Active Directory Security - 10 most common issues


For the last 15 years, I have been working on Active Directory security and operations. I have done Active Directory security and operations assessments for many organizations. In the beginning, I figured out many security issues but not all. That was a good start, though. Later, through my experience and through sharing knowledge with like-minded security and system administration professionals, I realized that there are many common issues related to Active Directory security. I have tried to compile them as the 10 most common Active Directory security issues. I totally agree there are more issues to talk about, but let us focus on the top 10 according to me.



1. Too many Domain Admins

By default, members of the Domain Admins group have full administrative rights on all workstations, servers, Domain Controllers, Active Directory itself, Group Policy and so on (the group is placed in the local Administrators group of every domain-joined computer). This is too much power for any one account in an organization. Only Active Directory administrators require Domain Admins privileges; whoever is not actively managing Active Directory should not be in the Domain Admins group. Use delegation when someone needs to work on a specific part of Active Directory. Service accounts should never be in this group either.




2. Delegated access is not tracked

Default groups in Active Directory grant far more privileges than most tasks need. For example, help desk staff placed in the Account Operators group can create and modify most user, group and computer accounts anywhere in the domain and can log on locally to Domain Controllers, which is much more than resetting passwords for a few OUs requires. It is better to delegate the specific right on the specific OU, and then monitor those delegations. Delegation can be leveraged to ensure each admin group has exactly the rights it needs, but every delegation has to be recorded so that it can be reviewed and revoked; an untracked delegation is an admin group nobody knows about.
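Here is what a delegation like that looks like in practice. This is an added example, not part of the original post: it grants only the "Reset Password" extended right on one OU to a help-desk group and then reads the OU's ACL back so the delegation can be recorded and reviewed. The OU and group names are assumptions.

```powershell
# Added example: delegate "Reset Password" on one OU to a help-desk group, then list
# the explicit ACEs on that OU so the delegation is recorded and reviewable.
# Assumed names: OU "OU=Staff,DC=corp,DC=example" and group "HelpDesk-PasswordReset".
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=corp,DC=example'     # assumed OU
$groupName = 'HelpDesk-PasswordReset'           # assumed group
$groupSid  = (Get-ADGroup -Identity $groupName).SID

# Schema GUIDs that are the same in every forest: the "User-Force-Change-Password"
# extended right (what the GUI calls "Reset Password") and the "user" object class.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDn"
# Allow the one extended right, inherited by user objects underneath the OU and nothing else.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review: every explicit (non-inherited) ACE on the OU that is not one of the usual
# defaults. Anything left in this list should map to a change record.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Account Operators',
            'BUILTIN\Pre-Windows 2000 Compatible Access', 'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'NT AUTHORITY\SELF'
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and ($_.IdentityReference.Value -notin $expected) -and
                   ($_.IdentityReference.Value -notmatch '\\(Domain|Enterprise) Admins$') } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{n='Right';     e={ if ($_.ObjectType -eq $resetPasswordRight) { 'Reset Password' } else { $_.ObjectType } }},
        @{n='AppliesTo'; e={ if ($_.InheritedObjectType -eq $userClass) { 'user objects' } else { $_.InheritedObjectType } }} |
    Format-Table -AutoSize
```

The review part is the piece that usually gets skipped: run it on every OU on a schedule and diff the output, and the "who was delegated what" question answers itself.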




3. Service accounts with short passwords and too many permissions

I have seen many times that a vendor simply asks for Domain Admins rights for its service account, which in most cases is not needed at all. Attackers are fond of privileged accounts and especially love service accounts, because they receive less attention: passwords are rarely rotated and their logons are seldom reviewed. Extra privileges on a service account can be abused to escalate privilege on the network.

The point is to ensure that service accounts get only the rights they actually need to do their job. A service running under a domain account has that account's credentials held in the memory of the LSASS process on the host; an attacker who obtains local administrator rights on that host can dump them, and if the account is over-privileged the whole network is at risk.

Another mitigation, this time against offline brute force of Kerberos service tickets (any domain user can request a service ticket for any account that has a Service Principal Name, and the ticket is encrypted with that account's password hash, so it can be cracked offline; this is usually called Kerberoasting), is to use passwords longer than 15 characters. This can be enforced by configuring a fine-grained password policy for service accounts.
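Both checks in this section can be scripted. The following is an added example, not from the original post: it creates a fine-grained password policy that applies to a group of service accounts, then lists every enabled account that has a Service Principal Name (exactly the accounts whose tickets can be requested and cracked offline) together with the minimum password length its resultant policy actually enforces and how old its password is. Policy name, group name and threshold are assumptions; 25 characters is used here, above the 15 mentioned above.

```powershell
# Added example: a fine-grained password policy for service accounts, plus a list of
# every Kerberoastable account (has an SPN) whose effective policy is still too weak.
# Assumed names: PSO "PSO-ServiceAccounts", group "SvcAccounts"; 25-char minimum.
Import-Module ActiveDirectory

$minLength = 25                      # above the post's 15; long enough to make offline cracking impractical
$psoName   = 'PSO-ServiceAccounts'   # assumed
$svcGroup  = 'SvcAccounts'           # assumed global group holding the service accounts

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength $minLength -ComplexityEnabled $true `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
        -PasswordHistoryCount 24 -Description 'Long passwords for service accounts'
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $svcGroup

# Every enabled user with an SPN can have a service ticket requested for it.
$spnAccounts = Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true } `
    -Properties ServicePrincipalName, PasswordLastSet

$defaultMin = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength

$findings = foreach ($u in $spnAccounts) {
    # Returns nothing when no PSO applies and the default domain policy is in force.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Account         = $u.SamAccountName
        SPNs            = ($u.ServicePrincipalName -join ';')
        PolicyApplied   = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        MinLength       = if ($pso) { $pso.MinPasswordLength } else { $defaultMin }
        PasswordAgeDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { -1 }
    }
}

# Accounts whose effective minimum is below the target, or whose password has not been
# changed since the policy was applied, still have the weak password in the KDC.
$findings | Where-Object { $_.MinLength -lt $minLength -or $_.PasswordAgeDays -gt 365 -or $_.PasswordAgeDays -eq -1 } |
    Sort-Object MinLength | Format-Table -AutoSize
```

Note that applying the policy does not change any existing password; each account in the list still has to be rotated once before the longer minimum actually protects it.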



4. Using credentials in GPP

Windows Server 2008 introduced Group Policy Preferences, which give system administrators additional functionality: they can manage local accounts and their passwords, local group membership, scheduled tasks, services, mapped drives and so on. This created a big issue, because a password set this way is stored in an XML file under the SYSVOL share. The value is AES-encrypted, but Microsoft published the key in the documentation of the format, so anyone who can read the file can recover the password, and SYSVOL can be read by every domain user from any domain-joined system. If credentials are already configured in GPP, remove them immediately, change the passwords concerned, and delete the XML files from SYSVOL. Microsoft also released the patch MS14-025 (KB2962486, CVE-2014-1812) to address this vulnerability; it removes the ability to configure new passwords in GPP, but it does not clean up existing ones, so the SYSVOL search is still required.
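Finding out whether your SYSVOL still has this problem takes one script. The block below is an added example, not from the original post: it walks the Policies folder of SYSVOL, picks out every preference item that carries a cpassword attribute, and decrypts it with the AES key Microsoft documented for the format, so the output is exactly what any domain user could recover. It assumes the USERDNSDOMAIN environment variable names the domain; run it as an ordinary domain user to prove the point.

```powershell
# Added example: find and decrypt Group Policy Preference passwords left in SYSVOL.
# Assumes $env:USERDNSDOMAIN is the domain and the caller can read \\<domain>\SYSVOL.
$domain = $env:USERDNSDOMAIN
$sysvol = "\\$domain\SYSVOL\$domain\Policies"

# The AES-256 key published by Microsoft in the MS-GPPREF open specification.
$aesKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function ConvertFrom-GppCpassword {
    param([string]$Cpassword)
    # The stored value is Base64 with its '=' padding stripped; restore it before decoding.
    $padded = $Cpassword + ('=' * ((4 - $Cpassword.Length % 4) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $aesKey
    $aes.IV      = New-Object byte[] 16      # all-zero IV, as the format specifies
    $aes.Mode    = 'CBC'
    $aes.Padding = 'PKCS7'
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.Text.Encoding]::Unicode.GetString($plain)   # UTF-16LE
}

# The preference types that can carry a password.
$files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml'

Get-ChildItem -Path $sysvol -Recurse -Include $files -ErrorAction SilentlyContinue |
    ForEach-Object {
        [xml]$x = Get-Content -Path $_.FullName
        # Any element with a cpassword attribute, whatever the nesting.
        foreach ($n in $x.SelectNodes('//*[@cpassword]')) {
            [pscustomobject]@{
                Policy   = (($_.FullName -split '\\Policies\\')[1] -split '\\')[0]   # the GPO GUID
                File     = $_.Name
                # the account attribute differs per type: userName, accountName (services), runAs (tasks)
                Account  = if ($n.userName) { $n.userName } elseif ($n.accountName) { $n.accountName }
                           elseif ($n.runAs) { $n.runAs } else { '(none)' }
                Changed  = $n.ParentNode.changed
                Password = ConvertFrom-GppCpassword -Cpassword $n.cpassword
            }
        }
    } | Format-Table -AutoSize
```

Every row is a password to rotate on every machine the GPO applied to, not just a file to delete: the local accounts it created are still there with that password.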

5. Unpatched Servers and workstations

Regular patching of servers has been a problem in many organizations. According to the Verizon Data Breach Investigations Report published in 2015, 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published. Patching is the most critical control for maintaining the security of systems. It is simply not acceptable for a system to stay unpatched for months after the vendor has released a fix. Unpatched systems give attackers a way to gain privileged access on them, and one compromised system is the foothold from which the credential theft described in issue 9 starts.



6. Unmanaged Admin group membership

When a snowball starts rolling, it only gets bigger. The same happens with groups in Active Directory: most of the time membership keeps growing slowly but hardly ever goes down. Admin groups in particular need to be monitored and scrutinized. Automating group membership (a defined, approved list of who belongs in each group, enforced and re-checked on a schedule) is the best choice to make sure that the appropriate users are in the appropriate groups at all times. These groups need to be reviewed on a regular basis: Domain Admins, Enterprise Admins, Schema Admins, the built-in Administrators group, Account Operators, Server Operators, Backup Operators, and any user-created group that provides privileged access to systems.
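A review like this, covering issue 1 and issue 6 together, can be automated. The block below is an added example and not part of the original post: it expands the built-in privileged groups (nested groups included), flags members that look like service accounts or dormant accounts, and compares the result against an approved baseline file so that anything added since the last review stands out. The group list and the baseline path are assumptions.

```powershell
# Added example: expand the privileged groups, flag suspect members, diff against a baseline.
# Assumed: the group list below and the baseline CSV path (columns Group,SamAccountName).
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$baselinePath = 'C:\ADAudit\privileged-baseline.csv'   # assumed

$current = foreach ($g in $privilegedGroups) {
    # -Recursive flattens nested groups, so "Domain Admins -> SomeGroup -> user" is not missed.
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $row = [ordered]@{ Group = $g; SamAccountName = $m.SamAccountName; Class = $m.objectClass }
        if ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate
            $row.Enabled    = $u.Enabled
            $row.HasSPN     = ($u.ServicePrincipalName.Count -gt 0)    # a service account in an admin group
            $row.PwdAgeDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { -1 }
            $row.LastLogon  = $u.LastLogonDate
        }
        [pscustomobject]$row
    }
}

# Suspect: has an SPN, password older than a year, or no logon in 90 days.
$current | Where-Object {
    $_.Class -eq 'user' -and ($_.HasSPN -or $_.PwdAgeDays -gt 365 -or
        ($_.LastLogon -and $_.LastLogon -lt (Get-Date).AddDays(-90)))
} | Format-Table Group, SamAccountName, Enabled, HasSPN, PwdAgeDays, LastLogon -AutoSize

# Diff against the approved list: additions need a ticket, removals update the baseline.
if (Test-Path -Path $baselinePath) {
    $baseline = Import-Csv -Path $baselinePath
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Group, SamAccountName |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'UNAPPROVED (added since baseline)' } else { 'MISSING (removed since baseline)' }
            '{0,-20} {1,-30} {2}' -f $_.Group, $_.SamAccountName, $state
        }
} else {
    # First run: record what exists today as the baseline, to be reviewed and approved by hand.
    $current | Select-Object Group, SamAccountName | Export-Csv -Path $baselinePath -NoTypeInformation
}
```

The first run only produces the baseline; the value comes from every later run, where an empty diff is the expected result and anything else is a question for whoever made the change.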



7. Local administrator account password is the same across the network

A local account is used to log on to a system when Active Directory is not available. Most of the time, system administrators build servers from the same image with the same password for the local Administrator account, and it can end up that every system shares one local Administrator password. If that account is compromised on one system (its NTLM hash is enough; it never has to be cracked), it gives access to every other system, which makes life easy for attackers. Therefore, each system must have a unique password for its local Administrator account. There is software available (Microsoft's Local Administrator Password Solution, LAPS, is a free one) that will not only set a unique password on each system but also rotate it on a regular basis and store it in Active Directory, where reading it can be controlled by ACL.
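If the chosen tool is Microsoft's LAPS (an assumption here; the post does not name a product), every managed computer records its password expiry in the ms-Mcs-AdmPwdExpirationTime attribute, which makes coverage easy to audit. The block below is an added example, not from the original post: it reports computers that have no LAPS password at all, ones whose password is overdue for rotation, and ones where somebody has pushed the expiry far into the future, and then lists who has been delegated the right to read the passwords. The OU name and rotation period are assumptions.

```powershell
# Added example: audit LAPS coverage and who can read the passwords.
# Assumes Microsoft LAPS (AdmPwd); the OU name and the 30-day rotation period are assumptions.
Import-Module ActiveDirectory

$rotationDays = 30                                    # assumed LAPS "Password Settings" age
$scopeOu      = 'OU=Workstations,DC=corp,DC=example'  # assumed OU where the LAPS GPO applies

$computers = Get-ADComputer -SearchBase $scopeOu -Filter { Enabled -eq $true } `
    -Properties 'ms-Mcs-AdmPwdExpirationTime', LastLogonDate, OperatingSystem

$now = Get-Date
$report = foreach ($c in $computers) {
    $raw    = $c.'ms-Mcs-AdmPwdExpirationTime'          # FILETIME written by the LAPS client
    $expiry = if ($raw) { [DateTime]::FromFileTime([int64]$raw) } else { $null }
    $state  = if (-not $expiry)                                  { 'NoLAPS' }           # client never ran here
              elseif ($expiry -lt $now)                          { 'Expired' }          # client stopped rotating
              elseif ($expiry -gt $now.AddDays($rotationDays + 1)) { 'ExpiryPushedOut' } # extended by hand
              else                                               { 'OK' }
    [pscustomobject]@{ Computer = $c.Name; OS = $c.OperatingSystem; LastSeen = $c.LastLogonDate
                       Expiry = $expiry; State = $state }
}

$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.State -ne 'OK' } | Sort-Object State, LastSeen | Format-Table -AutoSize

# Whoever can read ms-Mcs-AdmPwd on this OU is local admin on every computer under it,
# so that list belongs in the privileged-access review. The cmdlet ships with LAPS.
Import-Module AdmPwd.PS
Find-AdmPwdExtendedRights -Identity $scopeOu | Select-Object ObjectDN, ExtendedRightHolders
```

"NoLAPS" computers that have been seen recently are the real gap: they are running, they still have the shared password, and the attacker only needs one of them.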



8. Unmanaged inactive user and computer accounts

Enabled but stale accounts in Active Directory always attract attackers, because they can be leveraged to get access to resources without anyone noticing. There are several ways to take control of such an account (guessing or resetting its password, or reusing a credential that was cached on an old system), and since the legitimate owner is gone, the usage will most probably not be noticed. Stale computer accounts are just as dangerous: their passwords were set long ago and they may belong to machines that were rebuilt or taken off the network.

We should have a plan to deal with inactive user and computer accounts: disable them after a defined period without a logon (90 days is a common choice), move them to a quarantine OU where they have no group membership, and delete them after a further period.
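Such a plan is easy to run on a schedule. The block below is an added example, not from the original post: it finds enabled user and computer accounts with no logon in 90 days, records why they were disabled in their description, disables them and moves them to a quarantine OU. The OU names and the threshold are assumptions, and the dry-run switch is on by default so the first run only reports.

```powershell
# Added example: quarantine enabled user and computer accounts with no logon in 90 days.
# OU names and the threshold are assumptions. $DryRun = $true only reports.
Import-Module ActiveDirectory

$inactiveDays       = 90
$cutoff             = (Get-Date).AddDays(-$inactiveDays)
$userQuarantine     = 'OU=Disabled Users,DC=corp,DC=example'      # assumed OU
$computerQuarantine = 'OU=Disabled Computers,DC=corp,DC=example'  # assumed OU
$DryRun             = $true

# Search-ADAccount works from lastLogonTimestamp, which replicates (lastLogon does not)
# but is only refreshed when more than 14 days old, so "90 days" means "90 to 104 days".
$span = [TimeSpan]::FromDays($inactiveDays)

$staleUsers = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated, Description, ServicePrincipalName } |
    Where-Object { $_.whenCreated -lt $cutoff -and $_.ServicePrincipalName.Count -eq 0 }
    # skipped: accounts newer than the cutoff (never used yet), and accounts with SPNs, whose
    # "logon" is a ticket request and which need a manual review instead

$staleComputers = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADComputer -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated, Description, OperatingSystem } |
    Where-Object { $_.whenCreated -lt $cutoff }

function Invoke-Quarantine {
    param($Object, [string]$TargetOu)
    $note = 'Disabled {0:yyyy-MM-dd} for inactivity (last logon {1:yyyy-MM-dd}); was: {2}' -f (Get-Date), $Object.LastLogonDate, $Object.Description
    '{0,-9} {1,-25} last logon {2:yyyy-MM-dd}' -f $Object.ObjectClass, $Object.SamAccountName, $Object.LastLogonDate
    if ($DryRun) { return }
    Set-ADObject      -Identity $Object.DistinguishedName -Description $note   # audit trail stays on the object
    Disable-ADAccount -Identity $Object.DistinguishedName
    Move-ADObject     -Identity $Object.DistinguishedName -TargetPath $TargetOu
}

"Stale users: $(@($staleUsers).Count)   stale computers: $(@($staleComputers).Count)   dry run: $DryRun"
foreach ($u in $staleUsers)     { Invoke-Quarantine -Object $u -TargetOu $userQuarantine }
foreach ($c in $staleComputers) { Invoke-Quarantine -Object $c -TargetOu $computerQuarantine }
```

Moving the objects matters as much as disabling them: a disabled account that is still in its groups is one "enable" click away from full access, whereas the quarantine OU can be stripped of group membership and blocked by policy.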



9. No isolation for highly privileged accounts and systems

Pass-the-Hash is the perfect example of what goes wrong in an environment where the same privileged account is used to log on to servers, Domain Controllers and workstations. We have been talking about this attack for many years, but organizations still lag behind. Imagine malware getting onto a computer inside the network. The attackers behind it will search that computer for credentials to steal and reuse: any account that has logged on interactively leaves its password hash (and, where WDigest is still enabled, its clear-text password) in LSASS memory until the next reboot. If privileged accounts log on to many computers, their credentials can be stolen from any one of them. It is important that all highly privileged accounts are isolated: Domain Admins accounts must not be used to log on to ordinary workstations and member servers, only to Domain Controllers and to dedicated, hardened administrative workstations. Regular user accounts must not be given administrative privileges on any system; separate accounts must be created for admin-level work.
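Whether the isolation rule is actually followed shows up in the Security log. The block below is an added example, not from the original post: it is the detection logic for privileged accounts logging on where their credentials should never be exposed, run over a handful of constructed stand-ins for Security event 4624 so that it executes anywhere. In production the events come from the member servers and workstations (or a SIEM) and the account and Domain Controller lists come from Active Directory, as the comments show; every account and host name here is made up.

```powershell
# Added example: flag privileged-account logons on hosts where their credentials should
# never be exposed. The events are constructed stand-ins for Security event 4624 fields;
# all account and host names are made up.
# Live data:  Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}   (or your SIEM)
# Live lists: 'Domain Admins','Enterprise Admins' | ForEach-Object { Get-ADGroupMember $_ -Recursive }
#             (Get-ADDomainController -Filter *).Name

$privilegedAccounts = 'da-jsmith', 'svc-backup'   # assumed
$domainControllers  = 'DC01', 'DC02'               # assumed
$adminWorkstations  = 'PAW01', 'PAW02'             # assumed dedicated admin workstations

# Constructed sample events: TargetUserName, LogonType, Computer, WorkstationName.
$events = @(
    [pscustomobject]@{ Time = '2016-03-01 08:02:11'; Computer = 'DC01';   User = 'da-jsmith';  LogonType = 10; Source = 'PAW01'  }
    [pscustomobject]@{ Time = '2016-03-01 09:15:40'; Computer = 'FS01';   User = 'da-jsmith';  LogonType = 10; Source = 'WS0421' }
    [pscustomobject]@{ Time = '2016-03-01 09:16:02'; Computer = 'WS0421'; User = 'da-jsmith';  LogonType = 2;  Source = 'WS0421' }
    [pscustomobject]@{ Time = '2016-03-01 11:40:00'; Computer = 'APP03';  User = 'svc-backup'; LogonType = 5;  Source = 'APP03'  }
    [pscustomobject]@{ Time = '2016-03-01 12:05:33'; Computer = 'FS01';   User = 'jsmith';     LogonType = 3;  Source = 'WS0421' }
    [pscustomobject]@{ Time = '2016-03-01 13:30:07'; Computer = 'FS01';   User = 'da-jsmith';  LogonType = 3;  Source = 'PAW01'  }
    [pscustomobject]@{ Time = '2016-03-01 14:12:50'; Computer = 'DC02';   User = 'da-jsmith';  LogonType = 10; Source = 'WS0421' }
)

# Logon types that leave a reusable credential in LSASS on the target host:
# 2 interactive, 4 batch, 5 service, 10 RemoteInteractive (RDP). Type 3 (network) does not.
$cachingLogonTypes = 2, 4, 5, 10

$violations = foreach ($e in $events) {
    if ($e.User -notin $privilegedAccounts) { continue }
    $reasons = @()
    if ($e.LogonType -in $cachingLogonTypes -and
        $e.Computer -notin $domainControllers -and $e.Computer -notin $adminWorkstations) {
        $reasons += "credential cached on non-admin host $($e.Computer)"
    }
    if ($e.LogonType -eq 10 -and $e.Source -notin $adminWorkstations) {
        # The RDP client host holds the typed password; a user workstation is not trusted for that.
        $reasons += "RDP initiated from non-admin workstation $($e.Source)"
    }
    if ($reasons) {
        [pscustomobject]@{ Time = $e.Time; User = $e.User; Computer = $e.Computer
                           LogonType = $e.LogonType; Source = $e.Source; Why = ($reasons -join '; ') }
    }
}
$violations | Format-Table -AutoSize
```

On the sample, the first event (RDP to a Domain Controller from an admin workstation) and the network logons pass; the RDP and interactive logons to the file server and the user workstation, the service logon on the application server, and the RDP session to DC02 started from a user workstation are all flagged. The last one is the case people forget: the destination was fine, but the password was typed on a machine that is not trusted to hold it.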



10. Using legacy authentication on the network

When we talk about legacy authentication, we mean LM and NTLMv1. These protocols are insecure (an LM hash or an NTLMv1 challenge-response captured on the network can be cracked with commodity hardware, LM in minutes and NTLMv1 in hours at most), so it is very important to remove them completely. Windows Server 2008 R2 and Windows 7 include NTLM auditing (the "Network security: Restrict NTLM" policies and the Microsoft-Windows-NTLM/Operational event log) to help identify where NTLM is still used on the network before it is blocked. The minimum acceptable protocols for authentication are NTLMv2 and Kerberos, enforced by setting the LAN Manager authentication level to "Send NTLMv2 response only. Refuse LM & NTLM" on every Domain Controller and member.
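The audit-then-enforce sequence looks like this on a Domain Controller. The block below is an added example, not from the original post: it switches on the NTLM audit policies mentioned above by writing the registry values those Group Policy settings map to, pulls the LM and NTLMv1 logons out of the Security log (event 4624 names the NTLM version in its "Package Name (NTLM only)" field) grouped by source host and account, and leaves the enforcing step commented out until that list is empty. It has to run as an administrator on a Domain Controller.

```powershell
# Added example: audit NTLM use on a Domain Controller, find the LM/NTLMv1 stragglers,
# and only then raise the authentication level. Run as an administrator on a DC; the
# registry values are what the "Network security: Restrict NTLM" and "LAN Manager
# authentication level" Group Policy settings write.

$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Step 1: audit, do not block yet.
#   AuditNTLMInDomain = 7          "Audit NTLM authentication in this domain: Enable all" (DCs only)
#   AuditReceivingNTLMTraffic = 2  "Audit Incoming NTLM Traffic: Enable auditing for all accounts"
#   RestrictSendingNTLMTraffic = 1 "Outgoing NTLM traffic to remote servers: Audit all"
Set-ItemProperty -Path $msv -Name AuditNTLMInDomain          -Value 7 -Type DWord
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
# The results land in the Microsoft-Windows-NTLM/Operational log (events 8001 to 8004).

# Step 2: the Security log already tells LM and NTLMv1 apart from NTLMv2. Every 4624 with
# AuthenticationPackageName = NTLM carries LmPackageName = 'LM', 'NTLM V1' or 'NTLM V2'.
$xpath = "*[System[EventID=4624]] and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']] " +
         "and *[EventData[Data[@Name='LmPackageName']='NTLM V1' or Data[@Name='LmPackageName']='LM']]"

$legacy = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 10000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields from the event XML rather than parsing the message text.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Package     = $fields.LmPackageName
            User        = "$($fields.TargetDomainName)\$($fields.TargetUserName)"
            Workstation = $fields.WorkstationName
            SourceIp    = $fields.IpAddress
        }
    }

# One line per (protocol, source host, account): this is the fix list to work through.
$legacy | Group-Object Package, Workstation, User | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n = 'LastSeen'; e = { ($_.Group | Measure-Object -Property Time -Maximum).Maximum }} |
    Format-Table -AutoSize

# Step 3, once the list above stays empty: LmCompatibilityLevel 5 = "Send NTLMv2 response
# only. Refuse LM & NTLM". In production set it through the Default Domain and Default Domain
# Controllers policies so every member gets it; the line below is the per-machine equivalent.
# Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
```

Run the query on every Domain Controller, not just one, since each DC only logs the authentications it validated; the usual stragglers are old NAS appliances, printers and scripts with hard-coded credentials.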
