IT and security leaders barely earned passing grades, on average, in Semperis' security assessment tool for Microsoft's Active Directory. Pictured: A logo sits illuminated outside the Microsoft booth at the SK telecom booth of the GSMA Mobile World Congress on Feb. 28, 2022, in Barcelona, Spain. (Photo by David Ramos/Getty Images)

Semperis on Wednesday reported that of the 1,000 IT and security leaders who used their free security assessment tool, the average score across five Active Directory categories was 68% — barely a passing grade.

The research found that insurance and healthcare — at 55% and 63%, respectively — reported the lowest overall scores, followed by transportation, which came in at 64%.

Some of the report’s leading findings include the following:

  • Organizations are failing to adequately secure AD environments primarily because they lack visibility into risky configurations.
  • Large organizations fare the worst because of legacy applications and complex environments.
  • Lack of in-house AD expertise hampers AD hygiene efforts, particularly in small businesses or vertical markets with fewer resources.

It has been 23 years since Microsoft released Active Directory and, unfortunately for everyone, most organizations have not taken the necessary steps to assure the operational integrity of one of the most-important security controls in IT environments, said Aaron Turner, vice president of SaaS Posture at Vectra.

Turner said the Semperis findings in the insurance and healthcare industries are representative of the business pressures that IT operations and security teams face. Businesses in those verticals usually grow through acquisition and also have extremely long system lifecycles. Combine those two factors and Turner said it results in a “Frankenstein monster-like” directories that have all sorts of legacy security configurations. 

“Organizations need to have the operational discipline to eliminate the practice of just importing the settings from other directories into the production version of Active Directory and instead go about having minimum hygiene standards for how users, attributes and settings are configured,” Turner said. “Without that discipline, attackers will exploit legacy protocols and over-privileged user accounts to gain unauthorized access to systems that rely on AD for authentication and authorization.”

Windows AD has become well-known for its complexity, said Alex Ondrick, director of security operations at BreachQuest. Ondrick said AD has a reputation of being difficult to secure, and it’s increasingly targeted by attackers: Colonial Pipeline, Red Cross, Ukraine, and NOAA are prime examples.

“At the same time, many companies are also trying to adopt a zero-trust framework, thereby further-straining their already-overextended access/identity security initiatives,” Ondrick said. “If we consider that — on top of all of these changes — many companies are also migrating from on-premises to cloud, or have some type of hybrid AD environment, then one might argue that attackers are converging upon a ‘softer target’ in Active Directory.”