In the first six parts of this blog series, we laid the foundation for beginning to work with and manage Active Directory (AD). With the groundwork out of the way, it is now time to explore the relationship between cybersecurity and AD.
Taking this series one step further, this blog provides an overview of which design considerations are important in securing your AD infrastructure against potential security breaches. Below we’ll explore the four W’s of any AD-based attack: the who, what, when, and where of a root cause analysis.
If you recognize the importance of monitoring your AD and ensuring its security, then this is the blog for you.
The design elements and configurations of AD that contribute to an organization’s security posture
Every aspect of an AD environment is susceptible to security risk. The risk of exposure to attackers is maximum under the following three scenarios:
-
When the configuration of an AD environment is erroneous.
-
When Group Policies have been incorrectly applied.
-
When AD domain-connected endpoints are mismanaged.
Harden your AD security by focusing on the three problem areas highlighted above.
In the previous six parts of this blog series, we have studied various aspects of AD from a theoretical standpoint. However, now we can look at the very same list of topics and discuss them further from a security standpoint. Risks associated with each of the above three scenarios will come into play in our discussion below:
-
Integration of AD with the Domain Name System (DNS)
-
Users and computers in AD
-
AD Groups and OUs
-
AD replication
- FSMO roles in AD
Integration of AD with the Domain Name System (DNS)
The dependency of AD services on DNS is unavoidable. While DNS is crucial for any inter-connected network, your AD setup will cease to function if it has a faulty integration with DNS.
You will need to consider the following aspects to ensure security hardening of the AD attack surface:
- Monitor the DNS infrastructure and DNS protocol to ensure built-in security through measures like DNS Security Extensions (DNSSEC), DNS encryption, and DNS firewalls.
- Periodically audit the AD-DNS zone files and their associated resource records.
- Carefully configure zone transfer requests. Make sure to closely monitor and periodically audit the zone transfer access control lists (ACLs).
- Implement secure LDAP. This will guarantee that the LDAP data is encrypted during the LDAP authentication bind process whenever a user or client communicates with the directory service.
AD Users and Computers
If you’re not already doing so, begin using an AD monitoring system to help you stay up-to-date on all AD activity in your ecosystem. Automatic tracking and monitoring through a well-designed log monitoring system is crucial.
While understanding the management of AD users and computers is important, you will have to apply this knowledge to secure the AD infrastructure.
Microsoft recommends making a robust audit policy an integral part of AD management, which includes auditing, alerting and reporting of AD activity.
-
You will need to schedule alerts and customize reports for logon events, including user accounts and computer accounts authenticated on any AD domain.
-
Schedule and conduct user account management audits to monitor events of user creation and user modification, such as renaming, password updating, or changing the account status (e.g. enabled or disabled, or whether the account is locked), as well as user deletion.
-
Both built-in and custom privileged user accounts, if compromised, have the most detrimental impact from an AD attack. Thus, you have to monitor privileged accounts for events relating to account lockout, logon failure, or unusual logon and logoff.
You will also need to conduct computer account management audits to monitor events of computer account creation, modification, and deletion.
AD Groups and OUs
As with users and computers, you will have to manage and audit reports on groups and OUs to ensure that any misconfigurations are corrected and any unusual event logs from these AD objects are addressed immediately.
Consider the following points:
-
AD group management reports should be set up and monitored for creation, modification, and deletion of both security and distribution groups.
-
Similar to built-in and custom privileged users, monitor user activities in privileged and sensitive AD groups.
-
You will need to closely study both the physical and logical layers of your AD architectural model. Examine AD group design to understand how well nesting is achieved, and set up alerts for changes to GPOs and group membership. Any activity that deviates from the standard should alert you.
-
Security ACLs provide security that’s built into the design of AD groups and how Group Policy settings are applied to AD objects. You should monitor these ACLs as a mandatory process of safeguarding your AD.
-
Monitor any changes to group policy, user privileges, access permissions, and user rights, especially in cases of user groups with high privileged access. Continually work towards establishing an environment of least privilege.
-
Ensure and audit role-based delegation to maintain granular control over which permissions and privileges are granted to users who are part of sensitive groups, such as domain administrators.
AD replication
The AD replication model is designed with utmost consideration to three core components. The first being the source domain controller (DC), which authorizes any change request on an AD site. The second is all the other replication partners, and third, the designated bridgehead servers within every site. These three components are deemed crucial for designing your AD setup and placed in the forefront to make replication error-free.
The configuration and design of your AD environment’s replication topology plays a big role in ensuring AD security in a resilient AD infrastructure. To ensure this, you will have to look into the following areas:
-
Segregate and safeguard your DCs, including both physical and virtual servers.
-
Ensure that your DCs run on the latest operating system versions for up-to-date functionalities and security patches.
-
Restrict the availability of internet access and web browsing capabilities on DCs to provide another layer of implicit and built-in security against external attack vectors.
-
Carefully conduct auditing and monitoring of DC group memberships to monitor domain administrators in particular, as well as any unusual membership modifications to accounts with escalated privileges.
-
Consider the essential role that endpoint management of domain-connected network resources plays in securing AD replication. Your role is to maintain a security and compliance checklist that is focused on real-time risk assessment and takes into account the entirety of AD logs.
FSMO roles in AD
Establishing a baseline of all activity in your AD environment can help you detect any deviations or anomalous behavior. This is particularly necessary for FSMO roles due to their privileged access.
In this regard, you should monitor for any unwarranted FSMO role transfers, unexpected changes to the AD scheme, account lockout instances, hyper-active accounts, high percentage of logon failures, and other unusual activities.
Pay attention to the following design considerations concerning FSMO roles:
-
Closely monitor and continuously audit any events pertaining to the transfer of FSMO roles between DCs in any AD domain.
-
Record logs of when FSMO roles have been seized due to inoperative or dead DCs.
-
Set up alerts for when DCs are demoted or if DCs experience failure or shut down.
-
Study any changes made to the AD schema.
-
Establish alerts for rules and policies on a real-time AD monitoring and auditing console to track and analyze your overall AD security posture.
-
Consider integrating your AD log collection with a SIEM solution to forward the AD logs to make your monitoring more comprehensive.
You now know what to look into when you begin monitoring your AD service to ensure maximum security by design.
With these concepts in mind, in the next part of this blog series, we will look at exposing some of AD’s most crucial security vulnerabilities through use-cases and some common AD attacks.
The ultimate aim for all AD administrators should be to achieve cyber-resilience and an unassailable active directory environment. The real challenge is to achieve this despite AD’s dynamic nature and, let’s not to forget, the sophisticated attacker mindset of today’s cybercriminals.