Rapid Risk Assessment - Analysis of Active Directory Services

Rapid Risk Assessment

Analysis of Active Directory Services

Andrea Covello
by Andrea Covello
on February 16, 2017
time to read: 9 minutes

In my work as security consultant I’m involved in security architecture reviews and assessments. They are sometimes limited on single application other times it may involve the whole DMZ implementation or a complex framework. The goal is to evaluate the risks and propose strategies to mitigate them. But as in real life, seldom the analyzed assets are isolated from the environment. That’s why we need to define scopes to limit effort and costs, but sometimes it just doesn’t feel right. Imagine a security review/assessment of an application/service that is integrated within the Active Directory Services (ADS): How can I provide conclusive results without assessing the ADS architecture & concepts?

Role of Active Directory

Unless you’re not on a complete non-Windows environment, you have to deal with ADS – In my 20+ years of Cybersecurity services I’ve seen very few environments that didn’t. ADS is almost omnipresent and plays a central role not only in authentication. My first question on such assessment usually is: “What happens when the ADS is down?” Most people answer that the ADS is redundant and high-available and in turn I say: “Well, I didn’t speak of server disruption, I meant – what if the AD is malfunctioning, corrupted or just not available – How will your business process be affected?” Usually at this stage most people realize the impact. The network may be up and running, the storage services available and even the virtual or physical infrastructure (VDI, servers, workstations) working and still you may not be able to access your workstation, check for your email.

Rapid Risk Assessment

The ADS is a critical target, by now you’ll agree that that the Cybersecurity posture of the ADS will affect any application or solution that relies on it, therefore we always suggest to also reviewing the ADS implementation for cybersecurity risks. Still, there is an issue: Normally an ADS assessment would require at least 5 days effort. You see the problem on hitting the budget.

Therefore we came with a different approach: Adapting the NIST Cybersecurity Framework for our Risk Assessment. The CSF approach is explained in this picture:

NIST CSF Lifecycle

Security is a process: It starts with the identification of our critical assets and its related governance, going further to implementing controls to protect and detect cybersecurity events, and (to complete the cycle) you’ll need to have procedures and processes to respond during and recover after cybersecurity events. Our Rapid Risk Assessment is following this schema to establish information about the security controls available in each area and its maturity level.

To achieve the time-frame restriction the assessment is mainly based on interviews with ADS key stake holders and on automated information gathering (using scripted tools). Those steps should gave enough information to be analyzed and documented in 2 days.

ADS Security Categories

Following categories will be of interest when assessing the Active Directory Security Controls:

Category Subcategories CSF Area
Risk AssessmentBusiness Impact Analysis, Data Classification, Infrastructure Impact AnalysisIDENTIFY
Architecture DesignTopology, Forest, Domain, Site, DC, FSMO, DNS, ClientsIDENTIFY
Extended ServicesCertificate, Federation, Rights Management (DRM)IDENTIFY
IntegrationExchange, Skype (UC), Sharepoint, Hyper-VIDENTIFY
AuthenticationLocal, Remote, PrivilegedPROTECT
AdministrationLocal, Remote, Service ProvidersPROTECT
Group PoliciesDesign, Testing, OperationPROTECT
System HardeningBaseline, Firewall, Integrity CheckPROTECT
Client AccessLocal, Remote, Service ProvidersPROTECT
Protocol EncryptionLDAP, Global Catalog, Kerberos, SMB PROTECT
Life-CyclePatching, Change-Management, BackupPROTECT
Logging & AuditPolicies, Collection, Archiving, NormalizationDETECTION
MonitoringNetwork Monitoring, Intrusion Detection, Security Monitoring, Vulnerability Management DETECTION
Incident Response ManagementADS Process & ProceduresRESPONSE
ADS RecoveryObject Restore, Function Restore, CA Certificate Restore, ADS Disaster RecoveryRECOVER

The ADS assessment will analyze each category and report a risk level based of the information gathered during the process. Key effort of this approach is to understand the avenues for establishing a healthy ADS, implementing monitoring systems, reducing the attack surface and managing a resilient environment.

Execution and Deliverables

To give a rough figure of the required efforts, this table will give you a quick overview:

Effort What Note
3hInterview with key stakeholdersPlanned initial 2h interview – 1h as contingency and further clarification
1hRequest for ADS configuration & documentation Export GPO from DC & clients – Get available documentation
4hAutomated AD information gatheringRequires a windows workstation with read privileges to the AD and a running PowerShell environment, to run our scripts
4hData AnalysisWhere the magic happens… ;)
4hReportingFill the issues on a predefined Template

Now an overview on the deliverables, this is how the report may looks like in the overall survey matrix:

Rapid Security Assessment ADS Overview

And this is how a finding may look like:

Rapid Security Assessment ADS Finding

Conclusion

The Rapid Risk Assessment approach will not find all possible issues inside your ADS, but will surely point you in the right direction and highlight major gap that may harm your environment. Probably the final results would recommend investing more time in a specific category inspection, but at least you’ll spend precious time and resources in the most effective way.

About the Author

Andrea Covello

Andrea Covello has been working in information security since the 1990s. His strengths are in engineering, specializing in Windows security, firewalling and advanced virtualization.

Links

You want to test the security of your firewall?

Our experts will get in contact with you!

×
Password Leak Analysis

Password Leak Analysis

Marc Ruef

WebSockets

WebSockets

Michael Schneider

Online Tracking

Online Tracking

Ralph Meier

Deepfake Audio Text to Speech

Deepfake Audio Text to Speech

Andrea Hauser

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here