How to Avoid a Catastrophic Active Directory Breach


A 2017 study by the University of Maryland’s Clark School of Engineering found that, on average, there’s a hacker attack on Internet-connected computers every 39 seconds. Many of these are brute-force attacks that attempt to gain access using common, weak credentials. If one of these attacks were to breach a corporate user’s machine, the hacker could potentially gain higher-level credentials and access sensitive systems and data.

Imagine what might happen if your Active Directory service were breached.

More than 90 percent of organizations use Active Directory as their primary vehicle for user authentication and access control. On top of that, organizations that have adopted Microsoft Office leverage Azure Active Directory for authentication. Many organizations integrate the two services to provide a common user authentication and authorization mechanism for all resources, on-premises and in the cloud.

In other words, Active Directory holds the keys to the kingdom. If a hacker were to gain access, the potential fallout would extend to virtually every on-premises system, as well as cloud-based applications and data. What’s more, an attacker who gets inside Active Directory can remain undetected for months with virtually unlimited power. The attacker will likely know if the breach is detected and can cripple the organization by collapsing the Active Directory domain or forest.

There are no statistics on successful Active Directory attacks. However, a 2017 report found that many organizations failed to adequately protect Active Directory. More than half allowed administrators to use a common account to access Microsoft domain-level resources, including Active Directory, and fewer than 25 percent of organizations had implemented multifactor authentication for administrator accounts. Very few organizations followed best practices by severely limiting the systems that are permitted to change Active Directory configurations.

A Microsoft assessment of organizations that suffered a catastrophic breach found that, in nearly every environment, both local and domain accounts had been granted excess privileges. Hackers exploited gaps in Active Directory administration to escalate privileges to fully compromise the Active Directory forest. They didn’t need to start with admin credentials because most hackers can leverage low-level credentials to gain administrator access in fewer than 72 hours.

Securing Active Directory isn’t easy, but it starts with privileged account management best practices. As a first step, Microsoft recommends implementing a least-privilege access policy. This includes the privileges granted to applications that have access to Active Directory and other domain-level services.

Organizations should also implement and enforce robust password policies and take steps to protect administrator-level credentials from theft and misuse. Privileged access should be continually monitored and logged to detect and alert on potentially malicious activity.
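The monitoring the two paragraphs above call for, shown as an added example that is not part of this post or of any CyberArk product: a small Python detector run over constructed, simplified security-event lines (Windows event IDs 4672 for a privileged logon and 4728/4732/4756 for security-group membership changes). It flags privileged logons from hosts outside an assumed admin-workstation list and privileged-group changes made by, or granted to, accounts outside an assumed approved-administrator list. The key=value event format, host names and account names are all constructed for this example.

```python
import re
from collections import namedtuple

# Constructed sample events in a simplified key=value export format (not real Windows logs).
SAMPLE_EVENTS = """\
EventID=4672 Subject=CORP\\alice.admin Workstation=PAW01
EventID=4672 Subject=CORP\\bob Workstation=WS-SALES-07
EventID=4728 Subject=CORP\\alice.admin Group=Domain Admins Member=CORP\\svc-backup
EventID=4728 Subject=CORP\\bob Group=Domain Admins Member=CORP\\bob
EventID=4728 Subject=CORP\\alice.admin Group=Marketing Member=CORP\\carol
EventID=4756 Subject=CORP\\mallory Group=Enterprise Admins Member=CORP\\mallory
"""

# Policy inputs (assumed for this example): who may administer AD, and from which hosts.
APPROVED_ADMINS = {"CORP\\alice.admin"}
APPROVED_ADMIN_HOSTS = {"PAW01"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_CHANGE_IDS = {"4728", "4732", "4756"}  # global / local / universal security group member added

Alert = namedtuple("Alert", "rule subject detail")

def parse_event(line):
    # Values such as "Domain Admins" contain spaces, so each value runs until the next " Key=".
    return {m.group(1): m.group(2)
            for m in re.finditer(r'(\w+)=(.*?)(?= \w+=|$)', line.strip())}

def detect(events_text):
    alerts = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        eid, subject = ev.get("EventID"), ev.get("Subject")
        # Rule 1: privileged logon (4672) from a host that is not a designated admin workstation.
        if eid == "4672" and ev.get("Workstation") not in APPROVED_ADMIN_HOSTS:
            alerts.append(Alert("privileged-logon-from-unapproved-host", subject, ev.get("Workstation")))
        # Rule 2: membership change to a privileged group by a non-approved actor, or granted to self.
        if eid in GROUP_CHANGE_IDS and ev.get("Group") in PRIVILEGED_GROUPS:
            if subject not in APPROVED_ADMINS:
                alerts.append(Alert("privileged-group-change-by-unapproved-actor", subject, ev.get("Group")))
            if ev.get("Member") == subject:
                alerts.append(Alert("self-grant-to-privileged-group", subject, ev.get("Group")))
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT {a.rule}: subject={a.subject} detail={a.detail}")
```

Against the sample, the approved administrator working from the approved host raises nothing, while the two unapproved accounts that add themselves to Domain Admins and Enterprise Admins each trigger both rules.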

The CyberArk Core Privileged Access Security platform can boost the security of your privileged accounts, including administrator credentials for Active Directory infrastructure. The Enterprise Password Vault secures passwords and other secrets while Privileged Session Manager enables real-time monitoring and risk-based review of privileged sessions. CyberArk Privileged Threat Analytics enables you to analyze network traffic to better detect indications of an attack early in its life cycle, including credential theft, lateral movement, and privilege escalation.

Active Directory’s importance means it’s a tempting target for hackers. Clango’s CyberArk Certified Delivery Engineers can help you reduce the risk of a potentially catastrophic Active Directory breach.


For more information about Active Directory breaches and CyberArk’s Core Privileged Access platform, please send us an email at (
