The following documentation was written in 2013 and is provided for historical purposes only. Currently we are reviewing this documentation and it is subject to change. It may not reflect current best practices.

No organization with an information technology (IT) infrastructure is immune from attack, but if appropriate policies, processes, and controls are implemented to protect key segments of an organization's computing infrastructure, it might be possible to prevent a breach event from growing to a wholesale compromise of the computing environment.

This executive summary is intended to be useful as a standalone document summarizing the content of the document, which contains recommendations that will assist organizations in enhancing the security of their Active Directory installations. By implementing these recommendations, organizations will be able to identify and prioritize security activities, protect key segments of their organization's computing infrastructure, and create controls that significantly decrease the likelihood of successful attacks against critical components of the IT environment.

Although this document discusses the most common attacks against Active Directory and countermeasures to reduce the attack surface, it also contains recommendations for recovery in the event of complete compromise. The only sure way to recover in the event of a complete compromise of Active Directory is to be prepared for the compromise before it happens.

Sections of this document include:

- Reducing the Active Directory Attack Surface
- Monitoring Active Directory for Signs of Compromise

This section provides information about some of the most commonly leveraged vulnerabilities used by attackers to compromise customers' infrastructures. It contains general categories of vulnerabilities and how they're used to initially penetrate customers' infrastructures, propagate compromise across additional systems, and eventually target Active Directory and domain controllers to obtain complete control of the organizations' forests.

It does not provide detailed recommendations about addressing each type of vulnerability, particularly in the areas in which the vulnerabilities are not used to directly target Active Directory. However, for each type of vulnerability, we have provided links to additional information to use to develop countermeasures and reduce the organization's attack surface. Included in this section are the following subjects:

Initial breach targets - Most information security breaches start with the compromise of small pieces of an organization's infrastructure, often one or two systems at a time. These initial events, or entry points into the network, often exploit vulnerabilities that could have been fixed, but weren't.

- Gaps in antivirus and antimalware deployments
- Outdated applications and operating systems
- Lack of secure application development practices

Attractive Accounts for Credential Theft - Credential theft attacks are those in which an attacker initially gains privileged access to a computer on a network and then uses freely available tooling to extract credentials from the sessions of other logged-on accounts. Included in this section are the following:

Activities that Increase the Likelihood of Compromise - Because the target of credential theft is usually highly privileged domain accounts and "very important person" (VIP) accounts, it is important for administrators to be conscious of activities that increase the likelihood of a successful credential-theft attack.

- Logging on to unsecured computers with privileged accounts
- Browsing the Internet with a highly privileged account
- Configuring local privileged accounts with the same credentials across systems
- Overpopulation and overuse of privileged domain groups
- Insufficient management of the security of domain controllers

Privilege Elevation and Propagation - Specific accounts, servers, and infrastructure components are usually the primary targets of attacks against Active Directory.

- "Privilege-Attached" Active Directory accounts
- Other infrastructure services that affect identity, access, and configuration management, such as public key infrastructure (PKI) servers and systems management servers

Reducing the Active Directory Attack Surface

This section focuses on technical controls to reduce the attack surface of an Active Directory installation. Included in this section are the following subjects:

The Privileged Accounts and Groups in Active Directory section discusses the highest privileged accounts and groups in Active Directory and the mechanisms by which privileged accounts are protected. Within Active Directory, three built-in groups are the highest privilege groups in the directory (Enterprise Admins, Domain Admins, and Administrators), although a number of additional groups and accounts should also be protected.
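One check a defender can run against the three groups named above, and against the "overpopulation and overuse of privileged domain groups" item in the activities list, is an audit of who actually sits in Enterprise Admins, Domain Admins, and Administrators once nested groups are expanded. The script below is an added example; it is not part of the Microsoft document or of this page. It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined session with read access to the directory; the function name Get-PrivilegedGroupReport and the threshold of 5 enabled members are assumptions chosen for illustration, not guidance from the document.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the Microsoft document. Reports the enabled user
# members of the three highest-privilege built-in groups, expanding nested
# groups, and flags any group whose enabled membership exceeds a threshold.
# The threshold of 5 is an assumed value for illustration; replace it with
# the baseline your organization has documented for these groups.

function Get-PrivilegedGroupReport {
    param(
        [int]$MaxExpectedMembers = 5   # assumed threshold, not guidance from the page
    )

    Import-Module ActiveDirectory

    $forestRoot = (Get-ADForest).RootDomain   # Enterprise Admins exists only in the forest root
    $domain     = (Get-ADDomain).DNSRoot
    $gc         = "${forestRoot}:3268"        # global catalog resolves members from any domain

    $targets = @(
        @{ Name = 'Enterprise Admins'; Server = $forestRoot },
        @{ Name = 'Domain Admins';     Server = $domain },
        @{ Name = 'Administrators';    Server = $domain }
    )

    foreach ($t in $targets) {
        try {
            # -Recursive expands nested groups so indirect members are counted too.
            $members = Get-ADGroupMember -Identity $t.Name -Server $t.Server -Recursive -ErrorAction Stop |
                       Where-Object { $_.objectClass -eq 'user' }
        } catch {
            # Members from other domains or orphaned SIDs can make enumeration fail;
            # surface that rather than silently reporting a smaller group.
            Write-Warning "Could not enumerate $($t.Name): $($_.Exception.Message)"
            continue
        }

        $users = foreach ($m in $members) {
            Get-ADUser -Identity $m.DistinguishedName -Server $gc -Properties Enabled, LastLogonDate
        }

        $enabled = @($users | Where-Object { $_.Enabled })

        [pscustomobject]@{
            Group         = $t.Name
            EnabledUsers  = $enabled.Count
            Overpopulated = ($enabled.Count -gt $MaxExpectedMembers)
            # Oldest logon first, so rarely used privileged accounts stand out for review.
            Members       = ($enabled | Sort-Object LastLogonDate |
                             ForEach-Object { "{0} (last logon {1})" -f $_.SamAccountName, $_.LastLogonDate }) -join '; '
        }
    }
}

Get-PrivilegedGroupReport | Format-List
```

Member objects are resolved through the global catalog port (3268) because Administrators in a non-root domain can contain principals from the forest root, which a plain domain query would not find. Enumeration errors are reported with Write-Warning instead of being swallowed, since a group that silently reports fewer members than it has is exactly the condition this audit is meant to catch.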