Preventing Insider Threats in Your Active Directory

Mar 22, 2023
The Hacker News
Password Security / Active Directory

Active Directory (AD) is a powerful authentication and directory service used by organizations worldwide. With this ubiquity and power comes the potential for abuse. Insider threats carry some of the greatest potential for destruction. Many internal users have over-provisioned access to, and visibility into, the internal network.

Insiders’ level of access and trust in a network leads to unique vulnerabilities. Network security often focuses on keeping a threat actor out, not on existing users’ security and potential vulnerabilities. Staying on top of potential threats means protecting against threats from inside as well as outside.

Active Directory Vulnerabilities

From the outside, a properly configured AD domain offers a secure authentication and authorization solution. But with complex social engineering and phishing email attacks, an existing AD user can become compromised. Once inside, threat actors have many options to attack Active Directory.

Insecure Devices

With “Bring Your Own Device” (BYOD) growing, there is increased device support and security complexity. If users connect a device that is already compromised or has inadequate security measures, attackers have a simple way to gain access to the internal network.

In the past, an attacker would have to sneak in to install a malicious device. Now, however, a user with a compromised device does the hard work for them. Moreover, many workers may also connect their smartphones or tablets to the network. This means that, instead of a single work-issued laptop, you may have two or three user devices that are not subject to the same security measures.

Over-Provisioned Access

Adding complexity to internal security is the common issue of over-provisioned access. Organizations often tend to expand access instead of restricting it. A single act of convenience to solve a problem can have the unintended consequence of creating a potential attack vector, which is then often forgotten.

For those users that are also administrators, there is not always a highly secure “Administrative” account created to separate the different access levels. In this way, the convenience of allowing administrative tasks via a standard user account opens the door to rampant abuse: if that everyday account is compromised, the attacker has compromised a highly privileged account at the same time.

Weak Password Policies

Many organizations, especially larger ones, may have weaker password policies due to the various applications they support. Not all applications are the same, and some do not support the latest security standards. Examples include applications that do not support LDAP signing or LDAP over TLS (LDAPS).
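
One way to find those applications before signing is enforced, as an added example written for this page rather than taken from the article: once LDAP interface diagnostics are raised on a domain controller, each unsigned or clear-text bind is recorded as Event ID 2889 in the Directory Service log, and the script below groups those events by client and identity. The 24-hour window and the English message-text parsing are assumptions.

```powershell
# Added example (not from the article): list the clients that still bind to this domain controller
# without LDAP signing or over clear-text LDAP. Run on a DC with administrative rights.
# Event ID 2889 is only logged once LDAP interface diagnostics are raised to level 2.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Assumed collection window: the last 24 hours
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
    -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # The message text names the client address and the identity it bound as (English wording assumed)
    $ip = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    $id = if ($_.Message -match 'authenticate as:\s*(.+?)\s*(Binding Type|$)') { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{ Client = ($ip -replace ':\d+$'); Identity = $id; Time = $_.TimeCreated }
} | Group-Object Client, Identity | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Client';   e = { $_.Group[0].Client } },
        @{ n = 'Identity'; e = { $_.Group[0].Identity } },
        @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Each row is an application or host to reconfigure for signing or LDAPS; repeat on every domain controller, since the events are local to the DC that served the bind.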

A weak password policy coupled with a lack of multi-factor authentication makes it easy to crack a retrieved hash through a technique such as Kerberoasting via a privileged internal account. This is in stark contrast to a strong password policy and multi-factor authentication, which make it much harder to gain access to a system or network by cracking a hash.

Best Practices for Securing Active Directory

To secure Active Directory, there are many best practices to follow. Based on the previously outlined security themes, here are several:

Training users to identify potential phishing emails and social engineering attacks is essential. Additionally, users should be discouraged from clicking on any attachments, and organizations should use systems that scan for malicious content. These measures can help to reduce the risk of a successful attack.

But assume that AD has already been compromised. An organization can and should take an in-depth look into the permissions assigned to active and non-active or decommissioned users and systems. Are there ways to separate permissions from typical user accounts and assign them to special administrative accounts with a higher security level?
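
As an added example (not from the article), a PowerShell pass over the privileged groups that surfaces the cases described above: accounts that are disabled, stale, or have non-expiring passwords yet still hold privileged membership, plus inactive accounts that remain enabled anywhere in the domain. The group list and the 90-day and one-year thresholds are assumptions; it needs the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the article): report who holds privileged AD group membership and flag
# the risky cases the article describes. Group names and thresholds are assumptions to adjust.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$staleAfter       = (Get-Date).AddDays(-90)    # assumed: no logon for 90 days is stale
$oldPassword      = (Get-Date).AddYears(-1)    # assumed: a privileged password older than a year is a finding

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed;
    # foreign security principals from trusted domains may error and are skipped
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate
        $flags = @()
        if (-not $u.Enabled)                                               { $flags += 'disabled-but-privileged' }
        if ($u.PasswordNeverExpires)                                       { $flags += 'password-never-expires' }
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $staleAfter)    { $flags += 'stale-90d' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $oldPassword)   { $flags += 'password-older-than-1y' }
        [pscustomobject]@{
            Group = $group; User = $u.SamAccountName; Enabled = $u.Enabled
            LastLogon = $u.LastLogonDate; PasswordLastSet = $u.PasswordLastSet; Flags = ($flags -join ',')
        }
    }
}
$report | Sort-Object Group, User | Format-Table -AutoSize

# Decommissioned or inactive accounts anywhere in the domain that were never disabled
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays(90)) -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Format-Table -AutoSize
```

Rows with a non-empty Flags column are the review queue; an enabled privileged account that has not logged on in 90 days is the kind of forgotten access the article warns about.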

Enabling multi-factor authentication with a strong password policy is essential for creating some of the strongest protections available. As many social engineering attacks rely on learning and compromising a user’s external sites, where a reused password could offer a foothold, an organization must mandate strong passwords.

Keeping Active Directory Secure with Specops Password Policy

Underpinning many of the security recommendations is a strong password policy. The default Active Directory configurations and user tools are inadequate. To ensure users comply with password standards such as NIST, CJIS, and PCI, and to block weak passwords, organizations can use Specops Password Policy. It gives your organization the ability to create custom dictionary lists and to block user names, display names, specific words, consecutive characters, incremental passwords, and reuse of part of the current password, while providing real-time feedback for users.
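
To make the rules listed above concrete, here is an added example (written for this page, not Specops code) that models each check as a PowerShell function and runs it against constructed candidates for a sample user. The 14-character minimum, the 4-character run lengths, the user jdoe and the word list are all assumptions.

```powershell
# Added example (not Specops code): the article's checks modelled as a PowerShell function.
# The 14-character minimum and the 4-character run lengths are assumed thresholds.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = '',
        [string]$CurrentPassword = '',
        [string[]]$Dictionary = @(),
        [int]$MinLength = 14
    )
    $fail  = [System.Collections.Generic.List[string]]::new()
    $lower = $Password.ToLowerInvariant()
    if ($Password.Length -lt $MinLength) { $fail.Add("shorter than $MinLength characters") }

    # Block the user name, each word of the display name, and custom dictionary words
    $blocked = @($SamAccountName) + ($DisplayName -split '\s+') + $Dictionary
    foreach ($w in ($blocked | Where-Object { $_.Length -ge 3 })) {
        if ($lower.Contains($w.ToLowerInvariant())) { $fail.Add("contains blocked word '$w'"); break }
    }

    # Consecutive characters: the same character 3+ times, or a 4-character ascending/descending run
    if ($Password -cmatch '(.)\1\1') { $fail.Add('repeats a character three times') }
    for ($i = 0; $i -le $lower.Length - 4; $i++) {
        $steps = 1..3 | ForEach-Object { [int]$lower[$i + $_] - [int]$lower[$i + $_ - 1] }
        if (($steps -join '') -in '111', '-1-1-1') { $fail.Add("contains sequence '$($lower.Substring($i, 4))'"); break }
    }

    if ($CurrentPassword) {
        $cur = $CurrentPassword.ToLowerInvariant()
        # Incremental change: identical once the digits are removed (Summer2023! -> Summer2024!)
        if (($lower -replace '\d') -eq ($cur -replace '\d')) { $fail.Add('is an incremented form of the current password') }
        # Partial reuse: any 4-character run shared with the current password
        for ($i = 0; $i -le $lower.Length - 4; $i++) {
            $run = $lower.Substring($i, 4)
            if ($cur.Contains($run)) { $fail.Add("reuses '$run' from the current password"); break }
        }
    }
    [pscustomobject]@{ Password = $Password; Passes = ($fail.Count -eq 0); Failures = ($fail -join '; ') }
}

# Constructed sample: user jdoe (Jane Doe) changing from Summer2023!, with a small company word list
$dict = 'contoso', 'password', 'welcome'
'Summer2024!', 'JaneDoe#Rocks2024', 'Contoso-Abcd-9!!!', 'pw-Xq7!mN2#vB9kLz' | ForEach-Object {
    Test-PasswordPolicy -Password $_ -SamAccountName 'jdoe' -DisplayName 'Jane Doe' `
        -CurrentPassword 'Summer2023!' -Dictionary $dict
} | Format-Table -AutoSize
```

The Failures column is the real-time feedback a user would need: each rejected candidate names the rule it broke rather than a bare "password rejected".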

The Breached Password Protection add-on further enhances security by alerting users in real time if their chosen password is on a list of breached passwords. It also provides in-depth scanning to detect over 3 billion compromised passwords on accounts throughout an AD domain.

Protecting Active Directory from Insider Threats

Though it may be impossible to protect against every threat, by taking in-depth looks into existing permission structures, active users, and the technical implementation of Active Directory, an organization can go a long way to securing its environment. With Specops Password Policy, take your password policy to the next level through Breached Password Protection and mandating unique and secure passwords across the board.
