Assessing Active Directory Security During Times of Transition
Organizations are experiencing dramatic changes in the way they do business; this is a new reality. During these turbulent times of layoffs, furloughs, and remote work, the workload on IT security administrators has increased significantly: offboarding users, onboarding new users, modifying access privileges, handling remote access requests, and responding to the rise in phishing attacks from COVID-19 opportunists. All of these changes to the IT environment, compounded by IT teams working remotely and potentially short-staffed, increase an organization's network security exposure. Accounts of laid-off users may not be disabled in a timely manner, inappropriate access may be granted, vendor personnel accounts may not be disabled, user accounts may be shared inappropriately, and system changes may be made without documentation or approval. These are just some of the things that can go wrong. Internal Audit should consider performing a network security review during these times of transition as a safeguard to protect the organization's investment in systems, intellectual property, and data. The following are some key areas to consider when performing a network security review.
Microsoft Active Directory (AD) is the primary directory service utilized by a majority of organizations worldwide. Active Directory allows IT administrators to manage users, security, applications, and data across the organization's networks. As organizations have become increasingly reliant on computer systems and electronic data, securing those systems has become even more critical. An attacker, either internal or external, that breaches the AD defenses of an organization can potentially gain access to user accounts, databases, applications, and data, including sensitive data.
While Active Directory comes with some pre-defined default security configurations, these settings can be tweaked to allow for stronger and more proactive security of the network environment. This article walks the IT auditor through a few key areas to consider during an Active Directory security audit.
Network Topology – Sometimes, you just need a map. The first step to auditing Active Directory is to understand what you are auditing. A network topology helps the auditor to understand the environment. How many sites? How many countries? Where are the Domain Controllers? Is Active Directory replicated over firewalls? Are there trust relationships between domains in the forest, or with other forests? Obtaining this essential information early in the audit process is key to the planning process. At a minimum, the auditor should request:
Locations of sites
Number of users
Names of all domains
Locations of all Domain Controllers (by domain)
Organizational Units (in each domain)
Internal and External trust relationships
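One way to collect the inventory requested above, as an added example that is not part of the original article: it assumes the RSAT ActiveDirectory PowerShell module and read access to each domain in the forest.

```powershell
# Added example (not from the article): collect the baseline inventory listed
# above (sites, user count, domains, DCs, OUs, trusts) for the audit file.
# Assumes the RSAT ActiveDirectory module and read access to each domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest: $($forest.Name)   Domains: $($forest.Domains -join ', ')"

# Sites, and the subnets assigned to them (the closest thing AD holds to a location)
Get-ADReplicationSite -Filter * | Select-Object Name, Description | Format-Table -AutoSize
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site, Location | Format-Table -AutoSize

foreach ($domain in $forest.Domains) {
    "==== Domain: $domain ===="

    # User population; the enabled count matters more than the raw total
    $users = Get-ADUser -Server $domain -Filter * -Properties Enabled
    "Users: $(@($users).Count) total, $(@($users | Where-Object Enabled).Count) enabled"

    # Domain controllers by domain, with site, global catalog/RODC status and FSMO roles
    Get-ADDomainController -Server $domain -Filter * |
        Select-Object HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly,
            @{ n = 'FSMORoles'; e = { $_.OperationMasterRoles -join ',' } } |
        Format-Table -AutoSize

    # Organizational units in this domain
    Get-ADOrganizationalUnit -Server $domain -Filter * |
        Select-Object DistinguishedName | Format-Table -AutoSize

    # Internal (intra-forest) and external trusts; SID filtering matters for external ones
    Get-ADTrust -Server $domain -Filter * |
        Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive, SIDFilteringQuarantined |
        Format-Table -AutoSize
}
```

Run it with an account that can read every domain; in a multi-domain forest a trust that blocks cross-domain reads will itself show up as a gap in the output.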
Domain Admins Group – Over the years, we have seen many clients with too many users in the Domain Admins group. This level of access is extremely powerful and carries admin rights on every domain-joined system. There should be no daily-use accounts in the Domain Admins group. All personnel requiring Domain Admin or near-Domain Admin privileges should have a separate account used only for administrative purposes, and a daily-use account for routine activities. This is based on a least-privilege model. We highly recommend that any Domain Admin level accounts are kept locked, and only unlocked temporarily, for a pre-defined duration, when administrative tasks are required. Hackers seek this level of access, and the less prevalent such access is, the considerably harder it is for them to obtain it. We also recommend this for the Enterprise Admin, Schema Admin, and Backup Admin groups.
A word of caution: if the auditor is recommending that the client begin removing accounts, make sure to strongly recommend that they first research the purpose of each account, who has access to it, and what may stop working if the account is no longer available. Remember, things can break. Once the research is complete, IT administration should consider disabling the account for a while before removing it.
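The membership review described in the two paragraphs above, as an added example that is not part of the original article: it expands nested membership and flags the conditions an auditor would question. It assumes the RSAT ActiveDirectory module, read access to the domain, that the built-in group called "Backup Admin" above is Backup Operators, and a naming convention (an "adm-" prefix) for dedicated admin accounts.

```powershell
# Added example (not from the article): enumerate the privileged groups named
# above, expanding nested membership, and flag risky members.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Default built-in group names; adjust for renamed or localized groups
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Backup Operators'
$staleAfter = (Get-Date).AddDays(-90)   # assumed threshold for "no recent logon"

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive flattens nested groups so indirect members are not missed
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') { continue }   # computers and gMSAs are reviewed separately
        $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires

        $flags = @()
        if (-not $u.Enabled)         { $flags += 'Disabled' }
        if ($u.PasswordNeverExpires) { $flags += 'PasswordNeverExpires' }
        if ($u.LastLogonDate -and $u.LastLogonDate -lt $staleAfter) { $flags += 'NoRecentLogon' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
            $flags += 'PasswordOlderThan1Year'
        }
        # Admin accounts should be dedicated; a name without the assumed "adm-"
        # marker may be a daily-use account that also carries admin rights
        if ($u.SamAccountName -notmatch '^adm-') { $flags += 'PossibleDailyUseAccount' }

        [pscustomobject]@{
            Group           = $group
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Flags           = ($flags -join ';')
        }
    }
}

# Review on screen and keep a CSV as audit evidence
$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$findings | Export-Csv -Path '.\privileged-group-members.csv' -NoTypeInformation
```

Members flagged NoRecentLogon or PossibleDailyUseAccount are the candidates for the research step above, not for immediate removal.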
Domain Administrator Account – The Administrator account is a default Microsoft account and, by default, a member of the Domain Admins group. Too many times, we see IT functions where too many personnel have access to this account. This shared-account strategy diminishes traceability of who performed which administrative activities, even if logging is enabled. This account is a prime target for malicious intruders. It should only be used for initial configuration and disaster recovery purposes. The account password should be set to a very long, complex value, not shared with others, and securely locked away, to be accessed only in a critical emergency requiring recovery. Setting up individual accounts for those users requiring Domain Admin privileges provides traceability of which personnel performed specific administrative activities.
Audit Policy Settings – IT functions typically have Windows auditing turned on, but only with baseline configurations. The auditor should review these settings against the organization's security and hardening standards and against Microsoft's best practice recommendations or other reputable guidance. Where exposures in the log configuration and log retention are identified, recommendations should be made to reconfigure the logging policy settings. The auditor should note that Windows log files have a maximum size; on networks with considerable activity, the logs may not meet recommended retention periods.
Monitoring Security Event Logs – The auditor should identify whether the logs are captured and used. IT systems create a tremendous amount of data, and manual review of all log events is not reasonable or even possible in many instances. Routinely reviewing the logs can give early warning of a potential issue or attack. A policy should be in place to define how logs are reviewed, how often, and at what granularity. Security information and event management (SIEM) tools and other log analysis tools make ongoing event log monitoring easier. Still, proper upfront planning of configurations is vital. Key events that auditors should ensure are being monitored include:
Modifications to privileged groups (Domain Admins, Enterprise Admins, Schema Admins)
Activities performed by privileged accounts
Account lockouts
Logon Successes/Failures
Logon Failures due to bad passwords
Members added to groups/Members removed from groups
Audit log was cleared
System time was changed
A registry value was changed
An attempt was made to install a service
A computer account was deleted
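A spot check of whether the events listed above are actually being recorded, as an added example that is not part of the original article: it pulls the corresponding Windows Security event IDs from every domain controller for the last 24 hours. It assumes the RSAT ActiveDirectory module, remote event log access to each DC, and that the matching audit subcategories are enabled (otherwise nothing is logged and the check itself is the finding).

```powershell
# Added example (not from the article): pull the events listed above from the
# Security log of every domain controller for the last 24 hours.
# Assumes the RSAT ActiveDirectory module and remote event log access to each DC.
Import-Module ActiveDirectory

# Windows Security event IDs corresponding to the monitored events
$watchedEvents = @{
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
    4729 = 'Member removed from global security group'
    4733 = 'Member removed from local security group'
    4757 = 'Member removed from universal security group'
    4740 = 'Account locked out'
    4624 = 'Logon success'
    4625 = 'Logon failure'
    1102 = 'Audit log cleared'
    4616 = 'System time changed'
    4657 = 'Registry value modified'
    4697 = 'Service installed'
    4743 = 'Computer account deleted'
}
# Groups whose membership changes warrant immediate attention
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$since = (Get-Date).AddHours(-24)

$dcs = (Get-ADDomainController -Filter *).HostName
$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = [int[]]$watchedEvents.Keys; StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when no events match; report and move on
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

$report = foreach ($e in $events) {
    # 4625 with sub status 0xC000006A is "wrong password"; separate it from other failures
    $desc = $watchedEvents[$e.Id]
    if ($e.Id -eq 4625 -and $e.Message -match '0xC000006A') { $desc = 'Logon failure (bad password)' }
    $priv = ($e.Id -in 4728,4732,4756,4729,4733,4757) -and
            ($privilegedGroups | Where-Object { $e.Message -match [regex]::Escape($_) })
    [pscustomobject]@{
        Time = $e.TimeCreated; DC = $e.MachineName; Id = $e.Id
        Event = $desc; PrivilegedGroup = [bool]$priv
    }
}
$report | Sort-Object Time -Descending | Format-Table -AutoSize
```

On busy DCs the 4624 volume is large, so add -MaxEvents or drop 4624 from the list once successful logons are confirmed to reach the SIEM; a DC that returns nothing for 4624 and 4625 over 24 hours almost certainly has logon auditing off.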
Passwords – How secure is that password on a sticky note? Many corporate security policies still require the standard eight-character password with complexity. The June 2017 release (and subsequent 2019 update) of the National Institute of Standards and Technology (NIST) Digital Identity Guidelines (Special Publication 800-63) provides guidance, specifically for federal agencies, on identity frameworks, authenticators, credentials, and federated assertions. In summary, these password guidelines look different from traditional practices: an eight-character minimum with a 64-character maximum length; allowance for all ASCII characters with no complexity requirements; no password expiration and no password hints; no SMS two-factor authentication; and a blacklist of known passwords. This approach rests on the premise that frequent changes and complexity requirements push users toward less-than-optimal password behaviors and increase the risk of compromise. NIST's recommendations guide the user to set lengthy, random, not-meaningful, yet easily memorable passphrases, for example, guitarbucketleftvansurferTucson87. While these recommendations are a leading practice and primarily required only of federal agencies, auditors should ensure that the Active Directory password policy meets or exceeds the organization's security policy.
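The policy comparison described above, as an added example that is not part of the original article: it reads the domain's default password policy, compares it with an assumed organizational baseline (substitute the organization's own values), and lists fine-grained password policies, which replace the default for the users or groups they target and are easy to miss in an audit. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the article): compare the domain's default password
# policy against an assumed organizational baseline, and list any fine-grained
# policies (PSOs) that override the default for specific users or groups.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumed baseline; substitute the organization's own security policy values
$baseline = @{
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    LockoutThreshold            = 10
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
}

$policy = Get-ADDefaultDomainPasswordPolicy
$results = foreach ($setting in $baseline.Keys) {
    $actual   = $policy.$setting
    $expected = $baseline[$setting]
    # Booleans must match exactly; lockout threshold must be non-zero and no looser
    # than the baseline; other numeric settings must meet or exceed the baseline
    $ok = if ($expected -is [bool]) { $actual -eq $expected }
          elseif ($setting -eq 'LockoutThreshold') { $actual -gt 0 -and $actual -le $expected }
          else { $actual -ge $expected }
    [pscustomobject]@{ Setting = $setting; Expected = $expected; Actual = $actual; Compliant = $ok }
}
$results | Format-Table -AutoSize

# MaxPasswordAge is a TimeSpan; a zero value means passwords are set never to expire
$maxAge = $policy.MaxPasswordAge
"Maximum password age: " + $(if ($maxAge.TotalDays -eq 0) { 'never expires' } else { "$($maxAge.TotalDays) days" })

# Fine-grained password policies silently replace the default for their targets,
# so the auditor must review who each one applies to and whether it is weaker
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold,
        @{ n = 'AppliesTo'; e = { ($_.AppliesTo | ForEach-Object { (Get-ADObject $_).Name }) -join ', ' } } |
    Format-Table -AutoSize
```

Whether a non-expiring maximum age is a finding or a deliberate adoption of the NIST guidance depends on the organization's own policy, so report it rather than score it.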
Active Directory Groups – Least-privilege access is key to protecting data. Permissions should be applied to all user accounts and service accounts through security groups, not to individual accounts. This approach is considerably easier to maintain in the long run and adds a layer of consistency and logic to the environment. That said, auditors and IT personnel are often walking into older environments, or environments previously managed through multiple approaches, that are not well defined or logically organized. There are many approaches to managing groups and as many tools available for the process; that choice is not the auditor's decision. Auditors should focus their work on members of groups, nested groups, and users with delegated permissions for privileged access and other high-risk access. Active Directory reporting tools make this task somewhat less arduous, but even with a tool, understanding all permissions in an extensive network is still daunting. It is vital to look for all of the paths to potential access.
Inactive Accounts – The auditor should confirm that procedures are in place to routinely identify unused user and service accounts in Active Directory. These accounts, especially those with elevated privileges, are an exposure if sitting unused. Another related exposure area is accounts created for third-party users. These users typically do not go through the traditional onboarding/offboarding process and in some cases, could have elevated privileges. A process should be in place for requesting third-party access and a duration restriction should be set on these temporary accounts.
Domain Controller Security - First, the auditor should determine whether the domain controllers (DCs) are housed in physically secure locations, either in data centers or locked rooms where access is logged. DCs should be built to a standardized, repeatable, approved configuration. DCs should not have email or browser applications installed. IIS, SMTP, and portable media services should be disabled. Ensure that auditing is enabled on all DCs and that policy settings are consistent across DCs. Remember that DC security logs reside on each DC, so the logs on each must be reviewed, or consolidated, for a holistic picture. DCs should be backed up routinely, with backups stored in a secure off-site location.
Patch Management – Patch management is a critical component of a safe and secure operating environment. Operating system patches fix identified problems and vulnerabilities in operating systems and applications. Microsoft security releases are critical to apply to the Windows operating system. The auditor should ensure that a patching process is in place, either automated (preferred) or manual, that requires patches to be applied in a timely manner to non-essential systems first and then to essential systems once adequately tested. The auditor should ensure that patches are up to date on essential systems and note an exception for any systems that are beyond support and no longer being patched.
Remote Access – Remote access to networks increases the risk of compromised accounts. With remote access accounts, attackers are no longer constrained by needing to be physically within the organization's walls. Multi-factor authentication (MFA) mechanisms are a necessity for users with remote access to the organization's network. The auditor should confirm that there is a routine review of users with remote access to the company's systems, that non-active users are removed as appropriate, and that MFA mechanisms are in place for remote users. Another area to consider, outside Active Directory, is remote access to SaaS, PaaS, and IaaS providers. The auditor should ensure that processes are in place for onboarding/offboarding, routine active user access reviews, and MFA mechanisms for these services.
Service Accounts – Service accounts are user accounts set up for system and automation purposes. These accounts are widely utilized and, typically, the password is set never to expire. These accounts typically also have Domain Admin access privileges. Is this level of access necessary? Many auditors overlook these accounts because "no one knows the password," or "that account is only used by the backup software." IT Management should have a process in place for these accounts that includes setting strong passwords, securing those passwords in a vault, restricting access to only what is required, denying local logon, denying logon as a batch job, limiting logon times (as applicable), and enabling auditing.
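The account reviews described in the "Inactive Accounts" and "Service Accounts" sections above, as one added example that is not part of the original article: the first part lists enabled accounts with no logon in an assumed 90-day window, and the second identifies probable service accounts (non-expiring password or a registered SPN) and the findings an auditor would question. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the article): find stale enabled accounts and review
# probable service accounts, covering the "Inactive Accounts" and "Service Accounts"
# sections above. Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

$inactiveDays = 90                                      # assumed organizational threshold
$domainAdmins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName

# 1. Enabled accounts with no logon in the threshold period. LastLogonDate comes
#    from the replicated lastLogonTimestamp, which can lag real activity by up to 14 days.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($inactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, PasswordLastSet, whenCreated, Description } |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, whenCreated, Description,
        @{ n = 'DomainAdmin'; e = { $_.SamAccountName -in $domainAdmins } }
"Enabled accounts inactive for more than $inactiveDays days: $(@($stale).Count)"
$stale | Sort-Object DomainAdmin -Descending | Format-Table -AutoSize

# 2. Probable service accounts: password set never to expire, or an SPN registered.
$svc = Get-ADUser -Filter { Enabled -eq $true -and (PasswordNeverExpires -eq $true -or ServicePrincipalName -like '*') } `
        -Properties PasswordNeverExpires, ServicePrincipalName, PasswordLastSet, LastLogonDate, Description |
    ForEach-Object {
        $issues = @()
        if ($_.SamAccountName -in $domainAdmins)  { $issues += 'DomainAdmin' }          # is DA access really needed?
        if ($_.PasswordNeverExpires)               { $issues += 'PasswordNeverExpires' }
        if ($_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddYears(-1)) { $issues += 'PasswordOlderThan1Year' }
        if ($_.ServicePrincipalName.Count -gt 0)   { $issues += 'HasSPN' }              # needs a long, vaulted password
        if (-not $_.Description)                   { $issues += 'NoDescription' }       # owner and purpose undocumented
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            LastLogonDate  = $_.LastLogonDate
            Issues         = ($issues -join ';')
        }
    }
$svc | Sort-Object SamAccountName | Format-Table -AutoSize
$svc | Export-Csv -Path '.\service-accounts.csv' -NoTypeInformation
```

Third-party accounts do not stand out in AD by themselves, so pair this output with the list of vendor users from the access request process and check each for an expiry date (AccountExpirationDate) matching the agreed duration.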
Antivirus Software – The auditor should ensure that antivirus software is protecting all servers, DCs, and endpoint devices, that critical directories are not excluded from scans, and that virus definition files (as applicable) are updated regularly. Ensure that users are not permitted to permanently stop the antivirus service. A monitoring mechanism should be in place, either manual or automated, to alert responsible personnel of infections or other critical events.
Disaster Recovery Planning – Windows servers and Domain Controllers must be part of the organization's overall backup and recovery process. In most organizations, Active Directory is the foundation for the overall technical infrastructure. Not being able to recover Active Directory quickly in the event of a disaster could significantly delay a return to operations and would expose the organization while security is rebuilt into the infrastructure. The auditor should confirm that Windows Servers and Domain Controllers are part of a routine backup process, that backups are securely stored in an off-site location, and that there is a routine test restore process to ensure recoverability.
In closing, there are many resources available to auditors providing Active Directory security best practices and benchmarks. Microsoft offers best practice guides and hardening guides, as well as a Security Compliance Toolkit. The Center for Internet Security (CIS) offers security benchmark programs for most operating systems and database applications. GitHub also hosts a directory of security hardening guides and best practices. These are just a few of the many resources available to auditors when performing an Active Directory security audit.