Over 90% of the Fortune 1000 use Microsoft Active Directory (AD) for identity and access management, making it one of the most common pieces of software in the world.
Unfortunately, this ubiquity also makes it an attractive target for cyberattackers. Since Active Directory controls which users have access to the systems and software on a network, attackers can compromise it and give themselves the access levels they need to accomplish their goals. In addition, getting control of Active Directory allows an attacker to deploy ransomware, steal sensitive information, or do other nefarious acts – and it can be nearly impossible for a defender to stop them.
Unfortunately, most enterprise Active Directory environments have millions of misconfigurations and vulnerabilities that attackers can exploit. AD’s built-in tools and user interface make it difficult for security teams to audit user privileges, which means errors and misconfigurations can quickly build up over time.
What is 'misconfiguration debt'?
Most organizations suffer from “misconfiguration debt”, where errors multiply over time if AD security was never prioritized. Add the fact that Active Directory changes daily through the creation or removal of users, groups and software, and it’s easy to see why enterprises (which will have hundreds or thousands of AD users) have so many security issues.
These security issues come from a range of errors. For example, admins might accidentally grant users or groups more privileges than they require, or administrators could use their Domain Admin credentials to log into workstations where they’re at risk of being stolen.
These leave enterprises open to an attack technique called identity Attack Paths. In this technique, an attacker first gets the ability to run code on a single machine within a network, perhaps through a phishing email or finding a user’s credentials in a data dump from another data breach. Then they use various tools to exploit these errors and security issues to steal other user credentials.
Next, they use the access from those new credentials to compromise additional systems until they reach their target. These attacks can be difficult to detect because they use legitimate tools and credentials.
Defending against Attack Paths requires fixing the AD security issues that attackers take advantage of, and as discussed, there can be a lot of them. The good news is that AD or Identity and Access Management administrators can resolve many of these issues in minutes by changing default configurations.
While other problems require longer and more involved fixes – like retraining Global and Domain admins on which accounts to use when logging into high-value systems – these quick fixes can significantly reduce an organization’s overall AD security risk with very little work.
Here is how to solve one particular issue that is low-hanging fruit for improving AD security.
Restricting ownership of Domain Controllers to Domain Admins
For various reasons, Domain Controller objects frequently end up being owned by security principals other than domain admins. This issue is present in roughly 75% of our customers, and my colleagues regularly see it in consulting engagements, even though it is not a security best practice. For example, consider a Help Desk user creating a new server in the domain.
Several months later, the role of this system changes, and the admin team promotes the system to a Domain Controller. This Help Desk user now owns a Domain Controller and has a path to effective full control over the environment. This is extremely dangerous because if an attacker gets credentials for this Help Desk user, they can easily compromise the Domain Controller. As more situations like this occur, Domain Controller objects amass more and more owners, and the risk keeps increasing.
Luckily, this is easy to fix. To do this, first generate a list of each Domain Controller object in the target AD environment. This data can be gathered from AD directly, but it’s much easier to use a tool like BloodHound (a free and open-source AD mapping tool that was created by some of my colleagues). Then do the following:
- Open Active Directory Users and Computers
- Enable advanced features
- Locate each Domain Controller object (using the list)
- Right-click it and select “Properties”, then “Security”, then “Advanced”, and then “Change”
- Change the owner of each Domain Controller object to the Domain Admins group.
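The same audit and fix can be scripted for every Domain Controller at once. The following PowerShell is an added example, not code from the original article or from BloodHound; it assumes the RSAT ActiveDirectory module is installed and that it runs in a Domain Admin session, and it enumerates the DC objects itself with Get-ADDomainController instead of a BloodHound export. Without -Fix it only reports owners that are not Domain Admins.

```powershell
# Added example (not from the original article): audit Domain Controller
# computer objects and report any whose owner is not Domain Admins.
# Assumes the RSAT ActiveDirectory module and a Domain Admin session.
# Run with -Fix to change the owner of each non-compliant DC object.
param([switch]$Fix)

Import-Module ActiveDirectory

$domain       = Get-ADDomain
# Domain Admins always has the well-known RID 512 in the domain SID.
$domainAdmins = Get-ADGroup -Identity "$($domain.DomainSID)-512"
$intended     = New-Object System.Security.Principal.NTAccount(
                    $domain.NetBIOSName, $domainAdmins.SamAccountName)

# Resolve each DC to its computer object so we can read the object's ACL.
$dcs = Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADComputer -Identity $_.ComputerObjectDN
}

foreach ($dc in $dcs) {
    $path  = "AD:\$($dc.DistinguishedName)"
    $acl   = Get-Acl -Path $path
    $owner = $acl.Owner            # e.g. "CORP\Domain Admins" or "CORP\helpdesk.user"

    if ($owner -eq $intended.Value) {
        Write-Output "OK    $($dc.Name) owned by $owner"
        continue
    }

    # Any other owner (the Help Desk example above) is a finding.
    Write-Warning "$($dc.Name) is owned by $owner (expected $($intended.Value))"
    if ($Fix) {
        $acl.SetOwner($intended)
        Set-Acl -Path $path -AclObject $acl
        Write-Output "FIXED $($dc.Name): owner set to $($intended.Value)"
    }
}
```

Run the script without -Fix first and keep its output as a record of which DC objects were mis-owned; re-running it afterwards should report OK for every Domain Controller.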
Now only Domain Admins have access to these objects, as intended.
To continue securing Microsoft AD beyond the basics, organizations should consider using a method like Attack Path Management to measure an organization’s overall AD risk exposure.
It enables teams to map all possible Attack Paths, identify high value “choke points” where a single fix can remove many Attack Paths, and prioritize fixing these issues based on their risk. AD security can easily become overwhelming, so prioritizing issues to fix is key to making real progress.
However, even if an organization decides not to make AD security a priority, the quick fix explained above will significantly reduce their vulnerability to identity Attack Paths.