Tackling the problem of Active Directory misconfigurations [Q&A]


Microsoft's Active Directory is used by many businesses as a way of managing identity services and controlling access.

But if it's not configured correctly it can lead to security risks. But how dangerous is this and what can enterprises do to keep themselves safe? We spoke to Andy Robbins, technical product architect at SpecterOps to find out.

BN: For roughly 90 percent of Global Fortune 1000 companies, Active Directory (AD) is the main method used for seamless authentication and authorization when connecting and managing individual endpoints inside corporate networks. How does AD also present significant security risk for these enterprises?

AR: Microsoft Active Directory is a foundational technology for businesses because it manages identity and access management, endpoint management, business application management and much more -- basically it tells systems if a user is who they claim they are, and if they have permission to access the thing they're trying to access. If an attacker gets control of Active Directory (AD), they can almost always use it to give themselves the access they need to reach their objective. Controlling AD isn't the goal -- that might be deploying malware, locating and exfiltrating sensitive data, or conducting espionage -- but AD will help an attacker achieve all of these goals.

AD is an attacker's favorite target for several reasons. First, they get unlimited retries and they learn more about the target AD environment with each attempt. Second, controlling AD gives attackers many options for staying undetected and maintaining persistence in a network -- they can even make systems lie to queries from defenders and report everything is fine when it's not. Adversaries often use legitimate administrative tools and take actions that appear normal, like resetting user passwords or executing commands on remote systems, which is difficult for defenders to spot. Finally, AD is widely used at Fortune 1,000 companies, so attackers can use the same tools and techniques against multiple targets without any extra work modifying them.

BN: Why is Microsoft AD so difficult to secure?

AR: Active Directory environments at major enterprises have tens of thousands of users or more and this complexity makes it easy for attackers to slip in unnoticed. AD's user interface also makes it very difficult to answer the question, "How many users have administrator rights on this computer?" AD only shows which principals have a direct 'admin rights' relationship to a computer or object. It doesn't indicate if these principals are individual accounts, or a group of users. If it's a group, there's no easy way to see the members of the group. The admin will need to go into a different tool to do that -- and if that group contains a second group, they'll need to repeat the process again. This makes it almost impossible for teams to get an accurate picture of who has abusable access to crucial systems. In one extreme case, I found an environment where AD showed 31 security principals in a local admin group, but a total of 733,415 users actually had admin rights thanks to nested security groups. This lack of visibility hobbles any attempts to secure AD, to the point that many teams don't even try.

BN: What are the most common misconfigurations in Microsoft AD?

AR: There are three very common misconfigurations we've seen across the majority of Active Directory environments. First, highly privileged users that are susceptible to the 'Kerberoast' attack, as first described by Tim Medin. By combining a particular Kerberos configuration, a weak password, and a high degree of privilege, attackers are able to reliably abuse this misconfiguration in nearly every Active Directory domain.

Second, all-inclusive security principals with any kind of special privilege. For example, it's common to see the 'Domain Users' group granted local admin rights on one or more systems. This configuration effectively offers adversaries a 'beach head' opportunity, kicking off an attack path that can land all the way at the compromise of a Domain Admin user.

Third, it's very common to see normal users or lower-privileged service accounts as the object owners of domain controller computer accounts. This misconfiguration can bridge the gap between the rest of the environment and a domain controller, as these normal users or lower-privilege service accounts are not given the same protections and care as more sensitive domain admin user accounts.

BN: Why are these misconfigurations such a problem? What attacks do they open organizations up to?

AR: The most impactful contributing factor to the emergence of these misconfigurations is a lack of visibility provided by native and third party tooling. Microsoft's own tooling does not make these misconfigurations easy to identify or understand, and third party tooling that does find these issues can't calculate the impact of any of these configurations. This means that admins usually never see these configurations within any security context, let alone with any empirical risk rating.

These misconfigurations almost always chain together to form complete attack paths connecting every user and computer in the environment to the most critical assets -- domain admins and domain controllers. An attacker landing in almost any Active Directory domain can find and chain these misconfigurations together to completely compromise every system and identity in the enterprise.

BN: Can they be fixed, and if so, how?

AR: An individual attack path can be fixed, usually by removing privileges that users don't need. But closing specific attack paths doesn't accomplish much -- in a large environment, an attacker can usually find a different route to the same objective. Imagine driving from Seattle to Los Angeles. If a specific road or section of highway is closed down, you can still get to your destination.

But organizations can absolutely reduce their overall risk exposure to AD Attack Paths. To do this, they need to look at their high-value Tier Zero assets and work backwards from the attacker's point of view to identify Attack Paths targeting them and find 'choke points' that many of these Attack Paths pass through. Closing these high-priority choke points can sever hundreds or thousands of Attack Paths at once. The key is to close off the Attack Paths that present the most risk rather than eliminating them entirely.

BN: How are security professionals tackling this issue today? What more needs to be done going forward?

AR: The two methodologies historically used to secure AD are Tiered Administration and Least Privilege, but in my experience neither one is effective. They either require more visibility into AD than organizations have (the lack of visibility into AD discussed earlier makes it very hard to tell if a user has the least privilege required for their job), involve too much extra work (for example, effective Tiered Administration requires architectural changes to identity and access management, endpoint management, and sometimes network architecture), and don't offer a way to measure and quantify the benefits they provide.

A newer approach called Attack Path Management is more effective. Attack Path Management involves continuously mapping all the Attack Paths in an AD environment (remember, AD changes constantly so the mapping must be constant as well). Then defenders should identify 'choke points' that lead to Tier Zero assets. For example, if an organization has ten connections to their Tier Zero assets, then any Attack Path to those assets must go through one of those connections, no matter where it starts. Finding these choke points reduces the scope of what defenders need to focus on, turning it into a more manageable process. Defenders can now prioritize these choke points and address them -- in the last example, if 70 percent of an environment’s Attack Paths went through one of those ten choke points, it's clear what they should fix first. Since fixing Attack Paths can sometimes have unintended consequences, all fixes must have clear guidance about what to do, what the fix will affect, and quantify the benefit of the change. For example, telling an AD admin, "This change will reduce our overall AD security risk by 25 percent," is much more likely to convince them that the benefits are worth the cost.
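The choke-point idea in the last two answers can be made concrete on a small graph. The following is an added example, not BloodHound or any SpecterOps code: it builds a constructed attack graph in which a directed edge u -> v means "control of u gives control of v" (the node names and edges are made up), enumerates every simple path from a non-Tier-Zero node to the first Tier Zero node it reaches, and counts how many paths cross each edge that enters Tier Zero. Those entry edges are the "connections" the answer describes, and the script reports how many paths severing one of them removes, which is the kind of quantified benefit an admin can be given.

```python
"""Choke-point analysis over a constructed attack graph. Example code, not
BloodHound or SpecterOps code. Assumption: in a real environment the edge
list comes from collected AD data (group membership, local admin rights,
sessions, object ownership, and so on)."""
from collections import Counter, defaultdict

# Constructed toy graph: (controller, controlled).
EDGES = [
    ("dave", "WKS-17"), ("eve", "WKS-17"), ("frank", "WKS-17"), ("svc_web", "WKS-17"),
    ("WKS-17", "Helpdesk"),          # a Helpdesk member has a session on WKS-17
    ("Helpdesk", "SRV-01"),          # Helpdesk is a local admin on SRV-01
    ("SRV-01", "Domain Admins"),     # a Domain Admin has a session on SRV-01
    ("carol", "DC01"),               # carol owns the DC01 computer object
    ("DC01", "Domain Admins"),
    ("svc_backup", "Domain Admins"), # direct group membership
]
TIER0 = {"Domain Admins", "DC01"}


def build_graph(edges):
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    return adj


def attack_paths(edges, tier0):
    """Every simple path from a non-Tier-Zero node to the first Tier Zero node reached."""
    adj = build_graph(edges)
    nodes = {n for edge in edges for n in edge}
    paths = []

    def dfs(node, path):
        if node in tier0:            # reaching any Tier Zero asset ends the path
            paths.append(list(path))
            return
        for nxt in adj.get(node, []):
            if nxt not in path:      # keep paths simple (no cycles)
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for src in sorted(nodes - tier0):
        dfs(src, [src])
    return paths


def choke_points(paths):
    """How many paths enter Tier Zero over each edge: the 'connections' to fix."""
    return Counter((p[-2], p[-1]) for p in paths)


def sever(edges, edge):
    """The graph after a fix that removes one edge (e.g. clearing a session or a right)."""
    return [e for e in edges if e != edge]


def exposed_sources(paths):
    """Principals and computers that still have at least one path to Tier Zero."""
    return {p[0] for p in paths}


def percent_severed(edges, tier0, edge):
    """Percentage of attack paths removed by severing one edge."""
    before = len(attack_paths(edges, tier0))
    after = len(attack_paths(sever(edges, edge), tier0))
    return round(100.0 * (before - after) / before, 1)


if __name__ == "__main__":
    paths = attack_paths(EDGES, TIER0)
    print(f"{len(paths)} attack paths from {len(exposed_sources(paths))} starting points")
    for edge, count in choke_points(paths).most_common():
        print(f"  {edge[0]} -> {edge[1]}: {count} paths ({percent_severed(EDGES, TIER0, edge)}% if severed)")
```

With the toy data the graph has three connections into Tier Zero, but seven of the nine paths run through the single SRV-01 -> Domain Admins edge; removing that one session drops the exposed starting points from nine to two (carol and svc_backup), which is the prioritisation the interview describes.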

Image credit: Narith Thongphasuk38 / Shutterstock


© 1998-2024 BetaNews, Inc. All Rights Reserved.