Quest Security Assessments Reveal Top 4 Issues in Active Directory: Groups and OSs (Part 3 of 3)

In the final post of my three-part series on the top four Active Directory security issues uncovered in a Quest Security Assessment, I want to bring attention to the last two doozies. Part 1 discussed the issues with service accounts; Part 2 looked in the mirror at us – the users. Part 3 looks at the problems with groups and operating systems.

About the Quest Security Assessment

The issues identified in this blog series are taken from a review of anonymized security assessments performed in 2019 for large organizations. These security assessments are requested by enterprises to evaluate the security posture of their Active Directory. Using Quest Active Directory solutions, a Quest architect provides an analysis of a comprehensive set of data relating to AD, including:

  • Domain groups and members
  • Domain users
  • Domain servers
  • Active Directory permissions

The Problem with Groups

Security assessments have uncovered two interesting issues with groups: 1) every organization seems to have a huge number of empty groups, and 2) numerous accounts are members of critical admin groups. Let’s take a deeper look at each of these.

Thousands of Empty Groups

Empty groups, while they seem harmless, highlight issues in the governance of an organization’s Active Directory. These groups may have been used for a project that is no longer active, a piece of software or some other process. If the groups are no longer needed, why are they still in Active Directory? Most likely the person who created the group is no longer at the company and no one really knows its purpose. So, the group remains. We also need to ask ourselves whether the group has been assigned permissions that could impact our operations. Attackers have numerous reconnaissance tools that allow them to determine the best path to gain access to their target. Any user has read access to Active Directory. This means that if one user in the organization has been compromised, an attacker can gather intel to aid them in elevating their rights and persisting on the network. Having hundreds of empty mystery groups increases the chances of an attacker finding a path to exploit.

Users in Privileged Built-In Groups

In 95% of organizations we have found numerous user accounts in sensitive admin groups. Microsoft recommends that the Domain Admins, Enterprise Admins and Administrators groups contain no day-to-day users except for the built-in Administrator account. Users should only be added when needed for build and disaster recovery situations.

We also find users in Backup Operators and Server Operators. Users in these groups can perform backups and restores on servers and Domain Controllers. This would allow an attacker to get a copy of the Active Directory database. Now the attacker could try to discover passwords by brute force using an offline copy of the database.

Keep in mind that there are also Account Operators, Schema Admins, DNS Admins, etc. These groups should also be treated as critical admin groups.

Mitigation

To deal with the issues outlined above we can use some of the same techniques discussed previously. For example, move away from “tribal knowledge” administration and use a solution like Active Roles to automate the administration of users and groups according to corporate policy.

Remove empty groups. Now this can seem a bit scary, right? Here are a couple of things we can do to make this easier. 1) Use Quest Enterprise Reporter to understand whether the group has been assigned any rights in the environment. If it has not, it is probably safe to remove. 2) If we find out later that a deleted group was needed, use Quest Recovery Manager for Active Directory to restore the object from a backup.
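As an added example (not Quest's tooling and not code from the post), the PowerShell below does a manual version of the same two checks with the RSAT ActiveDirectory module: it lists groups whose member attribute is empty and reports whether each one is still named in an ACL on any object in the domain partition or is some account's primary group. It assumes a domain-joined host with the AD: drive available and rights to read the ACLs; file-share, SQL and application ACLs are outside what it can see.

```powershell
# Added example, not from the Quest post. Finds empty groups and checks whether
# each is still referenced by an ACE in the domain partition (OUs, containers,
# user/computer objects, GPO containers). File-share, SQL and application ACLs
# are outside this check, so "not referenced" means "probably unused", as the
# post says, not "proven unused".
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# One pass over the partition: collect every identity named in any ACE.
$referenced = New-Object 'System.Collections.Generic.HashSet[string]'
Get-ADObject -Filter * -SearchBase $domainDN -SearchScope Subtree |
    ForEach-Object {
        try {
            foreach ($ace in (Get-Acl -Path "AD:\$($_.DistinguishedName)").Access) {
                [void]$referenced.Add($ace.IdentityReference.Value)
            }
        } catch { }   # skip objects whose ACL we are not allowed to read
    }

# "Empty" = the member attribute has no values. Built-in and well-known groups
# (RID below 1000, e.g. Domain Users = 513) are excluded: they look empty only
# because membership via primaryGroupID is not stored in "member".
Get-ADGroup -Filter * -Properties member, whenCreated, managedBy |
    Where-Object {
        $_.member.Count -eq 0 -and [int]$_.SID.Value.Split('-')[-1] -ge 1000
    } |
    ForEach-Object {
        $rid = $_.SID.Value.Split('-')[-1]
        # A custom group can still be someone's primary group; check that too.
        $primaryOf = @(Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -SearchBase $domainDN).Count
        [pscustomobject]@{
            Group          = $_.SamAccountName
            Created        = $_.whenCreated
            ManagedBy      = $_.managedBy
            PrimaryGroupOf = $primaryOf
            InAdAcl        = $referenced.Contains("$($domain.NetBIOSName)\$($_.SamAccountName)")
        }
    } |
    Sort-Object InAdAcl, PrimaryGroupOf, Created |
    Format-Table -AutoSize
```

Rows with InAdAcl = False and PrimaryGroupOf = 0 are the candidates for removal; the ACL walk reads every object in the partition, so expect it to take a while in a large domain.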

Create a policy for group creation and attestation. This process will make sure that groups follow a naming convention, have an owner and go through an approval workflow. They could also expire when a project is completed so stale groups do not litter your Active Directory. Owners and managers of groups can regularly attest to the membership and modify it as needed. Quest On Demand Group Management can accomplish these tasks for both on-premises and Azure environments.

Finally, review the membership of sensitive groups like Enterprise Admins, Domain Admins, Account Operators, DNS Admins, etc. Remove accounts that should not be in these groups. For the accounts that cannot be removed, audit what they are doing. In addition, you should audit membership changes to these critical groups. This includes membership changes made directly to the group or indirectly via a nested group. Quest On Demand Audit Hybrid Suite can alert you in real time if these events occur both on-premises and in Azure AD.
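As an added example (not code from the post or from Quest's products), the PowerShell below performs the membership review described above with the RSAT ActiveDirectory module: it flattens nested membership of the sensitive groups named in this post, records whether each user arrived directly or through a nested group, and flags every account other than the built-in Administrator. It assumes a domain-joined host; the DNS Admins group is looked up by its sAMAccountName, DnsAdmins.

```powershell
# Added example, not from the Quest post. Flattens nested membership of the
# sensitive groups the post names and flags every user other than the built-in
# Administrator (RID 500). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$sensitive = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
             'Account Operators', 'Backup Operators', 'Server Operators', 'DnsAdmins'

$report = foreach ($name in $sensitive) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so a lookup that finds nothing is simply skipped.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) { continue }

    # Direct members, so the report can say whether a user got in directly or
    # through a nested group (the post asks for both to be audited).
    $direct = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.distinguishedName })

    # -Recursive walks nested groups and returns only the leaf principals.
    # Principals from other forests are not resolved by this cmdlet.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate
            [pscustomobject]@{
                Group     = $name
                User      = $u.SamAccountName
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogonDate
                Path      = if ($direct -contains $u.DistinguishedName) { 'direct' } else { 'nested' }
                Expected  = ([int]$u.SID.Value.Split('-')[-1] -eq 500)
            }
        }
}

# Everything with Expected = False is a candidate for removal or, failing that,
# for the per-account activity auditing the post recommends.
$report | Sort-Object Expected, Group, Path | Format-Table -AutoSize
```

The membership changes the post says to audit are recorded by the domain controller that made them as Security log events 4728, 4732 and 4756 (member added to a global, local or universal security group) and 4729, 4733 and 4757 for removals, provided the Security Group Management audit subcategory is enabled; a change to a nested group shows up as an event for that nested group, not for the parent.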

Operating Systems - Are you still running Windows 7?

During security assessments we look at the servers on the network to determine if unsupported operating systems are present. We always find at least a few. Did you know that on January 14, 2020, support for Windows 7, Windows Server 2008 and 2008 R2 ended? This means regular Windows security updates have ended. These machines will be primary targets for attackers because newly discovered security flaws will not be patched. In addition, if supported operating systems are not regularly updated with the latest security updates, they too could be vulnerable. Attackers have at their disposal many tools to fingerprint an operating system. Once the OS and patch level are determined they can reference a database of vulnerabilities to plan the next phase of attack.

Mitigation

Unsupported operating systems should be removed. Migrate the apps, data, etc. to a supported OS.
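As an added example (not code from the post), the PowerShell below builds the inventory this step starts from using the RSAT ActiveDirectory module: it lists enabled computer accounts whose self-reported OperatingSystem attribute is Windows 7, Windows Server 2008 or 2008 R2, with the replicated last-logon date so hosts still in use can be told apart from dormant objects. The 90-day activity window is a constructed threshold, not a value from the post.

```powershell
# Added example, not from the Quest post. Lists enabled computer accounts whose
# self-reported OperatingSystem attribute is Windows 7, Windows Server 2008 or
# 2008 R2 (all out of support since 14 January 2020), with the replicated
# last-logon date so dormant objects can be told apart from hosts still in use.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# 'Windows Server 2008' matches both 2008 and 2008 R2.
$unsupported = 'Windows 7', 'Windows Server 2008'

# Constructed threshold for "recently active". lastLogonTimestamp replication
# is deliberately coarse (up to 14 days behind), so keep the window generous.
$activeSince = (Get-Date).AddDays(-90)

$findings = Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Where-Object {
        $os = $_.OperatingSystem
        $os -and ($unsupported | Where-Object { $os -like "*$_*" })
    } |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate,
        @{ Name = 'RecentlyActive'; Expression = { $_.LastLogonDate -gt $activeSince } },
        @{ Name = 'OU';             Expression = { ($_.DistinguishedName -split ',', 2)[1] } }

# Active hosts first: those are the ones to migrate. Dormant objects can be
# disabled and removed once you have confirmed nothing still depends on them.
$findings |
    Sort-Object @{ Expression = 'RecentlyActive'; Descending = $true }, OperatingSystem |
    Format-Table -AutoSize
```

The OperatingSystem attribute is written by the machine itself, so a host that has not contacted the domain since an upgrade may still show its old OS; treat the list as a starting point for verification, not as the final inventory.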

Patch your machines. When new security updates are released, they should be deployed to desktops, laptops and servers. While the process of testing and deploying updates to machines can seem overwhelming, there are solutions that can ease the burden of this task. KACE Systems Management Appliance can patch Windows and Mac as well as apps like Adobe Reader and Java.

Summary

Securing Active Directory is a continuous process. The issues identified and the mitigations suggested in this blog series are a small part of a larger security and governance strategy. Our security assessments have identified common gaps in Active Directory infrastructures that can be resolved if we know where the issues exist. Using a set of tools to gather data and present the results allows us to visualize the risk and create a plan to remediate. Active Directory administration is a moving target. As standards change, new leadership takes over from old and technologies progress, we must take time to look deep into our Active Directory’s past and clean out the legacy artifacts that make our environment less secure and less manageable.
