Active Directory might contain the keys to your organization’s entire infrastructure.
In fact, it could have been set up for years, if not decades. Most IT managers are so focused on the latest vulnerability that they don’t have time to inspect legacy settings, or to take advantage of new features.
However, an old vulnerability may become a critical issue in the near future, which might provide your IT team with the motivation to make changes.
Active Directory Default Setting Alert
A website is going up for sale that could be very, very dangerous for many companies.
“Corp.com” is an inactive domain that Mike O’Connor has held for the last 26 years. Now approaching the age of 70, O’Connor decided he needs to simplify his estate. Thus, he’s selling the domain for $1.7 million.
At a surface level, Corp.com has value due to its simplicity. However, there is a hidden value — a threat — from an issue known as “namespace collision.”
Namespace collision, or naming collision, occurs when domain names used exclusively for internal use overlap with domain names on the internet. Unfortunately, early versions of Active Directory used ‘corp’ as the default, or example path within the directory service, and many companies never bothered to change it to a domain that they controlled.
For internal use, it’s not a problem.
But, with more and more users firing up laptops in hotels, airports and/or restaurants, an Active Directory path containing ‘corp’ often triggers a process that winds up looking for corp.com.
Far-fetched? Apparently not.
Top Companies Left Vulnerable
Jeff Schmidt conducted research on namespace collisions using a grant from the U.S. Department of Homeland Security.
He worked with O’Connor to set up servers that accept unsolicited corp.com traffic on the web. They found that, within eight months, 375,000 Windows PCs tried to send the domain credentials to log into internal corporate networks and access specific file shares.
They even tried accepting emails to the corp.com domain, but after receiving more than 12 million emails in one hour, they shut that experiment down. While many were unimportant emails, O’Connor & Schmidt did find some emails of a sensitive nature, and immediately deleted the data.
Are you one of the companies that still has ‘corp’ lurking in a legacy Active Directory?
If so, you’re not alone.
According to the researchers, 30 of the Forbes Global 2000 corporations were vulnerable to Corp.com issues. What’s more worrisome? Some of the queries may have come from Microsoft itself.
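To answer that question for your own environment, the following audit is an added example, not part of the original article. It lists the names a domain-joined Windows machine uses when building DNS queries and flags any that contain a 'corp' label; it assumes the RSAT ActiveDirectory module and the built-in DnsClient module are available.

```powershell
# Added example: audit AD and DNS client names for a 'corp' label.
Import-Module ActiveDirectory

function Test-CorpLabel {
    param([string]$Name)
    # True when any DNS label is exactly 'corp' (e.g. 'corp', 'hq.corp', 'corp.com').
    return ($Name.ToLower().Split('.') -contains 'corp')
}

$domain = Get-ADDomain
$dns    = Get-DnsClientGlobalSetting

# Names this domain and this machine use when forming or completing DNS queries.
$candidates = @(
    [pscustomobject]@{ Source = 'AD domain DNS root'; Name = $domain.DNSRoot }
    [pscustomobject]@{ Source = 'AD forest';          Name = $domain.Forest }
    [pscustomobject]@{ Source = 'AD NetBIOS name';    Name = $domain.NetBIOSName }
)
foreach ($suffix in $dns.SuffixSearchList) {
    $candidates += [pscustomobject]@{ Source = 'DNS suffix search list'; Name = $suffix }
}
foreach ($adapter in (Get-DnsClient | Where-Object ConnectionSpecificSuffix)) {
    $candidates += [pscustomobject]@{
        Source = "Adapter '$($adapter.InterfaceAlias)' suffix"
        Name   = $adapter.ConnectionSpecificSuffix
    }
}

$flagged = @($candidates | Where-Object { Test-CorpLabel $_.Name })

if ($flagged.Count -eq 0) {
    Write-Output "No 'corp' label found in the domain names or DNS suffixes checked."
} else {
    Write-Warning "Names containing a 'corp' label; confirm each is a domain you control:"
    $flagged | Format-Table -AutoSize
}

# Suffix devolution settings, reported for review alongside the names above.
$dns | Select-Object UseDevolution, DevolutionLevel | Format-List
```

Run it on a representative laptop image as well as on a domain controller, since suffix lists are often set per machine or by Group Policy.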
Issues with Fixes
IT managers often must choose among improved security, operational harmony, and user happiness. Active Directory fixes are no exception.
However, applying these fixes requires your organization to take down its entire Active Directory network. As if that isn’t enough deterrent, applying those patches will also likely break or slow down relationships between your existing applications. Those issues are more than inconveniences – they can force you to push other corrections off to the side.
Unless a reputable company — such as Microsoft — obtains Corp.com, this issue could create a huge vulnerability.
When You Fix, Why Not Improve?
If you decide to implement Active Directory fixes, you should also take advantage of the service’s features and techniques designed to improve overall use.
Here are a few illustrative techniques available to improve Active Directory security:
Microsoft’s fine-grained password policies allow you to implement different policies for different types of users within your domain.
In other words, you can require that administrators use very long passphrases. At the same time, you can set a policy where your finance team must update their 10-character passwords every 60 days. Then, have your warehouse team update their eight-character passwords every six months.
That sort of customization provides the most protection to users with the most sensitive data, and creates less of a burden to others within your organization.
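The three tiers described above can be created as follows. This is an added example, not from the original article: the group and policy names, the sample user, the 180-day approximation of six months, and the administrators' 20-character minimum and 60-day maximum age are assumptions.

```powershell
# Added example: one fine-grained password policy (PSO) per user tier.
# Requires the RSAT ActiveDirectory module and rights to create PSOs.
Import-Module ActiveDirectory

# Lower Precedence wins when a user falls under more than one policy.
# Group names are hypothetical; FGPPs apply to users and global security groups.
$tiers = @(
    @{ Name = 'PSO-Admins';    Group = 'Tier0-Admins';    Precedence = 10
       MinLength = 20; MaxAgeDays = 60 }    # assumed values for "very long passphrases"
    @{ Name = 'PSO-Finance';   Group = 'Finance-Users';   Precedence = 20
       MinLength = 10; MaxAgeDays = 60 }    # 10 characters, every 60 days
    @{ Name = 'PSO-Warehouse'; Group = 'Warehouse-Users'; Precedence = 30
       MinLength = 8;  MaxAgeDays = 180 }   # 8 characters, roughly every six months
)

foreach ($t in $tiers) {
    # Settings not given here keep the cmdlet's defaults.
    New-ADFineGrainedPasswordPolicy -Name $t.Name `
        -Precedence $t.Precedence `
        -MinPasswordLength $t.MinLength `
        -MaxPasswordAge (New-TimeSpan -Days $t.MaxAgeDays) `
        -ComplexityEnabled $true `
        -ProtectedFromAccidentalDeletion $true

    # Link the policy to the tier's security group.
    Add-ADFineGrainedPasswordPolicySubject -Identity $t.Name -Subjects $t.Group
}

# Verify which policy actually applies to a given account (hypothetical user).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

An empty result from the last command means no fine-grained policy applies and the account falls back to the default domain password policy.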
As a tip, consider using multiple user ID/password combinations for your administrators with different permission levels. Most admins don’t need to use their admin credentials for all tasks. In those cases, you can create a basic login account independent of admin-level access for email access, task planning, and chat within your organization.
Password Restriction & Control
Once your password levels are set, administrators can use several techniques to restrict passwords to specific locations to improve security and monitoring.
Authentication policy silos create segregated sections of your domain, within which you can limit high-value account usage to high-value hosts.
Silos are Active Directory objects for users, computers, and services that do not allow passwords to function in the same fashion from one silo to another.
The silo technique directly protects you against ‘pass-the-hash’ attacks – exploits in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.
For example, you could create specific levels of permission for secure data within certain folders. Then, you can adjust any user’s permissions level so that, if they were on a workstation, they could access the sensitive data. But, if they were remotely accessing the system via laptop, their access would be downgraded to prevent access.
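One way to build such a silo with the ActiveDirectory PowerShell module, shown as an added example that is not part of the original article. The silo, policy, account and workstation names and the 240-minute ticket lifetime are hypothetical, and the objects are created in audit mode (no -Enforce) so that sign-ins are logged rather than blocked.

```powershell
# Added example: limit a high-value account to a designated high-value host.
Import-Module ActiveDirectory

$siloName   = 'Tier0-Silo'         # hypothetical silo name
$policyName = 'Tier0-AuthPolicy'   # hypothetical policy name
$adminName  = 'adm-jdoe'           # hypothetical admin account
$pawName    = 'PAW01'              # hypothetical admin workstation

# Access-control condition in SDDL: the user may obtain a Kerberos ticket
# only from a device that belongs to the same silo.
$fromSilo = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

# Without -Enforce, the policy and silo are audit-only.
New-ADAuthenticationPolicy -Name $policyName `
    -UserAllowedToAuthenticateFrom $fromSilo `
    -UserTGTLifetimeMins 240 `
    -ProtectedFromAccidentalDeletion $true

New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy $policyName `
    -ProtectedFromAccidentalDeletion $true

$user = Get-ADUser -Identity $adminName
$paw  = Get-ADComputer -Identity $pawName

foreach ($account in @($user, $paw)) {
    # Step 1: permit the account to be a member of the silo.
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $account
    # Step 2: assign the account to the silo.
    Set-ADAccountAuthenticationPolicySilo -Identity $account -AuthenticationPolicySilo $siloName
}

# Review the result before deciding to enforce.
Get-ADAuthenticationPolicySilo -Identity $siloName
```

Authentication policies and silos need a Windows Server 2012 R2 or later domain functional level with Kerberos claims and armoring support enabled; review the audit events before recreating or updating the objects with enforcement turned on.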
Furthermore, the Local Administrator Password Solution (LAPS) creates a local administrator password for each machine, and stores them in Active Directory. Those passwords work on that machine only, which prevents attackers from using stolen admin passwords on that machine from other workstations.
Lastly, Microsoft recommends securing domain controllers by restricting access to machines containing the Active Directory Domain Services (AD DS) database to direct access. Removing remote access to AD DS limits remote exploits.
Microsoft also suggests that you use dedicated server racks, virtual domain controllers that operate on different physical machines from other virtual machines, and BitLocker drive encryption with TPM chips on servers that cannot be physically secured.
As with many security optimizations, trade-offs occur. By restricting usage to physical access, your IT team must be physically present to conduct any maintenance and/or troubleshooting of AD DS databases. Still, the added AD DS security makes it all worthwhile.
The Right Support
Adjustments to Active Directory create challenges. If you make a mistake, it can lead to critical vulnerabilities.
If your team is ready to implement adjustments, but you’d like some guidance, we’re here to help! Consult an IT expert at Ideal Integrations.
We maximize your return on IT by providing solutions unique to your organization.