National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communications providers of the Republic of Cyprus.

Best Practices for Active Directory Admins (2)

Active Directory (AD) is a convenient service for administrators who manage many Windows systems. From a security perspective, however, it concentrates risk, because every joined system is connected to it. In particular, the AD Domain Controller (DC) handles a large volume of traffic, and unless an intrusion leaves a trace on the server itself it is hard to detect. Attackers need privileges at or above those of the Administrators group in order to carry out activities such as spreading malware across the domain, which is why secure account management is so crucial. To that end, keep to a minimum the servers that are logged on to, or managed with, Administrators-group privileges. To prevent incidents of this kind, review the following questions and strengthen security accordingly.

  • Are all issued accounts members of the Administrators group?
  • Do you log on with an Administrators-group account to manage servers?
  • Are any services on the system running unnecessarily under an Administrators-group account?
  • In an emergency, can you change the AD Administrators-group account passwords quickly?
  • Is the backup server joined to the AD domain?
  • Is the operating system patched with the latest updates?

Countermeasures

Strengthening account management

  1. Using a separate privileged administrator account

The AD administrator account used on the AD domain controller must be managed as a dedicated account, separate from the general (everyday) AD account of the same person. The dedicated administrator account must not be a shared account: issue one per individual, so that the holders of privileged administrator accounts can be quickly identified, removed or modified in the event of a failure or a personnel change. Finally, administrator accounts that are used infrequently should be kept disabled and enabled only when needed, so that a leaked credential cannot be used for a breach attempt while the account is disabled.
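The checklist above and the rule of one dedicated, per-person privileged account can be checked with a script. The following is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module on a domain-joined host, a naming convention `adm-<first>.<last>` for dedicated admin accounts, a 90-day inactivity threshold and a server named SRV01, all of which are this example's choices.

```powershell
# Added example (not part of the original article): audit the accounts that hold
# privileged group membership. Assumptions: the ActiveDirectory RSAT module, a
# domain-joined host, a per-person naming convention "adm-<first>.<last>" for
# privileged accounts, a 90-day inactivity threshold and the server name SRV01.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$PerPersonPattern = '^adm-[a-z]+\.[a-z]+$'        # one dedicated account per individual
$InactiveDays     = 90
$Cutoff           = (Get-Date).AddDays(-$InactiveDays)

$Report = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so a user hidden behind group-in-group is still listed
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.distinguishedName `
                               -Properties Enabled, LastLogonDate, PasswordLastSet, ServicePrincipalName
            [pscustomobject]@{
                Group           = $Group
                Account         = $User.SamAccountName
                Enabled         = $User.Enabled
                LastLogonDate   = $User.LastLogonDate
                PasswordLastSet = $User.PasswordLastSet
                # A name outside the convention is a shared or generic account that cannot
                # be tied to one person (the built-in Administrator will show up here too)
                PerPerson       = $User.SamAccountName -match $PerPersonPattern
                # An SPN means a service account; services must not run with these rights
                HasSPN          = [bool]$User.ServicePrincipalName
                # Enabled but unused for $InactiveDays days (or never used): disable it
                Stale           = $User.Enabled -and
                                  (-not $User.LastLogonDate -or $User.LastLogonDate -lt $Cutoff)
            }
        }
}

$Report | Sort-Object Group, Account | Format-Table -AutoSize

'--- Findings requiring action ---'
$Report | Where-Object { -not $_.PerPerson -or $_.HasSPN -or $_.Stale } |
    Format-Table Group, Account, PerPerson, HasSPN, Stale -AutoSize

# Services on a server that run under one of the privileged accounts (checklist item 3).
# StartName is "DOMAIN\user" or "user@domain"; normalise it to the bare account name.
$PrivilegedNames = $Report.Account | Select-Object -Unique
Get-CimInstance -ClassName Win32_Service -ComputerName 'SRV01' |
    Where-Object { (($_.StartName -replace '^.*\\', '') -replace '@.*$', '') -in $PrivilegedNames } |
    Select-Object Name, StartName, State, PathName

# Disable stale privileged accounts instead of leaving them open for a leaked credential.
# -WhatIf only previews; remove it to apply the change.
$Report | Where-Object Stale | Select-Object -ExpandProperty Account -Unique |
    ForEach-Object { Disable-ADAccount -Identity $_ -WhatIf }
```

Run it from an administrator terminal with an account that can read AD and query WMI on the target server. The built-in Administrator account will always appear as not per-person; that is expected, and it is a reminder that the account should be disabled or reserved for emergency use only.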

  2. Periodic credential management

Regular password rotation must be applied to all user accounts, not only to administrator accounts, although it matters most for the latter. If a credential is inadvertently leaked, for example through a leaked document file or a breach incident, the risk persists for as long as the password remains valid, so passwords must expire. The password-renewal policy should also include a history constraint that prohibits the reuse of recently used passwords.
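Password expiry and history can be enforced domain-wide, with a stricter fine-grained password policy (PSO) layered on top for privileged accounts. The following is an added example, not code from the original article; it assumes the ActiveDirectory module, a domain functional level of Windows Server 2008 or later (required for PSOs), and policy values and the name PSO-PrivilegedAdmins that are this example's choices.

```powershell
# Added example (not part of the original article): enforce password expiry and
# history for everyone, and a stricter fine-grained policy (PSO) for privileged
# accounts. Assumes the ActiveDirectory module and a domain functional level of
# Windows Server 2008 or later. Policy name and values are this example's choices.
Import-Module ActiveDirectory

# 1. Default domain policy: applies to every account that has no PSO.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MaxPasswordAge, MinPasswordLength, PasswordHistoryCount, ComplexityEnabled, LockoutThreshold

Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 12 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 2. PSO for privileged accounts: shorter lifetime, longer passwords, tighter lockout.
#    The lowest Precedence wins if an account falls under several PSOs.
$PsoName = 'PSO-PrivilegedAdmins'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 30) -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}
# Bind it to the groups, not to individuals, so newly issued admin accounts are covered too.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName `
    -Subjects 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# 3. Verify which policy each privileged account actually resolves to, and whether its
#    password is older than that policy allows or flagged "never expires" (the flag
#    silently overrides MaxPasswordAge and must be cleared on administrator accounts).
$Default = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $User    = Get-ADUser -Identity $_.distinguishedName -Properties PasswordLastSet, PasswordNeverExpires
        $Pso     = Get-ADUserResultantPasswordPolicy -Identity $User
        $MaxAge  = if ($Pso) { $Pso.MaxPasswordAge } else { $Default.MaxPasswordAge }
        $AgeDays = if ($User.PasswordLastSet) { ((Get-Date) - $User.PasswordLastSet).Days } else { $null }
        [pscustomobject]@{
            Account         = $User.SamAccountName
            Policy          = if ($Pso) { $Pso.Name } else { 'Default domain policy' }
            PasswordAgeDays = $AgeDays
            NeverExpires    = $User.PasswordNeverExpires
            OverAge         = ($null -eq $AgeDays) -or ($AgeDays -gt $MaxAge.Days)
        }
    } | Format-Table -AutoSize
```

The verification step matters as much as the policy itself: a PSO changes nothing for an account that has "Password never expires" set, and an account whose `PasswordLastSet` is empty has a password the policy has never evaluated.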

Strengthening access control security

  1. Protecting the privileged administrator's terminal

The administrator terminal used to manage domain controllers should be placed in a network environment that is separated from the Internet. If a physically separate network cannot be configured, disconnect the host OS from the Internet, install virtual-machine software or the hypervisor built into Windows 10 (Hyper-V), and keep the OS used for the AD connection and the OS used for Internet access separate, with the Internet-connected one running as a virtual machine on that host. The privileged side must be the host rather than the guest: a compromise of the Internet-facing guest then does not, by itself, reach the environment that holds the administrator's credentials.

  2. Strengthening access path control

AD servers must accept administrator access only from systems that are registered and authenticated in advance. In particular, the administrator's credential can be leaked if the administrator account is used to reach the AD server from an everyday work PC or from another server, because any malware present on that intermediate host can capture the credential. Such access is common in practice, because managing Windows terminals and systems requires access to the AD server.
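The "registered and authenticated in advance" requirement maps directly onto an AD Authentication Policy Silo, which makes the KDC refuse a ticket for the privileged account unless the request comes from a device that is itself a member of the silo. The following is an added example, not code from the original article; it assumes a Windows Server 2012 R2 or later domain functional level, Kerberos armoring and claims enabled by Group Policy on DCs and clients, and silo, policy, terminal and account names that are this example's choices.

```powershell
# Added example (not part of the original article): an Authentication Policy Silo
# that lets the privileged accounts authenticate only from registered admin
# terminals. Requirements: Windows Server 2012 R2 or later domain functional level,
# and Kerberos armoring/claims enabled by Group Policy on DCs and clients
# (without it the device claim in the condition is never presented). Names of the
# silo, policy, terminals and accounts are assumptions for this example.
Import-Module ActiveDirectory

$SiloName   = 'Tier0-AdminSilo'
$AdminHosts = 'PAW01', 'PAW02'                  # the registered administrator terminals
$AdminUsers = 'adm-jane.doe', 'adm-john.roe'    # per-person privileged accounts

# Condition in SDDL (the form Microsoft documents for silos): a TGT for a user under
# this policy is issued only when the requesting device carries the AuthenticationSilo
# claim of this silo, i.e. it is one of the registered terminals.
$AllowedFrom = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"

# Omit -Enforce on both objects to start in audit mode: the DC then logs what it
# would have refused instead of refusing it, which is the safe way to roll this out.
$Policy = New-ADAuthenticationPolicy -Name "$SiloName-Policy" -PassThru `
    -UserAllowedToAuthenticateFrom $AllowedFrom `
    -UserTGTLifetimeMins 240 `
    -Enforce

$Silo = New-ADAuthenticationPolicySilo -Name $SiloName -PassThru `
    -UserAuthenticationPolicy $Policy `
    -Enforce

# Membership is two-sided: the silo must grant access to the principal, and the
# principal must be assigned to the silo. Both the users and the terminals go in.
foreach ($Name in $AdminUsers) {
    $User = Get-ADUser -Identity $Name
    Grant-ADAuthenticationPolicySiloAccess -Identity $Silo -Account $User
    Set-ADUser -Identity $User -AuthenticationPolicySilo $Silo
}
foreach ($Name in $AdminHosts) {
    $Computer = Get-ADComputer -Identity $Name
    Grant-ADAuthenticationPolicySiloAccess -Identity $Silo -Account $Computer
    Set-ADComputer -Identity $Computer -AuthenticationPolicySilo $Silo
}

# Protected Users additionally stops these accounts from using NTLM, weak Kerberos
# ciphers, delegation and cached logons, so a work PC cannot hold a reusable secret.
Add-ADGroupMember -Identity 'Protected Users' -Members $AdminUsers

# Verify: every account and terminal must appear here before enforcement, otherwise
# the missing one is locked out of the domain.
(Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties Members).Members
```

Test with one account and one terminal before enrolling the whole team, and keep a break-glass account outside the silo. Host-based firewall rules on the DCs that allow RDP and WinRM only from the terminal subnet complement the silo at the network layer.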

Improving abnormal symptom detection and response

  1. Securing the visibility of major systems

Centralized log collection and monitoring are needed for the major systems in the domain, such as the AD domain controllers and database servers. When logs are collected and managed centrally, the deletion of system logs, the appearance of abnormal log entries, or the installation of an unexpected service should be treated as a sign of a breach incident, and cause analysis and response should be prepared for.

  2. Notifying the privileged administrator's authentication event

The logon authentication events of the AD administrator accounts are among the most important security items to monitor. Implement a notification mechanism that reports every administrator authentication and logon event by e-mail or by text/instant message. Such notifications let the administrator recognise logons they did not initiate, and let the security team detect logon attempts from unusual locations or outside business hours. Logon events are normally collected and alerted on by a SIEM (Security Information and Event Management) system or an integrated log-management system; note, however, that the same can be achieved with a simple PowerShell script or a commercial tool.
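One such simple PowerShell script, covering both this section and the previous one (administrator logons, failed logons, unexpected privileged tokens, clearing of the Security log and new service installations), is given below. It is an added example, not code from the original article; it assumes a DC named DC01, an admin-terminal subnet of 10.10.10.0/24, business hours of 07:00 to 18:59, and a mail server and addresses that are this example's choices. It is meant to run from a scheduled task every five minutes under an account that is a member of Event Log Readers on the DC.

```powershell
# Added example (not part of the original article): a scheduled-task script that
# polls a domain controller for privileged-account logons, log clearing and new
# service installations, and e-mails the findings. DC name, admin-terminal subnet,
# business hours, mail server and addresses are assumptions for this example.
Import-Module ActiveDirectory

$DC            = 'DC01'
$Lookback      = (Get-Date).AddMinutes(-5)   # the task runs every 5 minutes
$AdminSubnet   = '10.10.10.'                 # registered admin terminals; anything else is abnormal
$BusinessHours = 7..18                       # 07:00-18:59 local time
$Mail = @{ SmtpServer = 'smtp.example.local'; From = 'ad-alerts@example.local'; To = 'soc@example.local' }

# The privileged accounts to watch: current members of the Tier-0 groups
$Admins = foreach ($Group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember -Identity $Group -Recursive | Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}
$Admins = @($Admins | Select-Object -Unique)

# Flatten an event's <EventData> (or <UserData>, used by 1102) into a name->value table
function Get-EventFields($Event) {
    $Xml = [xml]$Event.ToXml()
    $Fields = @{}
    foreach ($Node in $Xml.Event.EventData.Data) { $Fields[$Node.Name] = $Node.'#text' }
    if ($Xml.Event.UserData) {
        foreach ($Node in $Xml.Event.UserData.FirstChild.ChildNodes) { $Fields[$Node.LocalName] = $Node.InnerText }
    }
    return $Fields
}

$Alerts = New-Object System.Collections.Generic.List[string]

# Security log: 4624 logon, 4625 failed logon, 4672 special privileges assigned, 1102 log cleared
$Security = Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4672, 1102; StartTime = $Lookback }
foreach ($Event in $Security) {
    $F    = Get-EventFields $Event
    $When = $Event.TimeCreated
    switch ($Event.Id) {
        1102 { $Alerts.Add("[$When] SECURITY LOG CLEARED on $DC by $($F.SubjectUserName)") }
        4624 {
            if ($F.TargetUserName -in $Admins) {
                # Every admin logon is reported; ones from outside the terminal subnet or
                # outside business hours are tagged so the SOC can triage them first
                $Flags = @()
                if (-not $F.IpAddress.StartsWith($AdminSubnet)) { $Flags += "source $($F.IpAddress) is not an admin terminal" }
                if ($When.Hour -notin $BusinessHours)          { $Flags += 'outside business hours' }
                $Tag = if ($Flags) { 'ABNORMAL' } else { 'INFO' }
                $Alerts.Add("[$When] $Tag admin logon: $($F.TargetUserName) type $($F.LogonType) from $($F.WorkstationName)/$($F.IpAddress) $($Flags -join '; ')")
            }
        }
        4625 { if ($F.TargetUserName -in $Admins) { $Alerts.Add("[$When] FAILED admin logon: $($F.TargetUserName) from $($F.IpAddress)") } }
        4672 {
            # A privileged token for an account that is not in the inventory (and is not
            # SYSTEM or a machine account) means someone holds rights the list does not know about
            if ($F.SubjectUserName -notin $Admins -and $F.SubjectUserName -ne 'SYSTEM' -and $F.SubjectUserName -notlike '*$') {
                $Alerts.Add("[$When] UNEXPECTED privileged logon: $($F.SubjectUserName)")
            }
        }
    }
}

# System log: 7045, a new service was installed (a classic persistence and lateral-movement trace)
$System = Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Lookback }
foreach ($Event in $System) {
    $F = Get-EventFields $Event
    $Alerts.Add("[$($Event.TimeCreated)] NEW SERVICE on ${DC}: $($F.ServiceName) -> $($F.ImagePath) as $($F.AccountName)")
}

if ($Alerts.Count -gt 0) {
    Send-MailMessage @Mail -Subject "[$DC] $($Alerts.Count) AD admin security event(s)" -Body ($Alerts -join "`n")
}
```

`Send-MailMessage` is marked obsolete by Microsoft because it cannot do modern authenticated SMTP, but it is still shipped and suits an internal relay; swap in your messaging tool's client for text or messenger delivery. The script reads the DC locally, so the logs it depends on must also be forwarded to the central collector: an attacker who clears the Security log on the DC removes the evidence here, but not the 1102 event already shipped off the box.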
