To Secure Active Directory, Think Like an Attacker
Craig Birch, a Technology Evangelist and Principal Security Engineer at Cayosoft, shares his take on how companies can secure their Active Directory solutions by thinking like a cyber-criminal. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.
Microsoft Active Directory (AD) and its cloud counterpart Entra ID form the identity management backbone for over 90 percent of large organizations. AD functions as the ‘keys to the kingdom,’ with centralized control of critical resources, making it an irresistible target for cyber-criminals. Many ransomware incidents involve compromising AD to gain widespread access to an organization’s systems and data. Despite its pivotal role in controlling access to sensitive resources, AD is often overlooked in security strategies.
To secure AD and Entra ID environments, IT professionals must adopt an attacker’s perspective, anticipating the likely exploits and fortifying defenses accordingly. This matters because identity-related security incidents are on the rise: compromised credentials or identity infrastructure played a part in many high-profile cyber-attacks, including the SolarWinds breach, the Colonial Pipeline ransomware attack, and the recent Toyota data leak.
According to the IDSA 2024 Trends in Identity Security Report, 84 percent of identity stakeholders reported that identity-related incidents directly impacted their business – a significant increase from 68 percent in 2023. By thinking like adversaries, security teams can proactively identify and address AD and Entra ID vulnerabilities to safeguard organizations’ most critical assets.
Taking on the Attacker’s Mindset
Attackers want elevated privileges and aim for the easiest target with the least amount of effort. So, security teams should ask themselves: What’s the quickest attack pathway that leads to the most privileges? The answer is often Active Directory and Entra ID. This is due to the immense level of access these systems provide and the fact that they are usually managed by infrastructure teams and are thus overlooked by security teams.
Once inside, attackers focus on lateral movement and rapid privilege escalation. They also target legacy systems, hunting for stale credentials cached on outdated machines and left behind in old scripts. Hybrid AD environments make this especially effective, because a credential or token stolen on-premises can often be replayed against the cloud tenant, and vice versa, so security teams need a complete picture of both environments to anticipate these moves.
Mapping the Attack Surface of Active Directory and Entra ID
AD and Entra ID are inherently vulnerable due to their default configurations and the complex interplay between on-premises and cloud environments. Neither system is secure by default, exposing organizations to various attack vectors.
In AD environments, attackers frequently exploit weak passwords, forge Kerberos tickets (Golden Ticket attacks use the krbtgt account’s secret, Silver Ticket attacks use a service account’s secret), and abuse misconfigured Active Directory Certificate Services templates to escalate privileges. Hybrid attacks that bridge on-premises and cloud environments pose a significant threat, while delegation misconfigurations and writable attributes on sensitive objects can lead to unintended privilege escalation.
Password-based attacks remain prevalent for Entra ID, but security token theft and manipulation have become more common. Illicit consent grant attacks exploit OAuth 2.0 permissions, while malicious Entra ID applications can be used to gain unauthorized access. Cross-tenant attacks targeting multi-tenant environments and hybrid identity scenarios present unique challenges that span both AD and Entra ID infrastructures.
Unmasking Active Directory and Entra ID Misconfigurations
AD and Entra ID environments are exposed to over 270 potential attack pathways that can leave organizations vulnerable. The complexity of user accounts, computer accounts, and permissions within AD creates ample opportunities for misconfigurations, and attackers often start with the ones that are most frequently overlooked. Here are a few of the most common:
- The “Account is sensitive and cannot be delegated” flag (NOT_DELEGATED in userAccountControl) is not set by default. It has to be enabled manually on privileged accounts, or those accounts have to be placed in the Protected Users group, and AD administrators frequently overlook both. Without it, a privileged account that authenticates to a host configured for unconstrained delegation leaves a reusable ticket behind for an attacker who controls that host.
- The “password not required” flag (PASSWD_NOTREQD in userAccountControl) exempts an account from the domain password policy and allows an empty password. It is often set by provisioning scripts or migrations and never cleared, and it undermines any MFA or password control layered on top of the account.
- The AdminSDHolder object holds the security descriptor that the SDProp process copies, every 60 minutes by default, onto protected accounts and groups such as Domain Admins, Enterprise Admins and Administrators (the objects marked with adminCount=1). An attacker who adds a permission entry to AdminSDHolder gets it re-applied to every protected principal automatically, a quiet and durable form of persistence that grants complete control over AD and potentially any resource that trusts it.
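As an added example (this is not code from the article or from Cayosoft), the following PowerShell script audits the three misconfigurations above, plus unconstrained delegation, with the RSAT ActiveDirectory module. It is read-only and runs on any domain-joined host as a user with read access to the directory; the function name and the output layout are assumptions for illustration.

```powershell
# Added example, not code from the article: read-only audit of overlooked AD
# misconfigurations using the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bit flags (values from the userAccountControl reference)
$PASSWD_NOTREQD         = 0x0020     # "Password not required"
$TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained Kerberos delegation
$NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"

# LDAP bitwise-AND matching rule, so the flag test runs on the domain controller
$BitAnd = '1.2.840.113556.1.4.803'

function Invoke-AdQuickAudit {   # name is an assumption
    $domain = Get-ADDomain
    $protectedUsersDn = (Get-ADGroup -Identity 'Protected Users' -Properties Member).Member

    # 1. Accounts that are allowed to have an empty password
    $passwordNotRequired = Get-ADUser -Properties PasswordLastSet -LDAPFilter "(userAccountControl:${BitAnd}:=$PASSWD_NOTREQD)" |
        Select-Object SamAccountName, Enabled, PasswordLastSet

    # 2. Protected (adminCount=1) accounts that can still be delegated:
    #    NOT_DELEGATED is clear and the account is not in Protected Users
    $delegatableAdmins = Get-ADUser -LDAPFilter "(&(adminCount=1)(!(userAccountControl:${BitAnd}:=$NOT_DELEGATED)))" |
        Where-Object { $protectedUsersDn -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, Enabled

    # 3. Computers trusted for unconstrained delegation that are not domain
    #    controllers (primaryGroupID 516 = Domain Controllers, 521 = read-only DCs)
    $unconstrained = Get-ADComputer -LDAPFilter "(&(userAccountControl:${BitAnd}:=$TRUSTED_FOR_DELEGATION)(!(primaryGroupID=516))(!(primaryGroupID=521)))" |
        Select-Object Name, DNSHostName

    # 4. AdminSDHolder ACL: every Allow entry that grants write-class rights.
    #    Some defaults will appear (SYSTEM, Administrators, Domain Admins,
    #    Enterprise Admins, SELF, Cert Publishers on certificate attributes);
    #    any other trustee is a persistence candidate and needs an explanation.
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight'
    $holderAcl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $holderWriters = $holderAcl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $writeMask) -ne 0 } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited

    [pscustomobject]@{
        PasswordNotRequired     = $passwordNotRequired
        DelegatableAdmins       = $delegatableAdmins
        UnconstrainedDelegation = $unconstrained
        AdminSDHolderWriters    = $holderWriters
    }
}

$audit = Invoke-AdQuickAudit
'--- Password not required ---';      $audit.PasswordNotRequired     | Format-Table -AutoSize
'--- Delegatable admins ---';         $audit.DelegatableAdmins       | Format-Table -AutoSize
'--- Unconstrained delegation ---';   $audit.UnconstrainedDelegation | Format-Table -AutoSize
'--- AdminSDHolder write access ---'; $audit.AdminSDHolderWriters    | Format-Table -AutoSize
```

The delegation check deliberately treats Protected Users membership as equivalent to the flag, since that group blocks delegation as well; a privileged account that appears in the second table has neither control. Schedule the script rather than running it once, because a single AdminSDHolder entry added after the audit is all an attacker needs.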
Active Directory is complicated—it’s simply not feasible to bulletproof 270 potential attack pathways, especially when security posture isn’t static. While threat assessments are crucial, they’re not a comprehensive solution when done sporadically. Infrequent assessments provide only a snapshot in time, potentially lulling organizations into a false sense of security. Identity Threat Detection & Response (ITDR) and Identity Posture Management enable organizations to move beyond periodic assessments and implement a continuous monitoring approach to identify the vulnerabilities that Endpoint Detection and Response (EDR) tools may miss.
Passwords Matter
MFA should be the cornerstone of every defense strategy. The principle of least privilege should also be implemented to ensure users have only the access necessary for their roles, and just-in-time and just-enough access controls should be established and closely monitored.
That said, given the rise in credential attacks, prioritizing password health across the organization is a must. According to the 2024 IBM X-Force Threat Intelligence Index, attacks using stolen or compromised credentials rose 71 percent year over year.
While MFA provides an essential layer of security, it is not a silver bullet. Previous breaches have shown that MFA can be bypassed through social engineering and session hijacking, and accounts with weak or compromised passwords make these techniques far more likely to succeed. Attackers also focus on service accounts in AD and on non-human identities in Entra ID, such as service principals, to which interactive MFA does not apply.
To strengthen defenses beyond MFA, organizations should consider specialized tools that can pinpoint areas where weak, previously breached, or commonly used passwords are being used within their infrastructure.
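As an added example (not code from the article or from Cayosoft), this PowerShell script performs the kind of password-health check described above with the open-source DSInternals module, comparing every account’s NT hash offline against a breached-password list and flagging accounts that share a password. DSInternals reads account secrets over the directory replication protocol, so the script needs DCSync-level rights, must run from a hardened admin workstation, and will appear in the domain controllers’ logs as a replication request from a non-DC, the same signature detection rules use for DCSync; tell the SOC before running it. The server name, file paths and report property names are assumptions (check them with Get-Member if your module version differs).

```powershell
# Added example, not code from the article: offline password-health audit with
# DSInternals (Install-Module DSInternals). Requires replication rights.
Import-Module DSInternals

$dc             = 'dc01.corp.example'                                        # assumed DC name
$breachedNtlm   = 'C:\Audit\pwned-passwords-ntlm-ordered-by-hash-v8.txt'    # HIBP NTLM list, sorted by hash
$corporateWords = 'C:\Audit\corporate-wordlist.txt'                         # company name, products, seasons, etc.

# Pull every account, including disabled ones (attackers re-enable them), and
# test in memory so the hashes are never written to disk.
$report = Get-ADReplAccount -All -Server $dc |
    Test-PasswordQuality -WeakPasswordHashesSortedFile $breachedNtlm -WeakPasswordsFile $corporateWords -IncludeDisabledAccounts

# Findings grouped by problem; property names are those of the DSInternals
# PasswordQualityReport object (assumed here, verify with $report | Get-Member).
$findings = [ordered]@{
    'Empty password'          = $report.EmptyPassword
    'Password in breach list' = $report.WeakPassword
    'Password never expires'  = $report.PasswordNeverExpires
}
foreach ($f in $findings.GetEnumerator()) {
    '{0,-26} {1,5}' -f $f.Key, @($f.Value).Count
}

# Shared passwords: each group is a set of accounts whose NT hashes are identical.
# A service account that shares a password with a human account is a lateral-movement path.
$i = 0
foreach ($group in $report.DuplicatePasswordGroups) {
    $i++
    "Duplicate password group ${i}: $($group -join ', ')"
}
```

Report counts, not passwords, and treat the account lists themselves as sensitive: a list of users with breached passwords is exactly the target list an attacker wants. Reset the affected accounts through the normal help-desk process and re-run the audit after each breach-list update.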
Assessing identity infrastructure through the eyes of an attacker is a continuous effort. By implementing these defensive tactics, organizations can significantly enhance the security posture of their Microsoft environments. Adopting an attacker-centric approach to securing AD and Entra ID is more than a best practice—it’s a path to safeguarding an organization’s most valuable assets.