Attack surface reduction explained: How to secure Active Directory
An organization’s attack surface includes any area of a network, device, or IT infrastructure that could be compromised in a cyberattack. As you can imagine, attack surfaces are growing as quickly as our reliance on various devices and remote applications.

In this blog, we will dive into attack surface reduction (ASR), a crucial cybersecurity concept that focuses on minimizing the vulnerabilities an attacker can exploit within a system, and into the central role that securing Active Directory plays in reducing your overall attack surface.

What is attack surface reduction?

In short, the attack surface of a system is the sum of all the attack vectors an unauthorized user can leverage to try to break into an environment in an attempt to achieve their goals, like wreaking havoc, exfiltrating data, or launching additional attacks on (other) targets. Attack surface reduction (ASR) is a core concept in cybersecurity and involves minimizing the vulnerabilities that a potential attacker could exploit in a system.

ASR strategies aim to shrink these attack surfaces by eliminating unnecessary functionality, hardening the services and features that remain, tightening access controls, and updating software regularly.

Amongst other things, strategies to reduce the attack surface of an environment may include:

  • The principle of least privilege. Limit the damage attackers can induce when compromising a user’s account or application by limiting access to only allow what is required for a user’s role and nothing more.
  • Network segmentation. Divide the network into separate segments, limiting the spread of threats within the network or making it considerably more challenging. If an attacker gains access to one part of the network, network segmentation can help keep them contained within that portion of the network, forcing them to take additional steps to move throughout the environment, and providing more time and opportunities for you to detect malicious activities.
  • Hardening (securing) the configuration. Enhance the security configuration of your applications and systems. For example, disable unnecessary services, close unused ports, install and configure appropriate security tooling (like an Endpoint Detection & Response solution), etc.
  • Auditing and monitoring. Regularly audit and monitor systems and networks for unusual behavior, policy violations, or signs of an attack. This can help identify potential vulnerabilities or attacks in progress.

Now that we’ve explored the overall concept of attack surface reduction, let’s see how it applies to Active Directory, one of the most critical components of an IT infrastructure.

Why Active Directory is a common attack surface

With a history spanning over two decades, Microsoft Active Directory holds the distinction of being one of Microsoft’s oldest products. Even today, it remains a crucial component in many environments, providing essential services like authentication and policy enforcement (Group Policies). While Active Directory has undergone significant evolution and received numerous improvements, it continues to be a challenge for organizations, often serving as the Achilles’ heel in security breaches. As Alex Weinert, VP, Director of Identity Security at Microsoft, highlighted at The Experts Conference 2022 in Atlanta, breaches primarily happen on-premises.

Considering the extensive duration of Active Directory’s existence, one might assume that defenders would have become adept at protecting it. Unfortunately, the opposite is true. As cloud technology gains prevalence and attracts the workforce, familiarity with Active Directory appears to diminish rapidly. Moreover, attackers have also had the opportunity to hone their skills for over two decades, presenting a potential recipe for disaster.

If anything, all the above highlights the utmost importance of maintaining a robust Active Directory infrastructure. Organizations should strive to minimize the attack surface within their environment. By doing so, they can enhance the security posture of Active Directory and mitigate or dramatically reduce potential risks.

Attack surface management best practices for Active Directory

Reducing the attack surface of Active Directory requires attention to several areas and the implementation of specific measures in each of them, including the following:

Regular patching and updating

With software, bugs occur. Depending on the (type of) bug, a vulnerability might exist, providing attackers with an opportunity to gain access to the environment. Although not all bugs and vulnerabilities are created equal, they have one thing in common: software updates are issued to remediate them. As such, staying current with the latest software updates and patches is crucial. Patch management is probably the single most effective attack surface reduction activity you can perform.

Implement tiered administration

Separating administrative activities from regular user activities minimizes the risk of lateral movement and privilege escalation. This approach limits the potential impact of compromised accounts and reduces the attack surface. Because the topic of tiered administration deserves an article in its own right, consider reading this article on Tier 0 for more information.

Implement monitoring and auditing

There are several aspects to monitoring and auditing Active Directory.

  • Make sure that you monitor the activities within the environment. This requires regularly looking at sign-in logs to check for anything out of the ordinary. This allows you to detect potentially malicious activities as they happen, enabling you to respond in a timely manner. Monitoring these activities is not simple, especially considering that Active Directory is responsible for so many services. Although you could build your own monitoring system by enabling advanced auditing and logging and exporting these logs to a SIEM in an attempt to correlate events, it is far more efficient to consider off-the-shelf third-party auditing solutions that can simplify these processes.
  • Consider auditing changes to the environment. Given sufficient privileges, attackers love to make changes to the environment’s configuration, enabling them to, for example, remain undetected, provide broader access to systems or create a backdoor for continuous access. Change Auditor for Active Directory is an excellent example of a solution that can help you stay aware of what is happening. It even allows you to quickly revert changes made either in error or maliciously.
  • Regularly review the configuration of the environment. Like many applications, Active Directory is a living environment: the configuration may change over time, accounts are created and removed, permissions granted, and so on. The larger the environment, the harder it may become to stay informed about everything happening within it. Considering that a single misconfiguration may increase the exposure of your environment, you must regularly review its configuration. Here, the same recommendation as before applies: even though you could do it yourself, consider leveraging third-party solutions to help you with tasks like monitoring, auditing and exposing attack paths.
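The following script is an added example, not code from the article, of what "looking at the logs" can mean in practice when you do it yourself: it reads a domain controller's Security log for additions to security groups and for accounts with a burst of failed logons. It assumes the account running it can read the Security log, that advanced audit policy is enabled for Logon and Security Group Management, and that the failure threshold (an assumption) is tuned to your environment.

```powershell
# Added example (not from the article): pull two kinds of evidence from a
# domain controller's Security log: security group membership changes and
# accounts with a burst of failed logons within the last $Hours hours.
param(
    [string]$ComputerName     = $env:COMPUTERNAME,
    [int]   $Hours            = 24,
    [int]   $FailureThreshold = 20     # assumption: tune per environment
)
$since = (Get-Date).AddHours(-$Hours)

# Turn an event's EventData into a hashtable keyed by field name.
function ConvertTo-EventData($Event) {
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group.
Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since } |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Group     = $d.TargetUserName   # the group that was modified
            Member    = $d.MemberName       # the DN of the account added
            ChangedBy = $d.SubjectUserName  # who made the change
        }
    } | Sort-Object Time | Format-Table -AutoSize

# 4625: failed logons, grouped by target account; only accounts above the threshold.
Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since } |
    ForEach-Object { (ConvertTo-EventData $_).TargetUserName } |
    Group-Object | Where-Object Count -ge $FailureThreshold |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

Run it against each domain controller, since logon and group-change events are recorded on the DC that processed them, not replicated.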

Regularly reset the KRBTGT password twice

The KRBTGT account is a critical target for attackers, as compromising its key allows them to forge valid Kerberos tickets for all domain resources. Resetting the password twice – following a specific procedure – invalidates the previous keys, rendering tickets forged with a compromised key useless. Remember that doing so is only part of the work: resetting the password will not prevent attackers from gaining access to the environment if they have established other attack paths or backdoors.
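The "specific procedure" matters because the second reset must not happen before the first has replicated to every domain controller and tickets issued under the previous key have expired. The following pre-flight check is an added example, not part of the article; it performs no reset. It assumes the ActiveDirectory module is available, that every DC is reachable over LDAP, and that the Kerberos policy uses the default maximum TGT lifetime of 10 hours (confirm this in your Default Domain Policy).

```powershell
# Added example (not from the article): pre-flight check before a KRBTGT reset.
# Reports whether the previous reset has replicated to every DC and whether
# tickets issued under the previous key could still be valid.
Import-Module ActiveDirectory
$MaxTgtLifetimeHours = 10   # assumption: default Kerberos policy "Maximum lifetime for user ticket"

# Query every DC directly so replication lag shows up as differing PasswordLastSet values.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet -ErrorAction Stop
        [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $u.PasswordLastSet; Error = $null }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $null; Error = $_.Exception.Message }
    }
}
$perDc | Format-Table -AutoSize

$unreachable = @($perDc | Where-Object { $_.Error })
$distinct    = @($perDc | Where-Object { -not $_.Error } |
                 Select-Object -ExpandProperty PasswordLastSet -Unique)

if ($unreachable.Count -gt 0) {
    Write-Warning "Could not query: $($unreachable.DC -join ', '). Resolve this before resetting."
} elseif ($distinct.Count -gt 1) {
    Write-Warning "KRBTGT PasswordLastSet differs between DCs; wait for replication before the next reset."
} elseif ($distinct.Count -eq 1) {
    $lastSet    = $distinct[0]
    $hoursSince = ((Get-Date) - $lastSet).TotalHours
    if ($hoursSince -lt $MaxTgtLifetimeHours) {
        # Tickets issued under the previous key may still be valid; a second reset now
        # would invalidate them and break sessions.
        Write-Warning ("Last reset {0:N1} h ago; wait until {1} before the second reset." -f
            $hoursSince, $lastSet.AddHours($MaxTgtLifetimeHours))
    } else {
        Write-Output ("All DCs agree; last reset {0:N1} days ago. A reset may proceed." -f ($hoursSince / 24))
    }
}
```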

Protect domain controllers

Harden domain controller systems by limiting internet access, restricting inbound traffic to specific well-known ports, and securing the operating system with modern security tools like Endpoint Detection & Response (EDR) and anti-malware solutions.

Eliminate the use of insecure protocols and ciphers

Some protocols supported by Active Directory are known to be susceptible to attacks. Examples include SMB v1 and NTLM v1. Unless a legacy application makes it impossible, you should eradicate the use of these protocols from your environment by disabling support for them at the domain and domain controller level.
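Before disabling anything, you need to know where these protocols are still enabled. The following inventory is an added example, not code from the article: it queries every domain controller for its SMBv1 server setting, SMB signing requirement and LAN Manager authentication level (the setting that governs whether LM and NTLMv1 responses are accepted), and points to the corrective setting for each finding. It assumes the ActiveDirectory module, WinRM access to each DC, and Windows Server 2012 R2 or later.

```powershell
# Added example (not from the article): inventory SMBv1 and NTLM settings on
# every domain controller so legacy protocol support can be removed deliberately.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $smb = Get-SmbServerConfiguration
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # LmCompatibilityLevel: 0-2 still send LM/NTLMv1 responses, 3-4 send NTLMv2 only,
    # 5 additionally refuses incoming LM and NTLMv1 authentication.
    # An absent value means the OS default (assumed 3 on supported Server versions).
    $lm = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }
    [pscustomobject]@{
        DC                   = $env:COMPUTERNAME
        SMB1Enabled          = [bool]$smb.EnableSMB1Protocol
        SMBSigningRequired   = [bool]$smb.RequireSecuritySignature
        LmCompatibilityLevel = $lm
    }
}
$report | Select-Object DC, SMB1Enabled, SMBSigningRequired, LmCompatibilityLevel | Format-Table -AutoSize

foreach ($r in $report) {
    if ($r.SMB1Enabled) {
        Write-Warning ("{0}: SMBv1 server enabled. Remediate with " +
            "Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force, then remove the FS-SMB1 feature." -f $r.DC)
    }
    if ($r.LmCompatibilityLevel -lt 5) {
        Write-Warning ("{0}: LmCompatibilityLevel {1} still accepts LM/NTLMv1. Remediate via GPO " +
            "'Network security: LAN Manager authentication level' = 'Send NTLMv2 response only. Refuse LM & NTLM' " +
            "(level 5), linked to the Domain Controllers OU." -f $r.DC, $r.LmCompatibilityLevel)
    }
    if (-not $r.SMBSigningRequired) {
        Write-Warning ("{0}: SMB signing is not required on the server side." -f $r.DC)
    }
}
```

Because a DC at level 5 refuses NTLMv1 from clients, run the inventory against member servers and check NTLM audit logging first so any legacy dependency surfaces before the level is raised.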


Implement a strong password policy

Instead of rotating passwords every so often, consider implementing a strong password policy that requires longer passwords. When a password is long enough – for example, a passphrase – the complexity of the password does not dramatically increase its security. With a decent password policy, changing passwords once a year is more than enough. If you can, augment password security by implementing Azure AD Password Protection for on-premises Active Directory. By doing so, password hashes from the on-premises environment are compared against a set of known leaked/breached passwords. Administrators will be alerted if such a password is detected in the environment.

Attack surface reduction and AD security are vital

Securing Active Directory is important due to its critical role in an organization’s environment. While native support for modern authentication mechanisms like multi-factor authentication may be lacking, you can take numerous other actions to enhance its security. The key is to focus on reducing the attack surface and implementing continuous monitoring of the environment. By reducing the attack surface, you limit the opportunities for an attacker to gain access to the environment.

Continuous monitoring is essential for daily activities and regular check-ups of the environment’s configuration. By actively monitoring the environment, you can more quickly and efficiently detect and respond to suspicious or malicious activities.

While none of these measures guarantee that you will never encounter a breach, they may significantly slow down and impede attackers, providing you with more time and opportunities to identify and mitigate potential threats.

Michael Van Horenbeeck is a Microsoft Certified Solutions Master (MCSM) and Azure Threat Protection MVP from Belgium, and one of the few people worldwide to hold both the coveted certification and award at the same time. He is a dynamic tech enthusiast and focuses on Security, Identity Management, with a history in Messaging and Collaboration. In his daily job, Michael is the CEO at The Collective and works with customers of all sizes around the globe to help them become and stay secure with, and through, Microsoft's solutions and services. Besides his job at The Collective, Michael loves to engage with the community and inspire people. He is the driving force behind the Microsoft 365 Security for IT Pros e-book and you can regularly find him writing about technology for a variety of tech websites or catch him speaking at different events across the globe.
