
The Top-5 Security Risks to Active Directory


The following are the Top-5 Risks to Active Directory deployments, from various threat sources, listed in order of importance –


  1. Active Directory Privilege Escalation

    Privilege escalation in Active Directory environments, achieved by identifying and exploiting unauthorized access grants in Active Directory, especially a multi-step escalation from a non-administrative user to the Domain Admin level, is the #1 (most serious) risk to Active Directory today.


    This risk involves the identification and exploitation of excessive (unauthorized) access rights in Active Directory deployments, especially those protecting vital Active Directory objects, such as administrative and executive accounts and groups, as well as OUs and other objects. Once detected, these excessive rights can be used to easily and instantly escalate privilege.

    It is the #1 risk, because its attack surface is vast, the skill required to materialize it is low, its probability of occurrence is high, and the impact of its successful enactment is very high.

    Summary –

    • Asset at Risk – Administrative Delegations, Admin Accounts and Groups

    • Threat Source – Malicious Entity

    • Attack Surface – Vast (All Active Directory Content)

    • Exploitation Procedure – Detect and exploit unauthorized access grants in Active Directory using freely available tools like dsacls and acldiag. Malicious use of advanced tools like an Active Directory Permissions Analyzer or an Active Directory Password Reset Analysis Tool can speed up the detection process. Freely available Active Directory management tools like ADUC can then be used to carry out the exploitation (e.g. perform a password reset to escalate privilege).

    • Difficulty – Minimal (Authenticated Users have read access by default.)

      Unlike the Pass-the-Hash (PTH) technique, this technique requires neither admin access on a server nor that an admin log on to that server.

      It only requires read access to Active Directory (AD) content (which Authenticated Users have by default), the ability to analyze AD ACLs to find excessive rights (which can easily be done using available tools), and the ability to perform administrative tasks (which can easily be done using any Active Directory management tool, such as Microsoft Active Directory Users and Computers).

    • Impact – Very high (Once gained, administrative access can be used to very quickly cause widespread damage across the IT infrastructure.)

    • Likelihood / Probability of Occurrence – High

    • Mitigation / Prevention – This risk can be reliably mitigated/prevented by ensuring that there are no privilege escalation paths in Active Directory to exploit. An Active Directory Effective Access Audit can be performed to detect the presence of excessive/unauthorized access grants and subsequently eliminate them.


    • Detection – Privilege escalations can be detected if proper auditing is in place. However, because not all modifications are audited, not every escalation, whether successful or merely attempted, will necessarily be detected. Further, by the time an audit event/notification is acted upon, it may already be too late.
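    As an added example (not code from this page or from Paramount Defenses), the following PowerShell script performs a simplified version of the access audit described above: for the Domain Admins group and each of its nested members, it lists every ACE that grants a privilege-escalation-capable right (GenericAll, WriteDacl, WriteOwner, Reset Password, or write to the group's member attribute) to a principal outside an allow-list. It assumes the RSAT ActiveDirectory module is installed and that the allow-list `$Expected` is adjusted to the organization's delegation model.

```powershell
# Added example (not Paramount Defenses' code): report ACEs on protected AD objects that grant a
# right usable for privilege escalation to a principal outside an allow-list. Reading an object's
# ACL needs only the default read access that Authenticated Users already have.
Import-Module ActiveDirectory

# Well-known GUIDs: the Reset-Password control access right, the group "member" attribute, and
# the null GUID, which an ACE uses to mean "every property / every extended right".
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$MemberAttrGuid    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$AllGuid           = [guid]'00000000-0000-0000-0000-000000000000'

# Principals expected to hold these rights (assumption: adjust to your delegation model).
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

function Test-Right {
    # True when every bit of $Flag is set in $Rights. GenericAll is a multi-bit mask, so a plain
    # "-band" test would also fire on harmless rights such as GenericRead.
    param([System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [System.DirectoryServices.ActiveDirectoryRights]$Flag)
    return (($Rights -band $Flag) -eq $Flag)
}

function Get-EscalationAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Expected -contains $ace.IdentityReference.Value) { continue }

        $r = $ace.ActiveDirectoryRights
        $onReset  = ($ace.ObjectType -eq $ResetPasswordGuid) -or ($ace.ObjectType -eq $AllGuid)
        $onMember = ($ace.ObjectType -eq $MemberAttrGuid)    -or ($ace.ObjectType -eq $AllGuid)
        $reason = if (Test-Right $r 'GenericAll')  { 'GenericAll' }
               elseif (Test-Right $r 'WriteDacl')  { 'WriteDacl' }
               elseif (Test-Right $r 'WriteOwner') { 'WriteOwner' }
               elseif ((Test-Right $r 'ExtendedRight') -and $onReset)  { 'ResetPassword' }
               elseif ((Test-Right $r 'WriteProperty') -and $onMember) { 'WriteMember' }
        if (-not $reason) { continue }

        [pscustomobject]@{ Object = $DistinguishedName; Principal = $ace.IdentityReference.Value
                           Right = $reason; Inherited = $ace.IsInherited }
    }
}

# Audit Domain Admins itself plus every (nested) member account and print what was found.
$da = Get-ADGroup 'Domain Admins'
$targets = @($da.DistinguishedName) +
           @(Get-ADGroupMember $da -Recursive | Select-Object -ExpandProperty DistinguishedName)
$targets | ForEach-Object { Get-EscalationAces -DistinguishedName $_ } | Format-Table -AutoSize
```

Each row returned is a grant that should either be justified by a documented delegation or removed; extending `$targets` to the OUs that contain administrative accounts covers the OU case mentioned above.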






  2. Compromise of an Administrative Account

    The compromise of an administrative account in Active Directory, especially that of a highly privileged administrator, like a Domain Admin or an Enterprise Admin, is the #2 risk to Active Directory today.

    This risk involves the compromise of administrative accounts and groups in Active Directory.

    It is the #2 risk, because the skill required to materialize it is low, its probability of occurrence is high, and the impact of its successful enactment is high.

    Summary –

    • Asset at Risk – Admin Accounts and Groups

    • Attack Surface – All Active Directory Administrative Accounts and Groups

    • Exploitation Procedure – Exploit techniques that do not require administrative access, such as using Active Directory Privilege Escalation to reset an admin's password or modify the membership of an admin group. Alternatively, employ techniques that do require some level of administrative access (and a Domain Admin to have logged on to a system one has administrative access to), such as pass-the-hash (PTH), to obtain administrative access. Alternatively, employ archaic techniques like password guessing/brute-forcing to gain administrative access.

    • Difficulty – Minimal (Authenticated Users could attempt Active Directory Privilege Escalation, and non-AD admins could use the Pass-the-Hash (PTH) technique)

    • Threat Source – Malicious Entity

    • Impact – Very high (Once gained, administrative access can be used to very quickly cause widespread damage across the IT infrastructure.)

    • Likelihood / Probability of Occurrence – High

    • Mitigation / Prevention – This risk can be reliably mitigated/prevented by ensuring that there are no privilege escalation paths in Active Directory to exploit. In addition, secure administrative practices, such as ensuring that Domain Admins only log on to their own machines and DCs, and to no others, can be used to prevent PTH-based exploitation. Strong, complex passwords and multi-factor authentication, such as smart cards, are recommended.

    • Detection – Auditing the enactment of all sensitive tasks on administrative accounts and groups, such as password resets and modifications to group memberships, can help detect potential attempts to gain administrative access.

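    As an added example (not code from this page or from Paramount Defenses) of the detection approach described above, the following PowerShell script reads a domain controller's Security log for password resets (event 4724) and additions to security-enabled groups (4728 global, 4732 domain local, 4756 universal) and keeps only those that touched a protected account or group. It assumes the "Audit User Account Management" and "Audit Security Group Management" subcategories are enabled on the DCs, that the caller may read the DC's Security log, and that `$ProtectedGroups` and the 24-hour window are adjusted to the environment.

```powershell
# Added example (not Paramount Defenses' code): surface sensitive changes to administrative
# accounts and groups from a DC's Security log so they can be compared against approved changes.
Import-Module ActiveDirectory

$DomainController = [string](Get-ADDomainController -Discover).HostName   # any reachable DC
$Since = (Get-Date).AddHours(-24)                                           # look-back window (assumption)

$ProtectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
# adminCount=1 marks accounts protected by AdminSDHolder, i.e. members of the privileged groups.
$ProtectedUsers  = Get-ADUser -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty SamAccountName

function Get-AdminChangeEvents {
    param([string]$ComputerName, [datetime]$StartTime)

    $filter = @{ LogName = 'Security'; Id = 4724, 4728, 4732, 4756; StartTime = $StartTime }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the event's <EventData><Data Name="...">value</Data> elements into a lookup table.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $target = $d['TargetUserName']     # 4724: the account reset; 4728/4732/4756: the group changed
        if ($e.Id -eq 4724) {
            if ($ProtectedUsers -notcontains $target) { continue }
            $action = 'PasswordReset'; $member = $null
        } else {
            if ($ProtectedGroups -notcontains $target) { continue }
            $action = 'GroupMemberAdded'; $member = $d['MemberName']
        }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Action  = $action
            Actor   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Target  = $target
            Member  = $member
        }
    }
}

# Review the last 24 hours; anything not matching an approved change deserves follow-up.
Get-AdminChangeEvents -ComputerName $DomainController -StartTime $Since |
    Sort-Object Time | Format-Table -AutoSize
```

Because these events are written by whichever DC processed the change, run the query against every DC (or against a central log collector) rather than a single one.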




  3. Compromise of an Administrative Workstation

    The compromise of an administrative workstation in Active Directory, especially one being used by a highly privileged administrator, like a Domain Admin or an Enterprise Admin, is the #3 risk to Active Directory today.

    This risk involves the compromise of administrative workstations, which are usually more accessible than domain controllers (DCs) and are thus exposed to higher risk than DCs are.

    It is the #3 risk, because it is harder to compromise an adequately protected administrative workstation than it is to compromise an administrative account or group membership.

    Summary –

    • Asset at Risk – Administrative Workstations

    • Attack Surface – All Active Directory Administrative Workstations

    • Exploitation Procedure – Exploit well-known host compromise techniques to compromise an administrative workstation. Once the workstation has been compromised, one can have malicious code executed in administrative context when the administrator logs on, or steal the administrator's credentials by installing software/hardware keyloggers on the system.

    • Difficulty – Moderate (Requires unrestricted physical access to an admin workstation, or a combination of network access and host-compromising skills)

    • Threat Source – Malicious Entity

    • Impact – Very high (Once attained, the execution of malicious code in administrative context can be used to very quickly cause widespread damage.)

    • Likelihood / Probability of Occurrence – Medium (This assumes that administrative workstations have less exposure than administrative accounts and groups, but more exposure than DCs)

    • Mitigation / Prevention – This risk can be reliably mitigated/prevented by defining and implementing adequate administrative workstation security controls, which ensure that all workstations are afforded adequate physical, system and network security.





  4. Compromise of a Domain Controller

    The compromise of a Domain Controller is the #4 risk to Active Directory today.

    This risk involves the compromise of an Active Directory domain controller. DCs are usually less accessible than administrative workstations, because they are typically located in data-centers, access to which is usually restricted to highly trustworthy administrative personnel.

    It is the #4 risk, because it is harder to compromise an adequately protected DC placed in a data-center than it is to compromise an administrative account, group membership or administrative workstation. This risk can increase substantially if DCs are not afforded adequate physical security, such as if they are placed in unprotected areas in branch offices.

    Summary –

    • Asset at Risk – Domain Controllers

    • Attack Surface – All Active Directory Domain Controllers

    • Exploitation Procedure – Exploit well-known host compromise techniques to compromise a domain controller. Once a domain controller is compromised, the Kerberos Key Distribution Center is effectively compromised, and by consequence the entire IT infrastructure and all organizational IT assets become exposed to risk.

    • Difficulty – Moderate to Difficult (Requires unrestricted physical access to a Domain Controller, or a combination of unfiltered network access and expert host-compromising skills)

    • Threat Source – Malicious Entity

    • Impact – Very high (The compromise of the DC is tantamount to the compromise of the Kerberos Key Distribution Center, the bedrock of distributed security in the network.)

    • Likelihood / Probability of Occurrence – Low (This assumes that DCs have less exposure than administrative accounts and groups, as well as administrative workstations)

    • Mitigation / Prevention – This risk can be reliably mitigated/prevented by defining and implementing adequate domain controller security controls, which ensure that all DCs are afforded adequate physical, system and network security.





  5. Pass-the-Hash (PTH) Attack

    A Pass-the-Hash attack, if successfully carried out and enacted against Active Directory administrative credentials, could be used to obtain administrative access to Active Directory.


    However, contrary to popular belief, a Pass-the-Hash attack against Active Directory administrative credentials is actually only the 5th most serious risk to Active Directory today.

    This is so because, unlike the Active Directory privilege escalation risk stemming from the detection and exploitation of unauthorized grants in Active Directory, the successful enactment of the PTH attack REQUIRES two conditions to be in place –

    1. It requires the attacker to have administrative access on a machine, AND

    2. It requires that an Active Directory administrator log on to THAT machine

    Although the former (i.e. requirement 1 above) is relatively easy to obtain, the latter (i.e. requirement 2 above) can be easily prevented (and virtually eliminated) by the mere presence of secure administrative practices that ensure that Domain Admins and other Active Directory admins ONLY log on to machines they control and trust.

    In contrast, an Active Directory privilege escalation attack based on the identification and exploitation of unauthorized access rights in Active Directory NEITHER requires administrative access on any machine NOR requires that an Active Directory administrator log on to any machine. It only requires read access to the security permissions protecting Active Directory content, which is available to all authenticated users by default. With either sufficient skill or the use of appropriate tools, this read access can be misused to identify and exploit privilege escalation paths and thereby gain unrestricted, all-powerful Active Directory administrative access within minutes.

    Summary –

    • Asset at Risk – Active Directory Administrator Credentials

    • Threat Source – Malicious Entity

    • Attack Surface – Small (Only Active Directory Administrative Account Credentials)

    • Exploitation Procedure – Capture hashes, then use captured hashes to impersonate users locally, and/or across the network.

    • Difficulty – Moderate (Knowledge of tools required to perform hash captures and re-use, as well as the use of social engineering to lure an Active Directory administrator to logon to a machine are required.)

    • Impact – High to very high (If Active Directory administrative access is gained, it could be used to very quickly cause widespread damage across the IT infrastructure.)

    • Likelihood / Probability of Occurrence – Medium

    • Mitigation / Prevention – As it pertains to the risk to Active Directory administrative accounts, this risk can be reliably mitigated by establishing, following and enforcing secure administrative practices that ensure that Active Directory administrators only log on to highly trustworthy machines that they manage and control. In addition, restricting the use of Kerberos delegation can also help minimize risk.







It is vital to ensure that organizations protect their Active Directory deployments from these 5 risks.


