Active Directory Security Vulnerabilities: the role of PAWs in a Strong AD Defense
Microsoft Active Directory (AD) provides directory services for organizations that use Windows Server. Based on the Lightweight Directory Access Protocol (LDAP), AD provides a range of directory functions, including centralized domain management and Identity and Access Management (IAM). AD is more or less the standard IAM solution in companies of all sizes. So it should be no surprise that a widely adopted tool like AD is an attractive target for malicious actors.
Why Active Directory is Such a Sought-After Target
AD attracts many varied attacks, given the value of the data it provides access to along with the potential for abuse that comes from gaining access into an organization’s IAM system. If an attacker wants to impersonate a system user, what better way is there to achieve that goal than by breaking into AD, posing as an AD administrator and taking over a user account? Even more dangerous, an attacker could disguise himself as a domain admin and create a new, fictitious user. Stolen admin credentials create a major risk.
An AD admin can assign access privileges. For example, if a user has “Read Only” access to a database, the AD admin can promote him or her to have “Read/Write” privileges. Hackers want such elevated privileges, so they often go after AD.
Understanding Microsoft Active Directory Vulnerabilities
AD has two main sets of cybersecurity vulnerabilities: generic security vulnerabilities and specific security vulnerabilities. In generic terms, AD is exposed to every standard IT security risk: it needs strong passwords, has to be patched properly, has to be protected by firewalls, and so forth. Specifically, AD is vulnerable to abuse through its inherent functioning; the server’s very capabilities create risk.
For example, if AD isn’t properly administered, its internal list of administrators may grow too long to be managed securely. No one knows for sure who each administrator is or which privileges they should hold. A former employee might retain access rights long after he or she should no longer possess them. This can lead to privileged access abuse, assuming the organization does not have a Privileged Access Management (PAM) solution in effect. However, many PAM solutions base their users’ identities on AD directory listings, so PAM alone does not remove the dependency on a well-administered AD.
Guest access is yet another problem. Similarly, if admins leave too many inactive accounts up and running, those accounts’ credentials and access privileges remain exposed to theft by malicious actors. If AD admins do not maintain or check access logs, they may have trouble spotting suspicious logins. It’s important to keep in mind that a malicious actor can also be an insider, so managing AD for security should also include monitoring access by established users.
Best Practices for Defending Microsoft AD
Security professionals have developed best practices for defending Microsoft AD. Highlights include:
- Appoint a “super admin” for AD—This status should only be granted to a small, highly trusted group of employees, or even just one person. The AD super admin will be expected to stay on top of purging old accounts and monitoring task delegation. In addition, the super admin needs to know who is in any sensitive groups, e.g. domain and schema admins. These are the admins whose credentials have high value for hackers.
- The super admin should carefully manage any “group nesting” in AD. AD can nest groups in a parent-child hierarchy. This practice passes access privileges from parent to child. If these nested groups are not monitored, they can inadvertently enable users to acquire access privileges they should not have.
- Implement a policy of “least privilege”—Users should be assigned the absolute minimum permissions they need for their jobs. Again, the super admin is on task to keep this all managed securely.
- Put AD in a network secure zone—AD should not be sitting in the main area of the corporate network. Given its value to hackers and the potential significant negative impacts to the organization if it were compromised, AD should be placed on a secure sub-network or secure zone.
- Use Privileged Access Workstations (PAWs)—Provisioning a separate, dedicated device (e.g. a Windows laptop) for administrators is a strong countermeasure in mitigating the risk of unauthorized admin access to AD. A PAW is a hardened device that cannot download files, install software, or access email or the Web. It is used only to log into the secure subnet where AD is located. Because its use is so restricted, the PAW is less vulnerable to Web-based malware, phishing attacks and so forth.
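The account-hygiene practices above (purging stale accounts, knowing who sits in sensitive groups, and watching nested group membership) lend themselves to a recurring review script. The following is an added example written for this article, not code from the original post or from Hysolate; it assumes the RSAT ActiveDirectory module is installed on the PAW, that the reviewing account can read AD, and that the 90-day inactivity threshold and the list of groups are policy choices you adjust to your environment.

```powershell
# Added example: periodic review of sensitive group membership and stale accounts.
# Assumptions: RSAT ActiveDirectory module present; run by an account allowed to
# read group membership; $sensitiveGroups and $inactiveDays are assumed policy values.
Import-Module ActiveDirectory

$sensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$inactiveDays    = 90

foreach ($group in $sensitiveGroups) {
    # Direct members only (no nesting expanded).
    $direct = Get-ADGroupMember -Identity $group |
              Where-Object { $_.objectClass -eq 'user' } |
              Select-Object -ExpandProperty SamAccountName

    # -Recursive walks the parent-child group hierarchy, so users who inherit
    # membership through a nested group are listed alongside direct members.
    $effective = Get-ADGroupMember -Identity $group -Recursive |
                 Where-Object { $_.objectClass -eq 'user' }

    Write-Host "== $group : $($effective.Count) effective user members =="
    foreach ($m in $effective) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, Enabled, PasswordLastSet
        [pscustomobject]@{
            Group            = $group
            User             = $u.SamAccountName
            Enabled          = $u.Enabled
            # True when the user holds this privilege only via group nesting.
            InheritedViaNest = ($u.SamAccountName -notin $direct)
            LastLogon        = $u.LastLogonDate
            PasswordAgeDays  = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
        }
    }
}

# Enabled user accounts with no logon inside the inactivity window: candidates
# for disabling under the "purge old accounts" practice.
Write-Host "== Enabled accounts inactive for more than $inactiveDays days =="
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $inactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate
```

Rows where InheritedViaNest is true are the ones the super admin should trace back to the nested group that grants them, since that is where unintended privilege typically accumulates.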
PAWs do have a drawback, however. The admin may not want to carry a second laptop around when he or she leaves the office. It can be tempting to log into a VPN using a regular corporate machine, which can open privileged assets to attacks. If a malicious actor has compromised the corporate machine, he can potentially gain access to AD.
One viable alternative, as enabled by Hysolate, is to deploy two completely separate Virtual Machines (VMs) on a single device. One of the VMs runs as a general corporate computer, with full web browsing capabilities and so forth. The second VM is completely locked down to apply the utmost security when accessing privileged assets. Running on separate operating systems (OSs), the machines don’t “see” one another, even though they’re on the same piece of hardware. If a hacker penetrates the corporate OS, it’s impossible to jump onto the privileged OS.