Active Directory (AD) still serves as the foundation of identity and access management for many organisations and is likely to remain so for the foreseeable future. While it is a powerful identity and access platform, it’s not without risks due to the way it was originally designed. Because of this, and within today’s IT security threat landscape, it is seen as a high-value target for malicious actors.

In this article, David Ripley, our Lead Identity Consultant, explores the key risks associated with AD and how these can be potentially mitigated using an approach that Silversands has adopted for our customers.

Graphic suggesting a cyber threat

What are the main threats against Active Directory in 2023?

Active Directory can be susceptible to a number of different attacks, with varying levels of reach and impact.  Some are easier to effect than others, but the result of an attack could be credential compromise, data loss, denial of service, and reputational damage, all of which are clearly undesirable.  These threats include:

  • Pass-the-Ticket (PTT) / Pass-the-Hash (PTH) Attacks

Attackers can steal Kerberos tickets or NTLM hashes and use them to impersonate legitimate users within the network.

  • Golden Ticket Attacks

Attackers with access to the Key Distribution Center (KDC) can create a “Golden Ticket” that allows them to access any resource within the domain.

  • NTLM Relay Attacks

Attackers can intercept NTLM authentication sessions and relay them to another host, gaining unauthorised access.

  • LDAP Injection Attacks

Attackers can manipulate LDAP queries to gain unauthorized access to directory objects.

  • ACL Manipulation

By manipulating Access Control Lists (ACLs), attackers can escalate privileges or gain unauthorised access to resources.

  • SID History Injection

Attackers can inject additional SIDs into their token, allowing them to assume the rights associated with those SIDs.

  • DNS Reconnaissance and Poisoning

Attackers can gather information about the AD infrastructure or poison DNS records to redirect traffic.

  • Group Policy Object (GPO) Abuse

Attackers with lower level privileges can create or modify GPOs to execute malicious code or change security settings to elevate their permissions using lateral movement.

  • Kerberoasting

Attackers can request service tickets and attempt to crack the tickets offline to obtain service account credentials.

  • DCShadow Attack

Attackers can mimic a Domain Controller (DC) and push malicious changes to other DCs within the network.

  • Cloud Attacks

With the integration of AD with cloud services, attackers may attempt to exploit misconfigurations or vulnerabilities in these connections.

  • Zero-Day Vulnerabilities

New, or previously undiscovered vulnerabilities in AD or related components could be exploited by attackers.

<p>The result of an attack on Active Directory could be credential compromise, data loss, denial of service, and reputational damage.</p>

The result of an attack on Active Directory could be credential compromise, data loss, denial of service, and reputational damage.

How do we help to mitigate against these threats?

The most appropriate approach to mitigate these threats involves a number of elements and activities within a standardised framework developed over our many years of working with Active Directory. These include environment analysis, clear reporting, developing the use of methodologies such as the least privileged admin model, implementing Microsoft Defender for Identity, and deploying other mitigation methods, such as infrastructure hardening.

Analyse the environment, understand the risks

Understanding the risks starts with a thorough analysis of the AD environment to validate and baseline the architecture against best practice security measures.

This enables us to identify vulnerabilities and weak points (attack paths), including outdated systems, misconfigurations, or excessive permissions.

 

Clear reporting promotes effective remediation

Once we have identified the risks, we present a report that clearly outlines the issues and identifies the most logical and effective steps required to eliminate or mitigate them. Naturally, it is important that the most critical vulnerabilities are targeted first and our report provides this information in an easily understandable way.

Secure the environment

Implementing best practices is essential for securing an AD environment.

These can include:

  • Deployment of security hardening to ensure that services are secured from known attack paths
  • Regular patching to keep AD up to date and reduce the risk of known vulnerabilities being exploitable
  • Implementation of strong authentication, such as multi-factor authentication, to add an extra layer of security at the point of login
  • Tightening administration practices such as by utilising dedicated devices, or step-up authentication (privilege escalation)
  • Enabling continuous monitoring and logging to quickly detect and respond to suspicious activities
  • The use of complementary technology such as passwordless solutions
Laptop displaying a 'hacked' graphic

Utilise a least privileged admin model

The principle of least privilege (PoLP) ensures that users have only the permissions necessary to perform their roles. This is a more granular approach to permissions management than may have been acceptable in the past.

Adopting this approach helps to reduce the attack surface by limiting permissions, and therefore the potential damage from compromised accounts is minimised.

In addition to reducing risk, this can also simplify management as a well-designed, least-privileged model makes it easier to manage and audit permissions. This also typically forces an organisation to validate the actual roles required for administration within its environment rather than using broader permissions. Clear roles and responsibilities also improve accountability and reduce the risk from insider threats.

An admin model normally encompasses all aspects of Active Directory permissions and management including DNS, Group Policy and Active Directory itself.

An admin model can also be supplemented by a privileged access solution, which deploys dynamic roles, rather than fixed and retained access permissions.

Implement Microsoft Defender for Identity

Microsoft Defender for Identity is a cloud-based security solution that can be invaluable in protecting against AD attacks. It can help by detecting advanced threats and complex attacks such as ‘Pass-the-Ticket’, ‘Golden Ticket’, and ‘NTLM Relay Attacks’. It provides detailed information about suspicious activities to enable quick and effective responses. It can also be integrated with other security solutions for a more comprehensive defence strategy.

However, although this product provides a broad safety net, it does not remove all of the risks that have been outlined in this article and therefore needs to be considered as one element of an overall threat protection solution alongside the other techniques outlined.

Active Directory is robust and reliable but needs to be protected against malicious threats

Active Directory is a vital part of modern IT infrastructure, but it comes with its share of risks. By conducting regular analyses, adhering to best practices, implementing a least privileged admin model, and leveraging tools such as Microsoft Defender for Identity, organisations can significantly reduce these risks.

 

How can Silversands help?

We have been working with Microsoft Active Directory since its inception and have helped many of our customers secure, troubleshoot and repair their AD deployments. Over the years, we’ve seen it all and have an extreme level of expertise and experience.

We help many organisations to secure their Active Directory deployments, ensuring that it remains a stable and reliable foundation within their IT service infrastructures.

Contact us to arrange a chat with one of our identity consultants who can help you understand how we can help protect your Active Directory platform with a custom, tailored and effective solution.

Other Resources