3 Key Principles in Active Directory Security

By Keren Pollack, on September 22nd, 2021

Active Directory has become a prime target for cyber-attacks. Back in 2015, it was already estimated that 95 million Active Directory accounts are compromised each day, and the numbers have kept increasing since then.

Active Directory is most organizations' primary identity store. It is used to manage users, computers, servers, and other devices in the network. Since its launch 20 years ago, it has been integrated with numerous applications and systems and has become one of the main foundations of the organization's IT infrastructure.

Active Directory is classified as mission-critical in almost every organization; damage to it therefore has devastating and costly results for the organization.

This post aims to present 3 key principles in Active Directory security:

  1. Least privilege model.
  2. Hardening Domain Controllers.
  3. Hardening Administrative Hosts.

By following these 3 principles, you'll significantly lower your Active Directory attack surface and reduce the chances of a successful cyberattack.

Finally, we offer an automated approach that will help you implement these principles easily, without investing large amounts of time and money.

Use a least privilege administrative model:

The least privilege model aims to ensure that a user is allocated only the privileges essential for their daily tasks. By implementing a least privilege administrative model, you lower the chances that a single compromised account will cause excessive damage to the entire network.

This is a simple principle to understand, yet it is rarely implemented properly. We often find an excessive number of accounts holding rights and privileges that are not required for their daily functions. The bigger the organization, the harder it is to follow this principle.

In Active Directory it is common to see the Domain Admins (DA), Enterprise Admins (EA), or built-in Administrators (BA) groups containing an excessive number of accounts. A good least privilege model is a 'role-based access control' model.

Role-based access control in Active Directory is a mechanism for grouping users and granting them access and privileges based on their business tasks.

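The first practical step toward the least privilege model described above is to know who actually sits in the DA, EA and BA groups, including members inherited through nested groups. The following PowerShell script is an added example and not part of the original post; it assumes the ActiveDirectory RSAT module, a domain-joined host, and a naming convention in which dedicated admin accounts start with `adm-` (an assumption to adjust to your own convention). The 90-day staleness threshold is likewise an assumed value.

```powershell
# Added example (not from the original post): audit the built-in privileged groups
# and flag accounts that look like least-privilege violations.
# Assumes the ActiveDirectory RSAT module on a domain-joined host.
Import-Module ActiveDirectory

$AdminNamePattern = '^adm-'   # assumed convention: dedicated admin accounts are named adm-<user>
$StaleDays        = 90        # assumed threshold for "no recent logon"

$forest = Get-ADForest
$groups = @(
    @{ Name = 'Domain Admins';     Server = $env:USERDNSDOMAIN },
    @{ Name = 'Administrators';    Server = $env:USERDNSDOMAIN },
    @{ Name = 'Enterprise Admins'; Server = $forest.RootDomain }   # exists only in the forest root domain
)

$findings = foreach ($g in $groups) {
    # -Recursive expands nested groups, which is where hidden membership usually lives.
    $members = Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Server $g.Server `
                        -Properties LastLogonDate, PasswordLastSet, Enabled

        $issues = @()
        if ($u.SamAccountName -notmatch $AdminNamePattern) { $issues += 'not a dedicated admin account' }
        if (-not $u.Enabled)                                 { $issues += 'disabled but still privileged' }
        if ($u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
            $issues += "no logon in $StaleDays days"
        }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
            $issues += 'password older than one year'
        }

        [pscustomobject]@{
            Group     = $g.Name
            Account   = $u.SamAccountName
            Enabled   = $u.Enabled
            LastLogon = $u.LastLogonDate
            Issues    = ($issues -join '; ')
        }
    }
}

# Summary: how many accounts hold each role, and which ones need review.
$findings | Group-Object Group | ForEach-Object { '{0}: {1} member(s)' -f $_.Name, $_.Count }
$findings | Where-Object Issues | Format-Table Group, Account, Enabled, LastLogon, Issues -AutoSize
```

Run it read-only on a schedule and treat every row with a non-empty Issues column as a ticket: an account that is in Domain Admins but is someone's everyday account, or that has not logged on for months, is exactly the excess membership the section describes. Moving such accounts into task-specific role groups is the role-based access control step that follows the audit.
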
Securing Domain Controllers Configuration:

Since Domain Controllers have read and write privileges to everything in the AD DS database, their hardening process needs extra care. Once they are compromised, your Active Directory forest can never be trusted again (unless you have good backups and have found the gap that allowed the intrusion).

Here are a few best practices for Domain Controllers hardening:

a. Block Domain Controllers' access to the internet:

A basic step in assessing Active Directory security is to check whether the domain controllers have access to a web browser. And yet, our analyses revealed numerous cases where this fundamental requirement wasn't followed.

Browsing the internet or intranet from a highly privileged account exposes the organization to a major risk. Attackers can use different methods to introduce malware-infected utilities, gain access and destroy the Active Directory environment.

b. Configure Perimeter Firewall Restrictions:

You can use perimeter firewall restrictions to prevent outbound connections from domain controllers to the internet. For domain controllers that need to communicate across site boundaries, you can configure the perimeter firewalls to allow that specific traffic.

In addition, you should configure the host firewall with advanced security settings on the domain controllers themselves.

c. Restrict RDP:

Allow RDP connections only from authorized users and systems. You can read this RDP Hardening Guide for more detailed instructions on a secure RDP configuration.

d. Use the industry's hardening best practices to configure domain controllers:

Best practices such as DISA STIGs and CIS Benchmarks give domain controllers special consideration compared to other infrastructure components. You should use these documents as the baseline of your policy and aim to achieve the highest compliance posture possible for your organization.

To learn how you can implement these best practices in an automated fashion, continue your reading here.

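Steps a to c above can be applied and, more importantly, verified with the host firewall and the RDP listener settings on the domain controller itself. The script below is an added example, not code from the original post; the PAW subnet `10.20.30.0/24` and the external test host `www.example.com` are placeholders, and the rule names are the example's own. Run it elevated on the DC, and keep in mind that the built-in `Internet` address keyword is derived by Windows, so cross-site DC traffic (the perimeter-firewall case in step b) may still need explicit allow rules.

```powershell
# Added example (not from the original post): apply the outbound-internet block and
# the RDP restriction on a domain controller, then verify both.
# Assumed values: PAW subnet 10.20.30.0/24, external test host www.example.com.

$PawSubnet = '10.20.30.0/24'   # assumed: only privileged access workstations may RDP in

# a/b. Block outbound traffic from the DC to internet address space.
#      'Internet' is a built-in RemoteAddress keyword (addresses outside LocalSubnet/Intranet).
New-NetFirewallRule -DisplayName 'DC - Block outbound Internet' `
    -Direction Outbound -Action Block -RemoteAddress Internet `
    -Profile Domain, Private, Public -Enabled True | Out-Null

# c. Replace the broad built-in Remote Desktop rules with one scoped to the PAW subnet.
#    (Group name as shown on an English Windows Server; adjust for other locales.)
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName 'DC - RDP from PAW subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $PawSubnet -Action Allow -Profile Domain -Enabled True | Out-Null

# c. Require Network Level Authentication and TLS on the RDP listener, so the client
#    must authenticate before a session is created.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdpKey -Name SecurityLayer      -Value 2 -Type DWord

# Verification: the same checks an assessment would run ("can this DC reach the web?").
$pawNetwork = $PawSubnet.Split('/')[0]
$checks = [ordered]@{
    'Outbound HTTPS to test host is blocked' =
        -not (Test-NetConnection -ComputerName 'www.example.com' -Port 443 `
                -InformationLevel Quiet -WarningAction SilentlyContinue)
    'Built-in Remote Desktop rules are disabled' =
        -not (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -eq 'True' })
    'RDP allow rule is scoped to the PAW subnet' =
        ((Get-NetFirewallRule -DisplayName 'DC - RDP from PAW subnet only' |
          Get-NetFirewallAddressFilter).RemoteAddress -like "$pawNetwork/*")
    'Network Level Authentication is required' =
        ((Get-ItemProperty -Path $rdpKey).UserAuthentication -eq 1)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-45} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
}
```

The verification block is the part worth keeping in a recurring job: a FAIL on the first check is the "domain controller with a working web browser" finding the section warns about, and a FAIL on the RDP checks means someone re-enabled the default rules or widened the allowed source range.
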
Secure Administrative Hosts:

Administrative hosts are workstations or servers that host privileged accounts. Privileged accounts are accounts that are members of the most privileged groups in Active Directory, as well as accounts with rights that allow them to perform administrative tasks, for example Help Desk accounts and accounts used for configuration management (check here how you can reduce the number of users authorized to perform hardening to a single user).

There are a few basic recommendations for securing Administrative Hosts:

a. Restrict Single Factor Authentication:

Do not allow single-factor authentication when performing administrative tasks. A username and password combination alone is therefore not an acceptable form of authentication.

b. Consider using smart card logon for these accounts.

c. Restrict RDP:

Restrict RDP connections to authorized users only. Consider removing or blocking other logon types that are not required for administrative tasks. You can read this RDP Hardening Guide for more detailed instructions on a secure RDP configuration.

d. Use the industry's hardening best practices to configure administrative hosts:

Best practices such as DISA STIGs and CIS Benchmarks contain guidance for securing host configurations. You should use these documents as the baseline of your policy and aim to achieve the highest compliance posture possible for your organization.

To learn how you can implement these best practices in an automated fashion, continue your reading here.

e. Block access to the internet and intranet:

Administrative Hosts should not be permitted to access the internet or the intranet, and web browsers should not be used on them. You can use a firewall to block internet access.

f. Use virtual machines:

By using virtualization, you can provision and manage a dedicated administrative host for each user's needs. You can control it and shut it down when it is not in use, to prevent credential theft. There are many other practices you can apply to virtual machines to enhance administrative host security.

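Steps a and b above (no single-factor authentication, smart card logon for the privileged accounts) map to one account attribute in Active Directory. The script below is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module and a role group named `Tier0-Admins` (an assumed name) whose members are the accounts used from administrative hosts. It reports by default and only changes accounts when run with `-Enforce`.

```powershell
# Added example (not from the original post): require smart card logon for every
# privileged account used from an administrative host, and report compliance.
# Assumes the ActiveDirectory RSAT module and an assumed role group 'Tier0-Admins'.
Import-Module ActiveDirectory

function Set-SmartCardRequirement {
    param(
        [string[]]$RoleGroups = @('Tier0-Admins'),   # assumed role group(s) holding the privileged accounts
        [switch]$Enforce                             # without -Enforce the function only reports
    )
    foreach ($group in $RoleGroups) {
        $users = Get-ADGroupMember -Identity $group -Recursive |
                 Where-Object { $_.objectClass -eq 'user' } |
                 ForEach-Object {
                     Get-ADUser -Identity $_.distinguishedName -Properties SmartcardLogonRequired, Enabled
                 }

        foreach ($u in $users) {
            $needsChange = $u.Enabled -and (-not $u.SmartcardLogonRequired)
            if ($needsChange -and $Enforce) {
                # With this flag set, domain controllers reject password-based interactive
                # logons for the account, so a username/password pair alone no longer works.
                Set-ADUser -Identity $u -SmartcardLogonRequired $true
                $u = Get-ADUser -Identity $u -Properties SmartcardLogonRequired, Enabled
            }

            if ($u.SmartcardLogonRequired)   { $status = 'compliant' }
            elseif ($Enforce)                { $status = 'change failed' }
            else                             { $status = 'password logon still allowed' }

            [pscustomobject]@{
                Group             = $group
                Account           = $u.SamAccountName
                Enabled           = $u.Enabled
                SmartcardRequired = $u.SmartcardLogonRequired
                Status            = $status
            }
        }
    }
}

# Report first; enforce only once every account holder has a provisioned smart card.
Set-SmartCardRequirement | Format-Table -AutoSize
# Set-SmartCardRequirement -Enforce | Format-Table -AutoSize
```

Enforcing the flag before the cards and certificate infrastructure are in place locks the administrators out, which is why the function separates the report from the change. The same report doubles as the evidence for step a: any row whose Status is not `compliant` is an account that can still authenticate with a password.
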
An Automated Approach for Active Directory Security:

CalCom offers an automated approach for configuration security and hardening tasks. By using CalCom Hardening Automation Suite you'll be able to easily harden your Domain Controllers and Administrative Hosts and achieve compliance with the industry's best practices.

CalCom Hardening Automation Suite learns your production environment and indicates the impact each configuration change will have on it, eliminating the need to perform any testing before implementing your policy.

The entire hardening process is done from a single point of control, allowing you to keep the number of authorized users to a minimum.

Finally, CalCom Hardening Automation Suite monitors your compliance posture, ensuring you remain secure and audit-ready at any given time. To learn more, continue your reading here.