Semperis publishes study on the state of Active Directory security
Organizations of all sizes and industries are failing to address Active Directory (AD) weaknesses that leave them exposed to cyberattacks, according to a survey of IT and security managers who have deployed Purple Knight, the free assessment tool from Semperis. Companies scored an average of 68% across five AD security categories, a middling result. Large organizations fared worse still, averaging 64%, which suggests that the difficulty of securing AD alongside legacy applications and complex environments grows with the size of the organization.
AD Security Vulnerabilities
Microsoft Active Directory (AD) was a revolutionary technology when it launched with the Windows 2000 Server operating system, and it still underpins much of today's hyperconnected world of work. AD prevailed over every other directory for one main reason: it was open. That openness and ease of integration are why AD remains core infrastructure for 90% of companies today. Its greatest strength 21 years ago, however, has become its most worrying weakness.
Consider that an attacker holding any non-privileged AD account can read almost every object and attribute in the directory, including permissions, and can therefore locate computer accounts configured for unconstrained Kerberos delegation in any domain of the forest. The only identity required for this reconnaissance is an ordinary domain user, and the read access it grants is AD's default behaviour, not a misconfiguration. That is why the openness AD was designed around has turned into a liability.
With the network perimeter gone, identity has become the last line of defense against cyberattacks.
Researchers at Mandiant recently reported that 90 percent of the incidents they investigate involve AD in one form or another. Some of the largest recent breaches involving AD are SolarWinds, Hafnium and the Colonial Pipeline attack, all of which made headlines for their scale and for the disruption caused by the resulting AD outages.
Semperis is a pioneer in managing and protecting identities in hybrid enterprise environments and specializes in securing AD. Last year it released Purple Knight, a free AD security assessment tool, and today it publishes results drawn from 1000 IT and security leaders who have deployed it.
Key findings:
- Organizations averaged 68% overall across five Active Directory security categories: AD delegation, account security, AD infrastructure security, Group Policy security and Kerberos security. That is a barely passing grade.
- Large organizations performed worse, averaging 64%, suggesting that securing Active Directory becomes harder as legacy applications and environment complexity accumulate.
- Organizations reported their lowest scores in account security, which covers settings on individual accounts, such as privileged accounts whose passwords never expire.
- Insurance companies reported the lowest overall scores (55%), followed by healthcare (63%) and transportation (64%).
- Transportation companies reported particularly poor results for Group Policy security (36%) and account security (46%).
- Public infrastructure operators scored highest overall (71%), followed by government agencies (70%).
Respondents cited a range of reasons for downloading the assessment tool, including a rise in attacks in their industry, organizational mandates and remediation after a breach. Many said they were very surprised by the results of their Purple Knight reports.
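The two weaknesses singled out above, computer accounts with unconstrained delegation (discoverable by any domain user) and privileged accounts whose passwords never expire (the worst-scoring account-security category), can both be enumerated with a plain LDAP query. The following PowerShell is an added example written for this page; it is not code from the Semperis article or from Purple Knight. It assumes the RSAT ActiveDirectory module for the live query, and the sample objects, host names and account names are constructed for illustration.

```powershell
# Added example, not part of the Semperis article or of Purple Knight.
# Finds two of the weaknesses the text describes, using only the read access that every
# authenticated domain user has by default:
#   1. computer accounts with unconstrained Kerberos delegation
#   2. privileged user accounts whose password never expires
# userAccountControl is a bit field; the LDAP matching rule 1.2.840.113556.1.4.803 is a
# bitwise AND, so the filter matches when the named bit is set.
$TRUSTED_FOR_DELEGATION = 0x80000   # 524288, unconstrained delegation
$DONT_EXPIRE_PASSWORD   = 0x10000   # 65536, password never expires
$DOMAIN_CONTROLLERS_RID = 516       # primaryGroupID of domain controllers

# Domain controllers carry TRUSTED_FOR_DELEGATION by design; exclude them so the
# result lists only member servers and workstations that were configured this way.
$UnconstrainedFilter = "(&(objectCategory=computer)" +
    "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
    "(!(primaryGroupID=$DOMAIN_CONTROLLERS_RID)))"

# adminCount=1 is stamped by the AdminSDHolder process on members of protected groups
# (Domain Admins, Administrators, ...), so it is a cheap proxy for "privileged".
$PrivilegedNoExpiryFilter = "(&(objectCategory=person)(objectClass=user)(adminCount=1)" +
    "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))"

function Test-UacFlag {
    param([int]$UserAccountControl, [int]$Flag)
    ($UserAccountControl -band $Flag) -eq $Flag
}

# The same classification applied client-side, so the logic can be checked against
# constructed data before it is pointed at a live domain.
function Get-AdFinding {
    param([Parameter(ValueFromPipeline = $true)] $Object)
    process {
        $uac = [int]$Object.userAccountControl
        if ($Object.objectClass -eq 'computer' -and
            $Object.primaryGroupID -ne $DOMAIN_CONTROLLERS_RID -and
            (Test-UacFlag $uac $TRUSTED_FOR_DELEGATION)) {
            [pscustomobject]@{ Name = $Object.Name; Finding = 'Unconstrained delegation' }
        }
        if ($Object.objectClass -eq 'user' -and
            $Object.adminCount -eq 1 -and
            (Test-UacFlag $uac $DONT_EXPIRE_PASSWORD)) {
            [pscustomobject]@{ Name = $Object.Name; Finding = 'Privileged account, password never expires' }
        }
    }
}

# Constructed sample objects (hypothetical names and values) so the script runs offline.
$Sample = @(
    [pscustomobject]@{ Name = 'DC01$';      objectClass = 'computer'; userAccountControl = 0x82000; primaryGroupID = 516; adminCount = $null }  # DC, excluded
    [pscustomobject]@{ Name = 'APPSRV01$';  objectClass = 'computer'; userAccountControl = 0x81000; primaryGroupID = 515; adminCount = $null }  # finding
    [pscustomobject]@{ Name = 'WS01$';      objectClass = 'computer'; userAccountControl = 0x1000;  primaryGroupID = 515; adminCount = $null }  # clean
    [pscustomobject]@{ Name = 'svc_backup'; objectClass = 'user';     userAccountControl = 0x10200; primaryGroupID = 513; adminCount = 1 }      # finding
    [pscustomobject]@{ Name = 'jdoe';       objectClass = 'user';     userAccountControl = 0x10200; primaryGroupID = 513; adminCount = 0 }      # not privileged
    [pscustomobject]@{ Name = 'admin2';     objectClass = 'user';     userAccountControl = 0x200;   primaryGroupID = 513; adminCount = 1 }      # password expires
)
$Sample | Get-AdFinding | Format-Table -AutoSize

# Against a real domain: needs the RSAT ActiveDirectory module and any domain account,
# privileged or not. The filters do the work server-side; Get-AdFinding re-checks locally.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $props = 'userAccountControl', 'primaryGroupID', 'adminCount'
    Get-ADObject -LDAPFilter $UnconstrainedFilter -Properties $props | Get-AdFinding
    Get-ADObject -LDAPFilter $PrivilegedNoExpiryFilter -Properties $props | Get-AdFinding
}
```

Two caveats when reading the output. Excluding primaryGroupID 516 drops domain controllers, which legitimately hold the delegation flag; any remaining hit is a host whose compromise lets an attacker collect forwarded TGTs from every user that authenticates to it. And adminCount=1 is a proxy rather than proof of privilege: AD does not clear it when an account leaves a protected group, so a hit should be confirmed against current group membership before it is reported.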
The study also found that:
- Misconfigurations are increasing in organizations with outdated Active Directory implementations
- Organizations are struggling with a lack of Active Directory expertise
In a recent report by 451 Research, analyst Garrett Bekker says: "Directory services are at the heart of most companies' IT strategies and as such have become mission-critical assets that can have serious consequences if compromised – as we learned from the now infamous SolarWinds supply chain attack and the Hafnium attack on Microsoft Exchange."
Mickey Bresman, CEO of Semperis, says of the report: "We have seen that many companies do not have a good understanding of the attacks on Active Directory that attackers can use against them. We wanted to offer security teams without extensive AD expertise a way to understand their AD security posture, and then close all existing gaps so that attackers do not use them against them."