Assaults on identity infrastructure are the hallmarks of modern, sophisticated cyber attacks. As we have noted before here at QOMPLX, theft and misuse of Critical Control Infrastructure such as identity stores and directories make lateral movement possible. We’ve seen many examples of this. Techniques such as Kerberoasting—offline cracking of stolen password hashes—played an important role in the recently disclosed attack on U.S. Government agencies following the initial compromise of the network management vendor SolarWinds. And, as we’ve noted, a range of commodity malware has added the ability to drop privilege escalation tools like Mimikatz in compromised environments to accelerate lateral movement, after initial compromises.
There are many reasons for the increase in attacks on identity infrastructure. First, many organizations have been slow to address known security risks in their identity infrastructure. We have noted, for example, that the continued support within enterprises for NTLM, a legacy protocol that is vulnerable to attack, contributes to sophisticated human-directed ransomware campaigns.
Another, less obvious factor is the complexity of Active Directory deployments within organizations. In QOMPLX’s work with our customers, we’ve seen how overly complex Active Directory architectures involving interactions between multiple AD domains and “forests'' create security and visibility gaps that let attackers in and allow them to move undetected. This is particularly true in companies that have undertaken multiple mergers or acquisitions.
Regardless of the cause, the effect is the same: by elevating their permissions within a compromised network from user to local administrator to domain administrator, attackers essentially disappear into the background of normal network activity, allowing them to move laterally from low-value points of access to higher value IT assets.
Transparency Key In Greenfield AD Deployments
For new or “greenfield” deployments of Active Directory, Microsoft provides an overabundance of documentation and guidance on how to design Active Directory forests and domains. The general idea animating these documents is that the data model for an Active Directory deployment should establish and enforce a “least privilege” policy. Job requirements (rather than role or title) should govern access permissions; users should be able to perform the work they need to do their job, and nothing more. Accounts with elevated privileges should be used only when necessary and their use should be monitored and audited. Microsoft’s guidance also urges customers to structure Active Directory environments with access policies that are both transparent and comprehensible, thereby making it easier to audit and modify permissions as needed.
The Pros and Cons of Active Directory Consolidation
Unfortunately, most companies do not have the luxury of building greenfield environments. And, for non-greenfield environments, the situation is quite different. Legacy Active Directory architectures may be both complex and confusing. Over time, even organizations of modest size can develop intricate webs of permissions consisting of grants to individual users, permissions attached to standard user roles and groups of users, and permissions conferred by trusts between AD forests. The complexity of these overlapping permissions sets can make deciphering the actual permission grant for an individual account impossible and open the door to compromise. Just as important: these architectures may have long ago ceased to support core business processes, hindering rather than boosting productivity.
Many organizations should consider consolidating or collapsing their Active Directory environments. Doing so simplifies AD policies, and allows better focus on segmentation, user isolation and reduction of privileges.
Nine Reasons to Consolidate your AD Forests
Of course, modifying Active Directory architectures is not easy. The risk of disrupting critical business services and functions is high. So when should Active Directory consolidation be considered? Here are nine circumstances in which QOMPLX believes the benefits of AD consolidation outweigh the risks.
You’ve migrated all mailboxes to Office 365
Many organizations with legacy Active Directory installations currently operate hybrid cloud environments. In hybrid environments, most email accounts have migrated to Microsoft’s Office 365 hosted platform, but some users and resources continue to be managed locally from on-premises Exchange servers. For such environments, Microsoft advocates the use of an Exchange Resource Forests model in which organizations maintain an account forest containing all user and regular service accounts. Exchange runs from a separate Active Directory resource forest. In such deployments, users effectively have two, linked mailboxes: their active mailbox in Office 365 account forest and an inactive, linked mailbox in the resource forest.
However, once all mailboxes have been migrated to Office 365, the need for the separate, empty resource forest disappears. Consolidation of forests via decommissioning of the resource forest makes sense in this situation. You can find more information on the process for consolidating resource and account forests here.
You have trusts between identical AD forests
Creating trust bridges between Active Directory forests is common, especially following events like mergers and acquisitions, in which access to resources in both entities must be extended. However, a more elegant solution may be to simply collapse the two Active Directory forests into one, especially in cases where all trusts are two-way transitive between the forests. In such situations, a single forest or domain will give very similar levels of access while greatly simplifying management and increasing transparency.
Active Directory has not been managed well
Active Directory was first introduced in 1999. Like any technology that’s more than two decades old, Active Directory has acquired significant technical debt during its more than two decade run. That technical debt can also accumulate in legacy AD deployments, where feature limitations or ill considered policies made years or decades earlier are tying the hands of present day IT teams.
If this sounds like your environment, or if your AD environment simply has not been well managed, starting over by setting up an Active Directory environment from scratch and then consolidating users in as few forests as possible may be the shortest path to a smoothly functioning and transparent identity infrastructure.
Your created AD forests to enforce password policies
Historically, new Active Directory forests would be created when two or more organizations who wished to interact had differing password policies. Today, however, improved password management features offer organizations the ability to support multiple, fine-grained password policies within the same Active Directory domain, obviating the need for separate forests just to segregate accounts according to password policy. These forests can easily be consolidated without altering the password requirements for any set of users within the merged forest. We recommend doing so!
You completed a merger, acquisition or divestiture
Historically, mergers, acquisitions and divestitures were a driver for Active Directory forest creation, as organizations looked to extend access to (or revoke access from) large populations of users, IT assets and applications across multiple domains. But these events can also be an occasion for collapsing Active Directory forests. While AD collapse initiatives require more planning than merely extending trust between two existing forests, the payoff of consolidation can be considerable.
You want to consolidate your IT team
As Active Directory infrastructure grows and becomes more complex, many organizations have had to hire additional IT resources to manage multiple forests and domains. Consolidating your AD forests can work in the opposite direction: freeing up IT resources from AD management to focus on other tasks. If your organization is under pressure to consolidate its IT operation, Active Directory forest consolidation is one initiative that can have a quick pay-off in efficiency and reduced staffing demands.
Your AD forests have become unwieldy
A common reason to consider Active Directory consolidation is simply to ease the management overhead of your Active Directory environment. It goes without saying that fewer AD domains and forests are easier to manage than more of them.
Consolidation can help trim redundant group policies and helps to make account and object cleanup efforts simpler. Similarly, forest consolidation may allow you to eliminate domain controllers altogether, reducing the attack surface of your environment. Beyond that, Active Directory forests are essentially silos for policies, accounts and assets within your organization. Smashing those silos and centralizing control and management carries significant cost and security benefits.
You created your production AD domain as a child domain
Microsoft’s initial guidance on Active Directory deployments recommended the creation of an empty root domain to serve as a security perimeter under which production “child” domains sat. That guidance soon changed, as customers and Microsoft realized that the administrative overhead and complexity of this outweighed its utility.
Domain and forest consolidation, rather than proliferation, is now the recommended approach to Active Directory management. Organizations that have adopted such an architecture should consider consolidating the forest root domain with any child domains into a single domain.
(In fact, Microsoft’s most recent guidance is to abandon on-premise Active Directory altogether in favor of Azure Active Directory. Read our CISO Andy Jaquith’s take on that announcement here.)
You want to manage on-premises and IaaS identities centrally
Keeping all on-premises or IaaS-based identities under one roof can be helpful for customers that need to synchronize identities to Microsoft’s cloud-based Azure Active Directory. If it's possible to get down to one forest with one domain, there are fewer identity synchronizations that need to occur to get accounts into one central place before synchronizing them once more to Azure AD.
QOMPLX Knowledge: Detecting Lateral Movement Using Windows Event Logs
QOMPLX Knowledge: Golden Ticket Attacks Explained
QOMPLX Knowledge: Silver Ticket Attacks Explained
QOMPLX Knowledge: Pass the Ticket Attacks Explained
QOMPLX Knowledge: Kerberoasting Attacks Explained
QOMPLX Knowledge: DCShadow Attacks Explained
How Active Directory Attacks went Mainstream
QOMPLX: The Importance of Lateral Movement Detection
Detecting Forged Kerberos Ticket (Golden and Silver Ticket) Use In Active Directory
Mitigating Pass the Hash Attacks and Other Credential Theft V2 (PDF)