Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

05:45 PM
Connect Directly

Poor Visibility, Weak Passwords Compromise Active Directory

Security experts highlight the biggest problems they see putting Microsoft Active Directory at risk.

Every company has different security challenges. One common hurdle is securing Active Directory, which remains a critical issue because it's used to store increasing amounts of data. Businesses face a major risk in granting access to too many people without knowing who is safe.

"Active Directory was put in decades ago, and many companies, especially large ones, have had it a long time," says Skyport Systems CEO Art Gilliland. "Most companies don't have a handle on what Active Directory looks like or how many people in the organization can administer it."

One of the biggest problems is a lack of visibility into the amount of people and systems with administrative rights, he continues. Admins, and sometimes systems, have access to keys and codes, and the ability to disable or enable controls as they wish.

Skyport researchers learned last year that many businesses overly expose AD admin credentials and consequently expose themselves to security breaches. More than 90% of organizations use AD to control policies for users and services, and they need to better secure their infrastructure. More than half let admins use the same account to configure AD and multiple other services.

Older programs make it tough to control security. "Bad guys use legacy programs to gain access and elevate privileges, and that's when the real damage and breaches begin," Gilliland says. Attackers rarely target Active Directory first; they look for other ways to get in, then access the AD system.

"It's usually a vulnerability in some application," he adds. "It typically starts simply, with a vulnerability that's probably known and the company just hasn't patched it."

Cracking Down on Attackers
"Once you've elevated privileges, it's impossible to see bad stuff is happening," Gilliland says of visibility. "You can't tell someone has the keys to the kingdom and is running amok."

There are two types of attackers, he explains. Some spread mass phishing attacks to see what level of access they get, then figure out if there's anything of value. Others use more targeted attacks attempting to gain access to specific information — for example, healthcare data.

If you've been breached in any way, most breach response companies will lock down and assess Active Directory because, as Gilliland puts it, "the attacker has almost always done something in AD." The next step is to turn off attackers' access, but finding them is tough, especially if your business has a big AD deployment.

Sometimes the only way to handle an Active Directory breach is to rebuild AD from scratch. If you have evidence that outside attackers have found their way in and created 10,000 accounts in a 50,000-person company, it will be almost impossible to get rid of them without starting over.

"The marketplace makes it very difficult to know who's attacking you until after they've stolen something and after the damage is done," he says. It doesn't help that adversaries are becoming smarter and using more-sophisticated tools than they were five years ago. Attackers are a profit center; IT departments have a strict budget that limits their actions.

The Vulnerability of Passwords
"The Active Directory password is probably the most valuable one," says Amit Rahav, VP of marketing and business development at Secret Double Octopus. "We've been told to create long and complicated passwords, we've been told to change them frequently, and we end up using more and more passwords to get our jobs done."

Passwords are the most common authentication factor but also the most frequently abused, and they're a prime target for attackers seeking Active Directory access. With so much sensitive data in one place, AD authentication is a "single point of failure." The most common way for attackers to obtain passwords is through social engineering or phishing attacks.

But sometimes those aren't even necessary. Rahav points out that some passwords are encrypted, but often they're weak; for example, a birth date or dog's name. Open source tools are available to break those types of passwords, he explains. Sometimes employees store passwords in iPhone notes, Android notes, or Google+ pages, where they're easily found.

Rahav emphasizes the need for stronger protection. "It's time to move into stronger and user-friendly authentication factors … move from passwords into phones, biometrics, and things of that nature." Microsoft offers Windows Hello, which authenticates using facial recognition but requires new hardware.

Rahav anticipates biometrics will continue to grow for Active Directory authentication and within the enterprise, especially as more people use it for personal devices. "A few years ago, nobody knew what biometrics was; now before breakfast we use it two or three times."

How to Be Proactive about AD Security  
Once malicious actors are inside, it's hard to detect them, whether they're external attackers or rogue employees. Often Active Directory is threatened by internal users who have been granted privileges they shouldn't have. You need to know who has access and how to restrict it.

A straightforward step for businesses to take is securing the access workstation, says Gilliland. "The first thing you should do is make sure you can only access Active Directory from a system that's specifically designed to administer Active Directory and nothing else," he says. "That will eliminate a lot of pain."

From there, you should monitor the actual domain controllers. It's complicated, says Gilliland, but provides visibility into what's happening and helps avoid malicious activity. Businesses should also modernize the way that they delegate access to who has permission to change rules.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
2/3/2018 | 3:08:56 PM
AD's inherent limitations
Active Directory is powerful; and something like it is necessary with enterprise networks.  However, I think Microsoft locked themselves into the wrong data topology (and the wrong mindset).  AD was (and I assume still is), hierarchical, rather than relational. 

While performance advantages are important, you lose the built-in safeguards of a Relational Model compliant schema. 

Perhaps more importantly is that application domain modeling methodologies used to generate RM schemas, provide better correspondence between the facts (objects and relationships - business rules), in the domain and the data structure.  The result is that the models are more comprehensible, in the terms used within those domains.  Because the business rules are integrated into the transactional processes of a RDBMS (rather than applied and processed externally), rule changes are reflected in an updated schema, and enforced by mechanisms of the transactions. 

Security and data integrity are inherently better with a transaction based system.  When domain specific (your enterprise network assets and rules, in this case), RM compliant schemas are generated by means of a fact-based methodology, the conceptual level model is created using the terms and rules actually used by your domain-experts/knowledge-workers -- rather than imposing someone's idea of how things should work, or shoehorning the specifics of your enterprise to fit a template.

Object Role Modeling (a fact-based methodology), results in a perspective of roles and rules, rather than types and labels.  This leads to thinking in terms of workflows and individuals, rather than job titles and groups, when it comes to permissions and restrictions.  Consider how that would impact network security concerns. 

I don't know if a solely RDBMS solution could meet the speed and scale performance levels of AD; probably not.  Still, a hybrid system could offer the benefits of each; and result in a better overall solution to enterprise network/asset management, efficiency and security.   
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where Are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-19
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and settin...
PUBLISHED: 2020-10-19
On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administr...
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
PUBLISHED: 2020-10-19
A flaw was found in Infinispan version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.