How Windows Active Directory is failing user logon security

Curated advice for IT administrators from your peers on: Spiceworks, Peerlyst, Daniweb, Reddit

Executive Summary

Despite all its benefits, Windows Active Directory is the root cause of many logon security headaches — something compounded by the vast number of challenges IT professionals are dealing with from the careless, exploited or malicious user.

Poor logon security can lead to devastating data breaches, but improving the way you manage access is no easy feat — especially if you rely on Windows Active Directory alone.

IT professionals’ opinions on how their companies currently treat logon security show hugely varied techniques, from completely overhauling their security systems to, more shockingly, sticking their heads in the sand and doing nothing.

However, many of these challenges can be mitigated with investment in tools that monitor and, to a certain extent, control users, for their own benefit and for that of the organisation they work for.

Introducing the modern-day logon security challenge

On average, it takes 469 days for a European organisation to spot a data breach

Managing access to corporate networks is one of the most important parts of an IT professional’s job. The reason why is simple. Poor access security can lead to devastating data breaches. The recent high-profile attacks on the likes of Dropbox, eBay, Sony, Anthem, Sage, Three and many others have all directly resulted from an employee’s login details falling into an attacker’s hands.

And once those credentials are out in the open, you’re unlikely to find out until it’s too late — because your anti-virus, firewalls and perimeter defences won’t pick up on a login with a genuine username and password. On average, it takes 469 days for a European organisation to spot a data breach, and with the GDPR coming up in April 2018, chances are you’re already too late to do anything about your latest breach — and may have to face a fine of €20,000 or 4% of your turnover, whichever the greater.

Improving the way you manage access is no easy feat though — especially if you rely on Windows Active Directory alone. For all its benefits and uses, Windows Active Directory doesn’t provide you with all the information you need at your fingertips to be able to see who is on your network, from which workstation or device, since when, and what suspicious behaviour is going on.

Analyst and director Bob Tarzey at Quocirca agrees saying:

« Active Directory provides basic user security, checking that credentials supplied match stored user profiles and then opening up access to resources. Stronger techniques are needed to ensure a user really is who they say they are. »

IT’s opinion on the biggest Windows Active Directory headaches

We asked various IT community groups “what are your biggest challenges regarding access security?” and the responses demonstrated a real mix of headaches, including the sheer number of users, access to different data types, the lack of native support for multi-factor authentication, and Kerberos.

Indeed, a previous IS Decisions study found that, when asked about the security of Windows Active Directory, nearly half (49%) of IT security professionals stated that there were security holes.

Statement put to respondents: “There are security holes in Microsoft Active Directory”

  • 49% agree (3% strongly agree, 46% agree)
  • 51% disagree (48% disagree, 3% strongly disagree)

From The Insider Threat Manifesto (a survey of 500 IT decision makers in the UK and US)

Many of these challenges stem from the fact that Active Directory lacks the ability to do any of the following:

  1. Defend against the use of stolen logon credentials
  2. Stop careless user behaviour such as password sharing
  3. Apply temporary logon controls
  4. Ensure access is identifiable and attributable to an individual user who is then accountable for any activity — malicious or otherwise
  5. Stop simultaneous logins from a single user
  6. Monitor systems in real time to get a clear picture of who, when and where is on the network at any one time
  7. Detect possible or suspicious access events
  8. Audit with centralised, network-wide reporting
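Two of the gaps listed above (stopping simultaneous logins from a single user, and detecting suspicious access events) can be approximated by replaying the domain's logon and logoff audit events. The following is an added example, not code from the page or from UserLock/IS Decisions. It assumes records shaped like Windows Security events 4624 (account logged on) and 4634 (account logged off), using the real event field names TargetUserName, TargetLogonId, WorkstationName and LogonType, but every value in the sample list is constructed. It flags any account that holds interactive sessions on more than one machine at the same moment, ignoring network (type 3) logons, which file-share access generates constantly.

```python
"""Detect one account holding interactive sessions on more than one machine at once.

Added example, not part of the original page. Input records mimic the field
names of Windows Security events 4624 (logon) and 4634 (logoff); the sample
data below is constructed, not captured from a real domain.
"""
from dataclasses import dataclass
from datetime import datetime

# LogonType values that represent a person at a console or RDP session:
# 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
# Type 3 (Network) is excluded because SMB/LDAP access produces it in bulk.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int           # 4624 = logon, 4634 = logoff
    user: str               # TargetUserName
    logon_id: str           # TargetLogonId: ties a 4634 back to its 4624
    workstation: str = ""   # WorkstationName (empty on logoff events)
    logon_type: int = 0     # LogonType (only meaningful on 4624)


def detect_concurrent_sessions(events):
    """Replay events in time order.

    Returns (alerts, active): alerts is a list of (time, user, [machines])
    raised whenever a logon leaves the user with sessions on more than one
    machine; active maps each still-open logon_id to (user, workstation).
    """
    active = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 4624:
            if ev.logon_type not in INTERACTIVE_LOGON_TYPES:
                continue
            active[ev.logon_id] = (ev.user, ev.workstation)
            machines = {ws for user, ws in active.values() if user == ev.user}
            if len(machines) > 1:
                alerts.append((ev.time, ev.user, sorted(machines)))
        elif ev.event_id == 4634:
            # A logoff closes exactly the session whose logon_id it carries.
            active.pop(ev.logon_id, None)
    return alerts, active


def _t(hhmm):
    """Helper: build a timestamp on an arbitrary (constructed) date."""
    return datetime.fromisoformat(f"2017-11-06T{hhmm}:00")


# Constructed sample: alice logs on at her desk, then again at a shared kiosk
# while the first session is still open; she also makes a network logon to a
# file server, which must not count as a second interactive session.
SAMPLE_EVENTS = [
    LogonEvent(_t("09:00"), 4624, "alice", "0x3e7a1", "WS-ALICE", 2),
    LogonEvent(_t("09:05"), 4624, "bob",   "0x3f001", "WS-BOB",   2),
    LogonEvent(_t("09:10"), 4624, "alice", "0x40102", "WS-KIOSK", 2),
    LogonEvent(_t("09:12"), 4624, "alice", "0x40200", "FILESRV",  3),  # ignored
    LogonEvent(_t("09:30"), 4634, "alice", "0x3e7a1"),                  # leaves WS-ALICE
    LogonEvent(_t("09:40"), 4624, "carol", "0x50000", "WS-CAROL", 2),
]

if __name__ == "__main__":
    found, still_open = detect_concurrent_sessions(SAMPLE_EVENTS)
    for when, user, machines in found:
        print(f"{when:%H:%M} {user} has interactive sessions on {', '.join(machines)}")
    print("still logged on:", sorted(still_open.values()))
```

Run against real data, the events would come from the domain controllers' Security logs (each DC only sees the logons it authenticated, so all of them need collecting); the replay logic itself does not change. The alert condition is deliberately the same one an administrator would turn into a block rule: a second interactive session for a user who already has one open elsewhere.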

Current techniques to manage logon security

The responses we saw around how companies are currently treating access security show hugely varied techniques, from completely overhauling their security systems to, more shockingly, sticking their head in the sand and doing nothing due to a lack of budget to fund access security.

Meanwhile, some companies have ruled out real-time monitoring on the mistaken assumption that it is too time consuming and difficult, and would likely add additional strain on the IT department, rather than work alongside the team to its benefit.

Another common practice IT professionals are seeing in their places of work is dealing with different breaches in different ways. Often organisations are overcomplicating matters by implementing complex and costly solutions that only end up being disruptive.

Whatever companies are doing about improving access security, it’s still not enough. So poor, in fact, is the current state of many organisations’ access management policy that many are failing to address even the most basic of issues.

A previous piece of research by IS Decisions uncovered that as much as a third of ex-employees still have access to their former company’s data or systems — a hugely worrying statistic considering ever-tightening data protection laws.

From IS Decisions – A Study of Insider Threat Personas: 36.3% of employees have continued to have access to systems or data from an employer after they have left a job.

Statement put to respondents: “I am always looking for any solution that can improve Active Directory security”

  • 17.9% strongly agree
  • 65.1% agree
  • 15.3% disagree
  • 1.7% strongly disagree

The good news, however, is that IT administrators are not turning a blind eye as to what’s out there. Most (83%) are actually looking for ways to improve their Active Directory security.

Top tips to improve your user logon security

Our conversations with IT professionals show that businesses are facing a variety of issues with access management and dealing with these problems in numerous different ways. It’s also clear from our discussions that these professionals have a wealth of knowledge and experience to share around access management security. Here are a few of the best nuggets they had to say.

The views outlined above suggest that, despite all its benefits, Windows Active Directory is a root cause of many access management headaches, something compounded by the vast number of security challenges IT pros are dealing with.

The lack of any uniform process for IT pros to follow has given rise to plenty of time-intensive and overcomplicated approaches to the problem, which can be labour intensive, expensive or, at worst, ineffective.

At IS Decisions we have our own philosophy for making it easy to safeguard, secure and manage access to your Microsoft Windows and Active Directory infrastructure.

Security does not have to be frustrating. Focus on solutions that adapt to your existing IT infrastructure and are easy to deploy across all users. Select a solution that leverages your existing investment and IT infrastructure and can be installed seamlessly.

Many of these access management challenges can be mitigated with investment in tools that monitor and, to a certain extent, control users, for their own benefit and for that of the organisation they work for.

About UserLock

Over 3,000 customers around the world rely on UserLock to help prevent security breaches. Working alongside Active Directory to extend, not replace its security, UserLock offers powerful protection for all Windows Active Directory domain logins, even when credentials are compromised.

  • Using the contextual information around a user’s logon, UserLock can apply further restrictions on what users can do once authenticated.
  • UserLock offers real-time visibility, risk detection tools and centralised auditing to help detect and respond to suspicious activity quickly.
