Veiled Vulnerability with AD
Today, vulnerabilities are present throughout the environment. Some are blatant, such as malicious websites, and others are better camouflaged, such as phishing and ransomware. Viewed another way, these vulnerabilities may be external. Attackers across the globe share one mission: to attack you and compromise your systems. They are actively completing their reconnaissance, gauging what data could be stolen, or analyzing the odds of a successful ransomware attack. The data with value may be the client list, the employee listing, banking information, healthcare records, and many other sources of data. The internal version of this comes from the business's own employees, who may inadvertently or negligently click on malicious websites or links, creating the opportunity for ransomware or scareware to infect the system. Through this door, opened by the unsuspecting employee, attackers could abscond with trade secrets, CAD schematics, or new technology.
To alleviate these issues to some extent, there are ample, well-utilized remediation techniques, including scanning for vulnerabilities and malware, log management, third parties conducting pentests and vulnerability assessments, SIEM applications, log acquisition and analysis tools (e.g. Splunk), and many other options. There is, however, one area that is also pertinent but has not garnered the attention the other defensive measures have. Simply managing this area well is another tool for securing the enterprise.
Active Directory (AD)
AD is in use, in one form or another, in most medium- and larger-sized businesses. The application is exceptionally useful and functional. It may be used with employees, with a combination of employees and hardware, for tracing, and for a number of other purposes. If it is not fully used, the administrators are not actively using all of its capabilities.
With AD, normal usage includes setting up the new employee or making adjustments to the employee's record as needed. Each person's role in the organization is different, and this directly determines the person's responsibilities as part of their job. As each person has a unique role in their group, the same set of rules should not be applied to everyone. Granted, applying a boilerplate set of rules to everyone, or to all employees except the C-level, is quicker and easier; however, this would be mostly ill-advised. As much as reasonably possible, these rules should be narrowed per group. When this general rule is not applied, the administrator is allowing the staff member to complete unauthorized tasks, to escalate privileges, and to create a greater level of risk by their own actions. There is no need to make this more difficult than it already is.
People occasionally leave their position, either voluntarily or because they are provided the opportunity to seek other employment immediately. A number of high-profile actions tend to be taken directly thereafter, especially when the person is leaving at the business's choice. These may include securing the ID card, access card, corporate credit card, corporate-issued phone, and corporate email, all of which may contain sensitive and confidential information that needs to be kept that way. In a much more mundane scenario, the person may simply change position. In this case, the employee may not need the same access, and adjusting that access to the appropriate level helps limit data loss.
Often, regardless of the person's underlying rationale for the position change, the person's AD account may not be thought of as a point to check and modify. There may be no checklist or other template to remind management and support staff to review all affected areas.
Leaving the prior employee's set of AD access in place also has other issues. The prior employee may retain rights to services they should not have. Future staff members may review the AD entry and believe, through no fault of their own, that this person is still an active employee. The business may also be examined or audited. This becomes an issue when the current employee list from Human Resources is compared to the AD list, which shows a person whose last login was two years in the past, when they were actually still an employee. The auditor may view this as indicative of a systemic issue, requiring further reviews.
The IT world is amply busy and complex in its own right without adding more issues that require time and resources to remediate. Not adjusting AD as employee changes take effect is not a great choice to make. This is a quick area to mitigate, and doing so as needed can save a significant amount of time.
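The review the article calls for (enabled AD accounts that no longer match the HR employee list, or that have not logged on in a long time) can be run as a report before any cleanup. The script below is an added example, not the author's own tooling; it assumes the RSAT ActiveDirectory module, an HR export at an assumed path with a SamAccountName column, and an assumed 90-day inactivity threshold.

```powershell
# Added example: report enabled AD users who are missing from the HR active list
# or have not logged on within the threshold. Remediation is a dry run (-WhatIf).
Import-Module ActiveDirectory

$HrListPath = 'C:\Audit\hr_active_employees.csv'   # assumed path to the HR export
$StaleDays  = 90                                     # assumed review threshold
$Cutoff     = (Get-Date).AddDays(-$StaleDays)

# Logon names HR considers current, keyed for fast lookup.
$HrAccounts = @{}
Import-Csv -Path $HrListPath | ForEach-Object {
    $HrAccounts[$_.SamAccountName.ToLower()] = $true
}

# Disabled accounts are already contained; only enabled ones matter here.
# LastLogonDate comes from the replicated lastLogonTimestamp, which can lag
# by up to about 14 days, acceptable for a 90-day review.
$Users = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate

$Findings = foreach ($u in $Users) {
    $name   = $u.SamAccountName.ToLower()
    $reason = $null
    if (-not $HrAccounts.ContainsKey($name)) {
        $reason = 'Not on HR active list (possible leaver)'
    } elseif ($null -eq $u.LastLogonDate) {
        $reason = 'Never logged on'
    } elseif ($u.LastLogonDate -lt $Cutoff) {
        $reason = "No logon since $($u.LastLogonDate.ToShortDateString())"
    }
    if ($reason) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            LastLogonDate  = $u.LastLogonDate
            Reason         = $reason
        }
    }
}

# Keep the evidence for the audit trail and review it with the account owners'
# managers before acting; disabling is reversible, deletion is not.
$Findings | Sort-Object Reason, SamAccountName | Format-Table -AutoSize
$Findings | Export-Csv -Path 'C:\Audit\ad_stale_accounts.csv' -NoTypeInformation

# Dry run: shows which leaver accounts would be disabled. Remove -WhatIf only
# after the list has been confirmed.
$Findings | Where-Object Reason -like 'Not on HR*' |
    ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Service accounts and shared mailboxes will appear as "Not on HR active list" by design, so exclude their OU or tag them in the HR export before treating the remaining hits as leavers.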
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.