Active Directory: What Else Is It Good For?

Active Directory as a single point of access

We need to maintain Active Directory in order to run a Windows domain. Can we leverage that investment and get any other benefits from it? It turns out that we can. One of the best of these is the ability to disable access in a single place when someone leaves our organization or we learn that their account has been compromised.

When passwords are leaked

Consider this scenario: A popular social networking site announces that it has suffered a massive security breach, and a copy of the account names and passwords for all of its users is now floating around the internet. You happen to discuss this with one of your coworkers, who mentions that they’re a little worried because they use that site and they’ve used that same password on a number of work-related websites. How do you lock down access?

It’s hard to respond to an external breach like this if you don’t have a single place to turn off access. You’d have to work on (number of work-related websites) x (number of people in your organization) different accounts. This is probably too many accounts to track down. But if you had all access go through a single system, you could cut off all access there and work with each user affected by the external breach to reestablish access. Active Directory can be that single system.

When employees leave the company

Similarly, how do you disable access for employees who leave the company? If you have to wade through a large number of systems each time someone leaves the company, you leave the door open for user error that could leave accounts active long past the time when the employee left. In this case also, you’re much better off having access go through Active Directory.

Caveats

In both of these cases, we see problems that arise from having a single, highly valuable store of hashed passwords. If that store of hashed passwords is compromised, whether through direct access to the password hashes, password reuse, or the memory of a disgruntled former employee, you have a big problem on your hands. How can we decrease the value of these credentials? One approach is to introduce two-factor authorization. We talked briefly about 2FA back in the Crypto chapter. Let’s get into a little more detail here.

2FA

When you set up a system to use 2FA for access, you split access between a password that the user remembers and a second, very short-lived password that an external device such as a smartphone app can generate on-demand. Someone who only has one of these factors can’t access the system without the other. With a system like this in place, even if a user’s password is leaked due to password reuse with third-party systems, the attacker won’t be able to log in because they won’t have access to the 2FA app, which generates the other part of the login credentials.

What’s more, 2FA makes attempts to use stolen passwords much noisier and more noticeable. If an attacker attempts to log in with a valid username and password but doesn’t have the 2FA app, this should stand out in your logs. It is rare for a user to enter their credentials but not complete the login process by using their 2FA application. If you see this happen, especially if the attempt originates from an IP address that’s not typically used by the legitimate user, you have a very strong indication that the password has been compromised and should be rotated.

                                                 Q U I Z