Effective URL: https://www.semperis.com/blog/nsa-top-ten-cybersecurity-misconfigurations/?mkt_tok=MjM5LUNQTi04NTEAAAGRBAzBPymydxs5SdKJA6...
NSA TOP TEN CYBERSECURITY MISCONFIGURATIONS: AN ACTIVE DIRECTORY PERSPECTIVE

 * Active Directory Security
 * Jan 09, 2024
 * Read 6 MIN

 * What is the list?
 * Why focus on Active Directory?
 * How to address AD misconfigurations
 * Misconfiguration 1: Default configurations
 * Misconfiguration 2: Improper privilege separation
 * Misconfiguration 3: Lack of internal monitoring
 * Audit your AD security stance

Daniel Petri

Late last year, the United States National Security Agency (NSA) and the
Cybersecurity and Infrastructure Security Agency (CISA) released a list of the
most common vulnerabilities in large computer networks. This list of the CISA
and NSA top ten cybersecurity misconfigurations reveals systemic weaknesses,
particularly in (though not limited to) Microsoft Windows and Microsoft Active
Directory environments.

Whether your environment relies on Active Directory alone or in combination with
other identity systems, like Entra ID or Okta, addressing these vulnerabilities
should be a top priority.


WHAT IS THE CISA AND NSA TOP TEN CYBERSECURITY MISCONFIGURATIONS LIST?

Based on Red and Blue team assessments conducted by the NSA’s Defensive Network
Operations (DNO) and CISA’s Vulnerability Management (VM) and Hunt and Incident
Response teams, the CISA and NSA top ten cybersecurity misconfigurations list
spans both government and private sectors. The advisory also discusses the
tactics, techniques, and procedures (TTPs) that malicious actors use to exploit
the misconfigurations it details. Network owners and operators, regardless of
their specific software environments, are advised to rigorously scrutinize their
systems for these misconfigurations.


WHY SHOULD YOU FOCUS ON ACTIVE DIRECTORY?

Not every issue on the CISA/NSA list directly involves Active Directory—but many
do. The most recent Microsoft Digital Defense Report (MDDR, 2023) backs up the
urgency of addressing Active Directory security.

The MDDR noted that nearly half the customers involved in Microsoft Incident
Response engagements have insecure Active Directory configurations. Furthermore,
the report states:

> The most prevalent gaps we found during reactive incident response engagements
> were:
> 
>  * Lack of adequate protection for local administrative accounts.
>  * A broken security barrier between on-premises and cloud administration.
>  * Lack of adherence to the least privilege model.
>  * Legacy authentication protocols.
>  * Insecure Active Directory configurations.
> 
> These gaps enable attacker tactics ranging from Initial Access to Lateral
> Movement and Persistence.
> 
> Microsoft Digital Defense Report 2023

Active Directory is the core identity system for most of today’s organizations,
both public and private. This directory service is central to identity and
access management. The age of the service—developed decades ago—and its critical
role in managing access throughout the environment make it a key target for
cyberattacks. Hybrid Active Directory environments (those that use Active
Directory plus Entra ID or another identity system) increase the attack surface
and can complicate security efforts.


HOW CAN YOU ADDRESS ACTIVE DIRECTORY MISCONFIGURATIONS?

At Semperis, our Research team maintains a library of security indicators to
help you assess your security posture, close attack paths, and spot nefarious
behavior. Indicators of exposure (IOEs) flag vulnerabilities that cyberattackers
can (and often do) exploit. Indicators of compromise (IOCs) alert you to
patterns that are associated with suspicious behaviors—often the sign of a
breach, backdoor accounts, and other active threats.

Our Active Directory audit tools, Directory Services Protector and the free
Purple Knight community tool, use these indicators when scanning your Active
Directory infrastructure. The results provide a comprehensive picture of your
Active Directory security posture, with prioritized guidance on mitigating the
identified issues or, in the case of Directory Services Protector, automated
remediation options.

Semperis has reviewed the CISA and NSA top ten cybersecurity misconfigurations
from an Active Directory perspective. This post—the first of a three-part
series—will give you:

 * A quick explanation of each vulnerability as it relates to a hybrid Active
   Directory identity environment
 * Associated identity security risks
 * Indicators to watch for in Purple Knight or Directory Services Protector

I’ll cover the first three items in this post, then address the remaining
misconfigurations over the next two parts in the series.


1. DEFAULT CONFIGURATIONS IN SOFTWARE AND APPLICATIONS

Out-of-the-box settings can be a significant security concern. This is primarily
because they are well-known and often insufficiently secure for production
environments.

Default settings are typically designed for ease of deployment and user
experience rather than security. They might include:

 * Simple passwords
 * Unnecessary open ports
 * Enabled guest accounts
 * Excessive permissions

These shortcomings are particularly dangerous when it comes to network
infrastructure and mission-critical applications such as Active Directory and
Entra ID.


IDENTITY SECURITY RISKS

Active Directory is the repository for all network resources, including user
accounts, group policies, and access controls. If compromised, it can provide an
attacker the “keys to the kingdom.” Entra ID, which extends these
functionalities to cloud resources, can also be a lucrative target. If either
directory service is compromised, the effects can be catastrophic, leading to
data breaches and unauthorized access to sensitive resources.

The use of default configurations can lead to several security risks, including:

 * Unauthorized access
 * Privilege escalation
 * Lateral movement within the network
 * Data exfiltration

In the context of Active Directory, an attacker might exploit default settings
to gain an initial foothold by compromising weak default credentials.


INDICATORS OF EXPOSURE AND INDICATORS OF COMPROMISE

In Purple Knight and Directory Services Protector, the following indicators can
alert you to the existence or exploitation of default configurations:

 * Print spooler service is enabled on a DC. Several critical flaws have been
   found in Windows Print Spooler services. These flaws directly affect print
   spoolers that are installed on domain controllers, enabling remote code
   execution.
 * Unprivileged users can add computer accounts to domain. Kerberos-based
   attacks can abuse this capability.
 * Anonymous access to Active Directory enabled. Anonymous access can enable
   unauthenticated users to query Active Directory.
 * NTFRS SYSVOL replication. NTFRS is an older protocol that has been replaced
   by DFSR. Attackers can manipulate NTFRS vulnerabilities to compromise SYSVOL
   and potentially change GPOs and logon scripts to propagate malware and move
   laterally across the environment.
 * Unsecured DNS configuration. Attackers can leverage this type of
   configuration to add a new DNS record or replace an existing DNS record to
   spoof a management interface. They can then wait for incoming connections and
   steal credentials.
 * Non-admin users can create tenants in Entra ID. Badly configured tenants that
   are linked to users from the parent (organization) tenant are easier to
   compromise. Such tenants are not properly monitored or secured.


2. IMPROPER SEPARATION OF USER/ADMINISTRATOR PRIVILEGE

Inadequate privilege separation is a pervasive issue in many IT environments.
This practice often leads to the granting of administrative rights to users who
do not require them for daily tasks—a violation of the principle of least
privilege.

Users are typically granted administrative privileges by being placed in
privileged groups (like Domain Admins in Active Directory) or by being granted
local administrator access on their workstations. The culprits vary:

 * Legacy access models
 * Convenience
 * Poor access controls
 * Oversight

The issue is exacerbated by granting persistent privileges rather than granting
privileges conditionally, as needed.


IDENTITY SECURITY RISKS

This misconfiguration makes the entire network vulnerable. Users with
administrative privileges can make broad changes to Active Directory, affecting
group policies, security settings, and other critical infrastructure components.

Entra ID faces similar risks. In addition, integrated SaaS applications and
cloud-based resources could be compromised.


INDICATORS OF EXPOSURE AND INDICATORS OF COMPROMISE

In Purple Knight and Directory Services Protector, the following indicators can
alert you to improper separation of privileges:

 * Built-in domain Administrator account used within the last two weeks. Pay
   careful attention to this indicator, as it might flag a compromised user.
 * Changes to privileged group membership in the last 7 days. This indicator can
   flag an attempt to escalate privilege.
 * Computer accounts in privileged groups. If a computer account is a member of
   a privileged domain group, anyone who compromises the computer account can
   act as a member of that group.
 * Enabled admin accounts that are inactive. Attackers that compromise these
   accounts can then operate unnoticed.
 * Ephemeral Admins. Such short-lived accounts might indicate malicious
   activity.
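Several of the indicators listed above for misconfigurations 1 and 2 can be approximated with the RSAT ActiveDirectory module. The following PowerShell script is an added example, not Purple Knight or Directory Services Protector code; it assumes a domain-joined host with read access to AD and WMI reachability to the domain controllers, uses the post's 14-day and 7-day windows, and assumes a 90-day inactivity threshold for admin accounts.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Semperis code): re-creates a handful of the indicators
# above with plain RSAT cmdlets. Assumes read access to AD and WMI reachability
# to the DCs. The 90-day inactivity window for admin accounts is an assumption.

Import-Module ActiveDirectory

$domain   = Get-ADDomain
$pdc      = $domain.PDCEmulator
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# --- Misconfiguration 1: default configurations ---------------------------

# Unprivileged users can add computer accounts: ms-DS-MachineAccountQuota > 0
$quota = (Get-ADObject $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -gt 0) {
    Add-Finding 'Unprivileged users can add computer accounts' "ms-DS-MachineAccountQuota = $quota (default is 10; set it to 0)"
}

# Anonymous LDAP access: 7th character of dSHeuristics set to '2'
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$heur   = (Get-ADObject $dsPath -Properties dSHeuristics).dSHeuristics
if ($heur -and $heur.Length -ge 7 -and $heur[6] -eq '2') {
    Add-Finding 'Anonymous access to Active Directory enabled' "dSHeuristics = $heur"
}

# NTFRS SYSVOL replication: FRS subscriber objects still present under the DCs
# (heuristic; 'dfsrmig /getglobalstate' on a DC is the authoritative check)
$frs = Get-ADObject -SearchBase $domain.DomainControllersContainer -LDAPFilter '(objectClass=nTFRSSubscriber)'
if ($frs) {
    Add-Finding 'NTFRS SYSVOL replication' "$(@($frs).Count) nTFRSSubscriber object(s) found; migrate SYSVOL to DFSR"
}

# Print Spooler running on a domain controller
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc.HostName -Filter "Name='Spooler'" -ErrorAction Stop
        if ($svc -and $svc.State -eq 'Running') {
            Add-Finding 'Print spooler service is enabled on a DC' "$($dc.HostName): Spooler is $($svc.State)"
        }
    } catch {
        Add-Finding 'Print spooler check failed' "$($dc.HostName): $($_.Exception.Message)"
    }
}

# --- Misconfiguration 2: improper privilege separation --------------------

# Built-in Administrator (RID 500) used in the last two weeks.
# LastLogonDate is derived from lastLogonTimestamp, which can lag by up to
# 14 days; a precise answer needs the lastLogon attribute from every DC.
$builtin = Get-ADUser -Identity "$($domain.DomainSID)-500" -Properties LastLogonDate
if ($builtin.LastLogonDate -gt (Get-Date).AddDays(-14)) {
    Add-Finding 'Built-in domain Administrator account used within the last two weeks' "Last logon: $($builtin.LastLogonDate)"
}

# Privileged groups addressed by well-known RID so the names work in any locale
$privGroups = @("$($domain.DomainSID)-512",   # Domain Admins
                "$($domain.DomainSID)-519",   # Enterprise Admins (forest root only)
                'S-1-5-32-544')               # BUILTIN\Administrators

foreach ($sid in $privGroups) {
    try { $group = Get-ADGroup -Identity $sid -ErrorAction Stop } catch { continue }

    # Membership changes in the last 7 days, read from replication metadata on the PDC
    Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $pdc -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' -and $_.LastOriginatingChangeTime -gt (Get-Date).AddDays(-7) } |
        ForEach-Object {
            Add-Finding 'Changes to privileged group membership in the last 7 days' "$($group.Name): $($_.AttributeValue) changed $($_.LastOriginatingChangeTime)"
        }

    foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
        if ($m.objectClass -eq 'computer') {
            Add-Finding 'Computer accounts in privileged groups' "$($m.Name) is a member of $($group.Name)"
        } elseif ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, LastLogonDate
            if ($u.Enabled -and ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt (Get-Date).AddDays(-90))) {
                Add-Finding 'Enabled admin accounts that are inactive' "$($u.SamAccountName) in $($group.Name); last logon: $($u.LastLogonDate)"
            }
        }
    }
}

$findings | Sort-Object Indicator | Format-Table -AutoSize -Wrap
```

Run it as a user with read access to the directory; an empty table means none of these particular indicators fired, not that the domain is clean.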


3. INSUFFICIENT INTERNAL NETWORK MONITORING

This misconfiguration is a critical oversight. It can leave your organization
vulnerable to undetected intrusions, insider threats, and malicious activities.

Insufficient internal network monitoring can stem from several issues:

 * A lack of proper tools
 * Insufficient coverage of network traffic
 * Inadequate alerting mechanisms
 * An absence of a dedicated team to analyze monitoring data

Many organizations focus on perimeter defense. But internal traffic is often
neglected, on the assumption that the internal network is secure. This oversight
is problematic. Once an attacker breaches the perimeter, they can often move
laterally with little resistance or detection.

Specifically, critical internal assets such as Active Directory, which acts as
the backbone for authentication and authorization in Windows-based environments,
are high-value targets. A lack of robust Active Directory monitoring can leave
your organization blind to internal anomalies that signal a breach or
unauthorized activities.


IDENTITY SECURITY RISKS

In an Active Directory context, this misconfiguration can lead to missed
indicators of compromise, including:

 * Unusual login attempts
 * Changes to group policies
 * The creation of privileged accounts

In Entra ID, insufficient monitoring can lead to the failure to catch:

 * Abnormal sign-in activities
 * Unauthorized access to cloud resources
 * Irregular usage patterns

These risks can lead to data breaches, disruption of services, and significant
operational and reputational damage.


INDICATORS OF EXPOSURE AND INDICATORS OF COMPROMISE

Semperis focuses on evaluating and enhancing the security posture of on-premises
Active Directory and Entra ID, rather than on monitoring network traffic. Our
core objective is to provide insights into the dynamics within a hybrid Active
Directory environment, identifying:

 * Which modifications are being made
 * Who is initiating changes
 * The nature of user activities

Purple Knight conducts a point-in-time assessment of the hybrid Active Directory
environment. The tool then provides a prioritized list of security indicators
and actionable remediation guidance.

Directory Services Protector conducts ongoing surveillance of critical identity
components such as Group Policy Objects (GPO) and access permissions. By
continuously monitoring your Active Directory security stance, you can ascertain
whether your security posture is improving or degrading. You can also configure
automated rollback of suspicious changes as well as custom triggers and alerts.


DON’T DELAY—AUDIT ACTIVE DIRECTORY TODAY

That’s it for this post. The next post in this series covers the Active
Directory implications of the next four items in the CISA and NSA top ten
cybersecurity misconfigurations list. In the meantime, why not download Purple
Knight—it’s free—and see whether your organization is at risk from the
indicators discussed this week.


READ MORE

 * NSA Top Ten Cybersecurity Misconfigurations: An Active Directory Perspective,
   Part 2
 * NSA Top Ten Cybersecurity Misconfigurations: An Active Directory Perspective,
   Part 3


SIGN UP FOR THE LATEST SEMPERIS NEWS

*
Business Email




By submitting, you agree that Semperis may use and process your personal
information to send you information regarding its products and services in
accordance with the Semperis Privacy Policy. You can opt out at any time.





This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of
Service apply.
Submit

 * AD threat detection & response
   
   Directory Services Protector

 * Cyber-first AD disaster recovery
   
   Active Directory Forest Recovery

 * Security-first AD migration and consolidation
   
   Migrator for Active Directory

 * Backup and recovery for Entra ID resources
   
   Disaster Recovery for Entra Tenant

 * Hybrid AD security assessment
   
   Purple Knight

 * Tier 0 attack path discovery
   
   Forest Druid

 * Why Semperis
   * Tour the Platform
   * Our Customers
 * Solutions
   * AD Migration & Consolidation
   * AD Attack Surface Reduction
   * Tier 0 Attack Path Analysis
   * AD Threat Detection & Response
   * AD Backup & Recovery
   * AD Change Auditing & Rollback
   * Breach Preparedness & Response Services
   * Active Directory Breach Forensics

 * Resources
   * Blog
   * Case Studies
   * Reports
   * Videos
   * White Papers
 * Industry
   * Critical Infrastructure
   * Financial Services
   * Healthcare
   * Insurance
   * Public Sector
   * Retail
   * Transportation
 * Partners
   * Partner Overview
   * Find a Partner
   * Become a Partner

 * Company
   * About Us
   * Careers
   * Events
   * Life at Semperis
   * FAQ
   * Support
 * Newsroom
   * Awards
   * Press Releases
   * In the News
 * Request a Demo
 * Experiencing a Breach?
 * Active Directory Security

Stay Current with Semperis

Sign up for updates.

*
Business Email




By submitting, you agree that Semperis may use and process your personal
information to send you information regarding its products and services in
accordance with the Semperis Privacy Policy. You can opt out at any time.





This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of
Service apply.
Submit
 * 
 * 

© 2024 Semperis. All Rights Reserved.

 * Privacy policy
 * Terms of use









By clicking “Accept All Cookies”, you agree to the storing of cookies on your
device to enhance site navigation, analyze site usage, and assist in our
marketing efforts. For more information, see our Privacy Policy.
Cookies Settings Options Accept All Cookies


Your Opt Out Preference Signal is Honored


PRIVACY PREFERENCE CENTER

When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
More information
User ID: 6f09aec1-0b75-4024-aec1-af1073482611
Allow All


MANAGE CONSENT PREFERENCES

FUNCTIONAL COOKIES

Functional Cookies

These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then some
or all of these services may not function properly.

STRICTLY NECESSARY COOKIES

Always Active

These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to block
or alert you about these cookies, but some parts of the site will not then work.
These cookies do not store any personally identifiable information.

TARGETING COOKIES

Targeting Cookies

These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.

PERFORMANCE COOKIES

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.

Back Button


COOKIE LIST



Search Icon
Filter Icon

Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label

Reject All Confirm My Choices