Active Directory (AD), the directory service Microsoft developed for Windows domain networks, is most organizations’ primary store for employee authentication and identity management, and it controls which assets, applications and systems a user can access. This makes Active Directory a valuable target for attackers and a reason for organizations to improve its security.
But Guido Grillenmeier says the technology has dropped off companies’ agendas.
“Active Directory is considered a staple technology these days – after all, this technology should have matured after more than 20 years of use. And from the point of view of infrastructure resilience and stability, that claim is correct. But, unfortunately, not from a security perspective, where various AD weaknesses are increasingly used by cybercriminals to attack businesses,” he told Help Net Security.
“AD is too easily compromised and allows intruders to gather information about a company’s IT assets, steal company data, and then demand ransom payments after encrypting a large chunk of the company’s business IT assets, including the AD service itself.”
A lifetime of dedication
Grillenmeier witnessed the introduction of Active Directory over two decades ago and was immediately fascinated by its complexity and potential.
He made his professional debut at HP in the mid-90s and quickly became a Windows-centric infrastructure consultant, designing and migrating clients to Windows NT with various flagship projects for HP.
With the evolution of Windows NT into Windows 2000, he became a specialist in the new Active Directory (AD) domain services, honing his skills and gaining experience through various large-scale projects around the world and through situations in which he helped clients survive AD disasters caused by operational errors.
“It was these disasters that helped me dig into the details of the technology and better understand its weaknesses. Over the years, special work for the German government has further helped me understand the intricate details of Active Directory security, as it often required AD lockdown far beyond your standard business setup,” he shared.
Grillenmeier was a Microsoft MVP for Directory Services for 12 years, and his recent appointment as Chief Technology Officer at Semperis is an opportunity for him to focus on helping businesses protect their AD environments and, in the worst case, recover quickly from a disaster.
“Those who are not ready to quickly recover their AD from a malware attack will have a hard time recovering the rest of their business faster, as many applications and services still depend on a well-functioning Active Directory,” he noted.
AD and the cloud
The ever-growing need for more IT services and the rising cost of hosting their own IT infrastructure in their own data centers have led many organizations to host these services in someone else’s data center, he said. As a result, they had to synchronize their primary identity store – their on-premises Active Directory service – with a cloud-based identity provider (for example, Microsoft Azure Active Directory).
This adjustment is also often driven by attractive cloud offerings, such as Office 365 with Teams and other cloud-native apps, which require a cloud-based identity for the users of the service.
Grillenmeier notes that there are several ways for employees to authenticate with these cloud applications: Authentication decisions can be made in the cloud or through federation services to allow a company to have more control over this sensitive process.
“Many companies do not trust cloud services enough to allow them to perform actual user authentication or have compliance obligations to follow that do not allow this level of trust to be passed on to a third party,” he explained.
“To work around this problem, they set up federation services between their own on-premises directory services and the cloud. In such a configuration, the cloud fully trusts the federation service to properly prove a user’s identity, allowing its employees to log into cloud services with their on-premises identity, often coupled with a third-party multi-factor authentication (MFA) solution. By signing in this way, the cloud provider trusts your on-premises AD with authentication and will then grant access to cloud applications requested by employees (for example, Microsoft Teams).
In the latter scenario, corporate security relies even more on a strong and well-leveraged Active Directory service, as the risk encompasses malicious (or revoked) access to both on-premises corporate applications and cloud applications.
Likewise, depending on the configuration of the cloud identity service such as Azure AD, on-premises AD may be at risk when a breach occurs in a company’s cloud application. In this hybrid world we live in, the security posture of any business requires proper management of both its on-premises AD and its cloud identity stores,” he added.
Tips to improve your Active Directory security posture
Grillenmeier points out that the core of Active Directory was designed over 20 years ago, and that no AD deployment operated since the early days of its creation would be considered secure today if the improvements Microsoft has made over the years had not been implemented.
These include powerful features such as the Protected Users security group and Authentication Policy Silos (introduced with Windows Server 2012 R2), and Shielded VMs and Privileged Access Management (introduced with Windows Server 2016).
At present, there are also a variety of free tools on the market that raise awareness of the security posture of one’s on-premises AD.
Grillenmeier advises companies to at least perform periodic scans of their Active Directory configuration with these and similar tools, and then address any security issues discovered before an intruder first finds and exploits them.
“Performing a manual scan on a weekly basis is much better than not doing it at all, but organizations should also consider investing in appropriate security monitoring tools built into their SIEM to allow immediate warning when a new vulnerability exposes their AD again,” he noted.
“This could easily be one you had closed after your previous scan – for example, granting ‘unconstrained delegation’ to a computer object, allowing any process to impersonate a user elsewhere on the network – and which was reintroduced by an uninformed app owner or help desk staff. Unfortunately, your next manual AD security scan might be too late to find out.”
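The periodic configuration scan Grillenmeier recommends, and the two specific items the section names (unconstrained delegation on computer objects, and the Protected Users group), can be checked with a short script. The following is an added example and not code from the article, Semperis or Microsoft. It assumes a domain-joined host with the RSAT ActiveDirectory module, default English group names, and a report directory of `C:\ADPosture` (a placeholder); it writes each run's findings to a dated CSV and warns about findings that were absent from the previous run, which is exactly the "reintroduced after you closed it" case described above.

```powershell
#Requires -Modules ActiveDirectory
# Added example: weekly AD posture scan for unconstrained delegation and
# privileged accounts outside Protected Users. Assumptions: RSAT module present,
# default English group names, report directory below is a placeholder.
Import-Module ActiveDirectory

$reportDir = 'C:\ADPosture'   # assumed location, adjust to taste
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# LDAP bitwise AND matching rule; userAccountControl bit 0x80000 (524288) is
# TRUSTED_FOR_DELEGATION, i.e. unconstrained delegation.
$uacBitAnd = 'userAccountControl:1.2.840.113556.1.4.803:=524288'

# Domain controllers (primaryGroupID 516, RODCs 521) carry the flag by design
# and are excluded; any other computer with it is a finding.
$unconstrainedComputers = Get-ADComputer `
    -LDAPFilter "(&($uacBitAnd)(!(primaryGroupID=516))(!(primaryGroupID=521)))" `
    -Properties whenChanged

# The same bit on a user account is rarer but equally worth a look.
$unconstrainedUsers = Get-ADUser -LDAPFilter "($uacBitAnd)" -Properties whenChanged

# Members of high-privilege groups that are not in Protected Users.
# Enterprise/Schema Admins exist only in the forest root, so missing groups
# are tolerated. Keep at least one break-glass account outside Protected Users
# deliberately; review these findings rather than auto-remediating them.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$protectedDNs = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                  Select-Object -ExpandProperty distinguishedName)
$notProtected = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' -and $_.distinguishedName -notin $protectedDNs } |
        ForEach-Object { [pscustomobject]@{ Group = $g; DN = $_.distinguishedName } }
}

# Normalise everything into (Check, Object) rows so runs can be compared.
$findings = @()
$findings += $unconstrainedComputers | ForEach-Object {
    [pscustomobject]@{ Check = 'UnconstrainedDelegation-Computer'; Object = $_.DistinguishedName } }
$findings += $unconstrainedUsers | ForEach-Object {
    [pscustomobject]@{ Check = 'UnconstrainedDelegation-User'; Object = $_.DistinguishedName } }
$findings += $notProtected | ForEach-Object {
    [pscustomobject]@{ Check = "NotInProtectedUsers-$($_.Group)"; Object = $_.DN } }

$todayFile = Join-Path $reportDir ("findings-{0:yyyyMMdd}.csv" -f (Get-Date))
$findings | Export-Csv -Path $todayFile -NoTypeInformation
Write-Host ("{0} finding(s) written to {1}" -f $findings.Count, $todayFile)

# Compare with the most recent earlier report: anything new is either a fresh
# misconfiguration or one that was closed and has been reintroduced.
$previous = Get-ChildItem $reportDir -Filter 'findings-*.csv' |
    Where-Object FullName -ne $todayFile | Sort-Object Name | Select-Object -Last 1
if ($previous) {
    $old = @(Import-Csv $previous.FullName)
    $new = if ($old.Count -eq 0) { $findings }
           elseif ($findings.Count -eq 0) { @() }
           else {
               Compare-Object -ReferenceObject $old -DifferenceObject $findings -Property Check, Object |
                   Where-Object SideIndicator -eq '=>'
           }
    foreach ($f in $new) {
        Write-Warning "New since $($previous.Name): $($f.Check) $($f.Object)"
    }
}
```

Run it under a scheduled task with a read-only account; it needs no write access to the directory. The SIEM counterpart that the interview argues for is event-driven rather than weekly: security events 4742 (computer account changed) and 4738 (user account changed) record the old and new userAccountControl values, so a rule that fires when the TRUSTED_FOR_DELEGATION bit appears in the new value catches the reintroduction within seconds instead of at the next scan.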
Finally, despite all security measures and efforts, the worst can still happen: a zero-day exploit could be used to take down your entire AD service and all your other business applications, with a crypto-locker following to make all systems and possibly their backups unusable.
“Microsoft provides a very good white paper on AD Forest Recovery but does not provide real help to enable rapid recovery,” he noted.
“Normal OS-level backups won’t do – either companies figure it out for themselves and speed up the process with proper scripts and lots of testing in their labs, or they look at well-adapted third-party tools that could fully automate such AD forest recovery for them.”