ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: What is the most serious security risk to Active Directory?


Member

Posts: 8
Date: May 25, 2011
What is the most serious security risk to Active Directory?


We are in the midst of planning an internal security assessment of our Active Directory deployment and we have been discussing a variety of potential security risks that we should ideally be ready to react to, should they ever materialize.

As a part of our internal discussions, one of the things we have been trying to do is prioritize the risks to our Active Directory deployment. Naturally, we came up with over a dozen scenarios/settings/configurations/incidents that could be nasty, but we have not yet been able to figure out what might be the most damaging security risk to our Active Directory.

I was hoping to get some insight from others on this forum, and would invite any input from others. This is naturally very important to the security of our entire Windows Server network, so this is very important for us to get a grip on, plan for, manage and assess.

All inputs appreciated.

Thanks,

-R



__________________

Go Proteas... we are the champions!  (; and some boring stuff.)



Member

Posts: 16
Date: Jul 3, 2012
What is the most serious security risk to Active Directory?


Hi Rossi,

I think the most serious security risk to Active Directory would have to be the takeover of the Active Directory by a disgruntled administrator.

The administrator need not be a Domain Administrator. Even a delegated administrator could find ways to increase his powers and somehow takeover / control the Active Directory. 

Should that happen, virtually everything in the network could be at risk.

- Aaron.



__________________


Member

Posts: 9
Date: Jul 3, 2012
What is the most serious security risk to Active Directory?


Rossi,

I think that the most serious security risk to Active Directory is the compromise of even a single domain controller, because if a domain controller were to be compromised, the entire directory database could be at risk, and in effect the entire Active Directory could be compromised.

That is why it is so important to adequately protect all Domain Controllers.

Abdul.



__________________

My little blog on Active Directory Delegation Tools



Member

Posts: 6
Date: Jul 3, 2012
What is the most serious security risk to Active Directory?


Rossi,

In my view, the most serious security risk to Active Directory is not knowing who has what powers in the Active Directory, and as a result not knowing how many people could compromise the Active Directory at any time.

Also, the risk is not just from the people who have sweeping powers in the Active Directory, it is also from someone who could force these people to do something bad, or perhaps compromise their account and then login as them to misuse their administrative privileges.

That is why I feel it is very important to know exactly who has what access in Active Directory at all times.

George.



__________________


Newbie

Posts: 4
Date: Jul 3, 2012
What is the most serious security risk to Active Directory?


Rossi,

I would say that one of the most serious Active Directory security risks is having a large number of Domain Admin like accounts, because if any of these accounts could be compromised by someone, such as a disgruntled insider, by even as little as resetting the Domain Admin's password, then the entire Active Directory would be at risk of compromise.

I would further add that this is why it is so important to delegate administrative access and have good access management and insight capabilities in place to minimize this risk.

Imtiaz.



__________________

Sr. Systems Admin focused on Windows Management



Member

Posts: 17
Date: Jul 3, 2012
What is the most serious security risk to Active Directory?


Rossi,

I have a different take on this. In my experience, the easiest way to compromise an Active Directory is to have a powerful AD admin use a malicious tool, because an admin need only run a malicious tool once for someone to be able to take over his identity and compromise the entire Active Directory.

I cannot believe how many IT admins actively look for, download and use free tools to fulfill even the most basic of tasks. I doubt they ever check who wrote this tool, or whether it is even a genuine copy, or what ALL it does (i.e. covertly as well) and so the use of free/untrusted tools is one of the most serious risks to Active Directory.

In our organization, we have strict policies around the use of free/unsupported tools for any thing at all. We also have a zero tolerance policy for this kind of stuff.

Incidentally, the discussion on How to Assess the Security of Software Tools Used by Admins is a very pertinent discussion to look at.

 

So, in my experience, the use of untrustworthy tools is the most serious risk to Active Directory, but that's just my opinion.

 



__________________

I’m sorry, but having a DB9 on the drive and not driving it is a bit like having Keira Knightley in your bed and sleeping on the couch.



Member

Posts: 16
Date: Jul 3, 2012
What is the most serious security risk to Active Directory?


Hi,

If I were to think of all the challenges I have faced in managing Active Directory over the years, I'd have to say not knowing exactly who has what access in our Active Directory was the toughest challenge, and as a result one of the most serious Active Directory security risks.

For instance, not knowing who can create user accounts, or who can delete an OU, or who can delete a server's computer account, are all very scary situations to be in, and I think most of us just either never think about these things, or hope like hell that no one can ever figure this out.

So I think not knowing who is delegated what access in Active Directory is one of the most serious Active Directory security risks I can think of.

Jeremy.



__________________
Driod Rules!


Member

Posts: 10
Date: Jul 3, 2012
What is the most serious security risk to Active Directory?


I have a completely different take on this, which is based on having worked with Active Directory for many years now - I believe that the deployment of 3rd party agents on DCs is one of the most serious risks to Active Directory.

I say this because we don't often think about it, but if any piece of software is running on your Domain Controller, whether or not it is running as System, it basically effectively has Full-Control over your Active Directory.

Should this agent (it being software) turn out to have a vulnerability, or have a back-door, or be programmed to do something bad, or do some damage, that would effectively be the end of my Active Directory!

You'd be surprised if I told you where some of the most common Active Directory solutions that require the installation of agents were built - India, Romania, Russia!

Would you run a piece of software written in Russia on your home computer? Would you run it on your admin laptop? Would you run it on your company's DCs? 

You get the point. The risk of deploying software agents on DCs / admin workstations is one of the most serious risks to Active Directory today!

You should ask yourself what agents you're running on your DCs today.

Danny.



__________________


Member

Posts: 21
Date: Jul 3, 2012
What is the most serious security risk to Active Directory?


Guys,

I can't believe it's not been brought up yet, but in my opinion, outsourcing the management of your Active Directory to the cloud is easily one of the most serious risks to Active Directory and one of the most foolish things CIOs can do.

I don't think people who make such decisions realize the ramifications of outsourcing the management of their Active Directory on the security of their enterprise.

No outsourced management vendor will either care as much about your Active Directory's security as you do OR be able to afford your Active Directory the protection it deserves, because they'll most probably have 100s/1000s of Active Directory deployments to manage, and as a business, they too will try to find the most efficient ways to manage all these deployments, and in doing so, your security will most likely be traded off.

It is shocking to see how companies can even consider moving such a vital piece of their infrastructure to be managed by someone else in the cloud!

Scary. Very Scary.

Geoffrey.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Member

Posts: 5
Date: Jul 3, 2012
RE: What is the most serious security risk to Active Directory?


Rossi,

I think that not having the ability to know who has what rights in the Active Directory is a very serious risk, because without visibility into who has what rights, we are all basically operating in the dark, with trust in God.

Chaitanya.



__________________

Never try to solve a problem on a Friday night. It can spoil your weekend :-)



Member

Posts: 10
Date: Jul 3, 2012
What is the most serious security risk to Active Directory?


Guys,

I think that the limitation of not being able to have more than 1024 SIDs in a user's access token is the most serious security risk to Active Directory, because it could be used to launch a denial-of-logon attack on the admins themselves.

Of course, in order to launch it, you would need to be able to create a large number of groups in Active Directory, so anyone who could create groups in Active Directory or modify the membership of existing groups could launch this attack.

Just my thought.

Andy.



__________________

Music is the soul of life! & IT Management Best-Practices 
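A defender-side check for the token-size problem Andy describes, written for this thread as an added example (not code from any poster): it counts the transitive group SIDs that would land in an account's access token and flags accounts approaching the 1024-SID ceiling. The account list and the warning threshold are assumptions you adjust; it assumes a domain-joined host whose caller can read the listed accounts.

```powershell
# Added example (not from the thread). tokenGroups is a constructed
# attribute holding the transitive group expansion for an account, so it is
# not returned by a normal search and must be requested with RefreshCache.
param(
    [string[]]$SamAccountNames = @('Administrator'),   # accounts to review (assumption)
    [int]$WarnAt = 900                                 # warn this close to the limit (assumption)
)

$MaxSids = 1024
$root    = [adsi]'LDAP://RootDSE'
$domain  = [adsi]"LDAP://$($root.defaultNamingContext)"

foreach ($sam in $SamAccountNames) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
    $result = $searcher.FindOne()
    if (-not $result) { Write-Warning "Account '$sam' not found"; continue }

    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))              # fetch the constructed attribute
    $groupSids = $entry.Properties['tokenGroups'].Count

    # The real token also carries a few well-known SIDs (Everyone,
    # Authenticated Users, the logon session, ...), so treat this as a lower bound.
    $status = 'ok'
    if ($groupSids -ge $WarnAt)  { $status = 'WARN: near the 1024-SID limit' }
    if ($groupSids -ge $MaxSids) { $status = 'OVER LIMIT: logon will fail' }

    [pscustomobject]@{
        Account   = $sam
        GroupSids = $groupSids
        Status    = $status
    }
}
```

Run it periodically against privileged accounts; a sudden jump in GroupSids is also a useful signal on its own, since it means someone created or populated many groups that include those accounts.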



Member

Posts: 5
Date: Jul 3, 2012
What is the most serious security risk to Active Directory?


Rossi,

I think the fact that authenticated users have full read access in the Active Directory is the most serious security risk to Active Directory.

I say this because as a result, just about everyone in the network can, with the right tools, find out who is delegated what permissions in the Active Directory, and then misuse that knowledge to compromise delegated admin accounts or sensitive group memberships, or even delete OUs.

For example, if I could do some basic analysis of Active Directory security permissions with a tool like dsacls and find out that my colleague Larry who sits down the hall has Modify Permissions on the default Users container, I know that he can use that to modify permissions on the Domain Admins group as well, so in order to become a Domain Admin, I only need to compromise Larry's identity.

This information seems scrambled in Active Directory, but with the right tools, can very quickly yield very valuable information that can be used to compromise resources both in Active Directory and protected by it.

Armen.



__________________

لا مصيبة أعظم من الجهل (There is no calamity greater than ignorance)
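The "who has what access" question that Armen, George, Jeremy, Chaitanya and Tom all raise can be checked object by object. The following is an added example written for this thread, not code from any poster: it reads one object's ACL exactly the way any authenticated user can and prints the allow ACEs that grant control-equivalent rights to principals outside a list you expect. The target DN, the rights list and the expected-principal list are assumptions to adjust; it assumes a domain-joined host.

```powershell
# Added example (not from the thread): find unexpected control-equivalent
# grants on a sensitive AD object (here the Domain Admins group by default).
param(
    [string]$Target = ('CN=Domain Admins,CN=Users,' +
                       ([adsi]'LDAP://RootDSE').defaultNamingContext),   # assumption
    [string[]]$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                            '*\Domain Admins', '*\Enterprise Admins')     # assumption
)

# Rights that let the holder take the object over, directly or via its ACL/owner
$Critical = @('GenericAll', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight')

$obj = [adsi]"LDAP://$Target"
$acl = $obj.ObjectSecurity                      # System.DirectoryServices.ActiveDirectorySecurity

foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }

    # ActiveDirectoryRights is a flags enum; keep only the critical ones
    $granted = ($ace.ActiveDirectoryRights.ToString() -split ',\s*') |
               Where-Object { $Critical -contains $_ }
    if (-not $granted) { continue }

    $who = $ace.IdentityReference.Value         # DOMAIN\Name or well-known name
    if ($Expected | Where-Object { $who -like $_ }) { continue }

    # An empty ObjectType means the right applies to the whole object; otherwise
    # it is scoped to one attribute or extended right (e.g. 'member', password reset)
    $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'whole object' } else { $ace.ObjectType.ToString() }

    [pscustomobject]@{
        Object    = $Target
        Principal = $who
        Rights    = ($granted -join ',')
        Scope     = $scope
        Inherited = $ace.IsInherited
    }
}
```

Pointing $Target at an OU, the AdminSDHolder object or a delegated container shows the same thing for those objects; a scoped WriteProperty on the 'member' attribute of a privileged group is as decisive as GenericAll on it.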



Member

Posts: 16
Date: Jul 3, 2012
RE: What is the most serious security risk to Active Directory?


Guys,

I would say that having service accounts that run in Domain Admin context could possibly be the most serious security risk to Active Directory.

Chad.



__________________


Member

Posts: 10
Date: Jul 3, 2012
RE: What is the most serious security risk to Active Directory?


Fellas,

How about the misuse of unconstrained delegation on a domain-joined machine? That could be used to lure and compromise a Domain Admin's account easily, and once you've got Domain Admin creds, well, the rest is up to you! 

George.



__________________

"There is the finest line between data and evidence" - Dale Adams
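To see which machines George's concern applies to, the following added example (not code from any poster) lists computer accounts whose userAccountControl carries the TRUSTED_FOR_DELEGATION bit, i.e. unconstrained delegation. Domain controllers have that bit by default, so they are marked separately and any other host in the output is the one to review. It assumes a domain-joined host and an ordinary authenticated user.

```powershell
# Added example (not from the thread): list hosts configured for unconstrained delegation.
$root = [adsi]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [adsi]"LDAP://$($root.defaultNamingContext)")

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule;
# 524288 (0x80000) is UF_TRUSTED_FOR_DELEGATION in userAccountControl.
$searcher.Filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))'
$searcher.PageSize = 1000                       # page results so large domains are fully enumerated
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('dNSHostName', 'primaryGroupID'))

$searcher.FindAll() | ForEach-Object {
    # Property names in a SearchResult are lower-case; -join '' copes with an absent value
    $pgid = [int]($_.Properties['primarygroupid'] -join '')
    [pscustomobject]@{
        Host               = ($_.Properties['dnshostname'] -join '')
        # 516 = Domain Controllers, 521 = Read-only Domain Controllers (primary group RIDs)
        IsDomainController = ($pgid -eq 516 -or $pgid -eq 521)
    }
} | Sort-Object IsDomainController, Host
```

Any non-DC host that appears is a candidate for constrained delegation (or none), and its computer account is worth treating as Tier 0 until that is fixed.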



Member

Posts: 12
Date: Jul 3, 2012
RE: What is the most serious security risk to Active Directory?


Gentlemen,

I'd say that the exploit involving passing the hash to impersonate a privileged account is one of the most serious risks to Active Directory security, although it can be reliably mitigated by using Authentication Mechanism Assurance, available in Windows Server 2008 R2.

Nicolas.



__________________
Bond: There’s a name to die for! (Die Another Day)


Newbie

Posts: 4
Date: Jan 3, 2013
RE: What is the most serious security risk to Active Directory?


One of the risks we have been dealing with is the risk associated with someone mis-using delegated access rights in the Active Directory to engage in a variety of harmful actions.

For e.g. recently one of our junior admins found out that he accidentally was granted Modify Permissions on one of our OUs, and when he found this out, he used this to first grant himself Full Control over the OU, and then he was able to create additional user accounts in our Active Directory and misuse them to access certain servers.

The only way we found out was by looking at the access logs on these servers, but by then it was too late. We have since embarked on a project to identify and remove all unauthorized access grants in our Active Directory.

Tom.



__________________

When everything's coming your way, you're in the wrong lane.



Newbie

Posts: 4
Date: Jan 3, 2013
RE: What is the most serious security risk to Active Directory?


This is a very interesting question. Based on my experience, I'd say that the inability to obtain clear and reliable insight into who has what powers in Active Directory would be the most serious risk to Active Directory. I say so mostly based on experience, because I've seen quite a few situations wherein a disgruntled tech-savvy insider (e.g. a temp IT contractor) was able to identify and mis-use unauthorized access rights in AD to obtain access to privileged data on some file server. I suppose the size of the problem (1000s of objects) makes it hard to figure this out easily & reliably.



__________________

Build The Bridge.



Newbie

Posts: 4
Date: Oct 8, 2013
RE: What is the most serious security risk to Active Directory?


Until recently, like most organizations, we too believed that one of the most serious risks to Active Directory was the risk posed by the compromise of Domain Admin credentials by using the Pass-the-Hash attack methodology, and of course, we had taken measures to mitigate it.

However, I believe the most serious risk to Active Directory deployments today is Active Directory Privilege Escalation based on the identification and exploitation of excessive access rights in Active Directory domains. This was recently brought to our attention by one of our MCS consultants, and it sounds quite powerful.

Here's a link to a blog that has the details on this risk - http://www.active-directory-security.com/2013/09/Active-Directory-Privilege-Escalation-Top-Cyber-Security-Risk.html

I think it may very well be the most serious risk to Active Directory deployments today.



__________________