Active Directory & Security
Active directory is the foundation of the majority of enterprise networks. Cyber security professionals need to have a solid understanding to protect and secure sensitive data. Active directory is one of the important resources which all organizations consider when they think about security. AD is a centralized resource, enabling us to add, remove and manage users and groups, monitor usage and activity on devices, and report on application usage. The main features of the Active directory include:
Hierarchical Structure: Active directory is expandable to add multiple organizational units within a single domain.
Multi-Location: To reduce the latency, Active directory can be made available at multiple locations or regions across the globe.
Multi-Standard: It supports DNS & LDAP to facilitate other non-windows environments.
PowerShell: It supports PowerShell cmdlets to make changes to Active directory
Application Integration: It supports multiple applications like Azure & Exchange.
Mostly, cyberattacks affect Active Directory (AD) in some ways, whether it is a compromised user or service accounts, a hacked authentication ticket, or a stolen authentication token.
Over 53,000 cyber-attacks have been researched by Verizon’s security team for their 2018 Verizon Data Breach Investigation Report. During that research, Verizon confirmed 2,616 data breaches. For comparison, in 2017, the FBI tracked 19,502 burglaries of offices in the United States.
The active directory currently uses Kerberos Authentication (default authorization technology used by Microsoft Windows, and implementations of Kerberos exist in Apple OS, FreeBSD, UNIX, and Linux), which has many vulnerabilities like pass-the-ticket, Golden ticket, Silver ticket, brute force, etc.
There are no genuine contenders to replace Kerberos in the pipeline. Most of the advancements in security protect your password or provide a different method of validating who you are to Kerberos. Kerberos is still the back-end technology. Kerberos excels at Single-Sign-On (SSO), making it more usable in a modern internet-based and connected workplace. With SSO, you prove your identity once to Kerberos, and then Kerberos passes your TGT to other services or machines as proof of your identity.
The weakest link in the Kerberos chain is the password. Passwords can be brute force cracked or stolen by phishing attacks. For this reason, Multifactor Authentication (MFA) is becoming more popular to protect online identities. With MFA, you need a password, a randomized token, mobile phone, email, or biometrics like- thumbprint, retina scan, facial recognition, etc.
To counter the many vulnerabilities and attacks used to break into Active directory, you can follow the best practices for securing active directory: -
First, Documenting the Active Directory, as a result, you can identify all your computers, users, domain, OU hierarchy, DNS Configurations, network numbering conventions, and DHCP configuration.
Second, once you tighten up the rest of the security, have a focus on the human errors – the weakest link in the organization, which turns a little action into big trouble and loss. So, it is important to train or educate your employee or staff with proper training and knowledge transfers. Some best practices in users or employees are to make them understand the good password mechanism and its regular updates, train them about phishing, access limitation, least privileges, etc. You can also configure logging and monitoring on Active directory to detect abnormal behaviors. During the pandemic, when everyone in the world is forced to work remotely, the human error problem is a greater threat now than ever, and now this factor adds a significant impact to the overall risk posture. As organizations become readily dependent upon internet-enabled business models, they are more vulnerable and prone to a wide array of cyber-attacks and business-disrupting challenges. A small mistake or human error creates a noticeable impact that could lead to the latest news headline.