By Tammy Mindel, Security Product Manager at Semperis
Microsoft Active Directory (AD) has become a highly lucrative target for cyberattackers. That’s no surprise, given the prevalence of the identity service in enterprise organizations (as of 2019, AD still held a 95 percent market share among Fortune 500 companies) and the weaknesses that accumulate in long-lived deployments. Attackers take advantage of weak AD configurations to identify attack paths, harvest privileged credentials, and deploy ransomware. Recent reports by 451 Research, Enterprise Management Associates (EMA), and Gartner highlighted the collective concern about AD security problems.
Many of the problems stem from the fact that AD has been in place since 2000, when cybersecurity was not a priority. Many organizations have legacy AD systems with components that haven’t been used for years—but remain gateways for cyberattacks.
Cybercriminals know how and where to look for the bits and pieces AD has left behind over its many iterations. By exploiting the platform’s identity management infrastructure, attackers can escalate their privileges. From there, the sky’s the limit: They can deploy ransomware, steal data, or even take over the organization.
According to an EMA survey, in just the past two years, 50 percent of organizations have experienced an AD-specific attack, and more than 40 percent of these attacks were successful. Making matters worse, penetration testers can typically exploit an AD exposure roughly 80 percent of the time.
Reviewing legacy AD infrastructures for security weaknesses
Organizations can take action to prevent some of the common AD exploits. Following are practical guidelines for identifying and addressing security gaps in your AD infrastructure environment.
- Maintain proper AD hygiene
Just as practicing good physical hygiene reduces your chance of getting sick, maintaining proper hygiene in your AD environment is crucial to combat cybercrime. If you configure the directory service securely and clean up misconfigurations, your system will be much less attractive to attackers.
First and foremost, continuously examine your AD installation in all its complexity to uncover exposures and attack paths. Perform regular, or better continuous, vulnerability assessments. Apply basic cybersecurity best practices: delete orphaned accounts, enforce a tight access control policy, manage risk effectively, and remove legacy components.
That last action item, you’ll soon learn, is arguably the most important.
- Know that most major AD vulnerabilities have much in common
By studying the AD security gaps that attackers exploit most often, you will notice similarities. Consider three of the most widely abused at the time of writing: PetitPotam, PrintNightmare, and SID History abuse.
PetitPotam, first published in July 2021, is an authentication coercion technique. An attacker with network access to a domain controller (the original release needed no credentials at all) calls the Encrypting File System Remote Protocol (MS-EFSRPC) interface that domain controllers expose and coerces the DC into authenticating to a host the attacker controls. The attacker then relays that NT LAN Manager (NTLM) authentication, most commonly to the web enrollment endpoint of Active Directory Certificate Services (AD CS), obtains a certificate for the domain controller’s machine account, and uses it to take over the domain.
Microsoft’s guidance in KB5005413 is to disable NTLM authentication on domain controllers where possible; where it is not, disable NTLM for IIS on the AD CS servers that run web enrollment and enable Extended Protection for Authentication (EPA) over TLS, so that a relayed NTLM exchange no longer matches the channel it arrives on. The August 2021 update for CVE-2021-36942 closed the unauthenticated EFSRPC coercion, but relay remains possible wherever NTLM is still accepted, so the configuration change matters as much as the patch.
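As an added example (this is not code from the article or from Semperis), the following PowerShell audits the IIS configuration of an AD CS web enrollment server for the two settings the PetitPotam guidance above turns on, NTLM disabled and EPA required over TLS, and applies them through a second function. It assumes the WebAdministration module, that web enrollment is published at the default IIS path Default Web Site/CertSrv, and that it runs elevated on the AD CS host; the function names are the example’s own.

```powershell
# Added example, not part of the original article.
# Assumptions: WebAdministration module available, AD CS Web Enrollment at the
# default IIS path below, run elevated on the AD CS host. Audit first; the Set-
# function changes IIS configuration and will break clients that can only do NTLM.
Import-Module WebAdministration

$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'   # assumed default path
$WinAuth     = 'system.webServer/security/authentication/windowsAuthentication'
$Access      = 'system.webServer/security/access'

function Get-CertSrvNtlmRelayExposure {
    param([string]$Path = $CertSrvPath)

    $auth = Get-WebConfiguration -Filter $WinAuth -PSPath $Path
    # One <add value="..."/> per provider; NTLM present means a relay target.
    $providers = @(Get-WebConfiguration -Filter "$WinAuth/providers/add" -PSPath $Path |
                   ForEach-Object { $_.value })
    $tokenChecking = [string]$auth.extendedProtection.tokenChecking   # None | Allow | Require
    $sslFlags      = [string](Get-WebConfiguration -Filter $Access -PSPath $Path).sslFlags
    $sslRequired   = (($sslFlags -split ',') | ForEach-Object { $_.Trim() }) -contains 'Ssl'
    $ntlmAllowed   = ($providers -contains 'NTLM') -or ($providers -contains 'Negotiate')

    [pscustomobject]@{
        Path          = $Path
        Providers     = ($providers -join ', ')
        NtlmAllowed   = $ntlmAllowed        # plain Negotiate can still fall back to NTLM
        EpaTokenCheck = $tokenChecking
        SslRequired   = $sslRequired
        # Relay works when NTLM is accepted and EPA is not enforced on a TLS channel.
        RelayExposed  = $ntlmAllowed -and -not ($tokenChecking -eq 'Require' -and $sslRequired)
    }
}

function Set-CertSrvNtlmRelayHardening {
    param([string]$Path = $CertSrvPath)

    # 1. Require EPA so the NTLM exchange is bound to the TLS channel it arrived on.
    Set-WebConfigurationProperty -Filter $WinAuth -PSPath $Path `
        -Name extendedProtection -Value @{ tokenChecking = 'Require'; flags = 'None' }
    # 2. Require TLS on /CertSrv; EPA has nothing to bind to over plain HTTP.
    Set-WebConfigurationProperty -Filter $Access -PSPath $Path -Name sslFlags -Value 'Ssl'
    # 3. Replace NTLM and bare Negotiate with Negotiate:Kerberos (Kerberos only).
    foreach ($p in 'NTLM', 'Negotiate') {
        Remove-WebConfigurationProperty -Filter "$WinAuth/providers" -PSPath $Path `
            -Name '.' -AtElement @{ value = $p } -ErrorAction SilentlyContinue
    }
    Add-WebConfigurationProperty -Filter "$WinAuth/providers" -PSPath $Path `
        -Name '.' -Value @{ value = 'Negotiate:Kerberos' } -ErrorAction SilentlyContinue

    Get-CertSrvNtlmRelayExposure -Path $Path
}

Get-CertSrvNtlmRelayExposure | Format-List
# Set-CertSrvNtlmRelayHardening | Format-List   # apply after confirming Kerberos works for all enrollment clients
```

Run the audit on every server that hosts the Certificate Authority Web Enrollment or Certificate Enrollment Web Service role; a result of RelayExposed = True is the configuration PetitPotam needs, regardless of patch level.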
PrintNightmare, as the name suggests, is a set of vulnerabilities in the Windows Print Spooler service, which exists to store and queue print jobs. Because the spooler installs printer drivers on request and runs as SYSTEM, any authenticated domain user on the network could make a domain controller running the spooler load an attacker-supplied driver DLL and execute it with SYSTEM privileges, and SYSTEM on a domain controller is the whole domain.
Patching alone is not the recommended end state: Microsoft’s guidance is to apply the updates and then disable the Print Spooler service on every domain controller, which has no business printing. Point and Print policies that suppress the driver-installation warning and elevation prompt must also be removed, because they reopen the vulnerability on patched systems.
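As an added example (not code from the article or from Semperis), the following PowerShell finds every domain controller that still runs the Print Spooler, reads the Point and Print policy values that re-weaken a patched system, and with -Disable stops the service and sets it to Disabled. It assumes the ActiveDirectory module on the administrator’s workstation, WinRM access to every DC, and a domain administrator account; the function name is the example’s own.

```powershell
# Added example, not part of the original article.
# Assumptions: ActiveDirectory module on the admin workstation, WinRM reachable on
# every DC, run as a domain administrator. Read-only unless -Disable is given.
Import-Module ActiveDirectory

function Get-DcPrintSpoolerExposure {
    param([switch]$Disable)

    $dcs = (Get-ADDomainController -Filter *).HostName

    Invoke-Command -ComputerName $dcs -ArgumentList $Disable.IsPresent -ScriptBlock {
        param([bool]$DoDisable)

        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

        # Point and Print policy. On a patched host driver installation is restricted
        # to administrators unless RestrictDriverInstallationToAdministrators is
        # explicitly 0, and NoWarningNoElevationOnInstall=1 together with
        # UpdatePromptSettings=2 reopens the hole. Absent values read as defaults.
        $pp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' `
                               -ErrorAction SilentlyContinue
        if ($null -eq $pp.RestrictDriverInstallationToAdministrators) { $restrictToAdmins = 1 }
        else { $restrictToAdmins = [int]$pp.RestrictDriverInstallationToAdministrators }
        $noWarning = [int]$pp.NoWarningNoElevationOnInstall   # $null casts to 0
        $noPrompt  = [int]$pp.UpdatePromptSettings

        if ($DoDisable -and $svc) {
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
            Set-Service -Name Spooler -StartupType Disabled
            $svc = Get-Service -Name Spooler
        }

        if ($svc) { $status = [string]$svc.Status; $startType = [string]$svc.StartType }
        else      { $status = 'NotInstalled';      $startType = 'n/a' }

        [pscustomobject]@{
            DomainController       = $env:COMPUTERNAME
            SpoolerStatus          = $status
            StartupType            = $startType
            SpoolerRunning         = [bool]($svc -and $svc.Status -eq 'Running')
            RestrictDriverToAdmins = $restrictToAdmins
            PointAndPrintWeakened  = ($restrictToAdmins -eq 0) -or ($noWarning -eq 1 -and $noPrompt -eq 2)
        }
    } | Sort-Object DomainController |
        Select-Object DomainController, SpoolerStatus, StartupType, SpoolerRunning,
                      RestrictDriverToAdmins, PointAndPrintWeakened
}

Get-DcPrintSpoolerExposure | Format-Table -AutoSize      # audit only
# Get-DcPrintSpoolerExposure -Disable | Format-Table -AutoSize   # stop and disable the spooler on every DC
```

Any row with SpoolerRunning = True is a domain controller that still exposes the service, and PointAndPrintWeakened = True means the policy has undone the patch; fix both, then re-run to confirm.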
SID History (the sIDHistory attribute on user, group, and computer objects) exists for migration scenarios, integration of new domains, and mergers: it carries the security identifiers a principal held in its old domain so that it keeps access to resources still protected by those old SIDs, and a large migration can leave thousands of entries behind. Every SID in the attribute is added to the principal’s access token at logon, so an entry that still maps to a privileged group grants that privilege today, and an attacker who can write the attribute can inject a privileged SID as a quiet form of persistence. Inevitably, fragments get left behind that you may be reluctant to clean up for fear of breaking access to older systems.
Addressing this exposure requires visibility into the SIDs held in sIDHistory: identify entries that map to privileged groups, entries that no longer resolve to any trusted domain, and entries from the current domain (which no legitimate migration produces), and monitor the attribute for unauthorized changes.
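As an added example (not code from the article or from Semperis), the following PowerShell enumerates every object that carries sIDHistory and flags the three cases the paragraph above describes: a SID issued by the current domain, a SID whose RID or BUILTIN value is a privileged group, and a SID that no longer resolves through any trust. It assumes the ActiveDirectory module and a domain account that can read the attribute (readable by default); the function name and the privileged-RID tables are the example’s own, and the tables list only the best-known privileged groups.

```powershell
# Added example, not part of the original article.
# Assumptions: ActiveDirectory module, run as a domain user who can read
# sIDHistory on all objects (the default). Read-only.
Import-Module ActiveDirectory

# RIDs of privileged accounts and groups; a domain SID is <domain SID>-<RID>.
$PrivilegedRids = @{
    500 = 'Administrator';   512 = 'Domain Admins';     516 = 'Domain Controllers'
    518 = 'Schema Admins';   519 = 'Enterprise Admins'
}
# BUILTIN groups carry the same SID in every domain.
$PrivilegedBuiltin = @{
    'S-1-5-32-544' = 'Administrators';    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators';  'S-1-5-32-551' = 'Backup Operators'
}

function Get-SidHistoryFindings {
    $domainSid = (Get-ADDomain).DomainSID.Value

    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass |
      ForEach-Object {
        $obj = $_
        foreach ($sid in $obj.sIDHistory) {          # SecurityIdentifier objects
            $sidString = $sid.Value
            $rid       = [int](($sidString -split '-')[-1])
            $issuer    = $sidString.Substring(0, $sidString.LastIndexOf('-'))

            # Can LSA still resolve it, locally or through a trust? If not, it is an
            # orphan that nobody reviews but that still lands in the access token.
            $account = $null
            try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

            $reasons = New-Object System.Collections.Generic.List[string]
            if ($issuer -eq $domainSid) {
                $reasons.Add('SID from this domain: never produced by a migration, typical of injection')
            }
            if ($PrivilegedBuiltin.ContainsKey($sidString)) {
                $reasons.Add("privileged BUILTIN group $($PrivilegedBuiltin[$sidString])")
            } elseif ($PrivilegedRids.ContainsKey($rid)) {
                $reasons.Add("privileged RID $rid ($($PrivilegedRids[$rid]))")
            }
            if (-not $account) {
                $reasons.Add('unresolvable: orphaned SID from a domain that no longer exists or is not trusted')
            }

            if ($reasons.Count -gt 0) { $severity = 'Review' } else { $severity = 'Info' }

            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                Class      = $obj.objectClass
                HistorySid = $sidString
                ResolvesTo = $account
                Severity   = $severity
                Reasons    = ($reasons -join '; ')
            }
        }
      }
}

# Show only the entries that need a decision; drop the Where-Object for the full inventory.
Get-SidHistoryFindings | Where-Object { $_.Severity -eq 'Review' } |
    Format-Table Object, HistorySid, ResolvesTo, Reasons -Wrap
```

Run it on a schedule and diff the full inventory between runs: a new same-domain or privileged entry that no migration project explains is the unauthorized change the paragraph above warns about.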
What do these vulnerabilities have in common? First, they’re easy targets. Second, they exploit legacy components. Third, they’re easy to stop—the caveat being that you need to know where and how to look.
- Know that attackers typically look for specific AD targets
When attackers target an AD environment, they’re not usually using sophisticated methods. They’re doing the digital equivalent of prowling a parking lot looking for an unlocked door or open window—the path of least resistance that will offer them the highest potential return.
Common targets include:
- Legacy systems: Older components are often underused, loosely monitored, and highly exploitable
- SID misconfiguration: Most commonly an orphaned or privileged SID lingering in sIDHistory
- Group Policy misconfiguration: Weak or stale security settings delivered through Group Policy are a common target
- Use testing tools to uncover vulnerabilities
Tools that scan your AD environment for indicators of exposure and compromise—such as Purple Knight, a free AD security assessment tool built by the Semperis team of AD experts—can help you uncover and address common vulnerabilities. Although the ideal approach is to use a solution that continuously monitors your AD environment for exploits, using a standalone tool like Purple Knight on a regular basis (twice a month is the sweet spot) will raise your awareness of potential problems and give you a roadmap for remediation.
Securing AD is an ongoing process
As the mainstay of identity and access management for most organizations, AD will continue to be a core piece of the infrastructure security puzzle, even as assets shift to the cloud: AD is the foundation of the hybrid identity architecture commonly used today. Even though AD isn’t going away anytime soon and has well-known security gaps, organizations can improve their overall security posture with frequent, systematic review of commonly exploited AD misconfigurations. AD remains a valuable tool. We just have to use it correctly and securely, as carelessness leaves the door open to adversaries.
About the Author
Tammy Mindel, Semperis Security Product Manager, has held customer and product-centric roles in the cybersecurity sector and has experience in application security, infrastructure/network security, incident response and forensics, and security best practices and standards.