Active Directory Penetration Testing

In recent years, we have had very good experience with remote penetration tests in the area of Active Directory. Such an approach has the decisive advantage for you of eliminating any travel costs and time. All you need to do is host virtual machines (VM) – whose images we can provide you with – for our testers to carry out the penetration test. Remote access to these is also required (e.g. VPN). Experience shows that this additional effort is minimal, as both requirements are part of everyday administration in most companies. However, if you would like an on-site test, our testers will of course be happy to come to the test location of your choice.

Our testers must be able to access all systems to be tested from their test VMs (whether Limes VMs or those provided by you), unless otherwise agreed in advance. This may require additional firewall activations. In addition, at least two standard users are required in the domain who have the same rights as an average user in your company. If you are testing from VMs provided by you, we also ask that the test users on these are local administrators.

This question can hardly be answered in general terms. Usually, a very individual test focus can be derived from the combination of existing systems/technologies in your Active Directory, their criticality, your threat profile and the available time budget. We will be happy to assist you with this in advance in a separate scoping meeting. In general, however, we place a special focus on the rights assigned to users and groups, important hardening settings in AD and critical technologies such as AD CS, the AD-integrated PKI solution.

A basic distinction must be made between domains and forests. Starting from a domain that has been taken over, all other domains in the same forest can usually be taken over without much effort. There are also numerous misconfigurations across forest boundaries that enable compromise. A check of all domains/forests is therefore definitely recommended from a security perspective. However, as the number of domains/forests increases, the time budget required also increases, which is why it may be more suitable for you to divide the penetration test into several sub-areas. We will be happy to help you find the package that best suits your individual needs.

Our testers proceed as carefully as possible to avoid any disruption to day-to-day operations as far as possible. Nevertheless, brief availability problems can occur in rare cases. However, attacks with an increased risk of this are always discussed with you in advance and only carried out after your approval. We are also happy to exclude particularly sensitive systems from the test or parts of it after consultation. Thanks to these precautionary measures, there have never been any major failures during our AD penetration tests.

The answer to this question is a clear “Yes!”. In our practice, we have seen time and again that the main reason for misconfigurations and vulnerabilities is the great complexity of larger AD environments in particular. Especially when such an environment has been in place for a long time, errors creep in over time, for example temporary authorizations are not deleted, which means that certain users permanently have more rights than they should. A regular retest is therefore highly recommended, especially after conversions and major configuration changes. Existing test results also enable a test focus based on them, whereby measures already implemented to rectify the weaknesses found are checked for their effectiveness and a more in-depth test scope can be defined. For example, aspects such as cross-domain attacks (i.e. attacks across domain boundaries) can be examined in greater depth in such a test.

The patch level of the systems in your AD is a very important component in the overall security concept for an AD. You have therefore already taken a very important step! However, there are numerous legitimate functions in AD whose exploitation opens up many avenues of attack and which cannot be remedied via updates. More complex attack paths in particular, which combine the authorizations of different users, often exist despite the latest patch level. For this very reason, efforts made to date should not be undermined by overlooking such attack possibilities. Our customized penetration tests are the ideal aid for this.

Perimeter protection is undisputedly important. However, practice shows that this is repeatedly breached. Whether it’s a malware infection on an Office client or an Azure identity stolen via phishing – “Assume the Breach” is unfortunately now a reality. To make it as difficult as possible for attackers to achieve their goals, a “defense in depth” approach is a good idea. Similar to a castle with several castle walls, overcoming a single line of defense is not enough. Even if an attacker makes it into your Active Directory, he should not have a free hand there – on the contrary, the hard part should be in front of him. Perimeter protection and a high internal security level: not a contradiction, but two sides of the same coin.

Choosing the right package depends on the size and complexity of your environment, your objectives and your budget. You can use the following rule of thumb as a guide: For small to medium-sized AD environments (up to approx. 500 users and 100 servers) where a penetration test has never been carried out, an Essential Test is a good choice. For environments that are larger or have already been tested, we recommend at least an Advanced Test. Large environments, especially if several domains and forests are to be considered, benefit from a Comprehensive Test. Especially for SMEs, we offer a dedicated SME package that covers the most important configurations and most serious vulnerabilities. Are you unsure which package suits your environment? Simply write to us using our contact form.