In the past, many organizations chose to trust users and devices within their secure perimeters. This is no longer possible, with workers spread out geographically and needing access from multiple locations and devices. End-users need access to corporate systems and cloud applications beyond traditional work boundaries and they expect seamless, fast authentication.
These pressures have meant many organizations turned to a zero trust model to verify the users accessing their data. As the backbone of network authentication, Active Directory is a key consideration in any access security strategy.
It’s vital the credentials stored within are kept secure – so how can we apply zero trust principles towards keeping our Active Directory secure?
Applying a zero trust model
You’ve no doubt heard of the zero trust model: it’s a cybersecurity approach that assumes no trust in any user or system, regardless of their location or network. It operates on the principle of "never trust, always verify."
In a zero trust model, every user, device, and network component must be authenticated and authorized before accessing any resources or data.
It sounds simple, however there’s no definitive checklist for achieving zero trust. Implementing any security model goes beyond adopting a few best practices or deploying a single software solution. It involves constructing a multi-layered security framework that encompasses various technologies, processes, and policies.
We’ve suggested some ideas to get started, but keep in mind that applying zero trust principles to your Active Directory security is an ongoing journey.
Enforce the principle of least privilege
Having accounts with significant privileges inherently poses a risk. There’s the risk of administrators accidentally or maliciously abusing their rights in ways that a normal end user couldn’t. Moreover, if a malicious actor successfully compromises a privileged account, the potential for serious harm is multiplied.
This makes enforcing the least privilege principle an essential step for protecting Active Directory environments.
The principle of least privilege states that individuals or entities should only have the minimum level of access necessary to perform their tasks or functions. This aims to limit potential damage or unauthorized access by restricting privileges to only what is essential.
By implementing the principle of least privilege, organizations ensure each user or system component has only the necessary permissions, minimizing the potential impact of a security breach or insider threat.
Implementing a zero trust model would mean granting elevated privileges even to admins only when necessary and for a limited duration. Methods for achieving "just-in-time" privilege escalation in Active Directory include the ESAE (Red Forest) model, temporary group membership with synchronized ticket expiration, and temporary admin accounts with disabled status until needed.
Interested to know whether you have stale or inactive admin accounts? Run a free read-only scan of your Active Directory.
Use MFA for password resets
Password reset processes are often a point of vulnerability in an organization's Active Directory security, especially when they involve sending a reset link or code to the user's email or phone.
However, if an attacker gains unauthorized access to the user's email account or intercepts the reset code, they can still reset the password. Without proper authentication procedures, unauthorized individuals may be able to use them to gain access to sensitive data and systems.
Hackers targets helpdesks with social engineering to try and take advantage of password reset processes. They’ll pretend to have lost their device and try to get a reset link sent to an attacker-controlled device instead. This is dangerous as an attacker can now take over a legitimate account and launch further attacks.
The risk was clearly highlighted in the recent MGM Resorts ransomware attack, where hackers called the service desk and managed to get hold of login credentials before deploying ransomware.
MFA is a key part of a zero trust strategy, as it adds additional layers of authentication beyond the password. Solutions such as Specops uReset add MFA to the self-service password reset process to ensure only authenticated end users are able to reset their passwords.
This allows organizations to choose from a variety of authentication methods such as biometric verification, SMS authentication, email verification, and third-party authenticators like Google Authenticator.
Scanning for compromised passwords
Why not move away from passwords entirely? For most organizations, it’s simply not feasible. Even if their number can be reduced, passwords will be an element of most cybersecurity strategies, so we need to make them as secure as possible.
Having zero trust principles in place certainly helps, but it’s not a silver bullet for password security.
It’s common for even strong passwords to become compromised through phishing attacks, data breaches, and password reuse. And unfortunately, hackers have multiple methods for bypassing MFA.
It’s therefore key that organizations have a way to check for passwords that have become compromised – otherwise a hacker can relatively simply bypass the zero trust processes you have in place.
Specops Password Policy lets you continuously scan for passwords that have become compromised. Our research team’s attack monitoring data collection systems update the service daily and ensure networks are protected from real world password attacks happening right now.
The Breached Password Protection service blocks these breached passwords in Active Directory and notifies end users to immediately change to a new and secure password.
Have questions on how you could adapt Specops Password Policy for your needs? Contact Specops Software to see how it works with a demo or free trial.
Sponsored and written by Specops Software.