The zero trust model is essential in modern cybersecurity, cutting the risk of human error and delivering maximum protection in a rapidly evolving environment. But a core aspect is often overlooked: the need to protect your Active Directory (AD).
Zero trust is a wide-ranging concept with varying approaches depending on the organization, but in general the idea is to remove implicit trust through strict identity verification, segmentation and continuous monitoring.
This is essential in an increasingly complex, and often confusing, threat landscape. Organizations today rely on hybrid environments that present countless entry points for attackers, ranging from the activities of remote workforces to third-party integrations and cloud services.
The zero trust concept is built on three core principles:
- Explicit verification: Commonly achieved through multi-factor authentication (MFA), verification should be automated so that there is no room for error or manipulation.
- Least-privileged access: Every user should get the privileges they need for their job and nothing more. That includes everyone, even the IT staff and the CEO.
- Assume you’ve been hacked: Every day, act as though you have already been breached. This means continuously verifying encryption, monitoring for threats, and working proactively to bolster your defenses.
Active Directory: The Authentication Gateway for Zero Trust
So where does the AD fit in? Quite simply, the AD is ‘ground zero’ for any zero trust approach you adopt. In the words of Frost & Sullivan, it “holds the keys to your kingdom”. Indeed, use of AD is so common that the vast majority of companies in the Global Fortune 1000 (about 90%) use it as a primary method to ensure authentication and authorization.
Although ADs are built with security in mind, they’re a key target for bad actors. Attackers can work to gain a foothold, exploiting a compromised account or weak credentials, before going on to escalate privileges through attacks ranging from password spraying to kerberoasting.
Let’s look at some of the common problems that show up in audits of ADs.
Excessive Privileges
As noted by Microsoft, “credential theft attacks depend on admins granting certain accounts excessive privileges”. Administrator privileges should be restricted to those who need them for specific tasks that span AD domains or require elevated permissions. This limits the damage a hacker can do in the case of a breach, and it applies to everyone, including the IT staff and the CEO.
Unconstrained Delegation Risks
Unconstrained delegation is another common problem. A service configured for unconstrained delegation receives a copy of each connecting user’s Ticket Granting Ticket (TGT), which is stored in memory on that server and can be reused. The TGT is valid throughout the domain, so if attackers compromise the server holding it, they can use it to impersonate those users and reach sensitive resources.
Stale and Orphaned Admin Accounts
Stale, unused or orphaned service accounts can be exploited by attackers, who use them to access resources without being detected. This is connected to the need for least-privileged access: one way to address the issue is to ensure that accounts have only the permissions they need for their specific responsibilities. Stale accounts must be detected and removed through the audit process.
Weak and Reused Passwords
It might seem obvious, but passwords remain the cornerstone of security, and that includes AD. Attackers can use kerberoasting to request service tickets, which they then attempt to crack offline; this is much easier when the service account’s password is insufficiently complex. And it’s not just commonly used terms or easily guessable passwords you need to worry about: even the strongest password is undermined if it is reused elsewhere.
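The four audit findings above (excessive privileges, unconstrained delegation, stale accounts, and kerberoast-exposed service accounts) can be checked read-only from PowerShell. This is an added example, not code from the article or from Specops; it assumes the RSAT ActiveDirectory module is installed, and the thresholds and privileged-group list are illustrative choices to adapt to your domain.

```powershell
# Added example, not from the article or from Specops: a read-only audit of the
# four findings above, using the RSAT ActiveDirectory module (assumed installed).
# The thresholds and the privileged-group list below are illustrative assumptions.
Import-Module ActiveDirectory

$StaleLogonDays    = 90    # flag accounts with no logon in this many days
$StalePasswordDays = 180   # flag SPN accounts whose password is older than this
$PrivilegedGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1. Excessive privileges: every user who lands in a top-tier group, including via nesting.
$Privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName
}
$Privileged | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Unconstrained delegation: objects with TRUSTED_FOR_DELEGATION (0x80000) set in
#    userAccountControl, excluding domain controllers, which carry the flag by design.
$DcDns  = (Get-ADDomainController -Filter *).ComputerObjectDN
$Filter = '(&(|(objectClass=computer)(objectClass=user))' +
          '(userAccountControl:1.2.840.113556.1.4.803:=524288))'
Get-ADObject -LDAPFilter $Filter |
    Where-Object { $_.DistinguishedName -notin $DcDns } |
    Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# 3. Stale accounts: still enabled, but inactive for longer than $StaleLogonDays.
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleLogonDays)) -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# 4. Kerberoast exposure: user accounts with a service principal name whose password
#    never expires or is older than $StalePasswordDays (a cracked ticket == that password).
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
           -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.SamAccountName -ne 'krbtgt' -and
                   ($_.PasswordNeverExpires -or
                    $_.PasswordLastSet -lt (Get-Date).AddDays(-$StalePasswordDays)) } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires | Format-Table -AutoSize
```

Each section only reads directory data, so it can be run with an ordinary domain account; the findings feed the remediation steps described later (least privilege, delegation cleanup, account removal, password policy).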
Applying Zero Trust Principles To Active Directory
So how can you go about implementing zero trust in your AD environment? Here are three key approaches:
- Implement micro-segmentation: It’s important to isolate valuable assets, such as critical servers or domain controllers. This will ensure that every authentication request must first cross a defined security boundary.
- Enforce MFA: At a time when passwords are more vulnerable than ever, AD security depends on a layered approach, for instance biometrics or a one-time passcode sent via text or email. MFA is especially important for services and users that access administrator tools, and above all for privileged accounts.
- Continuously monitor risk: Because the threat is constantly evolving, it’s vital to evaluate risk continuously, assessing user and device risks in real time. For example, behavior signals like login patterns or geolocation should be monitored, with access decisions adjusted as required.
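One concrete "continuously monitor risk" signal, tied to the kerberoasting risk raised earlier, is a burst of Kerberos service-ticket requests (Security Event ID 4769) that use RC4 encryption from a single account. The check below is an added example, not code from the article or from Specops; the event rows are constructed sample data, and the five-minute window and threshold of four services are assumptions to tune for your environment.

```powershell
# Added example, not from the article or from Specops: a detection check for one
# behaviour signal, a burst of Kerberos service-ticket requests (Event ID 4769)
# using RC4 (TicketEncryptionType 0x17) from a single account. The events below are
# constructed sample data; the window and threshold are assumptions to tune locally.
# On a real DC the same fields come from Get-WinEvent -FilterHashtable
# @{ LogName = 'Security'; Id = 4769 } (TargetUserName, ServiceName, TicketEncryptionType).
$SampleCsv = @'
Time,Account,Service,Enc
2024-05-01T09:00:01,alice,svc_sql,0x12
2024-05-01T09:00:03,alice,svc_web,0x12
2024-05-01T09:01:00,bob,svc_sql,0x17
2024-05-01T09:01:02,bob,svc_web,0x17
2024-05-01T09:01:03,bob,svc_backup,0x17
2024-05-01T09:01:05,bob,svc_sharepoint,0x17
2024-05-01T09:01:06,bob,svc_exchange,0x17
2024-05-01T09:30:00,carol,svc_legacy,0x17
'@
$Events = $SampleCsv | ConvertFrom-Csv

function Find-Rc4TicketBursts {
    param([object[]]$Events, [TimeSpan]$Window, [int]$Threshold)
    # Only RC4 tickets matter here: AES tickets (0x11/0x12) are far costlier to crack offline.
    $rc4 = $Events | Where-Object Enc -eq '0x17'
    foreach ($grp in ($rc4 | Group-Object Account)) {
        $sorted = @($grp.Group | Sort-Object { [datetime]$_.Time })
        # Sliding window: from each request, count distinct services seen within $Window.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start    = [datetime]$sorted[$i].Time
            $inWindow = $sorted | Where-Object { [datetime]$_.Time -ge $start -and
                                                 [datetime]$_.Time -le ($start + $Window) }
            $services = @($inWindow.Service | Sort-Object -Unique)
            if ($services.Count -ge $Threshold) {
                [pscustomobject]@{
                    Account          = $grp.Name
                    WindowStart      = $start
                    DistinctServices = $services.Count
                    Services         = $services -join ', '
                }
                break   # one alert per account is enough for triage
            }
        }
    }
}

# Flags any account that requested at least 4 distinct services with RC4 inside 5 minutes.
Find-Rc4TicketBursts -Events $Events -Window ([TimeSpan]::FromMinutes(5)) -Threshold 4 |
    Format-Table -AutoSize
```

Feeding the alert into the access decision (step-up MFA or a temporary block on the flagged account) is the "adjust access as required" part of the monitoring loop; the query itself only reads the Security log.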
Why Password Security Still Matters in a Zero Trust Model
It’s clear that the AD is the foundation of security and must be central to any effective zero trust approach. However, proper AD hygiene is easily overlooked, leading to problems down the line. So where should you begin? Start with the basics: password security. Weak passwords represent a vulnerability that attackers will happily exploit to gain access across your AD.
But there’s no need to despair. In fact, there are key steps you can take to boost password security as you place the AD at the center of your zero trust architecture.
Gain Visibility With a Password Health Check
To begin, it’s important to have visibility into potential vulnerabilities. After all, you can’t fix a problem if you don’t know it’s there. Specops Password Auditor enables users to audit their AD for free, providing a read-only audit tool that searches for any password-related vulnerabilities.
Enforce Policies and Prevent Compromised Passwords
Once you locate those weak points, you’ll want to ensure ongoing protection. Specops Password Policy helps ensure best practices across your AD. The system is designed to enforce complexity rules and to block known compromised passwords by checking accounts against a database of more than 4 billion breached credentials.
Despite the rise of MFA and other security approaches, passwords remain the bedrock of authentication. The right approach to password protection is a crucial element of the zero trust model and protecting your AD. Reach out to Specops to learn more.