
Is your Active Directory a gateway for cyber criminals?

Active Directory is still the access backbone of most enterprises. It is often the primary gateway to networks that connect all of a company's users and resources. It is also, alarmingly, one of the primary gateways for cyber criminals, especially those launching ransomware attacks.

Such attacks don't encrypt Active Directory but rather use it to gather the necessary intelligence for an attack. Most organisations are woefully exposed in this particular area. According to Microsoft's 2022 Digital Defence Report, 90 percent of customers impacted by cyber attacks had insecure Active Directory (AD) configurations.

The Active Directory Problem

This is not an admission of failure from Microsoft. Rather, Microsoft works hard to spread the message that if companies don't audit and maintain their AD configurations, they are bound for trouble.

The report's statistics reinforce this advice: 88 percent of impacted customers didn't employ AD security best practices, and 84 percent of administrators didn't use privileged identity controls. A staggering 90 percent of companies had insecure AD configurations. Customers using Azure AD in the cloud have similar issues: 72 percent had insecure Azure AD configurations.

A misconfigured AD is synonymous with leaving the front door of your house open. As mentioned earlier, criminals don't tend to encrypt AD. Instead, they use their access to query AD, gather intelligence and fine-tune their attack strategy. A misconfigured AD gives away all the necessary secrets, including which accounts hold privileges. Criminals can then target those accounts through phishing and other tactics until they get the clearance and privilege they need to launch a devastating encryption attack.

There are many potential AD misconfigurations, such as:

  • Setting web-based access to the AD manager but not setting that interface as private, leaving it exposed to the internet.

  • Leaving Group Policy Preference files unencrypted or unprotected by passwords.

  • Leaving the Kerberos Ticket Granting account (KRBTGT) exposed to exploitation, so that it can be used to create a logon ticket with extensive rights.

  • Allowing low-privileged accounts to replicate domains and their rights, creating backdoor access.

The list goes on, and there are numerous reports noting different misconfigurations. No wonder criminals have started using AD as a primary attack path for ransomware. Several cyber-crime tools even specialise in AD attacks.

The Active Directory Opportunity

Yet, if we look at this in another way, securing AD severely limits what criminals can do. Thus, while AD can be a cyber-crime gateway, it can also be a cyber security catalyst. If companies can detect and fix AD misconfigurations, they fortify their security substantially.

AD misconfigurations are common. Some configurations might be perfectly sound in their time, but after a decade, new attack methods turn them into vulnerabilities. Mergers with other companies and their systems or working with multiple AD instances for different connected organisations can create unexpected configuration blind spots.

The simple fact is that AD configurations are like a garden; if you want to keep the weeds out and the plants healthy, you can't just leave it. You must give it attention. And periodic attention is more effective than extensive and exhausting attempts to suddenly fix everything at once.

Tending Your AD Garden

There are two considerable advantages to AD security. It is a well-known system, so there is an abundance of knowledge to deal with problems, and it is backed by Microsoft, a company that invests enormously in security. Between these two advantages, rooting out bad AD configurations is relatively straightforward:

  • Implement Microsoft’s Active Directory security best practices.

  • Routinely audit AD and Azure AD configurations, at least annually, and with the help of a qualified third party such as Performanta.

  • Establish an automated, policy-driven identity management regime.

  • Use automated alerts and time-controlled access policies to reject or eject lingering accounts.

  • Establish a solid event log system and scrutinise those logs to catch AD breaches early.

  • Develop AD security and recovery plans and test them regularly.
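The routine audit, lingering-account and logging steps above, as an added PowerShell example that is not code from the original page or from Performanta. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module, an account that can read user objects and SYSVOL, and the stale-account and KRBTGT age thresholds are assumed starting points, not values the page gives.

```powershell
# Added AD hygiene audit (hypothetical example, not Performanta's or Microsoft's tooling).
# Assumes: RSAT ActiveDirectory module, domain-joined host, read access to users and SYSVOL.
Import-Module ActiveDirectory

$StaleDays        = 90    # assumed: enabled accounts idle longer than this are "lingering"
$KrbtgtMaxAgeDays = 180   # assumed: review KRBTGT secrets older than this
$Domain           = Get-ADDomain
$SysvolPolicies   = "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\Policies"
$findings         = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Object, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}

# 1. Lingering accounts: enabled users with no recent logon.
#    LastLogonDate comes from lastLogonTimestamp, which replicates with up to ~14 days of lag,
#    so treat it as an approximation and confirm before disabling anything.
$cutoff = (Get-Date).AddDays(-$StaleDays)
Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordNeverExpires |
    Where-Object { ($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff) } |
    ForEach-Object {
        Add-Finding 'StaleEnabledAccount' $_.SamAccountName `
            "LastLogonDate=$($_.LastLogonDate); PasswordNeverExpires=$($_.PasswordNeverExpires)"
    }

# 2. KRBTGT secret age: a long-unchanged KRBTGT password keeps any previously stolen hash usable
#    for forging tickets, so its age belongs in every periodic audit.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
$ageDays = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
if ($ageDays -gt $KrbtgtMaxAgeDays) {
    Add-Finding 'KrbtgtPasswordAge' 'krbtgt' "PasswordLastSet=$($krbtgt.PasswordLastSet) ($ageDays days ago)"
}

# 3. Group Policy Preference files in SYSVOL that still carry an embedded credential field.
#    Such entries should be removed and the affected account's password rotated.
Get-ChildItem -Path $SysvolPolicies -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern 'cpassword=' -Quiet } |
    ForEach-Object {
        Add-Finding 'GppEmbeddedCredential' $_.FullName 'Remove the credential and rotate the account password'
    }

# Report; keep the CSV from each run so audits can be compared over time.
$findings | Sort-Object Check, Object | Format-Table -AutoSize
$findings | Export-Csv -Path (".\ad-audit-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```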

A system breach is almost inevitable. But just because criminals crossed a first hurdle doesn't mean they have control. They must scout, moving laterally through the organisation to gather intel and gain privilege.

Active Directory is often the unwitting accessory to their snooping. This also means a well-tended, security-hardened Active Directory places them at a considerable disadvantage. Work with partners such as Performanta to ensure your Active Directory is not a cyber-crime gateway but a cyber security asset instead.

