Q&A

Q&A with Derek Melber on the Horrors of Active Directory Security

Your Active Directory isn't secure. Learn what to do to protect your users and be ready for the next attack.

• By Chris Paoli
• 05/26/2022

If not properly deployed, Active Directory can be a ticking time bomb. It's not if attackers will take advantage of your organization's lax attention but when.

Derek Melber, chief technology and security strategist at security firm Tenable, will be sharing the scary side of Active Directory and give advice on what organizations can do today to secure their environment during a special session at the upcoming TechMentor conference, taking place Aug. 8-12 in Microsoft's Redmond, Wash., headquarters. Titled "The Silent Scream of Every Network: The Horror that is Active Directory Security," Melber will get you prepared to identify and manage attacks aimed at shortcomings in your Active Directory.

Ahead of his talk on Aug. 9, Melber sat down with Redmond to break down why Active Directory should not be taken for granted and what you can do to keep it secure.

Redmond: How has managing users changed in an era of a growing remote workforce? Have there been any shortcomings to Active Directory's security protections that have come from an increasing remote workforce?
Melber: Remote users now need to use some type of connection from their home environment to the office. This can lead to more exposure and even issues with bring-your-own devices, which can leave basic security wide open. 

The shortcomings that are related to Active Directory really have little bearing on if someone is sitting next to the datacenter or remote working 10,000 miles away. The issues are plentiful and not secured in so many cases. 

What's the top insider threat, whether deliberate or accidental, that you see still occurring even with Active Directory security features deployed?
The fact that all AD users have read access to Active Directory is a major issue. With this, simple queries can expose exploitable settings and accounts, which can lead to near-immediate privilege escalation. 

How are IT shops incorrectly or underutilizing Active Directory and what is the No. 1 step they should take today?
It is not that Active Directory is underutilized, but rather well-utilized. With this, there is not enough attention given to basic and advanced settings or configurations within Active Directory, which can lead to privilege escalation. The No. 1 step is to secure Active Directory now and then ensure there is no drift. Not only with basic (audit type settings), but in the "nooks and crannies" of Active Directory.

Is Microsoft dropping the ball when it comes to Active Directory capabilities? And, if so, what is your top feature or tweak you would like to see made?
Microsoft has literally stopped working on AD at all. If it was up to Microsoft, it would convert everyone over to Azure AD and negate all on-premises Active Directory. So, there are too many areas that need attention. Mostly, around security.

Microsoft has never provided good reporting of anything, so security is "shot gunned" all over Active Directory, where it is so difficult to see what you have. The company needs a better assessment solution, combined with tools that provide real-time, agentless and automatic analysis of every change to determine if the change has a security issue related to it. Microsoft does have some solutions, but they are SaaS only and limited in scope. 

Can you share a memorable Active Directory horror story that should be taken as a cautionary tale?
I see organizations try to lock down Active Directory permissions (Active Directory delegations). I see over and over Active Directory breaking due to overzealous admins that want to remove too much, thus removing admins and other key privileged accounts from accessing AD. "I can break Active Directory in one permission" is not a good thing to have occur to you!