It’s not often that the words “quick and easy” are used in the same sentence as “cybersecurity,” and yet sometimes, these two worlds do collide.
In the case of your Active Directory (AD), improving security is easier than you might think.
Active Directory manages the users, devices, and permissions within a Microsoft Windows network. Although well known, it’s easy to overlook simple options that strengthen security, without much trouble at all.
So, how can you improve your Active Directory security?
Let’s break it down.
1. Disable Obsolete Protocols in your Active Directory
Although Windows allows older protocols for legacy device compatibility, these are vulnerable to exploit.
Most organizations should disable protocols such as Link-Local Multicast Name Resolution (LLMNR), LAN Manager (LANMAN), and Server Message Blocks (SMBv1).
Link-Local Multicast Name Resolution links hostnames to IP addresses by sending a packet request. Unfortunately, and by default, this protocol accepts the first respondent to the request. This means an attacker can potentially replace an authorized device (file server, endpoint, etc.) on the network with their own, malicious device.
The LANMAN provides support for Windows 95, Windows 98 or Macintosh clients on a domain. This protocol uses a weak LM hashing algorithm, vulnerable to brute-force attacks.
To make matters worse, attackers often extract user credentials from saved password hashes.
The SMBv1 protocol provides support for network files and printers. However, SMBv1 contains several commonly exploited flaws. As with the other obsolete protocols, updated versions incorporate their functions.
Because of this, most organizations eliminate their use without much consequence.
2. Control Applications, Control Security
Attackers love unrestricted environments.
To combat this, Active Directory offers two major features to control applications and slow attackers down: whitelisting and security groups.
Whitelisting allows an organization specify which applications are permitted for use within a domain or user group. By default, this denies all other programs.
This is an extremely effective option, but you should be use it carefully. Failing to permit the necessary programs can lead to user backlash and disrupt business.
So, what do you do if you want to allow software access to some users, but not everyone?
These applications can be permitted and controlled using Active Directory security groups.
First, create a specific group with access to these programs, and then add only qualified users to those groups. This can be done on either a permanent or a temporary basis.
3. Disable the Local Administrator Account
Attackers know that by default, Windows installs a local administrator account. The kicker?
Most organizations use the same password for this account on every computer. Simply renaming this account doesn’t hide it since the Security Identifier remains the same.
Instead, eliminate this account altogether. Use individual accounts with appropriate rights to accomplish any necessary tasks.
If this account can’t be eliminated, restrict the ability to automate attacks by denying log on as a service, batch jobs, and remote access from other network computers.
4. Keep Active Directory Clean
A sprawling AD creates conflicts and increases the time required for management.
Active Directory should be streamlined. Two key approaches are to segregate the AD server and to eliminate unneeded credentials.
Placing AD services on a segregated server allows for tight restrictions, greatly improving security and performance for a key component of the network. Even for organizations with smaller budgets, virtual servers now provide cost effective ways to move Active Directory services onto a dedicated server.
Cleaning up unneeded credentials and sessions also make life easier for both IT and security managers.
Attackers often use stolen credentials to attack environments, so old employee and contractor credentials should be purged regularly to minimize an organization’s risk.
Inactive sessions pose a more subtle problem. Computer users may fail to log out of systems for a variety of reasons (convenience, system crash, etc.), but those inactive sessions retain permissions and passwords for the systems and software that had been accessed.
Active Directory security is improved by configuring it to lock devices after a reasonable amount of user activity, as well as terminating the session. When deploying these options, you’ll need to balance the usability of the system versus the security of the network.
The Takeaways
Boosting your Active Directory security isn’t necessarily challenging, but it might take a little consideration.
Eliminate obsolete data and credentials. Limit which applications can be used, and who can use them. Remove the default Local Admin account. These will go a long way towards keeping your business safe.
While boosting Active Directory security can be easily implemented, these tips might not suit all organizations and under all circumstances. When in doubt, feel free to reach out to Ideal Integrations by phone (412-349-6680) or by filling out the form below.
Our IT experts can walk through how these and other options can affect your current processes and improve your security posture. We can also provide assistance in implementing these options safely and without unintended consequences.