
Five Major Active Directory Risks to Mitigate

Australian cybersecurity executives explore risks and challenges in aging Active Directory installs

Active Directory is a centralised repository that stores information about users, computers and other resources in a network. 

The service provides authentication, authorisation, user and group management, policy enforcement and a hierarchical structure for organising information. As such, it is an essential component in large organisations for managing networks, users and systems. 

This article is an excerpt from the Inside Active Directory Security, Australia 2023 report. The full report is available as a free download from this link.

Having long been the central database for users, computers and resources in the networks of most large businesses, Active Directory represents an attractive target for cybercriminals, with estimates suggesting it is exploited in 90% of cyberattacks. 

The Australian Signals Directorate’s First Assistant Director General for Cyber Security Resilience at the Australian Cyber Security Centre, Stephanie Crowe, says that since its release with Windows 2000, and with continued integration into Microsoft products ever since, Active Directory has become a near-ubiquitous system in Windows networks.

“Successful compromise of Active Directory will typically give an adversary the keys to the kingdom, providing access to nearly all systems, applications, and resources,” she says.

“Effective Active Directory management is vital to protect credentials, applications, and sensitive data from unauthorised access. Taking action early limits the impact of a breach, and can prevent the adversary from further compromising the network.” 

Jamie Norton, who is a partner with specialist advisory firm McGrathNicol and a former CISO for the Australian Taxation Office, similarly observes the ubiquity of Active Directory in organisations today, saying there would be very few large organisations that wouldn’t use Active Directory, unless they had made a very specific choice from their beginnings to use alternative technologies. 

Norton adds that it is important not to forget this underlying architecture when talking about identity and access management. 

“Often there will be multiple Active Directories within the environments of large organisations,” he says. 

“The IAM (identity and access management) space typically provisions into Active Directory. Assuming that you are using Active Directory for authentication and authorisation, how things get into Active Directory, how things are removed from it and all of the hygiene around that is critical to IAM.

“For example, you need a process and framework to integrate your users with your payroll system as people get onboarded. Which roles get provisioned into Active Directory, what permissions they get and what authorisations they have are key considerations. 

“That doesn’t have to be done within Active Directory itself, Active Directory can just be the transactional piece where you then have other systems that manage the identity. And some organisations do use Active Directory almost like an identity store, rather than as a technical building block. 

“However, it remains the underlying directory that will provide opportunities for bad actors if not well maintained.”

Risks with Active Directory 

The risks inherent in credential and user account management are well known in the modern business world, and organisations today think a lot about identity and access management. 

One major risk when it comes to Active Directory and its associated infrastructure relates to legacy IT, particularly how these databases and domain controllers have been established and then maintained in big, decades-old organisations. 

Rob Wiggan, Cybersecurity Advisor with global risk management consultancy firm WTW, who has also held security leadership roles in higher education and the banking sector, says that in many cases it is infrastructure teams who build and maintain domain controllers and user directories, often without the security team’s direct involvement. 

“In a number of the organisations I’ve observed, the Active Directory might be 15 years old from when it was first developed,” he says. “When people first started working with Active Directory, they didn’t really understand the power that it would have in 10 or 15 years’ time. 

“The CISO role and the security team’s role were not to determine the construct of the directory, but more often to think about what controls to have in place, similar to how many other applications in an environment are approached from a security perspective, with certain permissions and authentication for use. 

“So, there are many Active Directories that have no real structure to them, they’ve got users in them that have been there for a long time. They may be disabled or they may not be. There may also be user objects within that Active Directory that are critical to the running of certain applications in the organisation, particularly organisations with a lot of legacy.” 

Decades of organic growth in certain Active Directory forests run at odds with the approach organisations are leaning into today, where application development, configuration and design are done with security in mind from the ground up. 

Jamie Norton says over time, without modern risk oversight and Active Directory governance, these services can become disorganised. 

“I don’t think it will be too revealing to say that most large organisations are going to have a degree of untidiness in their Active Directory,” he says. 

“Typically, there will be multiple forests and multiple instances of directories that have different Active Directory data in them and that may be based on different environments, like development environments or production environments. It could even just be a bit all over the place depending on how it has transformed and morphed over time. 

“Unless you are very diligent from the start and you’ve got a process that’s very robust, you will end up with an Active Directory that’s got different artefacts that shouldn’t be there, and things that have been left to rot over time. 

“You end up with an Active Directory where no one really knows everything that’s in there. There will be scepticism over whether there are people still in it that shouldn’t be, or objects still in it that shouldn’t be, and you lose overall confidence that your Active Directory is up to scratch. 

“Then, as a big organisation, you have to look at how you start again and rebuild, which is like trying to fly the plane and build it at the same time. You have production environments that can’t stop while you’re trying to redefine your whole directory structure. 

“This also impacts the applications that interact with it, and whether the artefacts inside are there from a bygone era or there because they need to be there. Rectifying that is a huge challenge.”


A Vulnerable Target

The ubiquity of Active Directory as the underlying software and infrastructure for authentication and authorisation, coupled with years of potential sprawl and patchy governance, makes these services a target for attackers. 

Australian Cyber Security Centre’s Stephanie Crowe says Active Directory is commonly exploited by adversaries after obtaining an initial foothold in a network. 

“Attacks will often focus on gaining an understanding of the network and subsequently moving laterally through the network to sensitive systems and accounts, and elevating access by compromising privileged accounts,” she says. 

“There are many publicly available tools that make targeting Active Directory achievable with relative ease, and if the attacker is successful, they are easily able to hide their tracks, which can make it difficult for organisations to detect.” 

McGrathNicol’s Jamie Norton agrees, noting that gaining access to Active Directory and domain controllers enables attackers to create their own credentials that pass as being totally legitimate. 

“Particularly if Active Directory is in a bit of an untidy state, it’s less likely to be monitored well, and it may be misunderstood,” he says. 

“That means there is less chance that any alerts will be raised if an attacker does happen to escalate privilege to, say, a domain admin account. 

“This then feeds directly into the ability for threat actors to create their own illegitimate credentials that are genuine as far as the system is concerned. 

“Once that’s done and the trail is removed, a hacker has persistent access into the system. The chances of those on the operational side of security discovering the adversary in the network is then very challenging. It is much harder to track at that point. 

“There’s probably a lot more of this happening than we think because it’s a risk factor that you just can’t spot easily unless you have really good governance over your Active Directory.” 

Based on its engagement across the Australian economy, the Australian Signals Directorate understands the most common Active Directory attacks and vulnerabilities exploited by bad actors to involve: 

• Plaintext passwords in user-accessible locations 

• Kerberoasting and authentication service response message (AS-REP) roasting 

• Weak passwords and password configurations 

• Overly privileged accounts 

• Insecure domain controllers 
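The five risk areas above map onto checks an administrator can run against their own domain. The following PowerShell script is an added example, not part of the report or of any ASD guidance; it assumes the RSAT ActiveDirectory module is installed, that it runs as a domain user with ordinary read access, and that SYSVOL is reachable at the standard `\\<domain>\SYSVOL` path. The function name `Invoke-AdRiskAudit` and the group list are the author's own choices, and the output is a starting point for remediation rather than a complete assessment.

```powershell
# Added example (not from the report): surface the five common AD risk areas
# using RSAT ActiveDirectory cmdlets. Read-only; nothing is changed in the domain.
Import-Module ActiveDirectory

function Invoke-AdRiskAudit {
    $domain  = Get-ADDomain
    $dnsRoot = $domain.DNSRoot

    # 1. Plaintext passwords in user-accessible locations.
    #    Old Group Policy Preferences XML in SYSVOL may still carry a 'cpassword'
    #    attribute; every domain user can read SYSVOL, so these files should be
    #    removed and the affected credentials rotated.
    $sysvol  = "\\$dnsRoot\SYSVOL\$dnsRoot\Policies"
    $gppHits = Get-ChildItem -Path $sysvol -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword=' -List |
        Select-Object -ExpandProperty Path

    # 2. Kerberoasting and AS-REP roasting.
    #    Enabled user accounts with an SPN should have long, rotated passwords or be
    #    migrated to group managed service accounts; accounts with Kerberos
    #    pre-authentication disabled should have it re-enabled unless there is a
    #    documented reason.
    $spnUsers = Get-ADUser -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true } `
        -Properties ServicePrincipalName, PasswordLastSet |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        Select-Object SamAccountName, PasswordLastSet,
            @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }

    $noPreauth = Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } |
        Select-Object SamAccountName, Enabled

    # 3. Weak passwords and password configurations.
    #    Domain policy plus the two per-account flags that bypass it.
    $policy = Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge
    $pwdNotRequired = Get-ADUser -Filter { PasswordNotRequired -eq $true -and Enabled -eq $true } |
        Select-Object SamAccountName
    $neverExpires = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
        -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet

    # 4. Overly privileged accounts: recursive membership of the built-in
    #    highly privileged groups (hypothetical list; extend to match the environment).
    $privGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
    $privMembers = foreach ($g in $privGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
    }

    # 5. Insecure domain controllers: operating system level and role of each DC,
    #    so unsupported builds and unexpected read-only DCs stand out.
    $dcs = Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem, OperatingSystemVersion, IsGlobalCatalog, IsReadOnly

    # Return one object so the caller can export it (e.g. ConvertTo-Json) or inspect it.
    [pscustomobject]@{
        Domain                 = $dnsRoot
        GppPasswordFiles       = @($gppHits)
        KerberoastableUsers    = @($spnUsers)
        AsRepRoastableUsers    = @($noPreauth)
        PasswordPolicy         = $policy
        PasswordNotRequired    = @($pwdNotRequired)
        PasswordNeverExpires   = @($neverExpires)
        PrivilegedGroupMembers = @($privMembers)
        DomainControllers      = @($dcs)
    }
}

# Usage: run the audit and print the counts that usually drive the remediation backlog.
$audit = Invoke-AdRiskAudit
"Domain: $($audit.Domain)"
"GPP files with cpassword   : $($audit.GppPasswordFiles.Count)"
"Users with SPNs            : $($audit.KerberoastableUsers.Count)"
"Users without preauth      : $($audit.AsRepRoastableUsers.Count)"
"Enabled, password not req. : $($audit.PasswordNotRequired.Count)"
"Enabled, password never exp: $($audit.PasswordNeverExpires.Count)"
"Privileged group members   : $($audit.PrivilegedGroupMembers.Count)"
"Domain controllers         : $($audit.DomainControllers.Count)"
```

Each list returned by the function is a remediation queue rather than a finding in itself: a service account with an SPN is expected, but one with a short password last set a decade ago is exactly the "left to rot" artefact described earlier in the article. Running the audit on a schedule and diffing the output against the previous run is a cheap way to notice new privileged members or newly disabled pre-authentication, which is the kind of change an attacker escalating to domain admin would make.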

The risk areas around legacy or ungoverned Active Directory installs are exacerbated by the changing wider cybersecurity landscape, which we will touch on in the next chapter while examining the drive to increase maturity around Active Directory security.

Get all the insights from our recent report, Inside Active Directory Security, Australia 2023 by following this link.