International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 9, Issue 10, October 2019)
Security Issues Associated with Deployment of Active Directory in Cloud Infrastructure
Yash Bharadwaj, Satyam Dubey
Department of Computer Science & Engineering, Lakshmi Narain College of Technology, Bhopal, Madhya Pradesh, India
Abstract-- This paper sheds light on the security issues associated with Active Directory deployment in a cloud environment. Enterprises already manage their resources with Active Directory, and it is now also being merged with cloud technology to provide on-demand, real-time solutions to users. Before the latest technologies are introduced and integrated, however, their security aspect must also be examined. Active Directory is used to manage a large pool of users and resources of an organisation. It uses a centralised architecture to manage those resources: entities are treated as objects that store information and make it readily available to users and administrators. Active Directory has many benefits, including but not limited to scalability, maintaining and accessing the Global Catalog, systematic synchronization, remote administration of computers in the domain and the Lightweight Directory Access Protocol (LDAP). The main focus is on understanding cloud security together with the inner workings and weaknesses of an Active Directory environment.
Keywords-- Cloud Security, Active Directory, Kerberos, Lightweight Directory Access Protocol.
I. INTRODUCTION
Figure source: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780036(v=ws.10)
Objects in AD are entities such as a user, a group or any resource that can be accessed by a privileged user such as an Administrator. Objects are classified as containers and non-containers. A container can hold other objects within itself, whereas a non-container acts as a leaf node in the hierarchical structure.
II. SECURITY ISSUES IN CLOUD INFRASTRUCTURE
Customers trust cloud vendors with their most sensitive data in return for on-demand solutions. Cloud service vendors such as Amazon and Microsoft Azure also face serious security issues that allow advanced attackers to gain an initial foothold in the cloud environment. Amazon AWS in particular, which provides its services as products to customers, has several serious security issues that can motivate an attacker to enter the cloud environment.
Improper ACL configuration when hosting websites in Amazon AWS S3 buckets can publicly expose sensitive data such as allowed entries and restricted pages. Attackers can then read data from the bucket listings, and a misconfiguration can also grant read and write access to the bucket. One can imagine the risk level when a company's resource-management capabilities are delegated to a cloud service provider. Some of the cloud-related issues specific to AWS are discussed below:
● Globally accessible resources in AWS S3 buckets.
● Taking over Identity and Access Management [IAM] roles through RCE or SSRF in an EC2 instance.
● Compromised token keys leaked to open-source platforms such as GitHub.
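To make the S3 exposure above concrete, the following Python example (added here; it is not code from the paper) evaluates a bucket ACL and a bucket policy in the JSON shapes returned by the S3 GetBucketAcl and GetBucketPolicy APIs, and reports the grants that make listing, reading or writing available to everyone. The sample ACL and the two policies are constructed; the bucket name, account id and role name in the hardened policy are placeholders.

```python
import json

# Group URIs that S3 uses for "everyone" and "any AWS account" in ACL grants.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (grantee, permission) pairs in an ACL that apply to everyone.

    `acl` has the shape of a GetBucketAcl response. On a bucket ACL, READ allows
    listing the bucket and WRITE allows creating and deleting objects.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((PUBLIC_GRANTEE_URIS[grantee["URI"]], grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    # A bucket policy reaches anonymous callers when Principal is "*" or {"AWS": "*"}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_actions(policy_json):
    """Return the S3 actions that unconditional Allow statements grant to anonymous callers."""
    policy = json.loads(policy_json)
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # access narrowed by a condition (e.g. a source VPC) needs a separate review
        stmt_actions = stmt["Action"]
        actions.extend([stmt_actions] if isinstance(stmt_actions, str) else stmt_actions)
    return sorted(set(actions))


# Constructed sample inputs (not real buckets or accounts).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::example-site-bucket", "arn:aws:s3:::example-site-bucket/*"],
    }],
})

# Hardened form: only the web-server role may read objects; no listing and no writes.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/web-server-role"},  # placeholder
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-site-bucket/*",
    }],
})

if __name__ == "__main__":
    print("ACL grants to everyone:", public_acl_grants(SAMPLE_ACL))
    print("Policy actions open to everyone:", public_policy_actions(EXPOSED_POLICY))
    print("Hardened policy open actions:", public_policy_actions(HARDENED_POLICY))
```

The ACL check covers the legacy grant mechanism and the policy check covers the resource-policy mechanism; a bucket is only safe when both come back empty, and S3 Block Public Access at the account level is the control that keeps either from drifting back.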
Figure: Accessing Websites hosted in S3 bucket
Attackers now regard AWS as a moving target in terms of the privileges available for resource management. According to the official documentation [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html], there are 5985 AWS resource privileges, of which 2505 allow no condition restrictions at all; exposing these across the various entities of the environment can lead to compromise of the enterprise infrastructure. EC2 is one of the worst services in this respect, with 259 of its 338 privileges unable to be restricted beyond granting access. For example, the permission 'ModifyInstanceAttribute' can be used to backdoor existing EC2 instances [https://threadreaderapp.com/thread/1065600704134475776.html]. However, the cloud instance needs to be stopped before the user-data attribute is set via the 'ModifyInstanceAttribute' API, and once it is configured to
Figure: Initial Access on EC2 instance via Cloud-Init
AWS Identity and Access Management [IAM] controls access to cloud resources and services by precisely defining permissions for the users and groups that have access to the environment. It governs access to resources such as storage, computing, database and application services, which are valuable assets for any enterprise. Using IAM, an administrator can apply a set of policies to manage and define permissions on entities such as users and groups, for example allowing access to a particular service or permitting actions on an instance. With more than 5985 AWS resource privileges, the administrator needs to be well versed in the privileges applied to the various assets, since a small misconfiguration in an ACL policy can compromise the whole cloud environment and expose valuable company assets.
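The privilege discussion above ('ModifyInstanceAttribute' and the 5985 resource privileges) and this paragraph on IAM policy misconfiguration both come down to one review question: which Allow statements grant a sensitive action on every resource with no condition? The following Python linter is an added example, not code from the paper or from AWS. Its watch-list of sensitive actions is a constructed choice drawn from the actions this section discusses, the two sample policies are constructed, and the account id and instance id in the hardened policy are placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed watch-list for this example (not an AWS-provided list): the attribute-modification
# action the text singles out, plus instance launch, which a leaked key is typically used for.
SENSITIVE_ACTIONS = ("ec2:ModifyInstanceAttribute", "ec2:RunInstances")


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Statement.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_granted(action, patterns):
    # IAM action matching is case-insensitive and accepts '*' wildcards such as "ec2:*" or "ec2:Modify*".
    return any(fnmatchcase(action.lower(), pattern.lower()) for pattern in patterns)


def lint_iam_policy(policy_json):
    """Return one finding per Allow statement that grants a sensitive action too broadly."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        granted = [a for a in SENSITIVE_ACTIONS if _action_granted(a, _as_list(stmt.get("Action")))]
        if not granted:
            continue
        problems = []
        if "*" in _as_list(stmt.get("Resource")):
            problems.append("Resource is '*'")
        if not stmt.get("Condition"):
            problems.append("no Condition")
        if problems:
            findings.append({"statement": index, "actions": granted, "problems": problems})
    return findings


# Constructed sample: the kind of policy that lets one misconfiguration expose the whole account.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
})

# Hardened form: the sensitive action is named explicitly, scoped to one instance ARN and
# gated on MFA; read-only enumeration stays on '*' because it is not on the watch-list.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:ModifyInstanceAttribute",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",  # placeholder
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print("Over-broad policy:", lint_iam_policy(OVERBROAD_POLICY))
    print("Hardened policy:", lint_iam_policy(HARDENED_POLICY))
```

The MFA condition key is a global one and applies to every action; whether a given EC2 action honours a resource ARN is exactly the per-action question the documentation linked above answers, so the Resource check here is only meaningful for actions that support resource-level permissions.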
Credentials leaked to an open-source platform such as GitHub can be used to access the AWS account. The account can then be used to start EC2 instances in various regions to perform arbitrary tasks. It is therefore important to store access tokens securely when such valuable customer data is at stake. Common misconfigurations can be identified and removed simply by following best security practices, such as disabling root API access keys and secret keys. Another is running automated security checks against each section of the environment.
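One of the automated checks this paragraph calls for is a scan of files before they reach a public repository. The following Python scanner is an added example (not from the paper) that finds AWS access key IDs by their fixed prefix and length, and secret keys only when they sit next to the variable name the AWS tooling uses, then redacts what it reports so the scanner output does not leak the key a second time. The sample file is constructed; its key values are the placeholder credentials AWS uses in its own documentation, not live keys.

```python
import re

# Access key IDs are 'AKIA' (long-term) or 'ASIA' (temporary) plus 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 characters and look like any other base64 text, so they are only flagged
# when they follow the variable name used by the AWS CLI and SDKs (assignment syntax varies).
SECRET_KEY_RE = re.compile(r"(?i)aws_secret_access_key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def redact(secret):
    """Keep just enough of the value to locate it in the file without repeating the secret."""
    return secret[:4] + "..." + secret[-4:]


def scan_for_aws_credentials(text):
    """Return (line_no, kind, redacted_value) for every credential-looking token in `text`."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((line_no, "access_key_id", redact(match.group(0))))
        for match in SECRET_KEY_RE.finditer(line):
            hits.append((line_no, "secret_access_key", redact(match.group(1))))
    return hits


def is_safe_to_commit(text):
    """Gate for a pre-commit hook: True only when no credential-looking token is present."""
    return not scan_for_aws_credentials(text)


# Constructed sample: a deployment script a developer might push by mistake.
# The key values are AWS's documented example credentials, not real ones.
SAMPLE_SCRIPT = """\
# deploy.sh (constructed sample)
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
region=us-east-1
bucket=my-akia-bucket
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_for_aws_credentials(SAMPLE_SCRIPT):
        print(f"line {line_no}: {kind} {value}")
    print("safe to commit:", is_safe_to_commit(SAMPLE_SCRIPT))
```

A scanner like this belongs in the pre-commit hook and the CI pipeline, not only in an after-the-fact audit: once a key has been pushed, rotation is the only remedy, which is why the table that follows lists key rotation as a practice in its own right.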
Table 1: Factors and their description
1) MFA for privileged users: Multi-Factor Authentication must be enabled for the root AWS account.
2) Limited access to database ports: the following TCP ports (but not limited to) should be given limited access to users:
 ● 1433 [MSSQL Server]
 ● 1434 [MSSQL Monitor]
 ● 3306 [MySQL]
 ● 1521 [Oracle]
 ● 5432 [PostgreSQL]
3) Securely configuring IAM: Identity and Access Management [IAM] must be properly configured to ensure proper access control of AWS resources.
4) Limited access to common ports: the following ports must be properly monitored:
 ● 23 [Telnet]
 ● 21 [FTP]
 ● 22 [SSH]
 ● 3389 [Remote Desktop Protocol]
 ● 5500 [VNC]
5) Rotating tokens: rotate the access keys of resources.
6) Protecting sensitive files: ".pem" files on user machines must be password protected.
7) Following standard methodologies: methodologies from standards bodies such as the National Institute of Standards and Technology [NIST] and the International Organization for Standardization [ISO] must be followed.
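Items 2 and 4 of Table 1 translate directly into an automated check over security group rules. The following Python audit is an added example (not from the paper) that takes a security group in the JSON shape of a DescribeSecurityGroups response and reports every port from the table that the group opens to the whole internet (0.0.0.0/0 or ::/0). The two sample groups are constructed, as is the group id.

```python
from ipaddress import ip_network

# Port lists taken from Table 1.
DATABASE_PORTS = {1433: "MSSQL Server", 1434: "MSSQL Monitor", 3306: "MySQL",
                  1521: "Oracle", 5432: "PostgreSQL"}
ADMIN_PORTS = {23: "Telnet", 21: "FTP", 22: "SSH", 3389: "Remote Desktop Protocol", 5500: "VNC"}
WATCHED_PORTS = {**DATABASE_PORTS, **ADMIN_PORTS}


def is_world_reachable(cidr):
    """True for 0.0.0.0/0 and ::/0 (any zero-length prefix); False for malformed input."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _port_range(permission):
    # An IpProtocol of "-1" means all traffic and carries no FromPort/ToPort.
    if permission.get("IpProtocol") == "-1":
        return 0, 65535
    return permission.get("FromPort", 0), permission.get("ToPort", 65535)


def audit_security_group(group):
    """Return (port, service, sources) for each watched port the group opens to everyone.

    `group` has the shape of one entry in a DescribeSecurityGroups response.
    """
    findings = []
    for permission in group.get("IpPermissions", []):
        if permission.get("IpProtocol") not in ("tcp", "udp", "-1"):
            continue  # ICMP and other protocols carry no TCP/UDP port to compare
        sources = [r["CidrIp"] for r in permission.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
        world = [s for s in sources if is_world_reachable(s)]
        if not world:
            continue
        low, high = _port_range(permission)
        for port, service in WATCHED_PORTS.items():
            if low <= port <= high:
                findings.append((port, service, world))
    return sorted(findings, key=lambda finding: finding[0])


def _rule(protocol, low, high, v4=(), v6=()):
    # Small constructor for sample rules in the DescribeSecurityGroups layout.
    return {"IpProtocol": protocol, "FromPort": low, "ToPort": high,
            "IpRanges": [{"CidrIp": c} for c in v4], "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}


# Constructed sample: a database-tier group with two world-open database rules.
EXPOSED_GROUP = {
    "GroupId": "sg-0example",  # placeholder id
    "IpPermissions": [
        _rule("tcp", 22, 22, v4=["203.0.113.0/24"]),          # SSH from a bastion range: fine
        _rule("tcp", 3306, 3306, v4=["0.0.0.0/0"]),           # MySQL open to the internet
        _rule("tcp", 1433, 1434, v6=["::/0"]),                # MSSQL range open over IPv6
        _rule("tcp", 443, 443, v4=["0.0.0.0/0"]),             # HTTPS: not a watched port
    ],
}

# Same group with the database rules limited to the application subnet.
HARDENED_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        _rule("tcp", 22, 22, v4=["203.0.113.0/24"]),
        _rule("tcp", 3306, 3306, v4=["10.0.1.0/24"]),
        _rule("tcp", 1433, 1434, v4=["10.0.1.0/24"]),
        _rule("tcp", 443, 443, v4=["0.0.0.0/0"]),
    ],
}

if __name__ == "__main__":
    for port, service, sources in audit_security_group(EXPOSED_GROUP):
        print(f"{EXPOSED_GROUP['GroupId']}: {service} ({port}) open to {sources}")
    print("hardened group findings:", audit_security_group(HARDENED_GROUP))
```

Treating "-1" as the full port range matters in practice: an "all traffic from anywhere" rule exposes every port in the table at once, and a checker that only looked at FromPort would miss it.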
III. ACTIVE DIRECTORY ATTACKS
If any of the misconfigurations covered by the best practices above is present, an attacker can access the resources. As enterprises now deploy their AD environment in the cloud, the attacker can then reach Active Directory resources as well. Access to a domain-joined machine is a valuable asset for an attacker in the environment. Various exploitation methodologies exist for reaching the valuable information stored in the Domain Controller, depending on the enterprise architecture. We discuss some of the attacks in an AD environment, for example:
1) Using PowerView¹ and the Microsoft AD module² for enumerating the environment.
2) Finding misconfigurations in the environment.
3) Identifying privileged user and group accounts.
4) Escalating privileges.
5) Moving laterally in the environment.
6) Compromising the Domain Controller.
7) Cross-domain exploitation.
8) Cross-forest exploitation.
The methods above can be used to take over an enterprise through a single loophole in the cloud infrastructure. The need for on-demand, scalable solutions does not end here, however; the corresponding security solutions must also be given attention. It is still better to deploy resources in the cloud rather than physically on the premises, as on-premises deployment does not satisfy the scalability and on-demand requirements. Built-in utilities are now one of the main exploitation resources for attackers, because they are legitimate and not detected by many anti-virus solutions. Such attacks can be classified as fileless attacks, since the built-in utilities are used to weaponize the attacker's methodology.
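Because the tooling in step 1 runs inside the built-in PowerShell host, the detection opportunity the paragraph above points to is PowerShell script block logging rather than file scanning. The following Python example is added here (it is not from the paper) and runs a small detection over constructed script block events in the layout of the Microsoft-Windows-PowerShell/Operational log (event ID 4104 carries the ScriptBlockText field). The watch-list of PowerView function names is an assumption made for the example; the host names, user names and script text are constructed.

```python
import re

# Assumed watch-list of function names from the PowerView toolkit named in this section.
# Extend it from the toolkit's own function list; this example keeps it short on purpose.
POWERVIEW_FUNCTIONS = (
    "Get-NetUser", "Get-NetGroup", "Get-NetComputer", "Get-DomainUser",
    "Invoke-UserHunter", "Find-LocalAdminAccess",
)
SCRIPT_BLOCK_EVENT_ID = 4104  # PowerShell script block logging


def matched_functions(script_text):
    """Return the watch-listed function names that appear as whole words in a script block."""
    found = []
    for name in POWERVIEW_FUNCTIONS:
        if re.search(r"\b" + re.escape(name) + r"\b", script_text, re.IGNORECASE):
            found.append(name)
    return sorted(found)


def detect_ad_enumeration(events):
    """Return one alert per script block event that invokes a watch-listed function.

    Each event is a dict with EventID, Computer, UserId and ScriptBlockText, as exported
    from the PowerShell operational log. Other event IDs are ignored so that pipeline
    events (which repeat the same text) do not produce duplicate alerts.
    """
    alerts = []
    for event in events:
        if event.get("EventID") != SCRIPT_BLOCK_EVENT_ID:
            continue
        functions = matched_functions(event.get("ScriptBlockText", ""))
        if functions:
            alerts.append({"computer": event.get("Computer"),
                           "user": event.get("UserId"),
                           "functions": functions})
    return alerts


# Constructed sample events (not from a real log).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01.corp.example", "UserId": "CORP\\jdoe",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"EventID": 4104, "Computer": "WS01.corp.example", "UserId": "CORP\\jdoe",
     "ScriptBlockText": "Import-Module .\\PowerView.ps1; Get-NetUser -SPN | Select-Object samaccountname"},
    {"EventID": 4103, "Computer": "WS01.corp.example", "UserId": "CORP\\jdoe",
     "ScriptBlockText": "Get-NetGroup"},  # pipeline event, not a script block: skipped
    {"EventID": 4104, "Computer": "SRV02.corp.example", "UserId": "CORP\\svc_backup",
     "ScriptBlockText": "Invoke-UserHunter -CheckAccess"},
]

if __name__ == "__main__":
    for alert in detect_ad_enumeration(SAMPLE_EVENTS):
        print(f"{alert['computer']} {alert['user']}: {', '.join(alert['functions'])}")
```

Name matching is the simplest tier of this detection and is easy to evade by renaming functions, so in production it is paired with the behavioural signal the paragraph describes: a workstation account issuing the volume of LDAP queries that enumeration generates.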
IV. CONCLUSION AND FUTURE DIRECTIONS
In this paper, we have focused on security issues in the cloud environment and the aftermath of deploying AD in an insecure cloud infrastructure. Failing to follow best security practices will lead not only to full compromise of the enterprise but to compromise of the individual identities of its clients as well. A proposed attacker path after the first boundary is compromised has also been discussed in this paper.
The authors aim to provide further best security practices for securing the cloud and Active Directory environments and to keep up to date with the latest methodologies used by advanced attackers to exploit the environment.
REFERENCES
[1] Cloud security: https://aws.amazon.com/security/introduction-to-cloud-security/
[2] AWS Security: https://www.blackalps.ch/ba-18/files/talks/BlackAlps18-Scott_Piper.pdf
[3] AD Resources: https://adsecurity.org/?page_id=41
[4] Active Directory Attack and Defense: https://adsecurity.org/?page_id=4031
[5] PowerShell Based AD attacks: https://adsecurity.org/?cat=7
[6] AWS EC2 instance: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html
[7] AWS Exploitation Framework: https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/
¹ "PowerTools/PowerView at master · PowerShellEmpire/PowerTools ...." https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView. Accessed 26 Aug. 2019.
² "ActiveDirectory - Microsoft Docs."