Microsoft's Active Directory (AD) has been a hot target for attackers for about as long as businesses have relied on the directory service to manage users, applications, data, machines, and myriad other components of their enterprise networks.

Securing AD is essential to protect user credentials, domain-joined systems, and sensitive data from unauthorized access. But it's no small task: AD is a large and complex environment with several moving parts and multiple groups involved in its management. Defenders have a lot to cover, and attackers have plenty of opportunity to take advantage.

"As AD servers are central to authenticate and authorize identities to access crown-jewel resources, they are always a prime target," says Thirumalai Natarajan, principal consultant at Mandiant Services.

In most cases, attackers aim to compromise AD servers so they can harvest the credentials of all or targeted domain users. They'll then use the stolen credentials to access and exfiltrate sensitive data, he adds. Some may implant backdoors to maintain persistent privileged access.

AD's vast wealth of information is the primary reason attackers are drawn to the service. However, other factors make it a high-profile target. As Merritt Maxim, vice president and research director at Forrester, points out, most organizations use AD in some way, shape, or fashion – meaning there is also plenty of public material to aid malicious activity.

"It's a rich repository of data; it's a system that's widely known and understood," Maxim says. "Therefore, the knowledge about how to break into it is more widely known than, say, some esoteric embedded system for which there may not be as much availability."

Offensive security experts have done a lot of work to inform defenders on where they need to protect AD and the things they need to pay attention to, says Lee Christensen, technical architect at SpecterOps. But he calls this a "double-edged sword" because attackers can also access this information and learn where they should be targeting their attacks.

How Attackers Take Aim at Active Directory
Threat actors typically need initial access on a domain-joined system in an organization, says Natarajan, and they can achieve it in multiple ways, including spear-phishing emails with malicious attachments, drive-by download attacks, and exploiting a vulnerability in an Internet-facing system.

Once a victim runs the malicious binaries, the attacker has a better chance of getting initial access over the system. They could exploit other system flaws to gain administrative privileged access, and AD reconnaissance tools can help them understand the directory structure and choose their targets. Various misconfigurations – which experts agree are plentiful in AD environments – can help them escalate their privileges to domain administrator.

"To me, it's almost more attractive because there's not a patch for that," says Will Schroeder, technical architect at SpecterOps, of misconfigurations from an attacker's perspective. "There are ways that people can fix it, but over time this kind of debt and misconfiguration can build up." Because AD systems are so complex, little things can create large security holes over time.

Some common misconfigurations and poor practices include service accounts running with high privileges, systems with unconstrained delegation settings, privileged users accessing nonprivileged systems, and over-permissive rights to standard users, says Natarajan. Attackers with domain admin credentials can extract the credentials of all the domain users.

"With all these credentials, threat actors can access any databases, web servers, finance data, personally identifiable information, personal health data, executive mailboxes, and more," he adds.

Because AD is so complex, attacks don't have to be advanced to be effective. Schroeder points to password spraying and "Kerberoasting," a post-exploitation attack targeting AD service account credentials, as examples of common attacker techniques. But advanced attackers leverage AD as well: Last year's SolarWinds attack drew attention to an Active Directory Federation Services (ADFS) bypass technique dubbed "Golden SAML."

Lee and Schroeder recently published the findings of their investigation into Active Directory Certificate Services (AD CS), an aspect of AD that has several associated security risks but has often been overlooked in the conversation around Active Directory. While AD CS isn't installed by default, it's a commonly used, key system that ties into authentication and security.

"Almost every single environment we've looked at since January has had a misconfiguration that allows the domain to be compromised by low-privileged users," says Schroeder. Because it has been around for so long, most organizations tend to let these misconfigurations pile up. Certificate abuse, researchers warn, can lead to credential theft, machine persistence, domain escalation paths, and domain persistence, which can let attackers forge "golden" certificates.

These details are important for defenders to understand, says SpecterOps' Christensen. If a machine or account is compromised, they should be looking at AD CS to see whether it has been abused or attackers have stolen certificates to ensure attackers have been expelled from the network.

The Factors Complicating AD Defense
Attackers have the upper hand with AD as defenders struggle to protect a large and complex environment. Some of their top concerns aren't necessarily related to security, says Forrester's Maxim. Many are operational, such as the fear that AD is so widespread.

"Companies may have a poor understanding and visibility of how many domain controllers they have, how many domains, how many people have administrator privileges in Active Directory, and what's the overall hierarchy," he explains. "There's that lack of understanding of how big the environment is."

In parallel, another common challenge is AD isn't always exclusively owned by the security team. As an infrastructure technology that underpins many applications and other components, it may be owned by an infrastructure and operations team that may not have security concerns foremost in their thoughts. This means security teams will have to try and engage to get their requirements into the system and ensure protective steps are taken.

Sometimes security issues arise because IT administrators don't understand the implications of their actions, Christensen notes. They may see no harm in granting one user access to a machine, but an attacker with the same access could cause further damage. A seemingly innocent step, combined with the misconfigurations in AD, can lead to complete compromise.

Security concerns not only apply to employees who work at an organization, but also those who leave, Maxim notes. If their credentials are not removed or expired, they could still prove useful to both disgruntled former employees, as well as attackers who gain access to their credentials.

Will Moving to the Cloud Aid or Harm AD Security?
As more organizations move to the cloud with Azure Active Directory, it begs the question: Will this increase or decrease their security risk?

It's still early to fully tell, says Schroeder. After all, it took the security industry a long time to grasp the implications of AD. Azure AD is new, different, and also very complex. As with many cloud transitions that were so common in 2020, he worries organizations are moving to the cloud as fast as they can without pausing to consider the full security implications.

"I'm not saying it's less safe or more safe … it's just more of an unknown, at least to a lot of us, and we just don't have the same grasp," he says.

Even at this stage, it's clear the cloud has piqued the interest of attackers and organizations.

"Hybrid AD environments are of interest to threat actors and defenders alike," says Natarajan. Attackers can move laterally from on-premises to cloud or from cloud to on-premises based on their initial foothold and by exploiting misconfigurations or security flaws. If multitenant applications are compromised, it creates more opportunities for attackers to laterally move into consumer tenants based on the app permissions.

Moving to the cloud does not mean removing all the security problems that existed on-prem, Maxim notes. Organizations sometimes assume moving to the cloud means handing security responsibilities to the cloud provider – a dangerous mindset. Many of the same threats and problems exist in hybrid and cloud environments.

"What you have to do with AD … it doesn't matter if it's on-prem or cloud, you should be following the same best practices regardless," he says.

Tips and Tools for Active Directory Defense
The underlying construct with AD is simplicity, says Maxim.

"How many forests do you have? How many domains do you have? How many domain controllers do you have? Keep that number to a manageable number," he continues. As companies expand, reorganize, and acquire new businesses, the AD environment can get bloated and interfere with visibility in understanding it. Staying on top of the underlying architecture to keep it as simple as possible will keep management simple as well.

Natarajan advises conducting periodic security assessments to not only identify exploitable misconfigurations, but to understand the full security posture of the AD environment. Businesses should also perform red-team exercises against AD servers to assess their detection and defense posture and enable security tools baked into AD to protect privileged accounts.

Other defensive tips, he says, include enforcing logon restrictions and minimizing the exposure of privileged accounts, using privileged administrative workstations for any administrative tasks, using a protected users security group, enforcing strong password policies, and implementing multifactor authentication (MFA).

In addition to visibility, Schroeder and Christensen recommend IT teams create a plan for how to handle misconfigurations and network changes, and to limit the "blast radius" when an attack occurs. Businesses should give their IT teams the resources, both in tools and time, to address AD security issues and build protections to limit the impact of a compromised endpoint.

Some of the resources they suggest include Bloodhound, a free and open source tool built by the team at SpecterOps; PingCastle, an AD enumeration and risk assessment tool; and Microsoft's Securing Privileged Access Documentation, which contains guidance on how organizations should architect their networks to secure accounts and restrict resource access.

While technology plays a role in AD security, people and processes are key, Maxim emphasizes. AD is integral to how companies are organized, and you need to understand how that works.

"How do security, infrastructure, and operations teams work together? How do they cooperate? How do they collaborate?" he says. "Understanding those kinds of rules of engagement, and having well-documented procedures in place for how you're going to do AD … I think those are all really essentially parts of being successful."