Active Directory: Introduction
Active Directory (AD) serves as the cornerstone of modern enterprise networks, enabling centralized user management, authentication, and resource access control. However, the complexity and criticality of Active Directory also make it an attractive target for attackers. To safeguard your organization's infrastructure, it's crucial to be aware of the common pitfalls and vulnerabilities that can undermine Active Directory security and adopt effective mitigation strategies.
In this blog series, we will embark on a journey through the intricate landscape of Active Directory, shedding light on the most prevalent pitfalls and vulnerabilities that organizations face. We will explore the potential consequences of these weaknesses and provide practical mitigation techniques to fortify your Active Directory environment against potential attacks.
What is the Active Directory series about?
This is the introduction for a blog series about Active Directory security testing and common pitfalls. We will go through a typical kill-chain/path an adversary can take when trying to compromise an Active Directory system.
The aim of this series is to spread awareness about common Active Directory security issues and how to mitigate them. Active Directory is very effective, but for it to remain effective, it is crucial to implement it properly to ensure that it is not left exposed and vulnerable.
The blog series will consist of 5 parts:
- Domain Trust
- Privilege Access
The Cyber Kill Chain
The Cyber Kill Chain is a 7-step process, developed by Lockheed Martin, which an adversary usually follows and completes to achieve its goals. The process consists of:
- Command and control
- Actions on objectives
A cyberattack does not need to contain all of them. When it comes to Active directory, it is a complex system and there are several pitfalls during configuration that can give an adversary a way into the system. In this series we will follow a path which many adversaries have taken and look at the common vulnerabilities and misconfigurations that enable threat actors to invade and compromise systems.
What is Active Directory?
Before going into what Active Directory is, it is important to know about LDAP, Lightweight Directory Access Protocol. LDAP is a software protocol used to locate data, files, devices, and other resources on a network. Commonly it is used to provide a centralized place for authentication and can store usernames and passwords. It was also developed for applications (such as RADIUS and TACAS+) controlling wireless communication and handled millions of user authentications. Applications such as Docker, Kubernetes and OpenVPN can be used with LDAP to validate credentials, either directly or via federated service portals like ADFS (Active Directory Federated Services). LDAP was also created to enable faster and scalable retrieval of user information.
Active Directory was implemented with LDAP support to make it possible for LDAP based applications or non-windows machines to work with AD environments. Active Directory is developed by Microsoft and uses LDAP as its foundation. It stores and organizes information about objects in a networked environment. It acts as a centralized database that manages and provides access to resources such as users, computers, printers, and applications in a Windows domain.
Simply worded, LDAP is like an electronic phonebook used to organize and access information and Active Directory is a system that uses LDAP to manage all kinds of important information about the organization.
Another term commonly associated with Active Directory is Kerberos. Kerberos is used for authentication and authorization to network resources. Not to be confused with LDAP, even though it can be used for authentication as well, LDAP is mainly used as a directory management protocol. Kerberos and its pitfalls will be discussed further into the series.
Active Directory consists of the following core components:
Objects are the building blocks of Active Directory and represent various entities in the network, such as users, computers, groups, printers, and organizational units (OUs). Each object has attributes that define its properties and characteristics. For example, a user object may have attributes like username, password, email address, and group membership.
The common term for forest means a big collection of trees. Within the world of Active Directory, each tree is a group of related things. In more technical terms, each forest is a group for related and interconnected domains. The domains contain users, computers, and other resources. Within each domain there are more specific groups called organizational units (OUs) with their own sets of resources. Two forests can communicate by creating a forest level trust. A forest is a way to organize and manage groups of related things, all connected.
As touched upon earlier, a tree is a collection of related domains. Domains within a tree can communicate with each other using one way or two-way trust (this will be discussed further in later posts in the series).
A domain is a logical grouping of computers, users, and network resources that share a common security and administrative boundary. It represents a distinct unit of organization within a network and is identified by a unique domain name. Domains are used to manage and authenticate users, enforce security policies, and facilitate resource sharing.
Organizational Units (OUs)
OUs are containers within a domain that help organize and manage objects in a hierarchical structure. They allow administrators to delegate administrative tasks, apply Group Policies, and control access to resources more effectively. OUs can represent departments, geographical locations, or any other logical grouping of objects.
A domain controller is a server that hosts a copy of the Active Directory database for a specific domain. It manages authentication and authorization requests, enforces security policies, and replicates changes to other domain controllers in the same domain. Domain controllers also provide services like user authentication, directory searches, and policy enforcement. It can be compared to a regional manager, overseeing a specific area (domain) in the Active Directory. It is dedicated to ensuring the proper functioning, security, and organization of a specific domain within the network.
Common Security Risks in Active Directory
Active Directory provides a robust and scalable infrastructure for managing resources, simplifying user administration, ensuring security, and enabling efficient collaboration within an organization's networked environment. It offers features like centralized management, and policy enforcement, making it a key component in Windows-based network environments.
Protection of Active Directory is paramount due to its critical role in managing and controlling access to an organization's resources. The following list mentions a few reasons why security is vital for Active Directory:
Authentication and Access Control
Active Directory authenticates users and grants them access to various resources based on their permissions. The Active Directory Control Model defines how permissions and access rights are managed within the Active Directory. By using a combination of security descriptors, access control entries (ACEs), and access control lists (ACLs) it is possible to control who can access what resources. Each object in Active Directory, such as users, groups, and computers, has permissions that determine what actions they can perform, such as reading, writing, or modifying the object. The principle of least privilege is used, meaning users and processes are granted only the minimum access necessary to perform their tasks. By enforcing fine-grained access controls, the Active Directory Access Control Model helps maintain data security, prevent unauthorized access, and ensure the integrity of the directory's resources.
Ensuring strong security measures protects against unauthorized access, data breaches, and potential misuse of sensitive information. Proper authentication and access control mechanisms help safeguard valuable resources and maintain the integrity of the network.
Protection Against Data Loss and Manipulation
Active Directory holds vital information about users, groups, and computers. If security measures are not in place, attackers can manipulate or delete this information, causing data loss, system instability, or disruptions to business operations. Many may not know that, by default, all users within a domain are able to read all object information within the domain. This can result in finding passwords saved in the description field of an object or other sensitive information.
Robust security measures, such as secure authentication protocols, encryption, and access controls, help mitigate these risks and maintain the integrity of Active Directory data. Aside from the technical security measurements, security policies and routines are also crucial, such as password policies, privilege management, endpoint protection, incident response policies and a lot more.
Prevention of Unauthorized Changes
Unauthorized modifications to Active Directory objects can have severe consequences, including privilege escalation, unauthorized access, or the creation of backdoors. Anonymous access is disabled by default but are sometimes enabled by administrators to maintain old legacy applications that may require it. Active Directory domains that are old and have overgone domain upgrades might have this permission enabled. Implementing security controls, such as audit logging, monitoring, and role-based access controls, helps detect and prevent unauthorized changes, ensuring the stability and reliability of Active Directory.
Mitigation of Insider Threats
Active Directory security also addresses the risks posed by insider threats, which involve malicious or unintentional actions by employees or authorized individuals within an organization. By implementing proper access controls, monitoring user activities, and applying least privilege principles, organizations can minimize the potential damage caused by insider threats.
Compliance and Regulatory Requirements
Many industries have specific compliance and regulatory requirements for protecting sensitive data. Active Directory security measures play a crucial role in meeting these obligations. By enforcing proper security controls, organizations can demonstrate adherence to industry standards, protect customer information, and avoid legal and financial repercussions.
The next chapter of this series will focus on the reconnaissance and exploit phase in the Cyber Kill Chain process, where we will discuss the well-known tool PowerShell and its multitude ways of use in Active Directory.
Knowit's penetration testing team is located in several cities in Sweden and in Oslo. Do you want to be part of creating a safer digital world together with driven and committed colleagues? Our penetration test team has an opening - read more (in Swedish). You can read about our offers and contact us here.
About the author
Tobias Borgen is Head of Infrastructure Security Testing and is located at Knowit's office in Oslo. Elin Wallgren is a penetration tester located at Knowit's office in Karlskrona.