There are hundreds, if not thousands, of possible settings related to Active Directory, including group membership, user rights, access control lists (ACLs), delegations, and so many more. With all of these settings, there are always some settings missed or misconfigured. Here are three security-related settings that I have found most Active Directory environments fail to have set up correctly.
Enterprise Admins group: For most Active Directory installations and corporations, the Enterprise Admins group should be empty. It should be empty because the group's capabilities are rarely needed, yet any user placed in it exposes that account to attacks and to dangerous use of the group
There is nothing scarier to an Active Directory administrator than the thought of someone attacking the domain controllers. The majority of attacks originate from within the internal network, from existing domain users. If the attacker does not already hold elevated credentials, the attacker's goal is to obtain them, and the typical method is to guess the passwords of existing users.
When an attacker tries to guess the password of another user, there will inevitably be failures – at least, we hope so! A high, repetitive number of failed logons for a single account can indicate a potential attack. The key is finding these failed logons before the attacker is successful, so you can neg…
Well, I know I have been saying it for years, talking about it like it was one of the most important aspects of your computer, and emphasizing it as one of the top five most important security configurations for corporations and users.
With so many companies being attacked, compromised, and making front-page news, I hope that now you get the picture! The passwords for your Active Directory, your bank, Amazon, LinkedIn, and other sensitive accounts are key to your career, personal protection, and economic stability.
Now, all I can say is, “I told you so!” Just like your mom said to you regarding washing behind your ears, wearing clean underwear, and not cursing in public.
It only makes sense, does it not…
Every Active Directory installation has one common issue. Every installation has one or more users that were created for a project, a new employee, a returning employee, and the like, but the user account was never used. These accounts should be cleaned up, as they pose a threat to the overall security of the environment.
I know, “pose an overall threat to the environment” seems a bit severe. However, I truly believe this, and these are the reasons why:
- Most organizations use the same password for new user accounts, knowing the user will be forced to change the password on next logon. However, if the user account was never used, it could be used as an attack account at any time.
- Most organizations place new user acco
Before getting into the specifics, I would like to give a short introduction to tracking logon and logoff activity in an Active Directory environment, which is a cumbersome process.
Auditing the Windows Active Directory environment
With the current Windows architecture, it is difficult to get all logon data at a single point. In an AD environment, a Domain Controller (DC) is the machine that performs the actual authentication. When multiple DCs in a setup handle authentication, the logon data (note: only the logon data) is spread across different computers (that is, the DCs). So, to build a clear picture of logon activity, collecting all of this data is essential. Another pain point here is …