Identity Security Part 2 – Active Directory Hardening and Identity Hygiene
Morgan Holm
Aug 22, 2023
The “Identity Security Part 1 – Why It’s Essential” blog examined why identity security is a key component of any cybersecurity strategy. This post will cover what you can do to protect your digital identities.
Minimize The Attack Surface
Understanding Active Directory (AD) entitlements is key to keeping your identities secure. To reduce the risk of compromise and limit lateral movement, delegated AD security should be implemented through separation of duties and based on the principle of least privilege. The result should be that users have only the rights they need, and only on the data they need, to do their jobs. Reducing the number of accounts with unrestricted or overly broad access minimizes the attack surface.
Find High-Risk Permissions
Organizations also need to look for and fix high-risk permissions. These include the items identified in MITRE ATT&CK mitigations and MITRE D3FEND countermeasures for AD. Beyond these or other security frameworks, you must also look for commonly misconfigured permissions, such as the “Everyone” group holding Full Control. You also need to validate who can perform sensitive AD operations, such as modifying Domain Controllers and changing FSMO roles, among others. These permissions should be restricted to Tier 0 accounts.
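As an added example (not Cygna Labs or ESAD code), the following PowerShell audit reads the domain's DACLs and reports two of the high-risk permissions described above: who holds the directory replication extended rights on the domain naming context (the rights behind DCSync), and where broad principals such as “Everyone” or “Authenticated Users” hold control-level rights on OUs and containers. It assumes RSAT's ActiveDirectory module and read access to the directory; the list of broad principals is an assumption you should adjust for your environment.

```powershell
# Added example, not Cygna Labs / ESAD code. Read-only: it inspects ACLs and changes nothing.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName

# Well-known extended-right GUIDs (Microsoft-documented) that together allow replication of secrets.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'   # empty GUID = every extended right

# Assumption: low-trust principals that should never hold control-level rights on AD objects.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON')
$ControlRights   = 'GenericAll|WriteDacl|WriteOwner'

function Get-DomainReplicationGrantees {
    # Every Allow ACE on the domain object that grants a replication right, explicitly or implicitly.
    $acl = Get-Acl -Path ("AD:\" + $DomainDN)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $key = $ace.ObjectType.ToString().ToLower()
        if ($ReplicationRights.ContainsKey($key)) {
            [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Right = $ReplicationRights[$key] }
        } elseif ($key -eq $AllExtendedRights -and $ace.ActiveDirectoryRights -match 'ExtendedRight|GenericAll') {
            # GenericAll or "all extended rights" silently includes both replication rights.
            [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Right = 'All extended rights (implicit)' }
        }
    }
}

function Find-BroadControlAces {
    # Every domain, OU or container object where a broad principal has control-level rights.
    $filter  = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'
    $objects = Get-ADObject -LDAPFilter $filter -SearchBase $DomainDN
    foreach ($obj in $objects) {
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $ace.IdentityReference.Value -and
                $ace.ActiveDirectoryRights -match $ControlRights) {
                [pscustomobject]@{
                    Object    = $obj.DistinguishedName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights.ToString()
                }
            }
        }
    }
}

Get-DomainReplicationGrantees | Format-Table -AutoSize
Find-BroadControlAces        | Format-Table -AutoSize
```

Anything in the first table beyond the Domain Controllers groups and the Tier 0 administrative groups, and any row at all in the second table, is a finding to review and remediate.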
Identity and Entitlement Hygiene
Regular examination of identities and entitlements is needed to ensure that the principle of least privilege (PoLP), separation of duties, and hardening of permissions remain current. Group membership is especially important, as groups are used to assign resource permissions. This is not a one-and-done process; it needs to be performed on an ongoing basis to keep your identities secure.
Cygna Labs Entitlement and Security for Active Directory
Cygna Labs Entitlement and Security for Active Directory (ESAD) provides the ability to gather and report on AD entitlements and group membership. You can search and report on the latest collection or on a historical point-in-time collection. ESAD shows you where a user or group has rights in the environment so you can:
• Verify appropriate permissions for the user’s role
• Ensure permissions have been revoked when moving roles or leaving the organization
• See the “blast radius” of where an impacted user or group has permissions if it were, or could be, compromised
ESAD also allows you to examine and report on groups to:
• See who is a direct and/or nested member of the group based on most recent or historical values
See high-risk permissions such as:
• Principals that can modify Domain Controllers
• Principals that can perform a DCSync attack
• The “Everyone” group with Full Control permissions
Show the permissions set on an object:
• Display permissions in a simplified matrix or drill down to see details
• See the true effective permissions on AD objects
Entitlement and Security for Active Directory increases your identity security by providing the information needed to harden AD and maintain entitlement hygiene. See it for yourself in a demo or evaluate it in a POC: contact sales@cygnalabs.com today.