Are Active Directory misconfigurations putting your organization at risk of serious security breaches and costly downtime? Almost certainly. In fact, many cyberattacks today exploit well-known Active Directory misconfigurations that are overlooked all too often.
The good news is that many of these misconfigurations are relatively easy to check for and fix. This article details the top 10 issues to know about and explains how you can mitigate them to strengthen your cybersecurity and cyber resilience.
1. Unconstrained delegation
Our first Active Directory misconfiguration, unconstrained delegation, is a doozy. A key benefit of this feature is that it enables seamless access across services without repeated user authentication prompts, since a service can impersonate the user and access resources on their behalf. Servers, workstations and other machines can also be configured for unconstrained delegation.
But while unconstrained delegation greatly simplifies the user experience, it creates a huge security hole. Adversaries can exploit this Active Directory misconfiguration to escalate their privileges and move laterally through the network to access sensitive information and systems. Indeed, unconstrained delegation can enable attackers to compromise the entire Active Directory domain.
It’s no wonder that avoiding unconstrained delegation is one of the top 10 best practices for Microsoft service accounts.
Identification and mitigation
It’s essential to regularly look for any users and machines that are configured for unconstrained delegation. If you discover instances of unconstrained delegation, assess them carefully and remove any that are not absolutely necessary. Strictly reserve unconstrained delegation for scenarios that cannot be effectively managed using constrained delegation, which enables you to limit which services a service account can impersonate.
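As an added example (not code from the original article), the following PowerShell audit uses the ActiveDirectory RSAT module to find every account carrying the TRUSTED_FOR_DELEGATION flag, excludes domain controllers (which legitimately hold it), and shows the two remediations described above: clearing the flag, or replacing it with constrained delegation to an explicit list of target SPNs. The account name svc-legacy, the SPN and the use of the Domain Admins group are assumptions for illustration.

```powershell
# Added example: audit and remediate unconstrained delegation.
# Requires the ActiveDirectory module (RSAT) and an account allowed to read/modify the objects.
Import-Module ActiveDirectory

# TrustedForDelegation is the friendly name of the TRUSTED_FOR_DELEGATION bit in userAccountControl.
$dcNames = (Get-ADDomainController -Filter *).Name

# Computers: every domain controller is trusted for delegation by design, so report only the rest.
$computers = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
    Where-Object { $dcNames -notcontains $_.Name }

# Users (usually service accounts) with the same flag.
$users = Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation, ServicePrincipalName

'Non-DC computers configured for unconstrained delegation:'
$computers | Select-Object Name, DistinguishedName | Format-Table -AutoSize
'Users configured for unconstrained delegation:'
$users | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Remediation 1: the account does not need delegation at all -> clear the flag.
# 'svc-legacy' is a hypothetical account name.
Set-ADAccountControl -Identity 'svc-legacy' -TrustedForDelegation $false

# Remediation 2: delegation is genuinely required -> switch to constrained delegation by
# listing the exact services the account may delegate to (hypothetical SPN). Clearing the
# unconstrained flag first is what makes the allow-list take effect.
Set-ADUser -Identity 'svc-legacy' -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.corp.example:1433' }

# Defence in depth: mark the most sensitive accounts as "account is sensitive and cannot be
# delegated" so that no service, constrained or not, can impersonate them.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser |
    Set-ADAccountControl -AccountNotDelegated $true
```

Run the audit part on a schedule and diff the output against the previous run; a newly flagged object is a change worth investigating, since nothing in normal operations should add unconstrained delegation.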
2. Kerberos pre-authentication disabled
Kerberos is the default authentication protocol in Active Directory. Its pre-authentication feature helps protect against password-based attacks, such as brute-force and dictionary attacks. Accordingly, this feature is enabled by default.
However, in many organizations, Kerberos pre-authentication is disabled for one or more users. This misconfiguration opens the door to attacks like AS-REP roasting, in which adversaries gain access to Kerberos tickets and use them to crack password hashes offline at their leisure without fear of detection.
Identification and mitigation
It’s vital to check for accounts that have Kerberos pre-authentication disabled and re-enable it. Look for the userAccountControl flag that marks pre-authentication as not required. It’s smart to scan for this Active Directory misconfiguration frequently — at least daily but preferably multiple times a day.
It’s also important to provide training to prevent the issue in the first place. All too often, the root cause is laziness: Administrators disable Kerberos pre-authentication for troubleshooting or testing and fail to re-enable it. To discourage this practice, make sure the entire IT team understands the serious security and compliance risks it entails. Back up that training with a policy that prevents anyone from disabling Kerberos pre-authentication.
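The check and fix described above, as an added PowerShell example that is not part of the original article: the DoesNotRequirePreAuth property exposed by the ActiveDirectory module corresponds to the DONT_REQ_PREAUTH bit (0x400000) of userAccountControl. The script reports every account with the bit set, re-enables pre-authentication on all but an allow-list you maintain, and registers itself to run several times a day. The script path, task name and the empty exception list are assumptions.

```powershell
# Added example: find accounts with Kerberos pre-authentication disabled and re-enable it.
Import-Module ActiveDirectory

function Get-PreAuthDisabledAccount {
    # DoesNotRequirePreAuth = DONT_REQ_PREAUTH (0x400000) in userAccountControl.
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' `
        -Properties DoesNotRequirePreAuth, Enabled, LastLogonDate, whenChanged |
        Select-Object SamAccountName, Enabled, LastLogonDate, whenChanged, DistinguishedName
}

# Accounts that have been reviewed and documented as needing the exception (hypothetical, empty here).
$approvedExceptions = @()

$findings = Get-PreAuthDisabledAccount
if ($findings) {
    $findings | Format-Table -AutoSize
    $findings |
        Where-Object { $approvedExceptions -notcontains $_.SamAccountName } |
        ForEach-Object {
            Set-ADAccountControl -Identity $_.DistinguishedName -DoesNotRequirePreAuth $false
            Write-Output "Re-enabled Kerberos pre-authentication for $($_.SamAccountName)"
        }
}
else {
    Write-Output 'No accounts with Kerberos pre-authentication disabled.'
}

# Run this script every four hours as a scheduled task (hypothetical path and task name).
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Check-PreAuth.ps1'
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 4)
Register-ScheduledTask -TaskName 'AD-PreAuthAudit' -Action $action -Trigger $trigger -RunLevel Highest
```

For detection between scans, security event 4738 (user account changed) records the userAccountControl change on the domain controller, and 4768 (TGT requested) with Pre-Authentication Type 0 shows an account actually authenticating without pre-authentication.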
3. Legacy encryption protocols
Both encryption technology and processing power have seen significant advances since Active Directory was introduced over two decades ago. As a result, legacy encryption algorithms like RC4 and DES are far less secure than modern standards such as AES. Active Directory misconfigurations that allow the use of legacy encryption put your environment at serious risk.
A key reason is that Active Directory authentication relies on Kerberos tickets, which are encrypted for security. If a legacy encryption algorithm is enabled, attackers can more easily decrypt or forge Kerberos tickets to gain unauthorized access. Indeed, if Kerberos tickets are encrypted using RC4 rather than AES, attackers can crack passwords an estimated 800 times faster.
Abuse of legacy encryption protocols is a common technique in a host of well-known Active Directory attacks, including Golden Ticket, Kerberoasting and Pass the Hash.
Identification and mitigation
To mitigate your risk from this common Active Directory misconfiguration, set up your environment to allow AES encryption only. Be sure to monitor for any attempts to change this setting and investigate them promptly.
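As an added example (not from the original article), this PowerShell script audits the Kerberos encryption types permitted per account and checks the local enforcement of the "AES only" policy. The per-account setting lives in the msDS-SupportedEncryptionTypes attribute, whose bit values (DES_CBC_CRC 0x1, DES_CBC_MD5 0x2, RC4_HMAC 0x4, AES128 0x8, AES256 0x10) are documented by Microsoft; the domain-wide Group Policy "Network security: Configure encryption types allowed for Kerberos" writes the same bits to the SupportedEncryptionTypes registry value under the Kerberos\Parameters policy key. The account name svc-app is an assumption.

```powershell
# Added example: find accounts that still permit legacy Kerberos encryption types.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes
$DES_CBC_CRC = 0x1; $DES_CBC_MD5 = 0x2; $RC4_HMAC = 0x4; $AES128 = 0x8; $AES256 = 0x10
$LegacyMask = $DES_CBC_CRC -bor $DES_CBC_MD5 -bor $RC4_HMAC   # 0x7
$AesOnly    = $AES128 -bor $AES256                             # 0x18 (24)

function Get-LegacyKerberosEncryption {
    # Note: Get-ADUser/Get-ADComputer -Filter * is expensive in large domains; scope with -SearchBase if needed.
    $accounts = @(Get-ADUser -Filter * -Properties 'msDS-SupportedEncryptionTypes') +
                @(Get-ADComputer -Filter * -Properties 'msDS-SupportedEncryptionTypes')
    foreach ($a in $accounts) {
        $etypes = $a.'msDS-SupportedEncryptionTypes'
        $status = if ($null -eq $etypes -or $etypes -eq 0) { 'NotSet (legacy RC4 permitted by default)' }
                  elseif ($etypes -band $LegacyMask)        { 'LegacyAllowed' }
                  else                                      { 'AESOnly' }
        if ($status -ne 'AESOnly') {
            [pscustomobject]@{
                Name            = $a.SamAccountName
                Class           = $a.ObjectClass
                EncryptionTypes = $etypes
                Status          = $status
            }
        }
    }
}

Get-LegacyKerberosEncryption | Sort-Object Class, Name | Format-Table -AutoSize

# Remediation for a service account (hypothetical name): allow AES only.
# Reset the account's password afterwards so that AES keys actually exist for it;
# otherwise Kerberos has no AES key to use and authentication fails.
Set-ADUser -Identity 'svc-app' -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly }

# Verify local enforcement of the Group Policy setting on this machine.
$path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$local = Get-ItemProperty -Path $path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($local -and (($local.SupportedEncryptionTypes -band $LegacyMask) -eq 0)) {
    Write-Output 'Local policy: AES only'
}
else {
    Write-Output 'Local policy: legacy encryption types still permitted or policy not applied'
}
```

The article's advice to monitor for changes to this setting maps to two sources: security event 5136 (directory object modified) on domain controllers for the per-account attribute, and Group Policy change auditing for the domain-wide setting.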
4. Misconfigured certificate templates
Certificate templates in Active Directory control the issuance of certificates for secure communication, encryption and authentication. Misconfigured templates increase the risk of improper certificate issuance, which can enable man-in-the-middle (MITM) attacks that can compromise encrypted communications and intercept confidential data. Adversaries also exploit this Active Directory misconfiguration to achieve privilege escalation, lateral movement and unauthorized access to sensitive systems, all without tripping alarms.
Unfortunately, many IT pros don’t have a lot of experience with managing certificates, and certificate templates are often overlooked in security audits.
Identification and mitigation
To address this Active Directory misconfiguration, regularly review your certificate templates. Be sure to enforce strict policies for requesting and issuing certificates, including restricting certificate issuance to trusted users and machines.
In addition, use only the Microsoft certificate template MMC snap-in to edit certificate templates, since tools like ADSI Edit won’t update the version numbers.
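As an added example (not from the original article), the following PowerShell audit reads every template from the Certificate Templates container of the Configuration partition and flags the combination reviewers most want to see: the requester may supply the subject name (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0x1, in msPKI-Certificate-Name-Flag), the certificate can be used for logon (Client Authentication EKU 1.3.6.1.5.5.7.3.2, or no EKU restriction at all), and no manager approval is required (CT_FLAG_PEND_ALL_REQUESTS, 0x2, in msPKI-Enrollment-Flag is clear). For each such template it lists who holds the Certificate-Enrollment extended right (GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55) so you can confirm issuance is restricted to trusted principals. It is read-only by design: per the advice above, apply fixes in the Certificate Templates MMC snap-in rather than by editing attributes directly.

```powershell
# Added example: audit certificate templates for risky issuance settings (read-only).
Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS        = 0x2    # msPKI-Enrollment-Flag: CA manager approval required
$ClientAuthEku   = '1.3.6.1.5.5.7.3.2'
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Get-RiskyCertificateTemplate {
    Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', pKIExtendedKeyUsage |
    ForEach-Object {
        $t = $_
        $subjectFromRequester = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $needsApproval        = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        # No EKU at all means "any purpose", which includes client authentication.
        $usableForLogon       = (-not $t.pKIExtendedKeyUsage) -or ($t.pKIExtendedKeyUsage -contains $ClientAuthEku)

        if ($subjectFromRequester -and $usableForLogon -and -not $needsApproval) {
            # Who may enroll: Allow ACEs carrying the Certificate-Enrollment right (or all extended rights / GenericAll).
            $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
            $enrollers = $acl.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and (
                        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                         ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty))
                    )
                } |
                Select-Object -ExpandProperty IdentityReference -Unique
            [pscustomobject]@{
                Template   = $t.Name
                Enrollers  = ($enrollers -join '; ')
                Finding    = 'Requester supplies subject, logon-capable EKU, no manager approval'
            }
        }
    }
}

Get-RiskyCertificateTemplate | Format-Table -AutoSize -Wrap
```

Treat any template in the output whose Enrollers column includes broad groups such as Domain Users, Authenticated Users or Everyone as a priority review item; the expected fix is to enable manager approval or restrict the Enroll permission to the specific accounts that need that template.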
5. Print Spooler service on domain controllers
The Print Spooler service is responsible for managing print jobs in a Windows environment. Adversaries often exploit vulnerabilities in this service during attacks. If the Print Spooler service is installed on a domain controller, they may be able to execute arbitrary code with elevated privileges to take control of the DC, which can lead to a complete compromise of the domain.
One famous flaw is so serious that it is known as PrintNightmare — it has enabled attackers to spread ransomware, exfiltrate sensitive data and do other serious damage.
Identification and mitigation
To mitigate this serious Active Directory misconfiguration, regularly check whether the Print Spooler service is running on DCs and disable it unless it is absolutely necessary. (While you’re at it, check out these additional best practices for protecting DCs.)
In addition, implement a robust patch management strategy to promptly mitigate known vulnerabilities in all your systems, including the Print Spooler service.
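The DC check described above, as an added PowerShell example that is not part of the original article: it fans out over every domain controller with PowerShell remoting, reports whether the Print Spooler service exists, is running and how it starts, and then stops and disables it wherever it is still enabled. It assumes remoting is enabled on the DCs and that the account running it is a DC administrator.

```powershell
# Added example: report and disable the Print Spooler service on all domain controllers.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

function Get-SpoolerStatusOnDCs {
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC          = $env:COMPUTERNAME
            Installed   = [bool]$svc
            Status      = if ($svc) { $svc.Status.ToString() }    else { 'n/a' }
            StartupType = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        }
    }
}

$report = Get-SpoolerStatusOnDCs
$report | Select-Object DC, Installed, Status, StartupType | Format-Table -AutoSize

# Remediation: stop and disable the service on every DC where it is not already disabled.
# Add DCs that legitimately need printing (rare) to this list after a documented review.
$approvedExceptions = @()
$needsFix = $report | Where-Object {
    $_.Installed -and $_.StartupType -ne 'Disabled' -and $approvedExceptions -notcontains $_.DC
}

if ($needsFix) {
    Invoke-Command -ComputerName $needsFix.DC -ScriptBlock {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        "$env:COMPUTERNAME: Spooler stopped and disabled"
    }
}
else {
    Write-Output 'Print Spooler is already disabled on all domain controllers.'
}
```

Because a later change could re-enable the service, keep the report part running on a schedule; a DC whose StartupType flips back from Disabled is a configuration drift you want to see the same day.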
6. Over-permissioned service accounts
A service account is an account used to run one or more services or applications. For example, Exchange, SharePoint, SQL Server and Internet Information Services (IIS) all run under service accounts.
An adversary who takes over a service account gains all of its access rights. If the account has excessive permissions, the attackers can more easily gain access to sensitive data and systems, or even achieve full domain compromise.
Unfortunately, overprovisioning of service accounts is all too common. For one thing, vendors often say that their applications require elevated rights to run, but those privileges are actually needed only for installation. In addition, admins sometimes use their own highly privileged account as a service account out of expediency, for example, to quickly install and test a new application.
Identification and mitigation
To mitigate this Active Directory misconfiguration, it’s essential to rigorously limit each service account to only the access rights it truly needs. The first step is to create and maintain an accurate accounting of all the Microsoft service accounts in your environment.
Use that inventory to regularly review the permissions of each service account and remove any rights not necessary for its function. In particular, always constrain delegation for service accounts (see Active Directory misconfiguration #1 above).
In addition, do not allow admins to use their personal accounts as service accounts. For better control and security, use managed service accounts (MSAs) whenever possible.
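As an added example (not code from the original article) covering the inventory, the permission review and the move to managed accounts described above: the script treats every user object with a servicePrincipalName as a service account, records its password age and delegation settings, flags membership in built-in privileged groups, and then shows how a group managed service account (gMSA) is created to replace a conventional one. The report path, the gMSA name gmsa-app01, the host APP01 and the DNS names are assumptions.

```powershell
# Added example: inventory service accounts, flag over-permissioned ones, and create a gMSA replacement.
Import-Module ActiveDirectory

# Built-in groups whose membership a service account should essentially never have.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators'
$privilegedMembers = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty distinguishedName
}

function Get-ServiceAccountInventory {
    Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
        -Properties ServicePrincipalName, PasswordLastSet, TrustedForDelegation, 'msDS-AllowedToDelegateTo', Enabled, LastLogonDate |
    ForEach-Object {
        [pscustomobject]@{
            Account       = $_.SamAccountName
            Enabled       = $_.Enabled
            SPNs          = ($_.ServicePrincipalName -join ';')
            PasswordAge   = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null }
            Privileged    = $privilegedMembers -contains $_.DistinguishedName
            Unconstrained = [bool]$_.TrustedForDelegation
            ConstrainedTo = ($_.'msDS-AllowedToDelegateTo' -join ';')
            LastLogon     = $_.LastLogonDate
        }
    }
}

$inventory = Get-ServiceAccountInventory
$inventory | Export-Csv -Path 'C:\Reports\service-accounts.csv' -NoTypeInformation   # hypothetical path

# Review list: privileged group membership, unconstrained delegation, or a password older than a year.
$inventory |
    Where-Object { $_.Privileged -or $_.Unconstrained -or ($_.PasswordAge -gt 365) } |
    Format-Table Account, Enabled, Privileged, Unconstrained, PasswordAge, SPNs -AutoSize

# Replacement with a gMSA. A KDS root key is needed once per forest; -EffectiveImmediately is
# for lab use only, because production DCs otherwise wait 10 hours before honouring the key.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

New-ADServiceAccount -Name 'gmsa-app01' -DNSHostName 'gmsa-app01.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP01$' `
    -ServicePrincipalNames 'HTTP/app01.corp.example'
# On APP01 itself: Install-ADServiceAccount -Identity gmsa-app01, then configure the service to
# log on as CORP\gmsa-app01$ with an empty password; Windows rotates the password automatically.
```

The gMSA removes two of the risks in this section at once: no human knows the password, so it cannot be reused by an administrator as a convenience account, and rotation no longer depends on anyone remembering to do it.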
7. Stale or inactive accounts
Inactive accounts are user or service accounts that are no longer in use, typically because the user left the organization or the service became obsolete. All too often, however, these accounts are left enabled in the IT environment.
This Active Directory misconfiguration represents a serious security risk: Adversaries who compromise an inactive account gain all of the access rights granted to it. Moreover, they can move around in the network freely, since they are using a legitimate account that is unlikely to draw attention and there’s no associated user to notice anything unusual going on.
Identification and mitigation
It’s imperative to regularly check for inactive accounts and promptly disable or delete them.
Another important step in mitigating this Active Directory misconfiguration is to set up account expiration policies to disable accounts if they have not been used in a certain period of time. The number of days will depend on your organization’s specific requirements.
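The two steps above, as an added PowerShell example that is not part of the original article: Search-ADAccount -AccountInactive finds user and computer accounts whose replicated last-logon timestamp is older than a chosen period, the script disables them and moves them to a quarantine OU with a dated description (a reversible first stage), and a second stage deletes what has sat in quarantine long enough. It closes with Set-ADAccountExpiration as the per-account expiry control for accounts that are known to be temporary. The 90-day threshold, the OU name, and the contractor account name are assumptions.

```powershell
# Added example: find, quarantine and eventually remove inactive accounts.
Import-Module ActiveDirectory

$inactiveDays = 90                                    # adjust to your organisation's policy
$span         = New-TimeSpan -Days $inactiveDays
$quarantineOU = 'OU=Disabled Accounts,DC=corp,DC=example'   # hypothetical OU

function Get-StaleAccount {
    # lastLogonTimestamp is replicated but may lag real activity by up to 14 days;
    # choose a threshold well above that lag.
    $users     = @(Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly     | Where-Object { $_.Enabled })
    $computers = @(Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly | Where-Object { $_.Enabled })
    ($users + $computers) | Select-Object Name, ObjectClass, LastLogonDate, DistinguishedName
}

$stale = Get-StaleAccount
$stale | Sort-Object ObjectClass, LastLogonDate | Format-Table -AutoSize

# Stage 1 (reversible): annotate, disable, then move. Disable before moving, since the DN changes on move.
foreach ($acct in $stale) {
    Set-ADObject     -Identity $acct.DistinguishedName -Description "Disabled as inactive on $(Get-Date -Format yyyy-MM-dd)"
    Disable-ADAccount -Identity $acct.DistinguishedName
    Move-ADObject    -Identity $acct.DistinguishedName -TargetPath $quarantineOU
}

# Stage 2: delete objects that have been in quarantine, unchanged, for another full period.
# -WhatIf shows what would be removed; drop it once the process is trusted.
$cutoff = (Get-Date).AddDays(-$inactiveDays)
Get-ADObject -SearchBase $quarantineOU -SearchScope OneLevel -Filter 'whenChanged -lt $cutoff' -Properties whenChanged |
    Remove-ADObject -Recursive -WhatIf

# Expiration policy for accounts that are temporary by nature (hypothetical contractor account).
Set-ADAccountExpiration -Identity 'contractor-jdoe' -DateTime (Get-Date).AddDays(180)
```

Keeping the quarantine stage between detection and deletion is what makes the process safe to automate: an account that turns out to be needed is re-enabled and moved back, with the description explaining why it was touched.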
8. Weak password policies
Password policies govern important criteria such as the required length and complexity of passwords. Weak policies allow users to create passwords that are easy to guess or crack through brute-force attacks such as password spraying and dictionary attacks.
Another component of this Active Directory misconfiguration is failing to check candidate passwords against lists of leaked credentials. Weak policies without this check leave the organization vulnerable to credential stuffing attacks, where attackers use stolen username-password pairs from one breach to gain unauthorized access to another environment.
Identification and mitigation
To mitigate this Active Directory misconfiguration, become familiar with password best practices like those from the National Institute of Standards and Technology (NIST) and regularly review your policies against them. Pay special attention to minimum password length, complexity requirements and expiration settings. Remember that highly privileged accounts should be subject to more stringent requirements than less powerful ones.
Other best practices include the following:
- Blacklist commonly used passwords.
- Check candidate passwords against lists of compromised credentials.
- Provide users with a password manager so they need to remember only one (very strong) password.
- Implement account lockout policies to mitigate the risk from brute-force attacks.
- Consider eliminating passwords in favor of passwordless authentication.
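As an added example (not from the original article) for the policy review, the stricter rules for privileged accounts, lockout and the compromised-password check: the script reads the default domain password policy and scores it against a set of example thresholds, creates a fine-grained password policy applied to Domain Admins, and shows a small banned-password check suitable for a provisioning script. The thresholds, the policy name Tier0-Admins and the three banned passwords are constructed for illustration, not NIST's numbers.

```powershell
# Added example: review the domain password policy, tighten it for privileged accounts,
# and check candidate passwords against a banned list.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    $policy = Get-ADDefaultDomainPasswordPolicy
    # Example thresholds (assumptions): replace with the values your standard requires.
    [ordered]@{
        'Minimum length >= 14'             = $policy.MinPasswordLength -ge 14
        'Password history >= 24'           = $policy.PasswordHistoryCount -ge 24
        'Lockout threshold set'            = $policy.LockoutThreshold -gt 0
        'Lockout observation >= 15 min'    = $policy.LockoutObservationWindow -ge (New-TimeSpan -Minutes 15)
        'Reversible encryption disabled'   = -not $policy.ReversibleEncryptionEnabled
    }
}

(Test-DomainPasswordPolicy).GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}

# Stricter fine-grained policy for Tier 0 administrators (hypothetical name).
# Lower Precedence wins when several policies apply to a user.
New-ADFineGrainedPasswordPolicy -Name 'Tier0-Admins' -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'Tier0-Admins' -Subjects 'Domain Admins'

# Banned-password check: a constructed three-entry list stands in for a real compromised-credential feed.
$banned = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($p in @('Password1', 'Welcome123', 'Summer2024!')) { [void]$banned.Add($p) }

function Test-CandidatePassword {
    param([Parameter(Mandatory)][string]$Candidate)
    if ($Candidate.Length -lt 14)     { return 'Rejected: shorter than 14 characters' }
    if ($banned.Contains($Candidate)) { return 'Rejected: appears on the banned list' }
    return 'Accepted'
}

Test-CandidatePassword -Candidate 'Welcome123'
Test-CandidatePassword -Candidate 'correct horse battery staple'
```

Domain-wide banned-password enforcement at the moment a user changes a password needs a password filter on the domain controllers (for example, Microsoft's Entra Password Protection agent); the function above is the same check applied in scripts that set passwords.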
9. Lack of multifactor authentication (MFA)
Multifactor authentication requires users to provide at least two different authentication factors, such as a password plus a one-time passcode or a fingerprint. Requiring MFA renders a stolen or guessed password useless on its own. However, many organizations have not implemented MFA at all or have adopted it only in a limited way, which increases their risk of security breaches.
Identification and mitigation
To mitigate this Active Directory misconfiguration, implement MFA on all accounts. However, be judicious about how often MFA challenges are issued, since they can frustrate users and delay critical business processes. Accounts with privileged rights, such as administrators and users with access to sensitive data, should be considered higher risk and therefore subjected to more MFA checks.
10. Misconfigured Group Policy objects (GPOs)
Our final Active Directory misconfiguration concerns Group Policy, a powerful component of AD that is a vital tool for cybersecurity professionals. However, its enormous power also makes it a top target of attackers.
We’ve already seen one example of how misconfigured Group Policy puts security at risk: by allowing weak encryption. But IT pros have literally thousands of GPO settings to choose from, along with complex linking, precedence and other intricacies to master.
As a result, many organizations have important security gaps in their Group Policy that they don’t know about. And just one misconfiguration can enable attackers to access the network, move laterally, elevate their permissions, avoid detection or establish persistent access. Common misconfigurations include:
- Permitting unlimited attempts to guess account passwords
- Granting groups like “All users” and “Everyone” access to sensitive information
- Allowing users who are not Domain Admins to access domain controllers
Identification and mitigation
To mitigate this Active Directory misconfiguration, implement a robust Group Policy management strategy. Key steps include the following:
- Regularly review all GPO settings and validate the intended scope.
- Make sure that only the right users have the ability to create, modify and delete GPOs in your environment.
- Regularly review GPO linking.
- Implement approval-based GPO change control that involves proper segregation of duties.
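The permission and linking reviews in the steps above, as an added PowerShell example that is not part of the original article: using the GroupPolicy and ActiveDirectory modules, it lists every principal holding edit, delete or custom rights on any GPO that is not on an expected-editors list, and then builds a link report for the domain root and every OU, including GPOs that are linked nowhere. The expected-editors list is an assumption to adjust for your environment.

```powershell
# Added example: who can change GPOs, and where each GPO is linked.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Principals that are expected to hold change rights on GPOs (assumption; adjust to your delegation model).
$expectedEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS'
$changeRights    = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Get-GpoPermissionFinding {
    foreach ($gpo in Get-GPO -All) {
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All) {
            if (($changeRights -contains [string]$p.Permission) -and ($expectedEditors -notcontains $p.Trustee.Name)) {
                [pscustomobject]@{
                    GPO        = $gpo.DisplayName
                    Trustee    = $p.Trustee.Name
                    Permission = $p.Permission
                }
            }
        }
    }
}

function Get-GpoLinkReport {
    $linked     = @{}
    $containers = @((Get-ADDomain).DistinguishedName) + @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)
    foreach ($c in $containers) {
        foreach ($link in (Get-GPInheritance -Target $c).GpoLinks) {
            $linked[$link.GpoId] = $true
            [pscustomobject]@{
                Target   = $c
                GPO      = $link.DisplayName
                Enabled  = $link.Enabled
                Enforced = $link.Enforced
                Order    = $link.Order
            }
        }
    }
    # GPOs linked to no domain or OU (site links are not checked here) are cleanup candidates.
    Get-GPO -All | Where-Object { -not $linked.ContainsKey($_.Id) } | ForEach-Object {
        [pscustomobject]@{ Target = '(unlinked)'; GPO = $_.DisplayName; Enabled = $null; Enforced = $null; Order = $null }
    }
}

'GPO change rights held by unexpected principals:'
Get-GpoPermissionFinding | Format-Table -AutoSize

'GPO links by container (unlinked GPOs listed last):'
Get-GpoLinkReport | Sort-Object Target, Order | Format-Table -AutoSize
```

For the change-control step, pair this report with auditing of event 5136 and 5137 (directory object modified/created) on the Policies container in SYSVOL-backed AD so that any GPO edit outside the approval process is visible.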
For a deeper dive, see “How attackers abuse Group Policy and how to thwart them.”
Conclusion
Active Directory misconfigurations are low-hanging fruit for attackers. Indeed, adversaries regularly exploit them to achieve initial access, lateral movement, privilege escalation, defense evasion, persistence and more. As a result, they are able to achieve goals like deploying ransomware, exfiltrating sensitive data and damaging business operations.
Fortunately, many Active Directory misconfigurations are fairly easy to identify and mitigate, so you can quickly reduce your attack surface. To maintain strong security and cyber resilience, be sure to follow best practices for Active Directory management, AD security, AD monitoring and AD reporting.