Why the Microsoft Active Directory is Vulnerable to Attack

A critical design flaw has been uncovered in Microsoft’s Active Directory. Microsoft insists that any issues with Active Directory have long been known and that it is in the process of repairing any flaws. However, in a recent phone interview, Tal Be’ery, vice president of research at Aorato, said that, “The dire consequences we are discussing – that an attacker can change the password – was definitely not known.”

Microsoft’s Active Directory is a widely used service. Some of its functions include:

  • Authenticating and authorizing all users and computers in a Windows domain network
  • Assigning and enforcing security policies for all computers, and installing or updating software
  • Checking submitted passwords and determining whether the user is a system administrator or a normal user

So, what’s all the commotion about? Recently, the Israeli security firm Aorato reported a major flaw that allows attackers to change passwords in Active Directory. The company’s research focuses on an authentication protocol called NTLM that Microsoft has used for years.

NTLM is a suite of Microsoft security protocols that provides its users with:

  • Authentication
  • Integrity
  • Confidentiality

However, NTLM is known to be vulnerable to an attack called “Pass-the-Hash”, which can be performed against any server that accepts NTLM authentication. An attacker who obtains a user’s stored credential hash can authenticate as that user to other services or computers without ever learning the password. Windows is not the only system at risk; any single sign-on (SSO) system that relies on the same mechanism is also affected. A simple way to avoid this is to disable SSO, but doing so forces users on the network to put up with tediously re-entering their passwords.

Microsoft has attempted to patch the vulnerabilities, but Be’ery worries that these patches will degrade functionality and thinks Microsoft is not doing enough to protect the security of its users.

To learn more about the vulnerabilities and design flaws of Active Directory, contact us. You can reach us by phone or send us an email.