Establishing Context - What does a Domain Account Compromise have to do with Cyber Security?
Consequently, it also follows that a compromise of an organization's Active Directory could potentially be used to compromise any account, group, laptop, desktop or server, any file stored on any server, any application, any line-of-business (LOB) server, and so on.
By default, a Domain Admin account holder has complete, unrestricted access to all resources in the entire IT infrastructure. This is because every system needs at least one administrative account for administration purposes.
Impact of a Domain Admin Account Compromise
It continues to read -
"Even if you reinstall every domain controller in the forest, you are simply reinstalling the hosts on which the AD DS database resides. Malicious modifications to Active Directory will replicate to freshly installed domain controllers as easily as they will replicate to domain controllers that have been running for years."
In other words, a Domain Admin account compromise is potentially tantamount to a system-wide compromise.
If the ONLY way to re-establish 100% TRUST is to rebuild the entire IT infrastructure, which costs a proverbial BILLION dollars and is not really feasible, is there a proverbial MILLION dollar (i.e., cheaper) way to address this challenge?
Yes, and No.
- Immediately, REDUCE the number of Domain Admin accounts to a bare minimum
- Ensure that you can impose the HIGHEST levels of trust in the few Domain Admin accounts
- Disable their use. Enable them only on a need basis, and when they are used, ensure that 2 PAIRS of eyes are involved
- Establish policies that communicate in no uncertain terms, that should a willful or abetted misuse of administrative authority be found, there will undoubtedly be legal repercussions for the perpetrator
- Proactively audit administrative access in Active Directory on a weekly/fortnightly basis
- Implement 24x7 Active Directory auditing to monitor the management and use of Domain Admin accounts
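The first, third and fifth measures above (a bare-minimum set of Domain Admins, kept disabled until needed, and audited every week or fortnight) can be checked with a short script. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed and that the approved list of Domain Admin accounts is kept in a hypothetical file `C:\Audit\approved-domain-admins.txt`, one sAMAccountName per line.

```powershell
# Added example (not from the original post): periodic audit of Domain Admins membership.
# Assumptions: the ActiveDirectory (RSAT) module is available, and the approved-account
# baseline lives at the hypothetical path below, one sAMAccountName per line.
Import-Module ActiveDirectory

$BaselinePath = 'C:\Audit\approved-domain-admins.txt'   # hypothetical path
$Approved = Get-Content -Path $BaselinePath | Where-Object { $_ -and $_ -notmatch '^\s*#' }

# Recursive expansion so a nested group cannot quietly carry an extra administrator.
$Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
    }

$Report = foreach ($u in $Members) {
    [pscustomobject]@{
        Account         = $u.SamAccountName
        Enabled         = $u.Enabled
        LastLogonDate   = $u.LastLogonDate
        PasswordLastSet = $u.PasswordLastSet
        Approved        = $Approved -contains $u.SamAccountName
    }
}

# Findings a reviewer acts on: members not in the baseline, approved accounts left
# enabled (the post says they should stay disabled until needed), and baseline
# accounts that are no longer members (the baseline itself may be stale).
$Unapproved  = $Report   | Where-Object { -not $_.Approved }
$LeftEnabled = $Report   | Where-Object { $_.Approved -and $_.Enabled }
$Removed     = $Approved | Where-Object { $_ -notin $Report.Account }

$Report | Sort-Object Approved, Account | Format-Table -AutoSize

if ($Unapproved)  { Write-Warning "Unapproved Domain Admins: $($Unapproved.Account -join ', ')" }
if ($LeftEnabled) { Write-Warning "Approved admins still enabled: $($LeftEnabled.Account -join ', ')" }
if ($Removed)     { Write-Warning "Baseline accounts no longer members: $($Removed -join ', ')" }

# Keep a dated copy so week-over-week changes can be compared.
$Report | Export-Csv -Path "C:\Audit\domain-admins-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it under a scheduled task as a read-only account; it needs only the right to read group membership and user attributes, not Domain Admin rights itself.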
Lastly, let me also state unequivocally that there is no shortcoming in Active Directory in regards to being able to precisely authorize/specify access. In fact, Active Directory offers arguably the world's most highly securable security model, wherein access can be very precisely specified based on the principle of least privilege.
- Is the vendor offering this solution at least as trustworthy as Microsoft?
- Is this solution developed by highly proficient developers?
- Is it developed in a trustworthy country, or in a foreign country where hackers or other malicious entities could easily (physically, or via a network security compromise) obtain access to its code base?
PS: 2016 Update: If you liked this post, perhaps you'll like this too - Defending Active Directory Against Cyberattacks