Active Directory (AD) is at the heart of Windows networks. That makes AD a prime target for ransomware actors, who would love nothing more than to gain control over it. The good news is that there are numerous measures at your disposal for building a defense-in-depth strategy to protect this valuable piece of infrastructure. Here are a few.
To secure your AD, you must end the practice of relying solely on passwords for authentication. Password protection did its job 15 years ago, but the threat landscape has changed. Passwords today are too easily compromised through social media attacks or cracking utilities.
Password protection must be supplemented by an additional authentication factor. While many organizations have long required privileged account holders such as network administrators to use multi-factor authentication (MFA) when accessing resources remotely, the time has come to enforce MFA for everyone. This second tier of login protection bolsters network access controls and reduces the risk from compromised user credentials.
The lazy practice of granting blanket admin rights to standard users is another weakness that needs to be eliminated. One reason the practice persists is that it is easy and helps reduce help desk call volume.
The problem is that when a user with admin rights logs on to a computer, any malware or malicious code inadvertently downloaded runs with that user's rights. Admin rights allow malware to infect the machine and establish a beachhead from which a command-and-control center can spread the attack.
Adhering to the principle of least privilege (PoLP) is a reliable guide for staying on the straight and narrow. PoLP requires that you grant users rights to only the exact resources and services they need to fulfill their job duties. This means that membership of privileged groups should be restricted to the exact job roles or employees that need it.
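As an added example (not from the article), the following PowerShell script uses the RSAT ActiveDirectory module to enumerate the built-in groups that confer domain-wide privilege, flatten nested membership, and flag accounts that a least-privilege review would question. The group list, the `$ApprovedAdmins` allow-list and the 90-day staleness threshold are assumptions to adapt to your own environment.

```powershell
# Added example: audit privileged AD group membership against an allow-list.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumed allow-list of sAMAccountNames approved to hold privileged membership.
$ApprovedAdmins = @('adm.jdoe', 'adm.asmith')

# Built-in groups whose membership should be kept to the bare minimum.
# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so -ErrorAction SilentlyContinue skips them in child domains.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

$StaleDays = 90   # assumed threshold for "nobody has used this account"

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect paths to privilege show up.
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName `
                    -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires

        $Reasons = @()
        if ($User.SamAccountName -notin $ApprovedAdmins) { $Reasons += 'not on allow-list' }
        if (-not $User.Enabled)                          { $Reasons += 'disabled but still privileged' }
        if ($User.LastLogonDate -and $User.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
            $Reasons += "no logon in $StaleDays days"
        }
        if ($User.PasswordNeverExpires)                  { $Reasons += 'password never expires' }

        if ($Reasons) {
            [pscustomobject]@{
                Group     = $Group
                Account   = $User.SamAccountName
                Enabled   = $User.Enabled
                LastLogon = $User.LastLogonDate
                Reasons   = ($Reasons -join '; ')
            }
        }
    }
}

# One row per (group, account) pair that needs a decision: remove, justify, or add to the allow-list.
$Findings | Sort-Object Group, Account | Format-Table -AutoSize
```

Run it on a schedule and treat every row as a ticket: each flagged membership either gets removed or gets a documented justification.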
It’s not just about restricting privileged access; it’s about knowing when and where to use it. Enterprise admins should not be checking their email or surfing the web from a client machine. Even though highly privileged users may practice better security hygiene, that does not eliminate the potential for their accounts to be unknowingly compromised. A tier-1 user such as a domain admin should use a standard user account when doing standard things.
The use of privileged AD accounts should be limited to devices that are properly secured for AD management purposes. One alternative to swiveling back and forth between AD servers is to secure a privileged access workstation (PAW) that is used only for performing privileged tasks. This could be a stand-alone machine, with the admin logging on locally to the PAW and then either remoting into a designated server or running a tool under their privileged account.
The most effective way to recover from a ransomware attack is to have a well-designed backup strategy. Backing up a domain controller (DC) requires a System State backup. If your enterprise consists of a multi-domain forest, you will need to back up a separate DC from each domain. Perform these backups at least once a week to ensure you are capturing the latest information about your AD accounts.
Some enterprises keep a disabled virtual DC as a backup that can be spun up into production should all production DCs become corrupted. This is a good method, although you must spin it up on a regular basis so that it replicates the latest AD changes from a production DC. Failure to do so will not only leave its data outdated but can also result in the DC becoming tombstoned.
All of these are simple measures that can be taken to secure your AD infrastructure against a potential ransomware attack. Of course, these steps don’t negate the need for other security measures such as endpoint protection and enabling the native host firewalls. Given how critical your AD infrastructure is to your enterprise, bolstering the defensive line that protects it is essential.