Top 10 Active Directory Security Risks
Active Directory plays a critical role in helping sysadmins manage user privileges and secure their IT infrastructure, yet privilege escalation remains a live threat. Sysadmins face a large number of security challenges, many of which are hard to anticipate. Below are 10 important Active Directory security risks that admins should address in order to keep their environment secure:
- Any account holding the Replicating Directory Changes All right (the DS-Replication-Get-Changes-All extended right) on the domain head can be used for a DCSync attack. Mimikatz, an open-source tool best known for pulling credentials out of the Local Security Authority Subsystem Service (LSASS), includes a DCSync module that impersonates a Domain Controller and asks a real DC to replicate account secrets, including the krbtgt and Domain Admin password hashes, without ever touching the DC's disk. An attacker who holds those rights therefore already has what is needed to forge Kerberos tickets; changing permissions on the domain root, or anything else, follows trivially from there. Most anti-virus tools detect the stock Mimikatz binary, but recompiled or in-memory variants regularly get past them, so the real defence is to audit who holds replication rights rather than relying on AV.
- AdminSDHolder is an object in the System container (CN=AdminSDHolder,CN=System,<domain>) whose ACL serves as the template for all protected objects, i.e. those with adminCount=1 such as Domain Admins and its members. The SDProp process copies that ACL onto every protected object on a schedule (every 60 minutes by default), so anyone who can modify AdminSDHolder's ACL can grant themselves rights over every Domain Admin account and effectively take over the forest, and the change will be re-applied automatically even if someone cleans up an individual account.
- A single unauthorized change to the domain root's ACL is inherited by every object below it whose ACL does not block inheritance (i.e. is not marked 'protected'), so one bad ACE at the top of the tree can expose most of the domain.
- Unauthorized write access to the default Domain Controllers OU (in particular to its gPLink attribute) makes it possible to link a malicious Group Policy Object to every Domain Controller in the domain, which amounts to code execution as SYSTEM on all of them.
- Organisations often deploy their systems with the default settings, assuming that the defaults are the most secure configuration. While it is true that the defaults in newer versions of Windows Server are relatively secure, they are a starting point rather than a hardened baseline, and relying on them unchanged remains one of the biggest security issues associated with Active Directory.
- By default, Domain Admins (DAs) have full control over every Domain Controller, member server, workstation, Active Directory object and Group Policy Object in the domain. Such a broad grant of privilege is a significant security risk in itself. To make matters worse, the Domain Admins group commonly contains more accounts than there are people who actually administer Active Directory: service accounts, former staff and convenience additions accumulate over time and are rarely removed.
- A service account is an account under which an application or service runs so that it can interact with the underlying OS and the network. These accounts are often granted far more privilege than the service needs, which makes them an easy path for privilege escalation. Worse, a service running with local administrator or debug privileges can read LSASS memory, where the credentials of every user logged on to that host are cached; if a Domain Admin has logged on to the same machine, the domain can be compromised from that single service.
- Any authenticated domain user can request a Kerberos service ticket for any account that has a Service Principal Name (SPN) set. The ticket is encrypted with a key derived from the service account's password, and if the account still permits the RC4 encryption type that key is simply the account's NT hash, so the ticket can be taken offline and cracked to recover the password (Kerberoasting). To mitigate this, use Group Managed Service Accounts where possible, give the remaining service accounts long random passwords (20+ characters), and restrict them to AES encryption types.
- With each successive release of Windows Server, more sophisticated security features are introduced and previous security flaws are fixed. Domain Controllers running older versions of Windows Server therefore present a security risk, and ones that are past end of support no longer receive patches at all.
- While it is possible to change local admin passwords, create accounts and services, and deploy scheduled tasks using Group Policy Preferences, using them for anything that needs a password is a very bad idea from a security perspective. The credential is stored as a cpassword attribute in an XML file under SYSVOL, which is replicated to every Domain Controller and readable by every authenticated user, and it is encrypted with a static AES key that Microsoft itself published in its documentation. Microsoft removed the ability to set passwords this way in MS14-025, but existing XML files with cpassword values stay in SYSVOL until someone deletes them, and attackers routinely search for and decrypt them.
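The first four risks above all come down to who holds which rights on three objects: the domain head, AdminSDHolder and the Domain Controllers OU. The following script is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module (which provides the AD: drive) on a domain-joined machine and lists every Allow ACE on those objects that would let a principal DCSync, rewrite the object or its DACL, or link a GPO. The extended-right and property GUIDs are the schema-defined ones and are the same in every forest.

```powershell
# Added example (not from the original post): audit who can DCSync, rewrite AdminSDHolder,
# push ACEs down from the domain head, or link GPOs to the Domain Controllers OU.
# Assumes the RSAT ActiveDirectory module on a domain-joined machine; any domain user
# can read these ACLs, so no special privilege is needed to run the check.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Extended-right GUIDs that let a principal pull secrets via replication (DCSync)
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Property GUIDs that control which GPOs apply to an OU
$gpLinkProps = @{
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink'
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = 'gPOptions'
}
$allObjects = '00000000-0000-0000-0000-000000000000'   # empty ObjectType = ACE applies to everything

$R = [System.DirectoryServices.ActiveDirectoryRights]
$writeMask = [int]($R::GenericAll -bor $R::GenericWrite -bor $R::WriteDacl -bor $R::WriteOwner)

function Get-DangerousAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString()
        $why    = $null

        if ($rights -band $writeMask) {
            $why = 'Can rewrite the object or its DACL'
        }
        elseif ($rights -band [int]$R::ExtendedRight) {
            if ($guid -eq $allObjects)                     { $why = 'All extended rights (includes replication)' }
            elseif ($replicationRights.ContainsKey($guid)) { $why = $replicationRights[$guid] }
        }
        elseif ($rights -band [int]$R::WriteProperty) {
            if ($guid -eq $allObjects)               { $why = 'Write to all properties (includes gPLink)' }
            elseif ($gpLinkProps.ContainsKey($guid)) { $why = "Write to $($gpLinkProps[$guid]) (can link a GPO)" }
        }

        if ($why) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Finding   = $why
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The three objects the risks above single out
$targets = @(
    $domainDN                                   # domain head: replication rights live here, ACEs inherit downward
    "CN=AdminSDHolder,CN=System,$domainDN"      # template ACL stamped onto every adminCount=1 object by SDProp
    "OU=Domain Controllers,$domainDN"           # a GPO linked here runs as SYSTEM on every DC
)

$findings = foreach ($dn in $targets) { Get-DangerousAce -DistinguishedName $dn }
$findings | Sort-Object Object, Principal | Format-Table Object, Principal, Finding, Inherited -AutoSize
```

In a stock domain the replication rights on the domain head belong to the Domain Controllers, Enterprise Domain Controllers and Administrators groups (plus Enterprise Read-only Domain Controllers for the filtered set); any other principal in that output is a DCSync path, and even a legitimate one such as a directory-synchronisation account has to be protected as tightly as a Domain Admin. For AdminSDHolder and the Domain Controllers OU, anything beyond the built-in administrative groups and SYSTEM should be explained or removed. Note that GenericAll implies every extended right, which is why the write check runs first.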
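The service-account and Group Policy Preferences risks are both about credentials an ordinary domain user can fetch and crack offline. The following script is an added example, not from the original post; it assumes the RSAT ActiveDirectory module and read access to the SYSVOL share (which every authenticated user has, which is exactly why the second check matters). The encryption-type bit values are the documented msDS-SupportedEncryptionTypes flags; treating an unset attribute as RC4-capable reflects the legacy default for user accounts and is stated as an assumption in the code.

```powershell
# Added example (not from the original post): find accounts exposed to Kerberoasting and
# Group Policy Preference files that still carry a cpassword. Assumes the RSAT
# ActiveDirectory module and read access to SYSVOL.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# --- 1. Kerberoastable accounts ---------------------------------------------------
# msDS-SupportedEncryptionTypes bits. Assumption: an unset attribute means the account
# can still be issued an RC4 ticket (the legacy default for user accounts).
$RC4 = 0x4; $AES128 = 0x8; $AES256 = 0x10

$kerberoastable = Get-ADUser -Filter "ServicePrincipalName -like '*'" `
        -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
    Where-Object { $_.Enabled -and $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $enc        = $_.'msDS-SupportedEncryptionTypes'
        $aesOnly    = ($enc) -and ($enc -band ($AES128 -bor $AES256)) -and -not ($enc -band $RC4)
        $ageDays    = if ($_.PasswordLastSet) { [int]((New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).TotalDays) } else { $null }
        $privileged = ($_.AdminCount -eq 1)
        $risk       = if ($privileged -and -not $aesOnly) { 'High' }
                      elseif (-not $aesOnly -or $ageDays -gt 365) { 'Medium' }
                      else { 'Low' }
        [pscustomobject]@{
            Account         = $_.SamAccountName
            SPNs            = ($_.ServicePrincipalName -join '; ')
            Privileged      = $privileged
            RC4Ticket       = -not $aesOnly        # an RC4 ticket is keyed by the NT hash: cheap to crack offline
            PasswordAgeDays = $ageDays
            Risk            = $risk
        }
    }

$kerberoastable | Sort-Object Risk, Account | Format-Table -AutoSize

# --- 2. Leftover Group Policy Preference passwords --------------------------------
# Files that can carry a cpassword attribute. MS14-025 stopped GPMC from writing new
# ones, but nothing removes the old ones from SYSVOL.
$sysvolPolicies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

$gppHits = Get-ChildItem -Path $sysvolPolicies -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = Get-Content -Path $_.FullName -Raw
        if ($text -match 'cpassword="([^"]+)"') {          # an empty cpassword="" carries no secret
            $gpoGuid = if ($_.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '?' }
            $account = if ($text -match '(userName|accountName|runAs)="([^"]*)"') { $Matches[2] } else { '?' }
            [pscustomobject]@{
                GPO     = $gpoGuid
                File    = $_.Name
                Account = $account
                Path    = $_.FullName
            }
        }
    }

if ($gppHits) { $gppHits | Format-Table GPO, File, Account, Path -AutoSize }
else          { 'No cpassword values found under SYSVOL.' }
```

Every account the first section reports with RC4Ticket set to True is crackable at NT-hash speed by anyone with a domain logon; those that are also Privileged are the ones to fix first, by moving them to a gMSA or a long random password and setting the AES bits on msDS-SupportedEncryptionTypes. Any file the second section reports should be deleted (or the GPO recreated without the credential) and the password it carried treated as already compromised, because the decryption key is public.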
So, that's all in this blog. I will meet you soon with some other stuff. Have a nice day!!!