Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Tuesday, October 8, 2013

5 Facts You Must Know about Active Directory Privilege Escalation


Last month, we declassified the #1 cyber security risk to Active Directory deployments - Active Directory Privilege Escalation.

Active Directory Privilege Escalation based on identification and exploitation of unauthorized access grants in Active Directory deployments.

Today, I wanted to share with you 5 things that we all must know about Active Directory Privilege Escalation –

#5 – Domain Admin accounts only account for 1% of the attack-surface. Accounts of delegated admins, executive and regular employees, and all other Active Directory content (i.e. all group memberships, GPOs, OUs etc. ) accounts for 99% of the attack surface

#4 – We may not know it or realize it yet, but most Active Directory deployments worldwide are currently exposed to this risk today. In fact, most domain user and computer accounts, domain security groups, GPOs, OUs, SCPs etc are potentially at risk of compromise.

#3 – This risk is far more damaging and easier to carry out than even the risk posed by the Pass-the-Hash (PtH) attack vector, because unlike Domain Admins, the likelihood of a non-admin user logging on to the attacker’s machine is quite low. (Consider this - what is the likelihood that your organization's CEO will logon to your machine, whether for legitimate reasons, or even if social engineered into doing so?)

#2 – This risk exists because Active Directory lacks the ability to help IT personnel precisely assess and verify provisioned access. Active Directory does let us precisely provision access, but it is unable to help us precisely assess/verify/audit effective provisioned access.

#1 – The presence of an Auditing solution does nothing whatsoever to mitigate this risk. It merely helps detect its occurrence. By the time an associated event shows up in the audit log, it is already too late, because the damage has been done. (E.g. - if a malicious entity has been able to reset a Domain Admin's password, or the CEO's password, even though the event may show up in the audit log, by the time you react to it, the damage is already done.)

In days to come, I will share with you how organizations can assess whether they're at risk, and how they can mitigate this risk.

For now, perhaps its worth asking yourself a simple question – “Do we know exactly who can do what in our Active Directory, especially in light of the fact that anyone with a domain user account can find this out on any object within minutes?

Best wishes,

PS: This is a very simple and fundamental problem that stems from the lack of verifiable implemented least privilege access (LPA) in a major foundational technology. Frankly, I’m really surprised that over 80% of organizations worldwide still do not realize this simple fact! The only thing more concerning is that based on our intelligence, the Chinese have most likely already figured this out.

No comments:

Post a Comment