Application Security

2/1/2018
05:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Poor Visibility, Weak Passwords Compromise Active Directory

Security experts highlight the biggest problems they see putting Microsoft Active Directory at risk.

Every company has different security challenges. One common hurdle is securing Active Directory, which remains a critical issue because it's used to store increasing amounts of data. Businesses face a major risk in granting access to too many people without knowing who is safe.

"Active Directory was put in decades ago, and many companies, especially large ones, have had it a long time," says Skyport Systems CEO Art Gilliland. "Most companies don't have a handle on what Active Directory looks like or how many people in the organization can administer it."

One of the biggest problems is a lack of visibility into the amount of people and systems with administrative rights, he continues. Admins, and sometimes systems, have access to keys and codes, and the ability to disable or enable controls as they wish.

Skyport researchers learned last year that many businesses overly expose AD admin credentials and consequently expose themselves to security breaches. More than 90% of organizations use AD to control policies for users and services, and they need to better secure their infrastructure. More than half let admins use the same account to configure AD and multiple other services.

Older programs make it tough to control security. "Bad guys use legacy programs to gain access and elevate privileges, and that's when the real damage and breaches begin," Gilliland says. Attackers rarely target Active Directory first; they look for other ways to get in, then access the AD system.

"It's usually a vulnerability in some application," he adds. "It typically starts simply, with a vulnerability that's probably known and the company just hasn't patched it."

Cracking Down on Attackers
"Once you've elevated privileges, it's impossible to see bad stuff is happening," Gilliland says of visibility. "You can't tell someone has the keys to the kingdom and is running amok."

There are two types of attackers, he explains. Some spread mass phishing attacks to see what level of access they get, then figure out if there's anything of value. Others use more targeted attacks attempting to gain access to specific information — for example, healthcare data.

If you've been breached in any way, most breach response companies will lock down and assess Active Directory because, as Gilliland puts it, "the attacker has almost always done something in AD." The next step is to turn off attackers' access, but finding them is tough, especially if your business has a big AD deployment.

Sometimes the only way to handle an Active Directory breach is to rebuild AD from scratch. If you have evidence that outside attackers have found their way in and created 10,000 accounts in a 50,000-person company, it will be almost impossible to get rid of them without starting over.

"The marketplace makes it very difficult to know who's attacking you until after they've stolen something and after the damage is done," he says. It doesn't help that adversaries are becoming smarter and using more-sophisticated tools than they were five years ago. Attackers are a profit center; IT departments have a strict budget that limits their actions.

The Vulnerability of Passwords
"The Active Directory password is probably the most valuable one," says Amit Rahav, VP of marketing and business development at Secret Double Octopus. "We've been told to create long and complicated passwords, we've been told to change them frequently, and we end up using more and more passwords to get our jobs done."

Passwords are the most common authentication factor but also the most frequently abused, and they're a prime target for attackers seeking Active Directory access. With so much sensitive data in one place, AD authentication is a "single point of failure." The most common way for attackers to obtain passwords is through social engineering or phishing attacks.

But sometimes those aren't even necessary. Rahav points out that some passwords are encrypted, but often they're weak; for example, a birth date or dog's name. Open source tools are available to break those types of passwords, he explains. Sometimes employees store passwords in iPhone notes, Android notes, or Google+ pages, where they're easily found.

Rahav emphasizes the need for stronger protection. "It's time to move into stronger and user-friendly authentication factors … move from passwords into phones, biometrics, and things of that nature." Microsoft offers Windows Hello, which authenticates using facial recognition but requires new hardware.

Rahav anticipates biometrics will continue to grow for Active Directory authentication and within the enterprise, especially as more people use it for personal devices. "A few years ago, nobody knew what biometrics was; now before breakfast we use it two or three times."

How to Be Proactive about AD Security  
Once malicious actors are inside, it's hard to detect them, whether they're external attackers or rogue employees. Often Active Directory is threatened by internal users who have been granted privileges they shouldn't have. You need to know who has access and how to restrict it.

A straightforward step for businesses to take is securing the access workstation, says Gilliland. "The first thing you should do is make sure you can only access Active Directory from a system that's specifically designed to administer Active Directory and nothing else," he says. "That will eliminate a lot of pain."

From there, you should monitor the actual domain controllers. It's complicated, says Gilliland, but provides visibility into what's happening and helps avoid malicious activity. Businesses should also modernize the way that they delegate access to who has permission to change rules.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
2/3/2018 | 3:08:56 PM
AD's inherent limitations
Active Directory is powerful; and something like it is necessary with enterprise networks.  However, I think Microsoft locked themselves into the wrong data topology (and the wrong mindset).  AD was (and I assume still is), hierarchical, rather than relational. 

While performance advantages are important, you lose the built-in safeguards of a Relational Model compliant schema. 

Perhaps more importantly is that application domain modeling methodologies used to generate RM schemas, provide better correspondence between the facts (objects and relationships - business rules), in the domain and the data structure.  The result is that the models are more comprehensible, in the terms used within those domains.  Because the business rules are integrated into the transactional processes of a RDBMS (rather than applied and processed externally), rule changes are reflected in an updated schema, and enforced by mechanisms of the transactions. 

Security and data integrity are inherently better with a transaction based system.  When domain specific (your enterprise network assets and rules, in this case), RM compliant schemas are generated by means of a fact-based methodology, the conceptual level model is created using the terms and rules actually used by your domain-experts/knowledge-workers -- rather than imposing someone's idea of how things should work, or shoehorning the specifics of your enterprise to fit a template.

Object Role Modeling (a fact-based methodology), results in a perspective of roles and rules, rather than types and labels.  This leads to thinking in terms of workflows and individuals, rather than job titles and groups, when it comes to permissions and restrictions.  Consider how that would impact network security concerns. 

I don't know if a solely RDBMS solution could meet the speed and scale performance levels of AD; probably not.  Still, a hybrid system could offer the benefits of each; and result in a better overall solution to enterprise network/asset management, efficiency and security.   
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: White Privelege Day
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17282
PUBLISHED: 2018-09-20
An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
CVE-2018-14592
PUBLISHED: 2018-09-20
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
CVE-2018-15832
PUBLISHED: 2018-09-20
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI ha...
CVE-2018-16282
PUBLISHED: 2018-09-20
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.
CVE-2018-16752
PUBLISHED: 2018-09-20
LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.