Since the dawn of digitization, cybersecurity has been a prevailing cause for concern. Over time, it has become increasingly difficult to operate and maintain network security as hackers and cyberattackers continue to discover fresh ways to breach security.
Active Directory (AD) is Microsoft's directory service; it lets administrators manage the identities, permissions and resources shared and stored across a Windows network. Its complexity grows with the size of the organization, and it can pose numerous challenges for the admins responsible for a Windows environment. Poor AD management and misconfigurations give attackers a path to the organization's critical systems: once they hold privileged access to AD they can reach every domain-joined machine and deploy malicious payloads (e.g., ransomware) at scale. The following are the top four AD management mistakes that directly affect an organization's security.
Using an account that holds admin rights for day-to-day work (e-mail, browsing, office documents) is a serious risk. Many organizations and their admins overlook this because they assume such accounts are always protected by multiple layers of security. No control is 100% foolproof, however: whatever a phishing attachment or a drive-by download executes from an admin session runs with that session's rights.
The simple fix is to use a non-privileged account for everyday work and a separate, dedicated account for administration. Unlike a Domain Admins member or a local administrator account, which can read and modify AD configuration or take over the local system, a standard domain user account is denied controls and information it does not need. Keeping the two accounts separate, ideally with the admin account never used for mail or web access, stops a compromise of the everyday account, through spear phishing or malware, from carrying over to the privileged one.
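As an added example (not code from the original article), the following PowerShell audit lists every user who reaches a privileged group, directly or through nesting, and flags the signs that an admin account is being used for daily work or is missing the usual protections. It assumes the ActiveDirectory module (RSAT) and read access to the domain; the group names are the default built-in ones.

```powershell
# Added example: audit the accounts that hold privileged group membership.
# Assumes the ActiveDirectory PowerShell module (RSAT) and rights to read the domain.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')

# Resolve nested membership: a user who reaches Domain Admins through three nested groups is still a Domain Admin.
$members = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty distinguishedName
}
$members = $members | Sort-Object -Unique

# Protected Users exists only at domain functional level 2012 R2 or higher; treat a missing group as empty.
$protectedUsers = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty distinguishedName)

$report = foreach ($dn in $members) {
    $u = Get-ADUser -Identity $dn -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires,
        AccountNotDelegated, ServicePrincipalName, EmailAddress
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        LastLogonDate        = $u.LastLogonDate
        PasswordAgeDays      = if ($u.PasswordLastSet) { [int](New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).TotalDays } else { $null }
        PasswordNeverExpires = $u.PasswordNeverExpires
        # Privileged accounts should carry "account is sensitive and cannot be delegated"
        NotDelegated         = $u.AccountNotDelegated
        InProtectedUsers     = $protectedUsers -contains $u.DistinguishedName
        # An SPN on a privileged user makes its password hash requestable (Kerberoasting)
        HasSPN               = $u.ServicePrincipalName.Count -gt 0
        # A mailbox address on an admin account is a strong hint it is also used for daily work
        HasMailbox           = [bool]$u.EmailAddress
    }
}

# Show the findings a reviewer cares about first
$report | Where-Object { -not $_.NotDelegated -or -not $_.InProtectedUsers -or $_.HasSPN -or $_.HasMailbox -or $_.PasswordNeverExpires } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

# Keep the full report so it can be compared over time
$report | Export-Csv -Path ".\privileged-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Any row with a mailbox or an SPN deserves a conversation with its owner: the first means the admin account is almost certainly used for routine work, the second means its password can be attacked offline by any domain user.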
A delegated AD model is built on the principle of least privilege, one of the best security practices. Every job duty needs to be evaluated in AD so that users have only the rights they require to carry out that duty and nothing more. Instead of adding users to the Domain Admins group, which is always a risk from a security standpoint, it is highly recommended to delegate the specific rights they need on the specific OUs they manage. Common administrative tasks (e.g., resetting passwords and unlocking accounts) can also be automated, which both removes the need for broad rights and frees the team to focus on good AD delegation practice.
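The helpdesk case above, worked through as an added example (not the article's own code): instead of making helpdesk staff Domain Admins, grant one group the "Reset Password" control access right and write access to the two attributes needed to unlock an account and force a change at next logon, scoped to user objects under one OU. The OU and group names are hypothetical; the script assumes the ActiveDirectory module and rights to modify the OU's security descriptor.

```powershell
# Added example: delegate "reset password" and "unlock account" on one OU to a helpdesk group.
# Assumes the ActiveDirectory module and these hypothetical names:
$ou        = 'OU=Staff,DC=corp,DC=example'
$groupName = 'Helpdesk-PasswordReset'

Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# Look the GUIDs up in the schema and Extended-Rights container instead of hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    New-Object Guid (,[byte[]]$obj.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [Guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'                   # class GUID; limits the ACEs to user objects
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'  # control access right for password reset
$lockoutTime = Get-SchemaGuid 'lockoutTime'            # writing 0 here unlocks the account
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'             # writing 0 here forces "change password at next logon"

$sid     = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ou"
# ExtendedRight ACE: objectType = the right, inheritedObjectType = the class it applies to
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, 'ExtendedRight', $allow, $resetPwd, $inherit, $userClass))
# Property ACEs: objectType = the attribute being written
foreach ($attr in $lockoutTime, $pwdLastSet) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $sid, 'ReadProperty, WriteProperty', $allow, $attr, $inherit, $userClass))
}
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: show only the ACEs granted to the helpdesk group
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Because the ACEs are scoped to descendant user objects of one OU, a compromised helpdesk account cannot reset the password of an admin account that lives elsewhere, which is exactly the separation that Domain Admins membership would have thrown away. Keep privileged accounts in an OU the helpdesk has no delegation on, and remember that AdminSDHolder periodically rewrites the ACLs of protected accounts regardless of the OU they sit in.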
By default a single domain password policy applies to every account. Ideally, a privileged account should be subject to a much stricter policy, while a standard user account can have a somewhat more lenient one to balance security and user experience. Applying the same policy to every account level leaves privileged accounts no better protected than ordinary ones, and the shared policy tends to settle at the weaker end because it has to stay workable for all users. AD's Fine-Grained Password Policies (password settings objects, PSOs; available at domain functional level 2008 and higher) make it possible to apply distinct password and lockout policies based on the sensitivity of accounts. PSOs apply to users and global security groups rather than OUs, so they are normally attached to the privileged groups themselves.
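An added example (not from the original article) of such a split: a PSO for privileged groups that is stricter than the default domain policy, followed by a check of which policy a given admin actually ends up with. It assumes the ActiveDirectory module, Domain Admins rights, and a domain functional level of 2008 or higher; the PSO and account names are hypothetical.

```powershell
# Added example: a stricter password-settings object (PSO) for privileged accounts.
# Assumes the ActiveDirectory module and domain functional level 2008 or higher.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'   # hypothetical name

# Lower precedence number wins when a user is a subject of several PSOs.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# PSOs target users and global security groups, not OUs, so attach it to the privileged groups directly.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Verify which policy a given admin actually gets: the resultant PSO, or the domain default if none applies.
$admin = 'jdoe-adm'   # hypothetical admin account
$effective = Get-ADUserResultantPasswordPolicy -Identity $admin
if ($effective) {
    "{0}: PSO '{1}' applies (min length {2}, lockout after {3} attempts)" -f `
        $admin, $effective.Name, $effective.MinPasswordLength, $effective.LockoutThreshold
} else {
    "{0}: no PSO applies; default domain policy (min length {1}) is in effect" -f `
        $admin, (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
}
```

Run the verification step for a member of each privileged group after the change: a PSO that targets the wrong group, or a conflicting PSO with a lower precedence number, silently leaves the default domain policy in force.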
Tracking changes within AD is imperative, especially changes to the Domain Admins group and the other privileged groups. AD does not record who made a change or when unless auditing is enabled on the domain controllers, so without auditing and regular review of users, groups and servers, the organization's resources and assets are even more exposed to compromise and data exfiltration, and an attacker's added admin account can sit unnoticed for months.
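As an added example (not the article's own code), the following script catches Domain Admins changes in two complementary ways: a diff of the current recursive membership against a saved baseline, which works even where auditing was never turned on, and the Security-log events a domain controller writes when a member is added to or removed from a security-enabled group, which also tell you who did it. It assumes the ActiveDirectory module, read access to the DC's Security log, and that "Audit Security Group Management" is enabled; the baseline path is hypothetical.

```powershell
# Added example: detect and attribute changes to Domain Admins.
# Assumes the ActiveDirectory module, rights to read the DC's Security log, and that
# "Audit Security Group Management" (Account Management) is enabled on the DCs, e.g.:
#   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
Import-Module ActiveDirectory

$group    = 'Domain Admins'
$baseline = '.\domain-admins-baseline.txt'   # hypothetical path for the saved membership
$dc       = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

# --- (1) membership diff against the last known-good list ---
$current = Get-ADGroupMember -Identity $group -Recursive |
    Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
if (Test-Path $baseline) {
    $diff = Compare-Object -ReferenceObject @(Get-Content $baseline) -DifferenceObject @($current)
    foreach ($d in $diff) {
        $what = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        "{0}: {1} was {2} since the baseline" -f $group, $d.InputObject, $what
    }
} else {
    'No baseline yet; saving current membership as the baseline.'
}
$current | Set-Content $baseline

# --- (2) who changed it, and when ---
# 4728/4729: member added to / removed from a security-enabled global group (Domain Admins is global).
# 4756/4757: the same for universal groups (e.g. Enterprise Admins in a multi-domain forest).
# Each DC logs only the changes it processed itself, so query every DC in production.
$groupSid = (Get-ADGroup $group).SID.Value
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4729, 4756, 4757; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetSid'] -ne $groupSid) { continue }   # only the group we care about
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Action = if ($e.Id -in 4728, 4756) { 'added' } else { 'removed' }
        Member = $data['MemberName']   # DN of the account that was added or removed
        ByWhom = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Group  = $data['TargetUserName']
    }
}
```

Schedule the membership diff to run on every DC-independent interval you can live with (hourly is cheap) and forward the 4728/4729/4756/4757 events to your SIEM; the diff tells you that something changed, the events tell you which account did it, which is what an incident responder needs first.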
More often than not, AD gradually turns into an information dump: every piece of user information the organization has is thrown into its database. The problem is that AD is a frequent target of attack, and by default any authenticated user can read most attributes of most objects. Sensitive data belongs in separate, access-controlled stores; at a minimum, nothing should be placed in AD attributes that are readable by users who are not supposed to see it, such as passwords or personal details in description or notes fields. Apart from these four common mistakes, others, such as Kerberos misconfigurations and overloading AD with information, call for a more sophisticated and scalable approach. It is important to understand the functional gaps and sub-optimal processes in your AD environment and take corrective action.