If you have made the decision to conduct an Active Directory Security Assessment for your production AD Forests, it is crucial to recognize the potential security threats that may exist within your Active Directory environment. However, neglecting to address health and configuration issues poses a significant security risk. In this article, we will explore the importance of performing a “complete” Active Directory assessment, in addition to recommended security tests by organizations such as MITRE and ANSSI.

Table of contents

Assessment Categories and Methodology

Why check Active Directory for Misconfiguration and Run Health Check Tests?

CASE 1: Replication Issues Including DCDiag Tests (Health Check)

CASE 2: Ensure Users with AdminCount=1 are not sending Too Many Bad Logon Attempts (Misconfiguration)

CASE 3: DNS Scavenging (Misconfiguration)

CASE 4: Non-Default Principals or EVERYONE having FULL CONTROL permission on Organizational Units (Misconfiguration)

CASE 5: Print Spooler Service is enabled on Domain Controllers (misconfiguration)

CASE 6: Ensure TLS 1.1 protocols are disabled on Domain Controllers (Misconfiguration)

CASE 7: Domain and FGPP Policies (Misconfiguration)

CASE 8: Default Administrator account is not protected (Misconfiguration)

CASE 9: Domain Controller Computer Accounts and Organizational Units are not owned by Administrators (Misconfiguration)

CASE 10: Ensure Undefined AD Subnets are defined in Active Directory or Identified (Misconfiguration)

CASE 11: Anonymous Access to Active Directory is Enabled (Misconfiguration)

CASE 12: Account Lockout Policies (misconfiguration)

CASE 13: Active Directory Replication Interval between Sites (misconfiguration)

CASE 14: Ensure Highly Privileged Administrative Groups do not contain more than 20 members (Operational)

CASE 15: Protected Users Group are not in use (Misconfiguration and Operational)

CASE 16: Allowing Unsecure DNS Updates in Active Directory (misconfiguration)

CASE 17: Security Groups without Members and Organizational Units without Objects (Misconfiguration)

CASE 18: Ensure AD Partitions are backed up regularly (Health Check)

Assessment Categories and Methodology

Let’s explore the assessment categories and methodology before delving into the specifics of the tests. Each assessment tool, whether it focuses on Active Directory, Office 365, or any other technology, should encompass five essential assessment categories: Health Check, Misconfiguration, Security and Risk, Non-Compliance, and Performance.

• Health Check: Health Check involves evaluating the tool’s capability to perform health checks on various components. For Active Directory, this may include assessing the KCC component, DNS, domain controllers, replication, active directory site coverage, partition backup, inconsistent states of domain controllers, orphaned domain controllers, undefined subnets, and DCDiag tests, among others.
• Misconfiguration: Misconfiguration entails the tool’s ability to identify and report misconfiguration items. In the context of Active Directory, this may cover aspects such as undefined subnets, AD Site Links, replication topology, time synchronization, Fine-Grained Password Policy (FGPP) parameters, Domain Account Policy parameters, strict replication, SMB1 protocol, unsecure updates, DNS scavenging, DNS round robin, manual connection objects, manual bridgehead servers, DNS static records and more.
• Security and Risk: Security and Risk assessment involves evaluating whether the tool can perform a comprehensive analysis of security vulnerabilities and risks. Specifically for Active Directory, this may include examining Lan Manager Hashes, SMB Signing, LDAP Signing, NT4Crypto, accounts with blank passwords, accounts using SPNs, unauthenticated domain controllers and servers, credential caching in RODC, duplicate SPNs, unprivileged accounts with excessive permissions on OUs, non-default principal accounts with full control or write permission on critical directory objects, anonymous access to AD, and numerous other AD security tests.
• Performance: Performance assessment focuses on the tool’s ability to evaluate component performance. In the case of Active Directory, the primary focus is on domain controllers. It is important to monitor KCC and LDAP performance, as they heavily influence domain controllers’ functionality, depending on the size of the environment. Issues such as dropped LDAP connections and incomplete KCC operations can arise due to performance issues, which should be categorized based on whether the domain controller runs on a physical server or within a virtual machine.
• Non-Compliance: Non-Compliance evaluation involves checking for non-compliant items. For Active Directory, although the number of such items may be limited, the tool should at least highlight the privileged users added in the past 10 days. It should also assist in closely monitoring admin and user activities and facilitating recovery from security incidents.

While the Assessment Categories assist in selecting the appropriate Active Directory Assessment tool, the Methodology provides an overall perspective for both the IT Management Team and IT Operations Team. The tool should adopt a methodology that caters to the needs of both teams. The methodology should include the following:

• Assessing the current environment level: The tool should evaluate the existing Active Directory environment and discover all domains.
• Identifying Critical and High Risks: The Management Team needs to be aware of any critical and high-risk factors in the environment that might potentially disrupt business applications.
• Prioritizing Items in an Action Plan: The Management Team must determine if there are critical and high-risk items that require immediate attention, considering the cost associated with addressing them. Since budget limitations may exist, prioritization becomes necessary.

Why check Active Directory for Misconfiguration and Run Health Check Tests?

With our expert’s extensive experience in Active Directory and we being certified ADRAP engineers, we have conducted numerous ADRAP engagements. While ADRAP primarily focused on assessing potential configuration issues and performing health checks on AD components like KCC functionality, domain controller health, Active Directory site related tests, bridgehead, replication topology, ISTG, DC Services, and identifying undefined subnets, it did not give much attention to the security threats we observe in Active Directory environments these days and some of the misconfiguration that we see in Active Directory environments. Therefore, it is important to understand that maintaining a healthy Active Directory environment and resolving all configuration and health issues is imperative in order to eliminate security threats entirely. Here’s why we believe this to be the case.

CASE 1: Replication Issues Including DCDiag Tests (Health Check)

Active Directory functions as a multi-master replication system, enabling changes made in one site to be replicated to other sites within the network. In the context of fixing dangerous permission issues on the AdminSDHolder object, it is crucial to ensure that these changes are replicated across all domain controllers in the AD Forest. Successful replication is needed for various important modifications, including:

• Managing Computer Objects with Privileged Accounts: Replication ensures that changes made to computer objects, particularly those involving privileged accounts, are propagated accurately throughout the domain.
• Constrained Authentication Delegation to Domain Controller SPNs: Replication plays a key role in maintaining the appropriate delegation of authentication to domain controller SPNs, ensuring that the necessary security measures are in place.
• Service Principal Accounts used by Computer and User Accounts: As part of your security assessment, certain computer and user accounts may have been modified. Replication ensures that the changes made to these Service Principal Accounts are properly distributed across all domain controllers.
• And more: There are a total of 80 AD Security tests (from MITRE and ANSSI) that rely on replication to ensure that changes are effectively distributed throughout the network, covering a wide range of security aspects.

In a large AD environment even if replication breaks normal users authentication would still happen with cached credentials but you cannot ensure that security items fixed as part of the assessment are replicated to all domain controllers unless you fix the replication issue. Therefore, it is important that proper AD replication is essential for guaranteeing the successful propagation of critical changes, maintaining the security and integrity of the Active Directory environment.

CASE 2: Ensure Users with AdminCount=1 are not sending Too Many Bad Logon Attempts (Misconfiguration)

If you are a legitimate Active Directory Admin, you would typically avoid making excessive failed logon attempts. In the event that your password fails to work after two or three attempts, it is advisable to seek assistance from a colleague to reset your password. However, if you observe a significant number of failed logon attempts from an AD Admin account, particularly if they occur rapidly, it may indicate that your Active Directory environment is being targeted by a potential attack.

While you may have Account Lockout Policies configured in the Default Domain Account Policy, it is essential to consider FGPP for privileged accounts. If these FGPP policies do not have Account Lockout values configured, it could present a security risk. It is highly recommended to protect all privileged accounts by implementing FGPP policies that enforce a robust set of password rules including account policies. However, some administrators may overlook configuring account lockout policies even within FGPP due to negligence or oversight.

CASE 3: DNS Scavenging (Misconfiguration)

By default, DNS Scavenging is not enabled on domain zones and Active Directory DNS Servers. However, enabling the Scavenging process is crucial as it plays a vital role in eliminating outdated or stale accounts from the DNS database. This process significantly contributes to faster loading of the DNS Database, which is particularly important when dealing with a high volume of DNS queries from various AD applications, users, and computers.

During a security assessment, if it is discovered that an attacker has registered a DNS record as part of their attack strategy, it becomes imperative to promptly remove those entries from the DNS Server. However, in case you inadvertently forget to remove these DNS entries, the DNS Scavenging process will recognize them as stale records and automatically remove them. This proactive measure acts as a deterrent against attacks that rely on the successful registration of a DNS record.

By enabling DNS Scavenging and diligently managing DNS entries, you can establish a more secure DNS environment. This practice ensures the elimination of stale records and enhances the responsiveness of the DNS service to meet the demands of AD applications, users, and computers.

CASE 4: Non-Default Principals or EVERYONE having FULL CONTROL permission on Organizational Units (Misconfiguration)

Granting Full Control permission to IT support accounts or the EVERYONE group on business organizational units presents a significant security risk. In the event of an issue where an IT support account encounters an “Access is Denied” error, it is common for administrators to assign Full Control permissions to troubleshoot the problem. However, during my ADRAP engagements with customers, I have observed that many organizational units have these excessive permissions assigned.

This configuration creates a potential vulnerability. If an attacker manages to gain access to a normal user account within the same organizational unit, they can easily exploit the granted Full Control or EVERYONE permissions. This access enables them to delete objects or gain unauthorized access to other objects residing in that specific OU.

CASE 5: Print Spooler Service is enabled on Domain Controllers (misconfiguration)

To ensure the security of domain controllers and Active Directory admin systems, it is crucial to disable the Print Spooler service due to potential vulnerabilities. Although seemingly innocuous, any authenticated user has the ability to remotely connect to the domain controller’s Print Spooler service and request updates on new print jobs.

Furthermore, users can instruct the domain controller to send notifications to the system with unconstrained delegation, thereby posing a risk of exposing the domain controller computer account credentials since the Print Spooler is owned by SYSTEM account. Therefore, disabling the Print Spooler service becomes imperative in order to mitigate these risks of exposure. Disabling the spooler service should be included as a standard checklist item when deploying a new domain controller in AD Forest.

CASE 6: Ensure TLS 1.1 protocols are disabled on Domain Controllers (Misconfiguration)

Cyber attackers often exploit legacy protocols as part of their attack strategies, targeting organizations that have not yet implemented appropriate countermeasures. One such protocol, TLS 1.1, which is nearly two decades old, has been identified as vulnerable to attacks like BEAST and POODLE. Additionally, TLS 1.1 supports weak cryptography, rendering modern connections inadequately secure.

TLS 1.1 can be likened to a forgotten middle child. It shares the flaw of supporting inadequate cryptography, much like its younger sibling TLS 1.0. In most software implementations, TLS 1.2 has surpassed TLS 1.1, making the latter relatively uncommon. However, from an attacker’s perspective, it becomes a potential weapon in their arsenal. So please include in your standard domain controller deployment guide to disable TLS 1.1 support completely.

CASE 7: Domain and FGPP Policies (Misconfiguration)

In a large Active Directory environment, organizations often implement different password policies using FGPP to cater to various teams’ requirements. However, it is crucial to acknowledge that the default setting for the “Minimum Password Length” in FGPP is set to 7, which is not considered secure and poses a significant risk.

To address this misconfiguration and enhance security, it is necessary to evaluate all existing FGPP policies and Domain Account Policy and identify those with the “Minimum Password Length” set to 7. It is recommended to set a minimum password length that is sufficiently long and robust to resist common password attacks. Microsoft recommended 8 characters as minimum password length.

Additionally, review and update the “Minimum Password Length” configuration in the Domain Account Policy. This policy applies to all user accounts within the domain that are not covered by FGPP policies.

Note: FGPP overrides Domain Account Policy parameters.

By addressing the “Minimum Password Length” misconfiguration in both FGPP and the Domain Account Policy, you can establish more robust password requirements across Active Directory environment, mitigating the risks associated with weak passwords.

CASE 8: Default Administrator account is not protected (Misconfiguration)

By default, the built-in administrator account in Active Directory is not adequately protected. To ensure enhanced security, it is essential to take specific actions related to the default administrator account. These actions include renaming the account, disabling it, and applying the “account is sensitive and cannot be delegated” setting in each domain.

Considering the importance of securing the default administrator account, it is recommended to include these actions in the “misconfiguration” category. Because an Active Directory deployment should adhere to a standard deployment checklist that encompasses protecting the default administrator account as a crucial step.

CASE 9: Domain Controller Computer Accounts and Organizational Units are not owned by Administrators (Misconfiguration)

The absence of administrative ownership for Domain Controller computer accounts poses a significant security risk and can be considered both a security vulnerability and a misconfiguration. If domain controller computer accounts are managed by non-privileged accounts, an attacker could exploit this and potentially gain full control over the Active Directory environment. To mitigate this risk, it is highly recommended to conduct regular checks to verify ownership of all domain controllers, ensuring that each one is assigned a privileged account as its owner. The same principle should be applied to all business organizational units within your environment.

CASE 10: Ensure Undefined AD Subnets are defined in Active Directory or Identified (Misconfiguration)

Even if you have defined the list of subnets in Active Directory for all your physical sites, it does not guarantee that an attacker cannot authenticate to a domain controller from an “undefined” subnet. It is important to note that Active Directory does not inherently restrict logon requests based on subnet definitions.

If you notice logon requests originating from a subnet that has not been defined or accounted for in your Active Directory configuration, it is crucial to investigate and address this security risk. You should obtain a list of these unrecognized subnets and review them carefully. By doing so, you can identify any unauthorized or suspicious network activity and take appropriate measures to eliminate the potential security vulnerabilities. This may involve adjusting your subnet definitions in Active Directory, implementing additional security measures, or investigating the source of the logon requests for further remediation.

Note: As part of the standard AD Deployment or AD Site creation process you are required to identify the subnets to be associated with the AD Site.

CASE 11: Anonymous Access to Active Directory is Enabled (Misconfiguration)

Granting anonymous access to Active Directory poses a significant security risk. Anonymous access allows authenticated users to read the Active Directory database using LDAP or other tools. This means that if an attacker gains unauthorized access within your network, they can connect their laptop and query all user accounts, including privileged accounts marked with AdminCount=1.

Once an attacker identifies the privileged accounts, they can potentially launch a brute force attack to compromise the security of the Active Directory environment. This task becomes even easier if the “Minimum Password Length” is set to a relatively short value, such as 7 characters.

To mitigate this risk, ensure that anonymous access to Active Directory is disabled. By doing so, you significantly limit the potential for unauthorized users to query sensitive information and launch attacks against your Active Directory infrastructure. Additionally, it is recommended to implement strong password policies, including longer minimum password lengths, to enhance the security of privileged accounts and make brute force attacks more challenging to execute successfully.

CASE 12: Account Lockout Policies (misconfiguration)

The BadLogonCount attribute on each user and computer object in Active Directory provides information about the number of authentication attempts that resulted in failures. It serves as a valuable indicator for security testing, helping identify potential security risks.

Account lockout policies play a critical role in mitigating these risks by ensuring that user accounts that exceed a certain threshold of unsuccessful login attempts are locked out. However, it is important to note that in Active Directory, there is no built-in mechanism to keep an account locked out indefinitely if the number of unlock attempts surpasses a certain limit.

While account lockout policies offer an essential layer of protection, it is crucial to strike a balance between security and usability. Setting appropriate thresholds for lockout policies helps prevent unauthorized access while also considering the possibility of legitimate users experiencing login issues due to password mistakes or other reasons. It is recommended to regularly review and adjust these policies based on the organization’s security requirements and the risk tolerance level.

CASE 13: Active Directory Replication Interval between Sites (misconfiguration)

The default replication interval for each Active Directory (AD) Site is set to 180 minutes. However, in large environments, it is advisable to configure a lower replication interval for AD Sites. This adjustment ensures that changes made within the AD environment are replicated as quickly as possible. You are expecting those changes to be replicated to all domain controllers world-wide that you addressed as part of your security assessment.

CASE 14: Ensure Highly Privileged Administrative Groups do not contain more than 20 members (Operational)

Adding users to privileged groups like Domain Admins and Enterprise Admins in Active Directory is not restricted. However, it is crucial to establish a procedure that mandates approval and review by the IT Management team for each user added to these highly privileged groups. There are several compelling reasons to support this practice:

• Mitigating Brute Force Attacks: With an excessive number of users in Domain Admins and Enterprise Admins groups, the risk of successful brute force attacks increases. This vulnerability arises because authenticated users can read Active Directory group members, making it easier for attackers to target identified administrators.
• Simplifying Maintenance: By limiting the number of users in privileged groups, organizations can more effectively manage and maintain their high privilege accounts. This includes implementing regular password changes for these users, facilitating the identification of admin accounts with excessive bad login attempts, and enforcing complex password policies via Fine-Grained Password Policies.
• Identification of Admin Bad Logon Attempts: Having fewer administrators makes it more convenient for you to track unauthorized login attempts on administrator accounts.

CASE 15: Protected Users Group are not in use (Misconfiguration and Operational)

Protected Users security Group is designed as part of a strategy to manage credential exposure within the enterprise. Members of this group automatically have non-configurable protections applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify these protections for an account is to remove the account from the security group.

CASE 16: Allowing Unsecure DNS Updates in Active Directory (misconfiguration)

Allowing unsecure DNS updates in Active Directory is a big security risk. You cannot allow any unauthenticated users to register the DNS records in DNS Server. If you allow to do so:

• DNS database size will be increased, which, in turn, will take time to load DNS database during DNS Service start.
• An attacker can register a DNS record and use it to initiate an attack. You are opening doors for attackers to perform DNS based attacks.

Always configure secure updates to all Active Directory domains.

CASE 17: Security Groups without Members and Organizational Units without Objects (Misconfiguration)

A security group without members if it is also a member of a privileged group and if an attacker adds a user account to that empty security group the attacker can gain access to Active Directory as a privileged user. In case of organizational unit without any objects and if someone assigns EVERYONE full control permission to that OU.

NOTE: Most Active Directory admins I have worked with do not have tendency to look at members of a nested security group. I would recommend if something is not in use in Active Directory then just disable it or move to an organizational unit called “Unused”. This way you can find all objects that are not in use in Active Directory easily.

CASE 18: Ensure AD Partitions are backed up regularly (Health Check)

It is important to recognize that a comprehensive backup of each AD partition is required for successful disaster recovery. Ideally, each AD partition should be backed up at least once every 7 days to maintain data integrity.

However, if an attack or issue is identified after 10 days, a backup from two weeks ago can be utilized to restore the AD data. This highlights the need to retain multiple backup copies to accommodate such scenarios.

One challenge with Active Directory is that it does not provide explicit information on whether a partition has been successfully backed up or not, unless you specifically run a PowerShell script or check using tools like LDP, ADSIEdit.msc, or attribute editor.

Summary

It is crucial to pay attention to various misconfiguration and health check items when conducting an Active Directory assessment. These items highlight potential vulnerabilities and areas of concern that require attention. Some noteworthy examples include identifying unsupported operating systems, manual replication connection objects, and ensuring adequate AD site coverage, among others.

To facilitate these assessments, SmartProfiler for Active Directory has been specifically developed. This tool is designed to perform comprehensive health checks, misconfiguration assessments, and security and risk evaluations for multiple Active Directory forests. It offers a wide range of 168 tests, covering not only MITRE tests but also security items identified by organizations such as ANSSI. Utilizing SmartProfiler enables organizations to gain valuable insights into the health, security, and risk posture of their Active Directory infrastructure.