Attack strategies are constantly evolving, and your identity security posture should evolve with them. Microsoft Defender for Identity is a core part of Microsoft Defender XDR and is specifically focused on helping customers prevent, detect and ultimately respond to identity-based threats. As part of this mission, the Defender for Identity team continually augments and updates the identity security posture recommendations (ISPMs) within the platform. These recommendations are designed to help customers implement current best practices by addressing known misconfigurations and other weak security elements within identity environments.
Additionally, integrating Microsoft Exposure Management with Defender for Identity can provide a clear and unified view of your organization's exposure status. This solution leverages identity data and insights to help you proactively identify and mitigate potential risks before they are exploited by attackers.
In this blog we focus on some key things to consider for your Active Directory (AD) footprint. Active Directory is a critical element of user authentication, and its complexity leaves many opportunities for misconfiguration, making it a prime target for attackers. To address these weaknesses, we’ve added 10 new recommendations aimed at strengthening your identity security posture and protecting against evolving threats. These recommendations fall into 4 main themes:
1. Mitigating Escalation Risks with GPOs
One of the most common attack vectors is the ability to escalate privileges through misconfigured permissions. This can often be traced back to improper Group Policy Object (GPO) settings, which may inadvertently grant unprivileged users access to elevated roles.
- GPO Assigns Unprivileged Identities to Local Groups with Elevated Privileges
Using Group Policy Objects (GPOs) to add members to a local group can create a security risk if the target group has excessive permissions or rights. This recommendation lists which non-privileged users have been granted elevated permissions through GPOs so that security professionals can review each member and confirm they are authorized to hold those permissions.
- GPO Can Be Modified by Unprivileged Accounts
This recommendation aims to prevent potential security risks by ensuring that only authorized and privileged accounts can modify GPOs. The goal is to identify and fix any GPOs with abnormal modify permissions (Access Control Lists, or ACLs) that attackers could use to gain elevated access, manipulate critical data, or compromise the security of the network.
- Reversible Passwords Found in GPOs
This recommendation focuses on scanning and documenting all GPOs within your environment that contain password data. In the past, Group Policy Preferences (GPPs) allowed administrators to embed credentials in domain policies; although updates have eliminated this practice, the files containing those passwords may still be accessible and must be addressed. Reversible passwords found in GPOs pose a significant risk of credential theft. Attackers can crack these passwords and gain access to critical systems or accounts, which could lead to further exploitation within the environment, including privilege escalation and unauthorized access to sensitive resources.
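As an added example (not code from the blog or from Defender for Identity), the following PowerShell reproduces two of the theme 1 checks ad hoc with the GroupPolicy and ActiveDirectory modules: a scan of SYSVOL for leftover Group Policy Preference password entries and a review of which trustees can edit each GPO. The list of expected GPO editors is an assumption.

```powershell
# Added example (not the blog's or the product's code): ad-hoc checks for two theme 1
# recommendations. Requires the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$domain   = (Get-ADDomain).DNSRoot
$findings = [System.Collections.Generic.List[object]]::new()

# Check 1 (Reversible Passwords Found in GPOs): Group Policy Preference XML files in SYSVOL
# that still carry a "cpassword" attribute. Only the GPO and file path are reported; the
# stored value itself is deliberately never read out or displayed.
$prefFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
Get-ChildItem "\\$domain\SYSVOL\$domain\Policies" -Recurse -Include $prefFiles -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern 'cpassword=' -Quiet } |
    ForEach-Object {
        # The GPO GUID is the policy folder name, e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}
        $guid = [regex]::Match($_.FullName, '\{[0-9A-Fa-f-]{36}\}').Value
        $gpo  = Get-GPO -Guid $guid -ErrorAction SilentlyContinue
        $name = if ($gpo) { $gpo.DisplayName } else { $guid }
        $findings.Add([pscustomobject]@{ Check = 'ReversiblePasswordInGPP'; GPO = $name; Detail = $_.FullName })
    }

# Check 2 (GPO Can Be Modified by Unprivileged Accounts): any trustee holding edit rights on a
# GPO that is not one of the editors you expect. The expected list is an assumption; adapt it.
$expectedEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM', 'Group Policy Creator Owners'
$editLevels      = 'GpoEdit', 'GpoEditDeleteModifySecurity'
foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $editLevels -contains $_.Permission.ToString() -and
                       $expectedEditors -notcontains $_.Trustee.Name } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check  = 'GpoEditableByUnexpectedTrustee'
                GPO    = $gpo.DisplayName
                Detail = "$($_.Trustee.Name): $($_.Permission)"
            })
        }
}
# GpoCustom entries (non-standard ACEs) are not classified here and deserve a manual look.
$findings | Sort-Object Check, GPO | Format-Table -AutoSize
```

Run it from a domain-joined host with RSAT installed; findings are a starting point for review, not a remediation.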
2. Strengthening Account Security
Attackers frequently target accounts with weak or outdated security settings. It is important to ensure that your accounts are properly secured to significantly reduce the risk of a breach.
- Accounts with Non-Default Primary Group ID
This recommendation catalogs all AD user and computer accounts whose primaryGroupId is not set to the default value. The primaryGroupId attribute grants implicit membership in a group but does not appear in some interfaces, allowing attackers to potentially hide group membership or escalate privileges without triggering the normal auditing for group membership changes.
- Ensure Privileged Accounts Are Not Delegated
Privileged accounts within AD should be configured with the setting that prevents their credentials from being delegated to other users or accounts. This recommendation helps teams identify and remediate any privileged accounts in their environment that are still allowed to be delegated.
3. Enforcing Regular Account Password Rotations
Old passwords are a common target for attackers, as they may not align with modern security standards and are more likely to have been leaked in breaches. Regularly updating passwords reduces the risk of compromise by ensuring they remain strong and secure against evolving threats.
- Change Password of krbtgt Account
The krbtgt account is a special account used by the Kerberos Key Distribution Center (KDC) to encrypt and sign all Kerberos tickets within the domain. This recommendation highlights such accounts that have not had their password updated for an extended period of time and could be vulnerable. Changing the password of the krbtgt account is essential to prevent Kerberos ticket forging, also known as pass-the-ticket attacks. If attackers compromise this account, they can forge Kerberos tickets to impersonate legitimate users, escalate privileges, and gain unauthorized access to critical systems and resources within the domain.
- Change Password of Built-in Domain Administrator Account
Changing the password of the built-in domain administrator account is crucial to prevent credential dumping attacks. If attackers gain access to this account, they can extract sensitive information, modify system configurations, and maintain control over the environment, enabling them to escalate privileges and further compromise the domain.
Any domain admin accounts that have not had their password updated in an extended period of time will be presented in the report.
- Change Domain Controller Computer Account Old Password
This recommendation identifies any domain controller computer accounts within AD whose passwords have not been updated for an extended period of time. By default, domain controllers change their computer account passwords automatically every 30 days, so if this is not happening as expected it may indicate an issue that needs to be investigated.
4. Securing Access and Permissions
- Built-in Active Directory Guest Account is Enabled
Guest accounts in AD are built-in, non-nominative accounts that permit access to the domain without requiring a password. This recommendation identifies any such accounts so they can be disabled, limiting the potential for anonymous access to the domain.
- Unsafe Permissions on the DnsAdmins Group
This recommendation reviews the DnsAdmins group and highlights any member that is not a privileged user. Excessive permissions granted through this group are especially unsafe because its members have administrative control over the DNS Server service within the domain.
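As an added example covering themes 2, 3 and 4 above (not code from the blog or from Defender for Identity), this PowerShell runs the equivalent account, password-age and group checks with the ActiveDirectory module. The 180-day staleness threshold and the use of adminCount=1 as the marker of a privileged account are assumptions; the 30-day domain controller rotation window comes from the text.

```powershell
# Added example (not the blog's or the product's code): ad-hoc checks for themes 2, 3 and 4
# with the ActiveDirectory module. The 180-day threshold and the use of adminCount=1 as the
# marker of a "privileged" account are assumptions; the 30-day DC window is from the text.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$sid      = $domain.DomainSID.Value
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $Object, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}

# Theme 2: primaryGroupId that is not the default RID
# (513 Domain Users; 515 Domain Computers; 516 Domain Controllers; 521 read-only DCs)
Get-ADUser -Filter 'primaryGroupID -ne 513' -Properties primaryGroupID |
    ForEach-Object { Add-Finding 'NonDefaultPrimaryGroupId' $_.SamAccountName $_.primaryGroupID }
Get-ADComputer -Filter 'primaryGroupID -ne 515 -and primaryGroupID -ne 516 -and primaryGroupID -ne 521' -Properties primaryGroupID |
    ForEach-Object { Add-Finding 'NonDefaultPrimaryGroupId' $_.SamAccountName $_.primaryGroupID }

# Theme 2: protected accounts (adminCount=1) lacking the NOT_DELEGATED bit (0x100000) in userAccountControl
Get-ADUser -LDAPFilter '(&(adminCount=1)(!(userAccountControl:1.2.840.113556.1.4.803:=1048576)))' |
    ForEach-Object { Add-Finding 'PrivilegedAccountDelegatable' $_.SamAccountName 'enable "Account is sensitive and cannot be delegated"' }

# Theme 3: password age of krbtgt, the built-in Administrator (RID 500) and the DC computer accounts
$stale = (Get-Date).AddDays(-180)
foreach ($acct in (Get-ADUser 'krbtgt' -Properties PasswordLastSet), (Get-ADUser "$sid-500" -Properties PasswordLastSet)) {
    if ($acct.PasswordLastSet -lt $stale) { Add-Finding 'OldPassword' $acct.SamAccountName $acct.PasswordLastSet }
}
Get-ADComputer -Filter * -SearchBase $domain.DomainControllersContainer -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-30) } |
    ForEach-Object { Add-Finding 'DcPasswordNotRotated' $_.SamAccountName $_.PasswordLastSet }

# Theme 4: built-in Guest (RID 501) still enabled, and DnsAdmins members that are not privileged
$guest = Get-ADUser "$sid-501"
if ($guest.Enabled) { Add-Finding 'GuestEnabled' $guest.SamAccountName 'disable the account' }
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive | ForEach-Object {
    $member = Get-ADObject -Identity $_.DistinguishedName -Properties adminCount
    if ($member.adminCount -ne 1) { Add-Finding 'UnprivilegedDnsAdmin' $_.SamAccountName 'review membership' }
}

$findings | Sort-Object Check, Object | Format-Table -AutoSize
```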
Securing your identity infrastructure is an ongoing process that requires continued vigilance. The recommendations discussed above can be found within Microsoft Secure Score and the Recommendations catalog. By implementing these recommendations, and the others outlined in Microsoft Secure Score, you can address common weaknesses and strengthen your security posture.
The Defender for Identity team is committed to continually expanding our recommendations to cover identities across your unique landscape, whether on-premises, in the cloud or hybrid. The team also regularly updates existing recommendations, so it is important to check back regularly to ensure you have the latest protections in place. For instance, the report for "Modify unsecure Kerberos delegations to prevent impersonation" now includes an indication of Kerberos Constrained Delegation with Protocol Transition to a privileged service.
Learn more about the new posture assessments in our documentation. To stay up to date on how Defender for Identity continues to innovate in the realm of cybersecurity, ensuring that your organization remains secure in an ever-changing digital world, follow our What’s New documentation page.
Updated Jan 30, 2025
Version 1.0
LiorShapira, Microsoft
Microsoft Defender XDR Blog