"Five Eyes" states: Tips for improving Active Directory security
IT security authorities from the "Five Eyes" countries provide tips for better securing Active Directories.
IT security authorities from the so-called Five Eyes countries of Australia, the UK, Canada, New Zealand and the USA have published a guide to help organizations secure their Active Directories (AD). On 68 pages, they present a total of 17 common techniques that attackers use to compromise ADs.
The English-language PDF presents the individual attacks, explains how malicious actors use them, and recommends strategies to ward off these attacks. Implementing the recommended measures will help organizations to significantly improve their AD security and prevent intrusions by cyber criminals.
Protecting the Active Directory
The authors state that Microsoft's Active Directory is the most widely used solution for authentication and authorization in enterprise IT, globally. AD offers several services, including Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS) and Active Directory Certificate Services (AD CS). These in turn offer multiple authentication options such as smart card log-ins or single sign-on with on-premises or cloud-based services. Because of this prominent role in authentication and authorization, ADs are a valuable target for malicious actors. They routinely attack ADs as part of malicious activity on corporate networks.
According to IT experts from the international consortium, Active Directory is vulnerable to compromise due to its lax defaults, complex relationships and permissions, support for outdated protocols and lack of tools to detect AD security issues. As every user in AD has sufficient rights to detect and exploit vulnerabilities, the attack surface of ADs is immense and difficult to defend. The complexity and opacity of the relationships that exist in an AD between different users and systems also contribute to this. These hidden relationships are often overlooked by organizations and misused by attackers to gain complete control over an organization's network.
By gaining control of an AD, attackers gain privileged access to all systems and users that the AD manages. With these extended access rights, attackers can bypass other controls and access systems, including email and file servers, as well as any critical business applications. Often, access can also be extended to cloud-based systems and services via Microsoft's cloud-based identity and access solution Entra ID. Whatever their goal, whether financial gain or government cyber espionage, malicious actors gain through AD access the extended privileges they need to achieve it on the victim network.
Attackers can abuse this AD access for persistent access into organizations; some techniques allow malicious actors to remotely log into the organization, even bypassing multi-factor authentication. Many of these techniques are resistant to incident response defenses. Advanced intruders can lurk in ADs for months or years. To get rid of them, sometimes drastic measures are necessary, such as resetting all user passwords or completely rebuilding the AD itself. Organizations should therefore implement the measures presented in the guide to protect the AD from malicious actors.
The IT security authorities present some commercial and open source tools that organizations can use to examine and better understand their AD; tools that attackers also use to look around the AD. This is followed by a presentation of individual attacks and possible protective measures against them. Admins should take a look at the document to see whether sufficient countermeasures have already been implemented in the ADs under their supervision.
(dmk)