Active Directory | Intel 471 Skip to content

Active Directory

A Microsoft technology used to manage computers and other devices on a network. Active Directory allows network administrators to create and manage domains, users, and objects within a network.
Homepage slide 1

Active Directory is a Microsoft service used to manage computers and other devices on a network. Active Directory allows network administrators to create and manage domains, users, and objects within a network.

Active Directory (AD) is an important part of many IT systems. AD stores information about users and computers in a database. AD controls much of the activity that takes place within the computer systems. AD uses authentication and authorization to ensure that users are who they say they are and that they have permission to perform certain activities.

The Active Directory database (directory), stores information about AD objects in the domain, including users, computers, applications, and printers. Users are organized into groups, and each group has a distinguished name called a “Group Name.” Each computer is associated with a user account and a computer name. A user account may be associated with several different user names. Computers are identified by their IP addresses and hostnames. Applications are identified by their application IDs. Printers are identified by their printer names. Shared Folders are identified by their shared names. Groups are identified by their distinguished names.

The Active Directory database (Directory) contains information about the Active Directory objects in the domain. Databases are designed by people who want them to work well together. The schema is very important to databases. In this case, the schema is defined by Microsoft. The schema defines everything about objects, attributes, and relationships.

What is Active Directory security?

Active Directory security is vital to protect user credentials, company systems, sensitive data, software applications, and more from unauthorized access.

Active Directory is an important part of any computer network. It stores information about people who use computers and how they interact with them. This helps make sure that you get what you need when you want it. Security experts think that if someone gets into your active directory, they could steal your personal information or even damage your computer.

Why is it critical to secure the Active Directory system?

AD is the core of any networked computer system. Accessing AD gives you access to everything else. An attack on AD could give criminals or spies access to your entire network. This makes AD a prime target. Since AD is so important, if someone gets into AD, there will be widespread damage.

Document your Active Directory

To keep a clean and secure Active Directory, you need to understand all aspects of an AD, including user accounts, groups, services, computers, domains, permissions, DNS, DHCP, GPOs, etc. The below list describes how to identify each aspect of an AD and prevent security gaps.

  • Backup your Active Directory regularly. You should back up your AD at least once per week. Backups help prevent disasters. and protect your intellectual property. They also allow you to restore AD quickly after an emergency.

  • Use strong passwords. Passwords must be unique and long enough to avoid dictionary attacks. Make sure that you change your password often. Never reuse passwords for multiple sites.

  • Use two-factor authentication. Two-factor authentication adds another layer of protection to your AD. It requires both something you know (a username and password) and something you have (your phone).

  • Protect your AD against malware. Malware includes viruses, spyware, and other malicious programs. These programs look like regular files but do not follow normal file protocols. If you download a virus, it may infect your AD.

  • Use encryption. Encryption scrambles data so that only those who have the key can read it. Encrypting data protects it from theft and tampering and any other security threat.

  • Implement firewalls. Firewalls block incoming connections from outside your network. A firewall allows only approved connections.

  • Use antivirus software. Antivirus software scans email attachments and downloads before opening them. It also checks websites before allowing you to visit them.

  • Keep your operating systems updated. Operating systems are constantly being improved by Microsoft and other companies. Updates fix bugs and add new features and prevent password attacks.

  • Keep your AD backed up. Your AD should be backed up regularly. Backup schedules vary depending on your needs.

Why do threat actors target Active Directory?

Internal security breaches are becoming increasingly common, but the damage done by cybercriminals is hard to measure. Because AD is central to authorization, access, and application management across an enterprise, it’s a prime target for attackers and a major vulnerability for the business. A cyberattack could allow an unauthorized person to gain access to any account belonging to anyone who uses the affected computer systems. For example, if an active security breach occurs, such as when someone hacks into a company’s network, then there could be widespread repercussions for both the business and its clients.

How Active Directory groups can help your security team

Active Directory groups are a type of user management system that allows you to organize users into different categories. Groups can either be assigned by using a security identifier (SID), or a globally unique identifier (GUID).

Both types of identifiers are used differently depending on what your needs are. Groups are collections of people who share common interests and goals. Users can join these groups by invitation. A group can also be created based on a particular user or an entire organization.

Security groups and Active Directory security

Security groups are used to control access to resources on networks. You can use them to give users rights to specific areas of a computer network. Users can be assigned rights to different areas based on their position in the company hierarchy.

For example, if you need to grant a manager full access to a database but restrict other employees' access to it, you could create a group called “Managers Only” and add the manager to that group. Then, you could limit the access of everyone else to read-only rights. A user added to the “Backup Operator” group inherits the rights to backup and restore files and folders.

Users in the “Backup Operators” group can perform these tasks without having to manually add themselves to the “Backup Operators” security group. Administrators should assign permissions to security groups instead of individual users. For example, if you want to give full control to everyone in your company, you could create a new security group called “Everyone.” Then, you could add any number of accounts to this group. Once you've done that, you'd be able to grant permissions to this group. This way, everyone in your company will receive the same permissions.

Security groups can be used as email entities. A security group can send messages to all members of a group. The group scope determines where the group can be applied. The scope of a security group must match the scope of the object or objects being protected. For example, if you want to protect files in a share named MyFiles, you must use a security group with a scope of Universal (the default). You cannot create a security group with a local scope and apply it to a share.

Groups are listed in order of size. Each group's scope is shown. A universal group can grant permissions to other universal groups. A local group can grant permissions to local groups and universal groups. A domain local group can grant permissions only to domain local groups. A domain local account can grant permissions to other domain accounts.

How cybercriminals can attack Active Directory

“Kerberoasting” is used to steal passwords or other sensitive information. Kerberoasting doesn't require any interaction with the victim machine. A malicious user gets access to the victim's computer by authenticating to the domain controller (DC). Then he/she requests a service ticket for a specific service. The DC retrieves the permissions from the Active Directory database and creates a service ticket encrypted with the service's username and password.

A DC should be able to provide users with the service ticket without revealing any information about the user or the service. This means that the ticket must be encrypted before being stored in RAM. Once the ticket is decrypted, it should be verified that the user has permission to use the service. In addition, the DC should track if the user actually connects to services after requesting a ticket, and prevent brute-force attacks by preventing any more requests until the previous ones have been processed.

  • Mimikatz

In its original form, Mimikatz was designed to show just how easy it would be for an attacker to gain access to user credentials stored by Windows systems. It has since been repurposed into a full-fledged password cracking utility. A password harvester is a software designed to steal login credentials from websites by harvesting them directly off their servers. Cybercriminals use Mimikatz in credential stealing and privilege escalation attacks.

Mimikatz is a powerful tool that allows attackers to steal credentials. It was first introduced in 2011, but has been used to attack organizations since then. It has also been repackaged and distributed in different ways. This is just one way into your system, although a very popular one.

There are ways to protect against credential theft and abuse. The best place to start is by understanding the risks and the necessary steps to mitigate them.

  • Kerberos

Attackers also target Microsoft’s Kerberos system, which uses passwords to authenticate users, to exploit vulnerabilities in the password protocols used by the service. In order for an attacker to gain access to credentials and accounts, they must first get into the system. Once inside, they may be able to use these credentials to move laterally through the network, gain privileges, and access services. In light of these findings, we're surprised by just how long an organization might be able to sustain its Active Directory after a compromise has occurred.

In Conclusion

Digital forensics teams need round-the-clock threat intelligence to anticipate and track bad actors’ every move, and how they might attack your business.

Intel 471 customers rely on TITAN, an intuitive intelligence SaaS platform built by intelligence and security professionals for intelligence and security professionals. It enables them to access structured information, dashboards, timely alerts, and intelligence reporting via the web portal or API integration.

But TITAN doesn’t stop there. Use TITAN’s programmable RESTful API to power numerous connectors and integrations, integrating and operationalizing customized intelligence into your security operations.

Intel 471 cybercrime intelligence empowers digital forensic experts and analysts to monitor and respond to threats in near real-time — enabling them to support the cyber defense mission with timely and actionable intelligence. These analysts can also explore the alert context in our intelligence reports and data collection giving them a richer understanding of your organizational risk to better mitigate threats.