Taking Action on Active Directory

Active Directory (AD) is ubiquitous cross-industry and due to its popularity, cybercriminals have continually targeted it. Therefore, prioritizing safe passwords in AD is crucial. Here are five ways to address the problem.

1. Use the Principle of Least Privilege (POLP)

When a network administrator is establishing the levels of access for every user of AD within the enterprise, it can be tricky. If the IT team is too tight with privileges, they may find employees constantly asking for access to files or systems they need. If the IT team is too generous, it can be extremely dangerous and pave the way for cybercriminals to attack and access the system.

Starting with a policy of least-access can help establish individual accountability and protect the system if attacked. POLP is straightforward: only give administrative privileges to those who are going to need it—and as an administrator, only give employees access to the domains they work on daily. Also, make sure that everyone has their own, identifiable account (as opposed to shared team accounts). This helps IT teams assign the most productive privileges to individuals.

2. Document and Backup

Document everything, especially the policies and configuration changes, so you can establish a miniature history of what happened when. Documenting your activities can be a saving grace if something goes wrong in the network or if an attack occurred from an external force.

Create ways of documenting, and backing up, network information including server names, IP addresses, trust relationships, group policy objects, organizational units, and domain configurations. If any of these things change, having a documented map of these actions—who did them, and when—within AD will help you backtrack, find the cause of the issue, and identify possible threats.

3. Employ a Password Management Tool

A password management tool can improve the security of employee passwords. It eliminates the need for users to memorize tens of unique passwords and reduces the chance that users will choose a single root password and re-use it across their accounts.

Additionally, a user-friendly password manager can discourage users from writing their passwords down or in a plain text file. Many password managers are freely available and can help change user routines almost overnight.

4. Revisit Existing Password Policies

The most important layer of security in AD is the password layer. Due to the vulnerability of user-generated passwords, you must revisit and potentially renovate the default password policies and complexity requirements.

The default AD policies include policies like, ‘no use of name or account name in the password,’ and various character complexity requirements like a mix of upper and lowercase, digits, and special characters.

These policies are so well known, but many of the requirements are outdated. NIST guidelines and research show that many of these complexity requirements backfire, and cause users to reuse passwords across personal and professional boundaries.

Your AD password policies should be built to make passwords as secure as possible. Read more about changes you can make here and here.

5. Screen for Compromised Credentials

The most effective way to enforce secure password usage is to screen for compromised credentials. Screening for passwords that have been found on the dark web or leaked in a recent breach acts as an active layer of defense for your enterprise’s network.

There are simple seamless plug-in tools, like Enzoic for AD, designed to scan the dark web for breached passwords without disrupting the other existing policies or impeding the user experience.

Neither AD nor passwords are going anywhere anytime soon, but breaches continue to occur at alarming rates. Addressing these safety concerns can smooth the security journey for users, MSPs, and IT teams alike. It’s time to take action and improve how you use Active Directory.