Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Active Directory. Show all posts
Zero Trust
Active Directory Authentication Compromised Passwords Cyber Security Cybersecurity Least Privilege Multi-factor authentication Network Security Password Security Security Zero Trust

Implementing Zero Trust Principles in Your Active Directory

 

In the past, many organizations relied on secure perimeters to trust users and devices. However, this approach is no longer viable with the geographical dispersion of workers and the need for access from various locations and devices. End-users now require access to corporate systems and cloud applications outside traditional work boundaries, expecting seamless and fast authentication processes.

Consequently, numerous organizations have adopted a zero-trust model to verify users accessing their data, recognizing Active Directory as a critical component of network authentication. Ensuring the security of credentials stored within Active Directory is paramount, prompting the question of how zero trust principles can be applied to maintain security.

The zero trust model, characterized by the principle of "never trust, always verify," requires authentication and authorization of every user, device, and network component before accessing resources or data. Implementing this model involves constructing a multi-layered security framework encompassing various technologies, processes, and policies.

One fundamental step in securing Active Directory environments is enforcing the principle of least privilege, which restricts privileges to the minimum necessary for individuals or entities to perform their tasks. This mitigates the risks associated with privileged accounts, reducing the potential impact of security breaches or insider threats.

Implementing a zero trust model also entails granting elevated privileges, such as admin rights, only when necessary and for limited durations. Techniques for achieving "just-in-time" privilege escalation include the ESAE (Red Forest) model and temporary admin accounts.

Additionally, employing multi-factor authentication (MFA) for password resets enhances security by adding extra layers of authentication beyond passwords. This mitigates vulnerabilities in password reset processes, which are often targeted by hackers through social engineering tactics.

Moreover, scanning for compromised passwords is crucial for enhancing password security. Despite the implementation of zero trust principles, passwords remain vulnerable to various attacks such as phishing and data breaches. Continuous scanning for compromised passwords and promptly blocking them in Active Directory helps prevent unauthorized access to sensitive data and systems.

Specops Password Policy offers a solution for scanning and blocking compromised passwords, ensuring network protection from real-world password attacks. By integrating such services, organizations can enhance their password security measures and adapt them to their specific needs.

Solutions like Specops Software provide valuable tools and support through demos or free trials for organisations seeking to bolster their Active Directory security and password policies.
Read more »
Vulnerabilities and Exploits
Active Directory Application Security Threat Intelligence User Privacy User Security Vulnerabilities and Exploits

Enterprise Attack Surface Widening Access Control Gap in Microsoft Active Directory

 

Users in Windows environments may be able to access domains other than those for which they are authenticated due to a security flaw in Microsoft's Active Directory (AD) service that IT administrators may not be aware of. 

The majority of Windows domain-type networks come pre-configured with AD, Microsoft's all-purpose identity management tool for authenticating computers, printers, users, and virtually anything else taking part in an IT environment. According to Frost & Sullivan, tens of thousands of businesses use the service, including 90% of the Global Fortune 1000 corporations.

By using AD to manage authentication across a domain, network administrators may ensure that only authorised users can access the resources that have been assigned to them. 

Nevertheless, Charlie Clark, a security researcher at Semperis, described how a user might circumvent AD's security measures and access domains for which they were not specifically given permission in a study released on March 14. He says that by doing so, an attacker's "attack surface" is greatly enlarged. Obviously, the larger the attack surface, the more likely it is that an attacker will discover an exploitable bug. 

The transitive property of mathematics states that if a = b and b = c, then a = c. In AD, if domain A connects to domain B and domain B links to domain C, domains A and C may or may not be able to access one another depending on whether they share a "transitive trust." According to Microsoft's website, "transitivity controls whether a trust can be extended outside of the two domains with which it was built." 

An external trust—a manually created, nontransitive form of trust in AD—could exist between two domains belonging to two different organisations. The problem, according to Clark, is that one firm can utilise external trust to access sister domains that are part of the same group (referred to by Microsoft as a "forest") as the second, even if no formal external trust has been established for those domains. 

"An authorised user from one domain would only be able to target the precise domain they've established a trust with," as per Clark, assuming what we believed about non-transitive trusts were accurate. They wouldn't be able to go to other domains outside of the forest." 

As opposed to this, "every account within the trusted domain will be able to authenticate against any domain throughout the whole forest in which the trusting domain resides," he stated in his research. 

A malicious user who learns how to move about a forest at will can gain access to things like accounts and data that they shouldn't be able to find.

Clark claims that because it is so simple to take control of one domain inside a forest, it "allows an attacker to have a significantly bigger attack surface from any low-privileged user on a trusted domain." 

On May 4, 2022, Clark informed Microsoft of his initial findings. In an email on September 29, Microsoft stated that "According to our assessment, this submission does not constitute a security issue for servicing. This research doesn't seem to point out any flaws in Microsoft products or services that could allow an attacker to compromise their integrity, accessibility, or confidentiality." The business then concluded the investigation. 

Trust: Why it matters 

Clark spent more than 15 years working as a systems administrator and six years as a pen tester. Every medium-sized to major infrastructure or business I've worked with has had external trusts, he asserts. He claims that if extra safeguards aren't in place, the majority of AD's clients are most likely at risk right now. 

Clark advises administrators to delete all external trusts in order to safeguard against this type of access control misuse in addition to Microsoft's suggestions. The next best thing is to keep track of which users are accessing what if this is not achievable. 

Awareness is ultimately the most crucial factor. A false sense of security could otherwise cause administrators to make mistakes. People can tell that the risk is larger for a trustworthy domain. So they might put more security in place for that domain, Clark says, but they might not put the same level of security in place for the other domains in the forest even though the risk is identical. 

"I think the main thing is to make system admins aware that this is possible," Clark concluded. By knowing this, "they can harden the rest of the domain sufficiently."
Read more »
User Safety
Active Directory cyber attack Data Privacy malware null User Safety

Evil Colon Attacks: A Quick Guide

 

The high-tech era has made the emergence of new cyber attacks more common than social media trends. One such case of a rapidly evolving threat is the Evil-Colon attack, which shares similarities with Poison-NULL-byte attacks. Despite the fact that poison-NULL-Byte attacks are now non-functioning, it has been suggested that they could have led to new versions of hacking and malware on your systems in case of inappropriate handling. 

In one of his articles, Leon Juranic, a security researcher at Mend, detailed his encounter with the Evil-colon attack. He mentioned that during auditing a source code he discovered a case where an Evil-Colon could be used to evade the path sanitization process. By using novel strategies, the threat actors were able to exploit the vulnerabilities in applications running on Windows operating systems. The analysis concluded that as Evil-Colon is a specific issue in windows-based services, it is more likely to affect any Windows servers. 

When applications or servers use path-based operations, such as using user input when forming the file path, the information stored in that file can be modified by external code flows, which can cause severe security issues like arbitrary data injection, etc. Leon illustrated the working of Evil-Colon with the example of the Java application WriterFile.jsp source code. 

He stated that the working of Evil-Colon includes creating a file in the directory whereas, with sanitization, the new files will append .txt. After passing a colon character at the end of the user’s input, the file gets created as an Altered Data Stream with an arbitrary file extension. 

Later the file is again created in the directory, but as a colon character was added at the end of the filename and it stripped off the rest of the filename string into Alternate Data Stream, the file is recreated with the .jsp extension. 

He furthermore described how the possibility of altering the files that are created earlier in the applicating workflow can lead to serious security threats. When malicious actors can edit the existing files later in code, it will also allow them to modify the .jsp file content into anything they want. On further searching of the modified file in-depth, you will find a string named EVIL-CONTENT. 

Leon concluded his example by warning that, in real-world scenarios, JSP webshell scripts can allow threat actors to remotely execute codes on vulnerable servers or applications. 

To protect your files and data from the Evil-Colon attacks, it is important to remove colon characters from any possible path operations. The elimination of colon characters can be done by using filters, string check operations, etc.
Read more »
User Sceurity
Active Directory Cyber Security password hack Password Manager User Sceurity

New Specops Password Policy Detects and Blocks in User's Active Directory

 

Specops Software, a password manager, and authentication solutions vendor published a new report this week explaining how the company’s breached password protection policy can spot over 2 billion known breached passwords in users' Active Directory. 

Specops Breached Password Protection offers a service that scans a user’s Active Directory passwords against a dynamically updated list of vulnerable passwords. The list contains over 2 billion passwords from known data leak incidents as well as passwords used in real assaults happening currently. 

Specops also restrict users from designing passwords vulnerable to dictionary assaults by blocking commonly employed passwords. During a password change, the password scanner blocks any passwords identified in the database with a dynamic response for end-users. Additionally, it designs a custom dictionary containing potential passwords relevant to users work place, including firm names, locations, services, and relevant acronyms. 

According to security analysts at Specops, password attacks work because users set predictable passwords. When asked to set a complex password, users employ familiar steps that attackers can easily crack. For example, starting with a common word, followed by a number and/or special character. The length of the password is also very defensive. 

Specops scanned over 800 million known exploited passwords, up to 83% of passwords were present in vulnerable password databases meaning they were unable to meet regulatory password standards. To finalize the result, security analysts compared the construction rules of 5 different standards against a dataset of 800 million exploited passwords. 

“You can install Specops Password Auditor on any workstation that’s joined to your Active Directory. From the outset, you can download a database from us, which is updated every three months, based on the biggest leaks that have happened in that three-month period, plus the most common hits against our master database, Darren James, password and authentication analyst from Specops explained.

The database downloaded by the user consists of over 800 million of the most commonly breached and leaked password hashes, while our master database, updated daily, contains 2.6 billion hashes. You can export reports showing the results into a script or document to send to members of your organization. From here, Password Policy helps to solve the problem by eliminating breaches and weak passwords and ensuring that passwords are compliant.” 
Read more »
Misconfigurations
Active Directory Cyber Security Microsoft Misconfigurations

Seven Common Microsoft Active Directory Misconfigurations

 

The modern IT association has a wide assortment of responsibilities and competing priorities. Therefore, cybersecurity is regularly ignored for projects that quickly affect business operations. Sadly, this working model unavoidably prompts unaddressed vulnerabilities and security misconfigurations in services and Active Directory. Seven of the most common system and Active Directory misconfigurations are:

Misconfiguration 1: Administrative Privileges 
When an attacker has gotten initial access inside an environment, the adversary will endeavor to lift privileges inside the network. Adversaries ordinarily have the objective of getting Active Directory Domain Administrator privileges, or, in simple words, complete control over the Active Directory domain.  

Misconfiguration 2: Network Shares
Network shares give plentiful freedom to an assailant to elevate privileges within a network. For instance, in a past red team assessment, CrowdStrike recognized an unprotected network share that contained a writable IIS webroot. This permitted CrowdStrike to write a web shell to the webroot as a standard domain user and along these lines acquire code execution as the IIS process proprietor on the webserver. 

Misconfiguration 3: Service Accounts with Weak Passwords 
Adversaries will hope to elevate their privileges inside a network by compromising the credentials of privileged accounts. It is normal for service accounts to be conceded administrative privileges to different hosts in an Active Directory environment. Kerberoasting is an assault technique that endeavors to acquire plaintext passwords from service account Kerberos tickets. One approach to assign service accounts is through an attribute called a service principal name (SPN), which attaches a service to a user account. 

Misconfiguration 4: Services Running on Hosts with Multiple Admins 
Although plaintext and hashed credentials might be stored inside the memory of processes like LSASS, most current endpoint detection and response (EDR) solutions intensely monitor and forestall credential access through these processes. An alternative method for credential access exists when services are arranged to run under a client account. Passwords for these accounts can be extracted by any local administrator. 

Misconfiguration 5: Aged Accounts 
As an attacker, aged accounts or accounts with no password expiration policy make ideal targets for adversaries hoping to keep up long haul admittance to an environment. Aged accounts infer to an attacker that password rotation for the client account is either very troublesome or not executed for a specific explanation, for example, shared access among multiple users. 

Misconfiguration 6: Passwords, Passwords, Passwords 
While other misconfigurations permit adversaries to acquire unapproved admittance to network resources and hosts utilizing a solitary compromised account, credential related assaults compromise additional accounts that might be utilized to further an adversary’s actions on objectives. Three routes normally utilized by attackers are distinguishing plaintext passwords, frail passwords with deficient lockout periods, and password reuse. 

Misconfiguration 7: Legacy Systems 
Assailants target legacy systems because of the unpatched critical vulnerabilities that affect them. EternalBlue (MS17-010) and BlueKeep (CVE-2019-0708) are favorite vulnerabilities that are focused on legacy systems as successful exploitation brings about code execution with regards to the system account, giving the assailant complete control of the vulnerable system.
Read more »
Subscribe to: Posts (Atom)