SECNOLOGY: 5 Errors that can harm your Active Directory
Today, Active Directory is the main target of attackers in most of the ransomware incidents encountered. This is easy to understand: once domain authority rights are acquired, the attacker can access most of the file servers or NAS whose authentication relies on the domain (in order to exfiltrate data) and, in the final phase of the attack, deploy encryption on all the workstations and servers attached to the domain.
As a result, Active Directory is rightly considered the “sacred element”. But it is not always protected as such, and whether in its architecture or in the way company administrators routinely use it, five bad practices are seen in almost every victim of a ransomware attack.
Through workflow automation, incident reports can be included in a clear process and the right information can be placed in the right place without manual intervention or delay. SECNOLOGY makes it possible with its SECmanage module.
So, to improve the security level of the IS, start by strengthening the Active Directory and avoiding these five common mistakes:
1 – No third party administration
This is the most important element, but also the most effective: separate the domain administration accounts and infrastructure from the rest of the IS. Under no circumstances should an account with domain administration rights connect to other resources, especially user workstations. At each connection, the admin account leaves authentication material on the target machine that can allow an attacker to impersonate it. And since end-users are particularly at risk, logging in with domain administration rights is too often like serving attackers the keys to the kingdom on a platter.
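One way to detect the practice described above from the Windows Security log, as an added example (not SECNOLOGY's code): the script below reads a few constructed event 4624 records and reports every domain-admin logon to a host that is not a domain controller or a dedicated admin workstation. The account list, host list and flattened export format are assumptions; the event field names and LogonType values are those of the real 4624 event.

```python
"""Flag domain-admin logons onto machines outside the administration tier.

Added example, not SECNOLOGY's code. It scans constructed Windows Security
event 4624 records (field names follow the real event schema) and reports
every Tier-0 account logon to a host that is not a DC or admin workstation.
Account and host inventories are hard-coded stand-ins for an AD lookup.
"""
TIER0_ACCOUNTS = {"CORP\\da-jsmith", "CORP\\Administrator"}   # hypothetical
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}                         # DCs and admin workstations

# 4624 LogonType values that leave reusable credential material on the target
# (interactive, unlock, cleartext, runas /netonly, RDP, cached). A network
# logon (type 3) normally caches nothing on the target but still breaks the
# "never connect elsewhere" rule, so it is reported at lower severity.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 7, 8, 9, 10, 11}

def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=Value Key=Value' record (constructed export format)."""
    return dict(tok.split("=", 1) for tok in line.split())

def find_admin_logons_off_tier(lines):
    """Return (account, host, logon_type, severity) for each off-tier admin logon."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
        host = ev["Computer"].split(".")[0].upper()
        if account not in TIER0_ACCOUNTS or host in TIER0_HOSTS:
            continue
        ltype = int(ev["LogonType"])
        severity = "high" if ltype in CREDENTIAL_EXPOSING_LOGON_TYPES else "medium"
        findings.append((account, host, ltype, severity))
    return findings

# Constructed sample events (not from a real system).
SAMPLE_EVENTS = [
    "EventID=4624 Computer=DC01.corp.local TargetDomainName=CORP TargetUserName=da-jsmith LogonType=2",
    "EventID=4624 Computer=WS-FIN-042.corp.local TargetDomainName=CORP TargetUserName=da-jsmith LogonType=10",
    "EventID=4624 Computer=FILESRV01.corp.local TargetDomainName=CORP TargetUserName=da-jsmith LogonType=3",
    "EventID=4624 Computer=WS-FIN-042.corp.local TargetDomainName=CORP TargetUserName=alice LogonType=2",
    "EventID=4672 Computer=DC01.corp.local TargetDomainName=CORP TargetUserName=da-jsmith",
]

if __name__ == "__main__":
    for account, host, ltype, severity in find_admin_logons_off_tier(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {account} logged on to {host} (LogonType {ltype})")
```

The RDP logon (type 10) to the finance workstation is the dangerous one, since it leaves the admin's credentials in memory on a machine an end-user controls.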
2 – In-depth knowledge of the AD
In 70% of the incidents handled by our teams, the victim does not have a good knowledge of its directory: which accounts are privileged, what each GPO does, etc. This often goes hand in hand with a lack of knowledge of the IS as a whole. As far as the directory is concerned, it translates into an inability to quickly tell, for example, whether an action undertaken by a privileged account is legitimate, what the purpose of a given service account is, or whether its rights are appropriate.
Specifically concerning service accounts (often prime targets for attackers), the situation is aggravated by the fact that some software vendors demand disproportionate rights for their applications, or by the tendency within corporate IT departments to grant as many rights as possible to ensure the application works when it is installed… and then never to touch it again for fear that it will stop working!
CIOs are often surprised when, during an audit of the actual use of Active Directory rights, they discover that a particular department has never used a privilege it holds!
3 – Lack of training for administrators
Often with small teams and high business expectations, IT teams do not always have the time to train. However, the tools evolve, and every new version of Windows Server introduces new protections or administration features that are potentially very useful or that make good administration practices easier to implement (for example, password management for service accounts). But without taking the time to train and to capitalize on that knowledge, the CIO remains limited to the old practices: those that work, without question!
4 – Search preventively for compromise paths
Once on the domain, one of the first actions attackers take is to use a tool such as BloodHound or AD Control Paths to find configuration errors in the directory. These are common, simply because an AD, especially in a large organization, is a particularly complex object that lives and changes constantly. Many intrusions succeed because the attacker has run BloodHound to find a path between the unprivileged account obtained on arrival in the IS and a domain administration account.
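The path search that BloodHound automates is, at its core, a shortest-path query over the directory's relationships, and an administrator can run the same query preventively. Below is an added example (not SECNOLOGY's or BloodHound's code) over an invented edge list: it finds how an ordinary helpdesk user reaches Domain Admins and points at the first non-membership edge, the over-broad ACL, as the thing to fix. Account, group and host names are constructed.

```python
"""Search a constructed AD relationship graph for paths to Domain Admins.

Added example, not SECNOLOGY's or BloodHound's code: the shortest-path idea
BloodHound applies, run by the administrator over an invented edge list so
the misconfigured edge can be found and fixed before an intruder finds it.
"""
from collections import deque

# Constructed edges (principal, relation, target); relation names follow the
# usual BloodHound vocabulary, the accounts and hosts are invented.
EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "GenericAll", "svc-backup@corp.local"),  # over-broad ACL
    ("svc-backup@corp.local", "MemberOf", "BACKUP OPERATORS@corp.local"),
    ("BACKUP OPERATORS@corp.local", "AdminTo", "DC01.corp.local"),
    ("DC01.corp.local", "HasSession", "da-jsmith@corp.local"),
    ("da-jsmith@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
]
TARGET = "DOMAIN ADMINS@corp.local"

def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def shortest_path(graph, start, target):
    """Breadth-first search; returns hops (src, rel, dst) or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue and target not in parent:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    return path[::-1]

def first_remediable_edge(path):
    # Group memberships are usually intended; the first ACL/admin edge is the one to review.
    return next((hop for hop in path if hop[1] != "MemberOf"), None)
```

Removing the GenericAll right of HELPDESK over the service account breaks the chain; re-running the search after the change confirms no path remains.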
5 – Take the time!
There is no secret: nothing good comes from working in a hurry and under pressure. Active Directory is not only a very complex object, but also one in constant mutation driven by organisational and personnel changes. It is difficult to understand it well if it is managed by a third party and/or if one does not take the time to “feel” its configuration and what constitutes its optimal operation, in order to better detect anomalies.
Best practices of SECNOLOGY:
SECNOLOGY is a security big data mining company dedicated to providing powerful and user-friendly event analysis and security management solutions.
SECNOLOGY’s mission is to provide end-users, managers and experts with the simplest and most powerful solutions to automatically manage all the events related to the data of their information system on a worldwide scale. They must be able to do it in the required way at any time without compromising the integrity of the original data.
The idea was actually quite simple. In today’s environment, data can be generated by any device. When data is available and accessible, it is rich, but this is not always the case! Very often, data must be collected, processed, decrypted via multiple and different heterogeneous means. Each of these means requires specific skills and a lot of time. Each event source device has its own monitoring tool, its own way of processing data, and its own management needs and restrictions.
For events, traces or logs, the situation is even more complicated. Each of these devices generates its own events and records logs in its own specific format. Each part of the data has its own specific meaning.
The situation is even worse when the same device with the same configuration generates different log formats depending on the administrator’s configuration. From the user’s point of view, the requirements are very clear and the requirements for these devices are simple and precise. Nevertheless, it is still very difficult to get a single, complete view of all data. This is the main objective of SECNOLOGY company.
Best practices of SECagent from SECNOLOGY:
The SECagent solution collects events from sources that are not able to send their data. SECagent will fetch, watch, pull, and send this data to the collector on the fly. SECagent is able to watch file systems, Windows events, data files, folders, registry keys, Active Directory events, and user’s activity on the system.