
Preventing Insider Threats in Your Active Directory

Mar 22, 2023 | The Hacker News | Password Security / Active Directory


Active Directory (AD) is a powerful authentication and directory
service used by organizations worldwide. With this ubiquity and
power comes the potential for abuse. Insider threats carry some of
the greatest potential for damage, because many internal users have
over-provisioned access to, and visibility into, the internal
network.

The access and trust that insiders already hold create a distinct
class of vulnerabilities. Network security often focuses on keeping a
threat actor out, not on the security of existing users and the ways
their access can be abused. Staying ahead of potential threats means
defending against both inside and outside threats.

Active Directory Vulnerabilities

From the outside, a properly configured AD domain offers a
secure authentication and authorization solution. But with
well-crafted social engineering and phishing attacks, an existing AD
user's account can be compromised. Once inside, threat actors have many
options for attacking Active Directory.

Insecure Devices

With “Bring Your Own Device” (BYOD) growing, device support and
security become more complex. If a user connects a device that is
already compromised or inadequately secured, attackers have a simple
path into the internal network.

In the past, an attacker would have to sneak in to install a
malicious device. Now, however, a user with a compromised device
does the hard work for them. Moreover, many workers may also
connect their smartphones or tablets to the network. This means
that, instead of a single work-issued laptop, you may have two or
three user devices that are not subject to the same security
measures.

Over-Provisioned Access

Adding complexity to internal security is the common issue of
over-provisioned access. Organizations often tend to expand access
instead of restricting it. A single act of convenience to solve a
problem can have the unintended consequence of creating a potential
attack vector, which is then often forgotten.

Users who are also administrators do not always get a separate,
more tightly controlled administrative account. Performing
administrative tasks from a standard user account is convenient, but it
means that the one account that reads e-mail and browses the web is
also a highly privileged one, so a single compromise of that account
opens the door to rampant abuse.

Weak Password Policies

Many organizations, especially larger ones, may have weaker
password policies because of the range of applications they support. Not
all applications are the same, and some do not support current
security standards. Examples include applications that do not
support LDAP signing or TLS-protected LDAP (LDAPS).

A weak password policy, coupled with a lack of multi-factor
authentication, makes a retrieved hash easy to crack. Kerberoasting is
the usual example: any authenticated domain user, privileged or not, can
request a service ticket for an account that has a Service Principal
Name, and because that ticket is encrypted with a key derived from the
account's password, it can be cracked offline at leisure. A strong
password policy puts that crack out of practical reach, and multi-factor
authentication means that a recovered password alone is no longer enough
to log on to a system or network.
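The following PowerShell is an added example, not code from the original article or from Specops. It audits the two conditions this section describes: a weak domain password policy and user accounts that can be Kerberoasted. It assumes the RSAT ActiveDirectory module on a domain-joined host; the first two functions need only an ordinary domain account (which is exactly the attacker's position), while the event-log query must run on a domain controller with "Audit Kerberos Service Ticket Operations" enabled. The 14-character threshold and the 24-hour window are assumptions, not policy.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

# 1. Domain-wide password policy. Short or non-complex passwords on service
#    accounts are what make an offline crack of a Kerberos ticket feasible.
#    Thresholds are assumptions; adjust to your own standard.
function Get-WeakPasswordPolicyFindings {
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($policy.MinPasswordLength -lt 14)   { $findings += "MinPasswordLength is $($policy.MinPasswordLength) (want >= 14)" }
    if (-not $policy.ComplexityEnabled)     { $findings += "Complexity requirement is disabled" }
    if ($policy.ReversibleEncryptionEnabled) { $findings += "Reversible encryption is enabled" }
    if ($policy.LockoutThreshold -eq 0)     { $findings += "No account lockout threshold (online guessing is unthrottled)" }
    # Fine-grained policies override the default for specific principals and are
    # readable by Domain Admins by default; surface any that weakens the baseline.
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        if ($_.MinPasswordLength -lt $policy.MinPasswordLength) {
            $findings += "FGPP '$($_.Name)' lowers MinPasswordLength to $($_.MinPasswordLength) for: $($_.AppliesTo -join ', ')"
        }
    }
    return $findings
}

# 2. Kerberoastable accounts: enabled user objects (not computers) carrying an SPN.
#    Any authenticated user can request a TGS for these. RC4 tickets (etype 0x17)
#    are keyed directly from the NT hash and crack fastest; AES-only accounts with
#    long random passwords are not a realistic target.
function Get-KerberoastableAccounts {
    Get-ADUser -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true } `
        -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', MemberOf |
    ForEach-Object {
        $etypes = $_.'msDS-SupportedEncryptionTypes'   # bit flags: 0x1/0x2 DES, 0x4 RC4, 0x8 AES128, 0x10 AES256
        # Null/zero means "domain default", which on most domains still permits RC4.
        $rc4Allowed = (-not $etypes) -or (($etypes -band 0x04) -ne 0)
        $aesOnly    = (($etypes -band 0x07) -eq 0) -and (($etypes -band 0x18) -ne 0)
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            SPNCount         = $_.ServicePrincipalName.Count
            PasswordAgeDays  = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            RC4Allowed       = $rc4Allowed
            AESOnly          = $aesOnly
            # Direct membership only; nested membership needs Get-ADGroupMember -Recursive.
            PrivilegedGroups = ($_.MemberOf | Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators),' }) -join ';'
        }
    } | Sort-Object PasswordAgeDays -Descending
}

# 3. On a domain controller: successful TGS requests (event 4769) that were issued
#    RC4-encrypted for a non-krbtgt, non-computer service. A burst of these from one
#    requester is the classic Kerberoasting signature.
function Get-Rc4ServiceTicketRequests {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.Status -eq '0x0' -and $d.TicketEncryptionType -eq '0x17' -and
            $d.ServiceName -notmatch '^krbtgt' -and $d.ServiceName -notlike '*$') {
            [pscustomobject]@{ Time = $_.TimeCreated; Requester = $d.TargetUserName; Service = $d.ServiceName; Client = $d.IpAddress }
        }
    } | Group-Object Requester | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Services'; e = { ($_.Group.Service | Sort-Object -Unique) -join ',' } }
}

Get-WeakPasswordPolicyFindings
Get-KerberoastableAccounts | Format-Table -AutoSize
Get-Rc4ServiceTicketRequests -Hours 24 | Format-Table -AutoSize
```

Accounts that come back with a multi-year PasswordAgeDays, RC4Allowed set and a privileged group listed are the ones to fix first: rotate to a long random password (or a group Managed Service Account), and set msDS-SupportedEncryptionTypes to AES only once the service is confirmed to support it.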

Best Practices for Securing Active Directory

To secure Active Directory, there are many best practices to
follow. Based on the previously outlined security themes, here are
several:

Training users to identify potential phishing emails and social
engineering attacks is essential. Users should also be discouraged
from opening unexpected attachments, and organizations should deploy
systems that scan for malicious content. These measures reduce the
likelihood of a successful attack.

Beyond that, assume that an account in AD has already been compromised. An
organization can and should take an in-depth look at the
permissions assigned to active, inactive and decommissioned
users and systems. Can privileges be separated from everyday user
accounts and assigned to dedicated administrative accounts that are
held to a higher security standard?
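This PowerShell is an added example, not code from the original article or from Specops, and it serves both the earlier point about administrators working from standard user accounts and the review of permissions held by inactive or decommissioned users just described. It lists every user who ends up in a Tier-0 group (including through nested groups), flags those that look like someone's everyday account, and separately lists disabled accounts that still carry group memberships. It assumes the RSAT ActiveDirectory module; the "-adm" naming convention for admin accounts and the 90-day staleness window are assumptions to replace with your own standard.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

# Groups whose members effectively control the domain. Enterprise and Schema
# Admins exist only in the forest root, hence -ErrorAction SilentlyContinue below.
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Backup Operators', 'Server Operators', 'Group Policy Creator Owners'
$AdminSuffix = '-adm'   # assumed naming convention for dedicated admin accounts
$StaleDays   = 90       # assumed window after which an unused privileged account is suspect

function Get-PrivilegedAccountReport {
    $seen = @{}
    foreach ($g in $Tier0Groups) {
        # -Recursive expands nested groups, which is where forgotten grants hide.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $sid = $m.SID.Value
            if ($seen.ContainsKey($sid)) { $seen[$sid].Groups += $g; continue }
            $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate, PasswordNeverExpires, mail
            $seen[$sid] = [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                Groups               = @($g)
                Enabled              = $u.Enabled
                # A privileged account with a mailbox, or one that does not follow the
                # admin naming convention, is very likely an everyday account doing admin work.
                LooksLikeDailyDriver = ($u.SamAccountName -notlike "*$AdminSuffix") -or [bool]$u.mail
                DaysSinceLogon       = if ($u.LastLogonDate) { [int]((Get-Date) - $u.LastLogonDate).TotalDays } else { $null }
                PasswordNeverExpires = $u.PasswordNeverExpires
            }
        }
    }
    $seen.Values | Sort-Object LooksLikeDailyDriver, DaysSinceLogon -Descending
}

# Decommissioned users should hold nothing. A disabled account that is still a
# member of groups is a grant waiting to be revived, and it is invisible to anyone
# who reviews only active users.
function Get-DisabledAccountsWithResidualGroups {
    Get-ADUser -Filter { Enabled -eq $false } -Properties MemberOf |
    Where-Object { $_.MemberOf.Count -gt 0 } |
    Select-Object SamAccountName,
        @{ n = 'GroupCount'; e = { $_.MemberOf.Count } },
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
}

$report = Get-PrivilegedAccountReport
$report | Format-Table SamAccountName, Enabled, LooksLikeDailyDriver, DaysSinceLogon, PasswordNeverExpires, Groups -AutoSize

# Privileged accounts that are disabled, or have not logged on within the window,
# are the first candidates for removal from the group rather than just disabling.
$report | Where-Object { -not $_.Enabled -or ($_.DaysSinceLogon -ne $null -and $_.DaysSinceLogon -gt $StaleDays) } |
    Format-Table SamAccountName, Enabled, DaysSinceLogon, Groups -AutoSize

Get-DisabledAccountsWithResidualGroups | Format-Table -AutoSize
```

Anything flagged LooksLikeDailyDriver is the case the article describes: a single account used both for e-mail and for administration. The remediation is a separate admin account per person, used only from hardened hosts, with the everyday account removed from every Tier-0 group.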

Multi-factor authentication combined with a strong password
policy is among the strongest protections available. Many social
engineering attacks begin by compromising a user's accounts on external
sites, where a reused password offers a foothold into the organization,
so an organization must mandate strong, unique passwords.

Keeping Active Directory Secure with Specops Password Policy

Underpinning many of these recommendations is a strong
password policy, and the default Active Directory configuration and
user tools are inadequate for enforcing one. To ensure users comply with
password standards such as NIST, CJIS, and PCI, and to block weak
passwords, organizations can use Specops Password Policy[1]. It lets an
organization create custom dictionary lists and block user names,
display names, specific words, consecutive characters, incremental
passwords, and reuse of part of the current password, while giving
users real-time feedback.

The Breached Password Protection add-on further enhances
security by alerting users in real-time if their chosen password is
on a list of breached passwords. It also provides in-depth scanning
to detect over 3 billion compromised passwords on accounts
throughout an AD domain.

Protecting Active Directory from Insider Threats

Though it may be impossible to protect against every threat, by
taking in-depth looks into existing permission structures, active
users, and the technical implementation of Active Directory, an
organization can go a long way to securing its environment. With
Specops Password Policy[2], take your password
policy to the next level through Breached Password Protection and
mandating unique and secure passwords across the board.


References

  1. Specops Password Policy (specopssoft.com)
  2. Specops Password Policy (specopssoft.com)
  3. Twitter (twitter.com)
  4. LinkedIn (www.linkedin.com)
