By Amritesh Singh, Marketing Manager for IT auditing, security and compliance vendor, Lepide Software
Active Directory plays a critical role in helping sys admins manage user privileges and secure their IT infrastructure, yet the threat ‘privilege escalation’ still remains. This is because sys admins face a large number of a security challenges – many of which are not easy to anticipate. Below are 10 important Active Directory security risks, which can admins should address in order to keep their system secure:
- Using Mimikatz, an attacker can compromise any account which has the Get Replication Changes All right enabled. Mimikatz is an open-source tool which can expose user credentials stored in the Local Security Authority Subsystem Service (LSASS). Mimikatz has a new feature called DCSync, which impersonates a Domain Controller and is able to request password information from the target Domain Controller, and change permissions on the domain root. While most anti-virus tools are able to detect Mimikatz, it continues to pose a threat to many Active Directory setups.
- The AdminSDHolder is an Active Directory container, which is used to hold ACL’s and provide a reference for all AD protected objects. Unauthorized access to this object can result in a major security risk as the perpetrator can easily modify permissions of domain admins and effectively take over the entire Active Directory forest.
- Single, unauthorized access to the domain root, may compromise Active Directory assets, who’s ACL’s are not marked as ‘protected’.
- Unauthorized access to the default Domain Controller’s OU, makes it possible to link a malicious group policy to all domain controllers in your AD setup.
- Organisations often choose to the deploy their systems using the default settings – making the assumption that the default security settings are the most secure. While it’s true that the default settings of newer versions of Windows are relatively secure, this practice still remains one of the biggest security issues associated with Active Directory.
- By default, Domain Admins (DA’s) have full permissions to all Domain Controllers, servers, workstations, AD and Group Policy accounts. Such a liberal policy for granting privileges presents a significant security risk. To make matters worse, it is common for the number of Domain Admin’s to exceed the number of Active Directory administrators.
- A service account is a special type of account which allows applications or services to interact with the underlying OS. These accounts are often granted too many privileges, which can lead to an escalation of access rights. As you can imagine, this presents a significant security risk. Likewise, an application running on a service account may have access to the LSASS, which stores user credentials. Should these credentials be exposed by such a service, the domain could be compromised.
- It is easy for an attacker to request data that has been encrypted with a Service Account’s password. If the password is supported by the Kerberos network authentication protocol, it is possible for an attacker to decrypt the data and expose the account’s password. In order to mitigate this problem, account passwords should be 20+ characters.
- With each successive release of Windows Server, more sophisticated security features are introduced, and previous security flaws are patched. As such, Domain Controllers running older versions of Windows Server present a security risk.
- While it’s possible to change local admin passwords, create accounts and services, and deploy scheduled tasks using Group Policy Preferences, this is a very bad idea from a security perspective. The problem is that the credentials required to perform such operations are stored in an XML file, which is accessible on every Domain Controller. This makes it easier for attackers gain access to, and reverse-engineer, the credentials stored in this file.