Active Directory and Entra ID (formerly Azure AD) assessments

Almost all companies that use Microsoft products or services on-premises use Active Directory as their identity provider. Additionally, companies using Microsoft 365 or Azure-based services use Microsoft Entra as an identity platform, often in a hybrid configuration with their on-premises network. Since these products are a common component in many enterprises, threat actors have focused on understanding and abusing common insecurities in Active Directory and Entra ID. During an assessment, Outsider Security investigates the state of security of the parts of the infrastructure in scope and provides actionable advice to improve the security posture. Outsider Security can scope an assessment to only Active Directory or Entra ID, or assess it as a complete hybrid configuration.

Active Directory assessment

An organization's Active Directory domain(s) are often many years old, containing configuration changes accumulated over the years. Since Active Directory is notoriously difficult to configure fully securely, in almost every test, Outsider Security identifies issues that can be exploited from any workstation in the organization. Unfortunately, these are often the same issues that threat actors abuse. These actors include ransomware operators that try to gain high privileges from where they can roll out their ransomware and extort the organization for data recovery.

During an Active Directory assessment, Outsider Security uses open source and private tooling to analyze the AD domains in the organization. Privileges are mapped and explored to identify if administration is performed securely and if resources in the network are sufficiently protected. If the Active Directory structure is more complex, for example, due to the use of multiple domains, forests, and trusts, these are mapped and taken into account for the analysis. While each test is unique and is tailored to the specific needs of the organization and their use of Active Directory, the following components are often analyzed: privilege delegation model, admin account protection and separation, least privilege configuration, group policy settings, PKI configuration (Active Directory Certificate Services), Kerberos configuration.

An Active Directory assessment can be conducted either as a penetration test or as a review. If the assessment is performed as a review, Outsider Security will be provided with a highly privileged user so that the analysis is performed without actually exploiting any vulnerabilities or misconfigurations. If performed as a penetration test, Outsider Security will start with a low-privilege user and find vulnerabilities to escalate privileges in the domains in scope while documenting the technical findings that make this path possible. Both approaches will give insight into how attackers could abuse the identified vulnerabilities and how to remediate them.

Microsoft Entra (Azure AD) assessment

A typical Entra ID configuration consists of organizations using Microsoft 365 with Microsoft Entra ID as an identity platform at its core. Entra ID may be integrated with the on-premises Active Directory in a hybrid setup or used as a standalone service. Since Entra ID is the identity provider for not only Microsoft 365 but also an organization's Azure resources and potential third-party applications, it is a vital component in the security strategy.

Outsider Security offers Entra ID assessments, during which we will review the Entra ID configuration for potential weaknesses and misconfigurations. An Entra ID assessment gives insight into the risks associated with the current usage of Entra ID, and which improvements can be made to minimize this risk. Example areas that are investigated are Administrator roles usage, MFA adoption and enforcement, Conditional Access configuration, Application security and configuration, tenant configuration, and hardening. An Entra ID assessment can also cover Intune for device management, hybrid setups with on-premises Active Directory, and identity usage in Azure RBAC rights.

An Entra ID assessment is performed as a review. Outsider Security is provided with a read-only administrator account to analyze the configuration using different in-house developed and open source tools.

Other services

Outsider Security specializes in the security of Microsoft products related to Windows, Active Directory, or Azure. However, if you are looking for a security test on a topic outside of these areas, feel free to get in touch. Throughout the years of working as a penetration tester, Outsider Security has performed many assessments in different areas, such as Red/Purple teaming, mobile and web application tests, and assessments of non-Microsoft environments.