Active Directory and Azure AD assessments

Almost all companies that use Microsoft products or services on-premises use Active Directory as their identity provider. Additionally, companies using Microsoft 365 or Azure-based services use Azure AD as an identity platform, often in a hybrid configuration with their on-premises network. Since these products are a common component in many enterprises, threat actors have focused on understanding and abusing common insecurities in Active Directory and Azure AD. During an assessment, Outsider Security investigates the state of security of the parts of the infrastructure in scope and provides actionable advice to improve the security posture. Outsider Security can scope an assessment to only Active Directory or only Azure AD, or assess both together as a complete hybrid configuration.

Active Directory assessment

An organization's Active Directory domain(s) are often many years old and contain configuration changes accumulated over that time. Since Active Directory is notoriously difficult to configure securely in every respect, Outsider Security identifies, in almost every test, issues that can be exploited from any workstation in the organization. Unfortunately, these are often the same issues that threat actors abuse. These actors include ransomware operators, who try to gain high privileges from which they can roll out their ransomware and extort the organization for data recovery.

During an Active Directory assessment, Outsider Security uses open source and private tooling to analyze the AD domains in the organization. Privileges are mapped and explored to identify whether administration is performed securely and whether resources in the network are sufficiently protected. If the Active Directory structure is more complex, for example, due to the use of multiple domains, forests, and trusts, these are mapped and taken into account in the analysis. While each test is unique and is tailored to the specific needs of the organization and its use of Active Directory, the following components are often analyzed: privilege delegation model, admin account protection and separation, least privilege configuration, group policy settings, PKI configuration (Active Directory Certificate Services), and Kerberos configuration.

An Active Directory assessment can be conducted either as a penetration test or as a review. If the assessment is performed as a review, Outsider Security will be provided with a highly privileged user so that the analysis is performed without actually exploiting any vulnerabilities or misconfigurations. If performed as a penetration test, Outsider Security will start with a low-privilege user and find vulnerabilities to escalate privileges in the domains in scope while documenting the technical findings that make this path possible. Both approaches will give insight into how attackers could abuse the identified vulnerabilities and how to remediate them.

Azure AD assessment

In a typical Azure AD configuration, an organization uses Microsoft 365 with Azure AD as the identity platform at its core. Azure AD may be integrated with the on-premises Active Directory in a hybrid setup or used as a standalone service. Since Azure AD is the identity provider for not only Microsoft 365 but also an organization's Azure Resource Manager resources and potential third-party applications, it is a vital component in the security strategy.

Outsider Security offers Azure AD assessments, during which we review the Azure AD configuration for potential weaknesses and misconfigurations. An Azure AD assessment gives insight into the risks associated with the current usage of Azure AD, and into which improvements can be made to minimize this risk. Example areas that are investigated are administrator role usage, MFA adoption and enforcement, Conditional Access configuration, application security and configuration, tenant configuration, and hardening. An Azure AD assessment can also cover Intune for device management, hybrid setups with on-premises Active Directory, and integrations with Azure Resource Manager.

An Azure AD assessment is performed as a review. Outsider Security is provided with a read-only administrator account to analyze the configuration using different in-house developed and open source tools.

Other services

Outsider Security specializes in the security of Microsoft products related to Windows, Active Directory, or Azure. However, if you are looking for a security test on a topic outside of these areas, feel free to get in touch. Throughout the years of working as a penetration tester, Outsider Security has performed many assessments in different areas, such as Red/Purple teaming, mobile and web application tests, and assessments of non-Microsoft environments.