
Active Directory security is hard. Here’s why and how to fix it


Active Directory (AD) is one of, if not THE, most critical services used by organizations of all sizes. In fact, for roughly 90 percent of Global Fortune 1000 companies, AD is the primary method utilized for seamless authentication and authorization when connecting and managing individual endpoints inside corporate networks. For these enterprises, AD is effectively the foundation upon which access is managed for endpoint management services, identity and authentication services, email authentication and critical business operations.

One might presume that the benefits afforded by its ubiquity – a rich community to tap into for support when needed, a highly mature AD engineering and management training ecosystem, and a deep talent pool of highly experienced AD professionals – would include a mature understanding of its inherent risks along with an equally mature and effective host of solutions in the realm of security. Alarmingly, that just isn’t the case.

Why AD security is so hard in the first place

A common weakness shared across all AD environments is that Windows and AD make it nearly impossible to accurately audit permissions – including permissions on an AD object, local administrator rights on a computer, and even effective rights granted to a security group. This spells disaster for an enterprise’s security posture because Windows and AD simply aren’t designed to answer questions like, “How many users have administrator rights on this computer?” In fact, Windows will only report which principals have a direct “admin rights” relationship to a computer or object.

Coupled with the low utilization of endpoint firewalls and the near-universal ubiquity of AD, this lack of clarity regarding permissions means adversaries can use the same fundamental tactics to attack almost any organization. In other words, if an adversary can master the techniques for attacking AD once, they can then use that proficiency again and again to launch similar attacks anywhere else AD is used. Furthermore, adversaries often use built-in, legitimate administrative tools and abuse existing privileges and permissions in AD. As such, it’s very difficult for defenders to tell the difference between “good” versus “bad” admin behavior.

This difficulty is particularly evident when trying to detect malicious behavior in Attack Paths, which are the chains of abusable privileges and user behaviors that create direct and indirect connections between computers and users. Ultimately, the challenge of AD security lies in understanding, quantifying, and eliminating or mitigating these Attack Paths. In theory, there are two well-established best practices for doing so. In reality, both are extraordinarily impractical.

Why least privilege and tiered administration don’t work well 

Least Privilege and Tiered Administration are two of the methodologies an organization can use to mitigate the risks presented by Attack Paths, and on paper they both sound simple.

  • Least Privilege: Limit users and other security principals (any entity that can be authenticated by the operating system) to only the privileges needed to do their jobs. No privilege is to be given beyond that.
  • Tiered Administration: Assign administrators and endpoints to different “tiers” and only permit principals and systems in the same tier access to one another. This approach promises to prevent an attacker with control of a lower-tier principal or system from pivoting to higher tiers by blocking the ability to move laterally between them.  

However, for the vast majority of organizations, these methodologies are out of reach due to several factors that inhibit effective deployment. For starters, the opaque nature of how privileges are granted in Windows and AD makes it too difficult for even the most talented administrators to understand whether a user or principal has the least amount of privilege required or whether a tier-separation violation exists. Without a quick and easy way to check if a violation has taken place, enforcing least privilege or tiered administration models quickly becomes too complex for most IT teams to manage.

The sheer size of the average AD environment contributes to this complexity. An enterprise AD environment will contain hundreds or thousands of new Attack Paths – linking every user and computer to the most highly privileged principals and highly sensitive systems – that change every day. The idea of manually unrolling every security group to audit every single privilege across an entire organization – including security groups nested inside other groups – is simply untenable.

Historically, effective implementation and maintenance of Tiered Administration has required architectural changes to several fundamental services like endpoint management, identity and access management, and even network architecture. There’s also never been a way to accurately forecast or quantify the benefits that Least Privilege Access or Tiered Administration would provide. These “basic” security controls have been relegated to the realms of impractical best practice (at best) and industry buzzword (at worst) because they can’t demonstrate risk reduction. Until security teams can produce concrete proof that these methods actually work, executives will continue to view the uncertain rewards of the juice as not worth the amount of work required for the squeeze.  

In truth, there’s an endless loop of non-starters such as these that are keeping most organizations from ever really achieving effective Least Privilege enforcement. While it’s true that an organization may achieve Least Privilege on a particular set of systems or use logical network rules to mitigate privilege abuse, the reality is that any Least Privilege accomplishment is negated by the persistence of Attack Paths that continue to grow and go unmanaged.

Recent advancements in attack path management

A problem that can’t be measured can’t be managed or mitigated effectively – which is why Attack Paths are dangerous for many enterprises. While some organizations are aware of Attack Paths, most still lack the ability to use accurate and meaningful statistics to measure their exposure to them. Fortunately, the security community has recently started to pay more attention to AD security. A group of best practices, collectively called Attack Path Management, can help secure AD, as well as make it more feasible to implement practices like Least Privilege, Tiered Administration, or credential hygiene. More precisely, Attack Path Management does the following:

  • Provides clear visibility on AD structure, facilitating better architectural design (for both AD and for applications), IT and security team productivity gains, and the end of the misuse of penetration test results leading to tedious, unproductive configuration changes.
  • Eliminates ‘Band-Aid’ fixes that do nothing to hinder the advancement of an adversary. By contrast, Attack Path Management enables enterprises to identify choke points in Active Directory, where a single fix can cut off a large number of Attack Paths.
  • Enables IT to measure improvements to their security posture through meaningful, transparent measurements that uncover the real risks created by Attack Paths. Furthermore, Attack Path Management allows for tracking of an organization’s AD security posture progress over time.

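The two problems described above, the permission-audit gap (Windows reports only direct admin relationships, not rights inherited through nested groups) and the choke points where one fix cuts many Attack Paths, in a toy graph model. This is an added illustration, not BloodHound's code; the environment is constructed, and the edge kinds (borrowing BloodHound's MemberOf/AdminTo/HasSession names) and function names are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample environment (not real data). Edge kinds borrow BloodHound's vocabulary:
# MemberOf (principal -> group), AdminTo (principal -> computer), HasSession (computer -> user).
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("bob", "MemberOf", "Helpdesk"),
    ("erin", "MemberOf", "Desktop-Support"),
    ("Helpdesk", "MemberOf", "Tier1-Admins"),         # nested groups: Windows itself
    ("Desktop-Support", "MemberOf", "Tier1-Admins"),  # reports only Tier1-Admins on WS02
    ("Tier1-Admins", "AdminTo", "WS02"),
    ("WS02", "HasSession", "carol"),  # a Domain Admin logged on to a Tier-1 workstation
    ("carol", "MemberOf", "Domain Admins"),
    ("dave", "MemberOf", "Domain Admins"),
]

def direct_admins(edges, computer):
    """What Windows itself reports: principals with a direct AdminTo edge."""
    return {s for s, k, d in edges if k == "AdminTo" and d == computer}

def effective_admins(edges, computer):
    """Every principal that can administer `computer`, unrolling nested groups."""
    members = defaultdict(set)  # group -> its direct members
    for s, k, d in edges:
        if k == "MemberOf":
            members[d].add(s)
    result, stack = set(), list(direct_admins(edges, computer))
    while stack:
        p = stack.pop()
        if p not in result:
            result.add(p)
            stack.extend(members[p])
    return result

def choke_points(edges, sources, target):
    """Rank intermediate nodes by how many simple source -> target paths cross them."""
    out = defaultdict(set)
    for s, _k, d in edges:
        out[s].add(d)
    counts = defaultdict(int)
    for src in sources:
        stack = [(src, (src,))]  # iterative DFS over simple paths
        while stack:
            node, path = stack.pop()
            if node == target:
                for hop in path[1:-1]:
                    counts[hop] += 1
                continue
            stack.extend((n, path + (n,)) for n in out[node] if n not in path)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

In this sample, removing the single HasSession edge (carol's logon on WS02, a tier violation) eliminates every path from the three Tier-1 users to Domain Admins, which is exactly what the choke-point ranking predicts.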
Ultimately, the true value of Attack Path Management lies in its continuous discovery, mapping, measurement, risk assessment, and elimination of high-risk Attack Path choke points – or, in other words, in measuring Attack Path exposure in enough detail to quantify the problem and prioritize fixes.

It allows organizations to significantly reduce the attack surface AD presents to the adversary, harden AD against abuse by helping enterprises finally achieve effective Tiered Administration and Least Privilege, bolster Directory Services availability, and protect the ‘keys to the kingdom.’ What’s more, Attack Path Management forces adversaries to retreat and look for other places to target and use different, more difficult tactics for less payoff elsewhere.

Andy Robbins, product architect, BloodHound

Andy Robbins co-created the FOSS Active Directory mapping and analysis tool BloodHound, has spoken at BlackHat and DEFCON, and has a background in professional red teaming and penetration testing.