How to lock down your Active Directory password reset process
Attackers target helpdesks with social engineering attacks to gain unauthorized access to user accounts, which they can use to compromise an environment or launch ransomware attacks. When done effectively, they can bypass MFA and avoid having to verify their identity. It’s possible (and highly recommended) to have a solution in place that lets helpdesk agents accurately verify the identity of callers. However, if you have a solution in place to verify end users and securely reset passwords, you want to make sure this is the only way helpdesk agents can reset a password.
We’ll share some steps you can take to ‘lock down’ the password reset process within Active Directory. First, it’s important to understand why an organization would want to tighten up their password reset process. Let’s start with a recent cyber-attack on MGM Resorts highlighting the vulnerability of helpdesks to fraudulent calls and the importance of service desk agents being able to accurately enforce user verification.
MGM Resorts attack: A lesson in social engineering
In September 2023, MGM Resorts’ infrastructure was compromised by a hacking group known as Scattered Spider. The hackers gained access by using social engineering to trick helpdesk personnel. It’s believed the group found an MGM Resorts employee’s information on LinkedIn and then called the helpdesk, posing as an employee who had lost their device and needed a password reset. After helpdesk staff gave the attacker a temporary password, they were able to gain an initial foothold in the environment and launch a ransomware attack.
The resulting ransomware attack affected MGM’s operations for around ten days before operations were able to return to normal. However, it was later disclosed that the hacker group gained access to its guests’ personal information, including names, contact information, Social Security Numbers, and other information. This attack underscores the need for organizations to have a way to verify the identity of users needing password resets and other account-related information.
Secure Service Desk: Combine security with user experience
Specops Secure Service Desk allows organizations to effectively verify the identity of end-users calling the help desk for password resets. Using Secure Service Desk, help desk staff can send a one-time code to a mobile number associated with the user’s account. It also allows integration with common identity services that may already be used, like Duo Security, Okta, and others. This allows the helpdesk to take charge of secure password resets, enforcing the need to validate identity for end users requesting password resets and other account operations.
If helpdesk agents follow the workflow correctly, they can avoid situations like at MGM Resorts where a hacker attempts to circumvent the verification process. So if your organization is already using a tool such as Secure Service Desk to validate identity, how can IT teams ‘lock down’ this process and enforce proper user verification and secure password resets?
Enforcing user verification for password resets
To avoid social engineering scenarios, organizations need to remove the ability for service desk personnel to reset passwords outside of the proper workflow for user identity verification. It shouldn’t be possible for someone to phone up with an excuse and circumvent the verification process. There are some steps you can take to tighten up the process within your Active Directory.
Active Directory groups
Built-in Active Directory Domain Services (AD DS) groups can reset passwords. For example, users in the Account Operators or Domain Admins groups can reset passwords. Service desk users added to these groups would be able to reset passwords outside of the workflows implemented by Specops Secure Service Desk.
Rather than using the built-in groups in Active Directory to allow the permissions for password resets, it’s better to create custom security groups with precisely the permissions needed by the help desk staff. Using the built-in Active Directory Delegation of Control Wizard, you can give granular in Active Directory to perform specific tasks. Below, in the Delegation of Control Wizard you can delegate permissions for specific tasks, including Modify the membership of a group. Creating specific groups with granular permissions ensures service desk members don’t have overprovisioned permissions.
Delegated permissions in Active Directory Domain Services
For environments that already have delegated permissions before implementing a strategy for enforcing identify verification, you can use PowerShell to discover permissions delegated permissions in Active Directory Domain Services (AD DS).
- Open PowerShell with Administrative Privileges: To run PowerShell commands that interact with Active Directory, you need to have administrative privileges. Right-click the PowerShell icon and select “Run as administrator”.
- Import the Active Directory Module: You must import the Active Directory module before using AD-specific cmdlets. Use the following command:
- Identify the AD Object: Determine the distinguished name (DN) or path of the AD object (like an OU) for which you want to check the delegated permissions. For example, if you want to check the permissions of an OU named ‘Sales,’ find its DN. You can do that in AD DS, by looking at the advanced properties of the OU object.
Getting the Distinguished Name for an AD DS OU
- Get the ACL of the AD Object: Use the Get-Acl cmdlet to get the ACL of the object. For example:
$acl = Get-Acl -Path "AD:\OU=Sales,DC=yourdomain,DC=com"
- Analyze the ACL Entries: The ACL contains a list of access control entries (ACEs) that define the permissions. You can view these entries using:
$acl.Access | Format-Table
- Filter and Examine the Results: The output will list the security principals (users or groups) and assigned permissions. Look at the delegated permissions in the output, like specific rights granted to non-administrative users or groups.
- Export the Results (Optional): If you want to save the results, you can export them to a CSV file:
$acl.Access | Export-Csv -Path “C:\path\to\output.csv” -NoTypeInformation
Below is an example of the CSV output from the PowerShell export of access control lists for a specific OU.
Try Specops Secure Service Desk
Verifying identity for end-user password reset requests is a must due to attackers using social engineering and other attack vectors to steal credentials via helpdesks. Service desk agents need the right tools to verify identity and validate users are who they say they are. Specops Secure Service Desk is a great solution to provide the help desk with the tools needed for proper identity verification.
However, organizations also need to enforce the workflows provided by Secure Service Desk to ensure identity is verified properly. Proper permission delegation and auditing existing delegated permissions are important to govern who has permission to reset user account passwords directly.