Feb 04, 2025 | 5 min

Token Integrates with Active Directory

We’re excited to announce the general availability of our integration with Microsoft Active Directory (AD). This release addresses a critical gap in non-human identity (NHI) security: discovering on-premises NHIs and giving them the same visibility and lifecycle management that cloud NHIs get. Cloud environments are usually the main driver of NHI proliferation, but non-human accounts are also used extensively on-premises, where they are typically created and managed in Active Directory right alongside human accounts. That makes deep AD integration one of our most important features, and we’re excited to offer a capability that AD users have long wanted and needed.

The Race to Compromise Active Directory: A Prime Target for Attackers

Attackers increasingly target Active Directory (AD) infrastructure early in their campaigns, which underscores its role as a high-value asset. Sophos’ research found that the median time-to-AD across all attacks was just 0.68 days, about 16 hours, showing how quickly adversaries move laterally toward domain controllers. In some cases attackers had reached AD infrastructure before the recorded start of the attack, by way of exposed servers or previously compromised accounts. Once inside, they can escalate privileges, disable legitimate accounts, and deploy malware from a trusted position, gaining control over the entire organization. Alarmingly, many AD servers are poorly protected or rely solely on Microsoft Defender, which attackers have become adept at disabling. As the report notes, “We’ve seen a steady rise of this technique (T1562, Impair Defenses), from 24% in 2021 to 43% in the first half of 2023.” The combination of AD’s power and its frequently weak protection makes it a prime target, and calls for security measures and tooling built specifically to monitor and protect AD environments.

Integrating with Microsoft Active Directory is Key for Securing Service Accounts in On-premise Environments

Active Directory (AD) is a foundational element of identity and access management. It provides centralized control over users, machines, and services while simplifying authentication, authorization, and security policies. It plays a crucial role in managing both human and non-human identities, such as service accounts, which are vital for automation and integration. Security and Identity teams often struggle to answer simple questions when it comes to accounts managed by AD:

  • What are all my identities? Which of them are service accounts?
  • Where are their secrets stored?
  • Do they have excessive or unnecessary permissions?
  • Who has access to these accounts?
  • What applications rely on them?
  • Who is responsible for maintaining them?
  • What risks do they pose?
  • Are my service accounts or users involved in malicious activity? Are they behaving abnormally? Are they being used from malicious IPs?
  • Do I have an insider threat within my organization?

Gathering this information often requires extensive manual effort, is difficult to achieve, and typically involves multiple teams. Furthermore, the data frequently changes, making the process even more challenging. This lack of visibility creates significant blind spots for the organization, leading to operational inefficiencies and unmanaged risks over time. Consequently, the organization’s attack surface expands, exposing it to substantial security vulnerabilities.
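As an added example of what answering the first few of those questions takes by hand, the following PowerShell (written for this article, not Token Security’s code) inventories AD user objects that look like service accounts and flags the posture gaps a reviewer would want to see: Kerberos-roastable configurations, non-expiring or unrotated passwords, stale logons and privileged history. It assumes the RSAT ActiveDirectory module is installed on a domain-joined host with read access to the directory; the 90-day and 365-day thresholds and the two discovery heuristics are assumptions, not a standard.

```powershell
# Added example (not Token Security's code): inventory likely service accounts in
# Active Directory and flag common posture gaps. Requires the RSAT ActiveDirectory
# module and read access to the domain. The thresholds below are assumptions.
Import-Module ActiveDirectory

$StaleDays    = 90    # no logon in this many days -> likely stale
$RotationDays = 365   # password older than this -> unrotated credential

# lastLogonTimestamp is replicated (accurate to ~14 days); lastLogon is per-DC and is not.
$props = 'servicePrincipalName','PasswordLastSet','lastLogonTimestamp','PasswordNeverExpires',
         'DoesNotRequirePreAuth','Enabled','Description','memberOf','adminCount'

# Heuristic 1: user objects with an SPN (classic service accounts; also Kerberoasting targets).
$spnUsers = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' -Properties $props
# Heuristic 2: passwords set to never expire (userAccountControl bit 0x10000), typical of automation accounts.
$noExpiry = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)' -Properties $props
# Managed service accounts rotate their own passwords and are a separate object class.
$msas = Get-ADServiceAccount -Filter * -Properties lastLogonTimestamp

$now = Get-Date
$report = foreach ($u in (@($spnUsers) + @($noExpiry) | Sort-Object DistinguishedName -Unique)) {
    $lastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    $findings = @()
    if ($u.servicePrincipalName)  { $findings += 'HasSPN(Kerberoastable)' }
    if ($u.PasswordNeverExpires)  { $findings += 'PasswordNeverExpires' }
    if ($u.DoesNotRequirePreAuth) { $findings += 'NoPreAuth(AS-REP roastable)' }
    if ($u.adminCount -eq 1)      { $findings += 'adminCount=1(privileged now or in the past)' }
    if ($u.PasswordLastSet -and ($now - $u.PasswordLastSet).Days -gt $RotationDays) { $findings += "PasswordAge>${RotationDays}d" }
    if ($u.Enabled -and (-not $lastLogon -or ($now - $lastLogon).Days -gt $StaleDays)) { $findings += "NoLogon>${StaleDays}d" }
    [PSCustomObject]@{
        Account         = $u.SamAccountName
        Enabled         = $u.Enabled
        LastLogon       = $lastLogon
        PasswordLastSet = $u.PasswordLastSet
        # CN of each direct group only; nested membership needs a recursive expansion.
        Groups          = (@($u.memberOf) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
        Description     = $u.Description
        Findings        = $findings -join ','
    }
}

$report | Sort-Object Account | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\ad-service-accounts.csv
"Managed service accounts (self-rotating, reviewed separately): $(@($msas).Count)"
```

Note what this does not answer: it cannot tell you where a password is stored, which application depends on the account, or who owns it, because none of that lives in the directory. The Description field is often the only owner hint, and the Groups column shows direct membership only, so an account that is privileged through a nested group still looks harmless here.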

Secure Your Hybrid Environments

In hybrid organizations, Active Directory (AD) is the bridge between on-premises and cloud environments, providing centralized identity and access management. It enables secure authentication, single sign-on (SSO), and consistent policy enforcement across both environments. When a tool such as Entra Connect synchronizes AD users, groups and service accounts into Entra ID, the same identity is usable on both sides, which reduces administrative overhead and lets organizations run modern cloud services alongside legacy systems. It also means that an on-premises account, including a service account that was never meant to sign in to the cloud, appears in Entra ID unless it is excluded from the synchronization scope, so the two directories need to be reviewed together rather than separately.

The Complexity of Active Directory Permissions

Active Directory stores permissions on the objects themselves. Every directory object (users, groups, computers, organizational units, and so on) carries a security descriptor whose Discretionary Access Control List (DACL) lists which principals may do what to that object; files and folders on domain members are protected the same way through NTFS ACLs, and both kinds of ACL reference the same AD principals. Permissions are normally granted to groups rather than to individual users, which keeps administration scalable and centralized. For example, to give a user read access to a folder, the administrator adds an entry granting “Read” to a group such as “Finance Team” in the folder’s ACL and then adds the user to that group; the user gets the permission with no per-user configuration.

This object-centric model makes analysis hard for security vendors. There is no single place to ask “what can this account do?”: answering it means reading the ACL of every object the account could reach, following ACL inheritance down the OU tree, and expanding group membership, including nested groups, to see who actually holds each entry. The same ACLs also define escalation paths. An account that holds rights such as GenericAll, WriteDacl or WriteOwner on a privileged group or user, or the extended right to reset another account’s password, effectively controls that principal even though it is not a member of any administrative group. The layered and interconnected nature of AD permissions therefore demands purpose-built tooling to map the full scope of access across an organization; the flexibility and scalability come at the price of permissions management and analysis that is significantly harder than in systems where rights are simply listed per user or per server.
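To show what reviewing an object’s ACL involves in practice, here is an added PowerShell example, written for this article and not Token Security’s code, that audits the DACL of one sensitive object, expands each holder’s nested group membership into effective users and computers, and separates expected holders from everything else. The Domain Admins target, the list of expected principals and the set of rights treated as control-capable are assumptions for illustration; it requires the RSAT ActiveDirectory module, whose import also mounts the AD: drive that Get-Acl reads.

```powershell
# Added example (not Token Security's code): list the principals holding
# control-capable rights on a sensitive AD object, expand nested groups into
# effective members, and flag holders that are not on the expected list.
Import-Module ActiveDirectory   # also mounts the AD: drive used by Get-Acl

$domain   = Get-ADDomain
$targetDn = (Get-ADGroup 'Domain Admins').DistinguishedName   # assumed target; any DN works

# Rights that let the holder take over the object (or its members) regardless of
# which groups they appear in. WriteProperty and ExtendedRight are only dangerous
# when unscoped or scoped to a sensitive attribute/right, so the scope is reported.
$controlRights = 'GenericAll','GenericWrite','WriteDacl','WriteOwner','WriteProperty','ExtendedRight'

# Principals expected to hold such rights on this object (assumption); others are findings.
$nb = $domain.NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM','BUILTIN\Administrators',"$nb\Domain Admins","$nb\Enterprise Admins")

function Get-EffectiveMembers {
    # Transitive expansion of a group to user and computer sAMAccountNames.
    # Note: -Recursive can fail on very large groups or cross-forest members; errors are suppressed.
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -in @('user','computer') } |
        Select-Object -ExpandProperty SamAccountName
}

$acl = Get-Acl -Path "AD:\$targetDn"
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $held = @(($ace.ActiveDirectoryRights.ToString() -split ',\s*') | Where-Object { $_ -in $controlRights })
    if ($held.Count -eq 0) { continue }

    $who   = $ace.IdentityReference.Value      # DOMAIN\name, or a raw SID string if unresolvable
    $name  = $who.Split('\')[-1]
    $group = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
    $members = if ($group) { @(Get-EffectiveMembers $group.SamAccountName) } else { @($name) }

    [PSCustomObject]@{
        Principal   = $who
        Expected    = ($who -in $expected)
        Rights      = $held -join '|'
        # Empty ObjectType GUID = whole object / all properties; otherwise one attribute or right.
        Scope       = if ($ace.ObjectType -eq [guid]::Empty) { 'whole object' } else { "scoped: $($ace.ObjectType)" }
        Inherited   = $ace.IsInherited
        Effective   = (@($members) | Sort-Object -Unique) -join ';'
        MemberCount = @($members).Count
    }
}

# Unexpected holders first, largest effective membership first within each group.
$findings |
    Sort-Object @{Expression='Expected'}, @{Expression='MemberCount'; Descending=$true} |
    Format-Table Principal, Expected, Rights, Scope, Inherited, MemberCount, Effective -AutoSize
```

Running this against every object in the domain, rather than one, is the scale problem the paragraph above describes: inheritance means an entry set once on an OU lands on every object beneath it, and a scoped WriteProperty entry has to be checked against which attribute it names (for a group, the “member” attribute is the one that matters) before it can be called safe.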

Token Security Integration with Active Directory

Token Security now integrates with AD to address the challenge of securing non-human and human AD identities, seamlessly and effortlessly. By integrating our solution with your Active Directory, you get the following covered:

  • Discover service accounts and users, get visibility into gaps between AD and Entra.
  • Identify Domain Admins and overly permissive access granted to principals.
  • Get full context of who owns service accounts, who are the original provisioners, and who are the maintainers over time.
  • Understand who is using them and what their usage pattern is.
  • Identify abnormal activities associated with service accounts and users.
  • Be aware of what steps are required to remediate security posture gaps.

Introducing our intuitive Identity Graph, designed to provide a comprehensive view of both the static and dynamic aspects of Active Directory users and service accounts. The following screenshots not only answer the critical questions mentioned earlier but also showcase the core strengths of our product:

  • Complete and Unified Identity Visibility: Gain full visibility into all AD identities, including their permissions, associated risks, accessible servers and endpoints, and additional contextual information.
  • Enhanced Security Posture: Identify and address risks such as stale AD identities, overly privileged accounts, long-standing or unrotated credentials, service accounts lacking proper network restrictions, and much more.
  • Remediation and Lifecycle Management: Visualize the complete ownership and usage of AD users and service accounts, including which servers, users, or external services rely on their credentials and how they are used. This empowers you with the confidence to take remediation actions or leverage our automated remediation features effectively.

Our Identity Graph gives you the insights needed to enhance security, reduce risk, and simplify lifecycle management of your Active Directory identities. If you are curious to know more about NHI security and how to make your Active Directory much safer, visit Token Security to learn more and contact us today!
