Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

external domain coverage

Posted on 2013-10-30
1
Medium Priority
?
163 Views
Last Modified: 2013-11-14
I am trying to do some risk assessment work on the impact of having a weak domain password associated with a domain account. A 3rd party assessment found some domain accounts had weak passwords. Typically we would look at this as an internal only security issue, i..e only people with physical access to the offices would be able to exploit it. But I wondered what kind of external services would rely on domain passwords? Can you provide some examples where a weak domain password would possible be exploitable by someone outside your AD - i.e. from the Internet?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 13

Accepted Solution

by:
Daniel Helgenberger earned 2000 total points
ID: 39611301
Using weak passwords in domain accounts does not pose a threat from the 'outside internet' by definition.
The same is true for 'weak' passwords. They do not pose a threat - but are of course much easier compromised.
A threat are only compromised accounts.

The problem is rather how many services use domain accounts (starting with LDAP binds) and how they are accessed from the outside.
Example:
Your organization uses Active Directory internally. There is a firewall which is blocking all AD traffic to the outside. There would be no thread. But this setup is rather ancient, since most organizations use some kind web based access nowadays.

You have to assess:
- Which services are accessible from outside the internet using domain based access? For instance this can include Exchange, VPN, Company Web, WLAN, LAN, ect.
- Then you need to assess how one compromised account could impact your organization

The range can be very wide. For instance, if you only have access to a company web side, the attacker can only view the resources there. If it is an Exchange account, the attacker can retrieve all kind of info about your organization, being OAB, confidential emails and as well using this account for spam mails; resulting in your mail server getting blacklisted by RBL's - which may have a huge impact on your business.

The most imminent threat poses a VPN access; which will grant the attacker access to all the resources the user account may access. If the compromised account is a domain admin, then you can start digging your grave.
The same is true for instance with WLAN when used with RADIUS. An attacker only needs to be in range of the WLAN.

This is the reason why domain accounts should be on a 'need to know' bases, eg. only have access to the resources they really need to have. And even if users do not like it, you need to impose a strong password policy. Further, run a script with deactivates domain accounts not being used for certain period.
Also, protect access to domain admin accounts. These should not be used for common users, not even an administrator should be in the 'domian admin' group but rather use a separate account with short term rotating password. Rotating passwords help a lot here, if maybe an old password is found or users cannot apply a 'same password everywhere' policy; compromising their domain password if a private account gets hacked.
Also, protect VPN and Terminal Services access with two-factor-verification; eg. a PKI or SmartCard on top the domain credentials. As a general method with these services you should employ every security measure possible updating security policies ASAP when new options become available.
0

Featured Post

How Blockchain Is Impacting Every Industry

Blockchain expert Alex Tapscott talks to Acronis VP Frank Jablonski about this revolutionary technology and how it's making inroads into other industries and facets of everyday life.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question