How to make Active Directory a security strength, rather than a weakness

Most major organisations working with Microsoft systems use Active Directory (AD) to authenticate all resources on a network against a central database. In theory, the solution is a way to manage user security centrally, which sounds appealing to large organisations.

The reality, however, is that AD is not secure on its own, and it opens businesses up to vulnerabilities. After all, it uses traditional passwords for authentication – a method we know to be rife with security risks. These risks can reach a few places. For instance, you may have a security camera or alarm on your business property that links to your servers and uploads security videos to protect the property and employees; if this gets hacked, the breach is both online and offline and can put people in danger. This is why tight network security, as well as updated systems like Verisure Smart Alarms, is not only a necessity but a safety issue that has to be adhered to.

Active Directory is described as:

“A directory service that centralises the management of users, computers and other objects within a network. Its primary function is to authenticate and authorise users and computers in a Windows domain. For example, when a user signs in to a computer on the domain, it checks the username and password that was submitted to verify the account. If it is a valid username and password, the user is authenticated and logged into the computer.”

Active Directory Weaknesses

The password is a major risk factor when it comes to security, but this is not even the sole issue with AD. Over the years, numerous groups have reported on the weaknesses of the platform. These issues include:

  • Too many administrators
  • Delegating tasks to non-administrators
  • Leaving inactive accounts
  • Increasing open access
  • Losing track of who is logging in
  • Losing track of who has high-level access

Because AD is used across many large organisations, it can become difficult to monitor who has which credentials, and these gaps and unknowns can lead to security breaches. Combined with weak password policies, AD is not the secure system most organisations hope it will be.
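A check for three of the weaknesses listed above (too many administrators, inactive accounts, losing track of high-level access) can be scripted. The following is an added example, not code from this article or from any vendor; the function name, thresholds, privileged group list and sample records are assumptions made for illustration.

```powershell
# Added example: flag inactive accounts and excess administrators in account records.
# In a domain, build the input from the ActiveDirectory module instead of the sample:
#   Get-ADUser -Filter * -Properties LastLogonDate, MemberOf
# MemberOf lists direct group membership only; nested membership needs
# Get-ADGroupMember -Recursive. Thresholds and group list are assumptions.
function Get-AdAccountFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        [int] $InactiveDays = 90,
        [int] $MaxAdmins = 3,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$InactiveDays)
    $admins = @()
    foreach ($a in $Accounts) {
        # MemberOf holds distinguished names; compare on the leading CN= component.
        $groups = @($a.MemberOf | ForEach-Object { ("$_" -split ',')[0] -replace '^CN=', '' })
        $isAdmin = @($groups | Where-Object { $PrivilegedGroups -contains $_ }).Count -gt 0
        # A null LastLogonDate means no logon has been recorded for the account.
        $stale = $a.Enabled -and (($null -eq $a.LastLogonDate) -or ($a.LastLogonDate -lt $cutoff))
        if ($isAdmin) { $admins += $a.SamAccountName }
        if ($stale) {
            [pscustomobject]@{ Account = $a.SamAccountName; Finding = 'Enabled but inactive'; Privileged = $isAdmin }
        }
    }
    if ($admins.Count -gt $MaxAdmins) {
        [pscustomobject]@{ Account = ($admins -join ', '); Finding = "Too many administrators ($($admins.Count))"; Privileged = $true }
    }
}

# Constructed sample records (not real accounts), with a fixed "now" for repeatable output.
$now = [datetime]'2019-10-01'
$dn  = 'CN=Domain Admins,CN=Users,DC=example,DC=test'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true;  LastLogonDate = $now.AddDays(-2);   MemberOf = @($dn) }
    [pscustomobject]@{ SamAccountName = 'bob';   Enabled = $true;  LastLogonDate = $now.AddDays(-120); MemberOf = @($dn) }
    [pscustomobject]@{ SamAccountName = 'carol'; Enabled = $true;  LastLogonDate = $null;              MemberOf = @() }
    [pscustomobject]@{ SamAccountName = 'dave';  Enabled = $false; LastLogonDate = $now.AddDays(-400); MemberOf = @() }
)
Get-AdAccountFinding -Accounts $sample -Now $now -MaxAdmins 1 | Format-Table -AutoSize
```

Inactive accounts that are also privileged are the findings to review first, since they combine two of the listed weaknesses.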

Just last month (September 2019), for example, Danish hearing aid manufacturer Demant was hacked via its AD network, which resulted in the company needing to shut down the entire system, causing weeks of damage control and losses of up to £78 million.

When hackers gain access to corporate Active Directory, they have access to the entire organisation via its users. Basically, when AD is hacked, companies are immediately compromised.

How to Make Active Directory Secure

The good news is that Active Directory is not a lost cause. The system itself is of great value to businesses; it just lacks the controls to keep it tight and secure from breaches. Thankfully, there are Active Directory password protection solutions, which provide the authentication controls to keep AD tight and secure.

Whether or not you have been the victim of a breach, all organisations pondering the security of their AD network should carry out an Active Directory password security audit to learn how vulnerable their network is to password-based attacks, and to quickly assess the risks and issues.

With this information in hand, businesses can then consider how best to safeguard against these risks.

Active Directory security – where to find out more

Authlogics provides multiple levels of password solutions, depending on the needs of each organisation. If passwords remain your primary authentication solution for now, Authlogics Password Security Management can prevent users from ever choosing a known breached password. Furthermore, the Authlogics password advisor checks users’ passwords against our Cloud Breach Database in real time to ensure optimum security and compliance, in order to minimise the use and reuse of weak passwords, which are toxic to security.

If additional security is being considered, the Authlogics solutions can be scaled to introduce multi-factor authentication (MFA), whereby all user passwords would be saved in a secure Password Vault. Then, when users log onto a Windows desktop, they simply enter a Multi-factor One Time Code (OTC). Event log data can then report on how users are logging in so that you can gain better oversight into where your potential weaknesses exist.

To book in for an Active Directory audit or a complete Active Directory security overhaul, please get in touch with the team at Authlogics.