Everything You Need to Know about Active Directory Security

Your How-to Guide to Find and Fix Active Directory Security Vulnerabilities and Eliminate Attack Paths

Active Directory security encompasses the people, processes and tools your organization uses to identify vulnerabilities, misconfigurations, and other security issues within your Active Directory. IT administrators use Active Directory, a Microsoft Windows directory service, to manage a range of functions including applications, users, and other components of your network. Active Directory is a key tool for identity and access management.

Many organizations overlook Active Directory even though it’s a target that bad actors want to breach to gain access to your systems and then move laterally throughout your network. As such, Active Directory security is an important part of your overall cybersecurity program, helping to protect your sensitive data, applications, systems, user credentials, and other network aspects from potential breaches.

In this Active Directory knowledgebase, we’ll share with you more information about what Active Directory is, how your organization can use it, and best practices for securing your Active Directory and including it as part of your overall risk-based vulnerability management program.

Here are a few highlights of what you’ll find:

Top 10 Active Directory Security Questions CISOs Must Ask

Do you know what to look for in an Active Directory security solution? Here are the top 10 questions every CISO should ask.

Secure Active Directory and Eliminate Attack Paths

Do you know how to discover and prioritize your Active Directory risks? Watch this webinar to learn how.

Active Directory FAQ

Here are some frequently asked questions about Active Directory and Active Directory security.

Active Directory Attack Path

Attackers want access to your Active Directory so they can move laterally, escalate privileges and take over your domain in minutes.

Tenable Active Directory Community

Tenable’s Active Directory Community is a great place to talk with other professionals about common AD issues and tools.

Tenable Identity Exposure for Active Directory Security

Tenable Identity Exposure can help you find and fix all of your Active Directory weaknesses in real time and proactively prevent attacks.

Secure Your Active Directory to Eliminate Attack Paths

Tenable Identity Exposure Helps you See, Predict and Act to Proactively Address Active Directory Vulnerabilities

When successfully breached, your Active Directory can be a gateway for attackers looking to make lateral movements through your network, often undetected. Unfortunately, Active Directory security is an often-overlooked, but important part of securing your enterprise. With Tenable Identity Exposure, you can quickly find and fix Active Directory vulnerabilities, eliminate attack paths, prevent lateral movement, and stop privilege escalation before a breach happens.

Securing Active Directory: How to Proactively Detect Attacks

Attackers have a sophisticated approach to Active Directory attacks, an attack pathway often overlooked by organizations, even those with a relatively mature cybersecurity program. And even for organizations that are aware Active Directory can come under attack, their traditional approach to security just doesn’t work well for Active Directory.

Over the years, Microsoft has offered up some security solutions for on-premises Active Directory security, but few, if any, of them have had the sticking power for organizations to commit to them. Instead, they’re often short-lived or replaced with other solutions. While other security solutions have edged into the market over the past two decades, for example, group policy management, they just don’t offer true, comprehensive security for your Active Directory environment. That’s because new attacks are complex and often hidden and detection isn’t always easy.

Most Active Directory solutions were created a decade or so ago, and they just haven’t kept up with the changing Active Directory environment, which now encompasses more assets and more diverse asset types. While some solutions, such as AD monitoring or a SIEM, may alert when they uncover an issue, few can proactively detect a wide array of attacks, which leaves your organization unable to fix misconfigurations or other issues before they are exploited.

Tenable Identity Exposure, however, doesn’t need an attack log before it can alert you to issues. Instead, it uses your raw AD replication stream to find problems before a successful breach.

In this white paper, learn more about other common Active Directory security challenges and find out how Tenable Identity Exposure can help you conquer them, including:

  • How attacks use misconfigurations for privileged access
  • How you can discover misconfigurations in your Active Directory
  • How to employ proactive solutions that work across all of your Active Directory installations

A Global Threat to Enterprises: The Impact of Active Directory Attacks

Active Directory, in its very nature, is a single point of failure, and we’re seeing the number of Active Directory attacks around the globe increase in both volume and severity. Active Directory attacks are a threat to all global enterprises, regardless of industry.

In this white paper, take a closer look at some of today’s most common Active Directory risks and the potentially catastrophic impacts they can have on organizations, including a closer look at 15 significant corporate breaches and best practices to protect your Active Directory from similar attacks.

You can also explore five high-level risks that your organization should make a priority to address, including the impact of Active Directory attacks on business continuity, brand damage and customer trust, and competitive loss and IP threats. This white paper also offers practical tips to help your organization implement effective Active Directory security, including the adoption of automation tools and real-time event monitoring.

A King's Ransom: How to Stop Ransomware Spreading via Active Directory

Security breaches are expensive and cost businesses as much as $170 billion every year. In 2019 alone, hacking cost the U.S. about $3.5 billion. Attackers know Active Directory holds the keys to your kingdom, so they’re continuously looking for ways to infiltrate your systems through AD and move laterally unnoticed.

One of attackers’ favorite methods is ransomware deployment through Active Directory, where organizations, on average, pay about $84,000 in ransom following a successful breach. But your Active Directory doesn’t have to be vulnerable to these attacks. In this white paper, you can take a deeper dive into how you can prevent ransomware spread through your Active Directory with six quick tips to protect access to your privileged Active Directory accounts.

Tenable Connect community: Your go-to resource for Active Directory security

Do you have questions about Active Directory security? Do you need help building Active Directory security into your existing cybersecurity program? Tenable Connect is a great place to connect with others interested in Active Directory security. Join them and explore some common challenges and great solutions for today’s pressing Active Directory security needs.

Here are some sample conversations happening now:

LDAP searches returning only 1000 results

When performing Active Directory/LDAP searches for assets or users in Tenable Security Center, you may encounter situations where a maximum of 1000 results is returned regardless of the actual number of users/assets that match the query in LDAP/Active Directory.

Login Type Shown as (authentication: password) When Failing to Login with an LDAP User Account

If you set up an LDAP user account and then change the case of the username, that will break the Tenable Security Center connection to that Active Directory user account. When that user attempts to log in, it will fail.

Which mobile technology is supported by Tenable?

Integrations are available with the following MDM systems: Exchange 2010 or later (via Active Directory); Apple Profile Manager as shipped with Mac OS X 10.7 server; MobileIron; AirWatch; and Good for Enterprise.

Frequently Asked Questions about Active Directory Security

Are you new to Active Directory security? Do you have questions about Active Directory vulnerabilities and risks but aren’t sure where to start? This FAQ is a great place to begin:

What is Active Directory?

Active Directory is a Microsoft directory service for Windows that enables your organization to effectively manage all of your users, credentials, systems, applications, and data across your network. It's often used for identity and access management to control who has access to what within your network.

What is Active Directory used for?

Organizations use Active Directory to manage permissions, credentials, and access controls for data, systems, and applications across a network.

What is Active Directory security?

Active Directory Security encompasses all of the processes and tools your organization uses to protect your Active Directory environment, including finding vulnerabilities, misconfigurations, and other security issues, and prioritizing them for remediation to proactively prevent attackers from gaining access to your Active Directory and making lateral moves and escalating privileges to take full control of your domains. You can use Active Directory security to protect all of your users, including credentials, as well as all of your organization's data, systems and applications.

What is an Active Directory object?

An Active Directory object is one of the resources that make up your Active Directory domain. There are a variety of object types, such as users, folders, groups, printers, and computers. All objects within your Active Directory should have a unique security identifier (SID) your administrators can use to grant or deny access to the object.

What are the three main components of Active Directory security?

There are three main components for Active Directory: domains, trees, and forests.

What is an Active Directory domain?

In Active Directory, a domain is a way to organize areas of your network around a single authentication database. Think of it as the way you group your objects (users, computers, folders, etc.) together in a way that makes sense logically. Once you establish your Active Directory domain, your administrators can use it to establish boundaries within your network.

What is an Active Directory tree?

An Active Directory tree is a collection of domains within your AD environment. If you were to graph it, a root domain would sit as the parent at the top of your chart with child domains in a tree structure below it. Multiple Active Directory trees together form your Active Directory forest.

What is an Active Directory forest?

An Active Directory forest is a collection of Active Directory trees. Your forest is built on trust relationships so domains can communicate across your network. The forest is the highest level of your Active Directory hierarchy, and that top layer is also part of your Active Directory security. Your organization may use either a single-forest or a multi-forest design within your AD.

What are the five roles in Active Directory?

In Active Directory, there are five main responsibilities for domain controllers, referred to as Flexible Single Master Operation (FSMO) roles, that together keep your Active Directory environment consistent. The five FSMO roles are: schema master (one per forest); domain naming master (one per forest); relative ID (RID) master (one per domain); primary domain controller (PDC) emulator (one per domain); and infrastructure master (one per domain).

What does an Active Directory schema master do?

In Active Directory, the schema master manages read and write access to your schema.

What does an Active Directory domain naming master do?

In Active Directory, your domain naming master manages domain naming so you don't accidentally create a domain in a forest where you already have a domain with that same name.

What does the Active Directory RID master do?

In Active Directory, the RID master is responsible for allocating the relative identifiers your domain controllers use to build security identifiers (SIDs) as they create new objects.

What does a PDC emulator do in Active Directory?

In Active Directory, the domain controller that holds the PDC emulator role is the authoritative controller for your domain, which includes handling password changes, group policy objects, and other authentication tasks.

What does an Active Directory infrastructure master do?

The Active Directory infrastructure master is responsible for translating references between your domains, such as distinguished names and globally unique identifiers (GUIDs).

What types of groups are in Active Directory security?

There are two primary group types in Active Directory security: security groups and distribution groups. Distribution groups are for one-way notifications through your central controller. Security groups control user access, for example the ability to modify data.

Why do I need Active Directory security?

You need Active Directory security to identify, prioritize, and remediate security weaknesses within your Active Directory. Active Directory security is often overlooked by many organizations. Attackers know this, and that’s why they keep Active Directory in their toolbox of tricks. If an attacker can successfully access your Active Directory, they can move laterally throughout your network, escalate privileges, and take control of your domain. The average attacker can achieve total domain control in less than 20 minutes. Active Directory security gives you insight into areas attackers may exploit so you can proactively eliminate attack paths and respond to events in real time.

What are common services in Active Directory?

Active Directory Domain Services enables you to store data and make that data available through your network. This can include information about your users including passwords, names, and more.

What is identity and access management?

Identity and Access Management (IAM) consists of the policies, procedures, and tools your organization uses to manage identities within your Active Directory environments so you can effectively control which users can access what data within your network.

Is Active Directory a tool?

Yes. Active Directory is a tool your organization can use to manage your network.

What are some benefits of Active Directory security?

There are a number of benefits of employing Active Directory security as part of your overall cybersecurity program. Here are a few:

  • vulnerability and misconfiguration discovery for remediation
  • real-time insight into attack attempts as they happen
  • visibility into your Active Directory environment
  • the ability to proactively prevent attackers from gaining access to your network, moving laterally and escalating privileges to take over your domain
  • front-end control of your cyber kill chain
  • centralized configuration control

Understanding the Active Directory Security Attack Path

In the early years of Active Directory, most organizations only had a handful of objects that could control your domains. For Active Directory security, all you had to do was isolate and monitor those objects. But a lot has changed for Active Directory in the past two decades. Today, most Active Directory environments consist of a complex sea of objects, all with varying degrees of control of your domains and with an expanding list of privilege interdependencies.

As a result, modern Active Directories often have overlooked or unknown misconfigurations, vulnerabilities, or other interdependencies that attackers can exploit to escalate privileges and move laterally throughout your network unnoticed. Once in, they can take complete control of your domains.

From initial foothold into your Active Directory, for example, through a successful phishing attempt or vulnerability exploitation, attackers can move to total domain domination in about 17 minutes. The attack pathway commonly looks like this:

  • Initial foothold: via phishing or vulnerability
  • Elevate: gain privileged access
  • Evade: hide forensic footprints
  • Establish: install code for permanence
  • Exfiltrate: exfiltrate data or hold target to ransom
  • Explore: lateral movement across the target environment

Blog

Disrupting the Pervasive Attacks Against Active Directory and Identities

If you want to prevent attackers from being able to move laterally within your network and escalate privileges, then you should include Active Directory security in your risk-based approach to cybersecurity. If an attacker successfully gets access to your Active Directory, they’re likely to seek out high-level privileges so they can get access to more information and move deeper into your systems, creating backdoor access that often goes unnoticed. Tenable Identity Exposure, however, shines a light on these hidden pathways, giving your organization opportunities to stop attacks before they happen, including insight into new admin account creation, permission changes, new trust relationships, and more.

Securing Active Directory: 3 Ways to Close the No-Password Loophole

Active Directory has a number of security issues attackers can exploit, including negating password requirements with a simple command, something commonly missed during routine security reviews and audits. This blog explores three simple ways you can secure these accounts: creating a saved query in Active Directory with a custom LDAP filter, using the PowerShell module, and continuously monitoring all users to ensure none are set up to not require a password.
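As an added example (not code from the blog or from Tenable), this Python check implements the third of those approaches over a constructed sample export: it decodes the userAccountControl bit field, flags every account with PASSWD_NOTREQD set, and carries the equivalent LDAP filter a saved query would use.

```python
"""Find Active Directory accounts flagged as not requiring a password.

Added example, not Tenable's code. The userAccountControl attribute is a
bit field; when the PASSWD_NOTREQD bit (0x0020) is set, the account may
have an empty password regardless of the domain password policy. The
sample records below are constructed, not exported from a real domain.
"""

# A subset of the documented userAccountControl flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

# Equivalent LDAP filter for a saved query: 1.2.840.113556.1.4.803 is the
# bitwise-AND matching rule, so this matches users with the 0x20 bit set.
NO_PASSWORD_LDAP_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=32))"
)


def decode_uac(value: int) -> list[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_no_password_accounts(records):
    """Return (sAMAccountName, enabled, flags) for every account whose
    userAccountControl has PASSWD_NOTREQD set, in the order seen.
    Enabled accounts are the urgent ones; disabled ones still need
    cleanup before someone re-enables them."""
    findings = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if uac & PASSWD_NOTREQD:
            enabled = not (uac & ACCOUNTDISABLE)
            findings.append((rec["sAMAccountName"], enabled, decode_uac(uac)))
    return findings


# Constructed sample export, shaped like rows from an LDAP search or a
# Get-ADUser -Properties userAccountControl dump.
SAMPLE_RECORDS = [
    {"sAMAccountName": "alice",   "userAccountControl": 512},    # normal user
    {"sAMAccountName": "svc-bak", "userAccountControl": 544},    # 512 + 0x20
    {"sAMAccountName": "old-tmp", "userAccountControl": 546},    # disabled + 0x20
    {"sAMAccountName": "bob",     "userAccountControl": 66048},  # 512 + 0x10000
]

if __name__ == "__main__":
    for name, enabled, flags in find_no_password_accounts(SAMPLE_RECORDS):
        state = "ENABLED" if enabled else "disabled"
        print(f"{name} ({state}): {', '.join(flags)}")
```

Against a live domain the same rows come from the PowerShell module, for example `Get-ADUser -Filter 'PasswordNotRequired -eq $true'`, which matches the same bit.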

Securing Active Directory: How to Prevent the SDProp and adminSDHolder Attack

Did you know that attackers can get access to your Active Directory by abusing the SDProp process and then gain privileges through your adminSDHolder object? Attackers know that if they add a rogue user or group to the adminSDHolder ACL, the next time your SDProp process runs they automatically get access to every privileged user and group, and the rogue entries are sometimes re-applied 60 minutes after being discovered and removed. Who has time for that much manual monitoring? The good news is Tenable Identity Exposure can handle it for you, constantly evaluating your attack pathways and alerting you when there’s a new one.
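The monitoring described above, as an added example that is not Tenable's code: parse the adminSDHolder DACL from its SDDL form, diff it against a trusted baseline, and rate any ACE that grants control rights to an unexpected trustee as high severity. The SDDL strings, SIDs and baseline are constructed for illustration.

```python
"""Alert on adminSDHolder ACEs that are absent from a trusted baseline.

Added example, not Tenable's code. SDProp copies the adminSDHolder DACL onto
every protected account and group each time it runs, so an ACE that is on
adminSDHolder but not in your baseline is an attack path to all of them.
Both SDDL strings below are constructed; a real check reads the
nTSecurityDescriptor of the adminSDHolder object and keeps the baseline from
a known-good snapshot.
"""
import re

# Rights that let a trustee change security, ownership, membership or
# properties of protected objects; a new ACE with any of these is high severity.
CONTROL_RIGHTS = {"GA", "GW", "WD", "WO", "WP", "CC", "DC", "SD"}
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")  # O: G: D: S: parts
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_ace(body):
    """Split 'type;flags;rights;objguid;inhguid;trustee' into a hashable tuple."""
    ace_type, _flags, rights, obj_guid, _inh, trustee = body.split(";")
    if rights.startswith("0x"):  # raw access mask instead of two-letter codes
        right_set = frozenset([rights])
    else:
        right_set = frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))
    return (ace_type, right_set, obj_guid, trustee)

def parse_dacl(sddl):
    """Return the ACEs in the D: (DACL) section of an SDDL string."""
    for key, section in SECTION_RE.findall(sddl):
        if key == "D":
            return [parse_ace(m) for m in ACE_RE.findall(section)]
    return []

def new_aces(current_sddl, baseline_sddl):
    """Return (trustee, rights, severity) for each ACE in the current DACL
    that is not in the baseline, in DACL order."""
    baseline = set(parse_dacl(baseline_sddl))
    findings = []
    for ace in parse_dacl(current_sddl):
        if ace in baseline:
            continue
        ace_type, rights, _obj, trustee = ace
        high = ace_type in ("A", "OA") and bool(rights & CONTROL_RIGHTS)
        findings.append((trustee, "".join(sorted(rights)), "high" if high else "info"))
    return findings

# Constructed baseline: full control for Domain Admins, Enterprise Admins and
# SYSTEM; read for Authenticated Users and Builtin Administrators.
BASELINE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;RPWPCCDCLCSWRCWDWOGA;;;DA)(A;;RPWPCCDCLCSWRCWDWOGA;;;EA)"
    "(A;;RPWPCCDCLCSWRCWDWOGA;;;SY)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;BA)"
)
# Constructed current state: two unknown domain SIDs were added, one with
# full control and one read-only.
CURRENT_SDDL = BASELINE_SDDL + (
    "(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-5-21-1111-2222-3333-1105)"
    "(A;;RPLCLORC;;;S-1-5-21-1111-2222-3333-1106)"
)

if __name__ == "__main__":
    for trustee, rights, severity in new_aces(CURRENT_SDDL, BASELINE_SDDL):
        print(f"[{severity}] new adminSDHolder ACE: {trustee} rights={rights}")
```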

The Top 10 Active Directory Security Questions CISOs Must Ask

Although it’s been around for more than 20 years, Active Directory has been adaptable to meeting changing business needs, which is visible in its increased adoption and usage. But unfortunately, many organizations using Active Directory don’t know how to properly secure it, and many don’t know what they need when they’re looking for an Active Directory security solution. This blog takes a deeper dive into the top 10 questions every CISO should ask before finalizing your short-list for a new Active Directory security solution. With careful planning, you can ensure your organization selects a solution that is both resilient and can scale with you over time.

Tenable Identity Exposure

Weak and misconfigured settings are a gateway for attackers who want to get into your Active Directory so they can move laterally and escalate privileges, often without you knowing they’re there. With Tenable Identity Exposure, you can prevent and detect Active Directory attacks simply and automatically.

Visibility

Get unparalleled visibility into your Active Directory environment so you can discover all your vulnerabilities, misconfigurations, and security issues.

Prioritization

Understand which Active Directory security risks should get your attention first and follow a step-by-step guide for remediation.

Reduce Cyber Exposure

Reduce your Active Directory exposures in real time with continuous and automated detection of new attack pathways.

Real-Time Detection

Discover and defend against attacks in real time without needing agents or privileges.

See Tenable Identity Exposure in Action

Continuously detect and respond to Active Directory attacks in real time. No agents. No privileges. Stop lateral movement. Prevent privilege escalation. On-prem and cloud-based options available.
