Simple Steps to Improve Active Directory Security
Active Directory is the most critical asset in your infrastructure, and most attacks are aimed at it. Since Active Directory ties your organization together, it is vitally important to keep it protected and hard to breach. Here are eight basic steps that will help you improve overall Active Directory security and avoid common security threats:
- Revoke Excessive Permissions
- Segregate Admin and Personal Accounts
- Disable Inactive Accounts
- Assign Permissions To Groups Not Users
- Keep the Group Names and Hierarchy Clear
- Keep Network Resources Names in Line with Groups
- Use Aliases for Email Addresses
- Enforce Strong Password Policy
Revoke Excessive Permissions
The organization evolves over time. Employees get promoted or move to other departments, and their duties and tasks change. Does your Active Directory domain structure keep up with these changes? Are you sure nothing is left behind and no permissions were granted "just in case"?
Dedicate some time to assess your forest structure and ensure it stays up to date with your organization. By up to date, I mean that no one has access to objects outside his or her scope of responsibility, no catch-all groups that can do everything exist, and the domain structure resembles your real org chart.
Why is this so important? Shouldn't we focus on external threats instead of routine reviews? Not yet. An employee browsing assets he or she is not in charge of is questionable in the first place. What is more, it exposes your domain to even more risk: if that user's identity is stolen, attackers will not hesitate to take advantage of the excessive permissions granted to the account.
Don't wait for it to happen. Review the rights assigned to each account and revoke permissions that are irrelevant to the user's role. The principle of least privilege should be applied to all accounts, including administrators and service accounts. For instance, instead of using the built-in Administrator account to fix mail-related issues, use the Exchange Administrators group.
Getting rid of unnecessary permissions benefits you in two ways:
- Makes administration much more transparent. Fewer items to go through and keep in mind.
- Reduces the risk of attackers taking control of digital assets the account shouldn't be able to access in the first place.
Segregate Admin and Personal Accounts
To be honest, this step follows from the previous one. I decided to keep it separate to emphasize its importance. Obviously, some employees need more advanced permissions to perform their daily tasks, for example system administrators. They monitor the IT infrastructure, manage users and permissions, and keep the company's domain running. Because of their elevated permissions, administrative accounts are appealing to attackers who seek to exploit them and break into your systems.
To keep administration accountable, administrative tasks should be kept separate from personal user activity such as reading email or answering support requests. Administrators, security, or helpdesk personnel can use two accounts: an "on duty" account and a personal one (for example, org.com\admin_j.johnson and org.com\j.johnson). You can go further and use separate workstations for the two purposes. In that case, the more powerful accounts are protected from compromise and phishing attacks aimed at the personal account.
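The review that the two sections above ask for (who holds privileged membership, and whether each privileged member is a dedicated admin account rather than a personal one) can be run as a script. The PowerShell below is an added example, not code from the original article; it assumes the ActiveDirectory module, the built-in group names listed, and the "admin_" prefix from the article's org.com\admin_j.johnson example as the convention for dedicated admin accounts.

```powershell
Import-Module ActiveDirectory

# Privileged groups to review. These five are built-in; add your own delegated admin groups.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')

# Assumption: dedicated administrative accounts carry an "admin_" prefix (org.com\admin_j.johnson).
$adminNamePattern = '^admin_'

$findings = foreach ($groupName in $privilegedGroups) {
    try {
        # -Recursive expands nested groups, so indirect members are not missed
        $members = Get-ADGroupMember -Identity $groupName -Recursive
    } catch {
        Write-Warning "Could not enumerate '$groupName': $($_.Exception.Message)"
        continue
    }
    foreach ($member in ($members | Where-Object objectClass -eq 'user')) {
        $user = Get-ADUser -Identity $member.DistinguishedName -Properties EmailAddress, LastLogonDate

        # A privileged member that does not follow the admin naming rule is most likely a personal
        # account used for administration; an admin account with a mailbox is exposed to phishing.
        $concern = if ($user.SamAccountName -notmatch $adminNamePattern) {
            'Personal account holds privileged membership'
        } elseif ($user.EmailAddress) {
            'Admin account has a mailbox'
        } else {
            ''
        }

        [PSCustomObject]@{
            Group          = $groupName
            SamAccountName = $user.SamAccountName
            Enabled        = $user.Enabled
            LastLogonDate  = $user.LastLogonDate
            Concern        = $concern
        }
    }
}

$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# The flagged rows are the worksheet for the clean-up; re-run the script after each change
$findings | Where-Object Concern | Export-Csv -Path .\privileged-account-review.csv -NoTypeInformation
```

Run it from an account that can read group membership (no changes are made). A row in the CSV means either a personal account that should lose its privileged membership in favour of a dedicated admin account, or an admin account that still has a mailbox and therefore receives phishing mail.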
Disable Inactive Accounts
As another round of Active Directory clean-up, check all accounts and identify those that are currently not in use but will still be needed in the future. These accounts are more prone to compromise: since no one uses them at the moment, a stolen identity is harder to spot and stays concealed longer.
Set up a control procedure to disable accounts when they are not needed. Examples are accounts of seasonal workers at the end of each working period, or accounts of partner representatives who visit your office only once a quarter or so. Disabling accounts when they are not in use is a best practice. Keeping them enabled all the time can lead your company into trouble.
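One way to find the accounts this section describes and disable them in a controlled way is a periodic sweep like the one below. It is an added example, not part of the original article; it assumes the ActiveDirectory module, a 60-day inactivity threshold and an OU name for accounts that are expected to stay dormant, all of which are placeholders to adjust.

```powershell
Import-Module ActiveDirectory

# Assumption: 60 days without a logon counts as inactive; set this to match your own policy
$inactiveDays = 60
$cutoff = (Get-Date).AddDays(-$inactiveDays)

# Assumption: accounts that are expected to stay dormant (seasonal staff, visiting partners)
# live in this OU and are handled by the explicit disable/enable procedure, not by this sweep
$excludeOu = 'OU=Seasonal,DC=org,DC=com'

# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to 14 days of lag,
# so treat the date as approximate and keep a margin before disabling.
$candidates = Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$excludeOu" } |
    Get-ADUser -Properties LastLogonDate, WhenCreated, Description |
    Where-Object { $_.WhenCreated -lt $cutoff }   # a brand-new account has no logon yet; it is not "inactive"

$candidates |
    Select-Object SamAccountName, LastLogonDate, WhenCreated, Description |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

# Disable with -WhatIf first. Drop -WhatIf once the list has been confirmed with the account owners.
foreach ($user in $candidates) {
    $note = "Disabled $(Get-Date -Format 'yyyy-MM-dd'): no logon for $inactiveDays+ days"
    $description = if ($user.Description) { "$($user.Description) | $note" } else { $note }
    # Record why the account was disabled so that a later review (or re-enable) has the context
    Set-ADUser -Identity $user -Description $description -WhatIf
    Disable-ADAccount -Identity $user -WhatIf
}
```

Disabling, not deleting, keeps the SID and group memberships intact for the accounts the section says will be needed again; the description stamp is what tells the next administrator why the account is off.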
Assign Permissions to Groups, Not Users
Are you guilty of assigning permissions directly to users? At some point, we all are. Some may argue that it's more transparent to grant permissions directly: after all, you see the final list of usernames instead of vague groups. However, this practice makes things much more confusing in the long run.
As discussed before, users get promoted or move to other departments. The administrator then has to go through every object the account has access to and manually revoke the permissions, one after another. When permissions are inherited through group membership, the organizational structure stays the same while accounts are moved between groups. This approach ensures that no excess permissions are left behind and attackers cannot take advantage of forgotten direct assignments.
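To find the direct user assignments this section warns about, the explicit access control entries on a resource can be resolved against the directory and classified as user or group. The script below is an added example, not the article's own; it assumes the ActiveDirectory module, a placeholder file share and OU, and that the module's AD: drive is available for reading directory object ACLs.

```powershell
Import-Module ActiveDirectory

# Assumption: placeholder paths. File shares are read through the file system; directory
# objects (here an OU) are read through the ActiveDirectory module's AD: drive.
$paths = @('\\fileserver\Sales', 'AD:\OU=Sales,DC=org,DC=com')

# Classify a trustee as user, group, or unresolved (well-known SIDs such as SYSTEM do not resolve,
# and neither do orphaned SIDs left behind by deleted accounts)
function Get-TrusteeClass {
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $object = Get-ADObject -Filter "objectSid -eq '$sid'"
        if ($object) { return $object.objectClass } else { return 'unresolved' }
    } catch {
        return 'unresolved'
    }
}

$report = foreach ($path in $paths) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }    # only explicit entries are assignments someone made here
        $class = Get-TrusteeClass -Identity $ace.IdentityReference
        # File ACEs expose FileSystemRights, directory ACEs expose ActiveDirectoryRights
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights } else { $ace.ActiveDirectoryRights }
        $flag = if ($class -eq 'user') { 'DIRECT USER ASSIGNMENT' } else { '' }
        [PSCustomObject]@{
            Path    = $path
            Trustee = $ace.IdentityReference.Value
            Class   = $class
            Rights  = $rights
            Type    = $ace.AccessControlType
            Flag    = $flag
        }
    }
}

$report | Sort-Object Path, Class | Format-Table -AutoSize

# Flagged rows are the ones to move onto a group before the permission is revoked from the user
$report | Where-Object Flag | Export-Csv -Path .\direct-user-permissions.csv -NoTypeInformation
```

Rows whose class is "unresolved" deserve a look as well: an entry that no longer resolves to any directory object is usually a leftover from a deleted account and can simply be removed.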
Keep the Group Names and Hierarchy Clear
You know the "assign permissions to groups" mantra. Now take a look at your directory: can you tell what each security or distribution group stands for? Are there any names that make no sense? I bet there are.
The way you name Active Directory groups and organizational units should encourage your fellow system administrators to use groups and not direct right assignments. The name should clearly articulate the purpose of the group and its position in the domain hierarchy.
A great way to achieve this level of transparency is to follow Microsoft-recommended naming conventions or design your own in-house standard. Either way, use prefixes that indicate location, department, or task the group is in charge of. Be creative and specific when it comes to describing the group purpose. Prefer meaningful words over general placeholders (e.g., Accountants-fullaccess instead of Department_1).
Let's say you have two teams of Toronto-based system administrators working in shifts, whose main responsibility is resetting passwords. The original group names were "GL-SEC-Toronto-AdminsA" and "GL-SEC-Toronto-AdminsB". While in line with a naming convention, these names are confusing: they do not help you distinguish the groups and do not hint at their purpose. Try renaming these groups to "GL-SEC-Toronto-AdminsDayShift-pswreset" and "GL-SEC-Toronto-AdminsNightShift-pswreset". Now you can guess each group's main function and see that it has a twin in the domain hierarchy.
Sticking to naming conventions and long names may seem too formal at first. In fact, it helps keep your Active Directory entities organized. Whenever a user account should be granted permission to access a resource or perform some action, a system administrator will be able to find the right group just by browsing group names.
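A naming convention only helps if it is actually followed, so it is worth checking the existing groups against it. The script below is an added example and not from the original article; the convention it encodes (scope-type-location-team-purpose, with GL/DL/UN and SEC/DIST prefixes) is an assumption modelled on the article's "GL-SEC-Toronto-AdminsDayShift-pswreset", and the search OU is a placeholder. Beyond matching the pattern, it also checks that the prefix agrees with the group's real scope and category, which is where stale or copied names usually go wrong.

```powershell
Import-Module ActiveDirectory

# Assumption: in-house convention <Scope>-<Type>-<Location>-<Team>-<Purpose>, modelled on the
# article's GL-SEC-Toronto-AdminsDayShift-pswreset. Scope GL/DL/UN, type SEC/DIST, purpose required.
$convention  = '^(?<scope>GL|DL|UN)-(?<type>SEC|DIST)-(?<location>[A-Za-z]+)-(?<team>[A-Za-z0-9]+)-(?<purpose>[a-z0-9]+)$'
$scopePrefix = @{ Global = 'GL'; DomainLocal = 'DL'; Universal = 'UN' }

# Placeholder words that say nothing about what the group is for (the article's Department_1)
$placeholder = '(?i)\b(test|temp|new|old|misc)\b|department_?\d+'

# Assumption: the groups to check live under this OU
$searchBase = 'OU=Groups,DC=org,DC=com'

$report = Get-ADGroup -Filter * -SearchBase $searchBase -Properties Description | ForEach-Object {
    $issues = @()
    if ($_.Name -match $convention) {
        # The prefix must also agree with the group's real scope and category
        $expectedScope = $scopePrefix[$_.GroupScope.ToString()]
        if ($Matches.scope -ne $expectedScope) {
            $issues += "prefix $($Matches.scope) but scope is $($_.GroupScope)"
        }
        $expectedType = if ($_.GroupCategory -eq 'Security') { 'SEC' } else { 'DIST' }
        if ($Matches.type -ne $expectedType) {
            $issues += "prefix $($Matches.type) but category is $($_.GroupCategory)"
        }
    } else {
        $issues += 'does not match naming convention'
    }
    if ($_.Name -match $placeholder) { $issues += 'name uses a placeholder word' }
    if (-not $_.Description)         { $issues += 'no description' }

    [PSCustomObject]@{
        Name     = $_.Name
        Scope    = $_.GroupScope
        Category = $_.GroupCategory
        Issues   = $issues -join '; '
    }
}

$report | Where-Object Issues | Sort-Object Name | Format-Table -AutoSize
"{0} of {1} groups need attention" -f @($report | Where-Object Issues).Count, @($report).Count
```

Renaming a group does not change its SID, so permissions keep working after a rename; the risk is only in scripts or documentation that reference the old name, which is one more reason to fix names early.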
Keep Network Resource Names in Line with Groups
You are on the right track. It's time to review your digital assets once again. Check the names of all your network resources (shared folders, printers, shared mailboxes, calendars, etc.). Like AD groups, they should follow a naming convention. For example, put the name of the department that owns a resource in its prefix (e.g., Sales_Offers). Coordinate Active Directory group names and network resource names so that they line up with each other.
With proper naming and a direct relation between group and resource names, you will clearly see who owns a resource and who does not. This brings you an extra level of security: if an internal bad actor or an outside attacker gains access to one of your digital assets, you will immediately recognize that the account should not hold that permission and revoke it. In short, clear naming is key to security management.
Use Aliases for Email Addresses
Intruders start small: they try to take control of any account in your Active Directory and then use it to compromise more powerful admin accounts. But how do they learn about your company's account names in the first place? Email! Most companies still use the same names for domain usernames and mailboxes.
Whenever an employee sends an email or signs up for a newsletter, his or her account name is revealed, and attackers can use that information to attempt to steal the identity. An easy way to counter this threat is to create aliases for email addresses so that the published address differs from the logon name. This is a simple yet effective way to reduce the risk of compromise.
Enforce Strong Password Policy
Please, please, please enforce strong password and lockout policies. Obvious, yet super effective. Insist on password complexity, keep a password history, define the minimum (yes!) and maximum password ages, and require passwords to be changed every 30 to 45 days. Lock out accounts after three to five failed login attempts and keep them locked for about 30 minutes to minimize the risk of a brute-force attack.
A strong password that is difficult to guess is the first line of defense and should be taken seriously. As a system administrator, you are encouraged to enable two-factor authentication. If you are not comfortable establishing new rules company-wide at this point, at least enable two-factor authentication for admin accounts and for users who connect over RDP, as these accounts are the most exposed and the most appealing to attackers.
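The password and lockout settings above map directly onto the default domain password policy, and the stricter treatment of admin accounts can be expressed as a fine-grained password policy. The script below is an added example, not code from the article; it uses the article's figures (45-day maximum age, lockout after 5 attempts for 30 minutes for everyone, 30 days and 3 attempts for admins) and assumes a 14- and 20-character minimum length, which the article does not specify. Two-factor authentication is not an Active Directory setting and is not covered here.

```powershell
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Default domain policy with the article's figures: complexity on, history kept, a minimum age
# (so users cannot cycle straight back to an old password), a 45-day maximum age, and lockout
# after 5 failed attempts for 30 minutes. Assumption: the 14-character minimum is not from the article.
$defaultPolicy = @{
    Identity                    = $domain.DistinguishedName
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 45)
    LockoutThreshold            = 5
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)   # must not exceed LockoutDuration
}
Set-ADDefaultDomainPasswordPolicy @defaultPolicy

# A stricter fine-grained policy for dedicated admin accounts (needs a Windows Server 2008 or later
# domain functional level). A lower Precedence value wins when several policies apply to one account.
$adminPolicy = @{
    Name                        = 'PSO-AdminAccounts'
    Precedence                  = 10
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 20
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 30)
    LockoutThreshold            = 3
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($adminPolicy.Name)'")) {
    New-ADFineGrainedPasswordPolicy @adminPolicy
}
# Apply it to the privileged group; add your own admin account groups to the list
Add-ADFineGrainedPasswordPolicySubject -Identity $adminPolicy.Name -Subjects 'Domain Admins'

# Verify what is actually in force
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, MinPasswordAge, MaxPasswordAge, LockoutThreshold, LockoutDuration

# Assumption: admin_j.johnson is the article's example admin account; this shows the policy that wins for it
Get-ADUserResultantPasswordPolicy -Identity 'admin_j.johnson'
```

The resultant-policy check at the end is the one to keep in a runbook: a fine-grained policy that has not been linked to the right group silently leaves the account on the weaker domain default.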
The security principles listed above are basic and somewhat obvious. However, they have proved effective against Active Directory attacks. If you haven't incorporated them yet, then hurry up!
There is much more to say about Active Directory security, with more best practices and advanced workflows to follow, but the key to Active Directory security is ongoing monitoring and keeping up with changes in your environment. Make sure to document your forest structure and review it regularly, educate your personnel to follow naming conventions and basic security practices, and set up an effective auditing and risk mitigation framework.