Active Directory is one of the most undervalued and overlooked components of the Windows enterprise. Many administrators view it as "just there taking care of itself" without a lot of security oversight. Still, there are certain Active Directory security issues that you want to make sure to get your arms around.
At a high level, one thing that often stands out to me is the lack of minimal security procedures and standards documentation outlining the technologies used to minimize business risks – including Active Directory. But there's more to it than what high-level audits would uncover. I've seen many cases where each and every administrator has equal access into the system regardless of their job or responsibilities.
Little to no delegation via security groups in Active Directory can create some pretty serious problems with separation of duties among staff members. This isn't a major problem for small shops with one or two people, but for larger enterprises where multiple people – sometimes teams – have their hands in the pie, one can imagine how such a lack of accountability could lead to all sorts of business risks.
There's also the issue of minimal use of one-way trusts between disparate forests. For instance, when a network starts out small and then evolves, sometimes there is no one who has the time to step back and rework the configuration. In such a case, one side effect can be an untrusted DMZ forest that trusts the local forest. I've seen certain situations with critical internal networks (such as R&D and even law enforcement networks) that coexist with a larger Active Directory structure. In these situations, if any one part of the network is compromised via a missing patch, misconfiguration, or even a weak password, then everything's put at risk.
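The two weaknesses just described, flat administrative access and loosely reviewed forest trusts, can be inventoried from a domain-joined workstation. The script below is an added example, not from the article; it assumes the RSAT ActiveDirectory PowerShell module and an account with ordinary read access to the directory.

```powershell
# Added example (not the article's own code): enumerate who effectively holds
# domain-wide admin rights and which external trusts extend that risk.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# 1. Effective membership of the privileged groups. -Recursive expands nested
#    groups, so an account tucked inside a group inside Domain Admins is not missed.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$admins = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
}
$admins | Sort-Object Group, Account | Format-Table -AutoSize
$distinct = @($admins.Account | Sort-Object -Unique).Count
"{0} distinct accounts hold domain-wide administrative rights" -f $distinct

# 2. External trusts. Direction is from this domain's point of view:
#    Outbound means this domain trusts the partner (its users can authenticate
#    here); BiDirectional means both. A DMZ or other low-trust forest appearing
#    here with Outbound/BiDirectional and SelectiveAuthentication = False is the
#    configuration the article warns about.
Get-ADTrust -Filter * |
    Where-Object { -not $_.IntraForest -and $_.Direction -in 'Outbound', 'BiDirectional' } |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, TrustType |
    Format-Table -AutoSize
```

Review the second table against your network diagram: a trust that nobody can explain is exactly the "nobody had time to rework it" case described above, and SelectiveAuthentication is the built-in way to narrow an external trust that does have to stay.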
Speaking of passwords…
They might seem trite on the surface, but passwords should still be a serious security consideration. All it takes to compromise your entire user base is one weak password on an account with administrative rights. Those credentials can then be used in a remote attack to harvest all other Active Directory password hashes that are stored in memory on a domain controller. It's easily accomplished, too, by someone maliciously using a tool such as Proactive Password Auditor. Once the internal attacker has the hashes, it's just a matter of time before he or she can crack pretty much every password. LAN Manager (LM) hashes stored in Active Directory are particularly simple to crack, especially when using the rainbow cracking methodology I covered in Hacking For Dummies.
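From the defender's side, the exposure described above comes down to three settings: the effective password policy, accounts exempted from it, and whether domain controllers still store LM hashes at all. The following is an added example, not the author's code; it assumes the RSAT ActiveDirectory module and WinRM access to each domain controller for the registry check.

```powershell
# Added example (not from the article): check the password-related settings that
# decide how cheap the hash-cracking scenario above is. Assumes the RSAT
# ActiveDirectory module; the last step needs WinRM (Invoke-Command) to each DC.
Import-Module ActiveDirectory

# Domain-wide policy. Length, complexity and lockout are what stand between a
# weak administrative password and everything that follows from it.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  LockoutThreshold, PasswordHistoryCount

# Fine-grained policies silently override the default for the groups they
# apply to; a weaker one applied to service or admin accounts is easy to miss.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo

# Accounts exempt from the policy or never rotating. AdminCount=1 marks accounts
# that are (or were) members of protected groups, so sort those to the top.
Get-ADUser -Filter { PasswordNotRequired -eq $true -or PasswordNeverExpires -eq $true } `
           -Properties PasswordNotRequired, PasswordNeverExpires, AdminCount |
    Select-Object SamAccountName, PasswordNotRequired, PasswordNeverExpires, AdminCount |
    Sort-Object AdminCount -Descending | Format-Table -AutoSize

# LM hash storage and NTLM level on every DC. NoLMHash=1 stops new LM hashes
# from being written, but an existing LM hash survives until that account's
# password is changed. LmCompatibilityLevel=5 refuses LM and NTLMv1 on the wire.
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        DC                   = $env:COMPUTERNAME
        NoLMHash             = $lsa.NoLMHash
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel
    }
} | Format-Table -AutoSize
```

After turning NoLMHash on, force or schedule a password change for every account so that the stored LM hashes actually disappear; the setting alone does not remove them.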
Another common Active Directory security weakness involves minimal use of third-party tools that help manage security well beyond the built-in Microsoft components. While this doesn't pose a direct threat, it does create scenarios where you may not have the right tools to do your job effectively. There are lots of Active Directory-centric tools that can help in a variety of areas. Some examples include:
- Backup and restore (Active Administrator from ScriptLogic Corp.)
- Monitoring and reporting (Audit for Active Directory from NetVision Inc.)
- Change management (Change Guardian for Active Directory from NetIQ Corp.)
- Cleanup (Active Directory Janitor from Special Operations Software Inc.)
- Security analysis (DSRAZOR for Windows from Visual Click Software Inc.)
- Real-time security control and insight (UserLock from IS Decisions)
Interestingly, I also see minimal use of even the most basic Group Policy Objects (GPOs) to lock things down. You can leverage everything from audit policies to password policies to wireless policies and beyond to manage Windows environments more effectively. I think this lapse stems from the lack of time and resources on the part of Windows administrators who are just too busy putting out fires. I also think it's a result of the limited adoption of Windows security standards, such as the Center for Internet Security's Windows Server 2003 Domain Controller benchmark and the Department of Defense's Active Directory Security Technical Implementation Guide. I'm not a strong believer that hardening standards and best practices are all you need to lock down Active Directory, but they certainly have their place.
I've also seen a disconnect between the "main" Active Directory system on many networks and ancillary Active Directory tie-ins from web sites and applications that use basic or NTLM authentication. Both administration and maintenance tend to lag behind because neither the developers who manage it nor the administrators who initially configured it (or vice versa) take full responsibility for its upkeep.
Finally, I often see auditors and penetration testers looking at Windows systems only as untrusted users (i.e., not logged in). Note that there's a lot of value in running vulnerability scanning tools, such as Qualys and GFI LANguard, with administrator login credentials.
As I have previously outlined, testing for security flaws on Windows domain controllers isn't all that different than on any other system, but it'll certainly pay to dig into these systems as deeply as possible (within reason). You'll undoubtedly find issues with Active Directory, and other Windows components, that you never thought about or would ever have found until too late and they had already been exploited.
Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blogs providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.
This was first published in April 2009