Cybersecurity Open Call - August 18
Speaker: Brian Johnson: brian@7minsec.com
Brian Johnson showed a free, downloadable tool, PingCastle, that firms can use to review their Active Directory.
It produces graphical reports using CMMI (a well-known maturity model from Carnegie Mellon University that grades maturity on a scale from 1 to 5), applied to your Active Directory security. To learn more about the approach and how to use the tool, see the PingCastle documentation.
Another free tool is PowerHuntShares: https://github.com/NetSPI/PowerHuntShares
This "is an audit script designed to inventory, analyze, and report excessive privileges configured on Active Directory domains."
Purple Knight
This is an alternative tool, similar to PingCastle:
https://www.purple-knight.com/
"a free Active Directory (AD) and Azure AD security assessment tool . . . to close security gaps that leave your hybrid AD environment open to cyberattackers."
Purple Knight scans the Active Directory environment for 100+ security indicators of exposure or compromise. Users receive a graphical report with an overall score, 5 category scores, and guidance on how to remediate security risks.
New Purple Knight users report an average initial security score of 61%—a barely passing grade. But users who apply the prioritized guidance provided with the assessment can systematically close AD security gaps, reducing the attack surface by up to 45%.
For more on how it works: https://www.semperis.com/wp-content/uploads/PDFs/Purple-Knight-2022-Report.pdf
From BeyondTrust: https://www.beyondtrust.com/resources/glossary/active-directory-security
Active Directory (AD) is a Microsoft Windows directory service that allows IT administrators to manage users, applications, data, and various other aspects of their organization’s network. Active Directory security is vital to protect user credentials, company systems, sensitive data, software applications, and more from unauthorized access. A security compromise of AD can essentially undermine the integrity of your identity management infrastructure, leading to catastrophic levels of data leakage and/or system corruption/destruction.
Why It Is Critical to Secure the Active Directory System
Since AD is central to authorizing users, access, and applications throughout an organization, it is a prime target for attackers. If a cyber attacker is able to access the AD system, they can potentially access all connected user accounts, databases, applications, and all types of information. Therefore, an Active Directory compromise, particularly one that is not caught early, can lead to widespread fallout from which it may be difficult to recover.
Threats to Active Directory Systems
Let’s delve into several key areas where Active Directory systems may be susceptible to threats:
Default Security Settings
AD has a set of predetermined, default security settings created by Microsoft. These security settings may not be ideal for your organization’s needs. Additionally, these default security settings are well understood by hackers, who will attempt to exploit gaps and vulnerabilities.
Inappropriate Administrative Users and Privileged Access
Domain user accounts and other administrative users may have full, privileged access to AD. It is very likely that most employees, even those in IT, do not need high-level or superuser privileges.
Inappropriate or Broad Access for Roles and Employees
AD allows administrators to grant access to specific applications and data based on employee roles. Roles are assigned to groups that determine access levels. It’s important to allow only the levels of access that individuals and roles need to perform their job functions.
Non-Complex Passwords for Administrative Accounts
Brute-force attacks on AD services often target passwords. Uncomplicated passwords and easily guessable passwords are most at risk.
Unpatched Vulnerabilities on AD Servers
Hackers can quickly exploit unpatched applications, OS, and firmware on AD servers, giving them a critical first foothold within your environment.
Lack of Visibility and Reporting of Unauthorized Access Attempts
If IT administrators have awareness of unauthorized access attempts, they can more effectively disrupt or prevent such access attempts in the future. Thus, a clear Windows audit trail is vital to identify both legitimate and malicious access attempts, and to detect any AD changes that have been made.
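The audit trail described above is built from Security-log events on the domain controllers. The following PowerShell script is an added example (not from the original notes or the BeyondTrust glossary) that pulls the events behind privileged-group membership changes, account creations, lockouts and failed logons from one DC, normalizes them into a report, and raises a warning when one account accumulates many failed logons. The DC name, the time window, the watched groups and the alert threshold are placeholders to adjust for your environment.

```powershell
# Added example, not from the original notes or the BeyondTrust glossary:
# build a simple AD change / access audit report from a domain controller's
# Security log. Assumes event-log read rights on the DC; $Dc, $Hours and
# $WatchedGroups are placeholders to adjust for your environment.
param(
    [string]$Dc = 'dc01.corp.example',   # assumption: a domain controller
    [int]$Hours = 24,
    [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins',
                                 'Schema Admins', 'Administrators')
)

# Security event IDs used (all documented by Microsoft):
#   4728 / 4732 / 4756  member added to a global / local / universal security group
#   4729 / 4733 / 4757  member removed from a global / local / universal security group
#   4720                user account created
#   4740                account locked out
#   4625                failed logon
$GroupChangeIds = 4728, 4729, 4732, 4733, 4756, 4757
$OtherIds       = 4720, 4740, 4625

$filter = @{
    LogName   = 'Security'
    Id        = $GroupChangeIds + $OtherIds
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($e.Id -in $GroupChangeIds) {
        # TargetUserName is the group; MemberName is the DN of the added/removed member
        if ($d.TargetUserName -in $WatchedGroups) {
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Event = 'PrivilegedGroupChange'
                               Group = $d.TargetUserName; Account = $d.MemberName; Source = $d.SubjectUserName }
        }
    }
    elseif ($e.Id -eq 4720) {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Event = 'AccountCreated'
                           Group = $null; Account = $d.TargetUserName; Source = $d.SubjectUserName }
    }
    elseif ($e.Id -eq 4740) {
        # For 4740, TargetDomainName carries the name of the computer that caused the lockout
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Event = 'Lockout'
                           Group = $null; Account = $d.TargetUserName; Source = $d.TargetDomainName }
    }
    elseif ($e.Id -eq 4625) {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Event = 'FailedLogon'
                           Group = $null; Account = $d.TargetUserName; Source = $d.IpAddress }
    }
}

$report | Sort-Object Time | Format-Table -AutoSize

# Simple alert rule: many failed logons against one account in the window
# (the threshold of 10 is a placeholder; tune it to your baseline).
$bursts = $report | Where-Object Event -eq 'FailedLogon' |
          Group-Object Account | Where-Object Count -ge 10
foreach ($b in $bursts) {
    Write-Warning ("{0} failed logons for '{1}' in the last {2} h" -f $b.Count, $b.Name, $Hours)
}
```

Run it against every domain controller (or against a log collector), because group-change and lockout events are written on the DC that processed the change, not replicated. The group-change events fire only if the "Audit Security Group Management" and "Audit User Account Management" subcategories are enabled in the DC audit policy; the script simply returns nothing if they are not, which is itself a finding to fix.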
Best Practices for Active Directory Security
There are at least 7 best practices IT departments should implement to ensure holistic security around Active Directory. These should at minimum include:
After installing AD, it’s vital to review the security configuration and update it in line with business needs.
Implement Principles of Least Privilege in AD Roles and Groups
Review all the necessary permissions for data and applications for all employee roles in the organization. Ensure that employees have only the minimal level of access they need to perform their job roles. Also, ensure separation of privileges, so there is tighter auditability between roles and to help prevent lateral movement in the event an account is compromised. Apply strong privileged access management (PAM) policies and security controls.
Implement Robust AD Administration Privileges and Limit Domain User Accounts
Carefully review all IT staff responsibilities and only provide administrative privileges and superuser access to those who absolutely need this access to perform their roles. Use PowerShell Just Enough Administration (JEA) and/or a PAM solution to ensure this access is limited in the most granular way practical. Ensure these accounts are properly protected with robust passwords.
Use Real-Time Windows Auditing and Alerting
Conduct reporting of unusual access attempts. Provide full Windows auditing and alerting of any access from inside or outside the organization. Pay special attention to Windows AD change auditing. This will also help to meet PCI, SOX, HIPAA, and other compliance requirements.
Ensure Active Backup and Recovery
Back up the AD configuration and directory on a regular basis. Practice disaster recovery processes to allow for fast recovery in case AD integrity is breached.
Patch All Vulnerabilities Regularly
Identifying and patching vulnerabilities is one of the IT department’s most important tasks. Ensure a fast, efficient, effective patching and maintenance process for flaws in AD and elsewhere.
Centralize and Automate
Centralize all reviews, reports, controls, and administration in one place, and look for tools that can provide automated workflows for alerting and helping to reconcile issues.
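The least-privilege and JEA items above are easiest to understand with a concrete endpoint. The following PowerShell is an added example (not from the original notes or the BeyondTrust glossary) of a Just Enough Administration endpoint that lets a help-desk group reset passwords and unlock ordinary user accounts, and nothing else, without any member of that group holding AD admin rights. It assumes a domain-joined server with the RSAT ActiveDirectory module, a local admin to register the endpoint, and a group-managed service account that has been delegated reset-password and unlock rights on the user OUs; `CORP\HelpDesk-Tier1`, `CORP\gMSA-HelpDesk`, the module name and the paths are placeholders.

```powershell
# Added example, not from the original notes or the BeyondTrust glossary:
# a Just Enough Administration (JEA) endpoint that lets a help-desk group
# reset passwords and unlock ordinary user accounts, and nothing else, without
# holding any AD admin rights themselves. Assumptions: run as local admin on a
# domain-joined server with the RSAT ActiveDirectory module; CORP\HelpDesk-Tier1,
# CORP\gMSA-HelpDesk and the paths are placeholders.

$ModuleRoot = "$env:ProgramFiles\WindowsPowerShell\Modules\JEA-HelpDesk"
$RoleDir    = Join-Path $ModuleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModuleRoot 'JEA-HelpDesk.psd1')

# The only write operation exposed to the role is this function. It refuses
# AdminSDHolder-protected accounts (adminCount = 1), so the endpoint cannot be
# used to reset a Domain Admin's password even though it can reset anyone else's.
$resetFn = {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    $u = Get-ADUser -Identity $Identity -Properties adminCount
    if ($u.adminCount -eq 1) { throw "Refusing: '$Identity' is a protected (AdminSDHolder) account." }
    Set-ADAccountPassword -Identity $u -Reset -NewPassword $NewPassword
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $u
}

# 1. Role capability (.psrc): the allow-list of commands visible to the role.
$roleParams = @{
    Path                = Join-Path $RoleDir 'HelpDeskTier1.psrc'
    ModulesToImport     = 'ActiveDirectory'
    VisibleCmdlets      = @{ Name = 'Get-ADUser'; Parameters = @{ Name = 'Identity' }, @{ Name = 'Properties' } }
    FunctionDefinitions = @{ Name = 'Reset-Tier1Password'; ScriptBlock = $resetFn }
}
New-PSRoleCapabilityFile @roleParams

# 2. Session configuration (.pssc): which AD group gets which role, which
#    identity the commands run as, and where transcripts of every session go.
#    The gMSA (not the help-desk user) needs reset-password/unlock rights
#    delegated on the user OUs; help-desk users need no AD rights at all.
$sessParams = @{
    Path                       = Join-Path $ModuleRoot 'HelpDesk.pssc'
    SessionType                = 'RestrictedRemoteServer'
    GroupManagedServiceAccount = 'CORP\gMSA-HelpDesk'
    TranscriptDirectory        = 'C:\JEA-Transcripts'
    RoleDefinitions            = @{ 'CORP\HelpDesk-Tier1' = @{ RoleCapabilities = 'HelpDeskTier1' } }
}
New-PSSessionConfigurationFile @sessParams
if (-not (Test-PSSessionConfigurationFile -Path $sessParams.Path)) { throw 'Session configuration file is invalid' }
Register-PSSessionConfiguration -Name 'HelpDesk' -Path $sessParams.Path -Force | Out-Null

# Help-desk staff then connect with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName HelpDesk
# and see only Get-ADUser, Reset-Tier1Password and the default JEA proxy commands.
```

The separation this gives is the point of the best practice: the standing AD permission lives on the gMSA, the human only ever gets a constrained, transcribed session, and the one function that changes anything enforces its own guard against privileged targets. The transcript directory should itself be write-only for the server and forwarded to the central auditing described in the next item.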
Understanding AD vulnerabilities and implementing security and least-privilege access controls is vital to protecting domain accounts and keeping the IT ecosystem safe. Proper visibility, management, reporting, and auditing capabilities can significantly enhance AD security and ensure system integrity.
Other topics
- The use of Windows Hello for Business which "replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN." https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview
- Protected Users Security Group (Microsoft Docs): This security group is designed as part of a strategy to manage credential exposure within the enterprise. Members of this group automatically have non-configurable protections applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify these protections for an account is to remove the account from the security group.
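The Protected Users note above and the "limit administrative privileges" best practice come together in a recurring review of who actually sits in the privileged groups. The following PowerShell is an added example (not from the original notes, BeyondTrust or Microsoft Docs) that enumerates the members of the most privileged AD groups, flags those not yet in Protected Users along with other hygiene problems, and previews the remediation with `-WhatIf`. It assumes the RSAT ActiveDirectory module and an account that can read the directory; the group list and the inactivity threshold are placeholders for your own policy.

```powershell
# Added example, not from the original notes or Microsoft Docs: audit the
# members of the most privileged AD groups and report which of them are not
# yet in Protected Users, together with other hygiene problems. Assumes the
# RSAT ActiveDirectory module and an account that can read the directory;
# $PrivilegedGroups and $StaleDays are placeholders for your policy.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'
$StaleDays = 90
$Now = Get-Date

# Index current Protected Users membership by DN for fast lookup
$protected = @{}
Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    ForEach-Object { $protected[$_.distinguishedName] = $true }

$findings = foreach ($g in $PrivilegedGroups) {
    # Enterprise/Schema Admins exist only in the forest root; skip groups not present here
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
               Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                 -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires
        $issues = @()
        if (-not $protected[$u.DistinguishedName]) { $issues += 'NotInProtectedUsers' }
        if ($u.PasswordNeverExpires)                 { $issues += 'PasswordNeverExpires' }
        if (-not $u.Enabled)                         { $issues += 'DisabledButStillPrivileged' }
        if ($u.LastLogonDate -and $u.LastLogonDate -lt $Now.AddDays(-$StaleDays)) { $issues += "Inactive>${StaleDays}d" }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $Now.AddDays(-365))    { $issues += 'PasswordOlderThan1y' }
        [pscustomobject]@{
            Group     = $g
            Account   = $u.SamAccountName
            Enabled   = $u.Enabled
            LastLogon = $u.LastLogonDate
            Issues    = ($issues -join ', ')
        }
    }
}

$findings | Sort-Object Group, Account | Format-Table -AutoSize

# Candidate remediation: add human admin accounts to Protected Users. Shown
# with -WhatIf because membership is disruptive (no NTLM, no RC4/DES Kerberos,
# no delegation, 4-hour TGT lifetime); never add service or computer accounts,
# test with one account first, and keep a break-glass admin outside the group.
$findings | Where-Object { $_.Enabled -and $_.Issues -match 'NotInProtectedUsers' } |
    Select-Object -ExpandProperty Account -Unique |
    ForEach-Object { Add-ADGroupMember -Identity 'Protected Users' -Members $_ -WhatIf }
```

Every account that shows up in this report with more than one issue is a candidate for removal from the group rather than hardening in place; the report is also the natural input to the Purple Knight or PingCastle findings above, which grade the same conditions but do not hand you the member list to act on.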