    • 4 min read
    • Jul 12, 2021 10:08:30 AM

    Managing Active Directory Threats

    Do threats against your Active Directory keep you up at night? Honestly, they should. Active Directory is critical as it controls access to your systems and data. Ensuring that your Active Directory is secure should be one of your main priorities. In this blog, I list some of the most common Active Directory security issues and briefly detail how they should be approached.

    The usual suspects

    Do any of these look familiar to you? If so, you should start addressing these issues.

    1.   Excessive Administrator Accounts

    In this case “more” is not a good thing. When it comes to your AD system, if you have an overly long list of Active Directory users with Administrative rights and excessive privileges, it’s likely that there is the potential for privilege abuse, which is one of the leading causes of lateral movement for hackers.

    2.  Delegating Tasks in Active Directory

    Delegating tasks to users who have no real need to be in a power position like an administrator happens, but it’s a bad way to do business. Delegating tasks to non-administrators without proper oversight is a massive risk. One misstep or account failure and the entirety of an enterprise might be compromised. Don’t allow your tasks to be delegated, especially in an unmanaged way.

    3.  Bad Password Management

    Passwords are the main avenue of compromise in roughly ¾ of attacks on AD systems. One weak password, or an already compromised account bought on an underground site, is the only thing a hacker needs to become an administrator on your network. That single, simple thing can literally invalidate your entire security strategy and technology portfolio. Don’t fall down the password rabbit hole. Fix them and always mandate MFA.

    4.  Inactive Accounts

    Inactive accounts often seem to be harmless, but they usually hold administrative privileges and will be used as a platform for a hacker to gain access to your infrastructure. Inactive accounts should be removed entirely and audited regularly to make sure you are actively mitigating those risks.

    5.  Guest Access

    Be careful that your Guest and Anonymous accounts are not granted the same open access as regularly managed and authenticated users.

    6.  Lack of Visibility on Domain Controllers

    Not seeing or knowing who is logging into your Domain Controller makes it almost impossible to protect administrative accounts and privileged access. Ensure that you have a continuous and proactive way of auditing and controlling those logins, so that you can quickly react to anomalies.

    7.   Not Knowing Membership of Security Groups

    Members of security groups like Domain, Enterprise and Schema Administrators have the highest levels of privileges; they are the ultimate power players in your network, to be sure. If one of those users has bad credentials, the damage to your organization’s security could be catastrophic.

    To help minimize these risks, you should only grant membership to those accounts that need it, and withdraw group memberships the minute they are no longer required. Do not leave those accesses or accounts live any longer than is absolutely necessary.

    8.  Not Implementing Zero Trust Policies

    One of the main principles of a good Zero Trust policy dictates that users should only log on with an account that has the absolute minimum permissions required for their job, that’s it.

    You should be consistently tracking changes to privileges to ensure that the right users have the right levels of access to the right data, and nothing more is present. Doing this reduces your risk profile, increases visibility and accuracy of account management and will help you better respond to anomalies.
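
    One way to check items 1, 4 and 7 together, as an added example that is not from the original post or from GYTPOL: list every user in the Domain, Enterprise and Schema Admins groups and flag the ones that are inactive, disabled or have non-expiring passwords. It assumes the RSAT ActiveDirectory module, read access to a single-domain directory, and a 90-day inactivity threshold chosen for illustration.

```powershell
# Added example: audit members of the highest-privilege AD groups.
# Assumptions: RSAT ActiveDirectory module, single domain, 90-day threshold.
Import-Module ActiveDirectory

$StaleAfterDays   = 90   # assumption: set this to your own policy
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$Cutoff           = (Get-Date).AddDays(-$StaleAfterDays)

$report = foreach ($group in $PrivilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so a lookup from a child domain fails; warn and move on.
    try {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not read '$group': $($_.Exception.Message)"
        continue
    }

    # -Recursive expands nested groups, so indirect members are included.
    foreach ($member in ($members | Where-Object { $_.objectClass -eq 'user' })) {
        $props = 'LastLogonDate', 'PasswordNeverExpires', 'PasswordLastSet'
        $user  = Get-ADUser -Identity $member.distinguishedName -Properties $props

        # LastLogonDate comes from lastLogonTimestamp, which can lag by up to
        # about 14 days by default; an empty value means no recorded logon.
        [PSCustomObject]@{
            Group                = $group
            SamAccountName       = $user.SamAccountName
            Enabled              = $user.Enabled
            LastLogonDate        = $user.LastLogonDate
            Inactive             = (-not $user.LastLogonDate) -or
                                   ($user.LastLogonDate -lt $Cutoff)
            PasswordNeverExpires = $user.PasswordNeverExpires
            PasswordLastSet      = $user.PasswordLastSet
        }
    }
}

# Full membership list, for comparison against the people who should have it.
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Review queue: privileged accounts that are inactive, disabled or non-expiring.
$report |
    Where-Object { $_.Inactive -or -not $_.Enabled -or $_.PasswordNeverExpires } |
    Sort-Object Group, SamAccountName |
    Format-Table -AutoSize
```

    Saving the full list on a schedule and diffing it against the previous run gives a simple record of privilege changes over time.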

    GYTPOL can help

    GYTPOL offers Next Generation Active Directory assessment, providing continuous assessment 24×7. These days, this is a must, as the AD is a critical component. GYTPOL is able to detect real-time AD attacks and supports automatic remediation.

    About Author

    Tal Kollender

    With a background in hacking, Tal's filled senior cyber roles for the IDF and Dell EMC. In 2023, Tal was named "Cybersecurity Women Entrepreneur of the Year" by the Unite Cybersecurity Alliance.
