Defusing AD-Based Risks | Best Practices for Securing Modern Directory Services

If you are on a corporate network, it likely runs and authenticates on Microsoft Active Directory (AD). Currently, AD is the most common enterprise directory service in the world, used by 90% of the Fortune 1000 globally. It contains information on every user, system, service, or application within an enterprise and acts as a map to the entire network.

Enterprises take reasonable steps to harden on-premises and cloud AD, but their size, scope, and complexity make this challenging. Attackers who steal valid network credentials can impersonate legitimate users and directly access the data stored within AD or the cloud, then use this data for nefarious purposes.

This blog post delves into why AD is so vulnerable, the challenges with safeguarding AD data from attack, and how to harden the AD attack surface to reduce the risk of a successful attack.

Active Directory As a Roadmap for Attackers

Active Directory (AD) is a powerful but complex system of interconnected domain controllers that manage identity, authorization, authentication, and access within the enterprise network. AD is a directory service for Windows network environments and facilitates centralized management of an enterprise's resources, which include users, computers, groups, network devices, file shares, group policies, devices, and trusts.

Enterprises use AD to centrally manage and store user objects, computer objects, group membership, and define security boundaries. AD stores information about users, computers, and network resources in a logical database structure, and makes them accessible to users and applications. In essence, it is the guidebook for the entire organization's network.

Reasons Why Threat Actors Target Active Directories

Active Directory (AD) systems are often targeted by threat actors due to a combination of common and obscure misconfigurations, recent vulnerabilities, and built-in functionalities. These weaknesses can be exploited by attackers to move laterally and vertically within a network environment, gaining unauthorized access and establishing persistence.

Initially, AD installations are configured with insecure settings by default, primarily for legacy compatibility and operational efficiency. Even recent installations may be vulnerable due to hidden or lesser-known configuration settings, such as allowing the use of outdated, insecure protocols. Since AD's default permissiveness poses a significant risk, it operates as a large database where any authenticated user in the domain, regardless of privilege level, can query numerous components with minimal restrictions. This means that attackers with valid credentials can easily search AD for high-value targets and privileged users.

AD environments often evolve over long periods, sometimes spanning decades. They are typically managed by multiple teams, who make changes as needed, often without thorough change management processes or adequate tracking and auditing mechanisms. This lack of oversight can result in insecure configurations and excessive assignment of user or application privileges, creating exploitable vulnerabilities. The integration of ADs into enterprise forests during mergers or acquisitions can exacerbate these issues, leaving the entire environment susceptible to attacks.

Security concerns can also stem from AD administrators commonly prioritizing functionality and ease of implementation over cybersecurity measures.They might maintain insecure configurations to ensure compatibility with critical legacy systems, such as mainframes and older financial software, which can further compromise the security posture of the AD environment.

The Risks of Misconfigured Permissions in Azure

For Azure cloud environments, every account is assigned permissions to certain actions, such as accessing storage or running an application. Workloads also require their own identities and permissions for the environment. Properly managing these permissions is problematic. Misconfigured permissions allow attackers to compromise the cloud environment (and sometimes on-premises domain if they are federated and sync permissions). Many cloud-based data breaches are due to mistakes in access permissions for cloud storage that allow external attackers access to private data.

According to Microsoft's 2023 State of Cloud Permissions Risks report, the rise in workload identities, super admins, and inactive identities accessing cloud infrastructure is posing new security risks for many organizations. Workload identities now outnumber human identities 10:1, double that of 2021. Over 50% of identities are super admins, referring to users or workloads that have access to all permissions and resources. Attackers with super admin access can take over an entire cloud environment. Even something as simple as having permission to allow external users access to the environment or install an application is dangerous.

How to Close AD Vulnerabilities

To deal with these risks, enterprises often employ external auditors to perform ad-hoc checks against their AD domains for vulnerabilities and misconfigurations, particularly in regulated industries like finance or healthcare. These auditors review AD settings, user groups, policies, and other configurations to identify issues that could affect operations, then provide a readout of findings for the enterprise to address. They will often follow up on subsequent engagements to reevaluate if the organization successfully remediated the findings or if compensating controls mitigate them. However, many enterprises do not have the in-house expertise and institutional knowledge to address findings promptly without impacting operations, so they may categorize some as accepted for operational reasons, or not fixed because they are not a high enough priority.

Enterprises in the cloud also have AD-based risks. Entra ID, formerly known as Azure AD, manages access to cloud applications and workloads and federates with on-premises networks for integrated access. It is also a lucrative target, particularly for misconfigured permissions which allow attackers to access data or even take over the environment.

For Entra ID, the approach is similar - evaluate identity permissions to ensure they follow the principle of least privilege. By limiting identity permissions to the bare minimum required to perform a task, enterprises reduce the risk of attackers gaining excessively permissive rights to the cloud environment. There are over 60 built-in Entra ID roles, some of which are privileged, and identities can be assigned to roles with the needed permissions. However, overlapping role assignments often result in permissions creep, and knowing which permissions are dangerous is increasingly difficult. Keeping track of permissions and role assignments can also be problematic.

An alternate approach is to utilize tools purpose-built to assess AD and Entra ID to find any such issues. These relatively recent tools, categorized as posture management solutions, evaluate the AD and Entra ID databases for security weaknesses and misconfigurations and report on the findings. Gartner has named this capability Continuous Threat Exposure Management (CTEM) - the key here is continuous.

This approach comes with many advantages. Enterprises can regularly scan their AD and Entra ID infrastructure for vulnerabilities, identify and address findings, and continuously improve their security posture. Costs are often lower than engaging outside consultants, and some solutions can provide prescriptive remediation capabilities for certain findings. SentinelOne's Singularity™ Identity Posture Management and Singularity™ Identity for Identity Providers are two solutions to address these needs.

Singularity™ Identity Posture Management

SentinelOne's Singularity™ Identity Posture Management (SIPM) is a cloud-delivered solution helping organizations manage their identity attack surface by reducing identity risks in AD and Entra ID. It provides real-time vulnerability assessment around identity security, including misconfigurations, excessive privileges, or data exposures.​ SIPM discovers weaknesses before attackers can exploit them and provides comprehensive references for every finding.

With SIPM, organizations can better remediate the findings and identify high-priority issues to be aware of. It also provides manual remediation instructions or automatic remediation scripts to help security teams address them.

SIPM conducts regular or on-demand AD assessments that allows security teams to see into the state of the AD and Entra ID with hundreds of real-time vulnerability checks. It uncovers domain-level exposures such as weak policies, credential harvesting, and Kerberos vulnerabilities. It reveals user-level exposures through AD object analysis, privileged account evaluation, identification of stale accounts, and issues like shared credential use. It allows security teams to understand device-level AD attack paths, including rogue domain controllers, OS issues, and other vulnerabilities.

SIPM is easy to implement and provides results as soon as it finishes its first scan - in most cases within an hour of installation and configuration. It offers full coverage for on-premises AD, Entra ID, and multi-cloud environments, improving security with minimal resources, and needing just one domain-joined endpoint and no privileged credentials to conduct its assessments.

Singularity™ Identity for Identity Providers

Singularity™ Identity for Identity Providers (SIDP) provides the same identity attack surface reduction capabilities as SIPM while adding AD attack detection and conditional access capabilities to protect on-premises enterprise identity infrastructure. SIDP proactively monitors AD for activities that indicate potential active attacks, continuously and on demand. SIDP can detect identity-based attack activity originating from any device on the network targeting AD domain controllers.

SIDP installs on AD domain controllers and can help detect persistent AD attacks by providing full visibility into attack indicators and detecting attack traffic targeting the domain controllers. It notifies you in real-time regarding anomalous activity associated with identity-based attacks and also detects and prevents advanced threats such as, but not limited to:

• Golden/silver ticket attacks
• Skeleton key attacks
• Pass-the-ticket attacks
• Pass/overpass-the-hash attacks
• DCSync/DCShadow attacks
• AS-REP roasting attacks

To help defend the identity infrastructure, SIDP allows organizations to configure conditional access to AD by triggering integrations with multi-factor authentication (MFA) solutions on the market. When it detects suspicious AD transactions, it will trigger MFA reauthentication for the user associated with the activity. Legitimate users will have no trouble providing reauthentication, but unauthorized users will see their attack fail.

Conclusion

Active Directory (AD) is also one of the most targeted enterprise assets in modern cyberattacks and most red team or penetration test exercises. Attackers steal and exploit data from AD to identify high-value targets, move laterally, elevate privileges, and even distribute malware.

Attackers consider it a high-priority target because it is the central repository and mechanism to authenticate enterprise identities. They know that if they can take advantage of insecure aspects of AD to get administrative access, they can gain full control of the entire network.

Singularity™ Identity Posture Management and Singularity™ Identity for Identity Providers improve your enterprise's security posture from identity attacks. Working in tandem, they reduce your identity attack risks and mitigate residual risks with detection and response functions. Book a demo today or contact our team to learn more about how to secure your Active Directory, Entra ID domain controllers, and domain-joined assets.