5 Tips for Securing Your Active Directory

Active Directory (AD) is Microsoft’s directory server. Ubiquitous across Fortune 500 and small businesses alike, AD is the software that connects on-prem servers, workstations, users, and networks. AD’s cloud-based counterpart, Microsoft Entra ID (formerly Azure AD), serves the same purpose.

While AD provides both users and administrators with central services, its security has not kept pace with the growing complexity of the modern digital ecosystem—which is a huge concern, as it’s a tempting target for threat actors. AD contains repositories of personal data, so when it’s compromised, the organization is immediately and severely affected.

Businesses without strong cybersecurity policies might forget about AD entirely. As enterprises move to the cloud, or split operations between on-premise and the cloud, it’s easy to neglect updates and patches, evolving password policies, and privilege creep.

In all the hype of cloud solutions, security continues to be an afterthought. It’s even more important to check security defenses for AD as there may be legacy policies in place.

What are AD best practices? 

(1) Review AD Password Policies
If you haven’t reviewed password policies within AD, it’s a good place to start. NIST guidelines also provide password framework recommendations, which include removing periodic password change requirements, getting rid of arbitrary complexity requirements, and screening passwords for compromise. A solution such as Enzoic for Active Directory automates the enforcement of password policies that are underscored by NIST SP 800-63B.

To get a gauge of the state of things within your AD environment, you can also perform a password audit to identify weak, common, reused, and unsafe passwords. An audit is a quick, straightforward way to get a snapshot of your credential security state. Weak and reused passwords can result in a multitude of security vulnerabilities, especially if the credentials have been exposed in a previous breach.

(2) Keep an Eye on Privileged Accounts
Active Directory can store hundreds of thousands of accounts, sets of credentials, and repositories of financial information. Within these, the accounts with the most privileges are the real targets for cybercriminals. Any account with a local administrator or especially with domain access should be particularly protected with a long, complicated password that is stored securely. An admin account with domain access should really only be used during initial deployment and then for disaster recovery.

The other aspect of account monitoring worth mentioning is the problem of ‘ghost accounts,’ unused accounts that still have access to various parts of the network. Unused accounts tend to be overlooked and leave organizations vulnerable to data breaches through compromised credentials. Regularly monitor AD for accounts belonging to former employees to ensure that no unauthorized access is possible by bad actors.

(3) Check for Privilege Creep
Within all accounts, even those of the IT team with levels of admin access, a “least privilege” model is the best practice to adopt. The ‘principle of least privilege’ or POLP stipulates that every user account should come equipped with only those privileges required to do the job. As part of this account monitoring, account privileges should be reviewed every time an individual changes position, and on a regular basis otherwise. “Privilege creep” happens frequently, especially in organizations with high staff turnover. Coupled with the habit of password reuse, leaving accounts active when the user is gone creates serious security vulnerabilities.
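One way to put tips (1) through (3) into a repeatable review, as an added example that is not part of the original post or of any Enzoic product: a read-only PowerShell report that prints the effective password policy, lists enabled accounts that have not logged on recently or are exempt from password rules, and resolves the membership of the high-privilege groups. It assumes the RSAT ActiveDirectory module on a domain-joined host; the 90-day stale threshold and the group list are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): read-only AD account hygiene report.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, domain-authenticated host.
Import-Module ActiveDirectory

$StaleDays        = 90   # assumption: no logon for 90 days counts as a ghost account
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# (1) Effective domain password policy, plus fine-grained policies that override it for some users
Write-Host "== Default domain password policy =="
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount, LockoutThreshold |
    Format-List

Write-Host "== Fine-grained password policies (lower Precedence wins) =="
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo |
    Format-Table -AutoSize

# (2) Ghost accounts: enabled users with no logon in $StaleDays days (or none ever recorded).
# LastLogonDate comes from the replicated lastLogonTimestamp, which can lag up to ~14 days,
# so treat the list as candidates for review rather than as proof of disuse.
$cutoff = (Get-Date).AddDays(-$StaleDays)
Write-Host "== Enabled users with no logon since $($cutoff.ToShortDateString()) =="
Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, PasswordLastSet |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Sort-Object LastLogonDate |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet |
    Format-Table -AutoSize

# Accounts exempted from the policy: never-expiring passwords or no password required at all
Write-Host "== Enabled users with PasswordNeverExpires or PasswordNotRequired set =="
Get-ADUser -Filter { Enabled -eq $true -and (PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true) } `
           -Properties PasswordNeverExpires, PasswordNotRequired, PasswordLastSet |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired, PasswordLastSet |
    Format-Table -AutoSize

# (3) Privilege creep: every user that ends up in a privileged group, including via nested groups
foreach ($group in $PrivilegedGroups) {
    Write-Host "== Members of '$group' (resolved recursively) =="
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
        Format-Table -AutoSize
}
```

Run it under an account with read access to the directory and keep the output with the date it was produced; comparing two runs is the quickest way to spot accounts that were added to a privileged group without a corresponding role change.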

(4) Monitor, Patch, and Update
It might go without saying in some situations, but ensuring that Active Directory is updated organization-wide on an ongoing basis is crucial. As Microsoft detects vulnerabilities it pushes patches, but these often still need either a user or an administrator to accept the update. Don’t wait to update!

(5) Education
All conversations around password hygiene within Active Directory will improve if education is part of your organizational culture. Sharing the “why” can be more effective than the “how.” Share password policy changes, best practices, and their importance with your employees regularly. Advise against sharing credentials or reusing passwords among their personal and business accounts. These habits make it easy for cyber attackers to access multiple accounts within AD after obtaining a single set of credentials.

Remember that securing “the basics” is just as important as patch management and threat hunting. For AD, where users and employees store credentials and PII, this is particularly salient. Even if you think AD is on its way out, take time to ensure your passwords and administrative accounts are safe.