Microsoft Active Directory (AD) is the most common directory services product in the world, used by most of the Fortune 1000 for identity and access management. Unfortunately, it can also be a nightmare to secure. In addition, its administrators are often unaware of the security ramifications of their actions – not that security is necessarily their responsibility – or how they can harden their environments.
This article will explore some of the widespread AD security issues admins face and explain what they can do to prevent or mitigate them.
Understanding AD Attack Paths
Nearly all AD environments are vulnerable to a powerful, difficult-to-detect technique called attack paths. You may have heard them called “identity snowball attacks” because they first compromise a host and then use the privileges of users logged into that host to launch attacks against other hosts. Attackers move from machine to machine in this way until they reach their targets (usually a domain controller) and complete their objectives, whether that’s stealing sensitive data, deploying malware, or something else.
The average AD environment has hundreds or thousands of attack paths, and they’re usually an “unknown unknown,” where admins don’t understand the problem or even realize they have one. But this isn’t a criticism of AD admins – the features that make AD useful for enterprises are the same ones that make it attractive to attackers and difficult to defend. Getting control of an AD environment will almost always give attackers the access they need to reach their objectives, either through taking direct control of endpoints or using AD to validate themselves as a user with access to the system they need.
Since AD is widely used among major enterprises, attackers can reuse the same techniques against multiple targets. And because hacker tools used to progress along an attack path (like Mimikatz and Responder) abuse features built into Windows and AD rather than software exploits, it’s difficult for defenders to detect them.
The size and scope of AD also make it difficult to secure. Enterprises can easily have thousands of attack paths, and they constantly change as new users are added or removed and groups and permissions shift. Mapping all of them is difficult, and closing them all is practically impossible. While individual attack paths can be closed by altering a particular permission or security group membership, removing one accomplishes very little. Attackers has plenty of alternate routes to the same objective. Think of AD as Google Maps, with an attacker starting in Los Angeles and trying to get to Washington, DC. There are thousands of specific routes they might take, so closing one highway won’t stop them from getting there.
Making Active Directory More Secure
So do we just throw up our hands in the face of this overwhelming problem? Of course not. There are many things AD admins can do to help make their environments more secure that don’t require detailed security expertise. Two of the most important steps are gaining better visibility into AD and understanding nested security groups.
AD makes it very difficult to audit user permissions. Windows will only report which principals have a direct “admin rights” relationship to a computer or control of an object. A principal could be an individual or a group, and there’s no way to “unroll” these groups in AD – the admin must go through a separate process to view group membership. If there’s another group nested in the first one, the admin will have to repeat the process.
This makes auditing permissions clunky and time-consuming, to the point that it prevents most AD admins from truly understanding their own environments. Using third-party tools or scripts for more insight into which users have which permissions and tracking nested security groups is a great starting point to better AD security. A free and open source AD mapping tool called BloodHound has this functionality (I am a co-creator of it), and other tools like PingCastle are also helpful.
Other useful steps toward better AD security include defining an organization's Tier Zero assets (this normally includes AD domain admins, domain controllers, PKI, and anyone with access to high-value systems specific to the organization in question) and developing a method to measure its risk exposure. Also, think twice when giving new users permissions – while it’s tempting to give them access to everything they might need, overprivileged users create more attack paths.
To learn more about attack paths and AD security, I recommend Microsoft's Securing Privileged Access Documentation and the website ADSecurity.org. Whether they've known it or not, defenders have been plagued by attack paths for decades, so understanding them is the first step towards reducing risk for the entire enterprise.