Active Directory Security 101

Most companies today rely on Microsoft Active Directory (AD) to keep their operations running. But what exactly is AD? 

AD is, in essence, the gateway connecting employees to their resources on a company network (such as email or network file shares). It is used by administrators to manage the permissions of each user, authenticating them as they log on and determining which resources they can access.  

AD has many benefits. It’s easy to use, has been around for many years, and is extremely reliable. Yet many companies simply don’t know about the security risks that come with it. 

A Brief History of AD 

Prior to AD’s launch in 2000, Microsoft IT directory servers did not scale to adequately support the needs of medium and large enterprises, and so many servers were required. A company of roughly 1,000 people might have needed 200 different servers, for example. 

This was a major pain point for companies. Not only were all these individual servers hard to manage, each requiring its own login credentials, but because they could not easily communicate with each other, activities such as file sharing were also difficult.

AD solved this challenge. Integrating easily with applications and providing single sign-on capabilities across an entire business environment, it transformed the network experience, quickly becoming ubiquitous. 

Its prevalence has not changed in two decades. Rather than fading away, this almost quarter-century-old technology is now more important than ever, acting as the foundation for most cloud identity systems used by enterprises globally.

However, while AD is still essential for most organisations worldwide, it has also become a security liability.  

Why AD is a Problem Today 

AD is vulnerable for several reasons.  

First, it wasn’t designed to deal with complex security threats. It was released in an era before ransomware, sophisticated nation-state-backed cyber outfits, and the widespread adoption of cloud computing. It’s a technology from a different time, and therefore can’t effectively confront many of the advanced threats we face today.

Secondly, AD was designed to be open to facilitate ease of use. It trusts those users logged into a network in order to prioritise a seamless user experience. Yet this openness today is a tricky challenge for defenders, presenting few barriers to successful infiltrators. 

Thirdly, its age means that, in many cases, it has harboured 20-plus years of poor security decisions originally made for expediency’s sake that have accumulated to create a massive target that even amateur attackers would struggle to miss. 

It is for this reason that roughly 90% of all businesses are exposed to security breaches as a result of AD vulnerabilities, and nine in 10 of all cyberattacks involve AD in some way.  

Such statistics are truly frightening, and so is the simplicity of the attack methods used to target AD. Let’s look at the process step by step… 

  1. An attacker compromises a PC through phishing – The attacker sends a fraudulent message or email designed to trick the target into revealing sensitive information, such as their AD login credentials.
  2. They then work to gain privileges on that local machine – Attackers can elevate their privileges on the machine in a variety of ways, exploiting vulnerabilities on the device.
  3. They use AD to find other devices – The attackers then use AD to find other computers, mapping out all the machines connected to and used within that network.
  4. Next, attackers home in on more devices – From here, attackers move around the network conducting hard-to-detect reconnaissance, attacking many machines to find one that has AD administrator rights.
  5. And finally they secure access to a privileged account – Eventually they obtain the credentials of a privileged or admin account. Once they have that, they have full control of AD and everything that depends on it.

One example of a popular AD attack is the so-called Golden Ticket attack. We’re all familiar with the golden ticket in the Roald Dahl novel Charlie & the Chocolate Factory. In the digital world, Golden Tickets also provide access to your organisation’s IT environment. A Golden Ticket attack gives threat actors unfettered access to networked resources and the ability to reside on networks indefinitely, disguised as credentialed administrator-level users.  

Outlining the Threat 

AD is not simply a problem because it is easy to attack. Equally, the rewards for attackers are significant. 

AD essentially holds the keys to your kingdom. Picture a safe where you store the physical keys to your office—AD is just like that safe. It is the central hub of access to your critical systems—your computers, software applications, and other resources.  

It is dangerous because it is both simple and lucrative. In 2021, one company paid a ransom of up to $40 million to get access back to its network.  

At the same time, the barriers to entry for attackers are lowering. Thanks to a booming ransomware-as-a-service (RaaS) market, they no longer need to be technically savvy. Instead, they simply purchase tools and services from those who are. 

It is a devastating cycle. The rewards for attackers are increasing while the technical knowledge needed continues to drop, exponentially widening the attack landscape.  

It is therefore easy to see why International Data Corporation’s 2021 Ransomware Study recently revealed that more than a third (37%) of global organisations were the victim of a ransomware attack in 2021. Indeed, the odds are firmly tilted in the attackers’ favour.

How Can Companies Respond? 

Companies must respond to turn this rising tide. 

To minimize your vulnerabilities, you first need to know where you are vulnerable. For many companies, trying to gain this understanding can feel overwhelming—especially for those with little to no knowledge of cybersecurity. However, rest assured, there are solutions and support available to help.  

Purple Knight is a good starting point. A free Active Directory security assessment tool built and managed by a leading group of Microsoft identity experts, it can help you to spot weak points in your Active Directory before attackers do, highlighting common vulnerabilities that should be addressed. 

A full range of potential vulnerabilities is listed in the latest Purple Knight report. But for starters, some common examples include:

  • Configuration drift – Configuration drift is the result of years of poor AD practices. Apps need to be configured in AD to work, but this takes time. A quick solution to this is to give too many administrative rights to the application—something that companies have done historically, wanting to get their shiny new tool up and running ASAP. As a result, administrative accounts start accumulating in AD. Yet it just takes one of these to be attacked for catastrophic consequences to ensue.
  • Legacy admin accounts – Legacy admin accounts pose similar issues. They are skeletons in the closet. If an attacker manages to access these privileged accounts, then they will come back to haunt you.
  • Weak or common passwords – Attackers will also still try to access multiple accounts by trying a range of commonly used passwords. This is known as password spraying—a technique that can easily be thwarted by eliminating the use of weak or common passwords in your network.
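As an added example, not taken from the article or from Purple Knight, the following PowerShell audit surfaces the kind of legacy and over-privileged admin accounts described in the first two bullets: accounts that sit in privileged groups but are disabled, stale, or configured with passwords that never expire. It assumes the RSAT ActiveDirectory module is installed; the group list and the 90-day staleness threshold are assumptions you should adjust to your environment.

```powershell
# Added example (not from the article): audit privileged AD group membership for
# stale or over-privileged accounts. Requires the RSAT ActiveDirectory module and
# read access to the domain. Group names and thresholds below are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so indirectly privileged users are included too.
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        # LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag
        # of up to 14 days; that is precise enough to spot accounts unused for months.
        $User = Get-ADUser -Identity $Member.distinguishedName `
            -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled, ServicePrincipalName

        $Reasons = @()
        if (-not $User.Enabled) { $Reasons += 'disabled but still privileged' }
        if (-not $User.LastLogonDate -or $User.LastLogonDate -lt $Cutoff) { $Reasons += "no logon in $StaleDays days" }
        if ($User.PasswordNeverExpires) { $Reasons += 'password never expires' }
        if ($User.PasswordLastSet -and $User.PasswordLastSet -lt (Get-Date).AddYears(-1)) { $Reasons += 'password older than one year' }
        if ($User.ServicePrincipalName) { $Reasons += 'service account (has SPN) holding admin rights' }

        if ($Reasons.Count -gt 0) {
            [PSCustomObject]@{
                Group          = $Group
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                LastLogonDate  = $User.LastLogonDate
                Findings       = ($Reasons -join '; ')
            }
        }
    }
}

# Every row is a candidate for removal from the group, disabling, or a password reset.
$Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Running this periodically and acting on each row is one practical way to stop the accumulation of admin accounts that the configuration-drift bullet describes.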

Of course, identifying and addressing these vulnerabilities is just a small part of the puzzle. To effectively combat the growing threat of cybercrime on a long-term basis, organisations need to actively adopt a range of best practices.  

These can include anything from conducting regular internal security audits and making succinct operational improvements to delivering regular staff training on phishing and investing in recovery processes to ensure a quick rebound should an attack take place.  

For support or guidance in developing a strong defence across the board, it is worth consulting dedicated professionals specialising in AD security to understand the core changes that you need to be making.

Active Directory attacks are no longer a question of if but when. If companies address their critical AD vulnerabilities, they stand a fighting chance. If not, they will continue to be sitting ducks primed to face the worst possible outcomes.

About the author

Sean Deuby

Sean Deuby brings 30 years’ experience in Enterprise IT and Hybrid Identity to his role as Director of Services at Semperis. An original architect and technical leader of Intel's Active Directory and Texas Instruments’ Windows NT network, and a 15-time MVP alumnus, Sean has been involved with Microsoft identity technology since its inception. His experience as an identity strategy consultant for many Fortune 500 companies gives him a broad perspective on the challenges of today's identity-centered security. Sean is also an industry journalism veteran; as former technical director for Windows IT Pro, he has over 400 published articles on Active Directory, Azure Active Directory and related security, and Windows Server. He has presented sessions at multiple CIS / Identiverse conferences.