Feb 28

How Windows Active Directory Is Failing User Security

François Amigorena | 29 September 2017

“We now know that 75% of attacks use compromised credentials somewhere along the line”

Windows Active Directory (AD) is used by a great proportion of businesses to authenticate users and grant access to Windows domain-type networks. It makes managing a vast number of employees who access corporate networks in different ways relatively simple.

But despite all its benefits, AD is now the root cause of many logon security issues. The problem with AD is that it does not protect against cybercriminals using compromised credentials to gain access to corporate networks, files and folders. As far as AD is concerned, anybody using a correct username and password is exactly who they say they are. But we now know that 75% of attacks use compromised credentials somewhere along the line, so AD is poorly equipped to deal with modern-day attacks.

Analyst and director Bob Tarzey at Quocirca agrees, arguing: “Active Directory provides basic user security, checking that credentials supplied match stored user profiles and then opening up access to resources. Stronger techniques are needed to ensure a user really is who they say they are.”
Moreover, many IT experts and professionals are growing weary of AD’s inability to secure access effectively on its own. Cybersecurity company IS Decisions recently compiled a peer report curating IT professionals’ feedback on AD from various online community groups like Peerlyst, Spiceworks, DaniWeb, and Reddit. The top-level finding? Compromised credentials are just the tip of the iceberg.
AD – basic and insecure
A man who calls himself “Guurhart” on Peerlyst, for example, believes “the biggest challenge is Kerberos and the weaknesses inherent in AD. Only the latest versions of Windows give you any real chance at beating attackers who’re trying to move laterally.”
Scott on Spiceworks adds to this saying: “A major limitation of AD is the assumption that you will have a LAN. Azure AD (which is not AD) breaks this barrier and is worlds better as a concept. Unless you are totally LAN centric, AD adds so much complication.”
Brad on Peerlyst also comments on the inflexibility of group logs, saying: “Audit logs are in the form of event logs with specific error messages, some of which require Group Policy configuration changes on the Domain Controller Default Policy. Initially there are VERY limited logs and in order to get more data you have to make a fair amount of changes to Group Policy. Very important.”
Indeed, a previous piece of IS Decisions research in The Insider Threat Manifesto found that nearly half (49%) of IT security professionals believe there to be security holes in AD.
What’s the worst that could happen?
When asked what’s the worst that could happen as a result of poor user security, another member of the online IT community said: “Social engineering, gathering data, installing software, running ransomware on shared resources”. Each and every one of these prospects is a nightmare waiting to happen for IT administrators using AD.
And we have all seen what happens when businesses fail to authenticate users properly. When login credentials fall into the hands of cybercriminals, they wreak havoc on a company’s corporate network. And they’re able to do all this virtually undetected by the IT department because no security system raises an alarm when someone uses the right login credentials.
What companies can do about it
So what exactly can you do beyond AD to shore up user security? Brad argues that because “there’s no real native support for MFA/2FA, third-party tools should be used” and Guurhart argues that it’s “very important to get an alert when certain access events occur. When detected or alerted, you need playbooks for handling these situations. If you don’t have playbooks and someone trained in using those, you will respond inconsistently and randomly.”
Technology now exists that can run alongside Windows AD to plug the growing number of security holes with regard to user access. These tools can restrict logons to a combination of particular workstations, geographies, mobile devices, times of day and more – whatever the IT department deems fit – to close the window of opportunity for would-be attackers. Should an employee’s login credentials fall into the hands of an attacker, that attacker would likely attempt to log in outside of the restrictions set up by the IT department, and be blocked.
This kind of security minimises the damage of a number of attack vectors like phishing and ransomware. But not only does it halt outside attackers, it can also monitor and audit everyone on the network and attribute network activity back to each user, something that regulations such as SOX and PCI DSS are increasingly demanding.
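As an added illustration of the contextual logon restrictions and access alerting described above (example code written for this page, not from the article or from IS Decisions): successful logons recorded as Windows Security event 4624 are checked against a per-user policy of allowed workstations, hours and logon types. The field names follow the real 4624 schema; the policy and the sample events are constructed.

```python
# Added example (not from the article): check successful AD logons (Windows
# Security event 4624) against a per-user context policy. Policy and events
# below are constructed; field names mirror the real 4624/4625 schema.
from datetime import datetime

# Constructed policy: alice may log on interactively (LogonType 2) or via
# RDP (LogonType 10) from two named workstations, 08:00-18:59 only.
POLICY = {
    "alice": {"workstations": {"WS-ALICE", "WS-LAB01"},
              "hours": range(8, 19), "logon_types": {2, 10}},
}

# Constructed event records (a subset of the real 4624/4625 fields).
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2017-09-29T09:15:00", "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.0.5.21", "LogonType": 2},
    {"EventID": 4624, "TimeCreated": "2017-09-29T03:40:00", "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.0.5.21", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2017-09-29T11:05:00", "TargetUserName": "alice", "WorkstationName": "UNKNOWN-PC", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2017-09-29T11:06:00", "TargetUserName": "bob", "WorkstationName": "WS-BOB", "IpAddress": "10.0.5.30", "LogonType": 2},
    {"EventID": 4625, "TimeCreated": "2017-09-29T11:07:00", "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.0.5.21", "LogonType": 2},
]

def check_logon(event, policy):
    """Return the policy violations for one event. AD already accepted the
    credentials; this is the context check AD does not perform on its own."""
    if event["EventID"] != 4624:
        return []                      # failed logons (4625) are out of scope here
    reasons = []
    hour = datetime.fromisoformat(event["TimeCreated"]).hour
    if event["WorkstationName"].upper() not in policy["workstations"]:
        reasons.append(f"workstation {event['WorkstationName']} not allowed")
    if hour not in policy["hours"]:
        reasons.append(f"logon at {hour:02d}:00 outside permitted hours")
    if event["LogonType"] not in policy["logon_types"]:
        reasons.append(f"logon type {event['LogonType']} not permitted")
    return reasons

def find_suspicious_logons(events, policies):
    """Pair each offending event with its reasons. A user with no policy is
    reported too, so coverage gaps are visible instead of silently passing."""
    findings = []
    for ev in events:
        policy = policies.get(ev["TargetUserName"].lower())
        reasons = ["no logon policy defined for user"] if policy is None else check_logon(ev, policy)
        if reasons:
            findings.append((ev["TimeCreated"], ev["TargetUserName"], reasons))
    return findings
```

Each finding is the kind of "certain access event" that should drive an alert and a playbook; the 03:40 RDP session and the logon from an unknown workstation both used valid credentials and would pass AD unnoticed.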

User security – the most important part of IT’s job
Nobody wants an undetectable intruder on their corporate network. Look what happened to the likes of Three, Anthem, Sage, Dropbox and countless others who have not given user authentication due diligence in the past. They’ve all suffered significant data breaches and fines, while taking a serious hit to their reputation.
Managing access to corporate networks is therefore one of the most important parts of an IT professional’s job. Once those credentials are out in the open, you’re unlikely to find out until it’s too late.


OverWatch™ is a new cybersecurity solution that leverages the power of true Artificial Intelligence (AI) to level the playing field against hackers! OverWatch™ scours the internet, darknet, social media, and thousands of other data sources to identify if your domain is breached or user credentials are compromised. Operating 24/7, OverWatch™ immediately identifies evidence of compromises or breaches. Most data loss happens before a company identifies their networks have been breached!
