The recent Target compromise was a wake-up call for many firms, especially all of the Target stores across the U.S. Let’s face it – IT security is often not at the top of the priority list for budgeting every year. Your organization needs to be proactive in applying smart, effective security practices. One area of particular interest should be your Active Directory environment.
Target Takes A Hit
Understandably, the biggest headlines about the Target compromise focused on the theft of 40 million credit card numbers and other personally identifiable information. One overlooked element in most media reports was the extent to which Target’s internal Active Directory environment may have factored into the attack. Brian Krebs included an interesting tidbit in his reporting: like many firms, Target’s backend systems included extensive integration with Active Directory.
Active Directory Popularity
Active Directory has become ubiquitous, with Gartner estimating that between 90 and 95 percent of organizations have at least one AD forest deployed in their environment. If an attacker managed to compromise even a single Active Directory account – and particularly one used by IT – the exposure to an organization would be huge. At a minimum, the sheer amount of information in the directory would be useful for social engineering.
Oakwood is advising our clients to be ever vigilant in securing their environments. Microsoft offers a comprehensive list of AD security best practices. There are a number of steps you can take right now to enhance the security of your Active Directory environment:
Stop Passing the Hash for Administrator Accounts
Active Directory’s Kerberos security model enables incredible functionality, including single sign-on and access to resources such as file shares. However, if not properly secured, you might as well just hold the door open for intruders. With enough access to even a single server or workstation, an intruder could pilfer the password hashes of any account that might have logged into the system – including Domain Administrator credentials. Leveraging a pass-the-hash attack, the attacker could obtain full Domain Administrator access across a domain – with or without the actual password. Recent enhancements in Windows 8.1 and Server 2012 R2 such as Kerberos Armoring and Protected Users could mitigate pass-the-hash and other sophisticated techniques used by intruders.
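As an added example (not from the original post), the following PowerShell report lists members of the privileged groups that are not yet in Protected Users and, with -Enforce, adds the ones that do not look like service accounts. It assumes the ActiveDirectory RSAT module and a domain whose PDC emulator runs Server 2012 R2 or later; Kerberos armoring itself is a Group Policy setting and is not covered here.

```powershell
# Added example: report privileged accounts missing from Protected Users and optionally add them.
[CmdletBinding()]
param(
    # Privileged groups whose human members should carry Protected Users restrictions.
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
    # Report only unless -Enforce is given.
    [switch]$Enforce
)

Import-Module ActiveDirectory

$domain = Get-ADDomain
Write-Host "Domain functional level: $($domain.DomainMode) (Windows2012R2Domain or higher is needed for DC-side enforcement)"

# Current Protected Users membership keyed by SID, so renamed accounts still match.
$protected = @{}
Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    ForEach-Object { $protected[$_.SID.Value] = $true }

# Only user objects qualify; computer accounts must not be placed in Protected Users.
$candidates = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
}

$report = $candidates | Sort-Object -Property DistinguishedName -Unique | ForEach-Object {
    $u = Get-ADUser -Identity $_.DistinguishedName -Properties ServicePrincipalName
    [pscustomobject]@{
        SamAccountName   = $u.SamAccountName
        InProtectedUsers = $protected.ContainsKey($u.SID.Value)
        # Accounts carrying SPNs are service accounts. Protected Users would break them
        # (no NTLM, no RC4/DES, no delegation), so they are flagged for manual review.
        LooksLikeService = ($u.ServicePrincipalName.Count -gt 0)
    }
}

$report | Format-Table -AutoSize

if ($Enforce) {
    $toAdd = $report | Where-Object { -not $_.InProtectedUsers -and -not $_.LooksLikeService }
    foreach ($acct in $toAdd) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $acct.SamAccountName
        Write-Host "Added $($acct.SamAccountName) to Protected Users"
    }
}
```

Run it without -Enforce first: Protected Users also disables cached logons and shortens TGT lifetime to four hours, so confirm each listed account is an interactive admin account before enforcing.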
Control Applications in your Environment
Users may knowingly or unknowingly be exposing the organization to risk by executing untrusted applications. In addition to deploying proactive anti-malware systems, two technologies that I highly recommend are AppLocker and Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which, in combination with Group Policy and System Center, can be used to protect against legal risk and prevent malware and zero-day threats from compromising your environment.
Design for Security, not Insecurity
Policy, architecture, and governance are critical elements in your security strategy. Organizations need to think carefully about the benefits and costs of their Active Directory design. Consolidation of non-revenue systems can significantly decrease the cost and complexity of IT operations, but revenue systems should be properly segmented to airgap critical data.
Be sure to also review your OU and GPO design. Effective use of GPOs can significantly improve user experience and security – but overly complex GPO designs may create unexpected and unintended consequences.
Take Control of Administrative Rights
Evaluate your organization’s posture regarding administrative rights. Administrative rights should be properly scoped and delegated based upon role and not merely convenience. Ensure that administrators limit usage of administrative rights to a separate account on a secured administrative workstation.
To the surprise and delight of many IT auditors, local administrator rights on servers and workstations alike can be centrally managed through the clever application of security groups, Group Policy Preferences, and your organization’s Identity Management or Access Management system.
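An added example, not part of the original post: this PowerShell audit compares each server’s local Administrators group against an approved list so you can see where delegation has drifted. The OU path and approved group names are assumptions to replace with your own, and the running account needs rights to read local groups on the targets.

```powershell
# Added example: find local Administrators members that are not on the approved list.
param(
    [string]$ServerSearchBase = 'OU=Servers,DC=corp,DC=example',                 # assumed OU
    [string[]]$Approved = @('Administrator', 'Domain Admins', 'Server Admins')  # assumed names
)

Import-Module ActiveDirectory

function Get-LocalAdmins {
    param([string]$Computer)
    # The ADSI WinNT provider works on older servers where Get-LocalGroupMember is unavailable.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # Each member is a COM object; read its account name and ADsPath (domain or local source).
        $name = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        [pscustomobject]@{ Name = $name; Path = $path }
    }
}

$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -SearchBase $ServerSearchBase

$findings = foreach ($s in $servers) {
    try {
        Get-LocalAdmins -Computer $s.Name | ForEach-Object {
            [pscustomobject]@{
                Server   = $s.Name
                Member   = $_.Name
                Source   = $_.Path
                Approved = ($Approved -contains $_.Name)
            }
        }
    } catch {
        # Unreachable or access-denied hosts are reported rather than silently skipped.
        Write-Warning "Could not query $($s.Name): $_"
    }
}

# Unapproved entries are the ones to remediate through your security group / GPP design.
$findings | Where-Object { -not $_.Approved } | Sort-Object Server | Format-Table -AutoSize
```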
Target Stores Warning Signs
Apply effective auditing, logging, and intrusion detection to your systems. Defense in depth is critical. Simply logging changes may not be enough to raise the alarm if malware sanitizes logs or if your operations staff fails to heed warning signs. Beyond simply logging activity in your environment, implement proactive intrusion detection AND protection measures. Unless your IT or security operations team catches on quickly (which sadly did not happen at Target), an attacker will have already executed their payload, deployed malware, and gained free rein over your customers’ data.
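As an added illustration (not from the original post) of the warning signs described above, this PowerShell snippet pulls log-clearing, account-creation and privileged-group-change events from every domain controller’s Security log over the last N hours. It assumes the ActiveDirectory RSAT module, remote Security-log read access on the DCs, and that Audit User Account Management and Audit Security Group Management are enabled.

```powershell
# Added example: collect high-signal Security events from all domain controllers.
param([int]$Hours = 24)

Import-Module ActiveDirectory

# 1102 = audit log cleared, 4720 = user account created,
# 4728/4732/4756 = member added to a security-enabled global/local/universal group.
$ids = 1102, 4720, 4728, 4732, 4756
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$since = (Get-Date).AddHours(-$Hours)

function New-Alert($Event, $Alert, $By, $Detail) {
    [pscustomobject]@{ Time = $Event.TimeCreated; DC = $Event.MachineName
                       Alert = $Alert; By = $By; Detail = $Detail }
}

$dcs = (Get-ADDomainController -Filter *).HostName
$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since }
    } catch {
        # "No events found" also lands here; access failures on a DC are worth noticing.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

$alerts = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    # 1102 stores its fields under UserData; the others use EventData name/value pairs.
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    switch ($e.Id) {
        1102 { New-Alert $e 'Security log cleared' $x.Event.UserData.LogFileCleared.SubjectUserName '' }
        4720 { New-Alert $e 'Account created' $d['SubjectUserName'] $d['TargetUserName'] }
        default {
            # TargetUserName is the group; MemberName is the DN of the account added.
            if ($privilegedGroups -contains $d['TargetUserName']) {
                New-Alert $e 'Privileged group change' $d['SubjectUserName'] `
                    "$($d['MemberName']) -> $($d['TargetUserName'])"
            }
        }
    }
}

$alerts | Sort-Object Time | Format-Table -AutoSize
```

A cleared log with no matching change ticket, or a privileged-group addition outside change windows, is the kind of warning sign that should page someone rather than sit in a report.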
Most importantly, don’t wait and be the next Target. Keep your organization and its customers safe by securing your Active Directory environment today.