Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

2/1/2018
05:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Poor Visibility, Weak Passwords Compromise Active Directory

Security experts highlight the biggest problems they see putting Microsoft Active Directory at risk.

Every company has different security challenges. One common hurdle is securing Active Directory, which remains a critical issue because it's used to store increasing amounts of data. Businesses face a major risk in granting access to too many people without knowing who is safe.

"Active Directory was put in decades ago, and many companies, especially large ones, have had it a long time," says Skyport Systems CEO Art Gilliland. "Most companies don't have a handle on what Active Directory looks like or how many people in the organization can administer it."

One of the biggest problems is a lack of visibility into the amount of people and systems with administrative rights, he continues. Admins, and sometimes systems, have access to keys and codes, and the ability to disable or enable controls as they wish.

Skyport researchers learned last year that many businesses overly expose AD admin credentials and consequently expose themselves to security breaches. More than 90% of organizations use AD to control policies for users and services, and they need to better secure their infrastructure. More than half let admins use the same account to configure AD and multiple other services.

Older programs make it tough to control security. "Bad guys use legacy programs to gain access and elevate privileges, and that's when the real damage and breaches begin," Gilliland says. Attackers rarely target Active Directory first; they look for other ways to get in, then access the AD system.

"It's usually a vulnerability in some application," he adds. "It typically starts simply, with a vulnerability that's probably known and the company just hasn't patched it."

Cracking Down on Attackers
"Once you've elevated privileges, it's impossible to see bad stuff is happening," Gilliland says of visibility. "You can't tell someone has the keys to the kingdom and is running amok."

There are two types of attackers, he explains. Some spread mass phishing attacks to see what level of access they get, then figure out if there's anything of value. Others use more targeted attacks attempting to gain access to specific information — for example, healthcare data.

If you've been breached in any way, most breach response companies will lock down and assess Active Directory because, as Gilliland puts it, "the attacker has almost always done something in AD." The next step is to turn off attackers' access, but finding them is tough, especially if your business has a big AD deployment.

Sometimes the only way to handle an Active Directory breach is to rebuild AD from scratch. If you have evidence that outside attackers have found their way in and created 10,000 accounts in a 50,000-person company, it will be almost impossible to get rid of them without starting over.

"The marketplace makes it very difficult to know who's attacking you until after they've stolen something and after the damage is done," he says. It doesn't help that adversaries are becoming smarter and using more-sophisticated tools than they were five years ago. Attackers are a profit center; IT departments have a strict budget that limits their actions.

The Vulnerability of Passwords
"The Active Directory password is probably the most valuable one," says Amit Rahav, VP of marketing and business development at Secret Double Octopus. "We've been told to create long and complicated passwords, we've been told to change them frequently, and we end up using more and more passwords to get our jobs done."

Passwords are the most common authentication factor but also the most frequently abused, and they're a prime target for attackers seeking Active Directory access. With so much sensitive data in one place, AD authentication is a "single point of failure." The most common way for attackers to obtain passwords is through social engineering or phishing attacks.

But sometimes those aren't even necessary. Rahav points out that some passwords are encrypted, but often they're weak; for example, a birth date or dog's name. Open source tools are available to break those types of passwords, he explains. Sometimes employees store passwords in iPhone notes, Android notes, or Google+ pages, where they're easily found.

Rahav emphasizes the need for stronger protection. "It's time to move into stronger and user-friendly authentication factors … move from passwords into phones, biometrics, and things of that nature." Microsoft offers Windows Hello, which authenticates using facial recognition but requires new hardware.

Rahav anticipates biometrics will continue to grow for Active Directory authentication and within the enterprise, especially as more people use it for personal devices. "A few years ago, nobody knew what biometrics was; now before breakfast we use it two or three times."

How to Be Proactive about AD Security  
Once malicious actors are inside, it's hard to detect them, whether they're external attackers or rogue employees. Often Active Directory is threatened by internal users who have been granted privileges they shouldn't have. You need to know who has access and how to restrict it.

A straightforward step for businesses to take is securing the access workstation, says Gilliland. "The first thing you should do is make sure you can only access Active Directory from a system that's specifically designed to administer Active Directory and nothing else," he says. "That will eliminate a lot of pain."

From there, you should monitor the actual domain controllers. It's complicated, says Gilliland, but provides visibility into what's happening and helps avoid malicious activity. Businesses should also modernize the way that they delegate access to who has permission to change rules.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
2/3/2018 | 3:08:56 PM
AD's inherent limitations
Active Directory is powerful; and something like it is necessary with enterprise networks.  However, I think Microsoft locked themselves into the wrong data topology (and the wrong mindset).  AD was (and I assume still is), hierarchical, rather than relational. 

While performance advantages are important, you lose the built-in safeguards of a Relational Model compliant schema. 

Perhaps more importantly is that application domain modeling methodologies used to generate RM schemas, provide better correspondence between the facts (objects and relationships - business rules), in the domain and the data structure.  The result is that the models are more comprehensible, in the terms used within those domains.  Because the business rules are integrated into the transactional processes of a RDBMS (rather than applied and processed externally), rule changes are reflected in an updated schema, and enforced by mechanisms of the transactions. 

Security and data integrity are inherently better with a transaction based system.  When domain specific (your enterprise network assets and rules, in this case), RM compliant schemas are generated by means of a fact-based methodology, the conceptual level model is created using the terms and rules actually used by your domain-experts/knowledge-workers -- rather than imposing someone's idea of how things should work, or shoehorning the specifics of your enterprise to fit a template.

Object Role Modeling (a fact-based methodology), results in a perspective of roles and rules, rather than types and labels.  This leads to thinking in terms of workflows and individuals, rather than job titles and groups, when it comes to permissions and restrictions.  Consider how that would impact network security concerns. 

I don't know if a solely RDBMS solution could meet the speed and scale performance levels of AD; probably not.  Still, a hybrid system could offer the benefits of each; and result in a better overall solution to enterprise network/asset management, efficiency and security.   
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.