SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Safeguarding your Active Directory: 5 best practices to bolster your cyber resilience
Thu, 16th Mar 2023

Active Directory attacks have been on the rise over the past few years, prompting more organisations to rethink their cybersecurity strategies and place more importance on AD protection. Protecting Active Directory is vital for one simple reason - Active Directory is an essential tool for providing the authentication and authorisation services that help IT ecosystems run smoothly. As Microsoft Office 365 adoption continues to grow, so does the complexity of securing AD. According to Frost & Sullivan, approximately 90% of the Global Fortune 1000 companies use Active Directory as a primary method to provide seamless authentication and authorisation. With so many users across the world, AD remains one of the top targets for cyberattacks.

Cybercriminals who gain control over Active Directory environments will have direct access to sensitive data, making it easy to steal security credentials, launch ransomware and ultimately wreak havoc inside the business. Think of it like having a stolen key card: hackers who have made their way inside the building can now take the elevator, wander through offices, open desks, and look through drawers. With more complex IT infrastructures and avenues of entry, the threats facing AD environments are growing in number day by day, leaving more businesses susceptible to potential economic and reputational damage.

At first glance, securing the Active Directory might seem like an impossibly complicated task, with many cybersecurity professionals not knowing where to start. However, the reality is completely different, and companies can find themselves in a much better position by implementing several key best practices.

1. Bring down your attack surface area

The first step in reducing risk is starting with a clean slate. Begin with the IT environment itself: aim to reduce the number of forests and domains, and identify and remove duplicate and other unnecessary groups. Also, don’t forget to remove unnecessary software installed on domain controllers and sensitive servers. Then reduce the ways that the environment could be misused or exploited, limiting user permissions by applying the principle of least privilege. It is also imperative to set up account expiration dates when creating accounts for temporary staff, such as contractors, interns and visitors, to reduce delegation across organisational units, and to prevent domain controllers from accessing the internet.

2. Ensure control over sensitive systems and credentials

To further minimise the risk that your most valuable data can be compromised, require multi-factor authentication on sensitive systems, and ensure admins use jump boxes when connecting using privileged accounts and that they log on only to hardened workstations. Also, you can easily manage your privileged accounts using a hardened password vault solution. Finally, instead of granting anyone permanent admin access to sensitive servers, use temporary group membership with automatic start and end date/time, thus implementing more control over user access.

3. Keep an eye on privileged group membership

Once your house is in order, you need to monitor the actions of everyone in it. Watching for privilege escalation should be at the top of your list, especially when it comes to privileged groups such as Administrators, Print Operators, Network Configuration Operators, or Backup Operators. IT teams should monitor in real time not only direct changes to privileged groups but also any additions of members to nested groups (which Windows servers do not log). To help with this, implementing a solution that can prevent anyone from changing your most critical security groups will prove beneficial in the long run.
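
One way to catch additions that arrive through nested groups is to compare the effective (transitive) membership of each privileged group between two directory snapshots. The sketch below is an added example, not part of the original article; the group names other than the built-in ones, the user names and both snapshots are constructed, and collecting the snapshots from a real domain is assumed to happen elsewhere.

```python
# Added example: constructed directory snapshots, not output from a real domain.
from collections import deque

PRIVILEGED = {"Administrators", "Backup Operators", "Print Operators",
              "Network Configuration Operators"}

def effective_members(groups, root):
    """Return {user: path} for every user reachable from `root` through nesting.

    `groups` maps a group name to the set of its direct members (users or
    groups). The path records the chain of groups that grants the membership.
    """
    found, seen = {}, {root}
    queue = deque([(root, (root,))])
    while queue:
        group, path = queue.popleft()
        for member in sorted(groups.get(group, ())):
            if member in groups:              # nested group: descend once
                if member not in seen:        # guards against circular nesting
                    seen.add(member)
                    queue.append((member, path + (member,)))
            elif member not in found:         # user: keep the shortest path
                found[member] = path
    return found

def privilege_drift(baseline, current, privileged=PRIVILEGED):
    """List (group, user, path) for users who gained effective membership."""
    drift = []
    for group in sorted(privileged):
        before = effective_members(baseline, group)
        after = effective_members(current, group)
        for user in sorted(set(after) - set(before)):
            drift.append((group, user, " -> ".join(after[user])))
    return drift

# Constructed snapshots: the privileged group itself is identical in both.
BASELINE = {
    "Backup Operators": {"svc-backup", "Backup-Tier1"},
    "Backup-Tier1": {"alice", "Helpdesk-Leads"},
    "Helpdesk-Leads": {"Backup-Tier1"},       # circular nesting, on purpose
    "Administrators": {"admin-jo"},
}
CURRENT = {**BASELINE, "Helpdesk-Leads": {"Backup-Tier1", "mallory"}}

if __name__ == "__main__":
    for row in privilege_drift(BASELINE, CURRENT):
        print(row)
```

The reported path shows which intermediate group granted the new access, which is the detail a reviewer needs when the privileged group's own member list has not changed.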

4. Automation is your best friend

When it comes to security, automation can provide a helping hand to IT teams under pressure. Companies can supplement native tools with solutions that automatically detect and prevent unauthorised intrusions to privileged and VIP groups and accounts, and that keep controls from being bypassed by enforcing rules-based access to sensitive resources. Organisations can also use automation to remediate issues. In particular, look to implement self-correcting policies that automatically remediate compliance gaps, and build rules that automate the reversion of unauthorised changes to sensitive users or groups.

Another key tip to keep in mind is preventing unauthorised creation of accounts by defining a whitelist of authorised credentials permitted to perform this task. If someone who is not on the approved list creates a user account, the event should trigger an alert, and possibly even disable the creator’s account, the created account or both. Also, companies can prevent unauthorised changes to important enterprise groups and GPO settings by using a whitelist of authorised users. With a whitelist in place, even if insiders gain admin rights from compromised credentials, their attempts to change the membership of privileged groups like Domain Admins and Enterprise Admins will be denied.
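
The allowlist rules described above can be expressed as detection logic over account-management events. This is an added example, not part of the original article: the event IDs are the Windows Security log IDs for account creation and group-member additions, while the allowlists, account names and event records are constructed, and the response actions are only returned as proposals rather than executed.

```python
# Added example: allowlists, account names and event records are constructed.
# 4720 = user account created; 4728/4732/4756 = member added to a
# security-enabled global/local/universal group (Windows Security log IDs).
CREATE_USER, GROUP_ADD = 4720, {4728, 4732, 4756}

AUTHORISED_CREATORS = {"svc-provisioning", "idm-admin"}       # assumption
AUTHORISED_GROUP_EDITORS = {"tier0-admin"}                     # assumption
PROTECTED_GROUPS = {"domain admins", "enterprise admins"}

def evaluate(event):
    """Return the response actions the allowlist policy calls for (none if OK)."""
    actor = event["SubjectUserName"].casefold()   # AD names are case-insensitive
    target = event["TargetUserName"]
    if event["EventID"] == CREATE_USER:
        if actor in AUTHORISED_CREATORS:
            return []
        return [("alert", f"{actor} created account {target}"),
                ("disable_account", actor),
                ("disable_account", target.casefold())]
    if event["EventID"] in GROUP_ADD and target.casefold() in PROTECTED_GROUPS:
        if actor in AUTHORISED_GROUP_EDITORS:
            return []
        return [("alert", f"{actor} changed {target}"),
                ("revert_membership", target, event["MemberName"])]
    return []

def triage(events):
    """Map each event's index to its actions, skipping compliant events."""
    verdicts = {i: evaluate(e) for i, e in enumerate(events)}
    return {i: actions for i, actions in verdicts.items() if actions}

# Constructed events using the field names of the real event schemas.
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "svc-provisioning",
     "TargetUserName": "new.starter"},
    {"EventID": 4720, "SubjectUserName": "Bob.Admin",
     "TargetUserName": "tmp-helper"},
    {"EventID": 4728, "SubjectUserName": "bob.admin",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=tmp-helper,CN=Users,DC=example,DC=test"},
    {"EventID": 4728, "SubjectUserName": "bob.admin",
     "TargetUserName": "Canteen Staff",
     "MemberName": "CN=tmp-helper,CN=Users,DC=example,DC=test"},
]

if __name__ == "__main__":
    for index, actions in triage(SAMPLE_EVENTS).items():
        print(index, actions)
```

Because this logic evaluates events after the fact, it covers the alerting and reversion side of the policy; denying the change outright needs enforcement in front of the directory.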

5. Plan out your AD business continuity process

The skyrocketing number of ransomware attacks has vividly illustrated the need for comprehensive disaster recovery planning, with Active Directory front and centre. A solid AD recovery plan starts with proper backups. Back up your domain controllers, databases, and other systems frequently, and store those backups securely. Test your business continuity plan regularly, including all stages of your disaster recovery plan. Make sure to incorporate recovery into your security incident response process, and validate that your disaster recovery process meets your recovery time objectives following a disaster or breach.

Bolster your cybersecurity defences by placing Active Directory front and centre

Users need access to resources to do their jobs, and that’s why protecting the Active Directory becomes paramount to ensure that employees can access the data needed in a secure and safe manner. The key to AD security is balancing the need to streamline user access to maximise productivity against the need to protect sensitive data and systems from both accidental and deliberate privilege abuse. By following the Active Directory best practices mentioned here, companies will benefit from improved cybersecurity protection and, most importantly, peace of mind in a reality where cyber risks are exponentially growing.