Active Directory serves as the keys to your kingdom, managing user and system access and policies on a daily basis. As such, it’s arguably one of the most important systems to secure, but are you doing it right?
In this post, you’ll learn why Active Directory is a top priority system to lock down, four ways to do it, and a few more tips to put into practice.
Putting up the blockades: Why securing Active Directory is key
Active Directory is arguably as important and sensitive as company finances, trade secrets, and intellectual property. If malicious actors are able to gain domain admin rights, they automatically have the ability to edit existing accounts or create new ones, gain access to systems hosting sensitive data, and even wipe out any evidence of the attack.
Securing Active Directory means doing everything from putting the right user access policies in place, to ensuring policies are followed, to limiting admin access and segmenting network access. Trouble is, most companies don’t know how to configure all of this, and on top of that, domain admins often don’t pay attention to what other admins are doing (it’s called inherent trust), meaning malicious activity can easily go undetected. This post is designed to help you address these issues.
4 steps to securing Active Directory
No two organizations use and configure Active Directory exactly the same, so the way in which it should be secured will vary, too. However, there are a few basic steps all companies can take to implement the security basics, and then we’ll explain how to implement custom security practices.
1. Inventory your network
The first thing any organization should do is understand what kinds of networks, systems, and users are managed on Active Directory. Things to think about include:
- What does your network look like? Is it flat and simple or hierarchical and complex? How many distinct segments are there in the network? How is it interconnected?
- What are the different groups of users within your organization? Often users are grouped by roles or business units, such as developers, sales, finance, HR, and so on.
- What actions are common for each user group? Define what normal behavior looks like for users in finance, sales, development, etc., including the types of apps and services they log on to, tasks they perform, etc. This will help you baseline behavior.
- Identify what kinds of admin accounts exist. Machine accounts, service accounts, and user accounts with admin privileges all need to be tracked and kept in check.
2. Create Active Directory policies with security in mind
Once your inventory is complete, you can put pen to paper and set up policies and configurations within AD, which give certain users access to certain parts of the network. Here’s how to do this:
- Map which users should have access to which parts of the network. First, understand what your network topology should look like. Where do you group critical servers, and who really needs access to them on a regular basis?
- Limit users with admin rights. Most users don’t need global admin access, so follow the principle of least privilege access and give each user group access to only what they absolutely need in order to get their job done.
- Create group management rules. This puts in writing the privileges various user groups have, including what they can touch and modify from a system and services standpoint.
- Put expiration dates on user passwords. It’s shocking how many companies don’t do this, but with how easy passwords are to crack or steal, it’s important they’re changed often.
- Create a repeatable onboarding process. Create a process for each user group so that as new employees are brought on, it’s easy to set them up with the right access levels.
If a user is in finance, for example, there are certain things they’ll need to do on the network, like access accounting software and payroll services, and other things they should not be doing, like logging in to BitCloud or accessing a production server. This should be included in your policy.
Whether you’re just setting up Active Directory or are a long-time user, it’s never too late to go through this process to inventory your environment and ensure the right policies are in place.
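The inventory step (admin accounts) and the policy step (least privilege, expiring passwords) above both come down to questions you can ask AD directly. The following is an added example, not code from the original post or from Rapid7; it assumes the RSAT ActiveDirectory module, read access to the domain, and the default English group names.

```powershell
# Added example: inventory privileged accounts and password-policy gaps in AD.
# Assumes the RSAT ActiveDirectory module and default English group names.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1. Who actually holds admin rights? -Recursive expands nested groups, which is
#    where unexpected members usually hide.
$admins = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
}
$admins | Sort-Object Account | Format-Table -AutoSize

# 2. Enabled accounts whose password never expires (the gap the post calls out)
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet |
    Format-Table -AutoSize

# 3. Service accounts: user objects that carry a ServicePrincipalName
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
    Select-Object SamAccountName, @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join '; ' } } |
    Format-Table -AutoSize

# 4. Privileged accounts with no logon in 90 days: stale privilege to remove
$cutoff = (Get-Date).AddDays(-90)
foreach ($a in $admins | Select-Object -ExpandProperty Account -Unique) {
    $u = Get-ADUser -Identity $a -Properties LastLogonDate
    if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
        Write-Output "Stale privileged account: $a (last logon: $($u.LastLogonDate))"
    }
}
```

Run it from a management workstation rather than on a domain controller, and re-run it after every onboarding or role change so the output stays a current picture of who holds privilege.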
3. Monitor for security policy adherence or deviations
Monitoring provides a way to track what users are doing and understand if there are violations based on access rights or anomalies based on historical user activity. There are a few ways to go about doing this. If you’re a small organization under 20 employees or so, you may be able to get away with building rules that detect activity like failed logins and then manually review the logs to see if there’s a real issue at hand. This requires logging in to different domain controllers and looking at the event viewer to find malicious behavior. This can quickly become a mind-numbing process; it certainly doesn’t scale, and your IT and security teams have better things to do.
Skipping log monitoring is not an option, though, especially considering that compromised credentials are the most frequently targeted attack vector today. The alternative is to automate monitoring. This gives you wide and deep visibility into what’s happening on a day-to-day basis so you can begin to develop a baseline of normal activity and more easily pinpoint abnormal activity that could indicate a breach.
One solution, Rapid7’s InsightIDR, automatically monitors for user activity, identifying what regular and admin users are doing, determining if it’s normal, and helping you to baseline and continuously monitor for suspicious user behavior. As your AD environment expands and your team grows, automatic monitoring becomes particularly useful because it can rapidly detect sketchy behavior anywhere, by any user, at any time, allowing you to act months, weeks, or days faster.
Several solutions are available to help you secure Active Directory, but what makes InsightIDR unique is that it’s built not only to detect known-bad user behavior like privilege escalation, but also to detect events that aren’t normal for a particular user. For example, if a developer suddenly accesses the finance server, this would be flagged as abnormal for them and the security team would be alerted. This is difficult for solutions that aren’t behavior-based because they can’t monitor at such an individual level.
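To make the difference between rule-based and behavior-based detection concrete, here is an added example (not code from the original post or from InsightIDR) that builds a per-user baseline of logon hosts and then flags both a failed-logon burst and the "developer on the finance server" case. It assumes a `$reviewStart` cutoff and a `$failedLogonThreshold` of three; the event records are constructed inline in place of `Get-WinEvent -LogName Security` output from your domain controllers.

```powershell
# Added example: a toy behaviour baseline over logon events (4624 success, 4625 failure).
# $events is constructed inline; in practice it would come from Get-WinEvent on each DC.
$events = @(
    # Baseline period: each user on the hosts that are normal for their role
    [pscustomobject]@{ Id = 4624; User = 'fin.alice'; Host = 'FIN-SRV01'; Time = '2023-03-01T09:02' }
    [pscustomobject]@{ Id = 4624; User = 'fin.alice'; Host = 'PAYROLL01'; Time = '2023-03-02T09:10' }
    [pscustomobject]@{ Id = 4624; User = 'dev.bob';   Host = 'BUILD01';   Time = '2023-03-01T10:15' }
    [pscustomobject]@{ Id = 4624; User = 'dev.bob';   Host = 'GIT01';     Time = '2023-03-03T11:40' }
    # Review period: a known-bad pattern (failed-logon burst) and a deviation from
    # one user's own baseline (a developer logging on to the finance server)
    [pscustomobject]@{ Id = 4625; User = 'fin.alice'; Host = 'FIN-SRV01'; Time = '2023-03-08T02:01' }
    [pscustomobject]@{ Id = 4625; User = 'fin.alice'; Host = 'FIN-SRV01'; Time = '2023-03-08T02:02' }
    [pscustomobject]@{ Id = 4625; User = 'fin.alice'; Host = 'FIN-SRV01'; Time = '2023-03-08T02:03' }
    [pscustomobject]@{ Id = 4624; User = 'dev.bob';   Host = 'FIN-SRV01'; Time = '2023-03-08T02:05' }
    [pscustomobject]@{ Id = 4624; User = 'dev.bob';   Host = 'BUILD01';   Time = '2023-03-08T09:00' }
)
$reviewStart = [datetime]'2023-03-07'   # assumption: everything before this is the baseline
$failedLogonThreshold = 3               # assumption: tune to your environment

# Baseline: for each user, the set of hosts they successfully logged on to before $reviewStart
$baseline = @{}
foreach ($e in $events | Where-Object { $_.Id -eq 4624 -and [datetime]$_.Time -lt $reviewStart }) {
    if (-not $baseline.ContainsKey($e.User)) { $baseline[$e.User] = @{} }
    $baseline[$e.User][$e.Host] = $true
}

$review = $events | Where-Object { [datetime]$_.Time -ge $reviewStart }
$alerts = @()

# Rule-based detection: a burst of 4625 failures against a single account
$review | Where-Object Id -eq 4625 | Group-Object User |
    Where-Object Count -ge $failedLogonThreshold |
    ForEach-Object { $alerts += "Failed-logon burst: $($_.Name) ($($_.Count) x 4625)" }

# Behaviour-based detection: a successful logon to a host outside the user's own baseline
foreach ($e in $review | Where-Object Id -eq 4624) {
    $known = $baseline[$e.User]
    if (-not $known -or -not $known.ContainsKey($e.Host)) {
        $alerts += "Unusual host for $($e.User): $($e.Host) at $($e.Time)"
    }
}
$alerts
```

The second rule fires for dev.bob on FIN-SRV01 but stays quiet for his return to BUILD01, which is the per-user distinction a static "failed logins" rule cannot make.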
4. Customize the rest
From here, how you configure and secure Active Directory depends on what your unique environment looks like. When InsightIDR performs its first Lightweight Directory Access Protocol (LDAP) query, it pulls your Active Directory tree (the structure that stores all your users, computers, etc.) and analyzes it to tell you things such as which users have admin rights and what they’re doing with those rights. This is especially useful if you’ve inherited risky policies. InsightIDR will also show you which users have non-expiring passwords and any other potential user-related misconfigurations, so that right out of the gate you can make some powerful fixes. This intel allows you to fix misconfigurations and lock down AD based on the activity your own users are displaying.
Security that grows with Active Directory
Securing Active Directory is a continuous process because things are always changing as users come and go and move within the organization. At the end of the day, it’s your job to make sure users can access the systems they need and that the business is operating smoothly. Having complete visibility into your users is key, especially when a compromise occurs. Built to detect real attacker behaviors, InsightIDR quickly spots true indicators of compromise beyond simple rules and commonly known-bad activity.