Defending Active Directory: Containing the threat of privilege abuse and escalation
Attackers often try to elevate their account privileges to move laterally inside the network. Stop privilege abuse in Active Directory with UserLock.
Updated December 5, 2024
Proactive Windows Active Directory (AD) access management is essential to securing today’s networks. Here's how UserLock, from version 12.2, allows you to manage and report on multi-factor authentication (MFA) on UAC (User Account Control) prompts, mitigating the threat of privilege abuse.
Unfortunately, one reason for AD security vulnerabilities is that the size and complexity of the platform mean that many aspects of securing AD are not straightforward. This is especially true for on-premises AD accounts, where organizations must assemble security on their own.
Challenges include:
Managing privileged accounts
Monitoring for privilege escalation, and
Imposing additional security layers such as MFA.
To implement these security measures, organizations must look to third-party access security and IAM solutions.
Good AD defense is not only about stopping attackers at the initial point of access but also about making it difficult to move laterally inside the network once they have gained a bridgehead.
In 2021, a ransomware attack against Colonial Pipeline led to days of severe fuel shortages across several U.S. states. Remarkably, it later emerged that the cause of this major national incident could be traced back to a single poorly secured VPN account. The ransomware gang had discovered leaked credentials for the account on the dark web. Although the account was inactive or “stale,” it still worked, and multifactor authentication (MFA) was not enabled on it.
Using this account, the attackers gained access to the company’s network, and then apparently elevated their account privileges to move laterally inside the network.
The first weakness was the existence of an inactive VPN account. By all appearances, this account hadn’t been detected and de-provisioned. Interestingly, this is a common issue. Microsoft estimates that more than 10% of AD accounts are in this risky “inactive” state.
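The detection step that was missing here can be scripted. The following PowerShell report is an added example, not code from the article or from UserLock; it assumes the RSAT ActiveDirectory module on a domain-joined machine, and the `-SearchBase` value shown is a placeholder.

```powershell
# Added example (not from the original article or UserLock): report enabled AD user
# accounts with no logon in the last $InactiveDays days, the "stale but still usable"
# state described above. Requires the RSAT ActiveDirectory module and a session
# authenticated to the domain.
# Caveat: LastLogonDate is derived from lastLogonTimestamp, which replicates with up
# to ~14 days of lag, so the cutoff is approximate; confirm before disabling anything.
# Accounts that never logged on have no LastLogonDate, so they are judged by age instead.
Import-Module ActiveDirectory

function Get-StaleAdUser {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = $null   # e.g. 'OU=VPN Users,DC=corp,DC=example' (placeholder)
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $params = @{
        Filter     = "Enabled -eq 'True'"
        Properties = 'LastLogonDate', 'whenCreated', 'PasswordLastSet'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | Where-Object {
        # Stale: last logon before the cutoff, or never logged on and created before the cutoff
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    } | Select-Object SamAccountName, Enabled, LastLogonDate, whenCreated, PasswordLastSet,
        @{ Name = 'DaysSinceLogon'; Expression = {
            if ($_.LastLogonDate) { [int]((Get-Date) - $_.LastLogonDate).TotalDays } else { 'never' } } }
}

# Usage: list stale enabled accounts, oldest first, and export them for review/de-provisioning
Get-StaleAdUser -InactiveDays 90 |
    Sort-Object LastLogonDate |
    Export-Csv -Path .\stale-ad-users.csv -NoTypeInformation
```

Run it on a schedule and compare the output against the previous run; an account that appears for the first time is the one to review, and an account that stays on the list for months is the one to disable.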
The second weakness was that the VPN account wasn’t secured with MFA, despite this being a recommended access security measure for any AD account, and even more so for a privileged or remote access account.
The third issue, and possibly most alarming of all, is that the attackers successfully elevated privileges in AD. Just because an account is a standard user account in AD doesn’t mean attackers can’t elevate from there to far more privileged and dangerous access if the right protections aren’t in place.
Although the Colonial Pipeline breach is a well-known incident, it is hardly the only example. Numerous other cyberattacks have exploited similar weaknesses in AD management and security.
For adversaries, no target has more value than Windows Active Directory, the foundation of most organizations’ identity and access management systems.
The biggest challenge of AD security is that its attack surface is huge. As the Colonial Pipeline example underlines, the most exposed part of this is through user accounts and credentials.
So when experts talk about password compromise, they’re usually talking about Active Directory account compromise. Attackers try to compromise non-privileged AD user accounts to get inside the network, which gives them an entry point into AD itself. Once they’re in, they open their Pandora’s box of tools and techniques to further manipulate AD from within.
This issue of credential and user compromise is central to AD security. Every compromised account exists somewhere in AD. That makes the way accounts are managed, monitored, and secured a fundamental part of defending AD.
The idea of privileges in AD is easy to misunderstand. Normally, we think of privileged access as relating exclusively to special accounts such as those operated by admins that confer system-level powers.
In reality, AD has an array of privileged user accounts. Each has slightly different access rights, including enterprise admins, domain admins, schema admins, group policy admins, backup admins, account admins, and application service accounts. In some cases, an administrative account might perform more than one of these roles.
Admins are normally thought of as a single god-like entity, so why have so many admin types? The answer is that, as with network management in general, good AD administration is based on the principle of least privilege. Every account should only have the privileges needed to do the job assigned to it. This is especially important where those privileges confer admin-level powers.
But it follows that the same principle should apply across all accounts. This raises the important fact that all accounts in AD — including the humblest user accounts — have some privileges. In AD, even the most basic privilege is a privilege that poses a risk and therefore needs to be controlled.
As with any computer system, the soft underbelly of AD is the ability of an attacker to elevate privileges.
This draws our attention to a technique common across numerous cyberattacks.
Attackers compromise an ordinary Active Directory user account and can then elevate its privileges to reach more sensitive areas of the network.
The lesson we should draw from this? Don't underestimate the importance of securing all AD accounts, including the most basic ones.
How do attackers elevate privileges? Numerous techniques exist, including exploiting software vulnerabilities or internal misconfigurations and hijacking internal AD processes. However, today’s attackers are just as often aided by network tools that allow them to identify and target the credentials of more privileged accounts. If these haven’t been adequately secured, the attackers can assume the privileges of these accounts to expand their access.
Securing AD, of course, requires multiple layers of security. These include defending against phishing attempts, enforcing strong passwords, and securing all accounts using MFA.
However, a critical element of AD security is privileged access management focusing on privileged accounts, which are always a hacker’s biggest target in any attack.
It’s key to monitor and audit privileged account access and actions, and receive alerts if an account with admin access modifies policies. This not only protects against external attacks but also insider threats.
However, because AD management is never one-size-fits-all — even for privileged users — admins must be able to apply access policies granularly so that this type of account can be permitted either to “read” or view group properties or members without changing them, or to “write” and modify them.
To stop unauthorized privilege elevation and prevent lateral movement, you can apply UserLock MFA to the UAC (User Account Control) prompts displayed for administrative tasks (e.g., disabling a firewall) or "run as administrator" requests.
Alerts on these requests also help better detect threat actors trying to move through your network. With UserLock, you can set up alerts specifically for UAC events.
As we all know, MFA for UAC isn’t created equal across MFA solutions. Often, solutions only allow admins to apply UAC MFA prompts on a single-machine basis. And almost all solutions display MFA UAC requests as a Remote Desktop Protocol (RDP) MFA event.
Since UserLock recognizes UAC as a separate event, you can monitor and report on UAC events separately.
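Independently of any product, UAC elevations can be seen in the Windows Security log, which is useful for baselining how often they happen before (and for verifying alerting after) MFA is put on them. The script below is an added example, not code from the article or from UserLock; it assumes "Audit Process Creation" is enabled so that event 4688 is written, and that the session can read the Security log.

```powershell
# Added example (not from the article or UserLock): list processes started with a full
# (UAC-elevated) administrator token, taken from Security event 4688 "A new process has
# been created". Assumes 'Audit Process Creation' is enabled (otherwise 4688 is not
# logged) and that the script has rights to read the Security log.
# Token Elevation Type %%1937 = TokenElevationTypeFull, i.e. the process was started via
# "Run as administrator" or otherwise elevated through a UAC prompt; these are exactly
# the prompts the article proposes to protect with MFA.
function Get-UacElevation {
    param(
        [int]$Hours = 24,
        [string[]]$IgnoreProcess = @()   # optional allowlist of full image paths
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        # Build a name -> value table from the event's EventData block
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        if ($d['TokenElevationType'] -ne '%%1937') { continue }
        if ($IgnoreProcess -contains $d['NewProcessName']) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Computer    = $e.MachineName
            Account     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process     = $d['NewProcessName']
            Parent      = $d['ParentProcessName']   # populated on Windows 10 / Server 2016 and later
            CommandLine = $d['CommandLine']         # empty unless command-line auditing is also enabled
        }
    }
}

# Usage: elevated launches in the last day, grouped by the account that elevated
Get-UacElevation -Hours 24 |
    Group-Object Account |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

A standard user account that suddenly shows up in this list is the "basic account elevating to admin" pattern the article warns about, and is worth an alert whether or not the elevation passed a password check.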
Ultimately, MFA on UAC prompts packs a strong punch in the fight against privilege abuse and AD compromise. By default, UAC prompts at the admin level require only a password. Adding MFA to this hugely reduces the vulnerability of the attack surface.
Defending AD is not easy. It is a large and complex platform that assumes organizations will assemble additional layers of security to defend it.
To succeed, defenders must address a wide range of possible threats:
Credential compromise
Lateral movement inside the network
Privilege abuse and privilege escalation
Modification of critical system files
Privileged insider threats
In addition, defenders must ensure that the security solutions they onboard to meet compliance and cyber insurance requirements also offer the security benefits necessary to prevent the above threats. Some solutions check boxes, others offer effective security that also happens to check boxes — the latter are harder to find.
What’s the takeaway here? Even if you have implemented technologies such as MFA to secure the logon, can you control and monitor what happens once a user gains access?
Attackers count on organizations paying less attention to this dimension of AD defense. And unfortunately, time and again, they are proven correct. Organizations don’t dedicate as much effort to defending internal actions inside AD as they do initial access.
Real-world cyberattacks tell us that this is a mistake. What happens after an attacker gains access is just as important as the initial compromise.