In this series, we’re continuing to explore my 2019 predictions for Windows and Office 365 professionals. Today we’ll be diving into the one constant Active Directory security prediction that has carried over since year one of the Holocene geological epoch — humans. Yes, they will still be a factor in your organization next year. And the humans — er, users — in your organization have Active Directory (AD) and Azure AD accounts and continue to have great influence over those environments.
In fact, there are over 1.1 billion identities in Azure AD and well over 500 million active on-premises AD user accounts within 90% of the world’s enterprises.
Users are the weakest link
There was something very satisfying about the way Anne Robinson, host of the game show The Weakest Link, would ruthlessly and without emotion eject players from the stage. The game is straightforward: Answer questions correctly and watch your bank grow for the team. The consequences, however, aren’t always so clear cut: Most times, the player with the most incorrect answers is voted off, but anyone — even the strong player — can go home at any point.
The same can be said of users in your organization. Anyone can be compromised. According to Verizon’s 2018 Data Breach Investigations Report, stolen credentials and phishing are the first and third most used actions, respectively, in a breach.
The weakest link in any security system is the human factor. Microsoft’s chief information security officer Brett Arsenault said it best: “Users are both my first line and my last line of defense.”
Users are more security savvy today. No one is really being fooled by the spoofed email from your bank with tons of misspellings and grammatical errors. But just as users become more security conscious, looking for that little green lock on websites or not opening attachments they don’t know, cyber criminals are evolving their phishing tactics, too. Hackers are weaponizing AI to bypass your machine learning detection algorithms and using stolen PII and PHI to spear phish your users.
And let’s not forget the disgruntled and accident-prone insiders who can wreak just as much havoc with their access — especially those with elevated privileges, like domain or enterprise admins all the way down to server and backup operators. The headlines are still full of employees stealing data or dumping systems before quitting, and everyone has stories about misconfigurations resulting in accidental data loss or security holes.
Your Active Directory is under-secured
All of this is to say that AD, the primary means by which users and objects authenticate to a system and receive the rights they use to move through it, is a vital corporate asset that remains extremely under-secured.
Historically, network and physical infrastructure layers have received all the security attention, while the focus on AD security has lagged. Organizations are now starting to prioritize and invest in AD security like they do perimeter security.
AD is a prime target for attackers because of its importance in authentication and authorization for all users. In Windows environments, everything relies on AD. And in your Office 365 environment, access relies on Azure AD.
With that said, there are a few big risk areas within your AD you need to keep in mind:
- Too many forests and domains complicate the landscape, especially when you throw as many Azure AD tenants in there as you have Office 365 tenants.
- Too many groups and nested groups that hide effective permissions to privilege escalation or sensitive data.
- Too much unnecessary software and agents installed on domain controllers (DCs), increasing the attack surface, and effectively making users who have access to that software or those agents domain admins.
- Too much noise in the native AD audit logs to understand when a user is acting suspiciously or out of the norm.
- Insufficient backup and recovery methods beyond the “onesie” and “twosie” account restores that leave your AD and DCs vulnerable to catastrophe from ransomware, accidents
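To show how nested groups hide effective membership, here is an added example (not from the original post) that walks a constructed, hypothetical group tree and reports every user who ends up in a privileged group only through nesting, together with the chain that grants it; the group and user names are made up, and the loop between Backup-Ops and Tier0-Ops is there to show that nesting cycles are handled.

```python
from collections import deque

# Constructed sample directory (not a real domain): group -> direct members.
# Members prefixed "G:" are groups, "U:" are user accounts.
GROUPS = {
    "Domain Admins": ["U:admin1", "G:Tier0-Ops"],
    "Tier0-Ops": ["G:Server-Ops", "U:admin2"],
    "Server-Ops": ["U:j.doe", "G:Backup-Ops"],
    "Backup-Ops": ["U:b.ops", "G:Tier0-Ops"],   # nesting loop back to Tier0-Ops
    "Helpdesk": ["U:h.desk"],
}

def effective_members(groups, root):
    """Map each user who is effectively in `root` to the shortest nesting chain
    (list of group names, starting at `root`) that grants that membership.
    Breadth-first walk with a visited set, so looped nesting terminates."""
    result = {}
    seen = set()
    queue = deque([(root, [root])])
    while queue:
        group, path = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for member in groups.get(group, []):
            kind, name = member.split(":", 1)
            if kind == "U":
                result.setdefault(name, path)   # first chain found is the shortest
            else:
                queue.append((name, path + [name]))
    return result

def hidden_members(groups, root):
    """Users who are in `root` only through nesting, i.e. not listed directly on it."""
    direct = {m[2:] for m in groups.get(root, []) if m.startswith("U:")}
    return {u: chain for u, chain in effective_members(groups, root).items()
            if u not in direct}

if __name__ == "__main__":
    for user, chain in hidden_members(GROUPS, "Domain Admins").items():
        print(f"{user} is a Domain Admin via: {' -> '.join(chain)}")
```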
Our recommendations for Active Directory security in 2019
My crystal ball says that 2019 will be the year you dive into AD, seeing it not as legacy, but as a critical part of your infrastructure that you need to secure beyond what Microsoft offers by default.
- Reduce your attack surface area by consolidating forests and domains, and then review all Group Policy objects (GPOs) that affect your DCs and remove any unnecessary software and agents installed on those DCs.
- Bring group management under control first by creating go-forward policies and procedures for group creation, modification and attestation.
- Create a Red Forest — officially named Enhanced Security Admin Environment (ESAE) — for all privileged accounts so you can keep a close eye on them and more easily apply additional security requirements, such as requiring that they log on from a hardened workstation or enforcing two-factor authentication.
- Use machine learning to alert on suspicious activity, such as unusual logons to sensitive servers after business hours, password changes made to VIP and sensitive accounts by third parties, successful logons after several failed attempts, direct assignment of administrative rights to any user, excessive LDAP queries, changes to GPO settings and changes to the registry setting HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
- Automate the continual review, enforcement and remediation of your security policies to ensure consistency, application and prevention of controls being bypassed.
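As an added example (not from the original post), the following rule-based detector runs four of the behaviours listed above over a constructed batch of Windows Security log events: an after-hours logon to a sensitive server, a success following repeated failures, direct addition of a user to a privileged group, and a change under the Lsa registry key. It assumes the standard event IDs 4624 (logon), 4625 (failed logon), 4728/4732/4756 (member added to a security-enabled group) and 4657 (registry value modified); the host names, users, thresholds and business hours are made-up parameters.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs); fields mimic Security log data.
EVENTS = [
    {"id": 4625, "time": "2019-01-08T02:01:00", "user": "j.doe", "host": "FS01"},
    {"id": 4625, "time": "2019-01-08T02:01:20", "user": "j.doe", "host": "FS01"},
    {"id": 4625, "time": "2019-01-08T02:01:40", "user": "j.doe", "host": "FS01"},
    {"id": 4624, "time": "2019-01-08T02:02:05", "user": "j.doe", "host": "FS01"},
    {"id": 4728, "time": "2019-01-08T09:30:00", "user": "svc-helpdesk", "host": "DC01",
     "group": "Domain Admins", "member": "j.doe"},
    {"id": 4657, "time": "2019-01-08T10:00:00", "user": "j.doe", "host": "DC01",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"},
    {"id": 4624, "time": "2019-01-08T14:00:00", "user": "a.smith", "host": "WS22"},
]
SENSITIVE_HOSTS = {"FS01", "DC01"}                      # assumed tier-0 / file servers
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
BUSINESS_HOURS = range(8, 18)                           # 08:00-17:59, assumed
FAIL_THRESHOLD = 3                                      # failures before a success
FAIL_WINDOW_SEC = 300                                   # look-back window for failures

def detect(events):
    """Return (rule_name, event) alerts, processing events in time order."""
    alerts = []
    recent_failures = defaultdict(list)     # user -> timestamps of recent 4625s
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625:
            recent_failures[ev["user"]].append(ts)
            continue
        if ev["id"] == 4624:
            if ev["host"] in SENSITIVE_HOSTS and ts.hour not in BUSINESS_HOURS:
                alerts.append(("after_hours_sensitive_logon", ev))
            fails = [t for t in recent_failures[ev["user"]]
                     if (ts - t).total_seconds() <= FAIL_WINDOW_SEC]
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", ev))
            recent_failures[ev["user"]].clear()   # a success resets the counter
        elif ev["id"] in (4728, 4732, 4756) and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("direct_admin_assignment", ev))
        elif ev["id"] == 4657 and ev.get("key", "").lower().endswith(r"\control\lsa"):
            alerts.append(("lsa_registry_change", ev))
    return alerts

if __name__ == "__main__":
    for rule, ev in detect(EVENTS):
        print(f"{ev['time']} {rule}: user={ev['user']} host={ev['host']}")
```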
To learn more about AD security and how insider threats and stolen credentials can cripple your organization, check out our informative e-book Nine Best Practices for Active Directory Security today.