Update Avenues-to-Compromise.md #7985
Open: wants to merge 1 commit into base: main
Expand Up @@ -40,14 +40,14 @@ This section of this document focuses on describing the mechanisms that attacker
## Initial Breach Targets
Nobody intentionally builds an IT infrastructure that exposes the organization to compromise. When an Active Directory forest is first constructed, it's usually pristine and current. As years pass and new operating systems and applications are acquired, they're added to the forest. As the manageability benefits that Active Directory provides are recognized, more and more content is added to the directory, more people integrate their computers or applications with AD DS, and domains are upgraded to support new functionality offered by the most current versions of the Windows operating system. What also happens over time, however, is that even as a new infrastructure is being added, other parts of the infrastructure might not be maintained as well as they initially were, systems and applications are functioning properly and therefore aren't receiving attention, and organizations begin to forget that they haven't eliminated their legacy infrastructure. Based on what we see in assessing compromised infrastructures, the older, larger, and more complex the environment, the more likely it is that there are numerous instances of commonly exploited vulnerabilities.

Regardless of the motivation of the attacker, most information security breaches start with the compromise of one or two systems at a time. These initial events, or entry points into the network, often leverage vulnerabilities that could have been fixed, but weren't. The [2012 Data Breach Investigations Report (DBIR)](http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf), which is an annual study produced by the Verizon RISK Team in cooperation with a number of national security agencies and other companies, states that 96 percent of attacks were "not highly difficult," and that "97 percent of breaches were avoidable through simple or intermediate controls." These findings may be a direct consequence of the commonly exploited vulnerabilities that follow.
Regardless of the motivation of the attacker, most information security breaches start with the compromise of one or two systems at a time. These initial events, or entry points into the network, often leverage vulnerabilities that could have been fixed, but weren't. The [2012 Data Breach Investigations Report (DBIR)](https://www.verizon.com/business/resources/reports/dbir/), which is an annual study produced by the Verizon RISK Team in cooperation with a number of national security agencies and other companies, states that 96 percent of attacks were "not highly difficult," and that "97 percent of breaches were avoidable through simple or intermediate controls." These findings may be a direct consequence of the commonly exploited vulnerabilities that follow.

### Gaps in Antivirus and Antimalware Deployments
*Law Number Eight: An out-of-date malware scanner is only marginally better than no scanner at all.* - [Ten Immutable Laws of Security (Version 2.0)](https://www.microsoft.com/en-us/msrc?rtc=1)
*Law Number Eight: An out-of-date malware scanner is only marginally better than no scanner at all.* - [Ten Immutable Laws of Security (Version 2.0)](https://learn.microsoft.com/en-us/security/zero-trust/ten-laws-of-security#immutable-laws-of-security-v2)

Analysis of organizations' antivirus and antimalware deployments often reveals an environment in which most workstations are configured with antivirus and antimalware software that is enabled and current. Exceptions are usually workstations that connect infrequently to the corporate environment or employee devices for which antivirus and antimalware software can be difficult to deploy, configure, and update.

Server populations, however, tend to be less consistently protected in many compromised environments. As reported in the [2012 Data Breach Investigations](http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf), 94 percent of all data compromises involved servers, which represents an 18 percent increase over the previous year, and 69 percent of attacks incorporated malware. In server populations, it isn't uncommon to find that antivirus and antimalware installations are inconsistently configured, outdated, misconfigured, or even disabled. In some cases, the antivirus and antimalware software is disabled by administrative staff, but in other cases, attackers disable the software after compromising a server via other vulnerabilities. When the antivirus and antimalware software is disabled, the attackers then plant malware on the server and focus on propagating compromise across the server population.
Server populations, however, tend to be less consistently protected in many compromised environments. As reported in the [2012 Data Breach Investigations](https://www.verizon.com/business/resources/reports/dbir/), 94 percent of all data compromises involved servers, which represents an 18 percent increase over the previous year, and 69 percent of attacks incorporated malware. In server populations, it isn't uncommon to find that antivirus and antimalware installations are inconsistently configured, outdated, misconfigured, or even disabled. In some cases, the antivirus and antimalware software is disabled by administrative staff, but in other cases, attackers disable the software after compromising a server via other vulnerabilities. When the antivirus and antimalware software is disabled, the attackers then plant malware on the server and focus on propagating compromise across the server population.

It's important not only to ensure that your systems are protected with current, comprehensive malware protection, but also to monitor systems for disabling or removal of antivirus and antimalware software and to automatically restart protection when it's manually disabled. Although no antivirus and antimalware software can guarantee prevention and detection of all infections, a properly configured and deployed antivirus and antimalware implementation can reduce the likelihood of infection.

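Review bot: the replacement DBIR URL in this hunk (used twice, in the "Regardless of the motivation" paragraph and again under "Gaps in Antivirus and Antimalware Deployments") points at Verizon's general DBIR landing page, while the surrounding text still quotes figures from the 2012 edition (96 percent "not highly difficult", 97 percent avoidable, 94 percent of compromises involving servers, 69 percent incorporating malware). A reader following the new link lands on the current year's report and will not find those numbers, so either link to an archived copy of the 2012 report or change the link text so it reads as a pointer to the DBIR series rather than to the 2012 study. The Ten Immutable Laws change in the same hunk looks right, since the old msrc?rtc=1 URL was only the MSRC home page and the learn.microsoft.com page is where that content now lives.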
Expand Down Expand Up @@ -93,7 +93,7 @@ When we extract the Internet Explorer configuration settings on domain controlle
Domain controllers should be treated as critical infrastructure components, secured more stringently and configured more rigidly than file, print, and application servers. Domain controllers shouldn't run any software that isn't required for the domain controller to function or doesn't protect the domain controller against attacks. Domain controllers shouldn't be permitted to access the Internet, and security settings should be configured and enforced by Group Policy Objects (GPOs). Detailed recommendations for the secure installation, configuration, and management of domain controllers are provided in [Securing Domain Controllers Against Attack](./Securing-Domain-Controllers-Against-Attack.md).

#### Within the Operating System
*Law Number Two: If a bad guy can alter the operating system on your computer, it's not your computer anymore.* - [Ten Immutable Laws of Security (Version 2.0)](https://www.microsoft.com/en-us/msrc?rtc=1)
*Law Number Two: If a bad guy can alter the operating system on your computer, it's not your computer anymore.* - [Ten Immutable Laws of Security (Version 2.0)](https://learn.microsoft.com/en-us/security/zero-trust/ten-laws-of-security#immutable-laws-of-security-v2)

Although some organizations create baseline configurations for servers of different types and allow limited customization of the operating system after it's installed, analysis of compromised environments often uncovers large numbers of servers deployed in an ad hoc fashion, and configured manually and independently. Configurations between two servers performing the same function may be completely different, where neither server is configured securely. Conversely, server configuration baselines may be consistently enforced, but also consistently misconfigured; that is, servers are configured in a manner that creates the same vulnerability on all servers of a given type. Misconfiguration includes practices such as disabling of security features, granting excessive rights and permissions to accounts (particularly service accounts), use of identical local credentials across systems, and permitting installation of unauthorized applications and utilities that create vulnerabilities of their own.

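Review bot: the Ten Immutable Laws citation in this hunk is the second of three places in the PR that switch to the same learn.microsoft.com URL with the same #immutable-laws-of-security-v2 fragment; consider defining that URL once as a reference-style link so a future move of the page needs a single edit rather than three. It is also worth confirming that the fragment actually resolves, because anchors on learn.microsoft.com are derived from heading text and can change when the target page's headings are edited, which would silently drop the reader at the top of the page.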
Expand Down Expand Up @@ -123,7 +123,7 @@ As long as another computer has a local account with the same user name and pass
> Some organizations have intentionally configured local Administrator accounts to be enabled in the belief that this provides a "failsafe" in case all other privileged accounts are locked out of a system. However, even if the local Administrator account is disabled and there are no other accounts available that can enable the account or log on to the system with Administrator privileges, the system can be booted into safe mode and the built-in local Administrator account can be re-enabled, as described in [Microsoft Support article 814777](https://support.microsoft.com/kb/814777). Additionally, if the system still successfully applies GPOs, a GPO can be modified to (temporarily) re-enable the Administrator account, or Restricted Groups can be configured to add a domain-based account to the local Administrators group. Repairs can be performed and the Administrator account can again be disabled. To effectively prevent a lateral compromise that uses built-in local Administrator account credentials, unique user names and passwords must be configured for local Administrator accounts. To deploy unique passwords for local Administrator accounts via a GPO, see [Solution for management of built-in Administrator account's password via GPO](/previous-versions/mt227395(v=msdn.10)) on technet.  

##### Permitting Installation of Unauthorized Applications
*Law Number One: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.* - [Ten Immutable Laws of Security (Version 2.0)](https://www.microsoft.com/en-us/msrc?rtc=1)
*Law Number One: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.* - [Ten Immutable Laws of Security (Version 2.0)](https://learn.microsoft.com/en-us/security/zero-trust/ten-laws-of-security#immutable-laws-of-security-v2)

Whether an organization deploys consistent baseline settings across servers, the installation of applications that aren't part of a server's defined role shouldn't be permitted. By allowing software to be installed that isn't part of a server's designated functionality, servers are exposed to inadvertent or malicious installation of software that increases the server's attack surface, introduces application vulnerabilities, or causes system instability.

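Review bot: this hunk updates only the Ten Immutable Laws citation and leaves two older references in the unchanged context as they were: the Microsoft Support article 814777 link (support.microsoft.com/kb/814777) and the relative `/previous-versions/mt227395(v=msdn.10)` link that the sentence still describes as being "on technet". Since the stated purpose of the PR is refreshing stale links, check whether those two still resolve, and if the GPO password-management article has moved, update the link and drop the "on technet" wording so the prose matches the new location.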