Explore essential Active Directory hardening practices and checklists to enhance your organization's
Active Directory (AD) is crucial for network security as it controls access to sensitive data, making it a primary target for attackers. Even a small AD breach can result in significant data loss, operational downtime, and reputational damage in a business.
Active Directory incidents typically fall into these categories:
When something goes wrong with AD, it can lead to several serious problems. Let’s explore the main issues and solutions to overcome or avoid them in detail.
Problem | Solution | Impact |
---|---|---|
Inadequate Password Security | Implement Passwordless Authentication (e.g., biometrics, FIDO2) | Eliminates password-based attacks |
 | Enforce Strong Password Policies (14+ characters, complexity) | Minimizes brute force risks |
 | Enable Multi-Factor Authentication (MFA) | Adds an extra layer of security |
Overprivileged Accounts & Weak Credential Management | Limit Domain Admin accounts | Reduces attack surface |
 | Use Privileged Access Management (PAM) | Applies least-privilege model |
 | Review & Rotate Service Account Passwords Regularly | Secures service accounts |
Vulnerable Account Settings | Regularly audit account settings | Reduces attack vectors |
 | Require Kerberos Pre-authentication | Prevents unauthorized access attempts |
Weak or easily guessable passwords for privileged accounts are common vulnerabilities.
Passwordless options such as biometrics and FIDO2 remove the need for passwords altogether, so password-based attacks like password spraying and phishing can’t occur.
Using longer passwords (14+ characters) and changing them less often discourages users from cycling through easily guessable passwords. Additionally, enabling multi-factor authentication (MFA) adds an extra layer of protection to critical systems.
Granting excessive privileges to accounts, especially service accounts, increases the risk of AD breaches. If many service accounts or user accounts are given Domain Admin privileges, they get high-level access to your network.
Service accounts are often weak targets, because:
Additionally, the combination of too many Domain Admin accounts and weak security controls increases the chance of credential theft.
If a user account is compromised without admin rights, it becomes more difficult for attackers to escalate privileges across the network. Organizations should also ensure that their Active Directory incident response strategy includes rapid identification and response to misuse of overprivileged accounts.
There is no fixed rule for how many Domain Admin accounts are needed; it depends on your business environment. Therefore, carefully review any requests for additional Domain Admin accounts, and prefer granting lower privilege levels, especially for service accounts, rather than giving them full Domain Admin access.
Instead of giving service accounts full access to all servers and workstations, consider limiting their access to only a subset of devices and giving them minimum privileges needed to work.
If you don’t have strong controls over how important accounts (like Domain Admins) are managed, adding more Domain Admin accounts increases the risk. Use tools to manage passwords automatically and securely, making sure privileged access is tightly controlled.
These solutions help mitigate risks by enforcing the least privilege model.
In Active Directory, misconfigurations can make individual user accounts less secure. Some settings can make accounts vulnerable to attacks, including:
Regularly audit account settings to identify and remediate misconfigurations. This includes checking for any accounts that do not require Kerberos pre-authentication, storing passwords with weak or reversible encryption, or failing to enforce strong password policies.
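The audit described above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory RSAT module in a domain-joined session, checks the default domain password policy against the 14+ character guidance, lists enabled accounts carrying the risky settings named above, and enumerates current Domain Admins so their number can be reviewed.

```powershell
# Added example (not from the post): audit of the account-hygiene items above.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

function Get-AdPasswordPolicyFindings {
    # Compare the default domain policy with the 14+ character guidance in the post.
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($p.MinPasswordLength -lt 14) { $findings += "MinPasswordLength is $($p.MinPasswordLength); guidance is 14+" }
    if (-not $p.ComplexityEnabled)   { $findings += 'Password complexity is disabled' }
    if ($p.LockoutThreshold -eq 0)   { $findings += 'No lockout threshold: brute force and spraying are not slowed' }
    return $findings
}

function Get-RiskyAdAccounts {
    # Enabled accounts whose settings weaken or bypass password security.
    $props = 'DoesNotRequirePreAuth','AllowReversiblePasswordEncryption',
             'PasswordNotRequired','PasswordNeverExpires','PasswordLastSet','AdminCount'
    Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
        $reasons = @()
        if ($_.DoesNotRequirePreAuth)             { $reasons += 'NoKerberosPreAuth' }    # AS reply crackable offline
        if ($_.AllowReversiblePasswordEncryption) { $reasons += 'ReversibleEncryption' } # cleartext-equivalent storage
        if ($_.PasswordNotRequired)               { $reasons += 'PasswordNotRequired' }
        if ($_.PasswordNeverExpires)              { $reasons += 'PasswordNeverExpires' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                IsPrivileged    = [bool]$_.AdminCount    # adminCount=1 marks protected (admin) accounts
                PasswordLastSet = $_.PasswordLastSet
                Reasons         = ($reasons -join ',')
            }
        }
    }
}

function Get-DomainAdminMembers {
    # Recursive membership so nested groups do not hide extra admins; flag service-style accounts with SPNs.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordLastSet, ServicePrincipalName |
        Select-Object SamAccountName, Enabled, PasswordLastSet,
                      @{ n = 'HasSPN'; e = { [bool]$_.ServicePrincipalName } }
}

Get-AdPasswordPolicyFindings
Get-RiskyAdAccounts | Sort-Object IsPrivileged -Descending | Format-Table -AutoSize
Get-DomainAdminMembers | Format-Table -AutoSize
```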
Problem | Solution | Impact |
---|---|---|
Exposed Privileged Credentials | Limit where Domain Admins log in | Prevents credential theft from workstations |
 | Use Defender for Identity | Detects lateral movement |
 | Minimize credential exposure | Reduces chance of theft via compromise |
Kerberoasting (Service Account Exploitation) | Review all SPNs and use complex passwords | Stops attackers from cracking service accounts |
 | Regularly rotate service account passwords | Prevents long-term access |
Uncontrolled Delegation | Restrict delegation for admin accounts | Prevents TGT theft and escalation |
 | Monitor and audit delegation settings regularly | Minimizes unnecessary risks |
Admins often log into multiple devices (workstations, servers) for their tasks, which can leave privileged credentials exposed.
Attackers can use tools like Mimikatz or secretsdump to retrieve these credentials.
For instance, if Domain Admins log into non-critical devices (e.g., user workstations), their credentials are left in memory on those devices, where an attacker who controls the device can steal them and gain higher access.
Effective Active Directory incident response procedures should include rapid identification of compromised Active Directory credentials and steps to prevent lateral movement across the network.
Limiting where Domain Admins log in ensures they only access critical systems from secure devices.
Defender for Identity helps map lateral movement paths, showing how a compromised regular user account could lead to domain-level access. It also tracks high-risk users and devices, aiding in prioritizing security actions.
When accessing remote systems, avoid methods that leave privileged credentials behind on devices.
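A detection for the exposure described in this section, as an added PowerShell example that is not part of the original post: it reads Security event 4624 from a host where Domain Admins should never log in (e.g. a user workstation) and reports logons by Domain Admins of the types that leave credentials in memory. It assumes the ActiveDirectory RSAT module and rights to read that host's Security log; the host name and time window are placeholders.

```powershell
# Added example (not from the post): detect credential-exposing logons by Domain Admins on a given host.
# Assumes the ActiveDirectory RSAT module and read access to the host's Security event log.
Import-Module ActiveDirectory

function Get-PrivilegedLogons {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $admins = (Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user').SamAccountName
    # Logon types that leave reusable credentials or tickets in LSASS on the target host:
    # 2 = Interactive, 4 = Batch, 5 = Service, 10 = RemoteInteractive (RDP). Network logons (3) do not.
    $exposing = @{ 2 = 'Interactive'; 4 = 'Batch'; 5 = 'Service'; 10 = 'RemoteInteractive' }
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $type = [int]$d['LogonType']
        if ($exposing.ContainsKey($type) -and $admins -contains $d['TargetUserName']) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Host      = $ComputerName
                Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = $exposing[$type]
                Source    = $d['IpAddress']
            }
        }
    }
}

# Placeholder host: any workstation outside the admin tier should return nothing here.
Get-PrivilegedLogons -ComputerName 'WKS-PLACEHOLDER' -Hours 72 | Format-Table -AutoSize
```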
Service Principal Names (SPNs) are identifiers for service accounts in Active Directory. If an attacker compromises a regular user account, they can request service tickets for any account with an SPN. The ticket is encrypted with the service account's password hash.
The attacker can extract this hash from memory and try to crack the password offline. If successful, they can use the service account and gain its privileges.
Unconstrained Kerberos delegation allows one server to impersonate users and access other resources on their behalf.
For example, a web server may be configured to access an SQL server using user credentials.
When you log into the web server, it uses delegation to authenticate to the SQL server with your credentials, storing your Kerberos Ticket Granting Ticket (TGT) in memory on the web server. If an attacker compromises the web server, they can steal the TGTs from memory and impersonate any user, including Domain Admins. If a Domain Admin’s TGT is stolen, the attacker can gain full control of Active Directory.
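The SPN review and delegation audit from the last two sections, as one added PowerShell example that is not part of the original post. It assumes the ActiveDirectory RSAT module; the password-age threshold is an assumed review value. It lists enabled user accounts with SPNs (the Kerberoasting exposure), objects with unconstrained delegation other than domain controllers, and admin accounts that are not yet protected from delegation.

```powershell
# Added example (not from the post): Kerberoastable service accounts and risky delegation settings.
# Assumes the ActiveDirectory RSAT module; MaxPasswordAgeDays is an assumed review threshold.
Import-Module ActiveDirectory

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)
    # Any authenticated user can request a service ticket for a user account that has an SPN,
    # so such accounts need long, regularly rotated passwords and AES-only ticket encryption.
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
        -Properties ServicePrincipalName, PasswordLastSet, AdminCount, 'msDS-SupportedEncryptionTypes' |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            $enc = [int]$_.'msDS-SupportedEncryptionTypes'   # bits: 1/2 DES, 4 RC4, 8 AES128, 16 AES256
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                IsPrivileged    = [bool]$_.AdminCount          # privileged account + SPN is the worst case
                PasswordLastSet = $_.PasswordLastSet
                StalePassword   = ($_.PasswordLastSet -lt $cutoff)
                AesOnly         = (($enc -band 0x18) -ne 0) -and (($enc -band 0x07) -eq 0)  # as set on the account
                SPNs            = ($_.ServicePrincipalName -join '; ')
            }
        }
}

function Get-DelegationExposure {
    # Hosts with unconstrained delegation hold callers' TGTs in memory. Domain controllers are
    # expected to carry the flag; anything else should be justified or moved to constrained delegation.
    $dcs = (Get-ADDomainController -Filter *).ComputerObjectDN
    # userAccountControl bit 0x80000 (524288) = TRUSTED_FOR_DELEGATION (unconstrained)
    Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' -Properties objectClass |
        Where-Object { $dcs -notcontains $_.DistinguishedName } |
        Select-Object @{ n = 'Object'; e = { $_.Name } }, ObjectClass, DistinguishedName
}

function Get-DelegatableAdmins {
    # Admin accounts should be "sensitive and cannot be delegated" (or in Protected Users) so a
    # compromised delegating server cannot impersonate them even if they authenticate to it.
    $protected = (Get-ADGroupMember 'Protected Users' -Recursive -ErrorAction SilentlyContinue).DistinguishedName
    Get-ADUser -Filter 'AdminCount -eq 1 -and Enabled -eq $true' -Properties AccountNotDelegated |
        Where-Object { -not $_.AccountNotDelegated -and $protected -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, DistinguishedName
}

Get-KerberoastExposure | Sort-Object IsPrivileged, StalePassword -Descending | Format-Table -AutoSize
Get-DelegationExposure | Format-Table -AutoSize
Get-DelegatableAdmins   | Format-Table -AutoSize
```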
LAPS is a Microsoft tool that automatically manages the password for the built-in Administrator account on Windows devices. During machine setup (e.g., during imaging), many devices may share the same password for this account. If left unchanged, this common password can allow attackers to move across devices once they gain access to one. LAPS resolves this by ensuring each device has a unique local administrator password, which is regularly rotated.
Ensure LAPS is implemented on all devices and regularly audit its usage. This helps remove privilege from administrative accounts and lowers the risk of credential theft.
Only certain users should be allowed to retrieve the LAPS-managed password. Access to the LAPS password is controlled by the ‘ms-Mcs-AdmPwd’ attribute.
Regularly audit who has access to these passwords to make sure only the necessary people can use them.
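The LAPS access audit described above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory RSAT module and legacy LAPS (the ‘ms-Mcs-AdmPwd’ attribute); the OU distinguished name is a placeholder. It looks up the attribute's schema GUID, then reports every trustee whose ACE on an OU grants the control-access right needed to read the confidential password attribute.

```powershell
# Added example (not from the post): who can read LAPS-managed passwords (legacy attribute ms-Mcs-AdmPwd)
# under a given OU. Assumes the ActiveDirectory RSAT module; the OU is a placeholder.
Import-Module ActiveDirectory

function Get-LapsPasswordReaders {
    param([Parameter(Mandatory)][string]$SearchBase)
    # The attribute's schema GUID differs per forest, so look it up rather than hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema: LAPS is not installed in this forest' }
    $admPwdGuid = [guid]$attr.schemaIDGUID
    $allGuid    = [guid]::Empty   # an ACE with an empty ObjectType covers all attributes / all extended rights

    # ms-Mcs-AdmPwd is a confidential attribute: reading it needs CONTROL_ACCESS (ExtendedRight) on it,
    # which is what Set-AdmPwdReadPasswordPermission grants. GenericAll (full control) implies it as well.
    Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * | ForEach-Object {
        $ou = $_.DistinguishedName
        (Get-Acl -Path "AD:\$ou").Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ObjectType -eq $admPwdGuid -or $_.ObjectType -eq $allGuid) -and
            ($_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')
        } | ForEach-Object {
            [pscustomobject]@{
                OU        = $ou
                Trustee   = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
            }
        }
    }
}

# Review the list against who actually needs the local admin password (e.g. a small helpdesk group).
Get-LapsPasswordReaders -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Sort-Object Trustee, OU | Format-Table -AutoSize
```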
Problem | Solution | Impact |
---|---|---|
Misconfigured ACLs (Access Control Lists) | Audit ACLs regularly | Fixes misconfigurations and secures access |
 | Use attack path tools to identify potential escalation paths | Prevents unauthorized privilege escalation |
 | Apply the Principle of Least Privilege | Restricts access to critical resources |
Exchange Permissions (Exchange Server Exploitation) | Implement Split Permissions Model (separate Exchange/AD permissions) | Minimizes attack surface |
 | Reduce Exchange Permissions | Limits admin-level access for Exchange users |
Abuse of Group Policy Permissions | Limit Group Policy Permissions | Prevents unauthorized GPO modifications |
 | Apply Least Privilege to GPOs | Minimizes impact from compromised accounts |
Vulnerabilities in Trust Relationships | Enable SID Filtering | Secures trust relationships |
 | Limit unnecessary trusts | Prevents privilege escalation across domains |
 | Remove unused trusts after migrations | Minimizes attack surface by removing unused trust relationships |
Misconfigured ACLs are common and can weaken security without affecting day-to-day operations.
Such misconfigurations create attack paths that let low-privileged users escalate access and potentially gain full control over the domain; attackers exploit the excessive privileges and broad access that misconfigured ACLs grant.
Common ACL Issues:
Even if a company has migrated user mailboxes to Office 365, they may still rely on an on-premises Exchange server for various reasons, such as:
Exchange groups like ‘Exchange Trusted Subsystem’ and ‘Exchange Servers’ often have high-level privileges, which can give attackers a potential path to domain control. Additionally, internet-facing Exchange servers (like those used for Outlook Web Access) expand the attack surface, making systems more vulnerable to external threats.
If attackers gain SYSTEM privileges on the Exchange server, they can exploit excessive Active Directory permissions to take over the entire domain.
If an attacker hasn’t yet compromised a Domain Admin, they might gain access to an account with permissions to manage Group Policy Objects (GPOs).
Example: A user can be given permission to create, update, or link policies, which could be exploited by the attacker.
In these cases, attackers can take several malicious actions, including:
Use efficient security tools for auditing and managing privileges. And,
Misconfigured SID History (Security Identifier History) settings can be exploited by attackers to escalate privileges across domains and gain control over trusted domains.
To help address the challenges posed by Active Directory vulnerabilities, organizations can enhance their security posture with Fidelis Active Directory Intercept™. This powerful, all-in-one solution combines Active Directory-aware Network Detection and Response (NDR) with integrated AD monitoring to offer comprehensive protection.
Key features include:
Fidelis empowers you with the tools needed to protect your Active Directory environment, ensuring it remains secure, resilient, and fully monitored—helping to streamline Active Directory incident response and enhance overall security management.
Active Directory compromises pose significant risks to an organization’s data confidentiality, integrity, and availability. These breaches can lead to financial losses, regulatory fines, and reputational damage, which erode customer trust and cause long-term harm. Securing AD is crucial for safeguarding organizational assets and ensuring business continuity. Additionally, following guidance from organizations like the National Security Agency or the Cybersecurity and Infrastructure Security Agency (CISA) may help strengthen Active Directory security protocols and provide more comprehensive solutions.
Pallavi is a tech writer with a deep enthusiasm for cybersecurity and emerging technologies. With a keen interest in digital security, she simplifies complex concepts and provides valuable insights to help businesses stay ahead and effectively navigate the ever-evolving cybersecurity landscape.