The Active Directory ‘break glass’ account, the built-in domain ‘Administrator’ (effectively the root account of the domain), is often used to run services on member servers. Why? Because the account has every permission in the domain, so the service ‘just works’ and nobody has to find out which rights it actually needs.
The main disadvantages of using the Administrator account are:
- Actions cannot be traced back to an individual person (no non-repudiation)
- The account has full permissions in the Active Directory domain (and, in the forest root domain, in the whole forest)
- The password is ‘never’ changed
Changing the password becomes hard once the account is used for services on member servers: the moment the password changes, every service that logs on with it stops working because it can no longer authenticate. So before the password can be rotated, you need to know where the account is used.
One way to find out which servers are using the domain Administrator account is Microsoft Azure ATP (Advanced Threat Protection); its Honeytoken feature is a not very well-known option for exactly this. The shared Administrator account should not be used for day-to-day work at all: admins should always use their own named admin account, which is traceable to a person and whose password is changed regularly.
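Before the password can be rotated, the places where the account is still used have to be found. The following PowerShell script is an added example and not part of the original post or of Azure ATP; it assumes the ActiveDirectory RSAT module, CIM/WinRM access to the member servers and read access to the domain controllers' Security logs. It resolves the built-in account by its well-known RID 500 (so it still works after a rename), lists services and scheduled tasks that log on as that account, and pulls the authentication events for it from the domain controllers. The 7-day window and the filter on the OperatingSystem attribute are assumptions you may want to adjust.

```powershell
# Added example, not part of the original post: find where the built-in
# Administrator account is still used, before its password is rotated.
# Assumptions: run from a workstation with the ActiveDirectory RSAT module,
# CIM/WinRM access to the member servers and read access to the domain
# controllers' Security logs. Nothing in this script changes anything.

Import-Module ActiveDirectory

# The built-in Administrator always has RID 500, so look it up by SID rather
# than by name; the account may already have been renamed.
$Domain  = Get-ADDomain
$Admin   = Get-ADUser -Identity "$($Domain.DomainSID.Value)-500" -Properties PasswordLastSet
$Account = "$($Domain.NetBIOSName)\$($Admin.SamAccountName)"
$Upn     = "$($Admin.SamAccountName)@$($Domain.DNSRoot)"
Write-Host "Built-in admin is '$Account'; password last set $($Admin.PasswordLastSet)"

# 1. Services and scheduled tasks on member servers that log on as the account.
$Servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
           Select-Object -ExpandProperty DNSHostName

$Usage = foreach ($Server in $Servers) {
    try {
        $Cim = New-CimSession -ComputerName $Server -ErrorAction Stop
        Get-CimInstance -CimSession $Cim -ClassName Win32_Service |
            Where-Object { $_.StartName -ieq $Account -or $_.StartName -ieq $Upn } |
            ForEach-Object { [pscustomobject]@{ Server = $Server; Type = 'Service'; Name = $_.Name } }
        Get-ScheduledTask -CimSession $Cim |
            Where-Object { $_.Principal.UserId -ieq $Account -or $_.Principal.UserId -ieq $Admin.SamAccountName } |
            ForEach-Object { [pscustomobject]@{ Server = $Server; Type = 'ScheduledTask'; Name = $_.TaskName } }
        Remove-CimSession $Cim
    } catch {
        Write-Warning "Could not query $Server : $_"
    }
}

# 2. Authentication events for the account on the domain controllers (last 7 days).
# 4624 on a DC only covers logons to that DC itself; 4768 (Kerberos TGT request)
# and 4776 (NTLM validation) cover authentication to any domain member, which is
# what reveals the servers that still use the account.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -ExpandProperty '#text'
}

$Start  = (Get-Date).AddDays(-7)
$Logons = foreach ($Dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768, 4776; StartTime = $Start } |
        Where-Object { (Get-EventField $_ 'TargetUserName') -ieq $Admin.SamAccountName } |
        ForEach-Object {
            # NTLM validation (4776) records the workstation name; the others record an IP address.
            $Source = if ($_.Id -eq 4776) { Get-EventField $_ 'Workstation' } else { Get-EventField $_ 'IpAddress' }
            [pscustomobject]@{ DC = $Dc; Time = $_.TimeCreated; EventId = $_.Id; Source = $Source }
        }
}

$Usage  | Format-Table -AutoSize
$Logons | Sort-Object Source -Unique | Format-Table -AutoSize
```

The second part can take a while on a busy domain controller, because the filter on TargetUserName is applied client-side after the events have been fetched; narrowing StartTime is the easiest way to keep it fast. Anything that shows up in either table is a service, task or admin that will break, or will start tripping the honeytoken, once the password is rotated.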
Azure ATP
The feature we use here is Honeytoken accounts. We assume that Azure ATP is already installed (a service account created in Active Directory and the sensor installed on all domain controllers).
To configure the Honeytoken account, please follow these steps:
- Go to Configuration in the Azure ATP portal
- Select Entity tags
- Under Honeytoken accounts, search for the ‘break glass’ account of the Active Directory. Check whether it is still called ‘Administrator’; renaming the built-in account to a different name is advisable (in the example below it has been renamed to ‘admin’). Whatever its current name is, that is the account to tag
- Add the account and click Save
After a short period, the alert ‘Honeytoken activity’ appears whenever the account is used, whether by a person or by a service. The alert shows from which computer the logon came, which tells you which server or admin workstation still uses the account.
Once the (mis)use of the Administrator account has been cleaned up, the admins use their own named admin account (separate from their normal user account) and the services run under dedicated service accounts with least privilege. The Administrator password can then be changed to a long, random one and stored in a safe place, either a physical vault or a digital vault such as Azure Key Vault. Keep monitoring the account: after the clean-up, any use of it is by definition suspicious.
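As an added example of the final step (not code from the original post), the script below rotates the built-in Administrator password to a random 32-character value and stores it in Azure Key Vault. It assumes the ActiveDirectory and Az.KeyVault modules are installed, that Connect-AzAccount has already been run, and that a vault named ‘kv-breakglass’ (a placeholder) exists with permission for the caller to set secrets; the secret name is also a placeholder. The password is generated with the OS CSPRNG rather than Get-Random, is never written to the console or to disk, and is stored in the vault before the reset so a failed vault write cannot leave you without a working break-glass password.

```powershell
# Added example, not part of the original post: rotate the built-in Administrator
# password to a random one and store it in Azure Key Vault.
# Assumptions: ActiveDirectory and Az.KeyVault modules are installed,
# Connect-AzAccount has already been run, and the vault 'kv-breakglass'
# (placeholder name) exists with 'set' permission on secrets for the caller.
# Run this only after the inventory shows no service or task still uses the account.

Import-Module ActiveDirectory
Import-Module Az.KeyVault

$VaultName  = 'kv-breakglass'              # placeholder
$SecretName = 'ad-builtin-administrator'   # placeholder
$Length     = 32

# Resolve the account by its well-known RID 500 so this works after a rename too.
$Admin = Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-500"

# Draw characters with the OS CSPRNG (not Get-Random), rejecting bytes at or above
# the largest multiple of the alphabet size so no character is favoured (modulo bias).
$Alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_'
$Limit    = 256 - (256 % $Alphabet.Length)
$Rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$Buf      = New-Object byte[] 1
$Chars    = New-Object System.Collections.Generic.List[char]
while ($Chars.Count -lt $Length) {
    $Rng.GetBytes($Buf)
    if ($Buf[0] -lt $Limit) { $Chars.Add($Alphabet[$Buf[0] % $Alphabet.Length]) }
}
$Secure = ConvertTo-SecureString (-join $Chars) -AsPlainText -Force
$Chars.Clear()

# Store first, reset second: if the vault write fails the old password is still the valid one.
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $Secure `
    -ContentType 'text/plain' `
    -Tag @{ samAccountName = $Admin.SamAccountName; rotated = (Get-Date -Format o) } | Out-Null
Set-ADAccountPassword -Identity $Admin -NewPassword $Secure -Reset
Remove-Variable Secure

Write-Host "Password of '$($Admin.SamAccountName)' rotated and stored as '$SecretName' in '$VaultName'."
```

Whoever can read that secret effectively owns the domain, so the vault's access policy and its audit logging must be as strict as the physical vault it replaces, and every read of the secret deserves an alert of its own. If you also rename the account as suggested above (Set-ADUser -SamAccountName followed by Rename-ADObject), remember to update the honeytoken tag in Azure ATP to the new name, otherwise the alert stops firing.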
Microsoft Cloud App Security (MCAS)
MCAS is becoming the single interface for all identity-related alerts (Azure AD Identity Protection, Azure ATP and MCAS threat detections), called the Unified SecOps portal. Configuration of Azure ATP stays in the Azure ATP portal for now (this will change in the future), but for viewing and handling the alerts the MCAS Unified SecOps portal is the advised place.