Active Directory has been around for a long time, and malicious actors have discovered and exploited vulnerabilities in the system throughout time. In addition to exploiting vulnerabilities, hackers can now simply steal or get user credentials, giving them access to your data. If they can acquire access to your computer or login, they may be able to gain full control of Active Directory and take over your network. Active Directory is the centralized system that authenticates and permits network access in many of the companies.
It is crucial to establish, communicate and enforce the following best practices around AD to secure your organization:
1-Secure the Domain Administrator account:
- Every domain has an Administrator account, which is a member of the Domain Admins group by default. Only utilize the built-in Administrator account for domain setup and disaster recovery (restoring Active Directory).
- All who need administrative access to servers or Active Directory should use their account. No one should know the Domain Administrator account password. Create a password with at least 20 characters and save it in a vault. Again the only time this is needed is for recovery purposes.
- The following are some suggestions for securing the built-in Administrator Account:
- Enabling the Account is a private function that cannot be delegated.
- For interactive logon, you must enable the smart card.
- Deny access to this computer from the network
- Deny log on as a batch job
- Deny log on as a service
- Deny log on through RDP
Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes
2-Use at least two accounts (normal and administrator):
- You shouldn’t log in every day using a local admin account or one with privileged access (Domain Admin).
- Create two accounts instead: an ordinary account with no admin privileges and a privileged account for administrative purposes exclusively.
- At the very least, do not add your secondary account to the Domain Admins group.
- Instead, choose the administrative model with the fewest privileges. To summarise, all users should log on with an account that has the minimum necessary access to perform their tasks.
- For day-to-day operations like checking email, accessing the internet, and using the ticket system, you should use a standard non-administrator account. You’d only use the privileged account for administrative operations like creating a user in Active Directory, login into a server, setting up a DNS record, and so on.
3-Disable the local Administrator account on all computers:
- In Domain environments, the local administrator account is a well-known account that isn’t required. The problem with the local admin account is that it is a well-known account; even if you rename it, the SID remains the same, and attackers are aware of it.
- On most computers in a domain, it’s set up using the same password. You should use a separate account with the relevant permissions to complete tasks.
- If you need to execute administrative actions on the computer (install software, remove files, etc. ), use your personal account rather than the local admin account.
- You can boot into safe mode and use the local administrator account even if the account is disabled.
Also Read: Types of SPLUNK Deployments and Configuration
4-LDAPS (Local Administrator Password Solution):
- The local administrator account is a well-known account used by attackers to get access to your machines.
- Companies frequently employ imaged computers, which means that the admin password is the same on all of them.
- Setting a random password for the local administrator account on each computer using LAPS can help alleviate this issue.
5-Using a Secure Admin Workstation (SAW) is a good idea.
- A specialized system for performing administrative activities with your privileged account is known as a secure admin workstation.
- For administrative activities, use a secure workstation (SAW, PAW, Jump Server).
- For tasks that do not necessitate privileged rights, use your local computer.
- The SAW machine should be locked down with limited access, and if possible, MFA should be implemented.
- A SAW can assist limit unauthorized access to your systems and data if you have a security breach.
Also Read: Detecting Office365 Azure AD Environment Backdoors
6-Using group policy, enable audit policy settings:
- Confirm that the Audit Policy settings are configured and implemented to all computers and servers via group policy.
- You can’t monitor for malicious behavior or investigate a security breach unless you have the right auditing and logging settings installed.
7-Monitor Active Directory for signs of compromise:
- To help detect compromise and odd behavior on the network, you should keep an eye on the following Active Directory events. Here are a few things to keep an eye on and examine on a weekly basis:
- Changes to privileged groups such as Domain Admins, Enterprise Admins, and Schema Admins
- A spike in bad password attempts
- A spike in locked out accounts
- Account lockouts
- Disabled or removal of antivirus software
- All actives performed by privileged accounts
- Logon/Logoff events
- Use of local administrator accounts
- A log analyzer should be deployed to monitor and alert you to any suspicious activity on your network.
- The advantage is that you can detect malicious attempts and turn off intruders before they can compromise your systems.
- A log analyzer can also help with post-breach analysis, but it’s more crucial to notice unusual activity early on.
Also Read: Soc Interview Questions and Answers – CYBER SECURITY ANALYST
8-Use descriptive security group names:
- Generic group names can lead to major security issues
- Use descriptive group names that you can easily determine what it is used for
- Come up with a naming convention, document it, and share it with your IT staff
9-Identify and delete inactive user and computer accounts:
- In Active Directory, you must have a mechanism in place to detect inactive users and computer accounts.
- Organizations don’t want several unused accounts sitting around in Active Directory, waiting to be discovered and exploited by an attacker. This can slow down group policies and cause issues with reporting and patching.
10-Remove Users from the Local Administrator Group:
- On computers, regular users should not be in the local administrator group.
- A user who has local admin permissions has complete control over the Windows operating system. This can lead to a variety of security vulnerabilities, including the installation of software, the disabling of antivirus software, the downloading and installation of malware, the theft of data, the hacking of credentials, the pivoting of systems, and so on.
- You may dramatically limit the chances of attackers gaining access to your computer and network by eliminating people from the local administrator group.
- I recommend utilizing group policy to manage the local administrator group. If they are removed from the computer without centralized oversight, someone will just re-assign the permissions. With the helpdesk, I’ve fought this battle many times. When troubleshooting an issue, I remove the rights, and they simply add it back.
11-Do not install additional software or server roles on DCs:
- Limited software and roles should be deployed on domain controllers.
- Because DCs are so valuable to the organization, you don’t want to risk increasing security concerns by running additional software on them.
- Installing a load of garbage on your mission-critical servers is a bad idea.
- Adding more software to your domain controllers can increase security vulnerabilities.
- Maintain a compact and clean DC.
12-Patch management and vulnerability scanning:
If you do not regularly scan and remediate discovered vulnerabilities you are at a much greater risk for comprise.
- To discover all potential vulnerabilities, scan all systems at least once a month. It’s even great if you can scan more regularly.
- Prioritize the vulnerability scans’ discovery and repair the ones with known vulnerabilities in the wild first.
- Automate the installation of software updates on operating systems.
- Automated updates to 3rd-party applications should be deployed.
- Identify any out-of-date or no-longer-supported software and have it updated.
Also Read: Latest Cyber Security News – Hacker News !
13-For Office 365 and remote access, use two-factor authentication:
- Now the attacker has that user’s Active Directory credentials. The attacker could now access a variety of systems from any location.
- Even if the account had been compromised, if the user had two-factor authentication activated, this may restrict access. To log in, the attacker would require the second set of credentials.
- There are too many ways for attackers to obtain credentials to prevent accounts from being compromised.
- If you use Office 365, MFA may be included depending on the bundle you have and make the most of this feature.
14-Use the most up-to-date ADFS and Azure security features:
Security is a strong point of both ADFS and Azure. These features will aid in the prevention of password spraying, account compromise, and phishing, among other things. Here are a few features worth investigating:
- Smart Lockout – Uses algorithms to spot unusual sign-on activity.
- IP Lockout – Uses Microsoft’s database of known malicious IP addresses to block sign-on-ins.
- Attack Simulations – You should be doing regular phishing tests to help train end-users. Microsoft will be releasing phish simulator software very soon.
- MFA Authentication – Microsoft’s 2-factor solution
- Banned passwords – Checks passwords against a known list
- Azure AD Connect Health – Provides several good reports
- Custom bad passwords – Ability to add custom banned passwords to check against.
15-Lock down service accounts:
Service accounts are those that launch an executable, a task, or a service, authenticate with Active Directory, and so on. These are widely used, and the passwords are frequently configured to never expire. These accounts frequently have excessive rights and are frequently members of the domain admin group. Here are some suggestions for securing service accounts:
- Use Managed Service Accounts
- Use long Strong passwords
- Give access to only what is needed
- Try to avoid granting local administrator rights
- Do not put in Domain Admins
- Deny logon locally
- Deny logon as a batch
- Require vendors to make their software work without domain admin rights
The security practices for Active Directory outlined here are essential to enhancing your security infrastructure. Continuous monitoring of activities that affect AD security across the whole network will allow you to limit your attack surface area and identify and respond to threats quickly.