Securing Active Directory: How to avoid common mistakes and ensure resilience to attacks

You can read this article in Ukrainian: https://tinyurl.com/23jt9hbg

For over two decades, Active Directory has reigned supreme as the go-to solution for managing identities and access within organizations. The technology itself hasn't undergone significant changes. System administrators know it very well — and so do hackers.

This lack of innovation necessitates a fresh perspective on securing AD infrastructure and the broader network resources it safeguards. Attackers, leveraging advanced techniques, have breached AD from both external and internal vantage points. Unfortunately, traditional security tools and strategies have proven inadequate, as evidenced by the rising number of successful attacks and the persistent vulnerabilities plaguing AD. While a single solution cannot eliminate all security concerns associated with AD, employing the right tools and adopting a comprehensive approach can significantly bolster defenses and mitigate attacks.

This article will discuss modern AD threats and ways to confront them.

What you should know about AD

Active Directory has been around for a long time — over 20 years! While some things haven't changed, like the information it stores, this lack of updates has both good and bad sides.

The good news: admins already familiar with AD don't need much extra training, since it hasn't changed much.

The bad news: attackers know this too. They can use this knowledge to find weaknesses and launch complex attacks to take control of an entire network.

If organizations don't update their defenses, attackers will find ways to get in. New security approaches need to break this cycle to keep networks safe.

Let's highlight the following points related to AD protection:

  • The environment is based on domains and forests
  • Users, groups, and computers are the core objects
  • Each domain is broken down for the management of objects using organizational units (OUs)
  • Group Policy is the preferred method for controlling users and computers
  • Required services such as DNS and DHCP remain consistent
  • Kerberos and NTLMv2 remain the preferred authentication protocols
  • Password policy controls remain unchanged and stagnant

AD Security Solutions

Microsoft has tried different tools to secure on-premises Active Directory over the years, but most haven't lasted long. They either stop being supported or get replaced with other solutions.

The one exception is Group Policy. It's like the old reliable tool in the toolbox. It's been updated with the inclusion of many ADM/ADMX customizations, Group Policy Preferences, and Advanced Audit Policy. Still, the core of Group Policy has mostly stayed the same.

Here are other security solutions introduced over the years:

  • Auditing and Advanced Auditing
  • Security Configuration Wizard (SCW)
  • Security Compliance Manager (SCM)
  • Desired State Configuration (DCM)
  • Local Administrator Password Solution (LAPS)
  • Protected Users group

The other security tools for on-premises Active Directory struggle to provide comprehensive protection. They often have limited impact, only affecting specific computers, settings, and threats. Additionally, some valuable tools suffer from low adoption due to a lack of awareness. This combination significantly weakens their ability to fully secure Active Directory environments.

New AD Attacks: Hide & Seek

Unchanging infrastructure and unreliable security tools have created a prime target for attackers. Active Directory incidents have become more frequent and sophisticated, with hackers seeking ways to infiltrate the system undetected.

Many in the industry point to inherent vulnerabilities in the initial design of Active Directory as the root cause. These fundamental security flaws persist due to the lack of significant improvements, leaving the system vulnerable.

New sophisticated techniques exploit inherent weaknesses in Active Directory's foundations, rendering traditional monitoring solutions ineffective. Attackers leverage these vulnerabilities to move laterally through the network, escalating privileges to achieve complete control (domain domination) within a short timeframe (hours or days).

Some modern attack methods plaguing AD today include:

  • DCSync
  • DCShadow
  • Password spray
  • Pass-the-Hash
  • Pass-the-Ticket
  • Golden ticket
  • Service Principal Name
  • AdminCount and adminSDHolder
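The Advanced Auditing listed above is what makes the first attack in this list visible: a DCSync request is a directory replication request, which Directory Service Access auditing records as Event 4662 carrying the replication control-access-right GUIDs. The detection logic below is an added example, not code from the article; it runs over constructed, flattened 4662 records and flags replication requests from principals that are neither domain controllers nor an assumed allow-listed sync account (`svc_aadsync`).

```python
import re

# Well-known AD control-access-right GUIDs that permit directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed, flattened 4662 records (one key=value record per line); not output of a real DC.
SAMPLE_EVENTS = """\
EventID=4662 SubjectUserName=DC02$ ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=svc_aadsync ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jdoe ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jdoe ObjectType=user Properties={bf967aba-0de6-11d0-a285-00aa003049e2}
EventID=4624 SubjectUserName=jdoe LogonType=3
"""


def parse_event(line):
    """Split one flattened record into a dict of its key=value fields."""
    return dict(field.split("=", 1) for field in line.split(" ") if "=" in field)


def replication_rights(event):
    """Return the replication rights named in the event's Properties field, sorted."""
    guids = GUID_RE.findall(event.get("Properties", ""))
    return sorted({REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS})


def is_expected_replicator(user, allowlist):
    """DCs (machine accounts, trailing '$') and allow-listed sync accounts replicate legitimately."""
    return user.endswith("$") or user.lower() in {a.lower() for a in allowlist}


def find_dcsync_candidates(events_text, allowlist=()):
    """Flag 4662 events in which a non-DC, non-allow-listed principal requested replication rights."""
    hits = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev)
        user = ev.get("SubjectUserName", "")
        if rights and not is_expected_replicator(user, allowlist):
            hits.append({"user": user, "rights": rights})
    return hits


if __name__ == "__main__":
    for hit in find_dcsync_candidates(SAMPLE_EVENTS, allowlist=["svc_aadsync"]):
        print(f"possible DCSync: {hit['user']} requested {', '.join(hit['rights'])}")
```

Without the allow list the sync account is flagged too, which is the point: every account that legitimately holds replication rights should be known and listed, so anything else requesting them is an alert.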

Read the full article here: https://tinyurl.com/275zbv3t
