Active Directory is used in many organizations worldwide to provide network services so that users and computers can easily authenticate and authorize access to network resources or log on to Windows systems. But cybercriminals also benefit from the Microsoft directory service by abusing common misconfigurations to gain network ownership.
Why Active Directory Is So Interesting For Cybercriminals
Once attackers get into a company’s Active Directory, they have a gateway to the rest of the network, which lets them escalate their rights step by step and ultimately steal sensitive data. From the attackers’ perspective, AD is also an ideal platform for ransomware, since users and computers rely on it to reach network resources. Attackers can quickly wreak havoc by encrypting or exfiltrating critical data.
The ransomware does not encrypt Active Directory itself; it uses AD to reach and encrypt domain-joined hosts and other connected systems. Two well-known ransomware families that target AD are LockBit 2.0 and BlackMatter. In a typical AD ransomware attack, the attackers gain a foothold in the network by phishing for credentials, escalate their privileges, and move laterally through the web of servers. The goal is to acquire administrative access rights and compromise a domain controller. Domain controllers host Active Directory Domain Services (AD DS) and a replica of the directory database, which contains every object Active Directory stores and for which it provides authentication and authorization services.
4 Tips To Reduce Active Directory Risks
Cybercriminals can launch dangerous attacks via AD because of various misconfigurations that the attackers know how to exploit for their purposes. To eliminate these, security teams must develop a comprehensive Active Directory security strategy that spans multiple areas. If you implement the following four points, the risk of AD compromises can be reduced in the long term.
1. Avoid Adding Domain Users To The Local Administrators Group
Networked systems with domain users in the local Administrators group are a godsend for attackers. They use these accounts to move laterally through a network, escalate their privileges, and harvest further credentials along the way. Suppose an attacker can log in to a Windows endpoint as a local administrator. In that case, they can use that compromised system or account as a staging point to make network changes, escalate to full domain administrator privileges, and disable security controls.
For this reason, IT teams should avoid adding domain users to the local Administrators group in the first place and instead implement least-privilege or just-in-time access controls. This ensures that administrative rights are tightly controlled and granted only as needed. In addition, it is necessary to scan continuously so that such misconfigurations are detected and removed at an early stage.
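The continuous scan recommended above can be done with a short PowerShell audit. The following is an added example and not code from the original article; it assumes PowerShell Remoting (WinRM) is enabled on the targets, that you run it with local administrator rights on them, and that the computer and group names are placeholders for your own inventory.

```powershell
# Added example (not from the original article): audit the local Administrators
# group on a set of domain-joined hosts and flag individual domain user accounts,
# plus any domain group that is not on the approved list.
# Assumptions: WinRM is enabled on the targets, the caller is a local admin there,
# and the host/group names below are placeholders.

$Computers      = @('WS-FIN-01', 'WS-FIN-02', 'SRV-FILE-01')   # placeholder host names
$ExpectedGroups = @('Domain Admins', 'Workstation Admins')      # placeholder approved groups

$Findings = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    param($Expected)
    # Orphaned SIDs make Get-LocalGroupMember throw; keep going and report what resolves.
    $Members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($m in $Members) {
        $Name = ($m.Name -split '\\')[-1]   # strip the DOMAIN\ prefix
        # Individual domain user accounts are the lateral-movement footholds we care about.
        $IsDomainUser = ($m.PrincipalSource -eq 'ActiveDirectory' -and $m.ObjectClass -eq 'User')
        # Domain groups outside the approved list also deserve a look.
        $IsUnexpectedGroup = ($m.PrincipalSource -eq 'ActiveDirectory' -and
                              $m.ObjectClass -eq 'Group' -and
                              $Name -notin $Expected)
        if ($IsDomainUser -or $IsUnexpectedGroup) {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Member      = $m.Name
                ObjectClass = $m.ObjectClass
                Reason      = if ($IsDomainUser) { 'Domain user in local Administrators' }
                              else { 'Unexpected domain group in local Administrators' }
            }
        }
    }
} -ArgumentList (,$ExpectedGroups)

$Findings | Sort-Object Computer, Member | Format-Table -AutoSize
```

Each finding is a host/member pair you can remove with `Remove-LocalGroupMember -Group Administrators -Member 'DOMAIN\user'`; scheduling the script and diffing its output against the previous run turns it into the continuous check the text asks for.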
2. Secure Remote Desktop Protocol (RDP) Access
Another popular entry point for cybercriminals is the Remote Desktop Protocol (RDP). Since the beginning of the pandemic and the sudden shift to widespread remote work, the number of attacks on RDP-exposed systems has multiplied. This is mainly due to poor password hygiene, which makes it easy for attackers to brute-force the credentials of RDP endpoints and gain full access to the remote system. It is especially hazardous when users reuse their work Active Directory password for other accounts and everyday Internet services, since a password leaked from any of them can be replayed against RDP. Once the attacker has managed to gain remote access to the victim’s system and gain a foothold in the victim’s environment,
One of the most effective protections against brute-force attacks on RDP is strong multi-factor authentication combined with dedicated privileged-access controls.
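Alongside MFA, the brute-force pattern itself is easy to spot in the Windows Security log: every failed logon is event ID 4625, and RDP attempts that fail at Network Level Authentication are recorded with LogonType 3, console-style RDP failures with LogonType 10. The following is an added example and not code from the original article; the function works on a flat list of event objects, a constructed sample is included so it runs offline, and the threshold and window are assumptions to tune for your environment.

```powershell
# Added example (not from the original article): flag source addresses that
# produce a burst of failed logons (Security event ID 4625) within a sliding
# time window. LogonType 3 (NLA failures) and 10 (RemoteInteractive) are counted.
# Threshold and window are assumptions; tune them for your environment.

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, IpAddress, TargetUserName, LogonType
        [int] $Threshold     = 10,                   # failures from one source within the window
        [int] $WindowMinutes = 5
    )
    $Events |
        Where-Object { $_.LogonType -in @(3, 10) -and $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress |
        ForEach-Object {
            $ip     = $_.Name
            $sorted = @($_.Group | Sort-Object TimeCreated)
            # Sliding window: for each failure, count failures from the same source in the preceding window.
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $start    = $sorted[$i].TimeCreated.AddMinutes(-$WindowMinutes)
                $inWindow = @($sorted[0..$i] | Where-Object { $_.TimeCreated -ge $start })
                if ($inWindow.Count -ge $Threshold) {
                    [pscustomobject]@{
                        IpAddress = $ip
                        Failures  = $inWindow.Count
                        FirstSeen = $inWindow[0].TimeCreated
                        LastSeen  = $sorted[$i].TimeCreated
                        Usernames = ($inWindow.TargetUserName | Sort-Object -Unique) -join ','
                    }
                    break   # one alert per source is enough
                }
            }
        }
}

# Pull live 4625 events from the Security log and flatten them into the shape above.
function Get-FailedLogonEvents {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                IpAddress      = $d['IpAddress']
                TargetUserName = $d['TargetUserName']
                LogonType      = [int]$d['LogonType']
            }
        }
}

# Constructed sample: 12 failures from one address in under two minutes, plus one
# ordinary typo from another address that must not be flagged.
$t0     = Get-Date '2024-01-15 03:00:00'
$Sample = @()
foreach ($i in 0..11) {
    $Sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(10 * $i); IpAddress = '203.0.113.7'; TargetUserName = "user$i"; LogonType = 3 }
}
$Sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); IpAddress = '192.0.2.20'; TargetUserName = 'jdoe'; LogonType = 10 }

Find-RdpBruteForce -Events $Sample | Format-List
# Live data: Find-RdpBruteForce -Events (Get-FailedLogonEvents -Hours 24)
```

The sample produces a single alert for 203.0.113.7 with ten failures and ten distinct usernames, the password-spraying signature, while the lone failure from 192.0.2.20 is ignored. A growing list of distinct usernames from one source is the detail worth surfacing to responders, because it separates spraying from a user who simply forgot a password.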
3. Prevent Multiple Uses Of Domain Admin Accounts
A dangerous but frequently seen weakness in many Active Directory environments is the reuse of domain admin accounts by system administrators for everyday tasks such as running services, setting up remote access to systems, or automating backups. While convenient, this gives attackers an easy path from local admin to full domain admin privileges.
An attacker who already holds local administrator rights on a system first modifies its registry so that Windows caches logon credentials in plain text (the WDigest UseLogonCredential setting), then waits for a domain administrator to log on to that system. He checks back remotely from time to time to see whether the domain admin has left such a footprint. Because he has local administrator rights, he can disable security software on the affected system, run Mimikatz as a privileged user, and read the domain admin password in plain text.
For this reason, it is essential to prevent over-privileged users from holding local administrator rights on all systems. It is also necessary to have endpoint application controls in place that block unauthorized tools such as Mimikatz from running, even when an attacker has local administrator privileges. Furthermore, the registry settings should be permanently enforced so that attackers have no way of extracting passwords in plain text.
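The registry settings meant above are two DWORD values on each host. `WDigest\UseLogonCredential` set to 1 is what makes LSASS keep plaintext passwords (it is the value the attacker in the scenario flips); `Lsa\RunAsPPL` set to 1 runs LSASS as a protected process so that tools like Mimikatz cannot read its memory even with local admin rights. The following is an added example and not code from the original article; the function names are our own, and the script assumes it is run elevated on the host being hardened.

```powershell
# Added example (not from the original article): check and enforce the two
# registry values that block plaintext credential theft from LSASS.
#   WDigest\UseLogonCredential = 0  -> LSASS does not cache plaintext passwords
#   Lsa\RunAsPPL               = 1  -> LSASS runs as a protected process (needs a reboot)
# Assumes the script runs elevated on the target host.

$Settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential'; Want = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name = 'RunAsPPL';           Want = 1 }
)

function Test-CredentialCacheHardening {
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        # A missing UseLogonCredential is safe on Windows 8.1 / Server 2012 R2 and later
        # (the built-in default is off); a missing RunAsPPL means LSA protection is not enabled.
        $effective = if ($null -eq $current) {
                         if ($s.Name -eq 'UseLogonCredential') { 0 } else { 'not set' }
                     } else { $current }
        [pscustomobject]@{
            Setting   = "$($s.Path)\$($s.Name)"
            Current   = $effective
            Expected  = $s.Want
            Compliant = ($effective -eq $s.Want)
        }
    }
}

function Set-CredentialCacheHardening {
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want -Type DWord
    }
}

Test-CredentialCacheHardening | Format-Table -AutoSize
# Set-CredentialCacheHardening   # run elevated; reboot for RunAsPPL to take effect
```

Run the test function across the estate with `Invoke-Command -ComputerName ...` and alert on any host where UseLogonCredential reads 1: a value that was enforced to 0 and has changed back is a direct indicator of the attack described above. Apply RunAsPPL through Group Policy rather than one-off scripts so it survives rebuilds, and note that on UEFI systems with Secure Boot it is locked by a firmware variable once enabled, so test it before rolling it out broadly.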
4. Use Active Directory Bridging
Active Directory Bridging is a feature that allows users to log on to non-Windows operating systems with their AD credentials. In this way, Active Directory can interoperate with Linux, Unix, and Windows systems and devices. AD security benefits as well, because the proliferation of local identities is curbed. Since users authenticate to all platforms with a single Active Directory identity, the attack surface shrinks because there are fewer entry points for attackers. At the same time, it simplifies reporting on compliance with access policies.
In addition, bridging helps establish a unified Privileged Access Management (PAM) strategy with centralized, cross-platform management of access policies, zero-trust access, permissions control, and identity consolidation.
Active Directory plays a vital role in securely accessing systems and files. Still, poor management and misconfigurations remain commonplace, making it easy for attackers to reach organizations’ critical systems and deploy malicious payloads such as ransomware. This makes it all the more important to give top priority to securing privileged access to Active Directory and to implement a security strategy based on a solid risk assessment of the organization.