The top five questions you must ask when building an AD security programme

Enforcing Active Directory security in these circumstances is paramount, but only after the most pressing questions are answered



24 September 2020

In association with Alsid

For more than 20 years, Active Directory (AD) has formed the backbone of organisations worldwide. It does far more than govern authentication and passwords: it holds the access control rights for almost every organisational asset. Active Directory is by no means a static system, and its universal adoption is a testament to its ability to adapt to ever-changing business requirements. A modern organisation's architecture can change instantly, and AD security hygiene can deteriorate just as fast if the directory is not managed and secured properly.

Enforcing AD security in these circumstances is paramount, but only after the most pressing questions are answered. Not all so-called AD security solutions are created equal, so we have assembled the fundamental questions that we believe will help your decision-making process.




Does the AD security vendor install agents on the Active Directory, and are privileged rights required?

No security professional wants to hand control of a system they spend their days maintaining to an outsider, and the same goes for the administrator of a system as complex as Active Directory. Part of that job is ensuring that control of AD is not granted freely to any third party or external source. Vendors usually obtain that control by deploying agents on the domain controllers that run under a privileged account and are trusted by the directory, which gives the agent the ability to view, modify or delete objects. Installing an agent should not be a prerequisite for securing AD, whether on a domain controller or on any other endpoint. Given how central Active Directory is to the organisation, administrators should be uncomfortable with a vendor that demands mandatory access to the directory: an agent holding privileged rights is one more principal that can reach confidential corporate data, and one more component an attacker who lands on that server can abuse.

It is imperative that privileged rights over Active Directory are not surrendered and that the platform is unable to alter or modify objects. Most current AD auditing solutions provide little protection: they monitor and report on attacks after they have occurred, and many of them deploy agents on domain controllers that grant partial or full control over the state of AD objects. No third party needs write access to AD objects in order to audit them. Some agent-based solutions also impose strict update schedules to remain supported, and some require the .NET Framework to be installed, including on the domain controllers.

Does the AD security vendor display information in real time?

Picture driving a car. A real-time warning system should alert you when a dangerous oncoming driver is approaching, not after that driver hits your car. Likewise, you would want to know about a brake fault before you set off, not when the brakes fail on the road. In the world of AD security, real-time alerting is mission critical. A real-time solution must detect and alert you to ongoing configuration changes that weaken the security of AD, and provide recommended steps for remediation. Real-time detection is what makes a monitoring approach genuinely proactive. Because attackers can sit for months inside a target network waiting for the right AD attack path to appear, constant visibility of your AD security posture is essential.

Does the AD security vendor rely on AD event logs or AD object changes to provide analysis?

Trying to secure AD continuously from AD event logs alone is difficult and never gives full visibility. To keep up, you need dedicated AD security experts who constantly follow AD threat intelligence, know which of your misconfigurations are being leveraged in attacks, understand which event IDs betray those attacks, and write rules to pick the relevant events out of the full stream of domain controller logs. That is expensive, hard and inefficient.

What is more, attackers now use techniques that leave little or no trace in the event log. DCShadow registers the attacker's machine as a rogue domain controller and pushes changes through replication, so the change arrives on the legitimate domain controllers as replicated data rather than as a logged directory write. Others simply switch auditing off: object-level audit events are generated only for the operations listed in an object's SACL, so an attacker with the right to edit the SACL can remove those entries and then modify the object without any event being created. (DCShadow does still leave residue in the directory itself, such as the temporary server object in the Configuration partition, which is one more reason to watch the objects rather than the logs.)

That means event logs alone can no longer be trusted to give a full view of what is happening in AD. The only way to get that view is at the object level of the AD database, which is precisely what Alsid does.
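As an added illustration of the point above (example code written for this page, not Alsid's product or code), the following PowerShell reads change evidence from the directory's own replication metadata and from the Configuration partition, neither of which an attacker can silence by editing a SACL. It assumes the RSAT ActiveDirectory module, a domain-joined session, and, for the SACL read via `Get-Acl -Audit`, the "Manage auditing and security log" user right; the seven-day look-back window is an arbitrary choice.

```powershell
# Added example (not from the article or Alsid): object-level evidence of changes,
# read from replication metadata that survives even when auditing has been switched off.
# Assumes: RSAT ActiveDirectory module, domain-joined session, SeSecurityPrivilege for Get-Acl -Audit.
Import-Module ActiveDirectory

$rootDn   = (Get-ADDomain).DistinguishedName
$configDn = (Get-ADRootDSE).configurationNamingContext
$dc       = (Get-ADDomainController -Discover -Service ADWS).HostName | Select-Object -First 1
$since    = (Get-Date).AddDays(-7)   # look-back window; arbitrary

# 1. SACL tampering. Object-level audit events (4662, 5136) are only produced for the
#    operations listed in an object's SACL, so an attacker who strips those entries
#    silences the log. The nTSecurityDescriptor attribute that holds the SACL still carries
#    replication metadata: Version rises by one per write, and the originating DC and
#    timestamp are recorded whether or not anything was logged.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$rootDn"
$sdMeta = Get-ADReplicationAttributeMetadata -Object $adminSdHolder -Server $dc |
          Where-Object { $_.AttributeName -eq 'nTSecurityDescriptor' }
$sdMeta | Select-Object Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity

if ($sdMeta.LastOriginatingChangeTime -ge $since) {
    Write-Warning ("Security descriptor of {0} rewritten on {1} from {2}" -f
        $adminSdHolder, $sdMeta.LastOriginatingChangeTime, $sdMeta.LastOriginatingChangeDirectoryServerIdentity)
}
$auditRules = (Get-Acl -Path "AD:\$adminSdHolder" -Audit).Audit
if (-not $auditRules) {
    Write-Warning "$adminSdHolder has no SACL entries: writes to it will never generate audit events"
}

# 2. DCShadow residue. DCShadow registers a server/nTDSDSA object for the attacker's machine
#    in the Configuration partition, pushes changes by replication, then deletes the object.
#    The live or tombstoned server object is still in the database, so compare recently
#    created (or deleted) server objects against the real list of domain controllers.
#    Legitimately demoted DCs show up here too; reconcile them against your change records.
$realDcs = (Get-ADDomainController -Filter *).Name   # current domain only
Get-ADObject -Server $dc -SearchBase $configDn -LDAPFilter '(objectClass=server)' `
             -IncludeDeletedObjects -Properties whenCreated, isDeleted |
    Where-Object { $_.isDeleted -or $_.whenCreated -ge $since } |
    ForEach-Object {
        # tombstones are renamed "<name>`nDEL:<guid>"; strip the suffix before comparing
        $name = ($_.Name -split "`nDEL:")[0]
        if ($name -notin $realDcs) {
            [pscustomobject]@{
                Server  = $name
                Created = $_.whenCreated
                Deleted = [bool]$_.isDeleted
                DN      = $_.DistinguishedName
            }
        }
    }
```

Run it from a management host with RSAT rather than on a domain controller. The first check is cheap enough to schedule against every object you care about (AdminSDHolder, the domain head, the Domain Controllers OU, the krbtgt account); the second only finds what DCShadow leaves behind, so it complements rather than replaces a watch on the objects that were actually changed.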

Does the AD security vendor proactively identify dangerous AD misconfiguration attack pathways out of the box?

Recall the car-and-driver analogy. Built-in anticipation in an AD security platform increases the likelihood of breaking potential attack paths before they are used. It delivers a proactive approach to AD security, rather than the reactive method used by the vast majority of solutions that claim to cater for AD.

The most common way AD is compromised today is through misconfigurations of the directory itself (over-permissive ACLs, delegations, group memberships and Kerberos settings) that attackers use to escalate privilege or spread ransomware. The most effective way to secure AD is therefore to detect and remediate dangerous configurations as soon as they appear. Alsid gives security teams this advantage.

AD is constantly changing, with potentially hundreds of writes occurring every minute. Any one of them could open your AD to adversaries, for example:

  • AD backdooring techniques – an extra ACE added to AdminSDHolder, which the SDProp process then copies onto every protected account and group
  • AD credential theft techniques – Kerberoasting, where a service account with an SPN and a weak password lets any domain user request a service ticket and crack the password offline
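The two misconfiguration classes listed above can be checked out of the box with a few lines of PowerShell. The following is an added example written for this page, not Alsid's code; it assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the directory, and that the one-year password-age threshold and the "default trustee" list are tuned to your own forest (the exact default ACEs on AdminSDHolder vary with schema and OS version).

```powershell
# Added example (not from the article or Alsid): two out-of-the-box checks for the
# misconfiguration classes listed above. Assumes the RSAT ActiveDirectory module and
# a domain-joined session with read access to the directory.
Import-Module ActiveDirectory

$rootDn = (Get-ADDomain).DistinguishedName

# 1. AdminSDHolder backdoor. SDProp periodically stamps the DACL of AdminSDHolder onto
#    every protected principal (Domain Admins, Enterprise Admins, krbtgt, ...), so one extra
#    ACE here becomes standing rights over all of them. Flag any Allow ACE whose trustee is
#    not one of the principals Microsoft places there by default (tune this list to your forest).
$defaultSids = @('S-1-5-18',      # SYSTEM
                 'S-1-5-32-544',  # BUILTIN\Administrators
                 'S-1-5-10',      # SELF
                 'S-1-5-11',      # Authenticated Users
                 'S-1-1-0',       # Everyone
                 'S-1-5-32-554',  # Pre-Windows 2000 Compatible Access
                 'S-1-5-32-560',  # Windows Authorization Access Group
                 'S-1-5-32-561')  # Terminal Server License Servers
# domain-relative RIDs: Domain Admins, Enterprise Admins, Cert Publishers, Key Admins, Enterprise Key Admins
$defaultRids = '512', '519', '517', '526', '527'

$acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$rootDn"
$suspect = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $rid = $sid.Split('-')[-1]
    if ($sid -notin $defaultSids -and $rid -notin $defaultRids) {
        [pscustomobject]@{
            Trustee    = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType        # GUID of the property/extended right, or all-zeros for the whole object
        }
    }
}
if ($suspect) {
    Write-Warning 'Non-default ACEs on AdminSDHolder (each will be copied to every protected principal):'
    $suspect | Format-Table -AutoSize
}

# 2. Kerberoasting exposure. Any authenticated user can request a service ticket for any
#    servicePrincipalName and crack it offline, so the risk is a *user* account that carries
#    an SPN and also has a weak or old password, RC4-only Kerberos, or admin privileges.
$pwdAge = (Get-Date).AddDays(-365)   # assumed threshold
Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
           -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SPNs';       e = { $_.servicePrincipalName -join ';' } },
        @{ n = 'AESEnabled'; e = { ($_.'msDS-SupportedEncryptionTypes' -band 0x18) -ne 0 } },  # 0x8 AES128, 0x10 AES256; unset => RC4
        @{ n = 'Privileged'; e = { $_.AdminCount -eq 1 } } |
    Where-Object { $_.Privileged -or -not $_.AESEnabled -or $_.PasswordLastSet -lt $pwdAge } |
    Sort-Object Privileged -Descending |
    Format-Table -AutoSize
```

The AdminSDHolder check compares SIDs rather than display names so that it works in child domains, where the Enterprise Admins ACE carries the forest root's domain SID. For the Kerberoasting check, the fix is usually to move the service to a group managed service account or to a long random password with AES enabled, and to take the account out of privileged groups; the check is deliberately broad so that it surfaces the accounts to review rather than deciding for you.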

Can the AD security vendor provide in-context AD security information in real time?

It is not enough to simply display the deviance for an AD object; that view gives only limited, global information and does not reveal where the problem comes from.

An incriminating object needs a detailed, accurate explanation of the security issue and, where relevant, of how multiple security issues relate to that deviant object. You should be able to select each separate security problem on a given object and action it independently. Coupled with detailed guidance on how to fix these complex AD security issues, Alsid clients are equipped to proactively harden their AD.

Alsid enables continuous detection and remediation at an AD object level through:

  • In-depth, real-time explanation of each detected AD security event – what it is and why it is dangerous
  • In-depth, real-time explanation of how to fix each detected AD security event

By detecting the misconfigurations that form attack paths, attacks such as Pass-the-Hash, Golden Ticket, DCShadow and DCSync can be stopped before they even begin.

To discover five more questions that CISOs should be asking, get the free Microsoft MVP-approved guide from Alsid.


This is just the beginning when planning your AD security journey. Contact an Alsid AD specialist at to learn what else needs to be evaluated in building an efficient Active Directory security programme.
