The Art of Active Directory.
What is Active Directory?
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It ships with most Windows Server editions as a set of processes and services. Initially, Active Directory was used only for centralized domain management; over time it became an umbrella name for a broad range of directory-based, identity-related services. AD organizes information about a network and controls access to it. Every person, computer, printer, application, file share or other network resource is represented as an "object", and each object carries a set of named attributes (values) that describe it.
Active Directory, often known simply as AD, is a critical database and collection of services that connects users to the network. It stores the information that defines your environment: which users and computers exist, who is authorized to perform which tasks, and the permissions granted to users and groups. It also holds account details such as job title, phone number, user name and the password hashes used to verify logons.
Before looking at Active Directory itself, what is a directory?
A directory is a hierarchical structure that holds information about network objects. A directory service lets administrators and applications quickly look up and change the information stored in that database. Consider an organization with hundreds of employees spread across departments; each department does different work, so its members belong to different groups and need different access. Keeping track of every employee by hand is impractical. This is where Active Directory comes in: a policy is defined once in AD and applied to all the computers and users it targets, instead of being configured on every computer in the company. In short, AD makes administration easier and more consistent, because an administrator can retrieve, manage and store information about users, devices, computers, files, servers and much more through the directory servers.
Active Directory structure.
· Group Policy:
Network administrators use Group Policy to configure and enforce a wide range of Windows settings. Group Policy Objects (GPOs) are linked to sites, domains or organizational units, so administrators can grant or restrict access depending on a user's position within the company. For example, an administrator can give every member of a department a mapped home folder while denying them access to other folders and applications that the directory controls.
· Objects:
Objects in AD fall into two groups: resources and security principals. Resources are things such as printers, shared folders and other devices. Security principals are users, computers and groups: objects that receive a security identifier (SID), can be authenticated, and can be granted permissions. Every item in the organization is represented by an object with a name and a set of attributes that identify it.
· Forest, Tree and Domain.
Domain, tree and forest are the three levels of an AD structure. Put simply, a domain is a collection of objects, a tree is a collection of domains that share a contiguous DNS namespace, and a forest is a collection of trees that share a common schema and global catalog. When a new domain is created beneath an existing domain, the new domain is the "child" and the existing one the "parent".
· Organizational Unit (OU)
Organizational Units are containers in Active Directory that group objects inside a domain. OUs create a hierarchy within a domain that can mirror the physical or business structure of a company, and they are the smallest scope to which Group Policy can be linked and administration delegated. Company A, for example, has offices in several large cities. In its AD structure the cities are represented by domains, the departments (HR, marketing, sales) by OUs, and the personnel by user objects.
· Trusts
AD trusts let domains interact with one another so that users in one domain can access resources in another. One domain establishes a trust with another and thereby allows that domain's principals to be granted permissions on its resources. In a one-way trust, users in the trusted domain can access resources in the trusting domain but not the reverse; in a two-way trust, users on both sides can access resources on the other. Domains inside a single forest trust each other automatically through two-way transitive trusts.
· Domain controller:
A domain controller (DC) is a server that responds to authentication requests and verifies users and computers on the network. It hosts a writable copy of the directory database and keeps that data organized and protected; in that sense the DC holds the keys to the kingdom. Administrators manage domain resources through it, and it is the controlling point for the domain: it enforces Group Policy and the security settings of the computers under that domain, and it records logons, security event logs and password policy enforcement.
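The structure described above, as an added example that is not part of the original article: it builds the Company A layout as OUs inside a single lab domain, creates a user object in one OU, queries the directory, and lists trusts. It assumes the ActiveDirectory RSAT module and a lab domain named corp.example.com; the office, department and user names are constructed for the example.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and a lab domain corp.example.com; all names below are constructed.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName    # e.g. DC=corp,DC=example,DC=com

# One OU per office, with department OUs nested beneath each office.
# Each OU is a possible target for Group Policy links and delegated admin.
$layout = @{
    'London'   = @('HR', 'Marketing', 'Sales')
    'New York' = @('HR', 'Sales')
}

foreach ($city in $layout.Keys) {
    $cityDN = "OU=$city,$domainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$city)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $city -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
    foreach ($dept in $layout[$city]) {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$dept)" -SearchBase $cityDN -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $dept -Path $cityDN -ProtectedFromAccidentalDeletion $true
        }
    }
}

# A user is a security principal: it receives a SID and can be granted
# permissions. The OU it lives in decides which GPOs apply to it.
$password = Read-Host -AsSecureString -Prompt 'Initial password for jdoe'
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@corp.example.com' `
    -Title 'Recruiter' -Department 'HR' -OfficePhone '+44 20 0000 0000' `
    -Path "OU=HR,OU=London,$domainDN" `
    -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true

# Objects are located by attribute filters: every enabled user under the
# London office OU, with the attributes the article mentions.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase "OU=London,$domainDN" `
    -Properties Title, Department, OfficePhone |
    Select-Object SamAccountName, Title, Department, OfficePhone, DistinguishedName |
    Format-Table -AutoSize

# Trusts of this domain (empty in a single-domain lab). Direction is
# Inbound, Outbound or BiDirectional, matching the one-way/two-way trusts above.
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive
```

The `-ProtectedFromAccidentalDeletion` flag adds a deny ACE that stops an OU (and everything in it) from being removed with a single mistaken click; clear it deliberately before an intended deletion.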
Advantages of Active Directory
· Active Directory provides easy access to resources and centralized control over users and computer objects through Group Policy, while maintaining security for the organization.
· Active Directory enables network administrators to manage and store information about user accounts, computer settings and resources in one place.
· Active Directory offers strong security options, such as Kerberos authentication and fine-grained access control, that help protect the business from external threats.
· Access control on directory objects, and on the resources they protect, keeps data from being viewed by unauthorized users.
Disadvantages of Active Directory
· Active Directory needs proper planning before an AD infrastructure is implemented in an organization.
· Active Directory is Windows-centric. Linux and macOS machines can be joined to a domain through LDAP and Kerberos clients (for example SSSD or realmd), but they do not receive Group Policy natively and need separate configuration management.
· Active Directory can be expensive, depending on how many systems it manages and the volume of authentication and directory traffic it must handle.
· Active Directory can suffer performance problems in very large networks, or when deployed with more domain controllers than Microsoft recommends for the environment.
Why should an organization use Active Directory?
Every organization has a structure in which the different departments, such as sales, IT, manufacturing and quality assurance, have roles and responsibilities that serve a common goal. Employees use business resources such as applications and hardware tools, along with their own skills and expertise, to carry out business operations. To use these resources effectively and safely, some access control tool must be in place. Active Directory is one such tool: it manages users, applications and resources, and handles authentication and authorization of users for those resources.
· It enables administrators to manage permissions and control access to network resources.
· Active Directory enhances the security of an organization.
· It provides scalability through organizational units and delegated administration.
Lightweight Directory Access Protocol (LDAP) vs Active Directory (AD)
Vulnerabilities that have arisen in Active Directory in the past:
CVE-2021-40460: RPC Runtime Security Feature Bypass Vulnerability
CVE-2021-40460 could allow an attacker to bypass Extended Protection for Authentication, which is provided by service principal name (SPN) target-name validation, over the network. Its CVSSv3 score is 6.5 (base) / 5.7 (temporal). RPC, Remote Procedure Call, is the protocol that lets a program invoke a procedure on a remote host; many AD interfaces, including Netlogon and directory replication, run over it.
CVE-2021-41337: Active Directory Security Feature Bypass Vulnerability
CVE-2021-41337 could allow an attacker to bypass the Active Directory domain permissions that protect the Key Admins and Enterprise Key Admins groups over the network. Its CVSSv3 score is 4.9 (base) / 4.3 (temporal).
An update is available for domain controllers running Windows Server 2016 and later; earlier versions are not affected, because these groups were introduced with Windows Server 2016.
CVE-2020-1472: Zerologon
Zerologon was caused by a flaw in the cryptographic authentication scheme of the Netlogon Remote Protocol (MS-NRPC). The protocol used AES-CFB8 with an all-zero initialization vector, so a client credential made entirely of zero bytes is accepted for roughly one in 256 attempts. An unauthenticated attacker with network access to a domain controller could therefore impersonate the DC's own machine account within a few hundred tries, then call the NetrServerPasswordSet2 function to set that machine account's password to a known (empty) value. With the DC account under their control, the attacker could replicate the directory (DCSync) and obtain the credential hashes of every account in the domain. Microsoft fixed the issue in two phases: an initial update in August 2020 and an enforcement mode, mandatory on all domain controllers, in February 2021.
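A check a practitioner would run for Zerologon, added here and not part of the original article: it inspects every domain controller for the enforcement setting Microsoft documented for CVE-2020-1472 and counts the Netlogon events that report vulnerable secure-channel connections being denied or allowed. It assumes an elevated session with the ActiveDirectory module and WinRM access to the DCs; the 30-day window is a constructed choice.

```powershell
# Added example (not from the original article). Registry path and event IDs
# are Microsoft's documented ones for CVE-2020-1472; the lookback window is
# a constructed value.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params = Get-ItemProperty -Path $key

    # FullSecureChannelProtection = 1 forces enforcement mode. Since the
    # February 2021 update a fully patched DC enforces regardless of this
    # value, so a missing value alone is not a finding; an unpatched DC is.
    $enforce = $params.FullSecureChannelProtection

    # 5827/5828: vulnerable connection DENIED (machine / trust account)
    # 5829:      vulnerable connection ALLOWED (only possible before enforcement)
    # 5830/5831: vulnerable connection allowed because a GPO exception lists the account
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue

    $counts = @{}
    foreach ($e in $events) { $counts[$e.Id] = 1 + [int]$counts[$e.Id] }

    [pscustomobject]@{
        DC                           = $env:COMPUTERNAME
        FullSecureChannelProtection  = $enforce
        Denied_5827_5828             = [int]$counts[5827] + [int]$counts[5828]
        AllowedVulnerable_5829       = [int]$counts[5829]
        AllowedByException_5830_5831 = [int]$counts[5830] + [int]$counts[5831]
        # Messages of allowed events name the account still using the weak scheme.
        AllowedDetails               = ($events | Where-Object Id -in 5829, 5830, 5831 |
                                        ForEach-Object { $_.Message.Split("`n")[0].Trim() } |
                                        Sort-Object -Unique) -join ' | '
    }
}

$results |
    Select-Object DC, FullSecureChannelProtection, Denied_5827_5828,
                  AllowedVulnerable_5829, AllowedByException_5830_5831, AllowedDetails |
    Format-Table -AutoSize -Wrap
```

Any non-zero `AllowedVulnerable_5829` count means the DC was still accepting the weak handshake in the period; `AllowedByException` entries point at legacy devices that were deliberately exempted and should be upgraded or retired.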
How to secure Active Directory:
AD is a major target for attackers because it authenticates and authorizes users, access and applications throughout the enterprise. An attacker who gains access to AD can potentially reach every associated user account, database, application and data store. If the attacker enters as a privileged user, or elevates privileges after gaining a foothold, they have effective control over the company: access to every identity, and the ability to remain undetected for days, months or even years. Once discovered, an attacker with this level of access can also destroy the directory itself, bringing business operations to a halt and causing severe commercial loss.
• Minimize the attack surface
To give users the permissions they need without making them Domain Admins, combine delegated permissions on OUs with Group Policy Objects. Do not hand the keys to your Active Directory servers to staff who do not need them or are not qualified to hold them. Implement a least-privilege model, secure administrative hosts, secure domain controllers (DCs), secure privileged accounts, and take additional steps to reduce the Active Directory attack surface.
• Strong password policy:
Strong passwords have many advantages, but you cannot rely on everyone to choose them unprompted. For compliance and security reasons, enforce a strong password policy centrally, starting at the top. Require sufficient length and complexity and a long password history so old passwords cannot be reused, and reserve the strictest rules for privileged accounts. Note that current guidance (NIST SP 800-63B and Microsoft's own security baseline) favours long passphrases and screening against known-breached passwords over forced periodic changes, which tend to produce predictable variations of the previous password.
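Enforcing the policy described above, as an added example that is not from the original article: it reads the domain's default password policy, tightens it, and applies a stricter fine-grained password policy (PSO) to the privileged groups. It assumes Domain Admins rights, the ActiveDirectory module, and a domain at Windows Server 2008 functional level or later (required for fine-grained policies); the PSO name and the numeric values are constructed choices, not Microsoft defaults.

```powershell
# Added example (not from the original article). PSO name and thresholds
# are constructed values to adapt to your own standard.
Import-Module ActiveDirectory

# 1. What is enforced today? These come from the Default Domain Policy.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold, LockoutDuration,
                  ReversibleEncryptionEnabled

# 2. Raise the baseline for every account. ReversibleEncryptionEnabled must
#    stay off: it stores passwords in a recoverable form in the directory.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# 3. A fine-grained policy overrides the default for the groups it targets
#    (the lowest Precedence wins when several apply). Privileged accounts get
#    longer passwords and a tighter lockout.
$psoName = 'PSO-PrivilegedAccounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 180) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Hours 1) `
        -LockoutObservationWindow (New-TimeSpan -Hours 1) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName `
    -Subjects 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# 4. Confirm which policy an account actually receives (the resultant PSO).
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

Step 4 is the check worth keeping in a scheduled script: if it returns nothing for a privileged account, that account is falling back to the weaker default policy.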
• Use the Restricted Groups feature of Group Policy
Configure 'Restricted Groups' for every elevated built-in group. The setting enforces the group's membership at each Group Policy refresh and removes any account that is not on the defined list, which greatly reduces the chance of an unwanted account lingering in these groups. Use it to keep groups such as 'Enterprise Admins', 'Schema Admins' and 'Domain Admins' as small as possible; Enterprise Admins and Schema Admins should normally be empty between planned changes.
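Restricted Groups is configured in a GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups), so the complementary check below, added here and not part of the original article, compares the actual membership of the built-in privileged groups against an approved list and reports drift, which is exactly what the GPO will revert at the next refresh and what should be investigated as a possible compromise. It assumes the ActiveDirectory module; the approved account names are constructed.

```powershell
# Added example (not from the original article). The approved lists are
# constructed placeholders; replace them with your change-controlled roster.
Import-Module ActiveDirectory

$approved = @{
    'Enterprise Admins' = @('Administrator')
    'Schema Admins'     = @()                       # empty between schema changes
    'Domain Admins'     = @('Administrator', 'adm-jdoe')
    'Administrators'    = @('Administrator', 'Domain Admins', 'Enterprise Admins')
}

$report = foreach ($group in $approved.Keys) {
    # Direct members: this is the set Restricted Groups enforces.
    $actual = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)

    $unexpected = @($actual | Where-Object { $_ -notin $approved[$group] })
    $missing    = @($approved[$group] | Where-Object { $_ -notin $actual })

    # Effective members: -Recursive expands nested groups, so a user hidden
    # two levels deep still counts as holding the privilege.
    $effectiveUsers = @(Get-ADGroupMember -Identity $group -Recursive |
                        Where-Object objectClass -eq 'user')

    [pscustomobject]@{
        Group          = $group
        Members        = ($actual -join ', ')
        Unexpected     = ($unexpected -join ', ')
        Missing        = ($missing -join ', ')
        EffectiveUsers = $effectiveUsers.Count
    }
}

$report | Format-Table -AutoSize -Wrap

# Remediation preview: -WhatIf shows what would be removed without doing it.
foreach ($row in $report | Where-Object Unexpected) {
    foreach ($member in $row.Unexpected -split ', ') {
        Remove-ADGroupMember -Identity $row.Group -Members $member -Confirm:$false -WhatIf
    }
}
```

Drop `-WhatIf` only after the unexpected entries have been confirmed as unauthorized; an unexplained addition to Domain Admins is an incident first and a cleanup task second.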
• Use Group Policy settings to apply a strong security policy
Group Policy is a powerful tool for managing the security of your domain. Test new policies in a lab before applying them in production, and roll them out in phases: link them to a pilot OU first, then to the whole domain once they prove safe. To keep Active Directory Domain Services (AD DS) safe and available you also need to plan ahead and build it for high availability, with at least two domain controllers per domain and regular, tested backups. If an object or attribute is deleted or changed by accident, you should be able to restore it quickly and efficiently; enabling the Active Directory Recycle Bin makes deleted objects recoverable without a restore from backup.
• Maintain enough free disk space on domain controllers (DCs)
A denial-of-service attack, or simply runaway log growth, can fill the available disk space with useless data and cause the DC to fail: the directory database (ntds.dit) and its transaction logs can no longer be written, and replication and logons stop. This is preventable by monitoring free space on the volumes that hold the database, its logs and SYSVOL, and by removing unneeded files before the volume fills.
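The monitoring the paragraph calls for, as an added example that is not from the original article: it finds, on each domain controller, the volumes that hold ntds.dit, its transaction logs and SYSVOL (read from the NTDS and Netlogon service parameters in the registry) and flags any below a free-space threshold. It assumes the ActiveDirectory module plus WinRM and CIM access to the DCs; the 15% threshold is a constructed value.

```powershell
# Added example (not from the original article). Registry value names are the
# standard NTDS/Netlogon parameters; the threshold is a constructed value.
Import-Module ActiveDirectory

$thresholdPercent = 15

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $dcName = $dc.HostName

    # Locate the AD database, log and SYSVOL paths on this DC.
    $paths = Invoke-Command -ComputerName $dcName -ScriptBlock {
        $ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        [pscustomobject]@{
            Database = $ntds.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
            Logs     = $ntds.'Database log files path'    # e.g. C:\Windows\NTDS
            Sysvol   = $netlogon.SysVol                   # e.g. C:\Windows\SYSVOL\sysvol
        }
    }

    # Reduce the paths to their drive letters; several may share one volume.
    $drives = @($paths.Database, $paths.Logs, $paths.Sysvol) |
        Where-Object { $_ } |
        ForEach-Object { $_.Substring(0, 2).ToUpper() } |
        Sort-Object -Unique

    foreach ($drive in $drives) {
        $disk = Get-CimInstance -ComputerName $dcName -ClassName Win32_LogicalDisk `
                    -Filter "DeviceID='$drive'"
        $freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
        [pscustomobject]@{
            DC          = $dcName
            Drive       = $drive
            Holds       = (@(
                              if ($paths.Database -like "$drive*") { 'ntds.dit' }
                              if ($paths.Logs     -like "$drive*") { 'logs' }
                              if ($paths.Sysvol   -like "$drive*") { 'SYSVOL' }
                          ) -join ',')
            FreeGB      = [math]::Round($disk.FreeSpace / 1GB, 1)
            FreePercent = $freePct
            Alert       = ($freePct -lt $thresholdPercent)
        }
    }
}

$report | Format-Table -AutoSize
# Anything flagged here is a DC that will stop servicing logons when the volume fills.
$report | Where-Object Alert
```

Running this on a schedule and alerting on `Alert -eq $true` catches both slow growth and a sudden flood of data long before the DC stops writing its database.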
Auditing and Compliances in Active Directory
Compliance requirements exist to help enterprises protect their most sensitive data and users. Controlling access to data and systems is one of the most critical duties of every regulated business sector: healthcare, financial services, public infrastructure and transportation. Failure to do so has severe consequences, including fines, litigation, brand damage and customer churn. Protecting and monitoring Active Directory is therefore an important part of an organization's strategy for managing security, guaranteeing continued business operations and meeting its regulatory obligations.
Active Directory (AD) is the critical authentication and authorization point for an organization's most important resources. As a result, the user accounts stored in AD, and the groups they belong to, are key control and audit points for understanding what is being accessed within the business. Every organization must be able to audit, and be alerted to, changes in AD. The control areas auditors typically look for include:
· Identity management and access control: to ensure that data is only accessible by personnel that have a business need.
· System configuration control: tracking of administrative activities.
· Monitoring of access to data: knowledge of who accessed what data and when and review on a regular basis.
· Data handling and encryption control: protection of data in storage and in transit.
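The "system configuration control" and "monitoring of access" points above translate, on the domain controllers, into specific Security log events. The script below is an added example, not part of the original article: it collects the account-management and group-membership events of the last 24 hours from every DC and isolates changes to the privileged groups. It assumes the ActiveDirectory module, remote event-log access to the DCs, and that "Audit Account Management" (and, for event 5136, "Audit Directory Service Changes" plus an object SACL) is enabled by GPO; without those audit settings the events are never written. The event IDs are the standard Windows Security log IDs.

```powershell
# Added example (not from the original article). Event IDs are the standard
# Windows Security log IDs; the 24-hour window is a constructed choice.
Import-Module ActiveDirectory

$eventIds = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempt'
    4726 = 'User account deleted'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
    4740 = 'Account locked out'
    5136 = 'Directory object modified'
}
$groupChangeIds   = 4728, 4732, 4756
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$since            = (Get-Date).AddHours(-24)

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = @($eventIds.Keys); StartTime = $since
    } | ForEach-Object {
        # EventData fields vary by ID; parse the XML so each field is addressed by name.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($field in $xml.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }

        $isGroupChange = $_.Id -in $groupChangeIds
        [pscustomobject]@{
            Time   = $_.TimeCreated
            DC     = $dc
            Id     = $_.Id
            What   = $eventIds[$_.Id]
            Actor  = $d['SubjectUserName']                                   # who did it
            Target = if ($isGroupChange) { $d['MemberName'] } else { $d['TargetUserName'] }
            Group  = if ($isGroupChange) { $d['TargetUserName'] } else { $null }  # group name for 4728/4732/4756
        }
    }
}

# Daily review: everything, oldest first.
$events | Sort-Object Time | Format-Table Time, DC, Id, What, Actor, Target, Group -AutoSize

# Immediate alert: any change to a privileged group.
$events | Where-Object { $_.Id -in $groupChangeIds -and $_.Group -in $privilegedGroups } |
    Sort-Object Time
```

For 4728/4732/4756 the `MemberName` field is the distinguished name of the added account, so the last output answers the question an auditor asks first: who put whom into Domain Admins, and when.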
While compliance requirements differ from country to country, it’s helpful to review a few key compliance regulations in the United States to get an idea of the basic information and processes you’ll need to satisfy auditors:
· SOX: To safeguard a firm's shareholders and reduce the risk of corporate fraud, the Sarbanes-Oxley Act requires every publicly held corporation to adopt measures that protect financial records from destruction, loss and abuse. SOX also requires that these controls be audited and reported on.
· PCI DSS: The Payment Card Industry Data Security Standard applies to every business that accepts card payments and stores, processes or transmits cardholder data; that data must be handled in accordance with the standard, whether in-house or through a PCI-compliant hosting provider. To be compliant you must monitor all access to network resources and cardholder data, test security systems and processes regularly, and maintain an information security policy.
· GLBA: The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999, regulates how financial institutions handle their customers' personal information. Under the GLBA Safeguards Rule, all financial institutions must establish, implement and maintain safeguards to protect consumer information: identify operational risks to customer data, develop an information security program, and evaluate the safeguards program regularly.
· HIPAA: The Health Insurance Portability and Accountability Act was originally designed to preserve healthcare coverage for people who lost or changed jobs, but it has grown into a set of security rules for patient data. HIPAA requires every business that handles protected health information (PHI) to implement and follow physical, network and procedural safeguards. The HIPAA Security Rule covers electronically stored and transmitted PHI (e-PHI), and covered entities must protect it by identifying and guarding against risks.
· FISMA: The Federal Information Security Management Act, enacted by Congress in 2002 and overseen by the Department of Homeland Security and OMB, requires federal agencies to protect government data, operations and assets from natural and man-made threats. Agencies must also audit their information security programs, test security processes, and conduct periodic risk assessments.
· NERC CIP: The North American Electric Reliability Corporation's Critical Infrastructure Protection standards provide a cyber-security framework for identifying and protecting the cyber assets that control or affect the reliability of the bulk electric system in North America. All owners, operators and users of the bulk power system must follow NERC-approved Reliability Standards and register with NERC through their Regional Entity. If your company is a NERC-registered user, owner or operator of the bulk power system in the United States, you must be NERC CIP compliant.
Future of Active Directory:
If your IT department relies heavily on non-Windows or non-Microsoft resources, you may want an alternative to Active Directory (and Azure AD). That is no longer a problem: cloud directory services, marketed as Directory-as-a-Service (DaaS), reimagine Active Directory for the cloud era as a hosted identity store that authenticates users to Windows, macOS and Linux systems, cloud applications and networks without on-premises domain controllers. For businesses that have moved most of their infrastructure off-premises, DaaS is one vision of the Active Directory of the future.
Microsoft's own next-generation, cloud-based identity service is Azure Active Directory (renamed Microsoft Entra ID in 2023). It manages access to SaaS products such as Microsoft 365 (Office 365) and internally built Azure cloud apps, and, through hybrid identity and application proxying, to conventional corporate applications and other on-premises resources. Among other things, it supports just-in-time access controls, multi-factor authentication and passwordless sign-in, native mobile device management, and identity federation standards such as SAML and OAuth 2.0 / OpenID Connect.