Active Directory Security Review
Active Directory is a critical part of most organisations' network security, as it controls authentication and authorisation across the network – and often for associated connections such as wireless networks and VPNs.
During the engagement, your Active Directory domain will be reviewed against a range of security best practices, based on both vendor documentation and our consultants' experience of potential security issues.
The following gives a list of some key areas covered by this type of assessment:
- User Account Security
- Credential Reuse
- Domain Trust Configuration
- SPN Configuration
- Group Policy and Preferences
User Account Security
We will assess user accounts for instances with excessive permissions or group membership as well as accounts that appear to be inactive. Additionally, we will assess sensitive and highly privileged accounts for features such as membership of the Protected Users security group.
Password Security and Credential Reuse
Password security is an often overlooked but critical aspect of domain security. Organisations often implement a policy of complexity plus minimum password length. However, common policies such as “Minimum 10 characters + complexity” can still lead to weak password choices such as Password1234 being used.
Additionally, other common weaknesses such as credential reuse, the use of reversible encryption, and the requirement for pre-authentication will be assessed.
Domain Trust Configuration
Generally, an Active Directory domain is a security boundary. However, this boundary can be extended through the use of Domain Trusts. Trusting domains with a different security level can be a security risk, especially where bidirectional trusts are applied but not actually required.
Additionally, there are security options such as Selective Authentication that should be used where possible.
Service Principal Name (SPN) Configuration
SPNs are used to configure service accounts for a service. However, whilst SPNs may be required for the use of service accounts, they may be vulnerable to an issue commonly known as “Kerberoasting”, which can expose the service account to an offline password guessing attack.
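The account-level checks named under User Account Security and Password Security, together with the SPN exposure described above, can be run over exported account attributes. This is an added example, not the assessment team's own tooling; the account records, the 90-day inactivity threshold, the use of adminCount to mark privileged accounts and a lastLogon value already converted to a datetime are assumptions.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits as documented by Microsoft
ACCOUNTDISABLE = 0x0002
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080  # password stored with reversible encryption
DONT_REQ_PREAUTH = 0x400000          # Kerberos pre-authentication not required

def review_account(acct, now, inactive_days=90):
    """Return finding labels for one account record (dict of LDAP attributes)."""
    uac = acct["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        return []  # disabled accounts cannot log on; report them separately
    findings = []
    if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
        findings.append("reversible-encryption")
    if uac & DONT_REQ_PREAUTH:
        findings.append("preauth-not-required")
    if acct.get("servicePrincipalName"):
        # A user account with an SPN relies on its password strength alone.
        findings.append("spn-on-user-account")
    if now - acct["lastLogon"] > timedelta(days=inactive_days):
        findings.append("inactive")
    groups = [dn.lower() for dn in acct.get("memberOf", [])]
    if acct.get("adminCount") == 1 and not any(
            dn.startswith("cn=protected users,") for dn in groups):
        findings.append("privileged-not-protected")
    return findings

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed so the output is repeatable
BASE = "CN=Users,DC=example,DC=test"             # constructed domain
ACCOUNTS = [  # constructed sample records, not taken from a real directory
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.example.test:1433"],
     "lastLogon": NOW - timedelta(days=2)},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400280,
     "lastLogon": NOW - timedelta(days=400)},
    {"sAMAccountName": "adm_jane", "userAccountControl": 0x200, "adminCount": 1,
     "memberOf": ["CN=Domain Admins," + BASE], "lastLogon": NOW - timedelta(days=1)},
    {"sAMAccountName": "adm_raj", "userAccountControl": 0x200, "adminCount": 1,
     "memberOf": ["CN=Protected Users," + BASE], "lastLogon": NOW - timedelta(days=1)},
    {"sAMAccountName": "old_temp", "userAccountControl": 0x202,
     "lastLogon": NOW - timedelta(days=900)},
]

def review_all(accounts=ACCOUNTS, now=NOW):
    return {a["sAMAccountName"]: review_account(a, now) for a in accounts}

if __name__ == "__main__":
    for name, findings in review_all().items():
        print(f"{name:12} {', '.join(findings) or 'no findings'}")
```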
Group Policy and Preferences
Group Policy includes several optional features that can impact domain security. For example, Fine-grained Password Policies (FGPP) allow different password policies to be applied to different groups. This can be used to enforce a stricter password policy for privileged user accounts such as administrators. Additionally, some previous Group Policy features such as Group Policy Preferences may unintentionally expose credentials. Further, we will assess key security features of Group Policy, such as whether credential caching is enabled.
Interested in an AD Security Review?
If you'd like to talk to the team about security testing for your Active Directory deployment, get in touch below: