MOUNTAIN VIEW, Calif. - Skyport Systems, a leading secure, hyperconverged infrastructure provider for the hybrid enterprise, has found that many enterprises overly expose Active Directory (AD) administrators' credentials, leaving companies vulnerable to security breaches. Skyport reached this conclusion after conducting comprehensive AD security assessments for enterprises over the past year.
Skyport's AD security assessments are based on a 100-point investigation into an organization’s current AD implementation, enabling scoring of the overall health of the organization’s AD infrastructure. The findings from each assessment highlight key lessons learned, benchmarks, and operational implications for reducing risk within the organization.
"We know that over 90 percent of all organizations use Active Directory to control policies for users and services," said Russell Rice, senior director, product management, Skyport Systems. "Successful attacks against AD or admin credentials can be devastating because the blast radius reaches nearly every system in the enterprise. The data we collected and analyzed shows that organizations need to pay more close attention to their AD infrastructure and use a modern approach to securing AD since many attack tools are widely available, effective and free," said Rice.
Security experts recommend the following four pillars to protect against cyberattacks:
- Implement AD hygiene by limiting domain admin privileges, configuring secure password policies, and frequent patching.
- Make admin workstations secure to prevent credential theft and misuse.
- Protect Domain Controllers (DCs) against insider and outsider threats.
- Build an isolated admin forest for large or complex enterprises.
Despite these measures, there are many ways organizations’ defenses break down, according to key findings from Skyport’s Active Directory security assessments.
These key findings include:
- Over 50 percent of the organizations assessed allow administrators to use the same account to configure AD as they use for everything else.
- Microsoft recommends implementing secure administrative workstations (SAWs) for management of AD. However, less than 10 percent of the organizations Skyport Systems assessed have implemented a SAW.
- Fewer than 25 percent of the organizations use multi-factor authentication (MFA) for AD administrator accounts.
- It is a best practice to severely limit the systems that are permitted to alter the AD configuration. However, almost none of the organizations assessed implemented host-based firewalls for the DCs, and less than 15 percent use administrative whitelists.
- Microsoft has recommendations for building an Enhanced Security Administrative Environment (ESAE), but virtually no mid-market enterprises appear to be aware of, or effectively implement these guidelines.
Obtain a full copy of the AD Assessment Findings here.