How to Protect Active Directory Against Ransomware Attacks

Ransomware attacks every type of organization from every angle and Active Directory remains the common target. Stop privilege escalation by fixing these key AD and group policy misconfigurations.

Ransomware has struck every type of organization around the world. It's changed dramatically, too, entering the enterprise from nearly every angle, with attackers leveraging stolen data by posting it on the internet to force victims to pay. In most cases (see SolarWinds and XingLocker), Active Directory (AD) is targeted so the attacker can easily distribute the ransomware after obtaining domain privileges. There are, however, ways to help secure Active Directory to prevent ransomware from succeeding.

Distinct areas within Active Directory can be secured, which will increase the overall security of the enterprise and reduce the security risk at the same time. Specifically, the following settings around AD objects can be secured. Here's how:

• Misconfigurations of user attributes need to be fixed
• Misconfigurations of groups need to be fixed
• Privileged groups need to be cleaned up
• AD processes need to have correct configurations (e.g. SDProp)
• Service principal names (SPNs) need to be secured (shown in Figure 1)
• Trust relationships need to be correct and secured
• SidHistory attribute needs to be cleaned up for users

Figure 1. User account with Service Principal Name (SPN)

In addition, AD itself and group policy can be secured to ensure the attacker can't leverage misconfigurations and areas where privilege escalation can be achieved. Here's how:

• AD trusts need to be verified and secured (shown in Figure 2)
• AD delegations need to be cleaned up
• Group policy delegations need to be cleaned up
• Group policy structural components need to be secured
• Security settings deployed by group policy objects need to be enabled

Figure 2. Mergers and acquisitions can orphan trusts; in addition, required trusts need to be secured.

Finally, attackers want to gain privileges. Once privileges are obtained, they want to create backdoors. Being able to detect these types of AD attacks is essential. Below are some of the actions AD admins and security pros can take to disrupt attack paths:

• Ensure privileged group membership is monitored
• Detect DCShadow and DCSync attacks
• Golden Ticket attacks (illustrated in Figure 3)
• Detect lateral movement attacks
• Detect dangerous SIDHistory and PrimaryGroupID settings

Figure 3. Tenable.ad can detect advanced attacks on Active Directory, in real time, with no agent or privilege.

Technology is available to continuously and automatically analyze and detect AD security and attack paths. To find out more about how Tenable.ad can help, view this webinar: Introducing Tenable.ad — Secure Active Directory and Disrupt Attack Paths

Learn More

• View the webinar: Introducing Tenable.ad — Secure Active Directory and Disrupt Attack Paths
• Download the E-book: A King's Ransom: How to Stop Ransomware Spreading via AD
• Read the Active Directory blog posts

Derek Melber

Derek Melber is a leading technical instructor, author and consultant who comes to Tenable by way of the Alsid acquisition. He is a 16-time Microsoft MVP with deep knowledge of Group Policy, Active Directory, desktop management and Windows security. As a public speaker and technology evangelist, he has educated AD administrators in over 30 countries about how to efficiently and effectively secure Active Directory and Azure AD. He has published a broad range of educational content, including books, articles and videos, that demystify the most complex and technical subjects in an energetic and understandable style.