Enhancing AD Security Against Password Spraying Attacks

Active Directory (AD) security has become essential for businesses that rely on Microsoft’s AD to manage their IT systems. AD’s role as the central authentication hub makes it an attractive target for attackers, who can compromise it through password spraying attacks and stolen credentials. This approach yields unauthorized access without any complex exploitation, giving attackers extensive visibility and control over the organization’s network and digital assets. In September, the Five Eyes nations’ respective information security agencies released a report outlining the continued vulnerability of Microsoft’s Active Directory.

Understanding the Vulnerabilities of Microsoft Active Directory

Active Directory is a multi-faceted authentication and management service widely used in enterprise IT networks. It is an appealing target for a few reasons: its relaxed default settings make it easier to compromise, and the many systems that connect to and depend on it create a large attack surface. Once it is compromised, a bad actor can gain privileged access to, and visibility over, every user and system that the organization’s AD manages.

Password Spraying Attacks in Active Directory

One common attack vector is password spraying, where an attacker attempts to log in as multiple users using a list of potentially valid passwords. These lists may be assembled from underground communities or derived from past breaches and targeted credential harvesting. This tactic is especially dangerous if users reuse passwords or create similar passwords across multiple domains. After gaining an initial foothold, attackers can scan the environment for more exposed credentials and continue to target domain controllers, often bypassing multifactor authentication (MFA) controls.
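As an added example (not from the original post), the following PowerShell flags the login pattern described above in failed-logon telemetry: one source trying many distinct accounts only once or twice each, which is what distinguishes a spray from a single account being brute-forced. The event records are constructed inside the script; their field names mirror Windows Security event 4625, and the thresholds are assumptions.

```powershell
# Added example, not from the original post. Constructed sample records stand in
# for Security event 4625; in production replace $events with
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } and map the
# IpAddress / TargetUserName fields from each event's XML.
$t0 = Get-Date '2024-09-01T08:00:00'
$events = @()
# Source A: 12 different accounts, one failure each, inside ten minutes (spray-like)
foreach ($i in 1..12) {
    $events += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(45 * $i); IpAddress = '203.0.113.10'; TargetUserName = "user$i" }
}
# Source B: one account failing six times (a forgotten password or a brute force, not a spray)
foreach ($i in 1..6) {
    $events += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(20 * $i); IpAddress = '198.51.100.7'; TargetUserName = 'bob' }
}

function Find-PasswordSprayCandidates {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$WindowMinutes = 30,          # assumed look-back a spray round typically fits in
        [int]$MinDistinctAccounts = 10,    # assumed breadth across accounts
        [int]$MaxAttemptsPerAccount = 2    # a spray stays under a 5-attempt lockout threshold
    )
    foreach ($bySource in ($Events | Group-Object IpAddress)) {
        # @() keeps these as arrays even when a source touched only one account,
        # otherwise .Count would be the member count of a single GroupInfo object
        $attempts   = @($bySource.Group | Sort-Object TimeCreated)
        $spanMin    = ($attempts[-1].TimeCreated - $attempts[0].TimeCreated).TotalMinutes
        $perAccount = @($attempts | Group-Object TargetUserName)
        $maxPer     = ($perAccount | Measure-Object -Property Count -Maximum).Maximum
        if ($spanMin -le $WindowMinutes -and $perAccount.Count -ge $MinDistinctAccounts -and $maxPer -le $MaxAttemptsPerAccount) {
            [pscustomobject]@{
                Source           = $bySource.Name
                DistinctAccounts = $perAccount.Count
                Attempts         = $attempts.Count
                MaxPerAccount    = $maxPer
                WindowMinutes    = [math]::Round($spanMin, 1)
            }
        }
    }
}

# Only source A is reported; source B has depth on one account, not breadth across many
Find-PasswordSprayCandidates -Events $events | Format-Table
```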

Five Eyes Recommendations to Mitigate Password Spraying Attacks

Five Eyes recommends the following controls to mitigate the risk of password spraying:

  1. Strong Passwords: Create long (30-character minimum), unique, and unpredictable passwords for local administrator accounts, service accounts, and break glass accounts. Microsoft’s Local Administrator Password Solution (LAPS) can assist with managing these passwords.
  2. Single-Factor Authentication: Use passwords for single-factor authentication that consist of at least four random words, totaling a minimum of 15 characters.
  3. Account Lockout Policies: Lock out user accounts, except for break glass accounts, after a maximum of five failed login attempts. This reduces the potential attempts in password spraying.
  4. Random Password Generation: Ensure that passwords for user accounts are randomly generated, especially when accounts are created or when users request a password reset. Attackers often target reused passwords.
  5. Sensitive Account Configuration: Configure the built-in ‘Administrator’ domain account as sensitive to prevent delegation.
  6. Network Scanning: Conduct monthly scans to identify credentials stored in cleartext. Malicious actors often look for these credentials to use in password spraying, so proactively locating and removing them mitigates this risk.
  7. Disable NTLM Protocol: Disable the NTLM protocol, as it does not support MFA and can be exploited by attackers to bypass security measures.
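An added example, not part of the Five Eyes report or the original post: a read-only PowerShell audit of recommendations 2, 3, 5 and 7 above. It assumes the RSAT ActiveDirectory module, rights to read the domain, that it runs on the host whose NTLM settings are being checked, and the threshold values stated in the list.

```powershell
# Added example, not from the original post or the report. Read-only: it reports
# findings and does not change anything. Thresholds are the ones stated in the list.
Import-Module ActiveDirectory
$findings = @()

# 3. Account lockout: the default domain policy should lock after at most 5 failures
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt 5) {
    $findings += "Lockout threshold is $($policy.LockoutThreshold); expected 1-5 (0 means accounts never lock out)"
}
# 2. Single-factor passwords: at least 15 characters
if ($policy.MinPasswordLength -lt 15) {
    $findings += "Minimum password length is $($policy.MinPasswordLength); expected at least 15"
}

# 5. Built-in Administrator (RID 500, found by SID so a rename does not hide it)
#    should be marked 'Account is sensitive and cannot be delegated'
$domainSid = (Get-ADDomain).DomainSID.Value
$admin = Get-ADUser -Identity "$domainSid-500" -Properties AccountNotDelegated
if (-not $admin.AccountNotDelegated) {
    $findings += "Built-in Administrator '$($admin.SamAccountName)' is not marked sensitive / not delegated"
}
# Remediation for that finding, deliberately left commented out in an audit script:
# Set-ADAccountControl -Identity $admin -AccountNotDelegated $true

# 7. NTLM on this host: LM compatibility level and the outbound NTLM restriction
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $lmLevel -or $lmLevel -lt 5) {
    # 5 = send NTLMv2 only, refuse LM and NTLM; the interim step while NTLM is phased out
    $findings += "LmCompatibilityLevel is '$lmLevel'; expected 5 until NTLM is disabled"
}
$ntlmOut = (Get-ItemProperty -Path "$lsa\MSV1_0" -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($ntlmOut -ne 2) {
    # 0 = allow all, 1 = audit all, 2 = deny all outgoing NTLM (use 1 first to find exceptions)
    $findings += "RestrictSendingNTLMTraffic is '$ntlmOut'; expected 2 once exceptions are handled"
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Set RestrictSendingNTLMTraffic to 1 (audit) before 2 so that the Operational NTLM log reveals which applications still depend on NTLM.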

Exploiting Valid Credentials: The Most Common Intrusion Method

While many attack vectors are described in the report, abusing valid credentials remains the most common intrusion method, accounting for approximately 40% of breaches, according to the Verizon DBIR. Implementing strong password policies, monitoring for breached credentials, and enforcing timely changes are highly effective strategies for managing an organization’s vulnerable assets.

The Growing Threat of Password Spraying Attacks

Password Spraying Attacks present a real and growing threat, allowing attackers to slip into networks without needing to break through complex defenses. Once inside, they can access a wealth of sensitive information and control critical parts of the organization’s infrastructure. By implementing the recommendations from the Five Eyes report—like using strong, unique passwords, setting up effective account lockout policies, and disabling outdated protocols—companies can significantly reduce their vulnerability. Additionally, organizations should implement guidelines from NIST, which recommend that organizations maintain a list of compromised passwords and ensure that newly created or reset passwords haven’t been previously compromised. Investing time and resources into these security measures not only protects your data but also ensures the overall integrity and trustworthiness of your organization’s IT environment.

 

AUTHOR


Amos Struthers

Amos is a member of the threat research team, dedicated to identifying and cultivating sources and actionable intelligence for Enzoic products. He enjoys learning about new attack vectors, exploits, and vulnerabilities, as well as those threat actors who are utilizing them in the wild. When not at work, Amos loves spending time with his family, cooking, lifting weights, and competing in various shooting sports.