5 Security Mistakes You’re Probably Making with Microsoft Active Directory


If your organization is like most, you probably use Active Directory (AD), Microsoft’s directory service. It runs on Windows Server and allows admins to manage permissions for their network resources. 

It’s probably also misconfigured in some way. That’s understandable, since Microsoft’s directory services tool is nearly thirty years old and the world it was designed for no longer exists. Yet somehow, the solution has become so ubiquitous that this hardly seems to matter.  

According to Forbes Magazine, roughly 90% of large organizations use Active Directory as their primary identity store, even those that have long since transitioned to the cloud. Unsurprisingly, per a report by Enterprise Management Associates, half of these companies experienced a cyberattack directly targeting Active Directory between 2019 and 2021—and 40% of those attacks were successful. 

If you want to ensure that your organization doesn’t become yet another statistic, it’s time to assess your Active Directory deployment. Cyber criminals tend not to be as sophisticated or advanced as the media would have you believe—like most of us, they’re creatures of habit. And, like many of us, they almost always prefer the path of least resistance. 

What this means is that by addressing the most common Active Directory mistakes and misconfigurations, you can protect yourself from the vast majority of attacks. 

Here are five security mistakes you’re probably making with Active Directory—and how to address them. 

1) Leaving NTLM Enabled

Calling New Technology LAN Manager (NTLM) an authentication protocol is like calling a door with no lock a barrier against intruders. Sure, it technically serves that purpose, but in reality it’s a massive hole in your security.

Per AD security specialist Semperis, NTLM is essentially the “root of all evil” in Active Directory, responsible for a great many of the directory service’s worst vulnerabilities. Disabling it is in your best interest. 
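Before you turn NTLM off, you need to know what still depends on it. The script below is an added example (not code from the article or from Semperis) that reads the NTLM hardening settings on a domain controller and then summarizes which workstations and accounts still authenticated with NTLM in the last week, using the standard 4624 logon events. It assumes it runs elevated on a DC; the registry locations and event fields are the documented Windows ones, and the 90/7-day thresholds are arbitrary choices for the example.

```powershell
# Added example, not from the original article: audit NTLM posture on a DC.
# Assumption: run elevated on a domain controller with the Security log enabled
# for logon auditing (event 4624 carries the authentication package used).

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# LmCompatibilityLevel: 5 = send NTLMv2 only and refuse LM/NTLMv1 as a server.
# Unset defaults to 3 on supported Windows versions (NTLMv2 sent, v1 still accepted).
$lmLevel     = Get-RegValue $lsa 'LmCompatibilityLevel'
# RestrictSendingNTLMTraffic / RestrictReceivingNTLMTraffic: 0 allow, 1 audit, 2 deny.
$restrictOut = Get-RegValue $msv 'RestrictSendingNTLMTraffic'
$restrictIn  = Get-RegValue $msv 'RestrictReceivingNTLMTraffic'
# AuditReceivingNTLMTraffic: 0 off, 1 audit domain accounts, 2 audit all accounts.
$auditIn     = Get-RegValue $msv 'AuditReceivingNTLMTraffic'

[pscustomobject]@{
    LmCompatibilityLevel         = if ($null -eq $lmLevel) { 'not set (defaults to 3)' } else { $lmLevel }
    RestrictSendingNTLMTraffic   = $restrictOut
    RestrictReceivingNTLMTraffic = $restrictIn
    AuditReceivingNTLMTraffic    = $auditIn
} | Format-List

if ($null -eq $lmLevel -or $lmLevel -lt 5) {
    Write-Warning "LmCompatibilityLevel=$lmLevel: NTLMv1 may still be accepted. Set 5 via GPO (Network security: LAN Manager authentication level)."
}
if ($restrictIn -ne 2) {
    Write-Warning "Incoming NTLM is not denied (RestrictReceivingNTLMTraffic=$restrictIn). Use audit mode (1) first and review the results below."
}

# Who still uses NTLM? Parse 4624 events whose AuthenticationPackageName is NTLM.
# -MaxEvents bounds runtime on a busy DC; raise it if the sample is too small.
$since = (Get-Date).AddDays(-7)
$ntlmLogons = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624; StartTime = $since } `
                           -MaxEvents 50000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                Workstation = $d.WorkstationName
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LmPackage   = $d.LmPackageName   # 'NTLM V1' is the urgent finding
                Time        = $_.TimeCreated
            }
        }
    }

# Group by source and NTLM version so the remaining dependencies are obvious.
$ntlmLogons | Group-Object Workstation, LmPackage | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Disabling NTLM outright tends to break legacy applications, so the practical order is: raise LmCompatibilityLevel to 5 to kill NTLMv1, set the Restrict NTLM policies to audit, work through the sources the report surfaces, and only then move to deny. Once audit mode is on, the Microsoft-Windows-NTLM/Operational log also records each blocked-or-audited NTLM attempt, which gives you a second data source.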

2) Not Using Multi-Factor Authentication

Ask any security expert for their most important piece of advice to protect your systems from unauthorized access, and most of them will point to multi-factor authentication (MFA), sometimes referred to as two-factor authentication (2FA). It’s essentially an extra layer of protection for your user accounts, and a critical safeguard against compromised passwords. 

3) Overdoing It with Permissions

Within Active Directory, apply the principle of least privilege: each user should have only the permissions their job requires, and nothing more. Otherwise, you’re essentially leaving the keys to your organization sitting in the lock. 
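Least privilege in AD is mostly about who sits in the privileged groups. The following script is an added example (not from the article) that walks the built-in privileged groups recursively, flags members that commonly violate least privilege (service accounts, dormant accounts, passwords that never expire), and lists accounts whose adminCount is still set even though they no longer belong to any of those groups. It assumes the ActiveDirectory RSAT module and read access to the domain; the 90-day and 365-day thresholds and the headcount ceiling of 5 are arbitrary values for the example.

```powershell
# Added example, not from the original article: audit privileged AD group membership.
# Assumption: ActiveDirectory module (RSAT) is installed and the caller can read AD.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators',
                    'Server Operators', 'Print Operators', 'DnsAdmins'

$staleDays   = 90     # example threshold: no logon for this long is suspicious
$maxPwdDays  = 365    # example threshold for admin password age
$headcountMax = 5     # example ceiling per privileged group
$staleCutoff = (Get-Date).AddDays(-$staleDays)
$pwdCutoff   = (Get-Date).AddDays(-$maxPwdDays)

$report = foreach ($g in $privilegedGroups) {
    # -Recursive expands nested groups, which is where hidden admins usually live
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') { continue }
        $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties LastLogonDate, PasswordNeverExpires, PasswordLastSet, Enabled, ServicePrincipalName
        $flags = @()
        if (-not $u.Enabled)                     { $flags += 'disabled-but-still-privileged' }
        if ($u.PasswordNeverExpires)             { $flags += 'password-never-expires' }
        if ($u.ServicePrincipalName.Count -gt 0) { $flags += 'service-account-in-admin-group' }
        if ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $staleCutoff) {
            $flags += "no-logon-in-${staleDays}d"
        }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $pwdCutoff) {
            $flags += "password-older-than-${maxPwdDays}d"
        }
        [pscustomobject]@{
            Group     = $g
            User      = $u.SamAccountName
            Enabled   = $u.Enabled
            LastLogon = $u.LastLogonDate
            Findings  = ($flags -join ', ')
        }
    }
}

$report | Sort-Object Group, User | Format-Table -AutoSize

# Groups that have grown past the ceiling deserve a membership review.
$report | Group-Object Group | Where-Object Count -gt $headcountMax | ForEach-Object {
    Write-Warning "$($_.Name) has $($_.Count) effective members (ceiling $headcountMax)"
}

# Orphaned adminCount: SDProp sets adminCount=1 on protected members but never clears it,
# so former admins keep a hardened ACL and are worth a look.
$currentAdmins = $report.User | Sort-Object -Unique
Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $currentAdmins -notcontains $_.SamAccountName } |
    ForEach-Object { Write-Warning "$($_.SamAccountName) has adminCount=1 but is in no privileged group" }
```

Run it on a schedule and diff the output; a new name in Domain Admins between two runs is the kind of change that should always have a ticket behind it.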

4) Relying on Active Directory for Business Continuity

Disaster recovery and business continuity are a cornerstone of cyber resilience. Unfortunately, many organizations make a critical blunder in their planning—the tools they use for disaster recovery are connected to Active Directory. In other words, if AD goes down, their incident response process goes with it. Your business continuity tools need to be completely separate from your Active Directory deployment. 

5) Using Snapshots for Active Directory Backups

If you’re using virtualized domain controllers, you’re likely also backing them up with snapshots. That’s a mistake. An attacker could spend months in a system doing damage before they’re discovered. Restoring a snapshot taken at any point during that time frame means you’re also restoring whatever malware or configuration changes the attacker introduced. 
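Two things are worth checking on every virtualized DC: whether anyone has already rolled it back from a snapshot, and how old its last supported backup is. The script below is an added example (not from the article) that looks for the Directory Service events AD raises when it detects an unsupported restore, checks the registry flag the DC sets when it stops accepting writes after a USN rollback, and reads the per-partition backup dates that repadmin records in the directory. It assumes it runs elevated on a DC; the 30-day lookback and the 14-day backup-age threshold are arbitrary example values, and the date regex is an assumption about repadmin's output format, so the raw output is printed as well.

```powershell
# Added example, not from the original article: detect snapshot-style restores on a DC
# and report the age of the last supported AD backup.
# Assumption: run elevated on a domain controller; repadmin.exe ships with AD DS.

$lookbackDays    = 30   # example value
$backupMaxAgeDays = 14  # example value

# Directory Service log events:
#   2095 = USN rollback detected (database restored by an unsupported method)
#   2103 = AD paused inbound/outbound replication after an unsupported restore
#   2170 = VM Generation ID change detected (hypervisor snapshot rolled back)
$since = (Get-Date).AddDays(-$lookbackDays)
$restoreEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103, 2170; StartTime = $since } `
                              -ErrorAction SilentlyContinue
if ($restoreEvents) {
    foreach ($e in $restoreEvents) {
        Write-Warning ("{0:u} event {1}: {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
    }
} else {
    Write-Output "No unsupported-restore events in the last $lookbackDays days."
}

# After a detected USN rollback the DC sets 'Dsa Not Writable' = 4 and refuses writes.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$notWritable = (Get-ItemProperty -Path $ntds -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue).'Dsa Not Writable'
if ($notWritable -eq 4) {
    Write-Warning "This DC is in USN-rollback quarantine (Dsa Not Writable = 4); it must be demoted and rebuilt, not restored again."
}

# Last supported backup per naming context, as recorded by the backup API itself.
# Snapshots do NOT update this, so a stale date here means the only 'backups' are snapshots.
$showBackup = & repadmin.exe /showbackup 2>&1
$showBackup | Out-String | Write-Output
$dateRegex = '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}'   # assumed output format
$cutoff = (Get-Date).AddDays(-$backupMaxAgeDays)
foreach ($line in $showBackup) {
    if ($line -match 'dSASignature' -and $line -match $dateRegex) {
        $when = [datetime]::ParseExact($Matches[0], 'yyyy-MM-dd HH:mm:ss', $null)
        if ($when -lt $cutoff) {
            Write-Warning "Last supported backup is from $when, older than $backupMaxAgeDays days: $line"
        }
    }
}
```

A supported backup is an application-aware system state backup (Windows Server Backup or a backup product that uses the AD backup API), taken on a schedule shorter than the tombstone lifetime; that is what repadmin reports, and what a snapshot never touches.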

Take a More Active Role in Securing Active Directory

Active Directory likely isn’t going anywhere anytime soon. It’s going to remain a fixture in the business world for years to come. With that in mind, your best course of action is to avoid making the same mistakes as everyone else. Now you know how to do so.