Security professionals barely get a passing grade on Active Directory security
Semperis on Wednesday reported that, among the 1,000 IT and security managers who used its free security assessment tool, the average score across five Active Directory categories was 68%, barely a passing grade.
The research found that insurance and health care – at 55% and 63%, respectively – reported the lowest overall scores, followed by transportation, which reached 64%.
Some of the key findings of the report are:
- Organizations fail to properly secure AD environments, primarily because they lack visibility into risky configurations.
- Large enterprises fare the worst due to legacy applications and complex environments.
- Lack of in-house AD expertise hampers AD hygiene efforts, especially in smaller companies or verticals with fewer resources.
It’s been 23 years since Microsoft launched Active Directory, and unfortunately for everyone, most organizations haven’t taken the necessary steps to ensure the operational integrity of one of the most important security controls in computing environments, said Aaron Turner, vice president of SaaS Posture at Vectra.
Turner said Semperis’ findings in the insurance and healthcare sectors are representative of the business pressures IT operations and security teams face. Companies in these verticals typically grow by acquisition and also have extremely long system life cycles. Combine those two factors and Turner said it results in “Frankenstein’s monster-like” directories that have all sorts of legacy security configurations.
“Organizations must have the operational discipline to eliminate the practice of simply importing settings from other directories into the production version of Active Directory and instead adopt minimum standards of hygiene for configuring users, attributes and settings,” Turner said. “Without this discipline, attackers will exploit legacy protocols and overprivileged user accounts to gain unauthorized access to systems that rely on AD for authentication and authorization.”
Windows AD has become notorious for its complexity, said Alex Ondrick, director of security operations at BreachQuest. Ondrick said AD has a reputation for being difficult to secure and is increasingly being targeted by attackers: Colonial Pipeline, the Red Cross, Ukraine and NOAA are prime examples.
“At the same time, many enterprises are also trying to adopt a zero-trust framework, further straining their already overextended access/identity security initiatives,” Ondrick said. “If we consider that in addition to all these changes, many companies are also migrating from on-premises to the cloud, or have some kind of hybrid AD environment, then it could be argued that attackers are converging towards a ‘softer target’ in Active Directory.”