Critical asset protection in the Active Directory: What do you need to know?

(Partner content)

In recent years, many cybercriminals have realised that Active Directory is an ideal way to gain control of an organisation’s information system. Seventy percent of ransomware attacks use Active Directory to spread to a company’s machines to encrypt data. And for good reason: “If someone is able to steal the hash of a password, they can steal the person’s identity,” said Sylvain Cortes, Security Strategist at Tenable, during an inCyber webinar dedicated to privilege administration workstations (PAWs).

This is one of the reasons why access to Active Directory is prioritised into three categories (Tier-0, Tier-1, and Tier-2), depending on the criticality of the assets. Tier-0 is the most secure category; it is reserved for domain controllers and to assets that will need to make requests to these.

Theoretically, someone who needs access to the three Tiers should work with four machines: three to administer the various Tiers (the PAWs) and their office device. In practice, however, this is not the case, as “it would be far too complex. (…) The PAW architecture has to be adapted,” admitted Sylvain Cortes.

Adapting PAW architecture

Theoretical principles to be respected in practice

“In the principles of good PAW configuration—such as those provided by the Center for Internet Security (CIS)—certain elements are absolutely necessary,” assured Sylvain Cortes. These include:

• Banning memory sticks;
• Banning the Internet connection;
• Pre-installing the administration tools; and
• Filtering incoming and outgoing connections to and from PAWs.

Adaptations often needed

For the sake of practicality, however, “there will usually be some deviation from the rules:”

• Many companies only have PAWs to manage Tier-0, which regroups the most critical assets;
• Separating asset users and administrators through different types of administration accounts is sometimes too difficult and not always put into practice;
• The requirement to place PAWs on dedicated networks (VLANs) is not always easy to implement, “especially when you have roaming administrators.”

How to properly administer a PAW

Four essential types of accounts

The PAW will best fulfil its role if four types of accounts are created:

• A Tier-0 administrator account, in Active Directory;
• An administrator account of the PAW itself, also in Active Directory;
• A local Tier-0 administrator account; and
• A local PAW administrator account.

The two local break glass accounts are used to administer the PAW and Tier-0 assets in the event of an Active Directory problem, such as a cyberattack. “Presumably, a rebound server will also be needed to act as a bridge between the PAW and Active Directory if a break glass account is required,” the expert added.

LAPS or PAM, depending on your needs

With local administration accounts, a solution such as LAPS—a Microsoft tool that is “easy to install” and that “ensures the complexity and renewal of the password of a local administrator account“—is also welcome, Sylvain Cotes assured.

But when an organisation needs to manage a multitude of local administrator accounts, it is recommended to use more comprehensive solutions: the Privileged Access Management (PAM) tools.

How to set up security policies on a PAW

Three types of GPOs

LAPS or PAM solutions allow companies to manage break glass accounts with management policies (GPOs), according to CIS best practices. These GPOs are of three types:

• Those that manage the membership of assets in local groups;
• Those that manage access restrictions; and
• Those that set up the PAW (firewall management, memory stick blocking, etc.).

“Of course, it is possible to integrate all these aspects into a single GPO,” said Sylvain Cortes.

1. Local group management

Two methods can be combined to manage local groups:

• Preferential GPO, which consists of assembling assets within groups; and
• Restrictive GPO, which allows you to restrict the access of certain groups to a type of asset.

“You will also be able to filter security policies by groups—a key feature of GPOs,” he continued.

2. Management of access restrictions

This involves allowing or denying access to certain assets or groups of assets to certain users, depending on their status and the tasks they have to perform.

“Since 2012, Microsoft has created in Active Directory a group called Protected users, which aims to make administrator authentication a little more secure, in particular by prohibiting the local cache mechanism,” noted Sylvain Cortes. This will require the use of either a rebound server or any other method to authenticate offline, or a secure access service edge (SASE) solution.

3. Management of PAW settings

When setting up the PAW, it is imperative to check that the Windows ISO file on which you are installing your PAW has never been reconfigured nor compromised.

Then there are also a myriad of settings and functions to secure the machine, among which:

• Secure boot;
• BitLocker encryption;
• LogForwarding;
• AppLocker;
• …

To help you secure Active Directory and detect attacks on it, Tenable has developed Tenable.ID, a solution that offers several tools, such as dashboards to facilitate the configuration of the various Tiers or exposure indicators (level of password policy, problems with the configuration of administrators according to the Tiers, etc.) and an alert system to the Security Operations Centre (SOC).

“Our newest feature, Attack Path, also allows you to check controls between Tiers—especially the more dangerous ones—to see if your users can move from one Tier to another via a PAW,” the expert concluded.

Stay tuned for the future release of Tenable’s full white paper related to this webinar and entitled “Designing Privileged Access Workstations (PAWs) in an Active Directory Tier-0 Environment.”