Solved

external domain coverage

Posted on 2013-10-30
1
158 Views
Last Modified: 2013-11-14
I am trying to do some risk assessment work on the impact of having a weak domain password associated with a domain account. A 3rd party assessment found some domain accounts had weak passwords. Typically we would look at this as an internal only security issue, i..e only people with physical access to the offices would be able to exploit it. But I wondered what kind of external services would rely on domain passwords? Can you provide some examples where a weak domain password would possible be exploitable by someone outside your AD - i.e. from the Internet?
0
Comment
Question by:pma111
1 Comment
 
LVL 13

Accepted Solution

by:
Daniel Helgenberger earned 500 total points
ID: 39611301
Using weak passwords in domain accounts does not pose a threat from the 'outside internet' by definition.
The same is true for 'weak' passwords. They do not pose a threat - but are of course much easier compromised.
A threat are only compromised accounts.

The problem is rather how many services use domain accounts (starting with LDAP binds) and how they are accessed from the outside.
Example:
Your organization uses Active Directory internally. There is a firewall which is blocking all AD traffic to the outside. There would be no thread. But this setup is rather ancient, since most organizations use some kind web based access nowadays.

You have to assess:
- Which services are accessible from outside the internet using domain based access? For instance this can include Exchange, VPN, Company Web, WLAN, LAN, ect.
- Then you need to assess how one compromised account could impact your organization

The range can be very wide. For instance, if you only have access to a company web side, the attacker can only view the resources there. If it is an Exchange account, the attacker can retrieve all kind of info about your organization, being OAB, confidential emails and as well using this account for spam mails; resulting in your mail server getting blacklisted by RBL's - which may have a huge impact on your business.

The most imminent threat poses a VPN access; which will grant the attacker access to all the resources the user account may access. If the compromised account is a domain admin, then you can start digging your grave.
The same is true for instance with WLAN when used with RADIUS. An attacker only needs to be in range of the WLAN.

This is the reason why domain accounts should be on a 'need to know' bases, eg. only have access to the resources they really need to have. And even if users do not like it, you need to impose a strong password policy. Further, run a script with deactivates domain accounts not being used for certain period.
Also, protect access to domain admin accounts. These should not be used for common users, not even an administrator should be in the 'domian admin' group but rather use a separate account with short term rotating password. Rotating passwords help a lot here, if maybe an old password is found or users cannot apply a 'same password everywhere' policy; compromising their domain password if a private account gets hacked.
Also, protect VPN and Terminal Services access with two-factor-verification; eg. a PKI or SmartCard on top the domain credentials. As a general method with these services you should employ every security measure possible updating security policies ASAP when new options become available.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question