4 common Active Directory and IT security mistakes made by admins inSouth Africa

Four common mistakes around Active Directory and IT Security

Relying on Active Directory's (AD's) native password policy

"61 percent of IT admins believe their AD password policy is not enough to protect against password attacks."

Managing employee passwords is a struggle for most businesses worldwide. It's costly to maintain healthy password security, but neglecting this crucial task can have devastating results. According to the recent Verizon Data Breach Investigations Report. The report finds a staggering "81 percent of hacking-related breaches leveraged either stolen and/or weak passwords."

Considering the importance of passwords, you’d expect AD, the most widely used directory service among businesses, to provide a strong mechanism to protect them.Unfortunately, the native password policies in AD leave a lot to be desired, the options are very basic and not strong enough to ward off attackers. Even with password complexity rules enabled, domain users can still set weak passwords. On top of this, AD's native password policies can't restrict employees from using passwords that include personal information, like a combination of their names and the years they were born.

So what's the solution?

  • Identify users with weak passwords.
  • Strengthen passwords by blacklisting common passwords, restricting patterns (such as asdf, qwerty, 1234, etc.), and implementing advanced password complexity rules.
  • Don't rely on passwords alone; enable two-factor authentication (2FA) for Windows machines. This adds another layer of security to user accounts.

ManageEngine AD360 solves this challenge by not only identifying users with weak passwords, but providing a password policy enhancer that enforces strong password policy settings, including dictionary rule, pattern check, and more.

AD360 adds another layer of security for Windows logons by forcing users to authenticate through SMS or email-based one-time passcodes, Google Authenticator, Duo Security, or RSA SecurID, in addition to using usernames and passwords.

Using NTLM authentication

"53 percent of IT administrators consider NTLM authentication to be unsecure, but find it difficult to track whether NTLM authentication is being used."

Exploiting Windows' weak authentication protocols is at the top of the list for most attackers. It's easy to do and can give the attacker access to resources without alerting most systems, such as an intrusion prevention system (IPS), antivirus solution, etc.

All NTLM versions use a relatively weak cryptographic scheme. Even though the hash is salted before it's sent over the wire, it's saved in a machine’s memory in plaintext. This makes it easy for hackers to crack hashes and see passwords in plaintext.

Unlike Kerberos, when a client authenticates to a server using NTLM, it cannot validate the identity of the server. This means that a malicious actor with man-in-the-middle capabilities could impersonate the server and send the client fake or malicious data.

So why is NTLM still around? Because it's a legacy protocol. Like many legacy components, NTLM is difficult to remove from the network without breaking anything.

To discover if NTLM is being used, you first need to track if your users are using NTLM or Kerberos for authentication against specific Windows servers, applications, or services.

  • Prevent NTLM hashes from being stored on local machines and inside the default domain controller policy. This can be done using the Group Policy Object (GPO).
  • Head to Security Settings > Local Policies > Security Options > Network security : Do not store LAN Manager hash for the next password change.
  • This will prevent users' LAN Manager hashes being saved the next time a password is changed. The existing hashes will still be in the SAM database, so you'll need to enable this policy in the GPO, and force all users to change their passwords.

ManageEngine AD360 provides real-time audit reports and alerts on critical changes made to your on-premises AD and Azure AD environments, including user logon and log off, authentication protocol used, means of logon, privilege escalation, solicited and unsolicited changes made across hybrid AD, data storage, and member servers. AD360 also helps you detect insider threats, analyze lockouts, and comply with IT regulatory mandates.

Neglecting to clean up Active Directory and other platforms

"38 percent of IT administrators said their AD is riddled with ghost accounts across platforms and find it challenging to clean them up."

AD is the primary authentication and authorization directory for more than 90 percent of the world's enterprises, making it a common target for cyberattacks. With the increasing adoption of Office 365, IT administrators have to manage hybrid environments, which are even harder to secure.

While hybrid IT environments are the perfect choice for most businesses, they inevitably introduce a number of challenges for IT teams. With data and user identities spread across on-premises locations and cloud infrastructures, and with credential-based attacks and data breaches on the rise, striking the right balance of security to achieve visibility and control over hybrid environments can be a tall order.

In short, any unintended access gained through on-premises AD can have repercussions not just in Office 365 or Azure AD, but in any web-based application. Therefore, an end-to-end hybrid AD security solution is critical for any organization.

The most important step in reducing the risk of unauthorized users logging in to AD is to clean up old accounts. This begins with thoroughly combing through the list of users across platforms and revoking access upon termination or abuse of authorized privileges, including access across AD, Office 365, Exchange, Skype, home folders, profile paths, etc. This process not only organizes the users in your environment, but it also restricts access to critical platforms, devices, and data.

ManageEngine AD360 helps automate the clean up of Active Directory and other platforms; AD360's automation capabilities can also be coupled with workflows, providing much needed flexibility to ensure tasks are carried out smoothly and effectively.

Having no visibility on privileged access

"35 percent of the IT administrators find that employees have more privileges than the ones granted to them."

The easiest way to classify privileged accounts is by their scope of control:

  • User/domain account — provides access on domain-based machines
  • User/local account — provides access on a single server or workstation
  • Service account — allows applications to interact over the network
  • Application account — provides administrative access to applications

Elevated privileges allow users to perform a wide variety of actions, which can lead to a number of incidents from data misuse to a compromised system. Malicious, tech-savvy users can use accounts with elevated privileges to install backdoors or exploits, giving them full access to the system. A disgruntled employee could even bring a whole system down just by altering a few critical settings within the IT infrastructure.

However, what makes privileged accounts dangerous is not the extent of their access, but how hard these accounts are to track and how difficult it can be to detect changes made by them. What you need is a real-time alerting and mitigation process that can track:

  • Unauthorized accesses
  • Unauthorized changes to privileges
  • Suspicious user behavior activity

ManageEngine AD360 helps govern access to resources, enforce security, and ensure compliance with regulatory mandates; it provides in depth-auditing across hybrid Active Directory (on-premises and Azure), file servers, member servers, and workstations. It also captures changes in real time, and creates an alert when activities happen otherwise. Any unexpected or suspicious activity can be mitigated instantly, as every alert is coupled with a Run Program mechanism.

Source: Data obtained from surveys conducted in our 2019 Cybersecurity seminar.

Ready to get started?Try a free, 60-day trial of AD360, and bolster your IT security.