What CPAs Should Know About Active Directory

By Susan Firriolo, CPA, CISA, Pet Rescue 990 Project – July 27, 2022

Active Directory (AD) is a database in every Microsoft server that stores information about devices, users, applications, shared files, permissions and other things on a network. AD is very complicated; some IT professionals do not entirely understand it. So why do CPAs need to know about it? Because it is another point of vulnerability for a cyber attack.

AD is used to manage a network and is the most significant part of securing the network. A good way for CPAs to get acquainted with AD is to think about what happens when a user signs into a computer. AD checks the username and password against the database. If the credentials match what is in the database, AD allows the user to log in to the computer. A cyber attack on AD can reveal confidential client data, personal records of employees, bank information and everything else on the network.

Information in AD is organized in groups called objects. Objects in AD make it easy for administrators and users to find out information about the network. Records in objects can be usernames, passwords, computers, printers, shared resources and anything else that needs to be validated.

Methods of Attack

In an attack using AD, the intruder finds an entry point into a network in several ways, such as an illegitimate email, a security vulnerability, or hardware or software that is not configured correctly.

The most common way an attacker gets an entry point into a network has been by phishing. A phishing attack involves an email that appears to be from an associate, client or friend. The email contains a link to an invoice, document, software update or something that seems important to the recipient. When the recipient clicks on the link, the attacker obtains an entry point and can install malicious software that gives them access to that computer.

Recently, ransomware attackers have been using weaknesses in applications, insufficient security procedures, internal control deficiencies or other vulnerabilities to access AD. Vulnerabilities in a network can be caused by a programming mistake, a web exploit or another weakness. Because there will always be vulnerabilities, it is important to download Microsoft updates (patches) when prompted to do so. Patches always seem to come at the wrong time and take a long time to complete, but they are vital to helping avoid attacks caused by vulnerabilities.

Attackers also exploit misconfigurations. Misconfigurations lead to vulnerabilities and occur in different ways. A misconfiguration can happen when hardware and software are not set up correctly or default passwords in software are not changed.

Potential Damage

Once the attacker gains an entry point to the network, they have established local privileges. Local privileges give the attacker access to all the information on that computer and a path to AD. Individual users with local privileges have read-only access to AD, so the attack does not end yet. After local privileges are captured, the attacker can install malicious software, disable security applications, move across the network (lateral movement) and take other actions to access AD. 

Lateral movement is a technique used by cyber criminals to move through a network. Most of these moves are executed by taking advantage of misconfigured devices and vulnerabilities. As the attacker makes lateral moves across the system, they can attack passwords and get more privileges in a process called mining credentials. Ultimately, the attacker is mining for domain administrator rights. When domain administrator rights are compromised, the attacker is able to take over the network. Since most networks contain highly confidential information about clients, employees and the firm, an attack of this nature can cause significant damage.

Next Steps

While a network can never be completely protected, CPAs can reduce the risk of attacks on their networks by talking to their IT administrators about securing AD. Recommended actions include the following:

  • Review password policies
  • Disable idle computers
  • Ensure restricted access
  • Delete old credentials
  • Remove past versions of Windows
  • Check default configurations
  • Educate users
  • Ensure patches are up to date
  • Change default passwords
  • Evaluate privileged access
  • Back up the AD configuration regularly
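As an added example that is not part of the original article, the following read-only PowerShell audit covers several of the checklist items above (password policy, old credentials, idle computers, past Windows versions and privileged access) so a CPA and an IT administrator can review the findings together. It assumes the RSAT ActiveDirectory module is installed, that it runs as a domain user with read access, and a 90-day inactivity threshold; all three are assumptions, and the script only reports, it changes nothing.

```powershell
# Added example (not from the article): read-only Active Directory hygiene checks.
# Assumptions: RSAT ActiveDirectory module present; run as a domain user with read access.
Import-Module ActiveDirectory

# Assumed threshold: how long an account or computer may sit unused before it is flagged.
$InactiveDays = 90
$Window = [TimeSpan]::FromDays($InactiveDays)

# 1. Review password policies: the default domain policy settings that matter most.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  LockoutThreshold, ComplexityEnabled |
    Format-List

# 2. Delete old credentials: enabled user accounts with no logon inside the window
#    (candidates to disable, then remove, after the business owner confirms).
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan $Window |
    Where-Object { $_.Enabled } |
    Sort-Object LastLogonDate |
    Select-Object SamAccountName, LastLogonDate

# 3. Disable idle computers: enabled computer accounts with no logon inside the window.
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $Window |
    Where-Object { $_.Enabled } |
    Select-Object Name, LastLogonDate

# 4. Remove past versions of Windows: computers reporting an operating system that
#    is no longer supported. The pattern list is an assumption; adjust it to your fleet.
$Unsupported = 'Windows XP*', 'Windows 7*', 'Windows Server 2003*', 'Windows Server 2008*'
Get-ADComputer -Filter * -Properties OperatingSystem |
    Where-Object {
        $os = $_.OperatingSystem
        @($Unsupported | Where-Object { $os -like $_ }).Count -gt 0
    } |
    Select-Object Name, OperatingSystem

# 5. Evaluate privileged access: every account holding Domain Admins rights,
#    including members inherited through nested groups.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object SamAccountName, objectClass
```

Each section prints a list for review rather than acting on it; the decision to disable or remove anything stays with the administrator and the account's business owner.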

This article appeared in the Summer 2022 issue of New Jersey CPA magazine.