How To Protect Corporate Active Directory During Work From Home Scenario?

While, in COVID times, more than 65% of office staff continues to work from home and IT staff struggles to keep the infrastructure running and secured, Active Directory, as the common authentication service, remains one of the most critical services to keep up and running for smooth user operation, security controls and secure application authentication.

While Single Sign-On makes authentication across various applications easy with a single set of user credentials, it also brings the risk of losing full control if that password is leaked.

An attacker may or may not have a reason to create an attack surface; some do it for fun, others for fraud. Either way, they like to target central authentication services, since doing so gives complete control of all applications and the data residing in them. Recently, a ransomware named "SaveTheQueen" was found encrypting files and appending the extension ".SaveTheQueen" to them. The ransomware tracks its progress using the SYSVOL share on Active Directory Domain Controllers, researchers at Varonis found.

The attacker injected the malware into winlogon.exe, a normal process that runs on the victim machine as part of Windows. It is likely that the attacker obtained and used domain admin privileges to write files to SYSVOL. The attacker ran PowerShell code on the infected hosts that created a scheduled task to open, decode and run the malware, a Varonis blog post explained.

Ransomware tactics are becoming extremely sophisticated, leaving victims with no option other than paying the ransom. Previously, most ransomware compromises merely hindered victims' daily operations, as organisations with daily backups and other important cyber-security processes managed to recover quickly and without losses. The situation is not the same today: either you pay or you lose.

I have personally seen a situation wherein a midsize organization with a turnover of over 500 Cr struggled to keep up customer data, and the CEO himself had to get involved to overcome and negotiate to address the situation.

Hence, it is best to keep the IT team on its toes by ensuring maximum controls and hygiene are taken care of, and to build an internal Red Team to ensure gaps are identified and security holes are filled on priority.

For better controls, below are a few tips to address such situations.

  • Restrict logon hours of users. Using the configure logon hours feature, you can control when users can log on to the network, regulate user activity, block out a malicious user, and restrict users from accessing the network after normal working hours.
  • Critical default security groups need a close watch. Keep a regular watch on the Administrative and Power Users groups; these, along with common service accounts, are common pitfalls for falling into an attacker's trap. Avoid using default security groups, because attackers know the default SIDs of such groups and they are easy to enumerate, and keep monitoring critical groups as assets.
  • Running non-essential roles and services on Domain Controllers. Domain Controllers should have limited software and agents installed, including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run the software, services and roles critical to essential operation, like DNS.
  • Enable self-service password provisioning for users using a SharePoint or ADFS portal, ensuring passwords are changed frequently. One of the most common mistakes made by IT is resetting the password to a default common password which users don't care to change.
  • Patch, patch, patch. Security updates should be deployed to keep up with vulnerabilities; otherwise the entire domain and forest are at risk. MS14-068 is a great example of how improper patching can put the AD forest at risk.
  • Clear-text passwords are not used nowadays, though hacks have happened by enabling clear-text password storage using a simple registry setting for WDigest.
  • PowerShell is key to compromise; ensure PowerShell modules are updated, with UAC enabled.
  • The same local Administrator account password on multiple computers. It is now critical to ensure that the local Administrator password is unique on every computer on the network. Microsoft LAPS is a no-cost option leveraging existing Active Directory features.
  • Active Directory admins logging on to untrusted systems (non-DCs, regular workstations, servers, etc.). Always restrict domain admins to a limited set of servers only.

  • Multi-factor authentication is a must; use of a third-party solution for MFA via email should be sufficient.
  • With small businesses and enterprises on client-to-site VPN today, how often are their endpoints updated with security patches or assessed for vulnerabilities? The commonly used OpenVPN solution ran with vulnerabilities for months. Such entry points for corporate user logons should be marked as critical assets and need close attention; features such as MFA for users and IDS/IPS are key to such entry-point solutions.
  • Customers extended to Azure Active Directory will have much better controls for multi-factor authentication, but it comes at the price of a subscription such as P2. There are other free options to consider, such as LastPass, Duo and Auth0, or simply use the inbuilt MFA capability through email, such as that of RRAS.
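As an added example (not from the original post), a read-only PowerShell audit covering three of the controls above: membership of the default privileged groups, the WDigest clear-text credential setting on every Domain Controller, and enabled users with no logon-hours restriction. It assumes the RSAT ActiveDirectory module and an account allowed to read AD and the DCs' registry remotely; the group names and registry path are the standard Windows ones.

```powershell
# Added example, not the post's own code. Read-only AD hygiene checks; run from a
# domain-joined admin workstation with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

# 1. Default privileged groups: membership should be short, known and reviewed often.
#    Nested membership is expanded so indirect admins are not missed.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($group in $privilegedGroups) {
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
                 Select-Object -ExpandProperty SamAccountName)
    [pscustomobject]@{
        Group   = $group
        Count   = $members.Count
        Members = ($members -join ', ')
    }
}

# 2. WDigest: UseLogonCredential = 1 makes LSASS keep clear-text passwords in memory.
#    Query every Domain Controller; the value should be 0 or absent on supported Windows.
$wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    $value = (Get-ItemProperty -Path $using:wdigestPath -Name UseLogonCredential `
                -ErrorAction SilentlyContinue).UseLogonCredential
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        UseLogonCredential = if ($null -eq $value) { 'not set (default)' } else { $value }
        Finding            = if ($value -eq 1) { 'Clear-text credential caching ENABLED' } else { 'OK' }
    }
}

# 3. Logon hours: the logonHours attribute is a 21-byte bitmap (one bit per hour of the
#    week). Absent, or all bytes 0xFF, means the account may log on at any time.
Get-ADUser -Filter 'Enabled -eq $true' -Properties logonHours |
    Where-Object {
        $null -eq $_.logonHours -or
        @($_.logonHours | Where-Object { $_ -ne 255 }).Count -eq 0
    } |
    Select-Object SamAccountName |
    Sort-Object SamAccountName
```

Each section emits plain objects, so the output can be piped to Export-Csv for a periodic review or diffed against the previous run to spot new privileged members.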

To conclude, Active Directory is a critical and the most used asset in any organization. With work from home increasing day by day, Active Directory services are on hackers' radar; once inside the network it is difficult to control the blast radius and damage. Backups only help to restore service or data but do not help in remediating a hack, and if the backdoor entry is still open your IT infrastructure is at high risk.

Author - CyberNX Admin