www.semperis.com
75.2.46.245
Public Scan
Submitted URL: https://email.semperis.com/MjM5LUNQTi04NTEAAAGRBAzBP9tokTsLaYDME3NEQQOCDgu_pV7L_uLYUp4oYwbac5tE3bZZjYaa0KtIT2T70QnulWA=
Effective URL: https://www.semperis.com/blog/nsa-top-ten-cybersecurity-misconfigurations/?mkt_tok=MjM5LUNQTi04NTEAAAGRBAzBPymydxs5SdKJA6...
Submission: On February 03 via api from US — Scanned from US
NSA TOP TEN CYBERSECURITY MISCONFIGURATIONS: AN ACTIVE DIRECTORY PERSPECTIVE

Active Directory Security | Jan 09, 2024 | 6 min read
Daniel Petri

Late last year, the United States National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a list of the most common vulnerabilities in large computer networks. This list of CISA and NSA top ten cybersecurity misconfigurations reveals systemic weaknesses, particularly in (though not limited to) Microsoft Windows and Microsoft Active Directory environments.

Whether your environment relies on Active Directory alone or in combination with other identity systems, like Entra ID or Okta, addressing these vulnerabilities should be a top priority.

WHAT IS THE CISA AND NSA TOP TEN CYBERSECURITY MISCONFIGURATIONS LIST?

Based on Red and Blue team assessments conducted by the NSA’s Defensive Network Operations (DNO) and CISA’s Vulnerability Management (VM) and Hunt and Incident Response teams, the CISA and NSA top ten cybersecurity misconfigurations list spans both government and private sectors. The advisory also discusses the tactics, techniques, and procedures (TTPs) that malicious actors deploy to exploit the detailed vulnerabilities. Network owners and operators, regardless of their specific software environments, are advised to rigorously scrutinize their systems for these misconfigurations.

WHY SHOULD YOU FOCUS ON ACTIVE DIRECTORY?

Not every issue on the CISA/NSA list directly involves Active Directory—but many do. The most recent Microsoft Digital Defense Report (MDDR, 2023) backs up the urgency of addressing Active Directory security. The MDDR noted that nearly half the customers involved in Microsoft Incident Response engagements have insecure Active Directory configurations. Furthermore, the report states:

> The most prevalent gaps we found during reactive incident response engagements were:
>
> * Lack of adequate protection for local administrative accounts.
> * A broken security barrier between on-premises and cloud administration.
> * Lack of adherence to the least privilege model.
> * Legacy authentication protocols.
> * Insecure Active Directory configurations.
>
> These gaps enable attacker tactics ranging from Initial Access to Lateral Movement and Persistence.
>
> Microsoft Digital Defense Report 2023

Active Directory is the core identity system for most of today’s organizations, both public and private. This directory service is central to identity and access management. The age of the service—developed decades ago—and its critical role in managing access throughout the environment make it a key target for cyberattacks. Hybrid Active Directory environments (those that use Active Directory plus Entra ID or another identity system) increase the attack surface and can complicate security efforts.

HOW CAN YOU ADDRESS ACTIVE DIRECTORY MISCONFIGURATIONS?

At Semperis, our Research team maintains a library of security indicators to help you assess your security posture, close attack paths, and spot nefarious behavior. Indicators of exposure (IOEs) flag vulnerabilities that cyberattackers can (and often do) exploit. Indicators of compromise (IOCs) alert you to patterns that are associated with suspicious behaviors—often the sign of a breach, backdoor accounts, and other active threats.

Our Active Directory audit tools, Directory Services Protector and the free Purple Knight community tool, use these indicators when scanning your Active Directory infrastructure. The results provide a comprehensive picture of your Active Directory security posture, with prioritized guidance on mitigating the identified issues or, in the case of Directory Services Protector, automated remediation options.

Semperis has reviewed the CISA and NSA top ten cybersecurity misconfigurations from an Active Directory perspective. This post—the first of a three-part series—will give you:

* A quick explanation of each vulnerability as it relates to a hybrid Active Directory identity environment
* Associated identity security risks
* Indicators to watch for in Purple Knight or Directory Services Protector

I’ll cover the first three items in this post, then address the remaining misconfigurations over the next two parts in the series.

1. DEFAULT CONFIGURATIONS IN SOFTWARE AND APPLICATIONS

Out-of-the-box settings can be a significant security concern. This is primarily because they are well-known and often insufficiently secure for production environments. Default settings are typically designed for ease of deployment and user experience rather than security. They might include:

* Simple passwords
* Unnecessary open ports
* Enabled guest accounts
* Excessive permissions

These shortcomings are particularly dangerous when it comes to network infrastructure and mission-critical applications such as Active Directory and Entra ID.

IDENTITY SECURITY RISKS

Active Directory is the repository for all network resources, including user accounts, group policies, and access controls. If compromised, it can provide an attacker the “keys to the kingdom.” Entra ID, which extends these functionalities to cloud resources, can also be a lucrative target. If either directory service is compromised, the effects can be catastrophic, leading to data breaches and unauthorized access to sensitive resources.

The use of default configurations can lead to several security risks, including:

* Unauthorized access
* Privilege escalation
* Lateral movement within the network
* Data exfiltration

In the context of Active Directory, an attacker might exploit default settings to gain an initial foothold by compromising weak default credentials.

INDICATORS OF EXPOSURE AND INDICATORS OF COMPROMISE

In Purple Knight and Directory Services Protector, the following indicators can alert you to the existence or exploitation of default configurations:

* Print spooler service is enabled on a DC. Several critical flaws have been found in Windows Print Spooler services. These flaws directly affect print spoolers that are installed on domain controllers, enabling remote code execution.
* Unprivileged users can add computer accounts to domain. Kerberos-based attacks can abuse this capability.
* Anonymous access to Active Directory enabled. Anonymous access can enable unauthenticated users to query Active Directory.
* NTFRS SYSVOL replication. NTFRS is an older protocol that has been replaced by DFSR. Attackers can manipulate NTFRS vulnerabilities to compromise SYSVOL and potentially change GPOs and logon scripts to propagate malware and move laterally across the environment.
* Unsecured DNS configuration. Attackers can leverage this type of configuration to add a new DNS record or replace an existing DNS record to spoof a management interface. They can then wait for incoming connections and steal credentials.
* Non-admin users can create tenants in Entra ID. Badly configured tenants that are linked to users from the parent (organization) tenant are easier to compromise. Such tenants are not properly monitored or secured.

2. IMPROPER SEPARATION OF USER/ADMINISTRATOR PRIVILEGE

Inadequate privilege separation is a pervasive issue in many IT environments. This practice often leads to the granting of administrative rights to users who do not require them for daily tasks—a violation of the principle of least privilege. Users are typically granted administrative privileges by being placed in privileged groups (like Domain Admins in Active Directory) or by being granted local administrator access on their workstations.

The culprits vary:

* Legacy access models
* Convenience
* Poor access controls
* Oversight

The issue is exacerbated by granting persistent privileges rather than granting privileges conditionally, as needed.

IDENTITY SECURITY RISKS

This misconfiguration makes the entire network vulnerable. Users with administrative privileges can make broad changes to Active Directory, affecting group policies, security settings, and other critical infrastructure components. Entra ID faces similar risks. In addition, integrated SaaS applications and cloud-based resources could be compromised.

INDICATORS OF EXPOSURE AND INDICATORS OF COMPROMISE

In Purple Knight and Directory Services Protector, the following indicators can alert you to improper separation of privileges:

* Built-in domain Administrator account used within the last two weeks. Pay careful attention to this indicator, as it might flag a compromised user.
* Changes to privileged group membership in the last 7 days. This indicator can flag an attempt to escalate privilege.
* Computer accounts in privileged groups. If a computer account is a member of a domain privileged group, anyone who compromises the computer account can act as a member of that group.
* Enabled admin accounts that are inactive. Attackers who compromise these accounts can then operate unnoticed.
* Ephemeral Admins. Such short-lived accounts might indicate malicious activity.

3. INSUFFICIENT INTERNAL NETWORK MONITORING

This misconfiguration is a critical oversight. It can leave your organization vulnerable to undetected intrusions, insider threats, and malicious activities. Insufficient internal network monitoring can stem from several issues:

* A lack of proper tools
* Insufficient coverage of network traffic
* Inadequate alerting mechanisms
* An absence of a dedicated team to analyze monitoring data

Many organizations focus on perimeter defense. But internal traffic is often neglected, on the assumption that the internal network is secure. This oversight is problematic. Once an attacker breaches the perimeter, they can often move laterally with little resistance or detection.

Specifically, critical internal assets such as Active Directory, which acts as the backbone for authentication and authorization in Windows-based environments, are high-value targets. A lack of robust Active Directory monitoring can leave your organization blind to internal anomalies that signal a breach or unauthorized activities.

IDENTITY SECURITY RISKS

In an Active Directory context, this misconfiguration can lead to missed indicators of compromise, including:

* Unusual login attempts
* Changes to group policies
* The creation of privileged accounts

In Entra ID, insufficient monitoring can lead to the failure to catch:

* Abnormal sign-in activities
* Unauthorized access to cloud resources
* Irregular usage patterns

These risks can lead to data breaches, disruption of services, and significant operational and reputational damage.

INDICATORS OF EXPOSURE AND INDICATORS OF COMPROMISE

Semperis focuses on evaluating and enhancing the security posture of on-premises Active Directory and Entra ID, rather than on monitoring network traffic. Our core objective is to provide insights into the dynamics within a hybrid Active Directory environment, identifying:

* Which modifications are being made
* Who is initiating changes
* The nature of user activities

Purple Knight conducts a point-in-time assessment of the hybrid Active Directory environment. The tool then provides a prioritized list of security indicators and actionable remediation guidance.

Directory Services Protector conducts ongoing surveillance of critical identity components such as Group Policy Objects (GPO) and access permissions. By continuously monitoring your Active Directory security stance, you can ascertain whether your security posture is improving or degrading. You can also configure automated rollback of suspicious changes as well as custom triggers and alerts.

DON’T DELAY—AUDIT ACTIVE DIRECTORY TODAY

That’s it for this post. The next post in this series covers the Active Directory implications of the next four items in the CISA and NSA top ten cybersecurity misconfigurations list. In the meantime, why not download Purple Knight—it’s free—and see whether your organization is at risk from the indicators discussed this week.

READ MORE

* NSA Top Ten Cybersecurity Misconfigurations: An Active Directory Perspective, Part 2
* NSA Top Ten Cybersecurity Misconfigurations: An Active Directory Perspective, Part 3