If you’re responsible for the management and security of an Active Directory (AD) or Windows infrastructure, you already know you’ve got a tough job. And with thousands of configurations and potential conditions to worry about across dozens of AD and Operating System (OS) versions, where do you even begin an effort to address your most at-risk conditions? What are they to begin with? If you’re at a loss, I’d suggest you start right here…
Below I’ve listed 10 checks you can perform to highlight critical, high-risk situations that attackers exploit or leverage in the real world to perpetrate their attacks. The good news is that once you understand where these risks exist in your environment, many can be remediated with minimal effort. If you want to make it even easier, check out our Credential and Data Security Assessment and you can have real answers in just minutes.
Check #1 – Figure out exactly who is a member of your most sensitive security groups
Members of Sensitive Security Groups like Domain, Enterprise, and Schema Administrators have the highest levels of privilege within an Active Directory environment. If stolen by an attacker or abused by an internal bad actor, the critical changes these accounts can make can have devastating effects on the security of Active Directory and everything connected to it.
Check #2 – Figure out exactly who has Local Admin access to your desktops and servers (and how)
Local Administrator access is critical to any attacker’s ability to compromise an organization’s network. Understanding how Local Administrator access has been granted and is being used, as well as reducing Local Admin access to the lowest levels possible (Least Privilege Access), is one of the most pragmatic and effective measures any organization can take to mitigate the risk of successful breach.
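One way to run this check, as an added example that is not part of the original post: enumerate the local Administrators group on each host and expand any domain groups found there, so the result shows both who has local admin and how they got it. It assumes the ActiveDirectory module, WinRM enabled on the targets, and a constructed computer list standing in for your own inventory.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module, WinRM on the
# targets, and a constructed computer list in place of a real inventory.
$computers = @('SRV01', 'SRV02', 'WKS-FIN-07')   # constructed sample inventory

$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    # Get-LocalGroupMember ships with Windows 10 / Server 2016 and later
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        [PSCustomObject]@{
            Computer        = $env:COMPUTERNAME
            Member          = $m.Name             # DOMAIN\name or HOST\name
            ObjectClass     = $m.ObjectClass      # User or Group
            PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, ...
        }
    }
}

# Flatten domain groups to the user accounts they contain; keep the group name as the "how".
$effective = foreach ($row in $members) {
    if ($row.ObjectClass -eq 'Group' -and $row.PrincipalSource -eq 'ActiveDirectory') {
        $groupName = ($row.Member -split '\\')[-1]
        Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [PSCustomObject]@{ Computer = $row.Computer; Account = $_.SamAccountName; Via = $row.Member } }
    } else {
        [PSCustomObject]@{ Computer = $row.Computer; Account = $row.Member; Via = 'direct' }
    }
}

# Accounts that are admin on many hosts are the ones whose theft gives the widest reach;
# start least-privilege cleanup there.
$effective | Group-Object Account | Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count,
                  @{ n = 'Hosts';   e = { ($_.Group.Computer | Sort-Object -Unique) -join ', ' } },
                  @{ n = 'Via';     e = { ($_.Group.Via | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```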
Check #3 – Identify and then disable or delete stale user accounts
Stale User Accounts pose a serious security risk for organizations as they are often leveraged by rogue insiders and savvy attackers to elude detection as they perpetrate attacks.
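An added example (not from the original post) of finding and disabling stale accounts: it flags enabled users with no logon in 90 days, plus accounts that have never logged on and are older than that window, and runs the disable step with -WhatIf so the list can be reviewed first. It assumes the ActiveDirectory module.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
$days   = 90
$cutoff = (Get-Date).AddDays(-$days)

# LastLogonDate comes from the replicated lastLogonTimestamp attribute, which can lag the
# real last logon by up to 14 days; fine for a 90-day window, not for a 7-day one.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, WhenCreated, PasswordLastSet, MemberOf |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.WhenCreated -lt $cutoff)   # never logged on, account old enough to count
    }

$stale |
    Select-Object SamAccountName,
        @{ n = 'LastLogon';  e = { if ($_.LastLogonDate) { $_.LastLogonDate } else { 'never' } } },
        @{ n = 'PwdLastSet'; e = { $_.PasswordLastSet } },
        @{ n = 'Privileged'; e = { [bool](@($_.MemberOf) -match 'CN=(Domain|Enterprise|Schema) Admins,') } } |
    Sort-Object Privileged -Descending | Format-Table -AutoSize

# Disable (do not delete) first, and record why so the change is reversible.
# Remove -WhatIf once the list has been reviewed.
foreach ($u in $stale) {
    Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $days days" -WhatIf
    Disable-ADAccount -Identity $u -WhatIf
}
```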
Check #4 – Find passwords stored in plaintext
Group Policy Preferences (GPP), a feature of Group Policy Objects (GPOs), can be used to create accounts and set passwords on computers within an Active Directory domain. Attackers can target these GPOs to obtain and decrypt the stored passwords without any elevated rights. Because Group Policy Preferences are often used to set and control the Local Administrator password across systems en masse, compromising an account stored in Group Policy Preferences can give an attacker high-privilege, far-reaching access across an enterprise.
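An added example (not from the original post) of running this check from the defender's side: it scans SYSVOL for Group Policy Preference items that still carry a cpassword attribute and reports the GPO, file and account each one sets, without decrypting anything. It assumes the ActiveDirectory and GroupPolicy modules and read access to SYSVOL; the fix is to delete the preference item and rotate the affected password on every system (MS14-025 stopped new items being created but left existing ones in place).

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and GroupPolicy
# modules and read access to SYSVOL. Detection only: reports items, never decrypts them.
$domain    = (Get-ADDomain).DNSRoot
$policies  = "\\$domain\SYSVOL\$domain\Policies"
$gppFiles  = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
$nameAttrs = 'userName', 'accountName', 'runAs', 'username'   # attribute naming the account, by preference type

$findings = foreach ($file in Get-ChildItem -Path $policies -Recurse -Include $gppFiles -ErrorAction SilentlyContinue) {
    # cheap pre-filter so only files that actually contain a cpassword get parsed
    if (-not (Select-String -Path $file.FullName -Pattern 'cpassword=' -Quiet)) { continue }
    [xml]$xml = Get-Content -Path $file.FullName -Raw
    $guid = [regex]::Match($file.FullName, '(?i)\{[0-9a-f-]{36}\}').Value
    $gpo  = "unknown ($guid)"
    try { $gpo = (Get-GPO -Guid $guid.Trim('{', '}') -ErrorAction Stop).DisplayName } catch { }
    foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
        if ($node.GetAttribute('cpassword') -eq '') { continue }   # empty attribute = nothing stored
        $account = $nameAttrs | ForEach-Object { $node.GetAttribute($_) } | Where-Object { $_ -ne '' } | Select-Object -First 1
        if (-not $account) { $account = $node.ParentNode.GetAttribute('name') }
        [PSCustomObject]@{
            GPO     = $gpo
            File    = $file.Name
            Account = $account
            Changed = $node.ParentNode.GetAttribute('changed')   # when the item was last edited
            Path    = $file.FullName
        }
    }
}

$findings | Format-Table GPO, File, Account, Changed -AutoSize
"$(@($findings).Count) preference item(s) with stored passwords found"
```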
Check #5 – Figure out who can log on to your Domain Controllers
Not knowing who has the ability to log on to a Domain Controller makes it impossible to protect privileged identities and the assets they can provide access to. It is also a significant blind spot within any Privileged Identity Management program.
Check #6 – Make sure LSA Protection is enabled everywhere
If left unprotected, attackers can use tools like Mimikatz to steal credentials from Windows systems by injecting code into the Local Security Authority (LSA) process, the mechanism responsible for enforcing security policy on a Windows host. Stolen credentials are then easily replayed to gain access to any resource the stolen account can reach.
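An added example (not from the original post) of checking and enabling LSA Protection: it reads the RunAsPPL value on each host, reports which ones are unprotected, and stages the remediation with -WhatIf. It assumes WinRM access and a constructed host list; RunAsPPL = 1 means on (2 on newer Windows 11 builds means on without the UEFI lock), a missing value means off, and a reboot is needed for the change to apply.

```powershell
# Added example, not from the original post. Assumes WinRM on the targets and a
# constructed host list. RunAsPPL 1 = protected (2 = protected without UEFI lock on
# newer Windows 11 builds); absent = off. Changing it requires a reboot.
$computers = @('DC01', 'SRV01', 'WKS-FIN-07')   # constructed sample inventory
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$status = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $lsa = Get-ItemProperty -Path $using:lsaKey
    [PSCustomObject]@{
        Computer   = $env:COMPUTERNAME
        RunAsPPL   = $lsa.RunAsPPL        # $null when the value was never set
        AuditLevel = $lsa.AuditLevel      # 8 = audit mode: log plugins that would be blocked
        Protected  = ($lsa.RunAsPPL -in 1, 2)
    }
}
$status | Format-Table Computer, RunAsPPL, AuditLevel, Protected -AutoSize

# Remediate the unprotected hosts. Run in audit mode first (AuditLevel = 8) and review
# Event IDs 3065/3066 in Microsoft-Windows-CodeIntegrity/Operational for any unsigned LSA
# plugin (smart card middleware, password filters) that would break once enforced.
$unprotected = $status | Where-Object { -not $_.Protected } | Select-Object -ExpandProperty Computer
if ($unprotected) {
    Invoke-Command -ComputerName $unprotected -ScriptBlock {
        # remove -WhatIf to apply; prefer pushing the same value via GPO at scale
        Set-ItemProperty -Path $using:lsaKey -Name RunAsPPL -Value 1 -Type DWord -WhatIf
    }
}
```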
Check #7 – Get a status check on every account’s password
Proper password management has a significant impact on an organization’s security posture and is a pragmatic defense against credential theft and abuse. Passwords that have not been changed for extended periods are more likely to be known to others, increasing the opportunity for unauthorized access.
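An added example (not from the original post) of a password status check: it buckets every enabled user's password age against the domain policy, adds the flags that undermine the policy (never expires, not required, reversible encryption), lists the privileged accounts that need attention first, and reports the krbtgt password age. It assumes the ActiveDirectory module and ignores fine-grained password policies.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module;
# fine-grained password policies are not considered.
$now    = Get-Date
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
if ($maxAge -le 0) { $maxAge = 90 }   # policy says "never expires": use 90 days as the review threshold

$props  = 'PasswordLastSet', 'PasswordNeverExpires', 'PasswordNotRequired',
          'AllowReversiblePasswordEncryption', 'MemberOf'
$report = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties $props) {
    $age = if ($u.PasswordLastSet) { ($now - $u.PasswordLastSet).Days } else { $null }
    $bucket = if ($null -eq $age)       { 'never set / must change' }
              elseif ($age -le $maxAge) { 'within policy' }
              elseif ($age -le 365)     { 'older than policy' }
              else                      { 'over one year' }
    [PSCustomObject]@{
        Account      = $u.SamAccountName
        PwdAgeDays   = $age
        Bucket       = $bucket
        NeverExpires = $u.PasswordNeverExpires
        NotRequired  = $u.PasswordNotRequired
        Reversible   = $u.AllowReversiblePasswordEncryption
        Privileged   = [bool](@($u.MemberOf) -match 'CN=(Domain|Enterprise|Schema) Admins,')
    }
}

# Summary by bucket, then the short list to act on first: privileged accounts outside
# policy or carrying any of the weakening flags.
$report | Group-Object Bucket | Select-Object Name, Count | Format-Table -AutoSize
$report |
    Where-Object { $_.Privileged -and ($_.Bucket -ne 'within policy' -or $_.NeverExpires -or $_.NotRequired -or $_.Reversible) } |
    Format-Table Account, PwdAgeDays, Bucket, NeverExpires, NotRequired, Reversible -AutoSize

# krbtgt: tickets forged from its hash stay valid until the password is changed twice.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
"krbtgt password age: $(($now - $krbtgt.PasswordLastSet).Days) days"
```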
Check #8 – Unravel those “Nested” groups
Organizations use Active Directory security groups to grant users with similar needs access to various resources. Administrators often nest groups within other groups to ease the burden of managing memberships; however, this often makes it harder to understand what access a given group actually provides. Nesting ultimately obscures the effect of adding or removing a member from a group, leading to inadvertent granting or removal of access rights – a condition attackers can leverage to gain privileged access without raising alarm.
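An added example (not from the original post) that serves Check #1 and Check #8 together: it walks the membership of the most sensitive groups recursively and prints the path through nested groups that gives each account its membership, so you see both who is in the group and how. It assumes the ActiveDirectory module; Enterprise Admins and Schema Admins exist only in the forest root domain.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
function Get-NestedMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [string[]]$Path = @(),
        [hashtable]$Seen = @{}
    )
    # guard against circular nesting; a group reached by two routes is expanded once
    if ($Seen.ContainsKey($Group)) { return }
    $Seen[$Group] = $true
    $chain = $Path + $Group
    foreach ($m in Get-ADGroupMember -Identity $Group) {
        if ($m.objectClass -eq 'group') {
            Get-NestedMembership -Group $m.SamAccountName -Path $chain -Seen $Seen
        } else {
            [PSCustomObject]@{
                Account = $m.SamAccountName
                Type    = $m.objectClass      # user, computer or managed service account
                Depth   = $chain.Count - 1    # 0 = direct member of the sensitive group
                Via     = $chain -join ' -> '
            }
        }
    }
}

# Enterprise/Schema Admins only exist in the forest root; 'Administrators' is the built-in
# local group on the DCs, which is just as sensitive.
$sensitive = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$results   = foreach ($g in $sensitive) { Get-NestedMembership -Group $g -Seen @{} }

# Anything nested more than one level deep, or any non-user object, deserves a second look.
$results | Sort-Object Depth -Descending | Format-Table Account, Type, Depth, Via -AutoSize
$results | Where-Object { $_.Depth -gt 0 } | Group-Object Account | Select-Object Name, Count
```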
Check #9 – Shut down Open Access
Well-known Security Principals like Everyone, Domain Users, and Authenticated Users are often inappropriately used to provide users with access to network resources like file shares. The use of these well-known security principals not only provides resource access to an inordinately large number of valid user accounts, but also other accounts like Guests and Anonymous, leaving organizations unnecessarily vulnerable to data theft in either scenario.
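An added example (not from the original post) of auditing open access on a file server: it checks every non-administrative SMB share for share-level and NTFS permissions granted to the broad well-known principals named above. It assumes the SmbShare module (Windows Server 2012 and later) and runs on the file server itself or through Invoke-Command.

```powershell
# Added example, not from the original post. Assumes the SmbShare module and that it runs
# on the file server (or inside Invoke-Command against it).
$broadRegex = '^(Everyone|NT AUTHORITY\\(Authenticated Users|ANONYMOUS LOGON)|BUILTIN\\(Users|Guests)|.+\\(Domain Users|Guest))$'

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {   # skips C$, ADMIN$, IPC$
    # share-level permissions
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccountName -match $broadRegex) {
            [PSCustomObject]@{ Share = $share.Name; Layer = 'Share'; Principal = $ace.AccountName
                               Rights = $ace.AccessRight; Path = $share.Path }
        }
    }
    # NTFS permissions on the share root; inheritance carries most of these down the tree
    if ($share.Path -and (Test-Path -Path $share.Path)) {
        foreach ($ace in (Get-Acl -Path $share.Path).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -match $broadRegex) {
                [PSCustomObject]@{ Share = $share.Name; Layer = 'NTFS'; Principal = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Path = $share.Path }
            }
        }
    }
}

# Effective access over SMB is the intersection of both layers, so a broad NTFS grant only
# matters if the share layer is broad too; both are listed so the right one can be fixed.
$findings | Sort-Object Share, Layer | Format-Table Share, Layer, Principal, Rights, Path -AutoSize
```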
Check #10 – Find out who can log on to your servers
The ability to log on to a server is dictated by more than who has local or administrative access to the system through standard means. Group Policy controls Local Security Policies through 44 discrete User Rights Assignments (e.g. “Allow log on locally”, “Log on as a batch job”, “Allow log on through Remote Desktop Services”, “Log on as a service”) that can allow non-administrators to perform administrator-like functions. If these are not assessed, understood, and restricted, attackers can easily exploit these other avenues of access to compromise systems, credentials, and data.
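An added example (not from the original post) that covers Check #5 and Check #10: it exports each host's effective local security policy with secedit, pulls out the logon-related User Rights Assignments, resolves the SIDs and lists which principals can reach the host by which path. It assumes WinRM and a constructed host list; point it at Domain Controllers for Check #5 and at member servers for Check #10.

```powershell
# Added example, not from the original post. Assumes WinRM on the targets and a
# constructed host list in place of a real inventory.
$computers   = @('DC01', 'SRV01')   # constructed sample inventory
$logonRights = @{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeNetworkLogonRight               = 'Access this computer from the network'
    SeBatchLogonRight                 = 'Log on as a batch job'
    SeServiceLogonRight               = 'Log on as a service'
    SeDenyInteractiveLogonRight       = 'DENY log on locally'
    SeDenyRemoteInteractiveLogonRight = 'DENY log on through Remote Desktop Services'
}

$rights = Invoke-Command -ComputerName $computers -ScriptBlock {
    $map = $using:logonRights
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null   # effective policy, GPO included
    $lines = Get-Content -Path $inf
    Remove-Item -Path $inf -Force
    foreach ($line in $lines) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $map.ContainsKey($Matches[1])) {
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                $name  = $entry                    # secedit writes names as-is, SIDs as *S-1-5-...
                if ($entry.StartsWith('*')) {
                    try   { $name = ([System.Security.Principal.SecurityIdentifier]($entry.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $name = "$($entry.Substring(1)) (unresolved SID)" }   # deleted account still holding a right
                }
                [PSCustomObject]@{ Computer = $env:COMPUTERNAME; Right = $map[$right]; Principal = $name }
            }
        }
    }
}

# On a DC anything beyond the built-in administrator and operator groups is a finding; on a
# member server watch for Domain Users, Authenticated Users or Everyone in the allow rights.
$rights | Sort-Object Computer, Right | Format-Table Computer, Right, Principal -AutoSize
```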
It’s time to bring security back to the basics. Fix these issues and you’ll be building a strong foundation that will enable all the investments you’ve made in technologies, people, and processes to reach their full potential. Check out our Credential and Data Security Assessment and we’ll help you package the results into a polished, professional Executive Summary that will leave no doubt as to where focus is needed (and your Rock Stardom!)
Adam Laub is Stealthbits Technologies’ Chief Marketing Officer (CMO). As CMO, Adam is responsible for corporate marketing, communications, and AR/PR, demand generation, product marketing, events, and marketing operations. Additionally, he and his team participate heavily in setting product strategy, defining future roadmap, driving strategic sales engagements, supporting demand generation activities, enabling the sales organization, and all aspects of product evangelism.
Since joining Stealthbits in 2005, Adam has held multiple positions within the organization, including Sales, Marketing, Product Management, and Operational Management roles.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.