Best practices for mitigating configuration drift in Active Directory

Configuration drift in Active Directory (AD) can have profound implications for security, compliance, performance and business continuity. Unfortunately, it is quite a common problem; the Microsoft Digital Defense Report 2023 notes that 43 percent of customers suffer from insecure Active Directory configuration.

There is good news, however: The same report reveals that Active Directory misconfiguration has one of the highest return on mitigation (ROM) scores, with a rating of 12 on a 15-point scale. Simply put, tackling this issue is a valuable use of your time and budget because it delivers a high impact but requires relatively low effort and expense. Indeed, the Microsoft report finds that mitigating Active Directory configuration drift has a strong impact on many stages of a cyberattack, including reconnaissance, execution, persistence, privilege escalation and lateral movement.

This article will help explain exactly what Active Directory configuration drift is, what causes it and the impacts it can have. We will also dive into some effective strategies that can help you prevent and mitigate configuration drift at your organization.

What is configuration drift?

Configuration drift is the deviation of a system’s configuration from its intended state. It applies to a wide range of systems, including not just identity platforms like Active Directory but operating systems, databases, web servers, firewalls and more.

How does this drift in configuration happen? Well, organizations do their best to configure their systems properly, often relying on guidance like benchmarks from the Center for Internet Security (CIS). But IT systems are highly dynamic, so over time their various configuration settings are modified for a variety of reasons. These changes move the system away from its desired configuration. While “drift” implies gradual movement, the process can be slow or sudden.

How does this apply to AD? Active Directory is a complex system that stores critical identity and access information and provides vital authentication and authorization services. Accordingly, configuration drift in Active Directory can take many forms. For example, the configuration of AD often drifts from its secure baseline when:

  • A user changes roles within the organization and retains permissions they no longer need.
  • A project ends but the associated security groups are not deleted, leaving unneeded access rights in place.
  • An admin or an adversary with elevated access rights makes improper changes to Group Policy objects (GPOs).

Common causes of Active Directory configuration drift

Configuration drift in Active Directory results from a variety of factors, including the following:

  • Human error — Administrators may inadvertently make improper changes to Active Directory objects or other configuration elements. Errors are particularly common when there is a pressing business need. For example, an admin might grant an executive access to certain data or applications by directly assigning access rights rather than following the policy of using security groups. Or, under the tight deadline of a merger or acquisition (M&A) deal, an admin might link a GPO to the wrong organizational unit (OU).
  • Lack of automation — Configuration drift is especially common in environments where routine tasks are performed manually. Without automation to execute processes exactly as mandated by established policies, inconsistencies are bound to arise.
  • Patches and updates — Updates or patches applied to Active Directory components can introduce configuration changes that result in deviations from the established baseline. Failure to thoroughly test updates before deployment can exacerbate this issue.
  • Shadow IT — Departments or individual users may deploy software or services in the network without the knowledge and oversight of the IT team. These systems are unlikely to be configured in compliance with the organization’s policies, which can result in an insecure Active Directory configuration.
  • Malicious changes — Because of its critical role in identity and access management, Active Directory is a top target of adversaries. For instance, modifying GPOs has become such a key technique in modern cyberattacks that threat intelligence firm Mandiant devotes an entire step of its five-step attack playbook to it.
  • Inadequate Active Directory auditing — Lack of visibility into changes to AD configuration makes it difficult to detect and rectify improper modifications in a timely manner. As a result, AD misconfigurations can snowball.

The key impacts of configuration drift

Drift in Active Directory configurations poses significant challenges to security and compliance, productivity, and cyber resilience. Let’s dive into each of those areas.

Security and compliance impacts

As we have already seen, misconfigurations can enable user accounts to reach systems and data they should not be allowed to access. These excessive access rights can be misused accidentally or deliberately by the legitimate account owner or abused by an adversary who compromises the account. Indeed, the Microsoft Digital Defense Report 2023 states: “Misconfigurations and exposure of identity platforms and their components are common vectors for attackers to gain unauthorized high-privilege access.”

The consequences can be quite serious, including:

  • Data exfiltration by malicious actors
  • Inadvertent misuse of data and systems by users who do not realize they should not have access
  • Increased risk of malware infections and extended reach of ransomware
  • Hefty fines for violations of GDPR, HIPAA or other regulatory mandates
  • Lasting damage to the organization’s reputation

To see how real these risks are, let’s walk through a simple scenario that involves Active Directory Certificate Services (AD CS). AD CS enables the issuing, management and revocation of digital certificates that are used for various purposes in an Active Directory environment — including user authentication. Suppose configuration drift has resulted in one of our organization’s certificate templates becoming misconfigured. Here’s how we can abuse this misconfiguration to gain Domain Admin rights:

  1. We compromise an ordinary user account that does not have access to any domain controllers (DCs).
  2. We use an open-source tool called Certify to list vulnerable certificate templates and discover one called UserTest.
  3. Using Certify, we request a certificate based on the misconfigured UserTest template. For the SAN (subject alternative name), we supply the name of a Domain Admin account.
  4. We convert the certificate to a .pfx file using OpenSSL.
  5. We use this file in a TGT request. Now our session has access to the domain controller because we are using Domain Admin privileges.

Productivity impacts

Configuration drift does not always result in overprovisioning of accounts; it can also take away access rights that users need to do their jobs. For example, a routine update or administrator error might result in replication issues that interfere with user authentication and authorization processes. Or a change to Group Policy could block all the users in a particular OU from accessing a necessary database or application.

Cyber resilience impacts

More broadly, improper changes to AD configuration can have a devastating impact on cyber resilience. Cyber resilience refers to an organization’s ability to stay up and running in the face of a variety of adverse events, including not just cyberattacks but errors, power outages and equipment failures. Accordingly, it involves preventing IT system disruptions or downtime that could affect business processes, as well as getting it back up and running quickly when a disruption does occur.

Addressing configuration drift is vital for cyber resilience because it can lead to:

  • Downtime of essential services — Misconfigurations can cause availability issues directly, as well as by enabling adversaries to move laterally and escalate their privileges until they can do deliberate damage.
  • Performance degradation — Even if a system does not go down entirely, poor performance can impair critical business processes.
  • Unpredictable behavior in deployment — Drift can lead to inconsistencies between development, test and production environments.
  • Inability to recover — Misconfigured backup and storage settings can make it impossible to restore vital data and systems.

Best practices for combatting Active Directory configuration drift

Clearly, organizations need to do their best to prevent drift in their Active Directory configuration, as well as ensure they can promptly spot and remediate unwanted configuration changes. Here are the best practices to implement:

  • Understand and minimize your Tier 0 assets.
  • Establish secure configuration baselines.
  • Regularly assess your environment for configuration issues.
  • Implement change management.
  • Enable real-time monitoring and alerting.
  • Automate whenever possible.
  • Remediate configuration drift promptly.
  • Provide regular training.
  • Have a solid backup and disaster recovery strategy.

Understand and minimize your Tier 0 assets.

Your critical systems and data are collectively called your Tier 0 assets. They are a top target of cyberattacks because by compromising a Tier 0 asset, an adversary can gain full control of the organization’s IT infrastructure. With a solid understanding of your Tier 0, you can focus on protecting and monitoring your most valuable assets.

However, determining exactly which assets comprise your Tier 0 is not an easy task. Some objects are obviously Tier 0, while others require more consideration. That said, Tier 0 definitely includes your domain controllers and other powerful servers, such as Public Key Infrastructure (PKI) servers, AD administrative servers used by solutions such as One Identity Active Roles, the server hosting Microsoft Entra Connect in hybrid environments, and servers that host sessions for privileged accounts.

Tier 0 also clearly includes all accounts and security groups that have direct or indirect administrative control over your forest, domains or DCs. These include powerful security groups like Domain Admins, Account Operators and Backup Operators, along with all user accounts that are members of those groups. Another common example is any service account that is granted elevated rights.

Often overlooked are accounts that do not presently have elevated access rights but that could gain them. The chain of actions involved in this privilege escalation is called an attack path. These actions often involve abusing things like concealed permissions and nested group membership, both of which often arise from AD configuration drift. Organizations often have literally hundreds or even thousands of attack paths, many of which involve only a handful of steps. Moreover, there’s an open-source tool called BloodHound that adversaries can use to map them out in detail.

Fortunately, there’s also a version of BloodHound designed for IT security teams that not only uncovers the attack paths in your environment but also visualizes the choke points that they share. By taking the mitigation strategies the tool lays out, you can dramatically reduce the number of Tier 0 assets you have and therefore the risk your organization faces.

Establish secure configuration baselines.

Of course, to guard against configuration drift, you must have standard configurations against which to measure the current state of your systems. A cornerstone of AD configuration is to enforce the principle of least privilege: Limit each user’s privileges to only those necessary for performing their designated tasks. Other long-standing best practices are to implement segregation of duties (SoD) and utilize privileged access workstations (PAWs).

Microsoft provides a wealth of information about how to configure Active Directory to ensure strong security and performance. Various national IT security agencies provide AD security best practices and guidelines, including:

As specialists in Active Directory, we have developed several helpful best practice guides for enhancing Active Directory security, protecting domain controllers and managing Group Policy that you can reference.

Additionally, be sure to periodically review your baseline configurations and update them to reflect changes in business requirements, compliance requirements, security standards and your overall threat landscape.
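A baseline is only useful if something compares the live directory against it. The following PowerShell is an added example, not code from the article or from Quest: it records the membership of a set of Tier 0 groups as a JSON baseline and later reports any member that has been added or removed, which is exactly the kind of drift the earlier sections describe. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list is an assumption and should be replaced with your own Tier 0 definition.

```powershell
# Added example, not code from the article or from Quest: record a baseline of Tier 0 group
# membership and compare the live directory against it to surface drift.
# Assumes the RSAT ActiveDirectory module and read access to the domain; the group list is
# an assumption and should match your own Tier 0 definition.
Import-Module ActiveDirectory

$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                 'Administrators', 'Account Operators', 'Backup Operators')

function Resolve-SidName([string]$Sid) {
    # Best-effort lookup; an object that was removed may no longer resolve
    $obj = Get-ADObject -Filter "objectSid -eq '$Sid'" -ErrorAction SilentlyContinue
    if ($obj) { $obj.Name } else { '(unresolved)' }
}

function Get-Tier0Snapshot {
    param([string[]]$Groups = $Tier0Groups)
    $snapshot = @{}
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so indirect members are captured as well;
        # SIDs are stored rather than names so that a rename does not show up as drift
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                   ForEach-Object { $_.SID.Value } | Sort-Object
        $snapshot[$g] = @($members)
    }
    return $snapshot
}

function Save-Tier0Baseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-Tier0Snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-Tier0Baseline {
    param([Parameter(Mandatory)][string]$Path)
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current  = Get-Tier0Snapshot
    $findings = foreach ($g in $current.Keys) {
        $was = @($baseline.$g | Where-Object { $_ })   # empty if the group is new to the baseline
        $now = $current[$g]
        foreach ($sid in ($now | Where-Object { $_ -notin $was })) {
            [pscustomobject]@{ Group = $g; Change = 'Added';   SID = $sid; Name = (Resolve-SidName $sid) }
        }
        foreach ($sid in ($was | Where-Object { $_ -notin $now })) {
            [pscustomobject]@{ Group = $g; Change = 'Removed'; SID = $sid; Name = (Resolve-SidName $sid) }
        }
    }
    return $findings
}

# Usage: take the baseline once the membership has been reviewed and approved...
# Save-Tier0Baseline -Path 'C:\Baselines\tier0-groups.json'
# ...then run the comparison on a schedule and alert on any output:
# Compare-Tier0Baseline -Path 'C:\Baselines\tier0-groups.json' | Format-Table -AutoSize
```

Every difference the comparison reports should map to an approved change request; anything that does not is drift to remediate. The same pattern extends to other baseline elements, for example the list of GPOs linked at the domain root or the ACL on the AdminSDHolder object.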

Regularly assess your environment for configuration issues.

As we have seen, you cannot simply establish strong baseline configurations and expect systems to continue to adhere to them. Instead, you have to be constantly on the lookout for configuration issues such as:

  • Non-privileged accounts with write access on certificate templates — An adversary can abuse this misconfiguration to create illegitimate certificates that elevate their privileges and possibly even compromise the domain.
  • Non-privileged accounts that can link GPOs to the domain — Group Policy can be abused to weaken security or deploy payloads. If an adversary gains the ability to link a GPO at the domain level, they can effectively take over the entire domain.
  • Privileged user accounts with Service Principal Names (SPNs) — These accounts are vulnerable to Kerberos-based authentication attacks that enable privilege escalation.
  • Non-privileged accounts that can log onto privileged computers — If a user is able to log on to a privileged computer, such as a DC, either locally or by remote session, they can execute code or obtain a copy of all password hashes.
  • Ability for privileged accounts to log on to non-privileged computers — When a user logs on to a machine, their password hash remains in memory and can be harvested by an adversary, so it’s essential to set up Group Policy to prevent privileged users like Domain Admins from logging on to enterprise servers (Tier 1) and standard user workstations (Tier 2).
  • Computer accounts with unconstrained delegation — When unconstrained delegation is enabled, the Kerberos TGT of any user who authenticates to that computer can be captured and used to elevate the adversary’s privileges to any service that TGT has access to. Only domain controllers should have unconstrained delegation granted.
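Several of the checks above can be scripted against the directory with native tooling. The following PowerShell is an added example, not code from the article or from Quest: it implements read-only checks for three of the listed issues (computer accounts with unconstrained delegation, privileged accounts carrying SPNs, and non-privileged principals with write rights on certificate templates). It assumes the RSAT ActiveDirectory module; the group list and the set of principals trusted to edit templates are assumptions to adjust to your environment.

```powershell
# Added example, not code from the article or from Quest: read-only checks for three of the
# configuration issues listed above, written against the RSAT ActiveDirectory module.
# The group list and the set of principals trusted to edit certificate templates are
# assumptions; adjust both to your environment. Each function returns one object per finding,
# so an empty result means the check passed.
Import-Module ActiveDirectory

$PrivilegedGroups       = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                            'Account Operators', 'Backup Operators')
$TrustedTemplateWriters = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM')

function Get-UnconstrainedDelegationComputers {
    # TrustedForDelegation maps to the TRUSTED_FOR_DELEGATION flag in userAccountControl,
    # i.e. unconstrained delegation. Domain controllers carry it by design, so they are excluded.
    $dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
        Where-Object { $dcDNs -notcontains $_.DistinguishedName } |
        Select-Object Name, DistinguishedName
}

function Get-PrivilegedAccountsWithSpn {
    param([string[]]$Groups = $PrivilegedGroups)
    $seen = @{}
    foreach ($g in $Groups) {
        # -Recursive follows nested groups; $seen avoids reporting one account several times
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and -not $seen.ContainsKey($_.distinguishedName) } |
            ForEach-Object {
                $seen[$_.distinguishedName] = $true
                $u = Get-ADUser -Identity $_.distinguishedName -Properties ServicePrincipalName
                if ($u.ServicePrincipalName.Count -gt 0) {
                    [pscustomobject]@{ Account = $u.SamAccountName; Group = $g
                                       SPNs = ($u.ServicePrincipalName -join '; ') }
                }
            }
    }
}

function Get-TemplateWriteAccess {
    param([string[]]$Trusted = $TrustedTemplateWriters)
    # Certificate templates live in the configuration partition, not the domain partition
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    # Any of these rights on a template lets the holder change the template, its ACL or its owner
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty'
    Get-ADObject -SearchBase $container -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties nTSecurityDescriptor |
        ForEach-Object {
            $template = $_
            foreach ($ace in $template.nTSecurityDescriptor.Access) {
                $principal = $ace.IdentityReference.Value
                $shortName = $principal -replace '^.*\\', ''   # drop the DOMAIN\ or BUILTIN\ prefix
                if ($ace.AccessControlType -eq 'Allow' -and
                    ([int]($ace.ActiveDirectoryRights -band $writeMask) -ne 0) -and
                    ($Trusted -notcontains $shortName)) {
                    [pscustomobject]@{ Template = $template.Name; Principal = $principal
                                       Rights = $ace.ActiveDirectoryRights.ToString() }
                }
            }
        }
}

# Usage: run each check and review the findings.
# Get-UnconstrainedDelegationComputers | Format-Table -AutoSize
# Get-PrivilegedAccountsWithSpn        | Format-Table -AutoSize
# Get-TemplateWriteAccess              | Format-Table -AutoSize
```

The template check deliberately over-reports: a WriteProperty ACE scoped to a single attribute is flagged the same way as full control, because in an audit a false positive that a reviewer dismisses is cheaper than a missed template that an attacker could edit. Results from all three functions belong in the same review cycle as the baseline comparison, and each finding should either be remediated or documented as an accepted exception.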

Implement change management.

One of the most important strategies for mitigating the risk of configuration drift is to establish and enforce strict change management for all modifications to Active Directory configurations. Require proper documentation, implement approval workflows, and test changes before rolling them out in production.

Change management processes help ensure that all configuration changes are authorized, validated and recorded, and that they will not introduce errors or conflicts that can cause configuration issues. Some change management solutions enable you to proactively block changes to sensitive objects such as key GPOs and highly privileged security groups.

Enable real-time auditing and alerting.

Real-time Active Directory monitoring will help you promptly detect drift away from your established configuration baselines. Be sure to leverage an auditing solution that can alert you to critical modifications and other suspicious activity. Here are some of the indicators of compromise (IoCs) to watch for:

  • Irregular DC registration or replication activity
  • Attempts to access the AD database file (NTDS.dit)
  • Unusual increase in failed attempts to make AD configuration changes
  • Unusual increase in changes to permissions
  • Spike in failed sign-in attempts or AD account lockouts
  • Use of the built-in Administrator account
  • Privileged accounts or groups with SID history populated
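Two of the indicators above can be checked with native tooling while a full auditing solution is being put in place. The following PowerShell is an added example, not code from the article or from Quest: it pulls successful logons (event ID 4624) from a domain controller's Security log and flags those made with the built-in Administrator account, which keeps relative ID 500 regardless of what it has been renamed to, and it lists any privileged group or group member whose SID history attribute is populated. The look-back window, the group list and the DC name are assumptions.

```powershell
# Added example, not code from the article or from Quest: checks for two of the indicators
# listed above using native tooling. Event ID 4624 (successful logon) and relative ID 500
# (the built-in Administrator account) are fixed Windows values; the look-back window and the
# group list are assumptions. 4624 is written on the machine where the logon happened, so run
# the event check against each DC (or a central collector) rather than a single host.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

function Get-BuiltInAdminLogons {
    param([string]$ComputerName = $env:COMPUTERNAME,
          [datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # The built-in Administrator keeps RID 500 no matter what it has been renamed to;
            # anchoring on the full domain SID shape avoids matching RIDs such as 1500
            if ($data['TargetUserSid'] -match '^S-1-5-21-\d+-\d+-\d+-500$') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    LogonType   = $data['LogonType']
                    SourceIP    = $data['IpAddress']
                    Workstation = $data['WorkstationName']
                }
            }
        }
}

function Get-PrivilegedSidHistory {
    param([string[]]$Groups = $PrivilegedGroups)
    $seen = @{}
    foreach ($g in $Groups) {
        # The group object itself and every direct or nested member are checked
        $targets = @(Get-ADGroup -Identity $g) + @(Get-ADGroupMember -Identity $g -Recursive)
        foreach ($t in $targets) {
            if ($seen.ContainsKey($t.distinguishedName)) { continue }
            $seen[$t.distinguishedName] = $true
            $obj = Get-ADObject -Identity $t.distinguishedName -Properties sIDHistory, sAMAccountName
            if ($obj.sIDHistory.Count -gt 0) {
                [pscustomobject]@{ Object = $obj.sAMAccountName; Group = $g
                                   SIDHistory = ($obj.sIDHistory -join '; ') }
            }
        }
    }
}

# Usage: schedule both and alert on any output.
# Get-BuiltInAdminLogons -ComputerName 'DC01' | Format-Table -AutoSize
# Get-PrivilegedSidHistory | Format-Table -AutoSize
```

Outside of a migration that is still in progress, SID history on a privileged principal has no legitimate reason to exist, so any row from the second function warrants investigation rather than a tuning exercise. The first function is a polling check; a real-time auditing solution or forwarded event subscription should replace it once one is in place.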

You can read more about how to build a truly effective program for auditing Active Directory, including the strengths and limitations of native auditing tools.

Automate whenever possible.

As noted earlier, manual processes are a leading cause of configuration drift, so automation can reduce risk significantly. While Microsoft PowerShell offers automation capabilities, many organizations find that third-party configuration management, change management and related solutions deliver a sound return on investment.

Remediate configuration drift promptly.

When configuration drift is detected, it’s critical to promptly apply remediation actions to correct it and restore your intended AD configuration. Be sure to resolve any errors or conflicts that may have resulted from configuration drift, analyze the incident, and revise your processes to help prevent similar events in the future.

Provide regular training.

Educate everyone — including IT staff, business users, managers and contractors — about your configuration standards and security best practices, as well as the importance of adhering to them. Foster a culture of proactive risk management and accountability.

Have a solid backup and disaster recovery strategy.

Be prepared for the possibility that undetected configuration drift might lead to data loss or system downtime. Be sure to follow AD backup best practices. Ensure you can granularly recover individual AD objects and attributes, and that you have an airtight AD disaster recovery strategy that provides you with flexible recovery options, including the ability to restore to the cloud if your physical infrastructure is compromised and you can’t trust your hardware.

Start with a strategic approach.

It speaks volumes that mitigating Active Directory configuration drift earned one of the highest ROM scores from Microsoft. While it may seem overwhelming to tackle everything included in this article, you do not have to implement all of the best practices outlined here before you see significant benefits. Start out by determining which strategies are most relevant for your organization and begin addressing the configuration drift issues that are having the biggest impact on your Active Directory environment.

About the Author

René Walther

René Walther is a Strategic Systems Consultant with more than 16 years of experience at Quest Software and 23 years in the IT industry. He advises customers and partners on Quest management and security solutions for hybrid Microsoft environments. Prior to joining Quest and relocating to Switzerland, René worked as an IT specialist and project manager for a German telecommunications company. René has a strong technical background and a passion for delivering value to customers.