How does WALLIX Bastion secure the Active Directory?

By WALLIX's Security Lab

In the last few years, cyber-attacks targeting Active Directory (AD) have increased. One reason is the age of the AD architectures that most large companies deployed more than 10 years ago: security concerns at the time were not what they are today and, as a result, many of these deployments are now highly exposed. The whole design rests on the DIT (Directory Information Tree), the hierarchy of domains and organizational units on which both the delegation of administration rights and the linking of Group Policy Objects (GPOs) are built. Over the years, Active Directory has undergone multiple modifications. For example, Microsoft recommended various architectural changes that did not take security into account, and over time these have led to configuration problems, thus multiplying vulnerabilities. In addition, poor security practices, such as the reuse of weak or identical passwords across several applications, have further exposed Active Directory.

Securing Active Directory has therefore become a real headache for companies, many of which have simply "given up" in the face of the size of the task. Yet Active Directory is the nerve center of a company's information system (IS). The AD lists all Windows workstations, servers and their users, and provides the mechanisms needed to identify and authenticate them. It is easy to understand why the AD is a prime target for attackers. If a malicious person manages to take control of user accounts by stealing usernames and passwords, and in particular of domain administrator accounts (members of groups such as Domain Admins or Enterprise Admins, which have full privileges over the directory), that person will have access to all of the company's data, including the most sensitive, and will be able to launch a ransomware attack, for example.

NIST (the US National Institute of Standards and Technology) has been raising companies' awareness since 2017 through recommendations for securing the AD. Nevertheless, attacks against Active Directory have kept increasing, such as the attack on the University Hospital of Rouen (France) in 2019: ransomware, spread by elevating privileges through the hospital's AD accounts, paralyzed the IS for several days.

How to protect the Active Directory?

To secure the AD effectively, NIST and Microsoft recommend that the company's IS administrators use a dedicated administrative account in the AD, separate from the "normal" account they use for everyday work. The administrator logs in with this dedicated username/password pair on a workstation reserved for administration, from which he or she can only manage the AD (no Internet access and no other applications; Microsoft calls this a privileged access workstation). This drastically limits credential theft and thus raises the level of security.

Then, to reinforce security, the Active Directory architecture recommended by Microsoft (its tiered administration model) rests on the creation of 3 management silos:

  • A silo called Tier-0 for the management of critical IS resources (the AD itself and its domain controllers, update servers, administrator workstations, etc.).
  • A silo called Tier-1 for vital IS resources (mail servers, business servers, etc.).
  • A silo called Tier-2 for non-vital resources (user workstations, printers, etc.).

With this architecture, when a user tries to log on to a workstation, the AD checks that the account is allowed to authenticate from that machine, i.e. that the account and the workstation belong to the same silo. Thus, a Tier-0 administrator will not be able to log on to a Tier-2 workstation.

Windows still prompts for the user's password on the workstation, but the check is enforced by the domain controller: when the workstation presents the account's credentials to obtain a Kerberos ticket, the authentication policy attached to the silo is evaluated, and the request is refused if the device is outside the silo. This is what prevents privileged credentials from spreading: a Tier-0 password that has been captured on or typed into a Tier-2 machine cannot be used to authenticate from there.
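The following script, added here as an illustration and not taken from WALLIX or from Microsoft's documentation, shows how the Tier-0 silo described above is built with the standard ActiveDirectory PowerShell module (authentication policies and authentication policy silos). The names Tier0-Policy, Tier0-Silo, DC01, T0-PAW01 and adm-alice are hypothetical. It assumes a domain functional level of Windows Server 2012 R2 or higher and that the "KDC support for claims, compound authentication and Kerberos armoring" and matching Kerberos client group policies are enabled, since the domain controller needs device claims to know which silo the requesting computer belongs to.

```powershell
# Added example (not WALLIX's code): create a Tier-0 authentication policy silo.
# Hypothetical names: Tier0-Policy, Tier0-Silo, DC01, T0-PAW01, adm-alice.
# Prerequisites: DFL >= Windows Server 2012 R2 and Kerberos armoring / claims
# enabled by GPO on the KDCs and clients.
Import-Module ActiveDirectory

$siloName   = 'Tier0-Silo'
$policyName = 'Tier0-Policy'

# SDDL condition evaluated by the KDC when a Tier-0 user requests a ticket:
# the requesting computer must itself be a member of the Tier-0 silo.
$allowedFrom = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

# 1. Authentication policy: restrict where Tier-0 users may authenticate from,
#    and shorten their TGT lifetime so a stolen ticket ages out quickly.
New-ADAuthenticationPolicy -Name $policyName `
    -Description 'Tier-0 administrators may authenticate only from Tier-0 hosts' `
    -UserAllowedToAuthenticateFrom $allowedFrom `
    -UserTGTLifetimeMins 120 `
    -Enforce

# 2. Silo that applies this policy to the users, computers and service
#    accounts assigned to it. -Enforce makes violations a refusal, not an audit.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy $policyName `
    -Enforce

# 3. Tier-0 members: the domain controller, the dedicated admin workstation
#    (the PAW) and the dedicated admin account. Each must first be granted
#    access to the silo, then assigned to it.
$members = @(
    (Get-ADComputer 'DC01'),
    (Get-ADComputer 'T0-PAW01'),
    (Get-ADUser 'adm-alice')
)
foreach ($m in $members) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $m
    Set-ADAccountAuthenticationPolicySilo -Identity $m -AuthenticationPolicySilo $siloName
}

# 4. Verify the assignment: msDS-AssignedAuthNPolicySilo must reference the silo.
Get-ADUser 'adm-alice' -Properties msDS-AssignedAuthNPolicySilo |
    Select-Object Name, msDS-AssignedAuthNPolicySilo
```

Run it once from a Tier-0 host as a domain administrator. Before switching a silo to -Enforce in a real domain, create it without -Enforce first and watch the KDC audit events for the accounts concerned, because an account that is in the silo but logs on from a computer that is not will be refused everywhere outside the silo the moment enforcement is on.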

However, despite all this, the risk of credential theft has not been eliminated. The complementary answer is to implement a privileged access management solution that adds a further layer of security and protects the data.

This architecture fits on-premises infrastructures. Microsoft's newer model for securing privileged access (the enterprise access model), although more cloud-oriented, is compatible with this approach: it refines the same principle rather than replacing it.

WALLIX Bastion, to securely reinforce the Active Directory

WALLIX Bastion, the leading Privileged Access Management (PAM) solution in WALLIX's portfolio of unified solutions, protects the Active Directory of 1,300 organizations worldwide, including many operators of vital importance (OIV), operators of essential services (OSE) and public administrations.

Specifically, WALLIX Bastion reinforces the security of the AD by fitting into the silo architecture. Each silo can be split in two: the IT resources on one side and the people who use them (including administrators) on the other, with WALLIX Bastion controlling access between the two. Administrators authenticate to the Bastion with their own identity; the Bastion then opens the session to the target (a domain controller, for example) with a privileged account whose credentials it alone holds. The administrator therefore never connects directly to Active Directory and never learns the privileged password. Moreover, WALLIX Bastion records all the actions carried out, which provides full traceability of what was done on the AD (and more generally on the IS) and makes it possible to intervene in the event of suspicious behavior.

To learn more: