
Secure Active Directory management. Part 1

Hello!

Today we are starting to translate the posts of one of our authors: meet Brian Svidergol, author of the book Active Directory Cookbook. Brian specializes in IT infrastructure, including AD management, Exchange, storage systems and so on. Brian generously padded the original text with generalities, so we will try to distil the essence.


The principle of least privilege

Wikipedia has a good article on the principle of least privilege. In a nutshell, observing this principle means giving a user only those privileges that are strictly necessary for performing his tasks.


Internal IS incidents

You can find very different figures online on how much of a threat insiders pose to the security of IT systems. I have seen reports claiming that only 15% of intrusions originate from the corporate network, and others claiming about 50%. But secure management of AD is not about finding out where the attack comes from; whether it is internal or external is not that important. What matters is that Active Directory is almost always the attacker's main target. After gaining control over AD, an attacker can take control of hundreds of other IT systems through privilege escalation. Here are some examples:

1) Microsoft Exchange. Active Directory administration and management of Exchange servers are often handled by different IT specialists, but privileges are assigned through groups in AD. If you control Active Directory, you can add yourself to the appropriate groups and get full access to the organization's entire mail subsystem: for example, access to executives' mailboxes, the ability to copy confidential information, or the ability to act on behalf of a highly privileged administrator such as a DBA.

2) Microsoft Lync. The situation is similar to Exchange: role-based access, with privileges assigned via AD groups. Add yourself to the appropriate groups and you can send messages on behalf of any user in the organization, redirect calls, cancel scheduled meetings and read message logs.

3) Shared folders. Most file resources, shared folders and so on are controlled by AD groups. Often the most confidential information is stored in shared folders: salary data, employees' personal data, corporate founding documents. An attacker who controls AD can use PowerShell to quickly reach any file resource on the corporate network.

See how quickly the situation gets out of control? Here are a few tips that help reduce the risk by applying the principle of least privilege.

Helpdesk employees can reset the passwords of most users in Active Directory.
If a Helpdesk employee can reset the DBA's password, he can access any database. In practice attackers always look for the easiest path to a resource, so they do not need to break into a domain administrator account: phishing a few support staff and taking over their accounts is all it takes. We recommend making sure that support staff cannot reset the passwords of privileged accounts; in those cases security specialists should be involved, or a protected self-service password reset mechanism should be used.

Delegating administrative authority to a separate account reduces the risk from phishing attacks, browser vulnerabilities and malware. The administrator can read mail, open web pages and so on using an account that has no elevated privileges.

Service accounts in the Domain Admins group. I think you have often been in a situation where some piece of software needs a service that must run under a service account, and of course that account "must" be a member of the Domain Admins group. The first sensible step in this situation is to ask the software vendor for official documentation: it may describe the minimum privileges the service needs to start and run. If there is no such information, we recommend turning to specialized forums; you are probably not the first to install and configure this product, and a solution may already have been found. In any case, it is good practice to change service account passwords regularly. You can automate this, and we offer a free tool for it: Netwrix Privileged Account Manager.
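The two checks above (who can reset privileged passwords, and which Domain Admins look like service accounts) can be scripted. The following PowerShell is an added example written for this translation, not code from the original post or from Netwrix; it assumes the RSAT ActiveDirectory module is available and that the support staff are in a group named `Helpdesk` (a placeholder to adjust). Because members of protected groups get their ACL from AdminSDHolder, the script checks that object as well as each Domain Admins member.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and a delegation group named 'Helpdesk' (placeholder name).
Import-Module ActiveDirectory

$HelpdeskGroup = 'Helpdesk'   # assumption: the group your support staff are in
# Extended right "User-Force-Change-Password" (reset password without knowing the old one)
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$RightsType = [System.DirectoryServices.ActiveDirectoryRights]

# 1) Domain Admins members that look like service accounts:
#    registered SPNs or a password that never expires are the usual tell-tales.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet

$suspectServiceAccounts = $domainAdmins | Where-Object {
    $_.ServicePrincipalName.Count -gt 0 -or $_.PasswordNeverExpires
}
Write-Host "Domain Admins that look like service accounts:"
$suspectServiceAccounts |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Format-Table -AutoSize

# 2) Can the Helpdesk group reset the password of a privileged account?
#    Check AdminSDHolder (the template SDProp stamps onto protected accounts)
#    and then every Domain Admins member, in case SDProp has not run yet.
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @("CN=AdminSDHolder,CN=System,$domainDn") + $domainAdmins.DistinguishedName

foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -like "*\$HelpdeskGroup" -and
        (
            # explicit Reset Password right, or the extended right with no object restriction
            (($_.ActiveDirectoryRights -band $RightsType::ExtendedRight) -and
             ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty)) -or
            # GenericAll / WriteDacl imply the ability to reset the password anyway
            ($_.ActiveDirectoryRights -band $RightsType::GenericAll) -or
            ($_.ActiveDirectoryRights -band $RightsType::WriteDacl)
        )
    } | ForEach-Object {
        Write-Warning ("{0} can reset the password of {1} (rights: {2}, objectType: {3})" -f
            $HelpdeskGroup, $dn, $_.ActiveDirectoryRights, $_.ObjectType)
    }
}
```

Run it from a workstation with RSAT as an account that can read the directory; no changes are made. A warning on the AdminSDHolder line means every protected account is affected, not just the one listed. If the first table is non-empty, that is the list of accounts to take to the vendor documentation and forums mentioned above.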

Original text
_____

PS In general, all of this (resets of privileged account passwords, actions performed from a separate admin account, and attempts at privilege escalation) is easy to track with change auditing software. This not only protects the infrastructure and data, but also partly reduces the workload of administrators and the helpdesk. As an example (types of reports, how they are generated, how informative they are) you can look at Netwrix Auditor. A trial version and an online test drive are available.
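For readers who want to see what such tracking looks like without a product, here is an added example (written for this translation, not part of the original post or of any Netwrix tool) that pulls password resets (event 4724) and additions to global/universal groups (4728/4756) from a domain controller's Security log and flags the ones that touch accounts protected by AdminSDHolder (adminCount=1). It assumes the ActiveDirectory module, read access to the DC's Security log, and that the DC audits "User Account Management" and "Security Group Management".

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# remote event log access to a domain controller, and account/group management
# auditing enabled on it.
Import-Module ActiveDirectory

$DomainController = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
$Since = (Get-Date).AddDays(-1)   # look back one day; adjust as needed

# SID -> sAMAccountName of every account currently protected by AdminSDHolder.
# Note: adminCount=1 also lingers on accounts removed from protected groups.
$privileged = @{}
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    $privileged[$_.SID.Value] = $_.SamAccountName
}

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4724, 4728, 4756   # password reset; member added to global / universal group
    StartTime = $Since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read EventData by field name rather than by position, which differs per event ID.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        4724    { $sid = $data['TargetSid']; $action = 'password reset' }
        default { $sid = $data['MemberSid']; $action = "added to group $($data['TargetUserName'])" }
    }

    if ($privileged.ContainsKey($sid)) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Target = $privileged[$sid]
            Action = $action
        }
    }
}
```

The output is one row per sensitive change with who did it and to whom; a helpdesk account appearing in the Actor column next to a privileged Target is exactly the case the first tip above warns about. In production you would run this on every DC (each logs only the changes it processed) or collect the events centrally first.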

Source: https://habr.com/ru/post/215569/

