Most Common AD Misconfigurations Leading to Cyberattacks

Active Directory (AD) is one of the most widely used services for managing users, computers, and other resources inside an organization's internal network. It offers centralized authentication and authorization mechanisms for Windows and applications.

Moreover, administrators can easily control access to network resources, enforce security policies, manage device configuration, and much more. Active Directory is also relatively easy to set up, which has made it widely adopted by organizations worldwide.

Although Active Directory has several security mechanisms in place, administrators must be aware of some default configurations and take the necessary actions to secure the environment with best practices and security measures.

Common Active Directory Misconfigurations

According to the NVISO Labs report, organizations implementing Active Directory can misconfigure it in several ways, which can allow threat actors to infiltrate them. Some of the common misconfigurations are:

  • Administrator accounts are allowed for delegation
  • AES encryption is not forced on service accounts
  • Print Spooler is enabled on Domain Controllers
  • Users can create machine accounts
  • Unchanged GPOs are not reprocessed on Domain Controllers
  • Password policy and least privilege
  • Service accounts
  • KRBTGT account

Administrator accounts are allowed for delegation

By default, Active Directory allows account delegation. With Kerberos delegation, an application can act under the name of a user. With unconstrained delegation, it can impersonate the user anywhere within the network; with constrained delegation, it can only impersonate the user to a specific service on a specific computer.

If an attacker gains access to a delegated administrator account, they could try to impersonate the administrator and move laterally or compromise the domain.

AES encryption is not forced on service accounts

A Kerberoasting attack is possible if AES encryption is not enabled on service accounts and RC4 is not specifically disabled. A threat actor can then request a Kerberos ticket for a specific SPN and brute-force the password of the associated account.

Print Spooler is enabled on Domain Controllers

The Print Spooler service, which is an executable that manages the printing process, can be abused by a threat actor to gain access to the hash of the KRBTGT account. This gives the attacker almost unlimited access to the Active Directory domain.

Users can create machine accounts

A machine account is an Active Directory object that represents a computer or device connected to the domain. It can have attributes that store information about the device, be a member of security groups, have Group Policies applied, and so on.

If a Public Key Infrastructure (PKI) is present in the domain, an attacker can take advantage of the default Machine certificate template to perform a DCSync attack and dump the hashes of all users and computers.

Unchanged GPOs are not reprocessed on Domain Controllers

Most GPO settings are only applied when they are new or have been changed since the last time the client requested them. This could allow a threat actor to modify a registry key that is normally managed through a GPO in order to disable specific security measures.

Password policy and least privilege

Service accounts

Most of the time, there are no password policies for service accounts. Additionally, administrators are allowed to set weak passwords that can be easily brute-forced. In other instances, the passwords for the service accounts were included in their description.

KRBTGT account

The KRBTGT account is a default account that exists in all Active Directory domains and handles all Kerberos requests in the domain. A compromise of this account will allow threat actors to gain access to domain resources.
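
A read-only audit for several of the misconfigurations described above (delegable administrators, service accounts without enforced AES, Print Spooler on Domain Controllers, machine account creation, passwords in descriptions). This is an added example, not code from the NVISO Labs report or the original post. It assumes the RSAT ActiveDirectory module and WinRM access to the Domain Controllers; the 'Domain Admins' scope and the description keyword pattern are illustrative choices.

```powershell
# Added example: read-only audit. Assumes the RSAT ActiveDirectory module,
# directory read access and WinRM (CIM) access to the domain controllers.
Import-Module ActiveDirectory

# 1. Delegation: Domain Admins members not flagged
#    "Account is sensitive and cannot be delegated".
$delegableAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties AccountNotDelegated |
    Where-Object { -not $_.AccountNotDelegated }

# 2. AES not forced: accounts with an SPN where msDS-SupportedEncryptionTypes
#    has no AES bit (0x08 AES128, 0x10 AES256) or still has RC4 (0x04).
#    An unset attribute casts to 0 and is reported.
$weakEncSpn = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
        -Properties 'msDS-SupportedEncryptionTypes' |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Where-Object {
        $enc = [int]$_.'msDS-SupportedEncryptionTypes'
        (($enc -band 0x18) -eq 0) -or (($enc -band 0x04) -ne 0)
    }

# 3. Print Spooler running on any domain controller.
$dcNames = (Get-ADDomainController -Filter *).HostName
$spoolerOnDc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
        -ComputerName $dcNames -ErrorAction SilentlyContinue |
    Where-Object State -eq 'Running' |
    Select-Object PSComputerName, State, StartMode

# 4. Machine account quota: a value above 0 lets authenticated users
#    create machine accounts (the default is 10).
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# 5. Service accounts whose description looks like it holds a password.
#    The keyword pattern is a heuristic chosen for this example.
$descHits = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(description=*))' `
        -Properties Description |
    Where-Object Description -match 'pass|pwd|pw\s*[:=]'

# Summary object; empty arrays mean nothing was found for that check.
[pscustomobject]@{
    DelegableAdmins       = @($delegableAdmins | ForEach-Object SamAccountName)
    SpnWithoutEnforcedAes = @($weakEncSpn | ForEach-Object SamAccountName)
    SpoolerRunningOnDc    = @($spoolerOnDc | ForEach-Object PSComputerName)
    MachineAccountQuota   = $quota
    PasswordHintInDesc    = @($descHits | ForEach-Object SamAccountName)
}
```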
