Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

05:45 PM
Connect Directly

Poor Visibility, Weak Passwords Compromise Active Directory

Security experts highlight the biggest problems they see putting Microsoft Active Directory at risk.

Every company has different security challenges. One common hurdle is securing Active Directory, which remains a critical issue because it's used to store increasing amounts of data. Businesses face a major risk in granting access to too many people without knowing who is safe.

"Active Directory was put in decades ago, and many companies, especially large ones, have had it a long time," says Skyport Systems CEO Art Gilliland. "Most companies don't have a handle on what Active Directory looks like or how many people in the organization can administer it."

One of the biggest problems is a lack of visibility into the amount of people and systems with administrative rights, he continues. Admins, and sometimes systems, have access to keys and codes, and the ability to disable or enable controls as they wish.

Skyport researchers learned last year that many businesses overly expose AD admin credentials and consequently expose themselves to security breaches. More than 90% of organizations use AD to control policies for users and services, and they need to better secure their infrastructure. More than half let admins use the same account to configure AD and multiple other services.

Older programs make it tough to control security. "Bad guys use legacy programs to gain access and elevate privileges, and that's when the real damage and breaches begin," Gilliland says. Attackers rarely target Active Directory first; they look for other ways to get in, then access the AD system.

"It's usually a vulnerability in some application," he adds. "It typically starts simply, with a vulnerability that's probably known and the company just hasn't patched it."

Cracking Down on Attackers
"Once you've elevated privileges, it's impossible to see bad stuff is happening," Gilliland says of visibility. "You can't tell someone has the keys to the kingdom and is running amok."

There are two types of attackers, he explains. Some spread mass phishing attacks to see what level of access they get, then figure out if there's anything of value. Others use more targeted attacks attempting to gain access to specific information — for example, healthcare data.

If you've been breached in any way, most breach response companies will lock down and assess Active Directory because, as Gilliland puts it, "the attacker has almost always done something in AD." The next step is to turn off attackers' access, but finding them is tough, especially if your business has a big AD deployment.

Sometimes the only way to handle an Active Directory breach is to rebuild AD from scratch. If you have evidence that outside attackers have found their way in and created 10,000 accounts in a 50,000-person company, it will be almost impossible to get rid of them without starting over.

"The marketplace makes it very difficult to know who's attacking you until after they've stolen something and after the damage is done," he says. It doesn't help that adversaries are becoming smarter and using more-sophisticated tools than they were five years ago. Attackers are a profit center; IT departments have a strict budget that limits their actions.

The Vulnerability of Passwords
"The Active Directory password is probably the most valuable one," says Amit Rahav, VP of marketing and business development at Secret Double Octopus. "We've been told to create long and complicated passwords, we've been told to change them frequently, and we end up using more and more passwords to get our jobs done."

Passwords are the most common authentication factor but also the most frequently abused, and they're a prime target for attackers seeking Active Directory access. With so much sensitive data in one place, AD authentication is a "single point of failure." The most common way for attackers to obtain passwords is through social engineering or phishing attacks.

But sometimes those aren't even necessary. Rahav points out that some passwords are encrypted, but often they're weak; for example, a birth date or dog's name. Open source tools are available to break those types of passwords, he explains. Sometimes employees store passwords in iPhone notes, Android notes, or Google+ pages, where they're easily found.

Rahav emphasizes the need for stronger protection. "It's time to move into stronger and user-friendly authentication factors … move from passwords into phones, biometrics, and things of that nature." Microsoft offers Windows Hello, which authenticates using facial recognition but requires new hardware.

Rahav anticipates biometrics will continue to grow for Active Directory authentication and within the enterprise, especially as more people use it for personal devices. "A few years ago, nobody knew what biometrics was; now before breakfast we use it two or three times."

How to Be Proactive about AD Security  
Once malicious actors are inside, it's hard to detect them, whether they're external attackers or rogue employees. Often Active Directory is threatened by internal users who have been granted privileges they shouldn't have. You need to know who has access and how to restrict it.

A straightforward step for businesses to take is securing the access workstation, says Gilliland. "The first thing you should do is make sure you can only access Active Directory from a system that's specifically designed to administer Active Directory and nothing else," he says. "That will eliminate a lot of pain."

From there, you should monitor the actual domain controllers. It's complicated, says Gilliland, but provides visibility into what's happening and helps avoid malicious activity. Businesses should also modernize the way that they delegate access to who has permission to change rules.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
2/3/2018 | 3:08:56 PM
AD's inherent limitations
Active Directory is powerful; and something like it is necessary with enterprise networks.  However, I think Microsoft locked themselves into the wrong data topology (and the wrong mindset).  AD was (and I assume still is), hierarchical, rather than relational. 

While performance advantages are important, you lose the built-in safeguards of a Relational Model compliant schema. 

Perhaps more importantly is that application domain modeling methodologies used to generate RM schemas, provide better correspondence between the facts (objects and relationships - business rules), in the domain and the data structure.  The result is that the models are more comprehensible, in the terms used within those domains.  Because the business rules are integrated into the transactional processes of a RDBMS (rather than applied and processed externally), rule changes are reflected in an updated schema, and enforced by mechanisms of the transactions. 

Security and data integrity are inherently better with a transaction based system.  When domain specific (your enterprise network assets and rules, in this case), RM compliant schemas are generated by means of a fact-based methodology, the conceptual level model is created using the terms and rules actually used by your domain-experts/knowledge-workers -- rather than imposing someone's idea of how things should work, or shoehorning the specifics of your enterprise to fit a template.

Object Role Modeling (a fact-based methodology), results in a perspective of roles and rules, rather than types and labels.  This leads to thinking in terms of workflows and individuals, rather than job titles and groups, when it comes to permissions and restrictions.  Consider how that would impact network security concerns. 

I don't know if a solely RDBMS solution could meet the speed and scale performance levels of AD; probably not.  Still, a hybrid system could offer the benefits of each; and result in a better overall solution to enterprise network/asset management, efficiency and security.   
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-14
A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect.
PUBLISHED: 2021-05-14
A Zip Slip vulnerability was found in the oc binary in openshift-clients where an arbitrary file write is achieved by using a specially crafted raw container image (.tar file) which contains symbolic links. The vulnerability is limited to the command `oc image extract`. If a symbolic link is first c...
PUBLISHED: 2021-05-14
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App o...
PUBLISHED: 2021-05-14
Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.
PUBLISHED: 2021-05-14
Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers in certain situations, which may cause crafted files to be delivered to clients such that they are rendered directly in a victim's web browser.