Active Directory is the gatekeeper to critical applications and data in 90% of organizations worldwide. As such, it is a prime target for attackers and extremely complex to secure. Increasingly, stealth attacks take advantage of built-in protocols in the Windows operating system -- and Active Directory (AD) itself -- to avoid detection. Since AD is rarely safeguarded effectively, attackers have come to depend on weak configurations to identify attack paths, access privileged credentials, and get a foothold into target networks.
Even 23 years after its release, organizations of all sizes and across industries fail to address Active Directory security gaps that can expose them to cyberattacks. According to a recent report from Semperis, organizations scored an average of 68% across five AD security categories -- a barely passing grade. Large organizations fared even worse in the assessment, reporting an average score of 64%, which indicates AD security becomes more challenging with legacy applications and complex environments.
The report surveyed 1,000 IT and security leaders who deployed Purple Knight, an AD security assessment tool. The tool is designed to query AD environments and perform a set of tests against aspects of AD’s security posture, including AD delegation, account security, AD infrastructure security, Group Policy security, and Kerberos security. The survey asked respondents, who included IT practitioners, CTOs/CIOs, SOC engineers, and CISOs, about their Purple Knight deployments and the results of their AD security environment assessments.
Among the five AD security indicator categories that Purple Knight assesses, organizations reported the lowest scores for Account Security (57% average score). Account security covers settings on individual accounts such as privileged accounts with a password that never expires.
The second weakest-scoring category was Group Policy, which scored an average of 62%. Large organizations with 5,000 or more employees reported lower average scores than smaller companies.
Most organizations scored the highest (77%) in the category of Account Infrastructure. However, several respondents said they were surprised to uncover the Zerologon vulnerability. That was especially true in a few cases where respondents said they were running other security assessment tools, including AD-specific commercial products.
Although most category scores were similar among companies across industries, insurance and healthcare companies reported the lowest overall scores, at 55% and 63%, respectively. This correlates with the high incidence of breaches in these industries. Public infrastructure and government agencies reported the highest scores, at 71% and 70%, respectively.
Despite the varying scores, the report notes that organizations across all industries have opportunities to improve AD security, which ultimately can improve overall security posture.