A review of Active Directory (AD) security assessments shows that many enterprises are overly exposing their AD administrator’s credentials, leaving them vulnerable to security breaches.
Skyport Systems found that more than 50% of the organizations assessed allow administrators to use the same account to configure AD as they use for everything else. And, fewer than 25% of the organizations use multi-factor authentication (MFA) for AD administrator accounts.
Further, Microsoft recommends implementing secure administrative workstations (SAWs) for management of AD. However, fewer than 10% of the organizations Skyport Systems assessed have implemented a SAW.
It is a best practice to severely limit the systems that are permitted to alter the AD configuration. However, almost none of the organizations assessed implemented host-based firewalls for the DCs, and fewer than 15% use administrative whitelists.
Microsoft also has recommendations for building an Enhanced Security Administrative Environment (ESAE), but virtually no mid-market enterprises appear to be aware of, or effectively implement these guidelines.
Skyport recommends four pillars to protect against cyberattacks: Implement AD hygiene by limiting domain admin privileges, configuring secure password policies and frequent patching; make admin workstations secure to prevent credential theft and misuse; protect DCs against insider and outsider threats; and build an isolated admin forest for large or complex enterprises.
“We know that over 90% of all organizations use Active Directory to control policies for users and services,” said Russell Rice, senior director, product management, Skyport. “Successful attacks against AD or admin credentials can be devastating because the blast radius reaches nearly every system in the enterprise. The data we collected and analyzed shows that organizations need to pay more close attention to their AD infrastructure and use a modern approach to securing AD since many attack tools are widely available, effective and free.”