Ransomware gangs often target Microsoft Active Directory to gain deeper access into an organization’s network, and 2024 will be no different. But more help for security teams is on the way, with Microsoft already shipping or planning major improvements in Active Directory security over the next year or so.
Active Directory will likely be leveraged by attackers and exploited in nearly all major ransomware cases in 2024. There are multiple reasons: Active Directory is hugely popular, and it holds the “keys to the kingdom,” so a successful Active Directory takeover can give attackers access to all domain-joined machines, thereby allowing them to conduct further reconnaissance, move laterally across the network, and install ransomware or other malware.
In addition, the surface area exposed by Active Directory and connected protocols like SMB, RPC, WSMAN and LDAP is vast, and these protocols are frequently leveraged and often exploited in ransomware attacks. Threat actors also take advantage of the complexity built into Active Directory, exploiting misconfigurations (including misconfigured permissions), unpatched systems, and weak passwords.
Due to these many challenges and vulnerabilities, Microsoft has begun work to better secure Active Directory. In late 2023, the company rolled out several updates in preview builds of Windows 11 and Windows Server, such as encrypting LDAP by default, adding encryption controls to SMBv3, and rolling out new features to help IT teams retire NTLM.
Although Active Directory will remain a top target for attackers before and after those fixes are released, IT administrators should aggressively move to adopt the new security features and controls from Microsoft to shrink their organization’s risk surface and make it harder for attackers to achieve their objectives.
New Encryption Options for SMB
The first security improvements target the Server Message Block (SMB) protocol, used for sharing access to files, printers, and other resources on an organization's network.
In an October preview build of Windows, Microsoft gave network administrators the option to require encryption of all outbound connections using SMB. With the change, network administrators can mandate that all destination servers support SMB 3.x and encryption. If servers are missing those capabilities, the client won’t connect.
Older versions of SMB have been exploited in several attacks, including WannaCry and Petya.
In mid-2023, Microsoft also introduced SMB over QUIC, an encrypted alternative to TCP, with availability initially between Windows 11 clients and Windows Server 2022 Datacenter: Azure Edition. SMB over QUIC is designed to provide secure and reliable connections to edge file servers over untrusted networks, such as the internet. It’s positioned as a VPN-like experience for remote workers, mobile device users, and organizations with rigorous security requirements.
In the October preview build, Microsoft added SMB over QUIC support for client access control. With the new option, administrators can restrict client access to SMB over QUIC servers by creating a list of trusted devices authorized to connect to a file server.
Additional Encryption for LDAP
In a second set of changes, Microsoft added several security enhancements to Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) in an October preview build of Windows Server.
Two of those changes target the Lightweight Directory Access Protocol (LDAP), a protocol used in Active Directory to maintain distributed directory information and make it easy to query.
Ransomware groups and other threat actors can exploit LDAP to access Active Directory and discover all users and hosts on a network. Nearly all ransomware attackers use LDAP tools like AdFind or SharpHound to perform LDAP-based reconnaissance early in their campaigns.
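The reconnaissance pattern described above is detectable on the wire or in directory-service logs. The following is an added example, not ExtraHop or Microsoft code: it scores LDAP SearchRequests and flags clients that repeatedly run class-wide, subtree searches from a naming-context root. The record layout and the sample searches are constructed for the example.

```python
"""Flag LDAP clients whose search pattern looks like domain-wide reconnaissance."""
from collections import defaultdict
import re

# Constructed sample records: (client, base_dn, scope, filter, result_count),
# the way an NDR sensor or DC log might summarise one LDAP SearchRequest.
SAMPLE_SEARCHES = [
    ("10.0.5.17", "DC=corp,DC=example", "subtree", "(sAMAccountType=805306368)", 4312),
    ("10.0.5.17", "DC=corp,DC=example", "subtree", "(objectClass=computer)", 1880),
    ("10.0.5.17", "DC=corp,DC=example", "subtree", "(objectCategory=group)", 950),
    ("10.0.5.17", "DC=corp,DC=example", "subtree", "(&(objectClass=user)(adminCount=1))", 23),
    ("10.0.9.40", "CN=Users,DC=corp,DC=example", "base", "(sAMAccountName=jdoe)", 1),
    ("10.0.9.40", "OU=Printers,DC=corp,DC=example", "onelevel", "(objectClass=printQueue)", 12),
]

# Filters that enumerate a whole object class rather than one named object.
BROAD_FILTER = re.compile(
    r"\((objectclass|objectcategory)=(\*|user|person|computer|group|trusteddomain)\)"
    r"|\(samaccounttype=\d+\)",
    re.IGNORECASE,
)

def is_domain_root(base_dn):
    """True when the search base is a naming-context root (only DC= components)."""
    parts = [p.strip().upper() for p in base_dn.split(",")]
    return all(p.startswith("DC=") for p in parts)

def score_search(base_dn, scope, ldap_filter, result_count):
    """Return the reconnaissance indicators present in a single search."""
    indicators = []
    if scope == "subtree" and is_domain_root(base_dn):
        indicators.append("subtree-from-root")
    if BROAD_FILTER.search(ldap_filter):
        indicators.append("class-wide-filter")
    if result_count >= 500:
        indicators.append("large-result-set")
    return indicators

def find_recon_clients(searches, min_broad_searches=3):
    """Group by client and flag those with several class-wide searches from the root."""
    per_client = defaultdict(list)
    for client, base_dn, scope, flt, count in searches:
        ind = score_search(base_dn, scope, flt, count)
        if "subtree-from-root" in ind and "class-wide-filter" in ind:
            per_client[client].append(flt)
    return {c: f for c, f in per_client.items() if len(f) >= min_broad_searches}
```

The threshold and filter list are starting points; tune them against the query profile of legitimate management tools in your own environment.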
Microsoft’s security additions to Windows Server include support for using TLS 1.3 for LDAP over TLS connections. TLS 1.3 enhances security over older versions, in part, by requiring forward secrecy, deprecating insecure cipher suites, and encrypting more of the TLS handshake.
A second security upgrade to LDAP adds even more encryption protection. All LDAP client communication after a Simple Authentication and Security Layer (SASL) authentication attempt will now default to encryption.
The End is Near(er) for NTLM
In a third Active Directory security push, Microsoft has taken a huge step toward killing off NTLM, an insecure Windows authentication protocol that Kerberos was meant to obsolete. While attacks on Kerberos are common, it is far more secure than NTLM.
NTLM is vulnerable to several types of exploits, perhaps the most concerning and recurring being NTLM relay attacks, which abuse the challenge-response mechanism NTLM uses to authenticate clients. NTLM relay attacks first appeared over 20 years ago, but they have seen a resurgence in recent years as new variants were discovered, and there’s likely no end in sight.
NTLM persists in Active Directory environments in part because it’s hard-coded into some software and configurations, and Microsoft alone cannot address this issue. NTLM has also been used where Kerberos was not a good fit, for example with legacy clients and servers that are incompatible with it.
To address these shortcomings, Microsoft will allow for expanded use of Kerberos in Active Directory and other Windows environments, eliminating the need for authentication processes to fall back to, or require, NTLM. In coming versions of Windows 11, Microsoft will also expand NTLM management controls to give administrators greater flexibility in tracking and blocking NTLM use, the company said in October.
The ultimate goal is to disable NTLM in Windows 11, the company added. Microsoft is monitoring reductions in NTLM use to determine when it will be safe to disable. Given the risks with NTLM, users should respond to Microsoft’s efforts to discontinue NTLM by moving away from the protocol as quickly as possible.
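Before NTLM can be blocked, an organization needs an inventory of what still uses it and why. The following is an added example, not Microsoft code: it assumes events exported from the Microsoft-Windows-NTLM/Operational log once the "Restrict NTLM: Audit" policies are enabled, and it sorts each authentication by its likely cause. The tuple layout and sample events are a constructed simplification of those log records.

```python
"""Inventory NTLM use from NTLM audit events and sort it by likely cause,
so the remaining dependencies can be removed before NTLM is blocked."""
from collections import Counter, defaultdict
import ipaddress

# Event IDs written by the NTLM audit/restrict policies (8004 = blocked on a DC).
OUTGOING, INCOMING, IN_DOMAIN, BLOCKED = 8001, 8002, 8003, 8004

# Constructed sample events: (event_id, logging_host, user, target, process).
SAMPLE_EVENTS = [
    (8001, "WS042", "CORP\\jdoe", "10.0.3.25", "explorer.exe"),
    (8001, "WS042", "CORP\\jdoe", "10.0.3.25", "explorer.exe"),
    (8002, "FS01", "CORP\\svc_backup", "FS01", "backupagent.exe"),
    (8003, "DC01", "CORP\\svc_scan", "PRINT01", "lsass.exe"),
    (8001, "WS017", "WS017\\admin", "LEGACY-NAS", "mmc.exe"),
    (8004, "DC01", "CORP\\jdoe", "FS02", "lsass.exe"),
]

def likely_cause(event):
    """Classify why NTLM was used instead of Kerberos for one event."""
    event_id, host, user, target, _process = event
    if event_id == BLOCKED:
        return "blocked by DC policy"
    try:
        # Kerberos needs an SPN; a bare IP address as the target forces NTLM.
        ipaddress.ip_address(target)
        return "target addressed by IP (no SPN for Kerberos)"
    except ValueError:
        pass
    # A local account (DOMAIN part equals the logging host) cannot use Kerberos remotely.
    if "\\" in user and user.split("\\", 1)[0].upper() == host.upper():
        return "local (non-domain) account"
    return "unknown: check application for hard-coded NTLM"

def ntlm_inventory(events):
    """Return {cause: {(target, process): count}} for remediation planning."""
    inventory = defaultdict(Counter)
    for ev in events:
        _, _, _, target, process = ev
        inventory[likely_cause(ev)][(target, process)] += 1
    return {cause: dict(c) for cause, c in inventory.items()}

def remaining_ntlm_targets(events):
    """Targets still authenticating with NTLM (not yet blocked); an empty
    list means the environment is ready for the 'disable NTLM' step."""
    return sorted({t for i, _, _, t, _ in events if i != BLOCKED})
```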
Active Directory Visibility with Reveal(x)
In addition to the security improvements coming from Microsoft, organizations can turn to the ExtraHop Reveal(x) NDR platform to detect attacks on Active Directory. Reveal(x) gives security teams broad visibility into activity on their networks and into protocols used by Active Directory, including Kerberos, LDAP, SMB, RPC, and WSMAN.
Reveal(x) offers users unmatched decryption capabilities in the NDR marketplace, allowing security analysts to see malicious activity hiding in encrypted traffic, a tactic frequently used in Active Directory exploits. The decryption capabilities in Reveal(x) help security teams identify unauthorized or unusual access, reconnaissance, and privilege escalation attempts in Active Directory, and they provide visibility into advanced exploits such as Kerberos golden ticket attacks.
Reveal(x) is able to decrypt not only TLS traffic, but also protocols encrypted via Kerberos or NTLM, an unmatched capability in the NDR market.
Reveal(x) also enables security teams to capture full packets on their networks, allowing them to collect and analyze the data to hunt for threats, respond to incidents, and conduct forensic investigations. The packet capture capabilities also allow security teams to quickly identify suspicious activity.
Reveal(x) provides detections of exploits targeting known Microsoft vulnerabilities and attack techniques, and it also uses machine learning to model attack behaviors and identify new activity. Reveal(x) uses rule-based detection, peer group analysis, and deep learning to detect the full range of attack activity on Active Directory.
The robust decryption, packet capture, and protocol parsing features in Reveal(x) give users the visibility and detection capabilities they need to stop attacks on Active Directory before they cause major damage. In addition to Reveal(x), the new security push from Microsoft will make Active Directory more difficult to exploit, creating a less tempting target for attackers.
Do you have questions about securing Active Directory? Join the conversation on the ExtraHop customer community.