Fending off an Active Directory attack

Whether you view the security of Active Directory as a matter of defence or of improving its configuration management, it's a system that must be protected.

Why bother attacking a Windows server when attacking Active Directory can provide you with the keys to the kingdom? And it might be a large kingdom indeed.

Although externally facing platforms tend to get lots of attention when it comes to security, it's also risky to leave any other part of the infrastructure -- such as the directory -- unprotected. Active Directory is the foundation of the security infrastructure in any Windows shop, yet inadequacies in how user access is controlled are not always addressed in an enterprise.

In the future, Microsoft's Vista should help by making it possible for managers to control users' access rights through its user account control feature. IT managers will be able to limit who on staff has administrator privileges.

And even though Vista is expected to hit the streets by the end of the year, that seems like a long way off.

In the meantime, a current problem for administrators is keeping up with the massive changes that naturally take place within a company when it transfers, promotes or fires people. A change in an employee's status requires a different level of access to company information, and the IT staff needs to stay one step ahead of it all.

Gil Kirkpatrick, chief technical officer at NetPro Computing Inc. in Phoenix, said Active Directory security is more an issue of proper configuration than of defence. What's important is how administration rights are delegated, he said.

When companies had large installations of NT 4.0, Microsoft's earlier generation of server software, it was common to have tens or hundreds of domain administrators. "That's a bad idea with Active Directory," Kirkpatrick said. "A large installation with 1,000 domain controllers needs maybe only two domain administrators per domain."

"The risk for a malicious attack is in a disgruntled network administrator scenario," Kirkpatrick said. "It's not a failure of Active Directory."

Products that do the deed

As a former program manager of security on Microsoft's Active Directory team, Sanjay Tandon said he thought he had a unique insight into what needed to be protected within the directory. Tandon just launched a company called Paramount Defenses Inc. Its product, called Gold Finger, is an access entitlement assessment tool that takes into account everything that comes into play during an access check and issues detailed reports about that check.

Gold Finger checks such areas as a user's identity, to which group the user belongs and on which domain the computer sits. It delivers its answers in business parlance. Tandon's company is not the only one that delivers this sort of data. Established vendors such as NetPro Computing Inc., Quest Software Inc. and ScriptLogic Corp. sell similar software.

Active Directory is a multi-master directory service, which means an update made on one domain controller is replicated to the other domain controllers. In a decent-sized enterprise, there might be 100 domain controllers. This presents a rather large attack surface to someone intent on causing trouble.

Within the directory there is a hierarchical database holding critical information such as user accounts, passwords, Group Policies and access control lists. In fact, any normal-sized Active Directory might have hundreds of thousands of objects, Tandon said.

Impersonation rewards the hack with privileges

Active Directory might be compromised in several ways, but most hacks are caused by people using escalation of privilege, he said. The perpetrator finds an anonymous user and escalates that user's privilege to an administrator or to a domain administrator. Most privilege escalations are facilitated or enabled by the presence of excessive entitlements.

If a system has a delegated administrator who can create user accounts, then that delegated administrator can reset another person's password and so use that person's entitlements. "It's a hard problem to solve because companies have millions of assets," Tandon added. "They have thousands of computers, lots of user accounts."
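The two conditions the article names as the root of the problem, oversized Domain Admins membership and delegated password-reset rights, can both be audited from the directory itself. The script below is an added example, not code from the article or from any of the vendors it mentions; it assumes the RSAT ActiveDirectory PowerShell module is installed, that the session runs as a domain user who can read OU security descriptors, and that `$env:USERDOMAIN` holds the NetBIOS name of the domain being audited.

```powershell
# Added example (not from the article): audit Domain Admins membership and
# find non-default trustees who can reset passwords under each OU.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# 1. Effective domain administrators. -Recursive so nested groups count.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
Write-Host ("Domain Admins (effective members): {0}" -f @($domainAdmins).Count)
$domainAdmins | ForEach-Object { Write-Host "  $_" }

# 2. Delegated "Reset Password" rights on organizational units.
# Well-known GUID of the User-Force-Change-Password extended right, i.e. the
# "Reset Password" permission in the Delegation of Control wizard.
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$allRightsGuid     = [Guid]::Empty   # all-zero ObjectType = every extended right
$adRights          = [System.DirectoryServices.ActiveDirectoryRights]

# Principals expected to hold these rights; anything else is a delegation that
# somebody granted and should be reviewed. (Assumption: NetBIOS name in USERDOMAIN.)
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $canResetPw = $rights.HasFlag($adRights::ExtendedRight) -and
                      ($ace.ObjectType -eq $resetPasswordGuid -or $ace.ObjectType -eq $allRightsGuid)
        # GenericAll or WriteDacl on the OU lets the holder grant the right anyway.
        $fullControl = $rights.HasFlag($adRights::GenericAll) -or $rights.HasFlag($adRights::WriteDacl)
        if (($canResetPw -or $fullControl) -and ($expected -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Trustee   = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}
$findings | Sort-Object OU, Trustee | Format-Table -AutoSize
```

Unresolved SIDs in the Trustee column usually indicate delegations left behind by deleted accounts, which are worth cleaning up along with any live trustee that does not match a documented delegation.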

Because Active Directory is internally facing, it's not as easy to attack as, say, a Web server, which sits in an enterprise DMZ. But one directory expert said he's not aware of any reported Active Directory breaches, though the potential to cause great harm is there.

If an enterprise has a large single forest -- a collection of AD domains that share the same administrators and the same privilege management -- then the domain administrator holds a lot of control, said Daniel Blum, group analyst at Burton Group, a Midvale, Utah-based consulting firm.

"For an attacker, the ability to acquire domain administrator privileges would be having access to the crown jewels," Blum said. "You could get into everything that was dependent on Microsoft's security model."
