Protecting Your Active Directory – Is It Still Relevant?
Over the past few years, the IT threat landscape has changed in ways that most of us thought would never happen. The global pandemic forced us to redefine our perimeters, not just the physical boundaries of our offices, but the perimeter of our security systems too. Naturally this shift in perimeter has driven a huge change in focus. We have seen a drastic acceleration in the adoption of Security Services Edge (SSE) and Zero Trust Network Access (ZTNA) platforms, and quite rightly so! But has this shift of focus onto your edge computing led to a neglection of your core services? Is it even still relevant to protect them?
The answer is simply yes, absolutely, now more so than ever! Many attackers and cyber criminals are capitalizing on this shift in focus and using it as a smokescreen to target organizations right at the core, the Active Directory (AD). Active Directory has been at the center of over 90% of every business network for almost as long as we’ve had the internet and is often connected in some way to almost every other service the business utilizes. But are we protecting it properly? Just stop and think for a minute… how many services within your organization are connected to your AD, or use it to authenticate logins, be it directly domain joined or through LDAP / LDAPS authentication? How many applications or devices in your network look to your domain controllers for DNS resolution? Are you using group policy to deploy secure baselines across your architecture? By the time you’ve reached the end of this paragraph I’m sure you have at least 3-5 things in mind?
Now let’s consider that your AD has been compromised, and a cybercriminal has seized control of at least one privileged account. Can you still guarantee the integrity of your applications / devices? Was a backdoor installed whilst the bad actor had access? Have your DNS records been modified to repoint traffic to a fake server or have your baselines been modified to create an exploitable weakness?
Once the AD is compromised, the next course of action for any cybercriminal will be to leverage control of privileged accounts / groups and move laterally across your network, gaining access to whatever else possible. Without proper visibility, this movement can take place under the guise of ‘known accounts’ so might not be effectively detected. When we consider the possible impact and damage that could be done in this situation, it brings the protection of AD rapidly back into focus! Active Directory has been around for a long time, since 1999 to be exact, and whilst Microsoft has made significant advancements in the security of the platform since this date, a lot of those enhancements have come forth in form of new OS releases and are only truly realized during a fresh deployment.
Out of the box, a Windows Server 2022 AD installation is significantly more ‘hardened’ compared to that which came with Windows Server 2008, but unfortunately, when joined to an existing domain, a lot of these enhancements are lost. Active Directory follows a ‘rolling’ model, with new domain controllers added and older removed, simply replicating, and maintaining the same configuration throughout. If your forest / domain was first created on Server 2003, unless already patched or updated manually, there may still be vulnerabilities present. So, how can we combat these challenges?
The first, and probably most important thing is to gain visibility to the changes which are happening in your AD, we need to be able to see the four Ws:
- WHO – Who made the changes? Was it an admin, was it a machine account, or was it a service account?
- WHAT – What was changed? Most importantly, can you see what the value was before the change, and after? Most log forwarding does not keep a track of the old value, only what it was changed to. Without the information of the previous value, how can you hope to revert it effectively?
- WHERE – Where was the change made from? You might have multiple domain controllers, if you can see a lot of changes coming from a specific one, this is likely where we would start an investigation.
- WHEN – When was the change made? Can we see if lots of unexpected changes are happening during the middle of the night?
With this information, we can start to build a much bigger picture of what is happening inside the AD. Looking at patterns or anomalous behaviour and correlating these changes with other events which might be happening in your network. This data, however, is only going to begin scratching the surface, if we were to collate it all, even in a small AD – let’s say approx. 500 users, we could be seeing upwards of 6,000 events happening in a 24-hour period! How do we know what events we should care about, and what is just normal behaviour? This is where Active Directory specific monitoring and protection tools come into play. Simply forwarding these logs to a SIEM platform is often not enough, we need them to be captured by a platform which understands the changes, and any impact they might have.
Most AD monitoring and protection platforms leverage dedicated threat feeds and intelligence, often referred to as “Indicators of Compromise” or “Indicators of Exposure.” These are commonly built using data from previous attacks, threat research, and even checking against the hardening which has been included in newer versions of AD by Microsoft. With this intelligence, it is possible to see whether you’ve missed a specific patch, have a weak legacy configuration, or even if a specific change has been made, which increased your risk level or might highlight an attack is taking place.
For example, if you saw a sIDHistory value was changed for one of your accounts, would you even think twice about it? What if the value that was written was that of a privileged account? This could be a strong indication that your AD is compromised, and the attacker is trying to create a backdoor. We also need to consider however, that no matter how much protection you apply, to any service or platform – be it your Active Directory, Email Security or a Firewall, bad things can still happen, and environments can be breached. Therefore, it is of utmost importance to ensure that you have a “clean” backup of your Active Directory using a tool which was designed for the purpose.
In its very nature, AD is quite difficult to back up and restore. It is intrinsically linked to almost every corner of a network, and therefore partial backups are not of much use. Any compromised accounts or bad configuration will be replicated across your entire estate, and often, even after a restoration, the rate of re-compromise is high. So, what do I mean by a “clean” backup?
There are many ways to back up AD, most involving Disaster Recovery (DR) replication, bare metal backup, or at the very least a full system state. The problem with this is attackers can simply leave a backdoor on your domain controller, and once you’ve completed the restore and reverted any changes in your AD itself, they take control once again and wreak havoc. To truly guarantee a “clean” restore, we need to restore only the domain directory files themselves to a totally fresh server, which creates a whole host of new problems around domain trust, and device connectivity to the AD. For a long time, the process to circumvent this was to follow the almost 100-page document from Microsoft, manually extract the pieces you need, and run many scripts to piece it back together. It could take days, even weeks to complete this, depending on the size of your organization and when you’re trying to recover from a full-scale ransomware attack, it’s almost impossible to restore any other service, until AD is back on its feet. But by using a backup application which is built from the ground up with AD restoration in mind, you could be back in business in as little as 20 minutes, making all the difference between losing a few hours, and millions of dollars! With all this in mind, I will leave you with my key takeaways, and some thought provoking questions to ask your IT teams, to ensure that you are properly prepared for anything this ever-changing threat landscape might throw at you.
- Ensure that your AD is being properly monitored, perform regular checks for known weaknesses and vulnerabilities, and review the changes which are made to track patterns or anomalies.
- Ensure that you have an audit trail for these changes, it’s extremely important to know when changes are happening and what the before / after values were. How else are you supposed to recover?
- Invest in a dedicated backup solution for your Active Directory – it’s the hardest part of any environment to restore effectively, and often also the most overlooked!
Some Questions To Ask Your IT Teams
- How are you currently monitoring your Active Directory? If this is with a SIEM solution, is it
giving you visibility into misconfigurations which might have existed for a long time in your
- When strange behaviours are spotted or privileges granted, how long does it take you to react
to them? Do you have any tools or platforms which are automatically remediating unexpected
changes, like members added to “Domain Admins” etc?
- What is your Active Directory backup strategy? Realistically, how long would it take you to
recover from a disaster scenario and rebuild your AD completely from scratch? More
importantly, when was the last time it was tested and verified?