How Windows Active Directory is failing user logon security

Curated advice for IT administrators from your peers on :

Spiceworks Peerlyst Daniweb Reddit

Executive Summary

Despite all its benefits, Windows Active Directory is the root cause of many logon security headaches — something compounded by the vast number of challenges IT professionals are dealing with from the careless, exploited or malicious user.

Poor logon security can lead to devastating data breaches, but improving the way you manage access is no easy feat — especially if you rely on Windows Active Directory alone.

IT professionals’ opinion on how their companies are currently treating logon security show hugely varied techniques, from completely overhauling their security systems to, more shockingly, sticking their head in the sand and doing nothing.

However, many of these challenges can be mitigated with investment in tools that monitor and, to a certain extent, control users, for their own benefit and for that of the organisation they work for.

Introducing the modern-day logon security challenge

On average,
it takes
469 days
for a European
organisation
to spot a data breach

Managing access to corporate networks is one of the most important parts of an IT professional’s job. The reason why is simple. Poor access security can lead to devastating data breaches. The recent high-profile attacks on the likes of Dropbox, eBay, Sony, Anthem, Sage, Three and many others have directly resulted in an employee’s login details falling into an attacker’s hands.

And once those credentials are out in the open, you’re unlikely to find out until it’s too late — because your anti-virus, firewalls and perimeter defences won’t pick up on a login with a genuine username and password. On average, it takes 469 days for a European organisation to spot a data breach, and with the GDPR coming up in April 2018, chances are you’re already too late to do anything about your latest breach — and may have to face a fine of €20,000 or 4% of your turnover, whichever the greater.

Improving the way you manage access is no easy feat though — especially if you rely on Windows Active Directory alone. For all its benefits and uses, Windows Active Directory doesn’t provide you with all the information you need at your fingertips to be able to see who is on your network, from which workstation or device, since when, and what suspicious behaviour is going on.

Analyst and director Bob Tarzey at Quocirca agrees saying:

« Active Directory provides basic user security, checking that credentials supplied match stored user profiles and then opening up access to resources. Stronger techniques are needed to ensure a user really is who they say they are. »

IT’s opinion on the biggest Windows Active Directory headaches

We asked various IT community groups “what are your biggest challenges regarding access security” and the responses demonstrated a real mix of headaches, including the sheer number of users, access to different data types, having no real native support from multi-factor authentication and Kerberos:

Guurhart

"The biggest challenge is Kerberos and the weaknesses inherent in AD. Only the latest versions of windows give you any real chance at beating attackers who're trying to move laterally. So if you're not on windows 10 and server 2016, you don't have all the tools needed to have a real chance. What administrators are doing is haphazard and based on what they know about the threats to AD, which typically is not a lot. The kind of employees that open up your organization to attack are: Local administrators and domain admins who log into anything not a DC."

Brad Voris

"Depends on the environment really, number of users, access to specific types of data, etc. MFA with RSA/Duo, RBAC, minimizing Group Policy, privileged access accounts, change control, audit trails, monitoring etc."

Scott Miller, Niagara Technology Group

"A major limitation of AD is the assumption that you will have a LAN. Azure AD (which is not AD) breaks this barrier and is worlds better as a concept IMHO. Unless you are totally LAN centric, AD adds so much complication."

Brad Voris (on Group Policy)

"Audit logs are in the form of event logs with specific error messages, some of which require Group Policy configuration changes on the Domain Controller Default Policy. Initially there is VERY limited logs and in order to get more data you have to make a fair amount of changes to Group Policy. Very important."

Adam Cotton,
Criterion Systems (on users)

"Many compromises take advantage of users that don’t take proper precautions or that can be persuaded to give out information"

When asked "what's the worst that could happen?" one respondent in particular understood the breadth of the threats facing his organisation:

Cereal

"Social engineering, gathering data, installing software, running ransomware on shared resources"

Indeed, a previous IS Decisions study found that, when asked about the security of Windows Active Directory, nearly half (49%) of IT security professionals stated that there were security holes.

There are security holes in Microsoft Active Directory

49%

3% Strongly Agree

46% Agree

51%

48% Disagree

3% Strongly Disagree

From The Insider Threat Manifesto
(a survey of 500 IT decision makers in the UK and US)

Many of these challenges stem from the fact that Active Directory lacks the ability to do any of the following:

  • Defend against the use of stolen logon credentials

    1

  • Apply temporary logon controls

    3

  • Stop simultaneous logins from a single user

    5

  • Detect possible or suspicious access events

    7

  • 2

    Stop careless user behaviour such as password sharing

  • 4

    Ensure access is identifiable and attributable to an individual user who is then accountable for any activity — malicious or otherwise

  • 6

    Monitor systems in real time to get a clear picture of who, when and where is on the network at any one time

  • 8

    Audit with centralised, network-wide reporting

  • 1

    Defend against the use of stolen logon credentials

  • 2

    Stop careless user behaviour such as password sharing

  • 3

    Apply temporary logon controls

  • 4

    Ensure access is identifiable and attributable to an individual user who is then accountable for any activity — malicious or otherwise

  • 5

    Stop simultaneous logins from a single user

  • 6

    Monitor systems in real time to get a clear picture of who, when and where is on the network at any one time

  • 7

    Detect possible or suspicious access events

  • 8

    Audit with centralised, network-wide reporting

Current techniques to manage logon security

The responses we saw around how companies are currently treating access security show hugely varied techniques, from completely overhauling their security systems to, more shockingly, sticking their head in the sand and doing nothing due to a lack of budget to fund access security.

Meanwhile, some companies have ruled out real-time monitoring on the mistaken assumption that it is too time consuming and difficult, and would likely add additional strain on the IT department, rather than work alongside the team to its benefit.

Another common practice IT professionals are seeing in their places of work is dealing with different breaches in different ways. Often organisations are overcomplicating matters by implementing complex and costly solutions that only end up being disruptive.

Brad Voris

"My organization is implementing a massive new security program and overhaul to change not just the physical/logical aspects of security but also the culture."

Roguetroll

"We use Windows Active Directory. But since there's no budget for security (I don't even know if we're running AV on all machines right now) let's just say we're deploying the "Told you so" method when shit hits the fan."

Guurhart

"Keeping up with who's doing what in real time seems like a pointless exercise that will drain your IT and infosec staff rapidly."

Brad Voris

"When it comes to detecting breaches, what I do depends on the activity, type of attack and where it is originating from. How quickly I am able to identify it again depends on the breach, most of the time almost instantly but that is due to the SIEM not AD. AD isn't designed as a SIEM, its designed as a means of authentication, authorization and access. If you want more functionality out of AD PowerShell is the way to go, if you want better security you are going to have to have some third party hardware/software."

Guurhart

"There are always risks associated with custom scripts and applications. Do the risks outweigh the rewards? In my environment yes. We have a limited number of admins, engineers who can modify anything in AD. This in itself is difficult to manage since the business focus is on development and not on support. So I actively monitor changes in AD as well."

Whatever companies are doing about improving access security, it’s still not enough. So poor, in fact, is the current state of many organisations’ access management policy mthat many are failing to address even the most basic of issues.

A previous piece of research by IS Decisions uncovered that as much as a third of ex-employees still have access to their former company’s data or systems — a hugely worrying statistic considering ever-tightening data protection laws.

From IS Decisions – A Study of Insider Threat Personas

36,3%

of employees have continued to have access to systems or data from an employer after they have left a job

I am always looking for any solution that can improve Active Directory security

Chart

17,9% Strongly agree

65,1% Agree

15,3% Disagree

1,7% Strongly disagree

The good news, however, is that IT administrators are not turning a blind eye as to what’s out there. Most (83%) are actually looking for ways to improve their Active Directory security.

Top tips to improve your user logon security

Our conversations with IT professionals prove that businesses are facing a variety of issues with access management and dealing with these problems in numerous different ways. It’s also clear from our discussions that these professionals have a wealth of knowledge and experience to share around access management security. Here’s a few of the best nuggets they had to say:

Brad Voris

"Windows servers need to be hardened prior to deployment into a production environment… No real native support for MFA/2FA so third-party tools should be used. Third-party resources are still significantly better than no resources at all considering that most AD environments are haphazardly managed by administrators with little security & AD expertise."

Brad Voris

"Invest a lot of time with PowerShell if your strictly an MS shop. You can get real-time anything in a small enough environment."

Vivek Krishnan

"If you are looking into the security angle, then first you need to ensure your AD is not exposed to the net. Secondly, anyone is inside your LAN can know the available users and do brute force attacks. Coming to AD, if running Windows it's a very convenient feature to be having."

Guurhart

"Many types of logs are not very important. Model your threats, identify the Windows EIDs that you need to be monitoring to be able to catch attackers and unauthorized usage, log those and build some monitoring and alerting use cases."

Guurhart

"Very important to get an alert when certain access events occur."

Guurhart

"When detected or alerted, you need playbooks for handling these situations. If you don't have playbooks and someone trained in using those, you will respond inconsistently and randomly. How quickly we're able to identify and contain - well that's a very tough question. The threats we see, rapidly. The threats we don't see, never."

Guurhart

"I want to add that you need to factor physical access management into the picture also, because someone with physical access to let's say an archive room full of sensitive stuff also suddenly has access to all that's in there. For active directory - indeed as said below "least privilege" is the way to go, for AD especially this means:

  • Domain Admin accounts are used only to log into domain controllers
  • Figure out how enterprise admins and the other roles allow you to do what you need to be able to do
  • No local admins should be allowed at all, they pose a huge risk"

Mark Cutting

"You should also periodically run a report to see who has local admin access."

Darrell Drystek

"In terms of reviewing file access to understand whether the current access assigned is appropriate, the following is required:
The first step is to inventory the file shares/folders and determine who the data owner is (or who should be the assigned data owner). If data ownership has not been assigned, then communication and negotiation will be necessary to obtain agreement on the assignment of ownership of each repository
“The second step is to produce a list of users having access to each file share/folder. The list should include the types of access the user has been granted. Communicate the information derived in steps 1 and 2 to the assigned data owners, request review and reply with either agreement or adjustment to the assigned access rights.
There is a bit of grunt work involved in getting the initial process done but it is well worth it because once you have that information in hand it becomes easier to keep current and you have a repeatable reporting piece for your governance and compliance assessment processes going forward"

Mark Cutting

"Access in terms of data should always work using the "least privilege" model, so you can use that as a base and work outwards. The only real way to determine who has access to what is to perform a full audit of all file shares and folders to:

  • Determine who the owner is
  • Who has access
  • Based on the results of the review, contact the owner of the data and provide them with a list of who is able to access – they either approve and sign off, or ask you to make changes
  • Typically, this type of audit in a SOX environment is conducted once a quarter

    Unfortunately, there’s a fair amount of effort involved in getting the bulk of the information initially, but once you have a good grip on who has access to what, the correct controls around granting access can then be implemented"

    • The views outlined above suggest that, despite all its benefits, Windows Active Directory is a route cause of many access management headaches, something compounded by the vast number of security challenges IT pros are dealing with.

    The lack of any uniform process for IT pros to follow has given rise to plenty of time-intensive and over complicated approaches to the problem, which can labour intensive, expensive or at worst, ineffective.

    At IS Decisions we have our own philosophy for making it easy to safeguard, secure and manage access to your Microsoft Windows and Active Directory infrastructure.

    Security does not have to be frustrating. Focus on solutions that are adaptive to your existing IT infrastructure and easy to deploy across all users. Select a solution that leverages on your existing investment and IT infrastructure that can be seamlessly installed.

    Many of these access management challenges can be mitigated with investment in tools that monitor and, to a certain extent, control users, for their own benefit and for that of the organisation they work for.

    About UserLock

    Over 3,000 customers around the world rely on UserLock to help prevent security breaches. Working alongside Active Directory to extend, not replace its security, UserLock offers powerful protection for all Windows Active Directory domain logins, even when credentials are compromised.

    • Using the contextual information around a user’s logon, UserLock can apply further restrictions on what users can do once authenticated
    • UserLock offers real-time visibility, risk detection tools and centralized auditing to help detect and respond to suspicious activity quickly.

    Discover UserLock