By: Miguel Angel Saiz
September 11, 2020
Active Directory Best Practices
The use of LAN networks and Active Directory (AD) by companies is a common practice today. In a world interconnected by the internet, more and more companies, public institutions, and even home users build LAN networks to interconnect their computer equipment and share resources. Active Directory is a service, hosted on one or more servers, that creates and stores objects such as users, computers, and groups, and uses them to validate the credentials presented when a computer connected to the network logs on. It can also be used to administer the policies of the entire network in which the server is located.
The network protocols used by Active Directory are mainly Lightweight Directory Access Protocol (LDAP), Dynamic Host Configuration Protocol (DHCP), Kerberos, and Domain Name System (DNS). At its core, it is a database that holds, in real time, the authentication credentials of the network's users.
SECURITY IN AD:
Active Directory is the central point of an organization. Suppose an attacker gains elevated privileges in AD. In that case, they could cause a lot of damage to the organization and gain unauthorized access to confidential information stored on file servers or in Office 365 (for example, Outlook, Teams, OneDrive, SharePoint). For example, suppose an attacker compromises the account of the Chief Financial Officer (CFO). In that case, they would have access to all the financial information of the company (e.g., sensitive e-mails, files in the cloud, contacts, and budgets). For these reasons, protecting AD is one of IT's most important goals in a modern organization. Below is a discussion of some of the best security practices for Active Directory.
At least two domain controllers:
Even if the infrastructure is not a large enterprise, it is very important to have at least two domain controllers, to provide resiliency and to avoid a critical failure when one of them goes down.
Patch Your Domain Controllers:
Attackers are quick to exploit known vulnerabilities, so it is vital that the AD servers are kept up to date. Plan an appropriate time to first test Windows updates (preferably on a non-production server) and then install them.
Domain Controller Backups:
One consideration for backup frequency is the question, "how often should it be done?" As always, the answer is relative, but there is an easy way for everyone to deduce their own answer. It boils down to a key question: "How much work time can the organization afford to lose, or spare to redo?"
Rename the domain administrator account:
The first account used to initiate an attack is the administrator, so the first step is to change the default domain administrator name. It is recommended to use a completely different name, because leaving the default means the attacker already knows half of the credential pair (the username) and only has to find the password.
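A check that goes with this recommendation, written here as an added example rather than code from the article: the built-in domain Administrator keeps the well-known relative ID 500 whatever it is renamed to, so the script locates it by SID and reports whether the rename was actually applied and whether the account is still being used for day-to-day logons. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module on a domain-joined host with read access to the directory.
Import-Module ActiveDirectory

# The built-in domain Administrator keeps RID 500 regardless of its name, so it
# is found by SID. This is also why the rename is a hardening step and not a
# hiding place: it must be combined with the other controls in this article.
$domainSid    = (Get-ADDomain).DomainSID.Value
$builtinAdmin = Get-ADUser -Identity "$domainSid-500" -Properties LastLogonDate, PasswordLastSet

$report = [pscustomobject]@{
    SamAccountName  = $builtinAdmin.SamAccountName
    Renamed         = $builtinAdmin.SamAccountName -ne 'Administrator'
    Enabled         = $builtinAdmin.Enabled
    LastLogonDate   = $builtinAdmin.LastLogonDate
    PasswordLastSet = $builtinAdmin.PasswordLastSet
}
$report | Format-List

if (-not $report.Renamed) {
    Write-Warning 'The built-in domain administrator account still uses the default name.'
}

# Routine administration should use named, personal admin accounts and keep the
# built-in account for recovery, so a recent logon with it is worth investigating.
if ($report.LastLogonDate -and $report.LastLogonDate -gt (Get-Date).AddDays(-30)) {
    Write-Warning "The built-in administrator account was used on $($report.LastLogonDate)."
}
```

Because the SID never changes, the rename raises the cost of guessing the username but does not remove the account from view; the lockout policy, the size of the privileged groups and the audit trail discussed later carry most of the protective weight.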
Inactive domain accounts:
An administrator can find enabled user accounts that haven't been used for a long time by reviewing the "last login date". Normally, these accounts belong to temporary or test identities. Unused domain accounts increase the organization's attack surface, as they are a prime opportunity for compromise (e.g., through login attacks such as brute force or password guessing). Ultimately, there should be a policy to disable or delete these accounts based on periodic checks, for example after 30 days of inactivity.
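The periodic check described above, as an added example (not the article's own code): it lists enabled users whose last logon is older than the 30-day threshold the article suggests, and then previews disabling them. It assumes the RSAT ActiveDirectory module; the description text written to the account is a local convention, not something the article prescribes.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module; the 30-day threshold is the one the article suggests.
Import-Module ActiveDirectory

$inactiveDays = 30
$cutoff       = (Get-Date).AddDays(-$inactiveDays)

# LastLogonDate is the replicated lastLogonTimestamp, which by default lags real
# logons by up to 14 days. That is precise enough for a 30-day policy and avoids
# querying every domain controller for the unreplicated lastLogon attribute.
$stale = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, PasswordLastSet, whenCreated, Description |
    Where-Object {
        # Skip accounts created after the cutoff: they may simply not have logged on yet.
        $_.whenCreated -lt $cutoff -and
        # Accounts that have never logged on carry no LastLogonDate at all.
        ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
    }

$stale |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, whenCreated |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

# Disable first, delete later: a disabled account is restored in seconds if a
# legitimate owner turns up. -WhatIf only reports what would change; remove it
# once the report above has been reviewed.
foreach ($user in $stale) {
    Disable-ADAccount -Identity $user -WhatIf
    Set-ADUser -Identity $user -WhatIf `
        -Description "Disabled for inactivity on $(Get-Date -Format yyyy-MM-dd); was: $($user.Description)"
}
```

Running the report on a schedule and keeping the disabled accounts for a grace period before deletion gives the policy the "periodic check" the article calls for, with a paper trail in the account description.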
Too many users in privileged groups:
Having many users in privileged groups, such as Domain Admins, Schema Admins, and Enterprise Admins, unnecessarily increases the risk to the domain, because the compromise of any one of those users enables a total compromise of the domain.
The principle of least privilege:
This principle is a foundational security strategy, applicable to many areas, for securing accounts, especially those of administrators. It is based on the idea of granting a permission only when it is necessary for the performance of a certain activity.
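The two points above, oversized privileged groups and least privilege, can be reviewed with one report. The following is an added example, not code from the article: it expands the built-in privileged groups (including nested membership), counts their users, and flags members who have not used the privilege in 90 days, which under least privilege are the first candidates for removal. It assumes the RSAT ActiveDirectory module; the member threshold and the 90-day window are local assumptions, not numbers from the article.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module; $maxMembers and the 90-day window are local assumptions.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'
$maxMembers = 5   # assumed: review any privileged group above this size

$report = foreach ($group in $privilegedGroups) {
    try {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        # -Recursive expands nested groups, so indirectly privileged users count too.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
    }
    catch {
        Write-Verbose "Skipping $group : $($_.Exception.Message)"
        continue
    }

    $users = foreach ($m in $members) {
        Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate, PasswordLastSet
    }

    [pscustomobject]@{
        Group        = $group
        MemberCount  = @($users).Count
        OverLimit    = @($users).Count -gt $maxMembers
        Disabled     = @($users | Where-Object { -not $_.Enabled }).Count
        # A privileged account that has not logged on for 90 days is not using
        # the right it holds; least privilege says remove it from the group.
        Unused90Days = @($users | Where-Object {
            $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt (Get-Date).AddDays(-90)
        }).Count
        Members      = ($users.SamAccountName | Sort-Object) -join ', '
    }
}

$report | Sort-Object MemberCount -Descending | Format-Table -AutoSize -Wrap
```

The report is only the first step; the second is asking, for each remaining member, which task actually requires that group rather than a delegated permission on a specific organizational unit.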
Users with passwords that do not expire:
Some organizations have domain accounts configured with the DONTEXPIREPASSWORD flag. This is the typical configuration of service accounts, but sometimes it can also be seen in more privileged domain accounts. Although it can be useful in some situations, it can also be quite damaging: domain accounts with this flag are ideal targets for privilege escalation attacks and are excellent backdoors for maintaining access, as seen in many advanced persistent threat (APT) attacks.
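An added example for this check (not the article's code): it lists the enabled accounts whose password never expires, estimates how old each password is, separates the service accounts the article calls typical from the privileged ones it warns about, and previews clearing the flag on the privileged ones. The flag the article calls DONTEXPIREPASSWORD is userAccountControl bit 0x10000, which the AD module exposes as PasswordNeverExpires; the script assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module. The article's DONTEXPIREPASSWORD flag is userAccountControl bit 0x10000
# (DONT_EXPIRE_PASSWORD), exposed by the AD module as PasswordNeverExpires.
Import-Module ActiveDirectory

$neverExpire = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordLastSet, MemberOf, ServicePrincipalName, AdminCount

# Resolve the protected groups to DNs once; some exist only in the forest root.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privilegedDns = foreach ($g in $privilegedGroups) {
    try { (Get-ADGroup -Identity $g -ErrorAction Stop).DistinguishedName } catch { }
}

$report = foreach ($u in $neverExpire) {
    $directPrivileged = @($u.MemberOf | Where-Object { $privilegedDns -contains $_ }).Count -gt 0
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordAgeDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
        # A registered SPN usually marks a service account, the case the article calls typical.
        HasSpn          = @($u.ServicePrincipalName).Count -gt 0
        # adminCount=1 is set by the SDProp process on accounts that are, or once
        # were, members of a protected group, so it also catches nested membership.
        Privileged      = $directPrivileged -or ($u.AdminCount -eq 1)
    }
}

$report | Sort-Object Privileged, PasswordAgeDays -Descending | Format-Table -AutoSize

# Privileged accounts should not carry the flag at all. -WhatIf previews the change.
foreach ($u in ($report | Where-Object Privileged)) {
    Set-ADUser -Identity $u.SamAccountName -PasswordNeverExpires $false -WhatIf
}
```

For the service accounts that remain, a Group Managed Service Account (gMSA), whose password Windows rotates automatically, removes the reason the flag was set in the first place.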
Weak password policy:
Password policy is an issue that continues to evolve. There are many different views and opinions on what an ideal password policy should look like. Some organizations require long and complex passwords and frequent changes. Some are more lenient, and some may almost ignore any policy, or instead focus on strengthening the compensating controls in their internal environments so that the compromise of a single account has only a very small impact.
Some good practices are:
• Minimum password length: 14 characters
• Enforce password history: 24 times
• Account lockout duration: 15 minutes or more
• Account lockout observation window: 30 minutes
• Maximum password age: 60 days or less
• Minimum password age: 1 day or more
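The list above can be checked against the live domain policy. The script below is an added example, not code from the article: it reads the default domain password policy, compares each setting with the article's baseline, and previews a corrected policy. It assumes the RSAT ActiveDirectory module. Two points the article does not state are marked as assumptions in the code: a lockout duration has no effect while the lockout threshold is 0, and Windows requires the lockout duration to be at least as long as the observation window, so the remediation uses 30 minutes for both.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module. Baseline values come from the article; the lockout-threshold check is an
# assumption, because a lockout duration does nothing while the threshold is 0.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

function Test-Setting {
    # One row of the comparison: the article's requirement, the live value, pass/fail.
    param([string]$Setting, [string]$Want, $Actual, [bool]$Pass)
    [pscustomobject]@{ Setting = $Setting; Want = $Want; Actual = $Actual; Pass = $Pass }
}

$checks = @(
    Test-Setting 'MinPasswordLength'        '>= 14'         $policy.MinPasswordLength        ($policy.MinPasswordLength -ge 14)
    Test-Setting 'PasswordHistoryCount'     '>= 24'         $policy.PasswordHistoryCount     ($policy.PasswordHistoryCount -ge 24)
    Test-Setting 'LockoutDuration'          '>= 15 min'     $policy.LockoutDuration          ($policy.LockoutDuration -ge [timespan]::FromMinutes(15))
    Test-Setting 'LockoutObservationWindow' '>= 30 min'     $policy.LockoutObservationWindow ($policy.LockoutObservationWindow -ge [timespan]::FromMinutes(30))
    # MaxPasswordAge of zero means passwords never expire, so it must be positive and at most 60 days.
    Test-Setting 'MaxPasswordAge'           '1..60 days'    $policy.MaxPasswordAge           ($policy.MaxPasswordAge -gt [timespan]::Zero -and $policy.MaxPasswordAge -le [timespan]::FromDays(60))
    Test-Setting 'MinPasswordAge'           '>= 1 day'      $policy.MinPasswordAge           ($policy.MinPasswordAge -ge [timespan]::FromDays(1))
    Test-Setting 'LockoutThreshold'         '> 0 (assumed)' $policy.LockoutThreshold         ($policy.LockoutThreshold -gt 0)
)

$checks | Format-Table -AutoSize

if ($checks | Where-Object { -not $_.Pass }) {
    # Windows requires LockoutDuration >= LockoutObservationWindow, so 30 minutes
    # satisfies both the article's "15 or more" and that constraint.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
        -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
        -ComplexityEnabled $true -WhatIf
}
```

The same settings also live in the Default Domain Policy GPO under Account Policies, so keep the two in agreement, and check Get-ADFineGrainedPasswordPolicy -Filter * for per-group policies that override the default for particular users.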
Upgrade from Passwords:
Create a password of at least eight mixed characters: a password is considered strong when it has eight or more characters combining letters (lower and upper case), numbers, and symbols. It is advisable to spread the numbers and symbols throughout the password instead of grouping them all at the beginning or end, which makes it harder for attackers to crack. Avoid words or phrases that are obvious, habitual, or personal, and avoid easily accessible personal data such as a date of birth or the name of a relative or a pet, as these are very predictable and much easier for an attacker to guess. Weak passwords that have become incredibly common should not be used either, such as 111111, qwerty (the first five letters of the keyboard), the word password, or the sequence 123456, which surprisingly continues to be the most used password worldwide. Furthermore, use different passwords for different accounts: many people reuse one password for all their accounts so they can remember it, but this practice is highly insecure and makes users much more vulnerable to attacks. Use a different password for each account.
Maintaining audit levels in Active Directory makes centralized control possible over the behavior of each organizational unit, each user, each computer, and each group policy, thus preventing failures in the future and improving the security posture in the present. In server environments, it is essential to maintain strong visibility over all events that occur inside the system. This is important because unauthorized changes to policies or directives commonly occur during non-standard hours. Administrators must maintain control over their systems and architecture; otherwise, they become vulnerable to multiple errors and attacks, which could go unnoticed for a long time and cause irreparable harm.
Nowadays, Active Directory security must be one of the most important priorities for an organization. Applying the aforementioned practices will help mitigate basic vulnerabilities, and user training remains one of the most important points.
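The visibility the paragraph above asks for can be turned into a concrete report. The following is an added example, not code from the article: it pulls the Security-log events for additions to security-enabled groups and for audit- and domain-policy changes from every domain controller over the last week, and flags the ones that happened outside business hours. It assumes the RSAT ActiveDirectory module, read access to the Security log on each domain controller, and that the advanced audit subcategories "Security Group Management" and "Audit Policy Change" are enabled; the business hours are an assumption to adjust locally.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module, remote read access to each DC's Security log, and that the advanced
# audit subcategories "Security Group Management" and "Audit Policy Change" are
# enabled. Business hours are an assumption; adjust them to the organization.
Import-Module ActiveDirectory

# Security event IDs (defined by Windows):
#   4728 / 4732 / 4756  member added to a security-enabled global / local / universal group
#   4719                system audit policy was changed
#   4739                domain policy was changed
$eventIds      = 4728, 4732, 4756, 4719, 4739
$since         = (Get-Date).AddDays(-7)
$businessStart = 8    # 08:00, assumed
$businessEnd   = 18   # 18:00, assumed

function Get-EventField {
    # Return one named <Data> field from the event's XML payload, or $null if absent.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-OutsideBusinessHours {
    param([datetime]$Time)
    ($Time.DayOfWeek -in 'Saturday', 'Sunday') -or
    ($Time.Hour -lt $businessStart) -or ($Time.Hour -ge $businessEnd)
}

$findings = foreach ($dc in Get-ADDomainController -Filter *) {
    $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $eventIds; StartTime = $since }

    foreach ($e in $events) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            DC         = $dc.Name
            EventId    = $e.Id
            Actor      = Get-EventField $e 'SubjectUserName'
            # For group changes TargetUserName is the group and MemberName the new
            # member; the policy-change events carry neither, so these stay empty.
            Group      = Get-EventField $e 'TargetUserName'
            Member     = Get-EventField $e 'MemberName'
            AfterHours = Test-OutsideBusinessHours $e.TimeCreated
        }
    }
}

# Every change to a privileged group deserves a look; the after-hours ones come first.
$findings | Sort-Object AfterHours, Time -Descending | Format-Table -AutoSize
```

Each domain controller keeps its own Security log, which is why the script visits all of them; forwarding those logs to a central collector makes the same query possible from one place and keeps the records even if a controller is compromised.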