Credential theft in Active Directory (AD) has been a longtime vulnerability issue. With the outbreak of reason ransomware and malware viruses, however, the act of properly securing these credentials is now of utmost importance.
As Bhavik Shan, solutions architect at Skyport Systems, informed us in yesterday’s webinar on “How Hackers Steal Your Credentials”, this problem is more widespread than you’d think.
“We ask, ‘How do your admins actually log in to the domain controllers today?’ Nine times out of 10 people are saying that they use their laptop and RDP directly to the domain controller using domain admin credentials,” Shan said.
What users don’t realize, he further explained, is when they log in directly from a laptop or desktop, those admin credentials are cached locally on the machine and stored in memory. This makes credentials very vulnerable to attack.
Consider, for example, the way the Petya attack worked: the malware gains access to a workstation, steals credentials from the memory, and then infects other systems on that network—including the domain controller. This sophisticated virus can immediately pivot to reach the expanses of the entire company. In other words, if even one workstation is vulnerable by storing admin credentials, everything else it is connected to is also vulnerable.
“When you think about your Active Directory being connected to everything—payroll, backup systems, your entire IT infrastructure. The blast radius could be bad here,” Shan warned.
To combat this worry, Microsoft recommends companies create a dedicated workstation for AD work. This would be locked down in a secure location with the inability to browse the internet or complete other work tasks, making it a device that solely handles AD administration. It’s a physically laptop that remains physically secure.
“That’s exactly what the best practice says: you should have a safe place—which is the only place where the keys are used. And that’s what this idea of an admin workstation is all about,” said Dan Backman, director of technical marketing at Skyport Systems.
This practice is great in theory, but Shan explained it’s difficult for implementation, tough to determine if a device is even clean to begin with, and a struggle to continuously prove it’s not compromised. To do so, so many tools—and lots of manpower—would be needed to maintain this workstation and keep patches current and make sure no one else is using it.
“There’s a lot of work to maintain one of these,” Backman said. “Oh and then, by the way, if this the only place where you’re allowed to log in as domain admin through group policy, if this is a physical box this means you have to go to the box.” He gives the example of needing to make a fix in an emergency or last minute when you’re at home, an hour from the office. In that situation, what do you do?
A fix for this dilemma of time and resources needed to properly and continuously secure AD is to invest in a separate tier that will segregate duties and be cut off from the IT infrastructure, Shan suggested. Services like Skyport Systems that are hyper-converged and easily managed provide a cloud management service experience that would keep the environment secur, operational, and give admins the tools they need to manage their AD. Tools like this would act as an intermediary, allowing for:
Having a “middleman” enables companies to keep data on premises with the ability to reach out to the cloud for telemetry checks. Companies can then implement new policies for security and data in a centralized way. It also reduces the cost of integration and maintenance in keeping up with all the external tools that would be needed to keep AD secure without the interim software.
Consider, for example, what happened this week with Verizon. Data was moved to the cloud and a rule was set by a sole employee that allowed account information to be exposed to the internet. Backman explained this is the risk when moving information to the cloud without an intermediary gatekeeper.
“The cloud makes it easy to deploy work, but there’s a default allow. This is an easy mistake to make,” Backman said.
To learn more about the anatomy of an attack, readily available tools, and the Skyport Solution, check out their webinar here.