How do we protect the Achilles’ heel of Microsoft Active Directory? Managing non-personal user accounts
Why is it important to secure Microsoft Active Directory, and in particular to maintain and review its non-personal accounts, and what are the industry best practices in this area? To answer this question, we first clarify the definitions.
What is Active Directory?
Active Directory (AD) is Microsoft's directory service for Windows domain networks. It consists of the directory database and the services that run it. Its main purpose is to authenticate and authorise the users and computers in the domain, allowing centralised administration of all resources published on the network (files, shares, printers and other peripherals, connections, databases, users, groups, etc.), or decentralised control of those resources by delegating administrative rights.
In most large companies the internal network is built on Microsoft products, so an Active Directory is present and its security is particularly important. In this article we focus on one of the many security issues associated with AD: non-personal user accounts.
What type of non-personal users exist?
Several account types can be created in Active Directory, distinguished by function and usage. We highlight two:
A Generic Account (GA) is an account with a generic name that is shared by several users, for example [email protected] or [email protected]. In the short term, an account that more than one person can use seems convenient, especially when sub-tasks are shared between several users. In the long term, however, the lack of accountability for such an account is a major source of risk: when it is misused, nobody can say who was behind the keyboard.
A Service Account (SA) is an account associated with a service rather than a person. It should be granted only the least privilege needed to perform its task. For example, [email protected] is a service account set up to manage printers and should be permitted to manage printers only. The key benefit of this setup is that if an unauthorised user gains control of the account, the damage is limited to the printing infrastructure and does not extend to the rest of the company's assets.
What could be the problem?
Like any system that organises something, AD requires proper maintenance. Without thorough, scheduled account reviews, an account may be left with a password that is too weak and easily guessed by an unauthorised party. A GA may be used by several people, making it difficult to identify who is responsible for a given action. And when employees leave or change roles, failing to change the passwords they knew, or to lock their accounts, is also a high risk.
In summary, the root cause of most Active Directory account problems is the absence of an appropriate review process: without one, the number of unmanaged accounts grows unchecked, and the organisational knowledge of who owns each account and what it is for is lost.
As a result, control over non-personal accounts is inadequate, and external or internal attackers can take control of them without any special technical skill and use them to reach valuable corporate resources and data.
What can we do?
The question rightly arises: what can be done to improve Active Directory security in this respect? The first step is to:
Identify the risks and implement good practices
Mapping risks and implementing good practices go hand in hand: a well-established practice for creating and managing accounts makes it easier both to assess risks and to review accounts regularly.
Good practice when creating an account is to document it thoroughly at the moment of creation: the date of creation, the system or physical location it belongs to, the name of the first owner, and the name of that owner's supervisor at the time. The simplest way to capture this is a well-designed request form that initiates the creation.
A preliminary mapping of the operation of the accounts
During the remediation it is essential that the organisation has experts in place who can extract the details of AD users and their activity. Once the report is complete, check whether every non-personal account is known in detail: what does it do, who "owns" it, and who is responsible for it?
In addition, the accounts can be categorised by password strength using an authorised, offline password audit with password-cracking software. Owners of accounts with inadequate passwords should be contacted directly and treated as a high priority during the process.
For accounts that are harder to identify, start with the log files, i.e. the records of events and changes kept by operating systems and applications.
While setting up log management, consider the following:
- Do we know what the account is doing?
- Do we have a technical means to capture and understand activity beyond logon and logoff, which is what actually tells us how the account is used?
- Could the account have logged on a long time ago yet still be in use? For example, the last logon recorded for the account of a measurement device may be far in the past even though the device has been active since. Note also that the replicated lastLogonTimestamp attribute (shown as LastLogonDate) is updated only every 9 to 14 days, so check the non-replicated lastLogon value on every domain controller before declaring an account stale.
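The preliminary mapping described above (which accounts exist, who owns them, when they were last used, and how their passwords are configured) can be produced directly from the directory. The following PowerShell is an added example written for this article, not a tool of the original authors. It assumes the RSAT ActiveDirectory module and that non-personal accounts are kept in a dedicated OU whose distinguished name is passed in; the OU path, thresholds and function names are assumptions to adapt to your own naming convention.

```powershell
# Added example (not from the original article): inventory of non-personal
# accounts for the preliminary mapping step. Requires the RSAT ActiveDirectory
# module and rights to read the directory. $SearchBase is an assumption; if you
# have no dedicated OU, replace -Filter * with a filter on your naming prefix.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    # LastLogonDate is derived from lastLogonTimestamp, which replicates only
    # every 9-14 days and is therefore approximate. lastLogon is exact but not
    # replicated, so every domain controller is asked and the newest value kept.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $newest = 0
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
            if ($u.lastLogon -gt $newest) { $newest = $u.lastLogon }
        } catch { Write-Warning "Could not query $($dc.HostName): $_" }
    }
    if ($newest -eq 0) { return $null }
    return [DateTime]::FromFileTime($newest)
}

function Get-NonPersonalAccountInventory {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. "OU=ServiceAccounts,DC=corp,DC=example" (assumed)
        [int]$StaleAfterDays = 90,
        [int]$PasswordAgeLimitDays = 365
    )
    $now = Get-Date
    $props = 'Description','ManagedBy','PasswordLastSet','PasswordNeverExpires',
             'PasswordNotRequired','LastLogonDate','whenCreated'
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $props | ForEach-Object {
        $lastLogon = Get-TrueLastLogon -SamAccountName $_.SamAccountName
        $findings = @()
        # Each finding maps to one of the review questions in the article.
        if (-not $_.ManagedBy)       { $findings += 'no owner (managedBy empty)' }
        if (-not $_.Description)     { $findings += 'no description / purpose' }
        if ($_.PasswordNeverExpires) { $findings += 'password never expires' }
        if ($_.PasswordNotRequired)  { $findings += 'password not required' }
        if ($_.PasswordLastSet -and ($now - $_.PasswordLastSet).Days -gt $PasswordAgeLimitDays) {
            $findings += "password older than $PasswordAgeLimitDays days"
        }
        if ($_.Enabled -and (-not $lastLogon -or ($now - $lastLogon).Days -gt $StaleAfterDays)) {
            $findings += "enabled but no logon in $StaleAfterDays days"
        }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            Created         = $_.whenCreated
            Owner           = $_.ManagedBy
            Purpose         = $_.Description
            PasswordLastSet = $_.PasswordLastSet
            LastLogon       = $lastLogon
            Findings        = ($findings -join '; ')
        }
    }
}

function Set-NonPersonalAccountRecord {
    # Once the owner has confirmed the purpose, record both on the object itself
    # (managedBy and description) so that the next review finds them in place.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$OwnerSamAccountName,
        [Parameter(Mandatory)][string]$Purpose
    )
    $owner = Get-ADUser -Identity $OwnerSamAccountName
    Set-ADUser -Identity $SamAccountName -ManagedBy $owner.DistinguishedName -Description $Purpose
}

# Usage: produce the review list that goes to the account owners (path assumed).
Get-NonPersonalAccountInventory -SearchBase 'OU=ServiceAccounts,DC=corp,DC=example' |
    Sort-Object Findings -Descending |
    Export-Csv -Path .\non-personal-accounts.csv -NoTypeInformation
```

The per-DC lastLogon query is slow in a large forest but is the only way to avoid the false "stale" verdict the last bullet warns about; run it once per review rather than interactively. The resulting CSV is the artefact to take into the owner conversations described later in the process.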
Managing the risks
To make the risk management process transparent, it is divided into two parts:
- The general objectives determine what happens to the accounts once the process ends; they answer the question: what should be done with them?
- The remediation process details the steps by which we get there.
Defining the objectives is not necessarily separated in time from the other steps. Practice shows that as the process progresses, the list of objectives grows with the knowledge gained about the accounts, so the two parts are iterative in nature.
General objectives for managing risks
- For every account type, the first objective is to identify the account owner.
- Account passwords, and the enforcement of password changes, should be aligned with the current information security policy.
- The account's recorded information (owner, supervisor, purpose, date of creation) should be completed along the lines of the good practices mentioned above.
- Redundant and unused accounts should be disabled first, so they can be re-enabled if something unexpectedly breaks, and deleted after a retention period.
Generic Account
Generic Accounts (GA) should not be created. For GAs that already exist, it is worth understanding their purpose. For example, accountants may collect certain invoices in a GA mailbox; external auditors may in the past have received the data they requested through a GA; or members of the company leisure club set up 10 years ago may still communicate with each other through one.
Fortunately, more efficient and more secure alternatives now exist for all of these. The accountants' and the leisure club's accounts can be converted into shared mailboxes, which each user opens with their own personal credentials, and material for auditors should be shared on a dedicated, more secure platform.
As a rule of thumb, it is best not to use GAs at all.
Service Account
Some useful tips for managing SAs:
- Set password parameters for each group of service accounts according to the information security policy.
- For non-human users, frequent password changes are not always feasible. In such cases, compensate with much stronger requirements: long, randomly generated passwords that are never typed by a person.
- Restrict where service accounts can log on: block access from outside the network, and allow network logon only to the hosts on which the service actually runs.
- Consider denying interactive (on-screen) logon, both remote and local, since a service has no need to sit at a console.
- Consider more detailed logging and continuous monitoring, especially where the account is used for purposes other than the one it was created for. In such cases the system should also forward its logs to the team responsible for security operations (the SOC team, if there is one), and that team should be involved in deciding when the logs are reviewed and who is responsible for the review.
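Two of these tips in working form, as an added example rather than code from the original article: the password tips are implemented with a Fine-Grained Password Policy (PSO) applied to a group that holds the service accounts, and the monitoring tip with a check of the Windows Security log for interactive logons by those accounts, which should never appear once interactive logon has been denied. The group name 'SVC-Accounts', the policy name 'PSO-ServiceAccounts', the thresholds and the function names are assumptions.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module, a group 'SVC-Accounts' containing the service accounts, and rights to
# create password settings objects and read the Security log. Names are assumed.
Import-Module ActiveDirectory

function Set-ServiceAccountPasswordPolicy {
    # Long, rarely rotated, never-typed passwords for every member of the group.
    param(
        [string]$GroupName  = 'SVC-Accounts',          # assumed group of all SAs
        [string]$PolicyName = 'PSO-ServiceAccounts',   # assumed PSO name
        [int]$MinLength     = 25,
        [int]$MaxAgeDays    = 365
    )
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
        New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
            -MinPasswordLength $MinLength -ComplexityEnabled $true `
            -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays) `
            -MinPasswordAge (New-TimeSpan -Days 1) -PasswordHistoryCount 24 `
            -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
            -ReversibleEncryptionEnabled $false
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
    # The PSO with the lowest precedence wins; verify what one member actually gets.
    Get-ADGroupMember $GroupName | Where-Object objectClass -eq 'user' |
        Select-Object -First 1 | Get-ADUser | Get-ADUserResultantPasswordPolicy
}

function Get-ServiceAccountInteractiveLogons {
    # Event 4624 is written on the machine where the logon happened, not on the
    # domain controller, so point this at the servers the service accounts are
    # used on (or at the log collector that receives their Security logs).
    param(
        [string]$GroupName    = 'SVC-Accounts',
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours           = 24
    )
    $svcNames = Get-ADGroupMember $GroupName | Where-Object objectClass -eq 'user' |
        ForEach-Object { $_.SamAccountName }
    # Logon types that imply a human at a keyboard or an RDP session.
    $interactive = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $type = [int]$d['LogonType']
        # -contains is case-insensitive in PowerShell, so no normalisation needed.
        if ($svcNames -contains $d['TargetUserName'] -and $interactive.ContainsKey($type)) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = $d['TargetUserName']
                LogonType  = $interactive[$type]
                SourceHost = $d['WorkstationName']
                SourceIp   = $d['IpAddress']
            }
        }
    }
}

# Usage: apply the policy once, then run the logon check on each host that runs
# a service under one of these accounts (host name assumed).
Set-ServiceAccountPasswordPolicy
Get-ServiceAccountInteractiveLogons -ComputerName 'APP-SRV-01' | Format-Table -AutoSize
```

Denying interactive logon itself is a user right ("Deny log on locally" and "Deny log on through Remote Desktop Services") set through Group Policy on the target hosts rather than through the AD cmdlets, so the second function is the control that tells you whether that policy is actually in force: every row it returns is either a policy gap or a misuse of the account to raise with the owner and the SOC team.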
Optional proposals for the implementation of other applications
AD security can be enhanced with additional software, such as:
- MFA: Multi-Factor Authentication requires more than one factor, typically a password plus a code or prompt on a mobile phone, and identifies users far more reliably than a password alone. It is recommended wherever a service account is used by a human, for example an administrator logging on with it. For purely non-interactive service accounts it is rarely feasible in practice, which is one more reason to keep their passwords long and their logon rights narrow.
- For organisations subject to stricter legal requirements, an identity and access management (IAM) solution is also worth considering.
Crucial steps in the remediation process
Identifying accounts and assigning them to owners is the crucial step in the process. The next step is to talk to the owners identified, as they are best placed to say what the account is used for. The information gathered in this way is then used to decide the fate of each account.
Even after gathering preliminary information, an owner may not remember every function of their account. It is therefore worth grouping the changes by purpose and staggering them in time, so that if something breaks it can be traced to a specific change and fixed promptly.
A key to the effectiveness of the process is regular communication not only with the account owners but also with the relevant managers. Stakeholders should be informed in a way that helps them understand the value the process adds, so that management can support it with their organisational knowledge. Throughout the process, stay in constant contact with the stakeholders involved in the current step.
Hint: the company should have a plan for the ongoing handover of accounts belonging to employees who leave.
If you are interested in our Active Directory security service, do not hesitate to contact us!
Date: 6. March 2023 | Topic: IT security
The above summary is provided for information purposes only. We recommend that you consult our experts before making any decision based on this information.
Nexia International is a network combining the expertise and experience of nearly 320 independent tax consulting and audit firms from over 100 countries worldwide and is ranked as the 10th largest such network in the world.