By: Navid Kagalwalla
August 7, 2020
Protecting the Active Directory - The Keys to the Kingdom
Active Directory is a Microsoft technology developed as a directory service for Windows domain networks. It forms one of the most critical aspects of an organization's infrastructure. It is used to manage computers and other devices by logically dividing user accounts into groups and subgroups based on the level of access control required. Active Directory provides authentication, authorization, and configuration capabilities for users, computers, servers, applications, and load balancers throughout an organization's IT infrastructure. After gaining access to an organization's network, attackers primarily target the Active Directory to perform reconnaissance, elevate privileges, access critical applications, and create several fictitious accounts to persist in the environment. Any breach or exploitation of an Active Directory can be disastrous for an organization. Recovering an Active Directory to a secure state can be very expensive and is extremely complicated, since Active Directories are structured hierarchically with different access controls, authentication mechanisms, and user rights provided at each level. Because of the significant access it provides to the organization, Active Directory is rightly called "The Keys to the Kingdom."
What Is Active Directory Security Assessment?
Active Directory Security Assessment (ADSA) involves reviewing the Active Directory configurations, Group Policy Objects, and access control mechanisms employed by an organization to prevent attack propagation throughout the internal network. ADSA identifies the most likely attack vectors and provides remediation guidance on how to detect, mitigate, and prevent them. It helps an organization effectively identify, quantify, reduce, and repel the risks of an Active Directory breach. ADSA provides structured and constructive remediation advice, which helps organizations identify which technologies to focus on and harden. ADSA involves assessments on both technical and non-technical fronts. ADSA can significantly reduce the cost of supporting a secure Active Directory by regularly auditing and assessing the Active Directory installations instead of unnecessarily integrating expensive security components into an already complex installation. ADSA provides domain controller security, secure administration, improved operational performance, and reliable knowledge transfer between entities.
Phases and Key Assessment Areas of Active Directory Security Assessment
ADSA has four primary phases, which must be performed to establish the overall security posture of an organization's Active Directory infrastructure. The four phases are gathering data from the environment (on-site or remotely), interpreting and analyzing the results, completing the assessment report, and, finally, providing detailed recommendations. The outcome of a successful ADSA should be a document stating how the organization's Active Directory installation can be hardened. The detailed recommendations must cover security misconfigurations, event logs, and patch management. The sources for conducting an ADSA should include adversary intelligence (real-time attack techniques, tactics, and procedures), victim intelligence (privilege escalation and misconfigurations), and machine intelligence (security bypass methods). ADSA must focus on central logging systems (SIEM) and top-level domain permissions. The key focus areas of ADSA include endpoint configuration and hardening, remote access to resources, group policy controls, integration with cloud computing platforms, access management, domain trust configuration review, server life cycles, and permission delegation. ADSA must be conducted regularly to ensure a secure Active Directory infrastructure.
A breach of an organization's Active Directory can be disastrous, since finding all the malicious changes or additions an attacker makes is very expensive and extremely hard. That's where ADSA comes in. By regularly assessing and auditing the focus areas of an Active Directory, an organization can be sure of mitigating threats to its Active Directory installation.