stored in the Active Directory
  5. All Auditing for identity & access management is done on Domain Controllers (i.e. the machines that host Active Directory)
In other words, it is Active Directory that stores and protects (directly or indirectly) the entirety of all security building blocks, as well as facilitates their management by administrative IT personnel.

What are the Consequences of the Compromise of These Building Blocks?

Now let us consider what the consequences of the compromise of any of these building blocks could be, and how they could impact organizational security.
Specifically -
  1. If a specific User Account, such as that of the CEO, is compromised, the attacker can instantly access everything the CEO has access to, including all confidential data, documents, groups, databases etc., as well as modify or destroy everything the CEO has modify access to.
  2. If a Computer Account, such as that of a file server that stores highly confidential information (e.g. trade secrets, blueprints, financials, customer records), is compromised, the entirety of the data stored on that server can be easily accessed, tampered with, divulged or destroyed.
  3. If a Securable Resource, such as the spreadsheet that contains the Earnings Numbers, can be accessed and leaked minutes before a public organization's Earnings Call, the untimely disclosure of that data could result in a loss of billions of dollars in market capitalization.
  4. If a Security Group such as Human Resources Personnel can be compromised, i.e. if an attacker can add his/her account to this group, all confidential information protected by that group, such as all employee records, can now be instantly accessed by that attacker.
  5. If the Auditing settings can be tampered with, then an attacker can disable auditing in the system before he/she proceeds to engage in other malicious tasks, thus ensuring that no trail of the malicious actions is left.
In other words, the amount of damage that can be done by an attacker who can compromise the very foundational building blocks of security is potentially colossal, and can result in serious consequences ranging from substantial monetary loss to reputational damage.

What is the Easiest Way for Someone to Compromise These Building Blocks?

In light of these consequences of the compromise of any of these building blocks, let us consider what is the easiest way that someone could use to compromise these building blocks.

Specifically -
  1. The easiest way to compromise a User Account is to reset the user's account's password to one of your choice (e.g. H@cked!) and then instantly log in as the user.
  2. The easiest way to compromise a Computer Account is to take over its computer account in Active Directory, and/or cause a Group Policy designed to take over the computer to be sent out to the computer via the trusted channel between the computer and the DC, by applying it to the OU in which the computer account resides.
  3. The easiest way to compromise any Securable Resource is to find out which Security Group has modify access to it, then just add your own account to that security group to instantly gain access.
  4. The easiest way to compromise a Security Group is to find out who can change its membership, compromise that individual's account by resetting their password, then log in as that individual and add your own account to the group.
  5. The easiest way to compromise Auditing is either to turn OFF auditing in the Active Directory, or to modify the SACL of objects to disable auditing on specific objects.
In other words, the easiest way to compromise the building blocks of security is to find out who has what access on them, then compromise their accounts to take control of the building blocks.

In Most Organizations, No One Knows Exactly Who can do What on these Building Blocks?

In most Active Directory deployments a large number of IT personnel currently possess the ability to perform various administrative tasks on these building blocks, but NO ONE really knows EXACTLY who can do what on these building blocks in their Active Directory deployments.

This, most simply put, is primarily because all of these building blocks are protected by Active Directory's security model, which makes it very easy to precisely provision secure access but lacks the ability to help IT personnel precisely assess/audit effective provisioned access.

As a result, although IT admins provision access for delegating administrative responsibilities frequently, due to the lack of a single point of control over both delegations and group memberships, as well as the sophistication of Active Directory's security model, they have no way of knowing whether access was in fact provisioned on the principle of least privilege, or whether they may have accidentally/inadvertently ended up granting additional IT personnel access that they should not ideally have. They also have no way to precisely assess/verify/audit provisioned access, so they continue fulfilling provisioning needs based on "approximations" and over time (years), the presence of excessive unauthorized administrative access in Active Directory deployments becomes pervasive.

As a result, IT admins may have an "approximate" idea of who has what access, but most do not have "precise" insight, and almost always, the difference between security and compromise is "precision" (referred to as "vulnerability" in security parlance.)
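The starting point for replacing that "approximate" picture with a precise one is to enumerate the grants themselves. The following script is an added example, not code from the blog post or from Paramount Defenses: it walks the user and group objects under one OU and lists every allow ACE that grants the Reset Password extended right, write access to the group "member" attribute, or a broad right (GenericAll, WriteDacl, WriteOwner) that leads to either. It assumes the ActiveDirectory (RSAT) module is installed; `$SearchBase` is a placeholder OU distinguished name. The two schema GUIDs are the real Active Directory values for the User-Force-Change-Password right and the member attribute.

```powershell
# Added example, not code from the blog post: list the allow ACEs on user and group
# objects under one OU that grant "Reset Password", write access to "member", or the
# broad rights (GenericAll/WriteDacl/WriteOwner) from which those can be reached.
# Assumes the ActiveDirectory (RSAT) module; $SearchBase is a placeholder to replace.
Import-Module ActiveDirectory

$SearchBase = 'OU=Corp,DC=example,DC=com'   # placeholder OU, replace with your own

# Schema GUIDs of the two grants that matter here (real AD schema values).
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$MemberAttrGuid    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # "member" attribute
$AnyObjectGuid     = [guid]'00000000-0000-0000-0000-000000000000'  # ACE not scoped to one right/attribute

$ADRights  = [System.DirectoryServices.ActiveDirectoryRights]
$BroadMask = $ADRights::GenericAll -bor $ADRights::WriteDacl -bor $ADRights::WriteOwner

# objectClass=user also matches computer accounts, since computer is a subclass of user.
$objects = Get-ADObject -SearchBase $SearchBase -LDAPFilter '(|(objectClass=user)(objectClass=group))'

$findings = foreach ($obj in $objects) {
    # The AD: drive created by the module exposes each object's security descriptor to Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # deny ACEs are not evaluated here

        $grant = $null
        if (($ace.ActiveDirectoryRights -band $BroadMask) -ne 0) {
            # GenericAll includes both bits below, so classify broad grants first.
            $grant = 'Broad'
        } elseif ((($ace.ActiveDirectoryRights -band $ADRights::ExtendedRight) -ne 0) -and
                  ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq $AnyObjectGuid)) {
            $grant = 'ResetPassword'
        } elseif ((($ace.ActiveDirectoryRights -band $ADRights::WriteProperty) -ne 0) -and
                  ($ace.ObjectType -eq $MemberAttrGuid -or $ace.ObjectType -eq $AnyObjectGuid)) {
            $grant = 'WriteMember'
        }

        if ($grant) {
            [pscustomobject]@{
                Object    = $obj.DistinguishedName
                Class     = $obj.ObjectClass
                Principal = $ace.IdentityReference.Value
                Grant     = $grant
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Sorted by principal so the output reads as "who can do what", the question the post raises.
$findings | Sort-Object Principal, Grant, Object | Format-Table -AutoSize
```

The output is a list of raw grants, not effective access: it ignores deny ACEs, owner rights and nested group membership, and a principal such as Authenticated Users on a single inherited ACE can cover far more people than the one row suggests. Its value is in surfacing the unexpected rows (an inherited ResetPassword grant to a helpdesk group on an OU that now holds executive accounts, for instance) so that effective access can then be worked out precisely for the objects that matter.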

ANY Insider Can Potentially Assess Security (Effective Access) on and Compromise these Building Blocks

Anyone with a domain user account, from IT Personnel to Executives, and from Executive Assistants to Contractors, can with some basic and readily available free tools EASILY access and analyze the universe of all security permissions that protect all of these building blocks, and with a little skill and sufficient time (hours/days/weeks), easily find out exactly who has what access over these building blocks, and (mis)use this information to compromise virtually any IT asset of choice.

The "little skill" requirement, as well as the "sufficient time" requirement, can be easily obviated by the availability of tools (e.g. an Active Directory Permissions Analysis Tool, or an Active Directory Password Reset Analysis Tool) that automate the determination of effective access in Active Directory.

Whether performed manually or via a tool, these access assessments are all read-only in nature, and thus IT personnel cannot audit or detect the occurrence of such an access assessment. Once completed, such an assessment can provide a very rich "road-map" of sorts to insiders, as to how to go about compromising anything from a basic file all the way to how to completely take over and control the entire Active Directory deployment.

The #1 Insider Threat to Organizations

For reasons stated below, I believe that Active Directory Privilege Escalation based on Exploitation of Unauthorized Access Grants in Active Directory, is the #1 insider threat to organizations today -

  1. It can be carried out by ANY insider, from highly technical delegated administrators to completely non-tech-savvy Executive Assistants. Tech-savvy individuals can use Microsoft's native tools (e.g. dsacls) to perform assessments, and non-tech-savvy individuals can use 3rd party tools (e.g. any Active Directory Password Reset Analysis Tool) to do so.
  2. The attack surface is VAST, because literally the entirety of all Active Directory content, i.e. any user account, computer account, security group, OU, GPO, Service Connection Point etc., is a potential target.
  3. The analysis part of the attack vector only involves READ access, which is NOT audited and cannot realistically be audited, and thus can hardly ever be detected.
  4. The exploitation part of the attack vector (i.e. the password resets or the group membership changes) literally takes seconds and can at best be responded to, meaning the damage would already have been done. In most cases, by the time someone responds, it would have been too late; e.g. sure, you can catch the individual who leaked the earnings report, but the damage (in billions of dollars) would already have been done.
  5. Unlike the sophisticated Pass-The-Hash (PtH) attack, this attack vector does not require ANYONE to LOGON to any machine. It only requires READ access to Active Directory, which everyone has, basic (e.g. dsacls) or advanced tooling (e.g. any Active Directory Permissions Analysis Tool), and the performance of basic tasks for which User Interfaces (e.g. the Active Directory Users and Computers Snap-In) are freely and readily available from Microsoft.

In light of the above, given the fact that ANY insider can enact this threat, the VAST attack surface, the inability to audit the core part of this attack vector (read-only effective permissions analysis) and the availability of the tooling required to enact this threat, it is clearly a very serious insider threat to organizations today.
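Since the read-only analysis leaves no trail, the exploitation step is the only part a defender can observe, and the post's point is that it must be caught as close to the event as possible. The script below is an added example, not code from the blog post or from Paramount Defenses: it pulls the last day of password-reset attempts (event 4724) and security-group member additions (4728, 4732, 4756) from a domain controller's Security log and turns each into an "actor, action, target" row. It assumes the "Audit User Account Management" and "Audit Security Group Management" subcategories are enabled on the DCs and that the caller can read the remote Security log; `$DomainController` is a placeholder.

```powershell
# Added example, not code from the blog post: summarise password resets and
# security-group membership additions recorded on one DC in the last 24 hours.
# Assumes account/group management auditing is enabled; $DomainController is a placeholder.
$DomainController = 'dc01.example.com'   # placeholder, replace with a real DC
$Since = (Get-Date).AddHours(-24)

# 4724: an attempt was made to reset an account's password
# 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group
$EventIds = 4724, 4728, 4732, 4756

$events = Get-WinEvent -ComputerName $DomainController `
    -FilterHashtable @{ LogName = 'Security'; Id = $EventIds; StartTime = $Since } `
    -ErrorAction SilentlyContinue

# Reads one named field from the event's EventData section.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    $isReset = ($e.Id -eq 4724)
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Actor  = Get-EventField $e 'SubjectUserName'
        Action = if ($isReset) { 'Password reset' } else { 'Member added' }
        # For 4724 the target is the account whose password was reset;
        # for the group events it is the group, and MemberName is the account added.
        Target = Get-EventField $e 'TargetUserName'
        Member = if ($isReset) { '' } else { Get-EventField $e 'MemberName' }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# A reset of an account that itself holds delegated rights, followed within minutes by
# a group addition made by that same account, is the two-step pattern the post describes.
$resetThenUsed = foreach ($r in $rows) {
    if ($r.Action -eq 'Password reset') {
        $rows | Where-Object { $_.Action -eq 'Member added' -and $_.Actor -eq $r.Target -and $_.Time -gt $r.Time }
    }
}
if ($resetThenUsed) { Write-Warning "Accounts were reset and then used to change group membership:"; $resetThenUsed | Format-Table -AutoSize }
```

Each DC logs only the resets and membership changes it processed itself, so in a multi-DC domain the query has to run against every DC or, better, against a central collector the DCs forward to. The final correlation is deliberately simple (same account, later time); it is there to show that the reset-then-act chain the post describes is visible in the audit trail once account and group management auditing is on.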

From gaining unauthorized access to a single confidential document to automating the destruction of the entire Active Directory deployment, the expanse of the damage an insider can do with it is limited only by their skill. In that light, it may very well be the #1 insider threat to Active Directory today.

But We don't worry about Insider Threats

Organizations that do not worry about insider threats need only be reminded of one name - Edward Snowden, the classic Trusted Insider, who may not only have caused monumental and irreversible damage, but also great embarrassment to arguably the world's most powerful and clandestine national security agency, the U.S. NSA.

Best wishes,

PS: If you're still not convinced, I'll prove it to you - using this free tool you can see for yourself just how many people could reset your password and log in as you today. (The threat, in most cases, is not directly from them, but from someone who first resets their password, then resets yours to log in as you.) In case you didn't know, a password reset takes about 5 seconds to perform.
