Tenable's Security Response Team examines some of the most common Active Directory misconfigurations targeted by attackers and offers proactive measures to help cyber defenders disrupt attack paths.
Microsoft's Active Directory is one of the most widely used technologies for the administration of groups and users within an organization's IT networks. It serves as the central management interface for Windows domain networks, and is used for authentication and authorization of all users and machines. This makes Active Directory a prominent and valuable target for threat actors, as attackers are able to use it as a foothold to deploy malware, create new user accounts, add new machines to the network and leverage its functionality for lateral movement.
Once an attacker has gained a foothold in an organization's Active Directory, they can perform a number of malicious actions, such as creating new administrative users, adding new machines to the domain, deploying ransomware across the network, compromising sensitive systems and stealing sensitive data. By compromising just a single asset on the domain, an attacker may be able to elevate privileges and move laterally across the network, targeting sensitive data or devices along the way.
Yet, the administration of Active Directory can be complex and challenging for IT teams, and securing it can be equally complicated for security professionals. Many organizations lack security professionals with Active Directory skills and expertise.
The challenges of securing Active Directory in the enterprise
Threat actors are well aware of common configuration issues and will look to capitalize on them as soon as they gain entry to your organization. Once an attacker gains control of Active Directory, they effectively hold the "keys to the kingdom," which they can use to access any device or system connected to the network. In addition, if Active Directory serves as your Identity Provider (IdP), compromising it could also compromise your single sign-on (SSO) solution, giving attackers access to every additional account a user has been granted through SSO.
Misconfigurations and common security issues are the two main Active Directory risks in most organizations. Organizational challenges can also arise. For example, in many organizations, IT administrators manage Active Directory deployments, while their security counterparts are responsible for protecting them. Many organizations face limited IT and security budgets, and security practitioners in particular are often expected to be knowledgeable in multiple domains. The result? Expert knowledge of Active Directory — and the many intricacies involved in properly implementing it — can be in short supply.
Our new whitepaper, Securing Active Directory: The Top 5 Configuration Mistakes Putting Your Organization at Risk, aims to give busy security and IT professionals a place to focus their Active Directory efforts. Tenable's Security Response Team (SRT) analyzed breach notices and consulted with our expert research team to provide insights into the Active Directory misconfigurations we believe are most likely to be exploited in an attack.
The whitepaper explores the reasons why such misconfigurations can happen in an organization, how they help attackers and what organizations can do to address them.
A closer look at two vulnerabilities affecting Active Directory
Although vulnerabilities directly impacting Active Directory have not been commonplace, attackers tend to chain vulnerabilities together to elevate their privileges. They often leverage legitimate accounts and Active Directory access to pivot further and access or attack sensitive systems on a network. The paper provides insights into two prominent vulnerabilities — Zerologon (CVE-2020-1472) and ProxyLogon (CVE-2021-26857 and others) — and how they can impact Active Directory.
Download Securing Active Directory: The Top 5 Configuration Mistakes Putting Your Organization at Risk and you'll learn:
- How attackers exploit and leverage Active Directory to attack organizations
- What types of vulnerabilities are used to target Active Directory
- What you can do to better protect your organization from common Active Directory misconfigurations
Improving cyber hygiene, maintaining regular patching cycles, developing plans to address out-of-band patches and performing regular backups can all help prepare your organization for the next vulnerability that could impact your Active Directory environment. Administrators and defenders must be ready and stay vigilant, implementing policies that reduce their exposure and protect their core systems.
Learn more
- Download the whitepaper: Securing Active Directory: The Top 5 Configuration Mistakes Putting Your Organization at Risk
- Read the blog: Disrupting the Pervasive Attacks Against Active Directory and Identities
- See more from Tenable Research here