Why in the heck would someone want to get into your Active Directory?

So many reasons. Performing reconnaissance to discover users to further abuse? Find inventories of servers or computers? See how to move laterally through your network to gain access to more lucrative resources and data? The list goes on.

From reviewing hundreds of MSP networks this year alone, I can say that many have protections in place for endpoints and the network at large, but little attention is given to making sure your Active Directory (AD) is hardened from cyberattacks.

I understand that your users are savvy. They’re not fooled by spoofed emails — especially the ones with grammatical or spelling errors. But just as they’ve become more conscious of their online life, so too have criminals become more in tune with engineering their way into AD credentials.

How might they exploit AD?

Scripting. It can make life a whole lot easier when dealing with complex environments, but I’ve seen unknown dependencies and misconfigurations really open up doors that otherwise would not give a hacker as much control.

When you rely on one person to write scripts, others on your team are likely kept in the dark as to what is being run. One small change could lead to a break in a configuration, impacting your network’s security.

I often say that it only takes one. One programming error or config change to compromise everything. When I was running my MSP, this is what really kept me up at night. How could I know that that one little error wasn’t already on my network?

Why is AD even a concern?

It all goes back to users. Users and their credentials are being targeted. If someone had been targeted and they had extended access to your network (or that of your clients), you might imagine the nightmare on your hands.

4 Ways MSPs are leaving the door open to attacks through their AD

In auditing hundreds of networks, specifically evaluating Active Directory, here are the ways we’ve noticed MSPs not doing enough to protect themselves:

Stale objects — it might be users, groups, or computers that are no longer needed. Many MSPs leave objects lingering in their Active Directory that shouldn’t be around. The more clutter, the harder it will be to keep things clean long term and the more difficult it will be for someone to pinpoint real security problems. My first suggestion to all of my colleagues—clean your room. Throw away anything that doesn’t absolutely need to be there. Make sure someone owns this job, and have a process with accountability metrics so the cleanup work actually gets done as needed.

Service accounts are not locked down — I understand that several applications may depend on service accounts to run properly in your environment or those of your clients. The problem is that these accounts usually have elevated privileges and typically have passwords that do not expire. Look at these accounts and set up a way to make those passwords change.

Permanent membership in security groups — domain admin users fall into this group. They have the keys to the kingdom. When personal accounts are linked to these high-privilege groups, you risk users in your organization getting phished and handing over access to everything. I know you’re saying that your team knows better, but why open this risk in the first place? Either grant users temporary admin access or provide a secondary account with administrative privilege to the folks that need it (NEVER use everyday accounts for this purpose!).

Too many admins — I’ve seen networks where nearly every single user is an admin. This is relatively common in the MSP space. How often does your team need admin-level credentials? In my experience very few actually need this, especially during day-to-day operations. The fewer people you have with admin credentials or accounts, the less risk you have of a hacker getting their sticky fingers on everything.
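To turn those four findings into something you can check on a schedule, here is an added PowerShell audit (my own example, not tooling from the original post). It assumes the RSAT ActiveDirectory module is installed, that the caller can read the domain, that 90 days of inactivity counts as stale, and that secondary admin accounts follow an `adm-` naming prefix; all four are assumptions you should adjust.

```powershell
# Added example, not the author's own tooling. Assumes the RSAT ActiveDirectory
# module is available and the caller has read access to the domain.
Import-Module ActiveDirectory

function Get-AdHygieneFindings {
    param(
        [int]      $StaleDays        = 90,               # assumed "no longer needed" threshold
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                         'Schema Admins', 'Administrators'),
        [string]   $AdminPrefix      = 'adm-'            # assumed secondary-admin naming convention
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # 1. Stale objects: enabled users/computers with no logon since the cutoff.
    #    LastLogonDate comes from lastLogonTimestamp, which replicates with up to
    #    ~14 days of lag, so treat this as a first cut, not a final verdict.
    $staleUsers = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate |
        Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff })
    $staleComputers = @(Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate |
        Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff })

    # 2. Service accounts not locked down: enabled accounts whose password never
    #    expires. Those carrying an SPN are the likeliest to be service accounts.
    $nonExpiring = @(Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
        -Properties PasswordLastSet, ServicePrincipalName)

    # 3 & 4. Permanent members of high-privilege groups (recursive, users only),
    #    which also tells you how many admins you really have.
    $admins = @(foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, DistinguishedName
    })
    $uniqueAdmins = @($admins | Sort-Object SamAccountName -Unique)
    # Privileged accounts that don't follow the secondary-account convention are
    # probably someone's everyday login, which is exactly the phishing exposure above.
    $everydayAdmins = @($uniqueAdmins | Where-Object { $_.SamAccountName -notlike "$AdminPrefix*" })

    [pscustomobject]@{
        StaleUsers          = $staleUsers
        StaleComputers      = $staleComputers
        NonExpiringAccounts = $nonExpiring
        PrivilegedAccounts  = $uniqueAdmins
        EverydayAdmins      = $everydayAdmins
    }
}

$f = Get-AdHygieneFindings
"Stale users: $($f.StaleUsers.Count)  Stale computers: $($f.StaleComputers.Count)"
"Non-expiring passwords: $($f.NonExpiringAccounts.Count)  Privileged accounts: $($f.PrivilegedAccounts.Count)"
$f.EverydayAdmins | Format-Table Group, SamAccountName -AutoSize
```

Run it from a scheduled task and diff the counts week over week; a number that only ever grows is the "nobody owns the cleanup" problem showing up in data.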