If you work in enterprise IT, or even better, on an enterprise IT security team, you know your organization probably has an ocean of end users, accounts, and groups. With the rising prevalence of cyberattacks leveraging identity in the form of open access, excessive access, and toxic access combinations to penetrate your organization’s defenses, it pays to understand where the risks reside, so they can be mitigated.
Generally, an Enterprise IT environment is an environment of constant change. As headcounts fluctuate, projects start and end, teams restructure, and more, accounts and groups change with them. Many times, the original owner has moved on to another role or has left the company altogether. Maybe everyone on the team had access, but some of them no longer need it. It’s possible that nobody in the group needs access anymore!
Each of these possible scenarios generates a potential access point for a would-be attacker, whether they are a disgruntled employee, a state-sponsored actor, or somewhere in between. We are going to cover six of the most common, but usually hidden, risks found in enterprise Microsoft Active Directory (AD) environments and offer an example of what each might look like in a real environment.
1. Missing Owners
The term “missing owner” refers to AD groups that no team or human is responsible for or owns. When AD groups do not have an owner, this opens the potential for groups being mismanaged, misused, forgotten, or misconfigured.
A user could request access to a group, the approving party may approve the request without further thought or investigation since an owner isn’t assigned, granting additional access to someone who may not need it. Not to mention, the general lack of accountability associated with an unowned group/account exposes that asset to unauthorized access and even insider threat activity.¹
2. Stale Groups
A group is considered “stale” when its membership and/or permissions are not adjusted and may no longer be necessary or appropriate for the current state of the organization. Stale groups can accumulate excessive permissions over time, making them an increasingly valuable target.
If a member of a group leaves the line of business but is not removed from the group, they could still have access to sensitive resources. Additionally, if permissions are not recorded, regularly reviewed, and adjusted, stale groups can accumulate excessive permissions over time, making them an increasingly valuable target. This poses yet another threat by increasing an organization’s attack surface.
3. Empty Groups
Empty groups no longer have any members and could indicate issues in the governance of an organization’s AD. Also, they may have access to critical assets that could impact operations. Some organizations don’t monitor empty groups as closely as groups with members in them allowing an attacker to slip into a group without notice.
These groups may have been used to provide access to software that is now deprecated, a project that is no longer active, or a business process that isn’t used anymore. They could also serve as a Role-Based Access Control (RBAC)² structure to a Privileged Access Management (PAM)³ solution since most PAM solutions rely on AD group assignment for provisioning access to privileged accounts instead of app local groups or individual users.
4. Heavily Nested Groups
Group Nesting is when one group is a member of another group. This can make it increasingly difficult to manage entitlements as each group inherits the collective privileges of all groups above itself in addition to its own.
If permissions aren’t closely tracked, administrators can very easily give someone access to a system, share, or application simply by adding them to a nested group. On the surface, the nested group doesn’t appear to have the extra access but a group that it’s nested into does have the extra access. Attackers can exploit group nesting to gain access to sensitive resources that they would not otherwise have access to. This is particularly true when groups are nested in a way that is not consistent with the principle of least privilege.
5. Circular Membership
Circular Membership (or Circular Nesting) is when a nested group structure contains a group that is added as a member of the original group creating a loop.
This can have many negative side effects, particularly from the operational side. Problems can include issues like applications crashing, scripts may error out, and more.
6. Excessive Membership
Excessive Membership refers to groups that have an excessively large number of members. These groups will be populated with either unique direct membership or members in subgroups which could result in members being listed multiple times from nested membership.
Excessively large groups can become increasingly difficult to manage and can result in mismanagement by failing to remove members that should no longer be in the group, or provisioning the group with access that not every member in that group should have.
How Can You Reduce Your AD Risk?
Any one of these issues presents risk to an enterprise organization. However, most large organizations are likely to be exposed to all six of these simultaneously, exponentially increasing risk.
Organizations that want to mitigate these risks will need to do more than to simply deploy an Identity and Access Management (IAM)⁴ or Privileged Access Management (PAM) platform. Traditionally and up to today, remediation of these issues largely remains a manual process that is lengthy and slow. Luckily, automated discovery and remediation software exists that makes this process much faster and without the enormous drain on resources the traditional method requires.
Sometimes referred to as “Identity Hygiene” or “Cyber Hygiene”, the overarching strategy is taking an identity-first approach when considering how risk can impact the business. By ensuring that identities are only permissioned where they should be, the concept of “least privileged” can be well executed. By carefully controlling access and creating relevant hygienic processes, a security team can support a Zero Trust Model.⁵
This approach has been productized and automated to increase the scalability, speed, and effectiveness of organizations’ access management programs. The beauty of an automated least privileged program is that these otherwise benign tasks can be remediated in real time, while your team is focusing on more critical issues, resulting in a win for everyone!
¹ https://www.cisa.gov/topics/physical-security/insider-threat-mitigation/defining-insider-threats
² https://csrc.nist.gov/glossary/term/role_based_access_control
³ https://www.techtarget.com/searchsecurity/definition/privileged-access-management-PAM
⁴ https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system
⁵ https://www.cisa.gov/zero-trust-maturity-model
About the Author
Chris Nicol serves as the IAM Security Strategist at SPHERE with nearly two decades of IT experience ranging from NOC support, network and system administration, security engineering and architecture, to multiple director-level leadership roles. Chris has provided cybersecurity advisory-level services for multiple Fortune 500 companies. Chris is based in north central Ohio.
