
The Top-5 Active Directory Risk Mitigation Measures

Active Directory Risk Mitigation

How to Mitigate the Top 5 Security Risks to Active Directory

The following are specific risk mitigation measures that can be enacted to mitigate the Top-5 risks –


  1. How to Mitigate the Risk of Active Directory Privilege Escalation

    The risk of Active Directory Privilege Escalation based on the identification and exploitation of unauthorized access grants in Active Directory deployments can be swiftly and reliably mitigated by implementing the following risk mitigation measures –

    1. Perform an Active Directory Effective Access Audit or an Active Directory Delegation Audit to identify exactly who is delegated what administrative access in Active Directory.

      At a minimum, all organizations must always know exactly who possesses sufficient rights to perform the following administrative tasks in Active Directory –

      • Create domain user accounts, to potentially misuse them

      • Delete existing domain user accounts, to disrupt access

      • Reset domain user account passwords, to escalate security privilege

      • Enable disabled domain user accounts, to misuse them

      • Unlock locked domain user accounts, to guess passwords

      • Create domain security groups, to mislead users

      • Modify domain security group memberships, to compromise assets

      • Convert security groups to distribution groups, to compromise assets

      • Create and delete organizational units, to compromise security

      • Modify domain account lockout and password policies, to weaken security

    2. Review the results of this audit and identify all administrative entitlements that seem excessive / unauthorized, relative to the intended administrative entitlement policy.

      For example, if per your intended administrative entitlement policy, only 10 individuals should be able to reset user account passwords in your Active Directory, and the audit reveals that more than 10 individuals are currently delegated this ability, then you should identify the list of all individuals who are not supposed to have these delegated rights, per the intended policy, but who currently do so, per the findings of the delegation audit.

    3. Once you have identified these excessive administrative entitlements in your Active Directory, determine how these individuals are currently being granted this excessive access, and use that information to lock down the excessive access you have identified.

      For example, if you find that a user, John Doe, is able to perform password resets on user accounts in an OU, but should not have this access, then identify the underlying security permissions (e.g. Allow Group-X Reset Password on User objects) that currently, in effect, grant this user the entitlement. Once you have identified these security permissions, modify them, or any group memberships involved, so as to revoke this access from this user.

    4. After you have completed the process of identifying and eliminating all such excessive administrative access grants, repeat Step 1 above to ensure and verify that there are no more excessive administrative delegations in your Active Directory.

    5. From this point on, perform an Active Directory Effective Access Audit or an Active Directory Delegation Audit periodically, and after any delegation or access-provisioning change, to verify all administrative delegations and ensure that there are no unauthorized delegated access entitlements in your Active Directory that could be exploited to escalate privilege.
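
The following PowerShell script is an added example and is not code from the original page or from Paramount Defenses. It works through steps 1 to 3 above for one entitlement, the ability to reset user account passwords: it reads the Allow ACEs on a single OU that grant the "Reset Password" control-access right on user objects, expands any granted groups to individual users, and flags every user who is not on the intended entitlement list. It assumes the RSAT ActiveDirectory module and read access to the OU; the OU name in $TargetOu and the names in $Authorized are placeholders to replace with your own.

```powershell
# Added example, not from the original page. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TargetOu   = 'OU=Corp Users,DC=example,DC=com'   # assumption: the OU under review
$Authorized = @('jdoe', 'helpdesk01')              # assumption: sAMAccountNames allowed by policy

$rootDse  = Get-ADRootDSE
$configNc = $rootDse.configurationNamingContext
$schemaNc = $rootDse.schemaNamingContext

# Resolve the relevant GUIDs from the forest itself instead of hard-coding them.
$resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$resetGuid  = [guid]$resetRight.rightsGuid     # the User-Force-Change-Password control access right
$userClass  = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userGuid   = [guid]$userClass.schemaIDGUID    # schemaIDGUID of the "user" object class
$allGuid    = [guid]::Empty                    # empty GUID in an ACE means "all classes / all rights"
$rights     = [System.DirectoryServices.ActiveDirectoryRights]

# Keep Allow ACEs that (a) grant GenericAll, or the ExtendedRight bit scoped to the
# Reset Password right or to all extended rights, and (b) apply to descendant user
# objects (or to all descendant classes). Deny ACEs and per-object ACEs on the user
# accounts themselves are not considered here.
$grantingAces = (Get-Acl -Path "AD:\$TargetOu").Access | Where-Object {
    $r = $_.ActiveDirectoryRights
    $_.AccessControlType -eq 'Allow' -and
    $_.InheritanceType -ne 'None' -and
    (
        ($r -band $rights::GenericAll) -eq $rights::GenericAll -or
        (($r -band $rights::ExtendedRight) -ne 0 -and
         ($_.ObjectType -eq $resetGuid -or $_.ObjectType -eq $allGuid))
    ) -and
    ($_.InheritedObjectType -eq $userGuid -or $_.InheritedObjectType -eq $allGuid)
}

function Expand-Principal {
    # Resolve a DOMAIN\name identity to individual user sAMAccountNames, expanding
    # groups recursively. Identities that do not resolve (well-known SIDs) are kept as-is.
    param([string]$Identity)
    $name = $Identity.Split('\')[-1]
    $obj  = Get-ADObject -LDAPFilter "(sAMAccountName=$name)" -Properties sAMAccountName
    if (-not $obj) { return ,$Identity }
    switch ($obj.ObjectClass) {
        'user'  { return ,$obj.sAMAccountName }
        'group' { return (Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                      Where-Object objectClass -eq 'user' |
                      Select-Object -ExpandProperty SamAccountName) }
        default { return ,$Identity }
    }
}

# One row per (user, granting ACE) so the report shows *how* each user obtains the right,
# which is the information step 3 needs in order to revoke it.
$report = foreach ($ace in $grantingAces) {
    foreach ($who in Expand-Principal -Identity $ace.IdentityReference.Value) {
        [pscustomobject]@{
            User      = $who
            ViaAce    = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
            Excessive = ($Authorized -notcontains $who)
        }
    }
}

$report | Sort-Object User, ViaAce | Format-Table -AutoSize
"Users able to reset passwords under $TargetOu who are not on the authorized list:"
$report | Where-Object Excessive | Select-Object User, ViaAce -Unique
```

This is a delegation audit of one OU, not a full effective-access computation: it ignores Deny ACEs, permissions set directly on individual user objects, object ownership, and the built-in privileges of accounts such as members of the Domain Admins group, so a user reported as not entitled here may still hold the right through one of those paths. Rerunning it after remediation gives the verification called for in step 4.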





  2. How to Mitigate the Risk of the Compromise of an Administrative Account

    The risk of the compromise of an Active Directory administrative account, whether stemming from Active Directory privilege escalation or from credential exploitation techniques (such as Pass-the-Hash (PTH)), can be minimized by implementing the following risk mitigation measures –

    1. Minimize the number of Active Directory Administrative Accounts in use by delegating all but the most sensitive administrative tasks to less privileged administrators / accounts, based on the principle of least privilege.

    2. Perform an Active Directory Effective Access Audit or an Active Directory Delegation Audit on all administrative accounts and all administrative groups to ensure that only authorized individuals can manage administrative accounts and groups.

      Examples of common account management tasks include the ability to reset an account's password, unlock a locked account, unexpire an expired account, etc., and examples of common group management tasks include the ability to change a group's membership, modify the scope or the type of the group, etc.

    3. Establish, implement and enforce a set of well-defined Secure Administrative Practices that, amongst other things, ensure that Active Directory administrative account holders log on only to their administrative workstations and to Domain Controllers, and to no other machine, when using their Active Directory administrative credentials.

    4. Consider requiring strong (> 15 characters) and complex passwords, and/or two-factor authentication mechanisms, for protecting Active Directory administrative accounts.

    5. Ensure that Active Directory administrators do not perform any non-administrative activities, such as email or Web browsing, when using their administrative credentials.

    6. Mark all Active Directory administrative user accounts as "Account is sensitive and cannot be delegated" in Active Directory.

    7. Avoid configuring services or scheduled tasks on machines other than DCs and administrative workstations to run under Active Directory administrative user accounts.



  3. How to Mitigate the Risk of the Compromise of an Administrative Workstation

    The risk of the compromise of an Active Directory administrative workstation can be minimized by implementing the following risk mitigation measures –

    1. Designate individual administrative workstations for all Active Directory administrators.

    2. Protect each of these administrative workstations by establishing, implementing and enforcing a set of Administrative Workstation Protection policies that ensure that –

      • The security policy of these workstations is adequately configured

      • These machines are always adequately patched

      • Trustworthy, up-to-date anti-virus protection is installed

      • The set of services running and applications installed is minimized

      • There is no untrustworthy/unsupported/free software (of any kind) installed

        (Typical examples include free Active Directory management/reporting tools.)

    3. Ensure that only designated administrative personnel have unrestricted physical access to these workstations at any and all times.

    4. Ensure that only authorized administrative personnel can manage the computer account representing these workstations in the Active Directory, as well as control (link / unlink / modify) the set of GPOs that are pushed out to these workstations from Active Directory.



  4. How to Mitigate the Risk of the Compromise of a Domain Controller

    The risk of the compromise of an Active Directory Domain Controller can be minimized by implementing the following risk mitigation measures –

    1. Ensure that all Domain Controllers are located in highly secure locations, access to which is restricted to highly trustworthy administrative personnel.

    2. Protect all domain controllers by establishing, implementing and enforcing a set of Domain Controller Security policies that ensure that –

      • The security policy protecting these DCs is adequately configured

      • These DCs are always adequately patched

      • Trustworthy, up-to-date anti-virus protection is installed

      • The set of services running and applications installed is minimized

      • There is no untrustworthy/unsupported/free software (of any kind) installed

        (Typical examples include free Active Directory management/reporting tools.)

      • There are no unnecessary/non-essential services being hosted on these DCs

    3. Ensure that only designated administrative personnel have unrestricted physical access to these DCs at any and all times.

    4. Ensure that only authorized administrative personnel can manage the computer account representing the DCs in the Active Directory, as well as control (link / unlink / modify) the set of GPOs that are pushed out to these DCs from Active Directory.
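
The following PowerShell script is an added example, not code from the original page or from Paramount Defenses. It serves the last step of both section 3 (administrative workstations) and section 4 (Domain Controllers): for each host named, it lists who holds write-type permissions on the host's computer object, and who can modify the gPLink and gPOptions attributes (that is, link, unlink or reorder GPOs) on the OU that contains it, then reports every such principal that is not on an authorized list. It assumes the RSAT ActiveDirectory module; the host names in $Hosts and the principals in $Authorized are placeholders to replace with your own.

```powershell
# Added example, not from the original page. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Hosts      = @('ADMIN-WS01', 'DC01')    # assumption: admin workstations and DCs to check
$Authorized = @('CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins',
                'NT AUTHORITY\SYSTEM')   # assumption: principals allowed to hold write access

$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    # Look up an attribute's schemaIDGUID so the script does not depend on hard-coded GUIDs.
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$gpLinkGuid    = Get-SchemaGuid 'gPLink'      # holds the list of linked GPOs
$gpOptionsGuid = Get-SchemaGuid 'gPOptions'   # holds link options such as Block Inheritance
$allGuid       = [guid]::Empty

$rights    = [System.DirectoryServices.ActiveDirectoryRights]
$writeMask = $rights::WriteProperty -bor $rights::WriteDacl -bor $rights::WriteOwner -bor
             $rights::GenericWrite  -bor $rights::GenericAll

function Get-WriteAces([string]$Dn, [guid[]]$Attributes) {
    # Allow ACEs on $Dn carrying any write-type right. When $Attributes is given, keep only
    # ACEs scoped to those attributes or to all properties (empty ObjectType).
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeMask) -ne 0 -and
        (-not $Attributes -or $_.ObjectType -eq $allGuid -or $Attributes -contains $_.ObjectType)
    }
}

function New-Finding($Host, $Scope, $Target, $Ace) {
    [pscustomobject]@{
        Host       = $Host
        Scope      = $Scope
        Target     = $Target
        Principal  = $Ace.IdentityReference.Value
        Rights     = $Ace.ActiveDirectoryRights
        Inherited  = $Ace.IsInherited
        Authorized = ($Authorized -contains $Ace.IdentityReference.Value)
    }
}

$findings = foreach ($h in $Hosts) {
    $comp = Get-ADComputer -Identity $h
    # Parent container of the computer object (the OU whose GPO links apply to it).
    $ouDn = ($comp.DistinguishedName -split ',', 2)[1]

    foreach ($ace in Get-WriteAces -Dn $comp.DistinguishedName) {
        New-Finding $h 'computer object' $comp.DistinguishedName $ace
    }
    foreach ($ace in Get-WriteAces -Dn $ouDn -Attributes @($gpLinkGuid, $gpOptionsGuid)) {
        New-Finding $h 'GPO links on parent OU' $ouDn $ace
    }
}

"Principals with write access that are not on the authorized list:"
$findings | Where-Object { -not $_.Authorized } |
    Sort-Object Host, Scope, Principal | Format-Table -AutoSize
```

Two limits are worth knowing when reading the output. GPOs can also be linked at the domain and site levels, so the same gPLink check should be run against the domain root and against the site objects under the Configuration partition for a complete picture; and the script reports direct ACEs only, so a principal shown as authorized may still be reachable by anyone who can change that principal's group membership, which is exactly the delegation audit that section 1 describes.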



  5. How to Mitigate the Risk of a Pass-the-Hash (PTH) Attack

    The risk of a pass-the-hash attack against Active Directory administrative credentials can be minimized by implementing the following risk mitigation measures –

    1. Minimize the number of Active Directory Administrative Accounts in use by delegating all but the most sensitive administrative tasks to less privileged administrators / accounts, based on the principle of least privilege.

    2. Establish, implement and enforce a set of well-defined Secure Administrative Practices that, amongst other things, ensure that Active Directory administrative account holders log on only to their administrative workstations and to Domain Controllers, and to no other machine, when using their Active Directory administrative credentials.

    3. Ensure that Active Directory administrators do not perform any non-administrative activities, such as email or Web browsing, when using their administrative credentials.

    4. Mark all Active Directory administrative user accounts as "Account is sensitive and cannot be delegated" in Active Directory.

    5. Avoid configuring services or scheduled tasks on machines other than DCs and administrative workstations to run under Active Directory administrative user accounts.

    6. Consider requiring strong (> 15 characters) and complex passwords, and/or two-factor authentication mechanisms, for protecting Active Directory administrative accounts.
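
The following PowerShell script is an added example, not code from the original page or from Paramount Defenses. It checks the account-level measures that sections 2 and 5 share: for every user who is a member (directly or through nesting) of a set of privileged groups, it reports whether the "Account is sensitive and cannot be delegated" flag is set, whether the account carries a service principal name (a sign that it is being used to run a service), and the minimum password length of the password policy that actually applies to it, compared with the > 15 character recommendation. It assumes the RSAT ActiveDirectory module; the list in $PrivilegedGroups is an assumption that should match your own definition of administrative accounts.

```powershell
# Added example, not from the original page. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')   # assumption: adjust to your environment
$MinimumLength    = 15       # the page recommends passwords longer than 15 characters
$Remediate        = $false   # $true: set the "cannot be delegated" flag on accounts that lack it

# Distinct user members of the privileged groups, with nested groups expanded.
$adminNames = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}
$adminNames = $adminNames | Sort-Object -Unique

$report = foreach ($name in $adminNames) {
    $u = Get-ADUser -Identity $name -Properties AccountNotDelegated, ServicePrincipalName, PasswordLastSet

    # The policy that really applies: a fine-grained password policy if one targets the
    # user, otherwise the domain default.
    $pol = Get-ADUserResultantPasswordPolicy -Identity $u
    if (-not $pol) { $pol = Get-ADDefaultDomainPasswordPolicy }

    $notDelegated = [bool]$u.AccountNotDelegated
    $hasSpn       = ($u.ServicePrincipalName.Count -gt 0)
    $longEnough   = ($pol.MinPasswordLength -gt $MinimumLength)

    [pscustomobject]@{
        User          = $u.SamAccountName
        NotDelegated  = $notDelegated
        HasSpn        = $hasSpn          # an SPN on an admin account suggests it runs a service
        MinPwdLength  = $pol.MinPasswordLength
        PwdAgeDays    = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
        Compliant     = ($notDelegated -and -not $hasSpn -and $longEnough)
    }
}

$report | Sort-Object Compliant, User | Format-Table -AutoSize

if ($Remediate) {
    # Only the delegation flag is changed automatically; SPNs and password policy need a
    # decision by the administrator rather than a blanket fix.
    $report | Where-Object { -not $_.NotDelegated } | ForEach-Object {
        Set-ADUser -Identity $_.User -AccountNotDelegated $true
    }
}
```

The password check is necessarily indirect: Active Directory does not expose the length of a stored password, so the script verifies the minimum length that the applicable policy enforces, and an account shown as compliant may still have a password set before that policy was tightened (the PwdAgeDays column helps spot those). Because Administrators is a built-in group, its expanded membership includes the domain groups nested in it, so the same user normally appears once regardless of how many of the listed groups they belong to.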



The guidance provided above is compiled on a best-efforts basis and is for informational purposes only. It is not a substitute for precise in-depth guidance and the use of this information is subject to our disclaimer.


