How to secure Active Directory

This key Microsoft application needs to be battened down.


Under attack

A report recently released by Microsoft shows the antivirus suite included in Windows 10 detected a 400 percent increase in the number of ransomware encounters from December 2015 to July 2016. Infections like these give attackers a foothold from which to reach one of the most important applications in an organization, Microsoft Active Directory. If it is breached, the blast radius can be devastating.

Active Directory manages access to nearly every piece of the IT infrastructure, from user access, corporate data and applications to computers, storage and the network. It is reported that 75 percent of all breaches involved the loss or theft of privileged credentials. Attackers can use stolen administrative access for weeks without detection, resulting in breach costs in the millions. Russell Rice, senior director of product management at Skyport Systems, offers some ways IT organizations can keep privileged credentials for Active Directory safe.


Assume breach

Studies find that 2 percent to 7 percent of workstations in an organization have malware at any given time. Assume you are already breached and that hosts inside your network can attack Active Directory directly, without ever passing through your perimeter defenses. Start from a position of "zero trust" and apply controls around AD that do not assume the network or neighboring systems are secure.


Only approve a few admins

Active Directory is one of the most important applications within an organization. Only a small number of users should be able to make domain-level changes. The fewer admins you have, the fewer admin systems you need to lock down and the fewer users you need to monitor.


Separate admin vs user accounts

Sysadmins should use a separate, unprivileged account for day-to-day activities (email, browsing, documents) and a privileged account only for AD administration. This greatly limits the risk that admin credentials will be exposed on insecure systems.


Whitelist admin workstations

Don't allow every host inside or outside your environment to have the rights to administer AD. Build and maintain a whitelist of admin workstations, and allow only those to use admin ports and protocols (such as RDP and remote PowerShell) to talk to domain controllers.


Use strong authentication

Passwords alone are too easy to compromise: attackers are sophisticated and have ready access to password-cracking tools. Use multifactor authentication for administrative access rather than reusable passwords to keep accounts more secure.
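The three points above (few admins, dedicated admin accounts, strong authentication for them) can be checked in one pass. The following audit script is an added example and is not from the article or from Skyport Systems. It assumes the ActiveDirectory RSAT module, a naming convention in which dedicated admin accounts end in "-adm", a threshold of five members per Tier-0 group, and smart card logon as the multifactor mechanism; all of these are this example's assumptions, not the article's.

```powershell
# Added example: audit Tier-0 group membership and admin-account hygiene.
# Assumptions (not from the article): RSAT ActiveDirectory module is installed,
# admin accounts end in "-adm", and smart card logon is the MFA control in use.
Import-Module ActiveDirectory

$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$adminSuffix = '-adm'   # assumed naming convention for dedicated admin accounts
$maxAdmins   = 5        # assumed threshold; tune to your organization
$staleDays   = 90       # admin accounts unused this long are candidates for removal

$findings = foreach ($group in $tier0Groups) {
    # -Recursive expands nested groups, so indirect paths into the group show up.
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties SmartcardLogonRequired, LastLogonDate, Enabled)

    # Only approve a few admins: flag groups that have grown past the threshold.
    if ($members.Count -gt $maxAdmins) {
        [pscustomobject]@{ Group = $group; Account = '(group)'
                           Issue = "$($members.Count) members exceeds threshold of $maxAdmins" }
    }

    foreach ($u in $members) {
        # Separate admin vs user accounts: a Tier-0 member that does not follow the
        # admin naming convention is probably someone's day-to-day account.
        if ($u.SamAccountName -notlike "*$adminSuffix") {
            [pscustomobject]@{ Group = $group; Account = $u.SamAccountName
                               Issue = 'Not a dedicated admin account (naming convention)' }
        }
        # Use strong authentication: the account can still log on with a reusable password.
        # Remediation (disruptive, the password hash is randomized): 
        #   Set-ADUser -Identity $u -SmartcardLogonRequired $true
        if (-not $u.SmartcardLogonRequired) {
            [pscustomobject]@{ Group = $group; Account = $u.SamAccountName
                               Issue = 'Smart card logon not required' }
        }
        # Stale but enabled admin accounts are attack surface with no benefit.
        if ($u.Enabled -and $u.LastLogonDate -and
            $u.LastLogonDate -lt (Get-Date).AddDays(-$staleDays)) {
            [pscustomobject]@{ Group = $group; Account = $u.SamAccountName
                               Issue = "No logon in $staleDays days; remove from group" }
        }
    }
}

$findings | Sort-Object Group, Account | Format-Table -AutoSize
```

Run it from an admin workstation with an account that can read group membership. The remediation line is left as a comment deliberately: setting SmartcardLogonRequired replaces the account's password hash with a random value, so coordinate it with the admin concerned rather than applying it in bulk from an audit script.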


Use a SAW

Active Directory is only as secure as the environment it is administered from. Organizations must protect administrative workstations to prevent credential theft and misuse and ensure they are free of malware. AD admins can use virtual or physical Secure Administrative Workstations (SAWs) that are locked down and free of infection.


Block internet access (for admins)

Admin workstations should be able to talk only to trusted systems inside and outside the network. Domain controllers should be locked down even more strictly, ideally with no internet access at all.
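The whitelisting advice earlier (admin ports only from approved admin workstations) and the no-internet rule for domain controllers above both come down to host firewall policy on the DC. The script below is an added example, not the article's or Skyport's, using the built-in NetSecurity cmdlets. The admin workstation subnet, the internal address range and the choice of RDP and WinRM as the admin ports are this example's assumptions.

```powershell
# Added example: on a domain controller, restrict admin management ports to the
# whitelisted admin workstations and remove outbound internet access.
# Assumptions (not from the article): admin workstations live in 10.0.50.0/28,
# internal space is 10.0.0.0/8, and RDP plus WinRM are the admin protocols.
$pawRange   = '10.0.50.0/28'   # assumed Secure Admin Workstation subnet
$internal   = '10.0.0.0/8'     # assumed internal address space
$adminPorts = @{ 'RDP' = '3389'; 'WinRM HTTP' = '5985'; 'WinRM HTTPS' = '5986' }

# 1. Default-deny inbound on every profile. The built-in "Active Directory
#    Domain Services" allow rules stay enabled, so Kerberos, LDAP, DNS and
#    SYSVOL still work for ordinary domain members.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable the stock any-source allow rules for the admin services. Windows
#    Firewall has no rule ordering: a block rule always beats an allow rule, so
#    the only way to scope access is to make the PAW-scoped rule the sole allow.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop', 'Windows Remote Management' `
    -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# 3. Whitelist: allow each admin port only from the admin workstation range.
foreach ($name in $adminPorts.Keys) {
    New-NetFirewallRule -DisplayName "AD-Admin: $name from PAWs" `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $adminPorts[$name] -RemoteAddress $pawRange -Profile Domain | Out-Null
}

# 4. Block internet access: default-deny outbound, allow only internal ranges.
#    Replication partners, DNS forwarders and clients are all inside $internal.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'AD-DC: outbound to internal only' `
    -Direction Outbound -Action Allow -RemoteAddress $internal -Profile Domain | Out-Null

# 5. Verify: every admin allow rule should list only the PAW range as its source.
Get-NetFirewallRule -DisplayName 'AD-Admin:*' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Source = ($addr -join ',') }
    } | Format-Table -AutoSize
```

Run this from a session that originates inside the whitelisted range, or the RDP or WinRM session you are using will be the first thing it cuts off. Step 4 also means patching and time sync must come from internal servers (WSUS, an internal NTP source), which is the normal arrangement for a DC with no internet access.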


Safeguard against AD attack tools

There are many tools today designed to break into AD and steal or spoof admin credentials, and many are freely available on GitHub. Be sure you know what these tools can do and have implemented measures to detect them and prevent them from harming you.
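One concrete detection for this class of tools, added here as an example and not taken from the article or Skyport Systems: credential-theft tools that pull password hashes out of AD do so by asking a domain controller to replicate directory data (the "DCSync" technique), and a DC logs that request as Security event 4662 with the replication control-access GUIDs in the Properties field. Only domain controllers and a few known sync services should ever make that request. The script assumes "Audit Directory Service Access" is enabled on the DCs (4662 is not written otherwise), that legitimate DCs appear as computer accounts ending in "$", and that an Azure AD Connect service account named MSOL_* exists; the last two are this example's assumptions.

```powershell
# Added example: hunt the DC Security log for directory replication requests
# (DCSync) made by accounts that are not domain controllers.
# Assumptions (not from the article): "Audit Directory Service Access" is on,
# and MSOL_* is the only non-DC principal allowed to replicate.
$replGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$allowedPrincipals = @('MSOL_*')   # assumed: Azure AD Connect sync account pattern
$since = (Get-Date).AddDays(-1)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } `
    -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Properties lists the access mask and the control-access GUIDs requested.
    $matched = @($replGuids.Keys | Where-Object { $data['Properties'] -match $_ })
    if ($matched.Count -eq 0) { continue }

    $subject = $data['SubjectUserName']
    if ($subject.EndsWith('$')) { continue }                                  # DC computer accounts
    if (@($allowedPrincipals | Where-Object { $subject -like $_ }).Count) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = "$($data['SubjectDomainName'])\$subject"
        Rights  = ($matched | ForEach-Object { $replGuids[$_] }) -join ', '
        Object  = $data['ObjectName']
    }
}

if ($hits) { $hits | Sort-Object Time | Format-Table -AutoSize }
else       { "No replication requests from non-DC accounts since $since." }
```

A user account appearing in this output is either a misconfigured sync service or an attacker who already holds replication rights, so treat every hit as an incident to triage rather than a tuning problem. Because the event only exists if the audit policy is on, confirm that first with a known-good query against the DC before relying on the script.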


Restore from a clean state

In the event of a compromise you need confidence that you can restart domain controllers quickly from a version that is known to be free of malware. For systems in remote locations that lack strong physical security safeguards, make sure you can also verify that the hardware itself has not been tampered with.


Build an isolated admin enclave

Key accounts and systems responsible for managing Active Directory production environments are the root target for attackers. Separate the systems and people responsible for any changes to Active Directory infrastructure from the rest of the production environment so that these systems and their privileged credentials are kept safe and protected.


Copyright © 2017 IDG Communications, Inc.
