Active Directory (AD), a directory service developed by Microsoft for Windows domain networks, is most organizations’ primary store for employee authentication and identity management, and controls which assets / applications / systems a user has access to. This makes Active Directory a valuable target for attackers and spur organizations to improve its security.
But Guido Grillenmeier says that the technology has been dropped from the corporate agenda.
“Active Directory is considered commodity technology these days – after all, this technology should have matured after more than 20 years of being in use. And from an infrastructure resilience and stability point of view, this statement is correct. But, sadly, not from a security point of view, where various weaknesses of AD are being used increasingly by cyber-criminals to attack companies,” he told Help Net Security.
“AD is being too easily compromised and allows intruders to gather intelligence of a company’s IT assets, steal corporate data and then request ransom payments after having encrypted much of the corporate IT assets, including the AD service itself.”
A lifetime of dedication
Grillenmeier has witnessed the introduction of Active Directory over two decades ago and was immediately fascinated with its complexity and potential.
He got his professional start at HP in the mid ’90s and soon became a Windows-centric infrastructure consultant, designing and migrating customers to Windows NT with various lighthouse projects for HP.
With the evolution of Windows NT to Windows 2000, he became a specialist for the new Active Directory (AD) domain services, honing his skills and earning experience through various large-scale projects around the globe and situations that involved helping customers to survive AD disasters caused by operational mistakes.
“It’s those disasters that helped me to further dig into the details of the technology and better understand its weaknesses. Over the years, special work for the German government further helped me to understand the intricate details of Active Directory security as this often required a lockdown of AD way beyond your standard corporate configuration,” he shared.
Grillenmeier was a Microsoft MVP for Directory Services for 12 years, and his recent appointment to the post of chief technologist at Semperis is an opportunity for him to concentrate on helping companies protect themselves and their AD environments and, in worst-case scenarios, to recover quickly from a disaster.
“Those who are not prepared to recover their AD quickly from a malware attack will have a very hard time recovering the rest of their business any quicker as so many applications and services still depend on a well-functioning Active Directory,” he noted.
AD and the cloud
The ever-increasing need for more IT services and the rising cost of hosting one’s own IT infrastructure in one’s own datacenters has pushed many organizations towards hosting these services in someone else’s datacenter, he says. Consequently, they had to synchronize their primary identity store – their on-premises Active Directory service – to an identity provider in the cloud (e.g., Microsoft Azure Active Directory).
This adjustment is also often influenced by attractive cloud offerings, such as Office 365 with Teams and other cloud-native applications, which require a cloud-based identity for the users that use the service.
Grillenmeier notes that there are several ways that employees can authenticate to these cloud applications: authentication decisions can be made in the cloud, or via federation services to allow a company to have more control on this sensitive process.
“Many businesses either don’t trust the cloud services enough to allow them to perform the actual authentication of the user or they have compliance obligations to follow, which do not allow handing out this level of trust to a third party,” he explained.
“To circumvent this problem, they set up federation services between their own on-premises directory services and the cloud. In such a setup, the cloud puts full trust in the federation service to correctly prove a user’s identity, allowing their employees to log onto cloud services with their on-premises identity, often coupled with a third-party multi-factor (MFA) solution. By signing on this way, the cloud provider trusts your on-prem AD with the authentication and will then grant access to the employees’ requested cloud applications (e.g., Microsoft Teams).”
In the latter scenario, enterprise security relies even more on a sound and well-operated Active Directory service, because the risk encompasses malicious (or revoked) access to both the company’s on-prem applications and the cloud applications.
“Likewise, depending on the configuration of the cloud identity service such as Azure AD, the on-prem AD may be at risk when a breach is occurring within a company’s cloud application. In this hybrid world that we live in, the security posture of any company requires proper management of both their on-prem AD, as well as their cloud-identity stores,” he added.
Tips to improve your Active Directory security posture
Grillenmeier points out that the core of Active Directory was designed over 20 years ago, and that no AD deployment operated from the early days of its inception would be considered secure today if the improvements that Microsoft has made over the years haven’t been implemented.
These include powerful features such as the Protected Users security group and Authorization Policy Silos (introduced with Windows Server 2012 R2), and the shielded VMs and Privilege Access Management (introduced with Windows Server 2016).
By now, there are also a variety of tools available for free on the market to raise the awareness of what the security posture of one’s on-prem AD looks like.
“Some examples are BloodHound, PingCastle and our newly released Purple Knight tool, which will help organizations to get a better idea of which holes need mending in their AD,” he shared.
Grillenmeier advises companies to perform at least periodic scans of their Active Directory setup with these and similar tools, and then work on remediating the discovered security issues before an intruder finds and exploits them first.
“Performing a manual scan on a weekly basis is much better than not doing it at all, but companies should also consider investing into proper security monitoring tools that are integrated with their SIEM to allow immediate warning when a new vulnerability exposes their AD again,” he opined.
“This could easily be one you might have closed after your previous scan – e.g., granting ‘unconstrained Delegation’ to a computer object, allowing any process to impersonate any user elsewhere in the network – and has been re-introduced by an uninformed application owner or help desk personnel. Unfortunately, your next manual AD security scan may be too late to find out about it.”
Finally, despite all security measures and efforts, the worst may still happen: a zero-day exploit could be used to take down your complete AD service and all your other business applications with it, with a crypto-locker following to make all systems and possibly their backups unusable.
“Microsoft provides a very good whitepaper on AD forest recovery but fails to provide true help to allow for a quick recovery,” he noted.
“Normal OS-level backups won’t do the trick – either companies figure this out on their own and speed up the process with proper scripts, and lots of testing in their labs, or they think about well suited third-party tools that could fully automate such an AD forest recovery for them.”