Microsoft Active Directory (AD) allows IT administrators to manage users, data, and applications within their organization’s network. Due to its popularity and importance within companies, AD is a perfect target for ‘bad actors.’
We’ve most likely all seen the massive increase in data breaches over the past few years. There are many attack vectors out there, but compromised credentials are very common source of vulnerability, despite password security being a regular topic in cybersecurity conversations.
Consider these seven tips when engaging with AD security:
- Meeting NIST Guidelines: Following Industry Best Practices
NIST guidelines are data based and often become the foundation for best practice recommendations across the security industry. Making the effort to build best practices from NIST into your AD environment can have positive ramifications for multiple parts of your enterprise—strengthened security, reduced help desk calls, and consequently lowered administrative costs as well.
The most recent report recommends that password should: have at least eight characters; be compared against a password blacklist; and implement a throttling mechanism. They also recommend that a password policy should not impose composition rules; and not require passwords to be changed unless there is evidence of compromise.
- Hardening Passwords Part 1: Reducing Complexity and Eliminating Periodic Password Reset
We’re at the end of the era of required, complex passwords. Requirements of a mixture of upper-case letters, symbols, and numbers were thought to be guidelines that made impossible-to-guess passwords, but it’s been shown repeatedly that these types of restrictions often result in worse (and harder to remember) passwords.
Another part of the conversation on hardening the password layer is the elimination of periodic password reset. Both Microsoft and NIST have reported that requiring frequent password changes is actually counterproductive to good password security. This is because the world of computing has changed: it no longer takes a hacker three months to crack a hashed password. Instead, billions of password-guessing attempts can be tried very quickly. A compromised or common password can be cracked in no time at all.
The current NIST guidelines indicate that if a password can be made sufficiently strong—read: not found in cracking dictionaries—then there is no reason to force it to arbitrarily expire.
- Hardening Passwords Part 2: Using a Blacklist, and Why Static Isn’t Good Enough
Another NIST guideline worth latching on to is the practice of checking passwords against a blacklist of ‘banned’ passwords. Ideally, a password blacklist should contain all of the passwords that a hacker could use to gain access to a system—then, when your employees create new passwords, they can be compared to passwords already found to have been breached and rejected if they’re too weak or already compromised.
There are several blacklist services available that can help you streamline this process, but make sure you’re choosing one that is updated frequently; static blacklists can become useless practically overnight. In order to address what NIST is actually looking for, the blacklist needs to be an up-to-date, extensive, and ever-expanding.
This is one of Enzoic’s key focuses. We have a combination of people and automated technology to build and maintain our own massive database that includes multiple billions of passwords found in cracking dictionaries and breaches online, and we have a very rapid process for keeping this up to date. The Enzoic for AD plugin is built specifically to address NIST guidelines, and it’s also intended to be as unobtrusive as possible, meaning the user experience is as seamless as ever.
- MFA: Using it Effectively, When you can, Where you can
When it comes to Multi-factor Authentication, it’s absolutely a valuable practice. However, the reality is that not every organization is ready or able to employ MFA universally in their organization.
If for some reason you’re not able to use MFA for general user accounts in AD, it’s highly recommended that you at least use it for your administrator accounts, particularly your domain admin accounts. If one of your domain accounts is compromised, the bad actor has access to your entire network—just imagine how much damage could be done within a few hours or days.
Authentication factors are categorized into three types: something you know, something you have, and something you are. MFA relies on the use of at least two factors, each from a separate category. The more layers of authentication, the more difficult it is for someone to access an account that’s not their own.
- Have Two Accounts: Divide and Conquer
It’s important to remember that AD is the heart of your access controls. Your domain account should be treated respectfully. One solution is having at least two accounts—one regular user, in addition to your one admin level account. This means that you can use them appropriately for the task at hand. This step is both crucial and easy.
Often you don’t need a domain admin account to achieve the installs that you need – so try to follow the principle of least privilege. By only accessing ‘what you need and nothing more’ you can better control the security of your whole internal network. You are the first stance in modeling the concept of Just Enough Administration (JEA) and the Principle of Least Privilege (POLP).
- Disabling Local Accounts: Where Less Is More
After you have a handle on your own accounts, it’s highly recommended that you limit user and employee access to the minimum possible as well. People often request more access than they need; this sounds fine until there is a security event and your whole identity management system could be compromised. To avoid such a scenario, ensure that employees have only the minimal level of access in AD they need to perform their tasks.
In the same vein, when it comes to standard local accounts, it’s recommended that you disable them. If they are kept around, and password is never checked or refreshed, the account just becomes an attack vector. It would be much safer to create your own, new backup system with a random account name (not just “administrator”) and a strong password.
- Monitoring Your System: Knowing What is Normal
Sometimes, no matter how smart and prepared we are, bad things can happen. It’s imperative that you monitor AD events for indicators of a potential compromise.
It will take time to organize what data and logs are most relevant for your company. But refining your tools—free or paid—to watch for alerts that are indicative of problems is an essential process. Noting what is normal (who is accessing what and when?) and what would be unusual, and tailoring your tools to those indicators, is one of the best preventative security methods you can utilize.
Active Directory is extremely common in the corporate world and it’s not as secure as it needs to be. As always, staying engaged, and educating yourself and your employees on an ongoing basis, will assist with your personal and organizational security.
Read the full e-book here.
By: Bronwen Hudson