Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Active Directory Under Attack: How to Secure It

February 7, 2017

In a recent post, I mentioned that Windows 10 can block zero-day attacks without being patched. In another Microsoft report, the antivirus suite contained in Windows 10 detected a 400% increase in ransomware attacks from December 2015 to July 2016. Compromises like these put Active Directory (AD) at risk, and AD manages access to almost every piece of a Windows IT infrastructure. CSO has identified several steps you can take to protect Active Directory.

  • Assume a breach. Start from a position of "zero trust" and apply controls around AD that assume the network and other systems are not secure.
  • Only approve a few admins. Not everybody needs to be an administrator. Only a handful of people (or just one) require the ability to make domain-level changes.
  • Separate admin and user accounts. The default should be to run at user level, not as an administrator.
  • Whitelist admin workstations. Besides controlling administrator accounts, only allow administrator tasks from specific computers.
  • Use strong authentication. Don't reuse passwords and implement multifactor authentication.
  • Use a SAW. Like whitelisting, use a virtual or physical Secure Administrative Workstation.
  • Block Internet access for admins. Domain controllers should have tight restrictions and only be allowed to communicate with the internal network.
  • Safeguard against Active Directory attack tools. Make sure you know what tools are available to attack AD.
  • Restore from a clean state. If you do get compromised, restore Active Directory from a known clean backup.
  • Build an isolated admin enclave. Separate systems and people responsible for AD changes from the production environment.
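The "few admins", "separate accounts" and "strong authentication" points above are easy to state and easy to drift away from, so they are worth auditing on a schedule. The script below is an added example, not part of the CSO list or the original post; it assumes the ActiveDirectory RSAT module, a domain-joined session with read access, default privileged group names, and (a local convention, not an AD rule) that dedicated admin accounts have no mailbox.

```powershell
# Added example: audit privileged AD group membership against the checklist.
# Assumes the ActiveDirectory module, default group names, and that admin
# accounts have no mailbox (HasMailbox = $true suggests a shared user/admin account).
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$props = @('Enabled', 'PasswordLastSet', 'SmartcardLogonRequired', 'AccountNotDelegated', 'EmailAddress')

# Protected Users exists on 2012 R2+ domains; treat a missing group as "nobody is in it"
$protectedUsers = Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty SamAccountName

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect admins are not missed
    $members = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties $props
        $pwdAgeDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
        [pscustomobject]@{
            Group            = $group
            Account          = $u.SamAccountName
            Enabled          = $u.Enabled
            SmartcardOnly    = $u.SmartcardLogonRequired      # strong authentication enforced
            NotDelegated     = $u.AccountNotDelegated         # "sensitive, cannot be delegated"
            InProtectedUsers = ($protectedUsers -contains $u.SamAccountName)
            HasMailbox       = [bool]$u.EmailAddress          # hint of a combined user/admin account
            PasswordAgeDays  = $pwdAgeDays
        }
    }
}

# Headline number for "only approve a few admins"
$enabledAdmins = $findings | Where-Object Enabled | Select-Object -ExpandProperty Account -Unique
Write-Host ("Enabled privileged accounts: {0}" -f @($enabledAdmins).Count)

# List every enabled privileged account that violates one of the controls;
# the 365-day password threshold is a placeholder to adjust to local policy
$findings | Where-Object {
    $_.Enabled -and (
        -not $_.SmartcardOnly -or -not $_.InProtectedUsers -or -not $_.NotDelegated -or
        $_.HasMailbox -or ($_.PasswordAgeDays -gt 365)
    )
} | Sort-Object Group, Account | Format-Table -AutoSize
```

Run it from a SAW with an account that can read the directory; a non-empty table is the to-do list for the next change window.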

E-mail: Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
http://www.senseient.com