AD Security: Best Practices for Your Active Directory!

The fundamental role Active Directory plays in Windows environments also makes it one of the most popular targets for hackers and cybercriminals. Protecting your AD from attacks is a top priority for any organization. But what does good Active Directory security look like in practice? Our guide explains the best practices for AD security, as well as how to avoid common mistakes.

What Is AD Security?

The term AD security refers to any steps, settings and safety measures used to protect Microsoft’s directory service Active Directory from attacks and data breaches. Aside from installing official security patches that address the latest vulnerabilities and exploits (just ask your admins about Patch Tuesday), Active Directory security is primarily a question of applying best practices and secure configurations. In practice, how organizations use and configure their AD is the biggest factor in the overall security of Active Directory.

As a key part of the Windows infrastructure, Active Directory is widely used across businesses, government agencies and other organizations in both the public and private sector. The vast majority of organizations with more than a handful of users rely on Active Directory to manage user accounts and access to digital resources.

As an omnipresent part of IT departments around the world, AD is also one of the main targets for cyberattacks, especially since many companies fail to implement safety measures or follow the best practices Microsoft provides for securing your AD. Unfortunately, errors and misconfigurations can leave you wide open to leaks, employee data theft and ransomware.

Note: Active Directory is not a single piece of software, but consists of multiple different services. The central component is known as Active Directory Domain Services (AD DS). Learn more about the different Active Directory services.

Active Directory Security: Frequent Mistakes & Vulnerabilities

IT security is a constant arms race: criminals and security researchers discover new exploits and vulnerabilities, and software companies quickly patch any known issues. Like most software products, Active Directory has been known to suffer the occasional critical vulnerability. To prevent attackers from exploiting these flaws to gain access to your network, it is essential for organizations to apply security patches in a timely manner and on all potentially at-risk devices.

The grim reality, however, is that most successful Active Directory attacks don’t rely on an unforeseeable zero-day vulnerability, but on long-standing flaws in the security configuration and policies of an organization. The table below provides an overview of common AD security mistakes that a shocking number of companies suffer from. Is yours among them?

AD Security Issue | How to solve the problem
Weak Credentials | Weak, common or reused passwords make it easy for attackers to hijack accounts. To stop credential-based attacks, implement password policies, limits for login attempts and multi-factor authentication.
Legacy Services and Protocols | Legacy authentication protocols such as NTLM authentication are a major security risk. They should be replaced with current standards such as Kerberos.
Too Many Privileged Users | Attackers that gain control of privileged accounts such as domain admins can cause significant harm. Administrator accounts must be strictly limited and their usage monitored.
Incorrectly Configured Service Accounts | Service accounts are often not properly protected and are given more permissions than they need to fulfil their intended task. Follow the principle of least privilege and replace normal service accounts with managed service accounts.
Not Securing Built-in Admin Accounts | Every AD domain includes a built-in admin account for maintenance and recovery purposes. To prevent abuse, limit logons and usage through group policy objects (GPO).
Inactive and Abandoned Accounts | Since orphaned accounts are neither used nor maintained, their outdated security configuration can make them particularly vulnerable. With no account owner, there is no one to raise the alarm in response to suspicious activity. Accounts that are no longer needed must be removed.
No Permission Reporting | Privileges granted to users must be reviewed and controlled to limit the exposure of sensitive data and systems. Since Microsoft’s default tools are severely limited, using a third-party solution for permission reporting is highly recommended.

What Makes Active Directory Security So Important?

The importance of securing your AD can be summarized quickly: Microsoft Windows is the foundation of nearly all IT environments worldwide and Active Directory is the foundation of Windows networks. Consequently, the threat posed by a compromised AD is huge: Once an attacker gains access to your network, they can use a variety of tools and techniques to either access higher permission tiers (privilege escalation) or spread to additional systems and devices (lateral movement).

If a hacker manages to spread across your AD or gain administrator privileges, they can cause enormous damage. Intruders with control of your Active Directory can not only steal and destroy large amounts of data, but also shut down your IT operations entirely. No one in your entire network can use their PC or log in to Windows until the attack has been fought off and your AD has been restored. Depending on your level of preparation, that can take quite a while.


AD Security: 7 Best Practices to Secure Your Active Directory!

Given the central role Active Directory plays for IT departments around the world, the best ways to secure AD are a much-discussed topic among admins and experts. Microsoft itself offers a list of Best Practices for Securing Active Directory as part of its official documentation. Beyond that, a wide variety of cybersecurity experts and third-party services deal with AD security.

Organizations that want to secure their AD should approach the issue in two stages: First, adjust the policies and settings included in Active Directory to achieve the best level of security that your business needs and the tools provided by Microsoft allow for. Next, consider using third-party solutions to expand upon the existing AD security features in areas where Microsoft’s default tools are not up to the task, such as the severely limited Active Directory permission reporting.

To help you get started, we have compiled a quick overview of the most important best practices and security goals for your AD.

1. Reduce Your AD Attack Surface

The attack surface of an IT environment refers to the sum of all potential entry points for attackers, such as devices, user accounts and connected services. Simply put, the fewer entryways your network provides for hackers, the lower the risk of a successful cyberattack. There are two reasons for this: 1) Adding more services and devices to your IT brings new dependencies, vulnerabilities and security holes with it, and 2) The more accounts your admins have to manage, the higher the risk of mistakes.

Consequently, practicing good cyber hygiene by keeping the number of accounts in your AD as low as possible is a proven way of stopping attackers. On a technical level, deleting unused or inactive accounts is a simple process. But admins can only carry it out if they are kept in the loop regarding any staff or role changes. Unfortunately, problems with internal communication often lead to stale, outdated and abandoned accounts: ones that were created with a specific goal or timeframe in mind and then simply forgotten about once they served their purpose.

The easiest way to ensure that any changes to user accounts are implemented swiftly and correctly is to automate the entire process, also known as user lifecycle management. This approach guarantees that employees have the exact resources and accounts they need from their first to last day at your company. And the best part? It does so without any effort from your IT staff.
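The review of inactive accounts described above can be scripted. The following PowerShell script is an added example, not code from the original article or from tenfold: it reports enabled user accounts with no logon for a configurable number of days and, with the -Disable switch, disables them with a note so the account owner can be consulted before deletion. The 90-day window and the report path are assumptions; it requires the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original article): report enabled user accounts that
# have not logged on for a given number of days and, optionally, disable them with a
# note so the owner can be consulted before deletion. Assumes the RSAT ActiveDirectory
# module; the report path and the 90-day window are assumptions for this example.
#Requires -Modules ActiveDirectory
param(
    [int]$InactiveDays = 90,
    [string]$ReportPath = "$env:TEMP\stale-accounts.csv",
    [switch]$Disable
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Search-ADAccount evaluates lastLogonTimestamp, which replicates domain-wide but can lag
# by up to 14 days, so treat hits as candidates for review rather than verdicts.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated, Description } |
    Where-Object { $_.whenCreated -lt $cutoff }   # skip accounts younger than the window that simply have not logged on yet

$stale |
    Select-Object SamAccountName, LastLogonDate, whenCreated, Description, DistinguishedName |
    Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} enabled user account(s) inactive for {1}+ days; report written to {2}" -f @($stale).Count, $InactiveDays, $ReportPath)

if ($Disable) {
    foreach ($user in $stale) {
        # Leave a trail in the description so anyone who finds the account knows why it was disabled.
        $note = "Disabled {0:yyyy-MM-dd} by inactive-account review (no logon for {1}+ days)" -f (Get-Date), $InactiveDays
        Set-ADUser -Identity $user -Description $note
        Disable-ADAccount -Identity $user
    }
}
```

Run it without -Disable first and circulate the CSV to the account owners; disabling (rather than deleting immediately) keeps the account recoverable if someone objects.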

2. Enforce Least Privilege Access

If an attacker manages to hijack one of your AD accounts, they will use any permissions and privileges it holds against you by stealing shared files, spreading to connected services or changing security settings to their advantage. In the wrong hands, any permission you grant one of your users can become a threat. This applies to insider threats like employee data theft just as much as it does to outside forces.

To prevent abuse, accounts should only be given the minimum amount of access needed to perform their intended role. This goes for application and service accounts, too. Limiting access rights to the bare minimum is a best practice also known as the principle of least privilege or POLP.

One common problem with implementing least privilege access is that organizations often do not know which assets their users can currently access and which ones they actually need for their job. To remedy this, you need to establish an access control policy that clearly defines the intended permissions for every user in your company. This can be done by grouping users based on factors like department or position and setting default permissions for these different roles. Learn more about this approach in our article on role-based access control.

However, enforcing least privilege access takes more than a one-time fix: Since both the responsibilities of your users and the structure of your IT change regularly, maintaining safe, minimal access requires ongoing checks and controls during which any unnecessary privileges users may have accrued are removed. This process is also known as a user access review. Once again, an automated platform is the easiest way to guarantee that reviews are carried out consistently.

Least privilege access is one of the cornerstones of the modern zero trust security framework alongside internal and external network controls.

3. Secure Privileged Accounts

The sensitive permissions administrative accounts are equipped with make them a very attractive target for hackers. Consequently, the security level for privileged accounts should be equally high. During everyday operations, IT staff must keep privileged accounts and their regular accounts strictly separate. As tempting as it may be, privileged accounts must never be used for normal work tasks, such as for routine maintenance and help desk tickets.

The admin, domain admin and enterprise admin groups should have no permanent members aside from their built-in administrator accounts. Instead, users should only be granted temporary membership for specific tasks, after which they are removed from the group. Local administrator accounts must be protected through group policy objects and the use of Windows LAPS (Local Administrator Password Solution) to manage credentials.

Note: Administrative accounts are not the only privileged accounts you need to secure. Device and service accounts, too, are often equipped with sensitive permissions that make them a potential security risk. Attack patterns like Kerberoasting aim to extract and crack the password hash for service accounts. Managed service accounts, which change their passwords automatically, can protect from attacks like these.
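The membership rule above (no permanent members beyond the built-in Administrator) can be checked with the following PowerShell script, an added example that is not code from the original article or from tenfold. It lists the recursive members of the Administrators, Domain Admins, Enterprise Admins and Schema Admins groups, flags everything except the RID 500 account, and includes a helper that grants time-limited membership where the forest's Privileged Access Management optional feature is enabled. It assumes the RSAT ActiveDirectory module; the account name in the usage comment is a placeholder.

```powershell
# Added example (not from the original article): list every member of the most sensitive
# AD groups, flag all members other than the domain's built-in Administrator (RID 500),
# and provide a helper that grants group membership with an expiry instead of permanently.
# Assumes the RSAT ActiveDirectory module; 'alice' in the usage comment is a placeholder.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$domain          = Get-ADDomain
$rootDomain      = (Get-ADForest).RootDomain
$builtinAdminSid = "$($domain.DomainSID.Value)-500"

# Enterprise Admins and Schema Admins exist only in the forest root domain, so query them there.
$groups = @(
    @{ Name = 'Administrators';    Server = $domain.DNSRoot },
    @{ Name = 'Domain Admins';     Server = $domain.DNSRoot },
    @{ Name = 'Enterprise Admins'; Server = $rootDomain },
    @{ Name = 'Schema Admins';     Server = $rootDomain }
)

$findings = foreach ($g in $groups) {
    # -Recursive expands nested groups so indirect memberships are not overlooked.
    foreach ($m in (Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive)) {
        if ($m.SID.Value -eq $builtinAdminSid) { continue }   # the one expected permanent member
        $detail = $null
        if ($m.objectClass -eq 'user') {
            $detail = Get-ADUser -Identity $m.DistinguishedName -Server $g.Server -Properties LastLogonDate, PasswordLastSet
        }
        [pscustomobject]@{
            Group           = $g.Name
            Member          = $m.SamAccountName
            Class           = $m.objectClass
            LastLogon       = $detail.LastLogonDate
            PasswordLastSet = $detail.PasswordLastSet
        }
    }
}
# Every row is a permanent privileged membership that needs a documented reason or should be removed.
$findings | Sort-Object Group, Member | Format-Table -AutoSize

function Grant-TemporaryGroupMembership {
    # Adds a member whose membership expires automatically. Requires the Privileged Access
    # Management optional feature (Windows Server 2016+ forest functional level) to be enabled.
    param([string]$Group, [string]$Member, [int]$Hours = 4)
    $pam = Get-ADOptionalFeature -Filter "Name -like 'Privileged Access Management*'"
    if (-not $pam -or $pam.EnabledScopes.Count -eq 0) {
        throw 'PAM optional feature is not enabled; the membership would be permanent.'
    }
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive (New-TimeSpan -Hours $Hours)
}
# Usage: Grant-TemporaryGroupMembership -Group 'Domain Admins' -Member 'alice' -Hours 2
```

Stale LastLogon or PasswordLastSet values on a privileged member are a second warning sign on top of the membership itself.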

4. Educate Your Users

Cybersecurity is as much about people as it is about technology. To keep your Active Directory safe, everyone in your organization, from the CEO to the front desk clerk, needs to understand and follow fundamental guidelines and principles. Training your users to recognize suspicious activity or attempts at social engineering and avoid unsafe behaviors is one of the most effective ways to lower the risk of security incidents. Safety features such as automated phishing filters provide an additional layer of protection.

5. Understand Threats and Attack Vectors

To protect against the latest threats and exploits, your information security team must stay up to date on new vulnerabilities and take appropriate steps to remedy them. In the best case, this simply means installing the latest patch in a timely manner. However, if parts of your IT infrastructure suffer from (currently) unresolved vulnerabilities, it may be necessary to temporarily disable certain features and services until a solution can be found.

Aside from weaknesses in individual systems and software products, the specific structure of your network can also create unintended avenues of attack for cybercriminals. By analyzing their own network from a hostile perspective, admins can identify and close potential attack paths before they become a problem.

For example, the free tool BloodHound can be used to map the relationships between AD users, groups and computers and reveal the paths an attacker could follow to reach protected functions, so that these paths can be closed. During penetration tests, the tool mimikatz allows testers to verify whether pass-the-hash, golden ticket or other complex attacks would succeed against your environment.

6. Log and Review Security Events

Continuous monitoring of certain system events allows you to identify early warning signs for possible attacks and prevent further harm. This requires you to set up and configure the relevant audit policies in order to track relevant changes. Events to monitor include:

  • Successful and unsuccessful logins

  • Attempted password resets

  • Creation, deletion or changes made to users and/or groups

  • Attempts to edit the SID history of an object

  • Attempts to activate Directory Services Restore Mode

  • Changes to domain or Kerberos policies

  • Changes to the audit policy

  • Attempts to clear the audit log

Keep in mind: the data collected this way is only useful if your admins have the time to review and respond to it. Since IT environments produce an enormous amount of log data even during normal operations, it is recommended to employ automated tools to help with analysis. Software solutions from the fields of security information and event management (SIEM) or extended detection and response (XDR) deal with this exact problem.
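To make the list above concrete, the following PowerShell script is an added example (not code from the original article or from tenfold): it maps each warning sign to its Windows Security event ID, pulls those events from every domain controller for a lookback window, prints a per-category count and writes the non-logon detail to a CSV for follow-up. The event IDs are Microsoft's standard Security audit IDs; the 24-hour window and report path are assumptions, and the script requires the RSAT ActiveDirectory module plus remote Event Log access to the DCs.

```powershell
# Added example (not from the original article): collect the Security-log events behind the
# warning signs listed above from every domain controller and summarize them per category.
# Event IDs are the standard Windows Security audit IDs; window and report path are assumptions.
#Requires -Modules ActiveDirectory
param(
    [int]$Hours = 24,
    [string]$ReportPath = "$env:TEMP\ad-security-events.csv"
)
Import-Module ActiveDirectory
# Warning sign -> Security event ID(s). Successful logons are high-volume, so they are only counted.
$watch = [ordered]@{
    'Successful logon'                   = 4624
    'Failed logon'                       = 4625
    'Password reset attempt'             = 4724
    'User created / deleted'             = 4720, 4726
    'Group created / deleted'            = 4727, 4730
    'Member added to security group'     = 4728, 4732, 4756
    'Member removed from security group' = 4729, 4733, 4757
    'SID history added / attempt failed' = 4765, 4766
    'DSRM administrator password set'    = 4794
    'Kerberos policy changed'            = 4713
    'Domain policy changed'              = 4739
    'Audit policy changed'               = 4719
    'Audit log cleared'                  = 1102
}
$ids   = @($watch.Values | ForEach-Object { $_ })
$since = (Get-Date).AddHours(-$Hours)
function Get-EventField($evt, $name) {
    # Read a named field from the event XML; works for EventData (<Data Name=...>) and UserData (<Name>).
    $node = ([xml]$evt.ToXml()).SelectNodes("//*[local-name()='$name' or @Name='$name']") | Select-Object -First 1
    if ($node) { $node.InnerText } else { $null }
}
$events = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $ids; StartTime = $since
        } | ForEach-Object {
            $evt = $_
            [pscustomobject]@{
                Time     = $evt.TimeCreated
                DC       = $dc
                Id       = $evt.Id
                Category = ($watch.GetEnumerator() | Where-Object { $_.Value -contains $evt.Id } | Select-Object -First 1).Key
                Subject  = Get-EventField $evt 'SubjectUserName'
                Target   = Get-EventField $evt 'TargetUserName'
            }
        }
    }
    catch { if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "${dc}: $_" } }
}
# Counts per category and DC first; full detail (minus routine logons) goes to the CSV for follow-up.
$events | Group-Object Category, DC | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
$events | Where-Object Id -ne 4624 | Sort-Object Time | Export-Csv -Path $ReportPath -NoTypeInformation
```

The events only appear if the matching audit subcategories (Logon, Account Management, Policy Change and Audit Policy Change) are enabled on the domain controllers; a SIEM would run the same correlation continuously instead of on demand.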

7. Prepare Emergency, Backup and Recovery Plans

While these tips and best practices will help you stop a lot of AD attacks, it’s important to remember that there is no such thing as 100% security. That’s why a successful Active Directory security strategy also requires you to plan for the worst-case scenario: a successful attack on your AD.

Security training and simulated attacks can help your staff prepare for real emergencies and react more quickly in the extremely stressful scenario of a security breach. Ideally, a swift response can limit the scope of the attack, but your emergency plan shouldn’t depend on this outcome. Your emergency and recovery strategy should cover every scenario, up to and including a complete compromise of your AD. There are two separate areas you need to plan for:

  • Business continuity: How can your business continue to operate in a limited capacity during an ongoing attack? What channels do you use for emergency communications when your business email and office chat are unavailable? Even low-tech solutions, such as ensuring that all members of your security team have each other’s phone number, can save valuable time during a crisis.

  • Recovery: What are the necessary steps to restore your IT infrastructure to its prior state after your network was breached? Many organizations prepare backups of critical business data but never back up their domain controllers, even though a copy of your domain controller is crucial to restoring Active Directory. Make sure to follow the best practices for secure backups, however: maintain at least three separate copies on different storage media, one of which is stored off-premise (in a remote facility or a secure cloud service).

Maintaining Active Directory Security with tenfold Access Management

Protecting your Active Directory requires constant vigilance and ongoing adjustments that must be implemented both swiftly and accurately. To reduce the risk of successful attacks, organizations must limit accounts and permissions, manage their security settings, and track and document changes. The easiest and safest way to ensure your AD follows best practices and security recommendations is through an automated software solution from the field of identity and access management.

By automatically creating, updating and removing accounts and permissions, tenfold’s user lifecycle management not only saves precious time for your IT staff, but also ensures strict adherence to least privilege access. Clear, detailed and central permission breakdowns as well as automated user access reviews help you manage and control access rights in your organization. Additionally, tenfold’s dashboard highlights errors and misconfigurations, allowing you to quickly address common problems.

Best of all: Thanks to tenfold’s deep integration with both Microsoft’s on-premise infrastructure and the cloud services included in Microsoft 365, you’ll enjoy the benefits of automated user and permission management across all systems.

Would you like to learn more about the advantages of tenfold? Our video overview will introduce you to the key features of our IAM solution. Compare editions to see which plugins and interfaces are included in each of tenfold’s three subscription tiers. Or sign up for a free trial to experience our powerful features and user-friendly interface firsthand.


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.