Forrester AD report  - A spotlight on a critical component of your business

Category
Mon, 07/23/2018 - 10:00

Forrester recently published a research report titled The State Of Microsoft Active Directory 2018. We encourage everyone to read it, as it sheds a much-needed spotlight on the most critical component of every corporates in the world. We believe many of the trends described in the report will indeed shape the evolutions of Active Directory infrastructures and their usage.

Reading the report sparked some remarks and comments from our research team. As AD security experts, we wanted to contribute to the discussion by adding some key features, techniques or interesting facts regarding Active Directory security. Here are some addendums and opinions to some of the key trends described in the Forrester report.

Organizations have too many forests

We feel obliged to re-state the most important point regarding AD forests and security: forests are the only true security boundary in Active Directory. They are an immensely useful feature to prevent a local compromise from spreading to a global catastrophe. We encountered too many multinational companies facing security issues because of a weakly-secured subsidiary in a remote country. Putting in place security boundaries such as multi-forest infrastructures and well-configured trust relationships helps isolate the system from its weaker components.

Forests are the only security boundary in AD environments.

Multiple forests help the forester (no pun intended) prevent fires to spread massively. However, setting up a multi-forest environment is by no mean bullet-proof: great care must be taken when configuring trust relationships between those AD instances. Parameters such as trust direction and filtering must be considered carefully to benefit from a strong isolation.

Organizations have too many domains

The report’s author mentions the importance of physical protection for domain controllers. Encrypting their hard-drives is a solution to prevent an attacker from stealing the secrets they manipulate. As domain controllers should be up and running 24/7, this is only useful against physical attacks: if an attacker manages to compromise a running DC, hard-drive encryption won’t stop him from accessing authentication secrets.

To mitigate this risk, Microsoft added a powerful feature to their DC arsenal: Read-Only Domain Controllers (RODC). They allow conscious AD administrators to restrict the secrets accessible to domain controllers in physically-unsecured sites, thus protecting the most sensitive credentials from local attacks.

Password authentications can be a security risk

Passwords must indeed be protected. The report hints at the classic solution to protect from credential thefts: using two-factor authentication (2FA). While a great hardening method, one must not forget the fundamentals of AD authentication. When a user authenticates, AD generates an authentication secret (such as a Kerberos ticket, a session key, a token or a certificate) to allow users to connect to different services (file servers, web applications, remote desktop) without having to re-enter a password and use the 2FA device. This functionality is described as the Active Directory Single-Sign-On (SSO). A malicious attacker able to steal or forge a valid ticket will be able to impersonate the victim, without the use of the 2FA device. While a more complex scenario, this must remind us that 2FA is not bulletproof.

Two-factor authentication is not bulletproof.

Protecting these secrets has been a recent focus of Windows security teams at Microsoft. They added powerful features (such as Credential Guard) to prevent attackers from extracting authentication keys from the computer’s memory and help mitigate this risk.

Photo by Fancycrave on Unsplash

Group membership can introduce security flaws

The author rightly points at the AD groups as the usual source of privileges: indeed, a user can or cannot perform an action because of the groups he belongs to. To be slightly more precise, every Active Directory object (e.g. user or computer) embeds its own set of permissions. Examining this list of access control entries is the key to discovering security flaws. Having a strong control of privileges in an ever-evolving company is one of the challenges that every CISO must tackle.

The report recommends replacing manual security reviews by more regular automated checks using software solutions. The vendors mentioned by the article offer great tools to check that a company security policy is well implemented: how many admin accounts are allowed, how often a password must be changed, etc. These checks are unfortunately too simplistic to guarantee resilience against modern AD attacks. For example, many other AD features can be leveraged by a skilled attacker to escalate privileges (e.g. using the “SID History” attribute to grant oneself increased privileges). Being compliant with the enterprise security policy is by no mean a safeguard.

100% of corporates suffering from cybersecurity breaches had a security policy.

The tools mentioned in the article have some operational drawbacks, such as putting a heavy burden on the security teams, as policy must be manually implemented and updated as state-of-the-art attack techniques are published in security conferences. We believe in decreasing the workload of operational teams, not increasing it. AD security mechanisms are complex, and attackers regularly find creative ways of exploiting them. Staying ahead in this cat-and-mouse game is impossible to do in a corporate environment without a specialized R&D team, a luxury very few enterprises have. Outsourcing this research effort to competent vendors providing ready-to-use solutions with continuously-updated detection mechanisms appears to be the best posture. A good solution provides immediately actionable insights, so that administration teams have more time to focus on other problems.

Solution

At Alsid, we believe in pragmatic security. A secure system is one that is impossible to compromise, not one compliant with a legacy security policy that has not evolved. We implement non-intrusive, real-time and plug n’ play solutions to make sure an AD infrastructure is safe from the most advanced attack techniques.

Reach us to learn more about our company.

Emmanuel Gras
Co-founder & CEO
After graduating from Mines Paristech, Emmanuel spent 3 years at Orange, auditing core telco networks. He then joined ANSSI, the French national authority in the area of cyberdefense and network security (NIS). He designed large-scale audit tools for Microsoft Active Directory, and he now develops Alsid's products and solution packages.

Get in touch

Let's explore together how Alsid can improve your products and services

Contact us