Why bother attacking a Windows server when attacking Active
Directory can provide you with the keys to the kingdom? And it
might be a large kingdom indeed.
Although externally facing platforms tend to get lots of
attention when it comes to security, it's also risky to leave any
other part of the infrastructure -- such as the directory --
unprotected. Active Directory is the foundation of the security
infrastructure in any Windows shop, yet inadequacies in, and lack of
control over, user access are not always addressed in an
enterprise.
In the future, Microsoft's Vista should help by making it
possible for managers to control users' access rights through its
user account control feature. IT managers will be able to limit who
on staff has administrator privileges.
And even though Vista is expected to hit the streets by the end
of the year, that seems like a long way off.
In the meantime, a current problem for administrators is keeping
up with the massive changes that naturally take place within a
company when it transfers, promotes or fires people. A change in an
employee's status requires a different level of access to company
information, and the IT staff needs to stay one step ahead of it
all.
Gil Kirkpatrick, chief technical officer at NetPro Computing
Inc. in Phoenix, said Active Directory security is more an issue
of proper configuration than of defense. What's important is how
administration rights are delegated, he said.
When companies had large installations of NT 4.0, Microsoft's
earlier generation of server software, it was common to have tens
or hundreds of domain administrators. "That's a bad idea with
Active Directory," Kirkpatrick said. "A large installation with
1,000 domain controllers needs maybe only two domain administrators
per domain."
"The risk for a malicious attack is in a disgruntled network
administrator scenario," Kirkpatrick said. "It's not a failure of
Active Directory."
Products that do the deed
As a former program manager of security on Microsoft's Active
Directory team, Sanjay Tandon said he thought he had had a unique
insight about what needed to be protected within the directory.
Tandon just launched a company called Paramount Defenses Inc. Its
product, called Gold Finger, is an access entitlement assessment
tool that takes into account everything that comes into play during
an access check and issues detailed reports about that check.
Gold Finger checks such areas as a user's identity, to which
group the user belongs and on which domain the computer sits. It
delivers its answers in business parlance. Tandon's company is not
the only one that delivers this sort of data. Established vendors
such as NetPro Computing Inc., Quest Software Inc. and ScriptLogic
Corp. sell similar software.
Active Directory is a multi-master directory service, which
means it replicates something updated on one domain controller to
other domain controllers. In a decent-sized enterprise, there might
be 100 domain controllers. This presents a rather large attack
surface to someone intent on causing trouble.
Within the directory there is a hierarchical database of
information with critical information such as user accounts,
passwords, Group Policies and access control lists. In fact, any
normal-sized Active Directory might have hundreds of thousands of
objects, Tandon said.
Impersonation rewards the hack with privileges
Active Directory might be compromised in several ways, but most
hacks are carried out through escalation of privilege, he said.
The perpetrator finds an anonymous user and escalates that user's
privilege to administrator or domain administrator. Most
privilege escalations are facilitated or enabled by the presence of
excessive entitlements.
If a system has a delegated administrator who can create user
accounts, then that delegated administrator can take over another
person's entitlements by resetting that person's password, even
the password of another delegated administrator. "It's a hard
problem to solve because companies have millions of assets," Tandon
added. "They have thousands of computers, lots of user accounts."
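As an added example, not code from the article or from any of the products it names, the following PowerShell audit performs a small version of the entitlement check the passage describes: it walks every OU in the domain and lists password-reset, group-membership-write and full-control rights held by principals other than the expected administrative groups. The schema GUIDs are the standard Active Directory identifiers; the list of expected right holders is an assumption to adjust per domain.

```powershell
# Added example (not from the article): find delegated rights on OUs that
# would let a non-admin principal reset passwords, edit group membership,
# or take full control of the objects beneath that OU.
Import-Module ActiveDirectory

# Well-known Active Directory schema GUIDs (standard values, not from the article)
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$MemberAttrGuid    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # "member" attribute
$AllObjectsGuid    = [guid]'00000000-0000-0000-0000-000000000000'  # ACE applies to everything

# Principals expected to hold such rights. Assumption: adjust for your domain.
$NetBios = (Get-ADDomain).NetBIOSName
$ExpectedHolders = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF',
                     "$NetBios\Domain Admins", "$NetBios\Enterprise Admins")

$R = [System.DirectoryServices.ActiveDirectoryRights]

$Findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ExpectedHolders -contains $ace.IdentityReference.Value) { continue }
        $rights = $ace.ActiveDirectoryRights
        $reason = $null
        # GenericAll contains every bit, so compare the masked value, not just -band
        if (($rights -band $R::GenericAll) -eq $R::GenericAll)   { $reason = 'GenericAll' }
        elseif ($rights -band $R::WriteDacl)                      { $reason = 'WriteDacl' }
        elseif ($rights -band $R::WriteOwner)                     { $reason = 'WriteOwner' }
        elseif (($rights -band $R::ExtendedRight) -and
                ($ace.ObjectType -in @($ResetPasswordGuid, $AllObjectsGuid))) { $reason = 'ResetPassword' }
        elseif (($rights -band $R::WriteProperty) -and
                ($ace.ObjectType -in @($MemberAttrGuid, $AllObjectsGuid)))    { $reason = 'WriteMember' }
        if ($reason) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Right     = $reason
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Each row is a delegation worth reviewing against the organisation's intent
$Findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Run it with an account that can read the DACLs of all OUs; rights inherited from the domain root show up on every OU, so review the Inherited column to find where a delegation was actually granted.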
Because Active Directory is internally facing, it's not as easy
to attack as, say, a Web server, which sits in an enterprise DMZ.
But one directory expert said he's not aware of any Active
Directory breaches reported, though there is potential to cause
great harm.
If an enterprise has a large single forest -- a collection of AD
domains that share the same administrators and the same privilege
management -- then the domain administrator holds a lot of control,
said Daniel Blum, group analyst at Burton Group, a Midvale,
Utah-based consulting firm.
"For an attacker, the ability to acquire domain administrator
privileges would be having access to the crown jewels," Blum said.
"You could get into everything that was dependent on Microsoft's
security model."