Secure Active Directory Management. Part 1

Hello!

Today we are starting to translate the posts of one of our authors. Meet Brian Svidergol, author of Active Directory Cookbook. Brian specializes in IT infrastructure, including management of AD, Exchange, storage systems and so on. Brian generously padded the original text with general phrases, so we will try to highlight the essence.



The principle of least privilege

Wikipedia has a good article on the principle of least privilege. In a nutshell, following this principle means giving a user only those privileges that are strictly necessary to carry out their tasks.


Information Security Incidents

Different sources give very different figures for how critical insider threats are to IT security. I have seen reports saying that only 15% of intrusions are carried out from the corporate network, and others that put the figure at about 50%. But secure AD management is not about finding out where the attack comes from; whether the threat is internal or external matters little. What matters is that Active Directory is almost always the attacker's primary target. Having gained control of AD, an attacker can take over hundreds of different IT systems by escalating privileges through it. A few examples:

1) Microsoft Exchange. Active Directory administration and Exchange server management are often done by different IT staff, but Exchange privileges are granted through groups in AD.
If you control Active Directory, you can add yourself to the appropriate groups and gain full access to the organization's entire mail subsystem: for example, access to executives' mailboxes, the ability to copy confidential information, or the ability to act on behalf of a highly privileged administrator such as a DBA.

2) Microsoft Lync. The situation is similar to Exchange: role-based access, with privileges granted through AD groups. Add yourself to the appropriate groups and you can send messages on behalf of any user in the organization, redirect calls, cancel scheduled meetings and read message logs.

3) Shared folders. Most file resources, shared folders and the like are controlled by AD groups. Often the most confidential information sits in shared folders: salary data, employees' personal data, company founding documents. An attacker who has taken control of AD can use PowerShell to quickly reach any file share on the corporate network.

See how fast things get out of hand? Here are some tips to help reduce the risk by applying the principle of least privilege.

Helpdesk password resets. Helpdesk staff can reset the passwords of most users in Active Directory. If a helpdesk employee can reset the DBA's password, they can get into any database. In practice attackers always look for the easiest way to reach a resource, so they do not need to break into a domain administrator account: phishing a few support staff and taking over their accounts is all it takes.
We recommend making sure that support staff cannot reset passwords for privileged accounts. Such resets should involve security specialists, or a secure self-service password reset method should be used.
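The two halves of that recommendation, delegating resets narrowly and then checking who can actually reset privileged accounts, can both be done from PowerShell. The script below is an added example for this translation, not code from the original post or from Brian's article. It assumes the RSAT ActiveDirectory module, a helpdesk group named 'Helpdesk-Tier1' and an OU named 'Staff' holding ordinary users; all three names are assumptions. The two GUIDs are the well-known AD constants for the 'Reset Password' extended right and the 'user' schema class.

```powershell
# Added example, not code from the original post or from Brian's article.
# Assumptions: RSAT ActiveDirectory module is installed; a helpdesk group named
# 'Helpdesk-Tier1' exists; ordinary users live under an OU named 'Staff'.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$staffOu  = "OU=Staff,$($domain.DistinguishedName)"     # assumed OU name
$helpdesk = Get-ADGroup -Identity 'Helpdesk-Tier1'      # assumed group name
# Extended right 'Reset Password' (User-Force-Change-Password) and the schema
# GUID of the 'user' class; both are well-known AD constants.
$resetPwdGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# 1) Grant the reset right on the Staff OU only, inherited by user objects
#    below it. Granting it at the domain root would also cover admin OUs.
$ouAcl = Get-Acl -Path "AD:\$staffOu"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$ouAcl.AddAccessRule($ace)
Set-Acl -Path "AD:\$staffOu" -AclObject $ouAcl

# 2) Verify that nobody outside the built-in admin principals can reset the
#    password of any member of a privileged group (nested members included).
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Backup Operators'
$privUsers = $privGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object -Property distinguishedName -Unique

$nb = $domain.NetBIOSName
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           "$nb\Domain Admins", "$nb\Enterprise Admins"

$findings = foreach ($u in $privUsers) {
    $acl = Get-Acl -Path "AD:\$($u.distinguishedName)"
    foreach ($rule in $acl.Access) {
        # A matching ACE either names the reset right explicitly or grants all
        # extended rights (empty ObjectType); GenericAll also sets the bit.
        $isReset = ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                   ($rule.ObjectType -eq $resetPwdGuid -or $rule.ObjectType -eq [Guid]::Empty)
        if ($rule.AccessControlType -eq 'Allow' -and $isReset -and
            $trusted -notcontains $rule.IdentityReference.Value) {
            [pscustomobject]@{
                PrivilegedAccount = $u.SamAccountName
                CanResetPassword  = $rule.IdentityReference.Value
                Inherited         = $rule.IsInherited
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Two caveats when reading the output. Members of the built-in protected groups have their ACL overwritten from the AdminSDHolder object by the SDProp process (hourly by default), so a helpdesk ACE that keeps reappearing on such an account means AdminSDHolder itself has been modified and needs to be cleaned up, not just the account. And the check looks only at direct and inherited ACEs on the user objects; the right to add members to a privileged group, or to write to AdminSDHolder, is an equivalent path to the same outcome and should be audited the same way.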

A separate account for administrative work. Delegating administrative authority to a second, dedicated account reduces the risks associated with phishing, browser vulnerabilities and malware: the administrator reads mail, browses the web and so on under an account that has no elevated privileges, and uses the privileged account only for administrative tasks.

Service accounts in the Domain Admins group. You have probably often faced the situation where some software needs a service that must run under a service account, and that account "must", of course, be a member of Domain Admins. The first sensible step is to request official documentation from the software vendor; it may describe the minimum privileges the service actually needs to install and run. If there is no such information, turn to the relevant forums: you are probably not the first to install and configure the product, and a solution may already have been found. In any case, regularly changing service-account passwords is considered good practice. You can automate this process, and we offer a free tool for it, Netwrix Privileged Account Manager.
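Before arguing with a vendor you need to know which Domain Admins are really service accounts and how old their passwords are. The script below is an added example for this translation, not code from the original post or from Brian's article. It assumes the RSAT ActiveDirectory module, a 90-day rotation interval and a 'svc'/'srv'/'service' naming prefix; all three are assumptions.

```powershell
# Added example, not code from the original post or from Brian's article.
# Assumptions: RSAT ActiveDirectory module is installed; 90 days is an assumed
# rotation interval; 'svc'/'srv'/'service' is an assumed naming convention.
Import-Module ActiveDirectory

$maxPasswordAgeDays = 90

# Resolve every user that ends up in Domain Admins, including via nested groups.
$props   = 'servicePrincipalName', 'PasswordNeverExpires', 'PasswordLastSet', 'LastLogonDate'
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties $props }

$report = foreach ($m in $members) {
    # An SPN means the account is a Kerberos service identity: any domain user
    # can request a ticket for it and attack the password offline, so a
    # Domain Admin with an SPN and an old password is a prime target.
    $hasSpn = @($m.servicePrincipalName).Count -gt 0
    $looksLikeService = $hasSpn -or $m.PasswordNeverExpires -or
                        $m.SamAccountName -match '^(svc|srv|service)[_\-.]'
    $pwdAgeDays = if ($m.PasswordLastSet) {
        [int](New-TimeSpan -Start $m.PasswordLastSet -End (Get-Date)).TotalDays
    } else { $null }   # never set or must change at next logon

    [pscustomobject]@{
        Account              = $m.SamAccountName
        Enabled              = $m.Enabled
        HasSPN               = $hasSpn
        PasswordNeverExpires = $m.PasswordNeverExpires
        PasswordAgeDays      = $pwdAgeDays
        PasswordStale        = ($null -eq $pwdAgeDays) -or ($pwdAgeDays -gt $maxPasswordAgeDays)
        LooksLikeService     = $looksLikeService
    }
}

# Service-like accounts first, oldest password on top: these are the candidates
# to move out of Domain Admins or to put on an automated rotation schedule.
$report | Where-Object LooksLikeService |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table Account, Enabled, HasSPN, PasswordNeverExpires, PasswordAgeDays, PasswordStale -AutoSize
```

Run it from a workstation with RSAT under an account that can read the directory; no write access is needed. Every row that is both service-like and stale is a conversation with the vendor about the minimum rights the service really needs, and until the account leaves Domain Admins its password should at least be rotated.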

Original text
_____

PS In general, all of the above (password resets for privileged accounts, actions performed using a secondary account, and attempts to escalate privileges) can easily be tracked with change-auditing software. This not only protects the infrastructure and data, but also partially reduces the load on administrators and the helpdesk. For an example of the kinds of reports, how they are built and what they contain, see Netwrix Auditor; a trial version and an online test drive are available.
