5 Riskiest AD Service Account Misconfigurations

EM360 TECH

Published on
Thu, 06/30/2022 - 09:50

Article contributed by Alexandra Weaver, Solutions Architect, Semperis 

Security gaps in Active Directory can lurk in many areas, but service account misconfigurations are among the riskiest. Be on the lookout for these five troublemakers, all of which relate to Active Directory service accounts—user accounts set up to run particular applications or services on Windows devices. 

1. Weak service account passwords 

 In Active Directory, admins can set up different types of user accounts with the necessary permissions, access, and roles

For service accounts, its usually the case that everybody knows the password, or nobody knows the password … because the person who set up the account has left the company. Adding insult to injury, when admins reset a service account password, they do so with a mediocre-strength password. 

The risk here is Kerberoasting: one of the most pervasive and effective attacks against Active Directory. Bad actors use this attack method to crack a Kerberos hash using brute-force techniques. 

In the right circumstances, the attacker can get the service account’s password hash because account hygiene is poor, take it offline, and crack it, giving the attacker the rights to sign in as that service account. From there, the attacker can further infiltrate the environment. 

It takes just one time and just one account, and it all comes back to weak passwords. Strong passwords are the first line of defense. That’s why Semperis’ Director of Services, Sean Deuby, says that for service accounts, it’s critical to generate “really crazy, hairy, long, highly entropic passwords” that hackers will likely never be able to crack. 

2. Admin service accounts with old passwords 

Active Directory administrator passwords that are not changed frequently leave organisations open to brute-force attacks. 

Administrators need a change in mindset as administrators when we start talking and thinking about service accounts. We are constantly saying, “Well, it’s a known risk, but it’s a big deal to change those passwords.”  

That is an issue because your entire IT department knows your password. People who have left your company know your password. It’s an easy target. So right there, you are accepting a risk—and that’s a dangerous mindset. 

The fact is, 80 percent of attacks happen because of password-associated security breaches. Therefore, Active Directory admins need to step up their game. To keep your environment secure, you need to implement planned and scheduled outages to change service account passwords. How can you get buy-in for this action?  

“You say to the application owner, ‘Would you rather have some scheduled downtime of half an hour to take care of this, or would you rather have unscheduled down time of several weeks . . . and coverage in the Wall Street Journal?’“ Deuby suggests. 

3. Inadequate password policies  

Password policies are some of the most treasured relics in IT. They have been around forever, and they have been set more or less the same forever. Deuby points out that it’s important to research the updated guidance for password policies that Microsoft and the National Institute of Standards and Technology released a few years ago. He also says that organisations need to follow this guidance and ban the use of common passwords to reduce their susceptibility to brute-force password attacks and password spray attacks. 

“A password spray attack is a brute-force attack that’s turned on its head,” he notes. With this attack, “a threat actor [takes] a common password, and then will attempt that password against many, many different user accounts over a period of hours or a period of days [until the bad actor finds a victim]. It’s very successful.” 

Password spray works for cybercriminals precisely because of lax or outdated Active Directory password practices. 

Active Directory is 20 years old, and some of the techniques available to us now were not back then. Now, we have the capability and tools, all the fine-grained passwords, the password managers, privilege access management solutions, all of which can help us keep our environment safe. Most importantly, we can’t keep accepting risk. 

4. Unlimited privileged accounts 

This risk crops up in Active Directory environments where an overallocation of permission sets exist. 

It’s something we were all taught: Keep your elevated permissions limited to a small number of groups. We still walk into environments, however, and see many domain or enterprise admins. Those practices can certainly be tightened up. 

To avoid this risk, limit the number of privileged accounts in your environment. Anytime an app owner starts a request with, “I need domain admin permissions…”—my answer is already a hard no.  

We need to take that stance and work with app owners to determine which permissions they actually need. I’m definitely willing to give them more than standard user permissions, but I will not give them domain admin permission. 

5. Unsecured SID History attributes 

SID History is an Active Directory attribute designed to make domain migrations easier. As Deuby explains, the purpose is to enable you to “migrate from one [domain] to another and still have the ability to access resources in your previous domain.” 

However, accounts that are configured with an unsecure SID History attribute can leave the door unlocked for malicious actors. The risk with SID History is that threat actors can inject privileged security identifiers (SIDs) into a regular user’s SID History attribute, thereby giving them elevated rights in the domain that don’t show up in any of the regular groups.  

Fight risky misconfigurations with Purple Knight 

Finding the flaws in your AD configuration can be a nightmare. Free security assessment tools such as Purple Knight are available for organisations to understand where trouble lies so that they’re better equipped to put a stop to it. 

About the author:

Alexandra has worked in the Active Directory space at Nike, a small fintech company, and Intel over the past decade. Her experience has included merger & acquisition projects involving migrating newly acquired companies into an existing Active Directory infrastructure, an Identity and Access Management implementation & migration project, upgrading domain controllers and associated downstream dependent applications and providing Active Directory support. Active Directory is Alexandra’s first tech passion and enjoys deep diving into it as associated technologies continue to evolve.