Systems, a leading secure, hyperconverged infrastructure provider for
the hybrid enterprise, has found that many enterprises overly expose
Active Directory (AD) administrators' credentials, leaving companies
vulnerable to security breaches. Skyport reached this conclusion after
conducting comprehensive AD security assessments for enterprises over
the past year.
AD security assessments are based on a 100-point investigation into an
organization's current AD implementation, enabling scoring of the
overall health of the organization's AD infrastructure. The findings
from each assessment highlight key lessons learned, benchmarks, and
operational implications for reducing risk within the organization.
know that over 90 percent of all organizations use Active Directory to
control policies for users and services," said Russell Rice, senior
director, product management, Skyport Systems. "Successful attacks
against AD or admin credentials can be devastating because the blast
radius reaches nearly every system in the enterprise. The data we
collected and analyzed shows that organizations need to pay more close
attention to their AD infrastructure and use a modern approach to
securing AD since many attack tools are widely available, effective and
free," said Rice.
Security experts recommend the following four pillars to protect against cyberattacks:
- Implement AD hygiene by limiting domain admin privileges, configuring secure password policies, and frequent patching.
- Make admin workstations secure to prevent credential theft and misuse.
- Protect Domain Controllers (DCs) against insider and outsider threats.
- Build an isolated admin forest for large or complex enterprises.
these measures, there are many ways organizations' defenses break down,
according to key findings from Skyport's Active Directory security
assessments. These key findings include:
50 percent of the organizations assessed allow administrators to use
the same account to configure AD as they use for everything else.
recommends implementing secure administrative workstations (SAWs) for
management of AD. However, less than 10 percent of the organizations
Skyport Systems assessed have implemented a SAW.
- Fewer than 25 percent of the organizations use multi-factor authentication (MFA) for AD administrator accounts.
is a best practice to severely limit the systems that are permitted to
alter the AD configuration. However, almost none of the organizations
assessed implemented host-based firewalls for the DCs, and less than 15
percent use administrative whitelists.
has recommendations for building an Enhanced Security Administrative
Environment (ESAE), but virtually no mid-market enterprises appear to be
aware of, or effectively implement these guidelines.
Obtain a full copy of the AD Assessment Findings here.