Secure Active Directory Design
Microsoft has reported that, every day, 95 million Active Directory accounts and 10 million Azure AD accounts are the target of cyberattacks.
The primary vector has now shifted from direct attack on a compute resource to theft of user credentials, often by means of a phishing attack. Once a user’s credentials are obtained, the attacker has access to a workstation on which to run software that captures the credentials of other accounts. Preferred targets are service accounts and Domain Administrator accounts, allowing the attacker to traverse the infrastructure horizontally and vertically.
An employee stealing intellectual property to take to a new job or a fat-fingered administrator making a critical configuration error are examples of breaches caused by someone inside the network. Often, an outside attacker takes over a legitimate account:
Data breaches and other security incidents over the last few years have caused vulnerabilities such as “Pass the Hash” to resurface. It has been said before but bears repeating that perimeter security alone is no longer sufficient to secure our highly dynamic, connected and mobile enterprises. Instead, organizations must focus on protecting the enterprise at the identity—or the user—level. With insider threats on the rise, it’s important that any organization maintain an active insider threat program to protect these identities—most critically, privileged or administrative identities. Because 99% of enterprises rely heavily on Active Directory (AD) as their primary user authentication mechanism, AD has remained the most popular target among bad actors and is a critical component of any insider threat program.
NTLM Hashes, Privileged Account Abuse and Escalation
The legacy NTLM hashes generated by AD are specifically a primary focus of nefarious actors. If you’re not familiar with the common “Pass the Hash” attack, here’s a brief synopsis of how it often works:
- A user’s workstation is compromised, for example, by a phishing attack.
- The bad actor gains administrative permissions to the user’s workstation and may create a problem with the workstation that will require someone with elevated permissions to fix it.
- An administrator logs onto the workstation to remedy the issue, leaving the administrator’s hash stored in memory.
- The bad actor executes software to extract the hash and makes network connections from the workstation to resources, data stores, databases and more sensitive systems and data as the perceived privileged user.
To thwart attackers pursuing horizontal kill chains with pass-the-hash and related methods, Microsoft has delivered a reference architecture and other best practices that seek to isolate privileged credentials. Microsoft recommends a new security model, the Enhanced Security Admin Environment (ESAE), for holding the accounts that require additional security due to their privileged access to the production forest. ESAE is a special administrative forest, also known as a Red Forest, used to manage all privileged identities in AD, making it more secure.
A key principle of the Active Directory Red Forest model is that admin accounts are divided into three levels of security:
- Tier 0 — Domain Controllers (DCs), identity management resources, administrator user accounts and service accounts
- Tier 1 — Server, application and cloud admin authority
- Tier 2 — Standard user accounts, workstations, printers and devices
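The Pass the Hash synopsis above hinges on one step: a privileged (Tier 0) account logging on interactively to a Tier 2 workstation, which leaves its hash in that workstation’s memory. The tier model exists to make that step a policy violation, so the first thing to monitor is whether it still happens. The following PowerShell script is an added example, not code from the original article or from Microsoft’s ESAE guidance; it resolves the Tier 0 account set from the built-in privileged groups (add your own Tier 0 groups to the list) and reports any credential-caching logon by one of those accounts in the local Security log. The group list, the look-back window and the assumption that the host it runs on is not itself Tier 0 are the script’s own choices.

```powershell
# Added example (not from the original article): flag interactive logons by
# Tier 0 accounts on a host that is not itself Tier 0, i.e. the situation the
# Pass-the-Hash synopsis describes. Run on the workstation (or on an event
# collector that forwards workstation Security logs) with the ActiveDirectory
# module installed. The group list and look-back window are local choices.
Import-Module ActiveDirectory

# Tier 0 is modelled here as the built-in privileged groups; extend the list
# with your own Tier 0 groups (e.g. a 'Tier0-Admins' group) if you have them.
$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Resolve every user that is a direct or transitive member of a Tier 0 group.
$Tier0Accounts = $Tier0Groups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName -Unique

# Logon types that leave a reusable credential in LSASS on this host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
$CredentialCachingLogonTypes = @('2', '10', '11')

function Get-Tier0LogonViolation {
    param([int]$HoursBack = 24)

    # 4624 = "An account was successfully logged on".
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$HoursBack)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 4624 carries its fields in the EventData XML; read them by name.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($CredentialCachingLogonTypes -notcontains $data['LogonType']) { continue }
        if ($Tier0Accounts -notcontains $data['TargetUserName']) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']
            Workstation = $env:COMPUTERNAME
            SourceIp    = $data['IpAddress']
        }
    }
}

# Every row returned is a Tier 0 credential exposed on a lower-tier host and
# should be treated as a tiering-policy breach, whatever the reason for the logon.
Get-Tier0LogonViolation -HoursBack 24 | Format-Table -AutoSize
```

The report is only a detective control; the preventive counterpart is a Group Policy on Tier 1 and Tier 2 computers that assigns “Deny log on locally” and “Deny log on through Remote Desktop Services” to the same Tier 0 groups, so that the logon in step three of the synopsis cannot succeed in the first place. Run the script after deploying that policy as well, since an empty result is the evidence that the policy is actually applied.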
The basic forest design of the ESAE environment looks something like this:

The recommendations only include Microsoft products (which makes sense, since it would be hard for Microsoft to recommend products it has no control over). One component of this architecture that may not work for most organizations is disabling NTLM authentication: legacy applications often still depend on it, so you may need to re-architect them first. That said, I’d still highly recommend this model if at all possible.
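Disabling NTLM outright is what breaks legacy applications, but Windows can audit NTLM use domain-wide without blocking anything, which gives you the inventory needed to decide what has to be re-architected before the switch. The PowerShell below is an added example, not code from the original article or from Microsoft; it creates a Group Policy Object that turns on the three “Restrict NTLM” audit settings in their audit-only modes, links it at the domain root, and summarises the resulting domain-controller NTLM audit events by user, workstation and target server. The GPO name, the domain controller name and the look-back window are placeholders of the example’s own.

```powershell
# Added example (not from the original article): audit NTLM use across the
# domain before considering the ESAE recommendation to disable it. Requires the
# GroupPolicy and ActiveDirectory modules and rights to create and link GPOs.
# 'NTLM Audit' and 'DC01' are placeholder names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'NTLM Audit'                                   # placeholder name
$Lsa     = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Create the GPO once; reuse it on later runs.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# "Restrict NTLM: Audit Incoming NTLM Traffic": 2 = enable auditing for all accounts.
Set-GPRegistryValue -Name $GpoName -Key $Lsa -ValueName 'AuditReceivingNTLMTraffic' `
    -Type DWord -Value 2 | Out-Null
# "Restrict NTLM: Outgoing NTLM traffic to remote servers": 1 = audit all (no blocking).
Set-GPRegistryValue -Name $GpoName -Key $Lsa -ValueName 'RestrictSendingNTLMTraffic' `
    -Type DWord -Value 1 | Out-Null
# "Restrict NTLM: Audit NTLM authentication in this domain": 7 = enable all (DCs only act on it).
Set-GPRegistryValue -Name $GpoName -Key $Lsa -ValueName 'AuditNTLMInDomain' `
    -Type DWord -Value 7 | Out-Null

# Link at the domain root so member servers, workstations and DCs all receive it.
$domainDn = (Get-ADDomain).DistinguishedName
New-GPLink -Name $GpoName -Target $domainDn -ErrorAction SilentlyContinue | Out-Null

# After audit events have accumulated, summarise who still uses NTLM and where.
# 8004 in Microsoft-Windows-NTLM/Operational on a DC = an NTLM authentication
# request for a domain account was audited (or blocked) by that DC.
function Get-NtlmUsageSummary {
    param([string]$ComputerName = 'DC01', [int]$DaysBack = 7)   # DC01 is a placeholder

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8004
        StartTime = (Get-Date).AddDays(-$DaysBack)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [pscustomobject]@{
            User        = "$($d['DomainName'])\$($d['UserName'])"
            Workstation = $d['WorkstationName']      # client that sent the NTLM request
            Server      = $d['SChannelName']         # server whose secure channel forwarded it
        }
    } |
    Group-Object User, Workstation, Server |
    Sort-Object Count -Descending |
    Select-Object Count, Name
}

# Each row is one (user, workstation, server) triple that would stop working
# the day NTLM is denied; the servers column is the re-architecture worklist.
Get-NtlmUsageSummary -ComputerName 'DC01' -DaysBack 7 | Format-Table -AutoSize
```

Leave the policy in audit mode for at least one full business cycle (month-end jobs and quarterly processes included) before flipping the same settings to their deny values; the summary shrinking to zero rows is the signal that NTLM can be disabled for that population.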
Does Multifactor Authentication Help?
Multi-factor authentication (MFA) can add some value for administrators, particularly against phishing attacks like the one that starts the Pass the Hash example. But the reality is that the vulnerability the ESAE is designed to prevent does not involve passwords. While a user or administrator authenticates interactively using a password (and in some cases MFA), the generated hash—not the credentials themselves—is the target of the bad actor.
- https://www.quest.com/community/blogs/b/microsoft-platform-management/posts/how-microsoft-red-forest-improves-active-directory-security
- https://social.technet.microsoft.com/wiki/contents/articles/37509.active-directory-red-forest-design-aka-enhanced-security-administrative-environment-esae.aspx
- https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1409
- https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations#:~:text=In%20simplest%20terms%2C%20a%20PAW,well%20as%20sensitive%20business%20functions.
- https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
- https://securityboulevard.com/2019/06/red-forest-or-well-managed-active-directory/