Solved

external domain coverage

Posted on 2013-10-30
1
160 Views
Last Modified: 2013-11-14
I am trying to do some risk assessment work on the impact of having a weak domain password associated with a domain account. A 3rd party assessment found some domain accounts had weak passwords. Typically we would look at this as an internal only security issue, i..e only people with physical access to the offices would be able to exploit it. But I wondered what kind of external services would rely on domain passwords? Can you provide some examples where a weak domain password would possible be exploitable by someone outside your AD - i.e. from the Internet?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 13

Accepted Solution

by:
Daniel Helgenberger earned 500 total points
ID: 39611301
Using weak passwords in domain accounts does not pose a threat from the 'outside internet' by definition.
The same is true for 'weak' passwords. They do not pose a threat - but are of course much easier compromised.
A threat are only compromised accounts.

The problem is rather how many services use domain accounts (starting with LDAP binds) and how they are accessed from the outside.
Example:
Your organization uses Active Directory internally. There is a firewall which is blocking all AD traffic to the outside. There would be no thread. But this setup is rather ancient, since most organizations use some kind web based access nowadays.

You have to assess:
- Which services are accessible from outside the internet using domain based access? For instance this can include Exchange, VPN, Company Web, WLAN, LAN, ect.
- Then you need to assess how one compromised account could impact your organization

The range can be very wide. For instance, if you only have access to a company web side, the attacker can only view the resources there. If it is an Exchange account, the attacker can retrieve all kind of info about your organization, being OAB, confidential emails and as well using this account for spam mails; resulting in your mail server getting blacklisted by RBL's - which may have a huge impact on your business.

The most imminent threat poses a VPN access; which will grant the attacker access to all the resources the user account may access. If the compromised account is a domain admin, then you can start digging your grave.
The same is true for instance with WLAN when used with RADIUS. An attacker only needs to be in range of the WLAN.

This is the reason why domain accounts should be on a 'need to know' bases, eg. only have access to the resources they really need to have. And even if users do not like it, you need to impose a strong password policy. Further, run a script with deactivates domain accounts not being used for certain period.
Also, protect access to domain admin accounts. These should not be used for common users, not even an administrator should be in the 'domian admin' group but rather use a separate account with short term rotating password. Rotating passwords help a lot here, if maybe an old password is found or users cannot apply a 'same password everywhere' policy; compromising their domain password if a private account gets hacked.
Also, protect VPN and Terminal Services access with two-factor-verification; eg. a PKI or SmartCard on top the domain credentials. As a general method with these services you should employ every security measure possible updating security policies ASAP when new options become available.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question