Active Directory, part of Windows Server since Windows 2000, is the foundation for many, many businesses. It allows firms to authenticate and authorize all users and computers in a Windows domain. Group Policy provides centralized management and configuration of operating systems, applications, and users’ settings in an Active Directory environment. It allows administrators to set many security policies and settings to enforce certain actions and preferences.
In other words, it allows firms to set standards in an organization. It also allows attackers to identify patterns in a network as well as use the Group Policy features to gain more rights. I often joke that attackers know how to better manage and maintain our networks than we do ourselves.
I recently interviewed Darren Mar-Elia, vice president at Semperis, whom I’ve known for many years as the guru of Group Policy. Initially, his focus was ensuring that IT professionals used and understood the power of Active Directory (AD) and Group Policy. Over time he’s realized that attackers have come to understand the power of Group Policy and are silently gaining more rights in the network.
We assume that attackers launch a phishing attack and immediately take control of a network. Often, they lie in wait and investigate the network, taking the time to understand the organizational structure and relationships before they launch attacks. Attackers also target administrators and those with control over key assets. The public attack on Twitter is evidence of attackers targeting administrators and roles that had control over certain tasks. They then ensured that they were able to take over those duties and functions.