Enhancing Active Directory Protection Through Strong Password and Access Management

Active Directory (AD) passwords remain the primary method of authentication at most organizations today. Weak passwords make it easy for attackers to compromise user accounts using any of numerous techniques and thereby gain entry to the corporate network. All too often, poorly configured permissions on the compromised AD account then enable the attackers to reach sensitive data and critical systems -- turning the breach of a single user account into a business disaster.

Accordingly, an effective way to improve AD security is to implement both strong password policies and robust permissions management and monitoring. This article provides recommendations to help.

AD attacks typically follow a similar path. Adversaries gain initial access by exploiting weak or stolen credentials. Once inside the network, they seek to escalate their privileges, either by exploiting vulnerabilities to extend the access rights of the account they already control or by taking control of other accounts with more powerful permissions. They use these additional access rights to move laterally through the environment until they reach critical systems and sensitive information. Then, they can complete their mission, for example, by shutting down operations, exfiltrating valuable information, or encrypting data and demanding a ransom.

This sketch of a typical AD attack brings to light two key AD security weaknesses that make it easier for adversaries to achieve their malicious goals: weak passwords and excessive access rights.

The first is the failure to require users to choose strong passwords. While best practices for password security have been repeated many times, some users still have passwords like "12345678" or "Summer2024".

Hackers target these users with techniques such as password spraying attacks, in which they attempt to log on to various user accounts in an organization using a list of common passwords, taking care to avoid triggering any lockout policies that might be in place. If the organization has a weak password policy (or no policy at all), the adversary is likely to happen upon a correct password sooner or later.

The situation becomes more dire if the organization also lacks strong controls for managing access rights. In those cases, the compromised AD account may have been granted excessive permissions, or the attacker could easily acquire elevated access by exploiting AD configuration issues like inappropriate group nesting. Moreover, the hacker can modify a special AD object called AdminSDHolder to obtain extra privileges while bypassing typical security alerts to maintain long-term access.

Accordingly, strong password policies and effective permissions management help minimize the risk.

Requiring users to choose strong passwords dramatically reduces the risk that their accounts can be taken over by attackers. To define the criteria that passwords must meet, organizations can turn to trusted and regularly updated standards such as the NIST password guidelines. These guidelines offer specific recommendations about matters such as password length, composition, complexity and reset requirements. The NIST guidelines also advise maintaining a blacklist of unacceptable passwords, including passwords harvested in previous breaches, dictionary words and context-specific words such as the name of the organization or service.
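The checks the guidelines describe (minimum length, a blocklist of breached and dictionary passwords, context-specific words, and the kind of "Summer2024" pattern mentioned earlier) are simple to express in code. The following is an added example, not part of the original article; the blocklist is a constructed stand-in for a real breached-password corpus, and the leetspeak folding is an extra normalization step so that "P@ssw0rd1!" is matched against "password".

```python
import re

MIN_LENGTH, MAX_LENGTH = 8, 64  # NIST SP 800-63B: at least 8, allow up to 64

# Constructed blocklist standing in for a breached-password / dictionary corpus;
# a real deployment would load this from a file of known-compromised passwords.
BLOCKLIST = {"12345678", "password", "qwerty123", "letmein", "welcome1"}

# Season followed by a year, e.g. "Summer2024" or "Winter-23".
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)[^a-z]*\d{2,4}$", re.IGNORECASE)

# Fold common substitutions so the blocklist also catches "P@ssw0rd".
LEET = str.maketrans("@$!0134", "asiolea")


def normalize(pw):
    """Lowercase, drop trailing digits/symbols ('password1!' -> 'password'), fold leetspeak."""
    folded = re.sub(r"[^a-z]+$", "", pw.lower())
    return folded.translate(LEET)


def is_sequential_or_repetitive(pw):
    """True for 'aaaaaaaa', '12345678', 'abcdefgh', '87654321' and similar."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def evaluate_password(password, username, org_terms=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(password) > MAX_LENGTH:
        problems.append("longer than 64 characters")
    if password.lower() in BLOCKLIST or normalize(password) in BLOCKLIST:
        problems.append("appears on the blocklist")
    if SEASON_YEAR.match(password):
        problems.append("season-plus-year pattern")
    if is_sequential_or_repetitive(password):
        problems.append("repetitive or sequential characters")
    # Context-specific words: the user's own name and organization/service names.
    for term in (username, *org_terms):
        if term and term.lower() in password.lower():
            problems.append(f"contains context-specific word '{term}'")
    return problems
```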

To avoid the heavy burden of implementing and enforcing these password requirements manually, organizations can use software solutions that streamline the work of designing and enforcing a strong password policy. In addition, organizations should consider giving users a password vaulting tool. That way, users need to remember only a single master password, so stricter password criteria can be imposed without the risks that come with frustrating users.

Combining these password solutions with multifactor authentication (MFA) and alerting on suspicious failed login attempts can make it even more difficult for attackers to take over user accounts.

While a strong password policy significantly reduces the chances of attackers slipping into the corporate network, organizations still need to take steps to reduce the risk from adversaries who succeed in gaining entry, as well as from legitimate users who are either careless or have malicious intent.

One of the most effective strategies is to rigorously enforce the least privilege principle, which requires each user to be granted only the access rights they need to perform their tasks. This approach minimizes the damage that can be done by a user account, whether it's being used by its legitimate owner or is under the control of an attacker. A complementary practice is regular AD risk assessments to identify and mitigate weaknesses such as default passwords, directly assigned permissions and nested group membership.

Another essential practice is continuous monitoring of AD activity. As mentioned above, attackers performing password-spraying attacks try to avoid detection by keeping failed login attempts below standard lockout thresholds. Therefore, these attacks can be hard to spot with traditional methods. However, advanced monitoring solutions include user behavior analytics (UBA) capabilities that can identify suspicious activity, such as login attempts from unusual locations and unexpected changes to sensitive AD objects like AdminSDHolder, and notify the security team.
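Per-account lockout counting cannot see a spray, because each account receives only one or two failures; the pattern only appears when failed logons are grouped by source and time. The following detection logic is an added example, not part of the original article: it runs over constructed, simplified failed-logon records (Windows Security event 4625, with 4624 marking a success) and flags a source whose failures fan out across many accounts while every account stays below the lockout threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon events (Windows Security event 4625), simplified to
# "timestamp event_id target_user source_ip"; these are not real log records.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z 4625 alice 203.0.113.5
2024-05-01T10:00:04Z 4625 bob 203.0.113.5
2024-05-01T10:00:07Z 4625 carol 203.0.113.5
2024-05-01T10:00:10Z 4625 dave 203.0.113.5
2024-05-01T10:00:13Z 4625 erin 203.0.113.5
2024-05-01T10:00:16Z 4625 frank 203.0.113.5
2024-05-01T10:00:19Z 4625 grace 203.0.113.5
2024-05-01T10:00:22Z 4624 heidi 203.0.113.5
2024-05-01T10:01:00Z 4625 carol 198.51.100.7
2024-05-01T10:01:20Z 4625 carol 198.51.100.7
2024-05-01T10:01:40Z 4625 carol 198.51.100.7
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, event_id, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(event_id), user, ip))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, lockout_threshold=5):
    """Return {source_ip: sorted target accounts} for sources whose failures spread over
    at least min_accounts accounts within the window, each below lockout_threshold."""
    failures = defaultdict(list)  # source_ip -> [(time, target_user)] for 4625 only
    for ts, event_id, user, ip in events:
        if event_id == 4625:
            failures[ip].append((ts, user))
    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # slide a time window over this source's failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) < lockout_threshold:
                findings[ip] = sorted(per_user)
    return findings

if __name__ == "__main__":
    print(detect_spray(parse_events(SAMPLE_EVENTS)))
```

The legitimate user carol mistyping her password three times from 198.51.100.7 is not flagged, while 203.0.113.5 is, even though it never produced more than one failure per account.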

Malicious actors exploit weak passwords and misconfigured AD permissions to enter the corporate network, move laterally and inflict serious damage. Organizations can mitigate these risks with straightforward controls. By implementing strict password policies, MFA, enforcement of the least privilege principle, regular AD risk assessments and continuous AD monitoring, organizations can significantly reduce the risk of costly breaches, data loss and downtime.
