Image credit: https://github.com/Orange-Cyberdefense/arsenal
As the core of most organisations’ IT infrastructure, Active Directory is responsible for authentication, authorisation and privilege control.
The image above is how a hacker sees it: the mind map is titled “Pentesting Active Directory” and was created by an organisation that specialises in attacking Active Directory the same way a hacker would.
In our experience, many (or most) IT admins don’t see Active Directory security the same way or with the same level of complexity. They take care of 2-5% of the image above, as their main objective is to keep the business running.
An IT admin sees Active Directory as a tool to achieve specific objectives – place a user in a group, install a server and join it to the Directory, edit a group policy here, or disable a user.
You could understand how an IT admin views Active Directory if you think of an architect, or a construction worker, building a skyscraper. They don’t think of all the potential ways a burglar might bypass the building’s defenses, and that’s not their job. Their job is to ensure the building has all the amenities and quality required by its inhabitants; everything works and will continue to work for decades.
Assessing Active Directory Security
If we look at your AD from a defender’s point of view, compared to the construction worker or architect above, we see a completely different picture.
An attacker doesn’t simply look for vulnerabilities; they look for a combination of improper configurations that together represent a weakness.
A hacker also looks for the configuration habits IT admins have relied on for decades, which may be less secure today than they were ten years ago.
But IT admins keep doing things the way they used to, with little regard for security, because security is not their job. Security is the job of the security department if you have one.
For example: when people experience IT issues on their computers, your IT helpdesk or even your main IT admin might sign in to their computer for troubleshooting.
No big deal, one might say.
But if the admin signs in with their main admin account, this simple action might have exposed your entire organisation to an immediate and devastating security breach.
Here is why:
Imagine that the regular employee calling IT for help does not know that the issues they are having are caused by a hacker rather than a software malfunction.
The hacker might intentionally cause a fault to get an IT admin to sign in to the already compromised employee machine.
The moment your IT admin signs in to a compromised computer, their admin password, which has access everywhere, becomes known to the hacker.
As simple as taking candy from a child.
And this is just one way hackers could compromise your company through a weakness in the way your IT administrators do their job.
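One way a defender can catch the scenario above is to watch the domain’s successful-logon events for privileged accounts logging on interactively to ordinary workstations, because that is exactly the moment reusable credentials land on a machine the helpdesk does not control. The script below is an added example, not code from the article or its author. It assumes a tiered-admin policy (privileged accounts may only log on to a fixed set of tier-0 hosts), a hypothetical inventory of privileged accounts and tier-0 hosts, and a constructed, simplified key=value rendering of the fields that Windows Security event 4624 carries; in a real deployment the events would come from the event log or a SIEM.

```python
"""Detect privileged-account logons onto ordinary workstations.

Added example (not code from the article or its author). Assumes a
tiered-admin policy: accounts in PRIVILEGED_ACCOUNTS may only log on
interactively to hosts in TIER0_HOSTS. The log format is a constructed,
simplified key=value rendering of Windows Security event 4624 fields.
"""
from dataclasses import dataclass
import re

# Logon types that leave reusable credential material (password, NT hash or
# Kerberos ticket) on the target machine, so a compromised target can harvest it.
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
CREDENTIAL_CACHING_LOGON_TYPES = {"2", "10", "11"}

# Hypothetical inventory: privileged accounts and the tier-0 hosts they may use.
PRIVILEGED_ACCOUNTS = {"da-admin", "administrator"}
TIER0_HOSTS = {"DC01", "DC02", "PAW-01"}

# Constructed sample events, one per line. Computer = host where the logon
# happened; TargetUserName = account that logged on; LogonType as in 4624.
SAMPLE_LOG = """\
Computer=DC01 EventID=4624 TargetDomainName=CORP TargetUserName=da-admin LogonType=2 IpAddress=10.0.0.5
Computer=WS-1042 EventID=4624 TargetDomainName=CORP TargetUserName=jsmith LogonType=2 IpAddress=10.0.3.42
Computer=WS-1042 EventID=4624 TargetDomainName=CORP TargetUserName=da-admin LogonType=10 IpAddress=10.0.0.5
Computer=FS01 EventID=4624 TargetDomainName=CORP TargetUserName=da-admin LogonType=3 IpAddress=10.0.0.5
Computer=WS-0217 EventID=4625 TargetDomainName=CORP TargetUserName=administrator LogonType=2 IpAddress=10.0.3.17
Computer=WS-0217 EventID=4624 TargetDomainName=CORP TargetUserName=administrator LogonType=2 IpAddress=10.0.3.17
"""

_FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Exposure:
    host: str
    account: str
    logon_type: str
    source_ip: str


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict of event fields."""
    return dict(_FIELD_RE.findall(line))


def find_credential_exposures(log_text: str,
                              privileged=PRIVILEGED_ACCOUNTS,
                              tier0=TIER0_HOSTS) -> list:
    """Return every successful credential-caching logon by a privileged
    account onto a host outside the tier-0 set, in log order."""
    exposures = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4624":            # successful logons only
            continue
        if ev.get("LogonType") not in CREDENTIAL_CACHING_LOGON_TYPES:
            continue                               # e.g. type 3 network logon
        account = ev.get("TargetUserName", "").lower()
        host = ev.get("Computer", "")
        if account in privileged and host not in tier0:
            exposures.append(Exposure(host, account, ev["LogonType"],
                                      ev.get("IpAddress", "?")))
    return exposures


def hosts_holding_privileged_credentials(exposures) -> set:
    """Hosts on which a privileged credential is now cached and could be harvested."""
    return {e.host for e in exposures}


if __name__ == "__main__":
    found = find_credential_exposures(SAMPLE_LOG)
    for e in found:
        print(f"ALERT {e.account} logged on to {e.host} "
              f"(logon type {e.logon_type}, from {e.source_ip})")
    print("hosts now holding privileged credentials:",
          sorted(hosts_holding_privileged_credentials(found)))
```

On the constructed sample the logon to DC01 is allowed (tier-0 host), the type 3 network logon to FS01 is ignored because it does not cache credentials on the file server, the failed 4625 on WS-0217 is skipped, and the two remaining lines are reported as exposures. The second returned set is the list of workstations that now need to be treated as holding domain-admin credentials until those credentials are rotated.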
The issue described above is a matter of processes and procedures, and the mind map linked at the beginning of this article lists processes and procedures as just one of many attack vectors.
If you would like your Active Directory to be secure, the first step is to discover all the ways in which it can be misused today and all of its people, process and technology vulnerabilities, with the help of our Active Directory Security Assessment service.