How to secure Active Directory logins in remote work environments
The boom in working from home has become a bonanza for cyber attackers. Boost your corporate network security by protecting the remote use of Active Directory credentials.
Updated October 3, 2023
The boom in working from home is a bonanza for cyber attackers. Each time an employee connects to the corporate network from home, they create an access point that can often be exploited. With Windows Active Directory (AD) still the core identity and access platform for businesses around the world, the single best thing you can do to improve security is to protect the remote use of these Active Directory credentials.
Since the world rushed to remote work three years ago, we’ve seen a rapid expansion in fully-remote or hybrid work. When it comes to securing Active Directory logins for remote working, it’s important to step back and take stock of how remote work has changed the game.
In 2020, we saw a flood of new phishing emails devoted to the coronavirus. And like COVID-19 itself, the hackers zeroed in on the most vulnerable: your remote workers.
Even though phishing doesn’t attack Active Directory directly, it takes advantage of your employees’ desire to click a link. And, of course, phishing continues to rank as a weapon of choice, responsible for 12% of all unauthorized access according to Verizon’s 2023 Data Breach Investigations Report.
According to the DBIR, credential theft is responsible for nearly half of all breaches. By looking to steal employee credentials, attackers want to then escalate privileges and move laterally within your network, looking for systems, applications and data of value that they can exploit. And what’s more, you might not even know they’re in your network. The average time to discover a breach is a massively reassuring NINE months.
In the best of times, the often inadequate protection of Active Directory logins puts businesses at significant cyber risk. And now, as work from home and hybrid work is standard, this threat surface is much larger than it used to be.
The risk is all the greater since many organizations moved rapidly to home working without the time to prepare. Many rushed to allow Microsoft Remote Desktop Protocol (RDP) access, and are only now addressing the security implications of that.
Remote desktop access allows employees to access desktop resources that they need, without the physical need to be on premise. While remote desktop access helps prevent common complaints from remote workers, such as not having enough computing power, or not having access to the files and applications they need, it’s a security risk if not handled carefully.
The priority has been the continuation of operations, and cybersecurity has often not received the attention it deserves.
Remote desktop access is not fully secure, as in most cases it is only protected by a single password. Three key recommendations to protect these remote AD logins are to strengthen passwords, use a secure virtual private network (VPN) for all remote desktop access and enable two-factor authentication on these remote desktop connections.
These recommendations allow businesses to significantly improve the security of employees working from home.
Two-factor authentication for remote work: Two-Factor authentication on Active Directory logins is a security enhancement that asks employees to prove they are who they say they are using two different factors (one is often a password) to gain access to the network. UserLock makes 2FA easy by seamlessly integrating with Active Directory to offer straightforward, effective 2FA and access management on all Windows logins and RDP connections. It can be added to all remote access requests and gives you the option to allow users to authenticate via push notification, hardware token or key, or authenticator application as their second factor.
As far as possible, have employees work remotely using equipment that the company itself provides, secures and controls. When this is not possible, give employees clear usage and security guidelines.
Secure connections to your infrastructure by using a “VPN” (Virtual Private Network). When possible, limit VPN access to only authorized laptops. Any attempt to access from another machine should be denied.
As a first step, users need to follow best practices for strong passwords: they must be long, complex and unique to each device or service. Activate two-factor authentication (2FA) on remote connections, especially for connections to the network itself.
Since cyber criminals quickly exploit newly disclosed vulnerabilities, deploy updates as soon as they are available, on all accessible equipment in your information system.
Sometimes, backups are the only way for your organization to recover data after a cyber-attack. Make sure to perform and test backups regularly to ensure that they are working.
You know that professional antivirus solutions can protect your organization from most known malware, but don’t forget they can also sometimes protect against phishing messages, or even certain ransomware.
Log all access to and activity on your infrastructure equipment (servers, firewalls, proxies…) and on the workstations themselves. This audit trail will often be the only way to understand how a cyber-attack occurred, the extent of the attack and how to remedy it.
Monitoring RDP connections and all access to files and folders is a great way to detect abnormal access that could be the sign of a cyber-attack: for example, a connection by an unknown user, a known user connecting outside their usual hours, or an unusual volume of activity on sensitive files and folders. Real-time alerts and an immediate response allow you to prevent damage.
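Detection logic of the kind this paragraph describes, as an added example that is not from the original article or from UserLock: it runs over constructed sample records modelled on Windows Security events 4624 (RDP logons carry logon type 10) and 4663 (object access) and flags unknown users, off-hours RDP logons and high-volume access to a sensitive share. The known-user baseline with working hours, the share path, the source addresses and the threshold are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not real logs): timestamp|event_id|logon_type|user|source_ip|object
# 4624 = successful logon (type 10 = RemoteInteractive, i.e. RDP); 4663 = file/object access.
SAMPLE_EVENTS = [
    "2023-10-03T09:12:05|4624|10|alice|203.0.113.5|",
    "2023-10-03T03:40:11|4624|10|bob|198.51.100.7|",           # known user, 03:40 is off-hours
    "2023-10-03T10:05:42|4624|10|svc_backup|192.0.2.9|",       # not in the AD user baseline
    "2023-10-03T22:01:00|4624|2|alice|127.0.0.1|",             # local interactive logon, not RDP
    "2023-10-03T09:30:00|4663|0|alice|203.0.113.5|\\\\fs01\\finance\\q3.xlsx",
    "2023-10-03T03:45:00|4663|0|bob|198.51.100.7|\\\\fs01\\finance\\payroll.xlsx",
    "2023-10-03T03:46:00|4663|0|bob|198.51.100.7|\\\\fs01\\finance\\vendors.csv",
    "2023-10-03T03:47:00|4663|0|bob|198.51.100.7|\\\\fs01\\finance\\budget.xlsx",
]

# Assumed baseline: known AD users and their usual working hours (start, end), 24h clock.
KNOWN_USERS = {"alice": (8, 18), "bob": (7, 17)}
SENSITIVE_PREFIX = "\\\\fs01\\finance"   # assumed sensitive share
VOLUME_THRESHOLD = 3                      # assumed: >= 3 sensitive-file hits is unusual

def parse_event(line):
    ts, event_id, logon_type, user, src, obj = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": logon_type, "user": user.lower(), "src": src, "obj": obj}

def detect(lines, known_users=KNOWN_USERS, threshold=VOLUME_THRESHOLD):
    """Return (rule, user, detail) alerts for the three abnormal patterns."""
    alerts, file_hits = [], Counter()
    for ev in map(parse_event, lines):
        if ev["event_id"] == 4624 and ev["logon_type"] == "10":   # RDP logons only
            hours = known_users.get(ev["user"])
            if hours is None:
                alerts.append(("unknown_user", ev["user"], ev["src"]))
            elif not hours[0] <= ev["ts"].hour < hours[1]:
                alerts.append(("off_hours", ev["user"], ev["src"]))
        elif ev["event_id"] == 4663 and ev["obj"].lower().startswith(SENSITIVE_PREFIX.lower()):
            file_hits[ev["user"]] += 1
    for user, n in file_hits.items():
        if n >= threshold:
            alerts.append(("sensitive_volume", user, str(n)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```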
Give remote workers clear instructions on what they can and cannot do, and raise awareness of the security risks linked to remote working. Users are often the first line of defense in preventing, or even detecting, cyber-attacks.
The news shows that no organization, whatever its size, is immune to a cyber-attack. Assessing possible attack scenarios allows you to anticipate what measures to take to protect your environment.
The involvement and commitment of managers in security measures is key, as employees will follow their lead. If managers take security seriously, it’s much easier to get employees on board.