Active Directory (AD) holds the enterprise’s crown jewels, granting privileges to users that determine what data they can access and what level of control they have over the IT environment. It’s such a vital system that when AD goes down, business operations often go with it. Even worse, if attackers are able to compromise AD, they possess the keys to the corporate kingdom.
AD is a high-priority target for cyber criminals because compromising it enables them to:
- Distribute malware and/or ransomware on a massive number of endpoints: Hackers can achieve such a large footprint on end-user devices and internal systems that recovery at scale becomes impossible.
- Steal intellectual property: Controlling or subverting AD enables attackers to hop from system to system to find, extract, and then destroy product designs, source code, and other valuable, irreplaceable IP. Using open-source tools that analyze the security of AD, criminal organizations can identify promising attack paths to comprise it.
- Cripple AD: Ransomware and other attacks that target AD with the goal of bringing it down can drive business operations to its knees.
Given how vital AD is to IT and business operations, organizations should place a high priority on protecting it from attack. Privileged Access Management (PAM) is a category of security tools that manage and protect accounts that grant access beyond that given to ordinary business users, such as the rights that system administrators possess to the critical systems they manage. Privileged accounts rely on secrets such as passwords, keys, and certificates to control access to critical systems. PAM secures these secrets by storing and managing them in a secure vault.
PAM also protects AD by reducing the attack surface, because it strictly controls access to privileged accounts and protects systems at different layers, such as Tier 0 domain controllers, which provide direct control over identities and privileges in the IT environment. Additionally, PAM prevents unauthorized access by enforcing least privilege and multi-factor authentication and by only provisioning elevated permissions temporarily.
Through PAM, IT and security personnel gain increased visibility and control with forensic-level auditing and session recording at the host system. AI tools can rapidly detect anomalous behavior, which enables IT to respond quickly — in many cases, AI can automatically address the issue.
PAM also addresses the well-known issue of giving too many privileges to individual users. Instead, with PAM, access requests and approval workflows grant just-enough elevated access and permissions just-in-time, and these permissions exist for only a limited amount of time.
To adequately protect AD, PAM should vault and limit access to the AD domain administrator accounts and rotate them on regular basis. PAM should vault away all accounts that are members of the Domain Administrators group and establish a checkout/check-in process for them. Beyond vaulting, make sure privilege control is enabled for servers on all domain controllers to protect logins and to establish session recordings for any interactive sessions on these super-sensitive Tier 0 servers.
Then, remove all privileges from domain administrator accounts, granting access only to individual assets instead of the entire domain, and do so with least privilege access on a just-in-time basis.
Delinea provides PAM solutions that have consistently been recognized as leaders by top analysts firms, protecting privileged access in well-known organizations such as Saab, BP, BAE Systems, and the USDA.
Read More from This Article: Using Privileged Access Management to protect Active Directory
Source: News