Active Directory security best practices
(Last updated on February 22, 2021)
At the heart of your organization’s computers, users, and IT infrastructure, you will find Active Directory. Used to mirror the corporate structure of a business, Active Directory houses sensitive data for more than 90% of all organizations. On any given workday, users with active accounts collectively authenticate up to 10 billion times.
Active Directory attacks
While Active Directory is designed with security in mind, its possession of the crown jewels makes it an attractive target for hackers. Their strategy is methodical. First, find a way in; it could be as simple as USB baiting, a social engineering technique accomplished by planting USB sticks with malicious content at places where users of the target network/system are likely to find them. Once access to a workstation is obtained, use a publicly available tool (the same ones available to penetration testers) to move laterally from one compromised machine to another. Then escalate privileges to gain administration rights (even with basic access, attackers can escalate privileges and obtain administrator access in less than 72 hours), and finally, steal data!
As attacks get more sophisticated, thanks to automated tools, poor Active Directory hygiene can put your organization at risk. The Active Directory security best practices provided below address security vulnerabilities in your organization, and serve as barriers for attackers.
The Assume Breach mindset
Organizations should assume attackers can get in, or that they have already gotten in: it is not a question of if, but of how long. Hackers are not always interested in gathering data within a day; instead, they may monitor data over a period of time. The mean number of days that an attacker resides within a victim’s network before detection is 200+ days.
A zero trust position entails applying additional controls around Active Directory. A real-time monitoring system along with alerting is an important part of early detection. Cataloging past activity will provide an easy comparison of current state and past state. Interestingly, 66% of breach victims had sufficient evidence within their logs to discover the breach. Finally, regular password changes can help protect your system from users who tend to reuse passwords – if their password is compromised elsewhere.
The Principle of Least Privilege
Administrator privileges should only be granted to users performing tasks that span across Active Directory domains, or activities that require elevated permissions. To ensure accountability and move beyond a single point of failure, each administrator should have their own admin account – as opposed to a shared generic account with full rights. Furthermore, each administrator should have a separate user account, for day-to-day activities. For maximum security, a physical machine locked down to access only the internal server should be used for administrator tasks. For low-level activities, a virtual machine inside the physical machine can be granted outside access, without access to the host operating system that contains the elevated access.
Finally, watch out for any stale admin accounts as they can be used to access resources without being noticed. Our free tool, Specops Password Auditor, identifies stale admin accounts by reading the lastLogonTimestamp.
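The same check can be scripted with the ActiveDirectory PowerShell module. The following is an added example, not the Specops tool: it enumerates members of the built-in privileged groups and flags enabled accounts whose lastLogonTimestamp is older than a chosen threshold (the 90-day cutoff and the group list are assumptions you should adapt to your domain).

```powershell
# Added example: find stale privileged accounts via lastLogonTimestamp.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$StaleDays = 90   # assumed threshold; adjust to your policy
# lastLogonTimestamp is replicated with up to ~14 days of lag, so treat the
# value as approximate and never as a precise "last seen" time.
$Cutoff = (Get-Date).AddDays(-$StaleDays)

# Groups that grant broad rights; Enterprise/Schema Admins exist only in the forest root.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'

# -Recursive expands nested groups, which is where forgotten admin accounts often hide.
$Members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
}

$Report = $Members | Sort-Object -Property distinguishedName -Unique | ForEach-Object {
    $u = Get-ADUser -Identity $_.distinguishedName -Properties lastLogonTimestamp, whenCreated, PasswordLastSet
    # lastLogonTimestamp is a Windows FILETIME (100 ns ticks since 1601); 0/null means never logged on.
    $last = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    [PSCustomObject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        LastLogon       = $last
        DaysSinceLogon  = if ($last) { [int]((Get-Date) - $last).TotalDays } else { $null }
        PasswordLastSet = $u.PasswordLastSet
        # Stale: never logged on but created before the cutoff, or last logon before the cutoff.
        Stale           = (-not $last -and $u.whenCreated -lt $Cutoff) -or ($last -and $last -lt $Cutoff)
    }
}

# Enabled + stale is the combination to act on (disable, then review and remove).
$Report | Where-Object { $_.Stale -and $_.Enabled } |
    Sort-Object DaysSinceLogon -Descending |
    Format-Table SamAccountName, LastLogon, DaysSinceLogon, PasswordLastSet -AutoSize
```

Run it from a workstation with the ActiveDirectory module installed; disabled-but-stale accounts are filtered out here, but they still warrant removal from the privileged groups.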
One way of handling administrator privileges is through delegation. Custom delegation groups should be in place to set privileges at the lowest level required for their responsibility. For example, common helpdesk tasks, such as unlocking accounts, and resetting passwords, do not require full control over an Organizational Unit.
Employees, contractors, service providers, and other insiders are in an opportune position to compromise data. While the term Insider Threat often implies a deliberate wrongdoing, it can also encompass users that are careless or unaware of organizational security policies. Regardless of intent, there are some effective measures for stopping this threat. End-user training is an obvious start. Employees need to know what security policies are in place, and why. Next, you need a process for de-provisioning users that begins with immediate IT notification of any user changes. IT will have to disable/delete the relevant account, and remove the user from all groups and distribution lists. Temporary staff, contractors, interns, and visitors should have accounts with expiration dates. If temporary access to sensitive groups is required, you can assign temporary group memberships with automatic start and end dates.
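The expiration dates and time-limited group memberships described above can be set directly in Active Directory. This is an added example, not from the article: it gives a constructed contractor account an expiry date and adds it to a delegation group with a time-to-live, which requires the Privileged Access Management optional feature (Windows Server 2016 forest functional level or later). The account and group names are placeholders.

```powershell
# Added example: time-bound access for a temporary account.
# Assumes the ActiveDirectory module, rights to modify the account and group,
# and a forest at the 2016+ functional level (needed for membership TTLs).
Import-Module ActiveDirectory

$Contractor = 'contractor.sample'          # constructed sample account
$Group      = 'Helpdesk-PasswordReset'     # constructed delegation group
$ContractEnd = (Get-Date).AddDays(30)      # assumed contract end date

# 1. Expire the account itself so it stops authenticating when the engagement ends,
#    even if the off-boarding notification to IT is late.
Set-ADAccountExpiration -Identity $Contractor -DateTime $ContractEnd

# 2. Membership TTLs depend on the PAM optional feature. Enabling it is a one-way
#    forest-wide change, so check first and only enable after a deliberate decision.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
}

# 3. Grant the group for a fixed window; AD removes the member when the TTL expires,
#    so there is nothing to remember to clean up later.
Add-ADGroupMember -Identity $Group -Members $Contractor -MemberTimeToLive (New-TimeSpan -Hours 8)

# 4. Verify. With -ShowMemberTimeToLive, expiring members are listed as <TTL=seconds,DN>.
(Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member

# 5. Confirm the account expiry took effect.
Get-ADUser -Identity $Contractor -Properties AccountExpirationDate |
    Select-Object SamAccountName, AccountExpirationDate
```

A membership that must start in the future rather than immediately is not expressed by the TTL; schedule the Add-ADGroupMember call for the start time instead.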
Monitor passwords for compromise
Many of the recent data breaches are the direct result of compromised passwords. Unfortunately, the built-in Active Directory policies don’t stop users from making poor password choices. That’s why we recommend auditing existing passwords to check for vulnerabilities. Specops Password Auditor (Free Tool) detects security weaknesses specifically related to password settings. By scanning your Active Directory, the tool collects and displays multiple interactive reports containing user and password policy information. The Breached Passwords report finds user accounts with passwords that are known to be leaked. The accounts in this list should be prompted to change their password. For more information on how to audit Active Directory passwords, read Active Directory password audit best practices.
Active Directory security is a moving target, and while the periodic security audit will ensure that it is being properly managed, keeping an eye on daily changes is just as important. The best practices outlined in this document are certainly a good place to start if organizational security is keeping you up at night.