What is Active Directory?
Active Directory (AD) is a directory service introduced by Microsoft in 2000 with Windows 2000 Server. It catalogues the objects that make up the network (users, and resources such as servers, shared folders and printers) together with the rights attached to them; it holds, for example, the identification information used to authenticate users. Because AD is the nerve centre of a company's information system, it is a prime target for attackers: in every cybersecurity audit carried out by PwC's Cyber teams in 2021, security weaknesses relating to the AD were identified. The complexity of the system means that attacks are numerous, difficult to detect quickly, and persistent. It is therefore essential to define an Active Directory security management policy as soon as AD is deployed, and to monitor it closely, because a compromised AD can have disastrous and long-lasting consequences for your organisation.
How can you guard against the main risks associated with AD?
1- Adopt a sound password management policy
According to IBM's latest study, the Cost of a Data Breach Report 2021, 20% of security breaches are caused by compromised credentials, which include passwords. IBM estimates that it takes 341 days on average to identify and contain a breach that starts from this initial vector (compared with an average of 287 days for all vectors combined): this type of compromise takes longer, and costs more, to identify and remedy. By compromising a single account that holds administrator rights, an attacker can access machines in the domain and carry out malicious actions for long enough to compromise the AD before being detected. Implementing a password management policy is therefore essential to limit this risk in an AD environment. ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information, the French National Agency for Information Systems Security) has issued recommendations on password security, covering length, complexity, expiry and robustness.
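A policy on paper is only useful if the directory actually enforces it. The following PowerShell script, added here as an illustration and not part of the PwC article, audits the default domain password policy, lists any fine-grained policies that may weaken it, and finds enabled accounts that escape it (password never expires, password not required, reversible encryption, or stale passwords). It assumes the ActiveDirectory RSAT module and read access to the domain; the numeric thresholds are assumptions for the example, not ANSSI values.

```powershell
# Added example: audit the AD password policy and find accounts that bypass it.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$MinLength  = 12    # assumed floor for this illustration
$MaxAgeDays = 90    # assumed ceiling for this illustration

# 1. Default domain policy (applies to every account unless a fine-grained policy overrides it)
$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()
if ($policy.MinPasswordLength -lt $MinLength) {
    $findings += "MinPasswordLength is $($policy.MinPasswordLength), below $MinLength"
}
if (-not $policy.ComplexityEnabled) {
    $findings += "Password complexity is disabled"
}
if ($policy.ReversibleEncryptionEnabled) {
    $findings += "Reversible encryption is enabled domain-wide (passwords are stored recoverable)"
}
# A zero or an enormous MaxPasswordAge both mean 'never expires'
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $policy.MaxPasswordAge.TotalDays -gt $MaxAgeDays) {
    $findings += "MaxPasswordAge is $($policy.MaxPasswordAge), above $MaxAgeDays days"
}
if ($policy.LockoutThreshold -eq 0) {
    $findings += "Account lockout is disabled (no limit on online guessing)"
}
Write-Host "Default domain policy findings:"
$findings | ForEach-Object { Write-Host "  - $_" }

# 2. Fine-grained password policies (PSOs): lower precedence wins, and a PSO can be
#    weaker than the default policy, so each one must be reviewed on its own.
Write-Host "`nFine-grained password policies:"
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo |
    Format-Table -AutoSize

# 3. Enabled accounts that escape the policy entirely or hold a stale password.
#    AdminCount=1 marks accounts protected by AdminSDHolder, i.e. current or former privileged accounts.
$props = 'PasswordNeverExpires', 'PasswordNotRequired', 'AllowReversiblePasswordEncryption',
         'PasswordLastSet', 'AdminCount'
$staleBefore = (Get-Date).AddDays(-$MaxAgeDays)
Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
    Where-Object {
        $_.PasswordNeverExpires -or $_.PasswordNotRequired -or
        $_.AllowReversiblePasswordEncryption -or ($_.PasswordLastSet -lt $staleBefore)
    } |
    Select-Object SamAccountName, AdminCount, PasswordNeverExpires, PasswordNotRequired,
                  AllowReversiblePasswordEncryption, PasswordLastSet |
    Sort-Object AdminCount -Descending |
    Format-Table -AutoSize
```

Accounts returned by step 3 with AdminCount set to 1 deserve immediate attention: a privileged account whose password never expires, or that does not require one, is exactly the single foothold described above. Service accounts are a frequent source of such exceptions and should be moved to group managed service accounts or a dedicated fine-grained policy rather than left outside the rules.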
2- Be rigorous about updates
An Active Directory environment is built from machines such as application servers and domain controllers (DCs), whose compromise could be disastrous for the organisation. Software vulnerabilities in them are regularly discovered and corrected. Because the publication of a patch tells attackers exactly which vulnerabilities to study, and working exploits generally appear within a few days, it is vital to deploy updates quickly. So deploy the patches made available by Microsoft as soon as possible after they are published, and make the domain controllers the first servers in your IS to be updated.
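A quick way to verify that the domain controllers really are being patched first is to ask each of them for its most recently installed update. The script below is an added illustration, not part of the PwC article; it assumes the ActiveDirectory RSAT module and RPC/WMI access to the DCs, and the 30-day threshold is an assumption for the example.

```powershell
# Added example: report the most recent update installed on each domain controller
# and flag those whose last update is older than a threshold.
Import-Module ActiveDirectory

$MaxPatchAgeDays = 30   # assumed threshold for this illustration

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Get-HotFix queries Win32_QuickFixEngineering over RPC/WMI on the remote host
        $latest = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                  Where-Object { $_.InstalledOn } |
                  Sort-Object InstalledOn -Descending |
                  Select-Object -First 1
        $ageDays = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
        [pscustomobject]@{
            DC          = $dc.HostName
            OS          = $dc.OperatingSystem
            LastHotFix  = $latest.HotFixID
            InstalledOn = $latest.InstalledOn
            AgeDays     = $ageDays
            Stale       = ($null -eq $ageDays) -or ($ageDays -gt $MaxPatchAgeDays)
        }
    }
    catch {
        # Unreachable DCs are reported as stale rather than silently skipped
        [pscustomobject]@{
            DC = $dc.HostName; OS = $dc.OperatingSystem; LastHotFix = $null
            InstalledOn = $null; AgeDays = $null; Stale = $true
        }
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

$report | Sort-Object Stale -Descending, AgeDays -Descending | Format-Table -AutoSize
```

Win32_QuickFixEngineering only lists updates installed through the Windows servicing stack, so treat this as a sanity check against your WSUS or configuration-management compliance reports, not as a replacement for them. A DC that appears stale here but is reported compliant elsewhere should be investigated, not assumed fine.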
3- Implement the Tier-Model
Microsoft has introduced a delegation model called the Tier-Model or Tiering Model, which aims to improve the security of the AD. In short, this model secures your Active Directory by separating it into layers, with each layer (called Tier 0, Tier 1 and Tier 2) granted access to specific machines and the rights that go with them. By distinguishing three types of machine (domain controllers in Tier 0, application servers in Tier 1 and workstations in Tier 2), and by associating dedicated accounts and a dedicated administration infrastructure with each type, we create a separation that limits how far a compromise can spread. For example, the Tier-Model prevents a domain administrator (the most privileged role) from leaving authentication secrets (password hashes, Kerberos tickets) in memory on a less privileged server or on a workstation exposed to external threats, where an attacker who has compromised that machine could harvest them.
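What the tier separation looks like in practice is a set of dedicated OUs and admin groups, hardening of the Tier 0 accounts themselves, and logon restrictions that stop Tier 0 credentials from ever reaching Tier 1 or Tier 2 machines. The script below is an added illustration of that skeleton, not Microsoft's or PwC's own tooling; the OU and group names are assumptions, it assumes the ActiveDirectory RSAT module and Domain Admins rights, and the "Protected Users" group requires a 2012 R2 or later domain controller as PDC emulator.

```powershell
# Added example: skeleton of a tiered administration layout for an AD domain.
# OU/group names are assumptions for this illustration.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$tiers    = 'Tier0', 'Tier1', 'Tier2'

# 1. One OU and one admin group per tier. Admin accounts live only in their tier's OU,
#    so that GPOs and delegation can be scoped per tier.
New-ADOrganizationalUnit -Name 'Admin' -Path $domainDN -ErrorAction SilentlyContinue
foreach ($t in $tiers) {
    New-ADOrganizationalUnit -Name $t -Path "OU=Admin,$domainDN" -ErrorAction SilentlyContinue
    New-ADGroup -Name "$t-Admins" -GroupScope Global -GroupCategory Security `
                -Path "OU=$t,OU=Admin,$domainDN" -ErrorAction SilentlyContinue
}

# 2. Harden every Tier 0 admin account: mark it "sensitive and cannot be delegated"
#    and add it to Protected Users (no NTLM, no RC4/DES, no delegation, no cached credentials).
#    Keep at least one break-glass account OUT of Protected Users and test before rolling out widely.
Get-ADGroupMember -Identity 'Tier0-Admins' |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADUser -Identity $_ -AccountNotDelegated $true
        Add-ADGroupMember -Identity 'Protected Users' -Members $_
    }

# 3. Deny Tier 0 accounts every logon type on Tier 1 and Tier 2 machines.
#    Shown here as a secedit template; in production the same "Deny log on ..." user rights
#    are set in a GPO linked to the Tier 1 and Tier 2 computer OUs. The same pattern
#    (a Tier1-Admins deny template applied to Tier 2 workstations) keeps Tier 1 off Tier 2.
$tier0Sid = (Get-ADGroup -Identity 'Tier0-Admins').SID.Value
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$tier0Sid
SeDenyRemoteInteractiveLogonRight = *$tier0Sid
SeDenyBatchLogonRight = *$tier0Sid
SeDenyServiceLogonRight = *$tier0Sid
SeDenyNetworkLogonRight = *$tier0Sid
"@
$infPath = Join-Path $env:TEMP 'DenyTier0.inf'
Set-Content -Path $infPath -Value $inf -Encoding Unicode   # secedit expects a Unicode INF

# Apply on a Tier 1 or Tier 2 member server (run locally, elevated):
# secedit /configure /db "$env:TEMP\DenyTier0.sdb" /cfg "$infPath" /areas USER_RIGHTS
```

Step 3 is the part that actually delivers the promise in the paragraph above: once Tier 0 accounts cannot log on to lower-tier machines at all, a Tier 0 administrator who is phished on a workstation has nothing there for the attacker to steal. Apply the deny rights to a pilot OU first, because an over-broad deny (for instance denying network logon to a group that also contains service accounts) will break legitimate access.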
4- Educate and train your users
By implementing the Tier-Model within your infrastructure, you protect yourself against major risks. However, it is essential that users understand it properly, because it changes the way they work and has a major impact on system security. The human factor plays a central role in every cyber incident, whatever its form or scope. While the Tier-Model may seem simple on the surface, it is vital that privileged users are trained and understand the responsibilities that come with their status as administrators. For example, administrators with Tier 0 privileges (the domain controllers and critical servers layer) need to be extremely well versed in security issues, as they access the most critical layer of the AD.
5- Audit continuously
As we said earlier, the main vulnerability comes from the human factor, and the initial compromise can be slow and difficult to identify. It is therefore essential to monitor changes made to the overall configuration of the AD and to certain sensitive objects (privileged groups, the AdminSDHolder object, the domain controllers themselves), in order to identify as quickly as possible any form of attack or any configuration error that lowers the level of protection. You are also strongly advised to use the logs generated by Active Directory, in particular the Security event log of the domain controllers, as a source of alerts in your detection system.
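One concrete feed for such alerts is the Security event log of the domain controllers: every addition to a security group is recorded there, and an addition to a privileged group is one of the clearest signs of an attacker consolidating access, or of an administrator making a mistake. The script below, added here as an illustration and not part of the PwC article, collects those events from every DC over a look-back window and filters them to a list of sensitive groups. It assumes the ActiveDirectory RSAT module, remote event-log access to the DCs, and that the "Security Group Management" audit subcategory is enabled on them; the group list and the 24-hour window are assumptions.

```powershell
# Added example: detect additions to privileged AD groups from the DCs' Security logs.
# Prerequisite on each DC (or via GPO):  auditpol /set /subcategory:"Security Group Management" /success:enable
Import-Module ActiveDirectory

# Group names are assumptions for this illustration; extend with your own Tier 0 groups.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Tier0-Admins'
$Since = (Get-Date).AddHours(-24)

# Event IDs: 4728 = member added to a global group, 4732 = local/domain-local group,
# 4756 = universal group. The event is written only on the DC that processed the change,
# so every DC must be queried, not just the PDC emulator.
$alerts = foreach ($dc in Get-ADDomainController -Filter *) {
    $events = Get-WinEvent -ComputerName $dc.HostName `
                           -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The structured fields live in the event XML as <Data Name="...">value</Data>
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

        if ($PrivilegedGroups -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = $e.Id
                DC      = $dc.HostName
                Group   = $data['TargetUserName']
                Member  = $data['MemberName']     # distinguished name of the added principal
                AddedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

if ($alerts) {
    $alerts | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No privileged group additions since $Since"
}
```

In a real detection pipeline the same logic runs on the SIEM that receives the forwarded DC logs, and the alert should page someone rather than print a table. Pair it with a periodic comparison of the full membership of these groups against an approved baseline, because an attacker who can also clear or disable auditing will not leave the event behind.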
6- Be prepared (and humble) in the event of an attack
Despite all your diligence and security measures, it is not impossible that you will fall victim to one or more attacks. No system can claim to be 100% secure, and the adage "prevention is better than cure" is more relevant than ever when it comes to (cyber)security. According to ANSSI (Panorama de la menace informatique 2021), the number of proven intrusions rose by 37% in 2021. In this context, it is essential to plan for this eventuality by preparing a Disaster Recovery Plan or Business Continuity Plan, and, for the AD specifically, by keeping tested offline backups of the domain controllers so that the forest can be rebuilt if it is compromised.