Freely subscribe to our NEWSLETTER

AD security vulnerabilities

Microsoft Active Directory (AD) at the time of launch was a revolutionary technology - originally released with the Windows 2000 server operating system, and one that continues to support much of the hyperconnected world of work that we inhabit in the modern era.

Microsoft AD prevailed above all other directories for one core reason: it was open. It is because of this openness and ease of integration that AD remains to this day a foundational piece of infrastructure for 90% of businesses. However, its biggest strength 21 years ago has since become its most concerning weakness.

The threat

If you take into account that a hacker can use any unprivileged AD account to read almost all attributes and objects in AD, including their permissions, allowing them to find computer accounts in any domain of an AD forest that are configured with unconstrained delegation, then you get an idea for why the default AD openness has become a vulnerability.

Today, due to the disappearance of the network perimeter, identity has become the last line of defence from cyberattacks.
Researchers at Mandiant recently reported that 90 percent of the incidents they investigate involve AD in one form or another.
Some of the largest and most recent AD security breaches include SolarWinds, Hafnium and the Colonial Pipeline attack which made headlines due to their scale and the disruption caused when Microsoft AD went down.

Purple Knight

Semperis is a pioneer in managing and protecting the identity credentials of enterprises’ hybrid environments and was purpose-built for securing AD.
Last year it launched a free AD security assessment tool, Purple Knight and is today releasing the findings of data from 1000 IT and security leaders that have deployed Purple Knight.

Key summary of findings:

• Organisations overall scored an average of 68% across five Active Directory security categories; AD delegation, account security, AD infrastructure security, Group Policy security, and Kerberos security. This is barely passing grade.
• Large organisations fared even worse —reporting an average score of 64%—indicating that the challenges in securing Active Directory expand with legacy applications and complex environments, particularly in large organizations.
• Organisations reported the lowest scores for Account Security, which covers settings on individual accounts such as privileged accounts with a password that never expires.
• Insurance companies reported the lowest overall scores (55%), followed by healthcare (63%) and transportation (64%)
• Transportation companies reported utterly failing scores in Group Policy (36%) and Account Security (46%)
• Public infrastructure companies scored the highest overall (71%), followed by government entities (70%)

Respondents cited various catalysts for downloading the security assessment, ranging from a proliferation of attacks in their industries, organisational mandates, or post-breach remediation. Many of the respondents said they were blindsided by the findings of their Purple Knight reports.
In follow-up interviews with respondents, the research also found that:

• Misconfigurations proliferate in organisations with legacy Active Directory implementations
• Organisations struggle with a lack of Active Directory expertise

In a recent 451 Research report, analyst Garrett Bekker said, “Directory services sit at the heart of most firms’ IT strategies, and as such they have become mission-critical assets that can present dire consequences if compromised—as we have learned from the now infamous SolarWinds supply-chain attack, and the Hafnium attack on Microsoft Exchange.”
Speaking about the report, Mickey Bresman, Semperis CEO says, “We saw that many companies don’t have a good understanding of the Active Directory exposures that adversaries are able to use against them. We wanted to give security teams that don’t have deep AD expertise a way to understand their AD security posture—and then close any existing gaps so that adversaries won’t use those against them.”

Knowledge brings power to act

The report includes more information about the security indicators that were flagged, responses from the IT and security leaders on what it revealed for their organisation and, importantly, the steps that they are putting in place to close these gaps.