Security Planning Through Threat Analysis

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

This guide concentrates primarily on recommendations for minimizing known security threats to Active Directory. However, the following sections provide a short summary of how threat analysis can be used to create an overall security plan, based on the security features in Windows Server 2003.

Making Active Directory deployment and administration secure encompasses planning for both mitigation (proactive security) and contingency (reactive security). The proactive portion of the plan protects assets by alleviating any threats to the system that might be caused by user mistakes and by attacks that are based on known threats. The reactive portion of the plan provides contingency plans to implement under the following conditions:

  • Threat analysis fails to anticipate a threat.

  • It is not possible to completely mitigate a threat.

  • Security recommendations cannot be implemented.

The following figure illustrates how threat analysis fits into an overall security plan.

[Figure: How threat analysis fits into an overall security plan (image not available in this copy)]

Identifying Types of Threats

In their attempts to breach a system’s security, all threats exploit weaknesses in the operating system, applications, network design, security policies, or administrative practices. In addition, social engineering phenomena pose a threat to Active Directory.

Threats are commonly categorized according to the goal of the attack. This type of threat analysis is referred to by the acronym STRIDE, which is derived from the first letter of each category of threat, plus the added category of social engineering, as described in the following sections.

Spoofing

The goal of a spoofing attack is illicit access to network resources by unauthorized users. Spoofing involves forging the identity of a valid system user or resource to gain access to the system, thereby compromising system security. Spoofing attacks include:

  • Changing the identity that is associated with an Active Directory object.

  • Subverting a secure logon mechanism.

  • Using false credentials.

Tampering with Data

The goal of a data-tampering attack is to cause unauthorized modification of data, resulting in a loss of data integrity. This type of attack modifies system or user data, with or without detection, resulting in an unauthorized change to network information, network packets in a communication, sensitive files, or the formatting of a hard disk. Data-tampering attacks include:

  • Modifying data that should not be accessible.

  • Causing a trusted entity to modify data improperly.

  • Creating an elevation-of-privilege attack that allows a user to tamper with data.

Repudiation

The goal of a repudiation attack is to perform an authorized or unauthorized action and to eliminate any evidence that could prove the identity of the attacker. Repudiation attacks are associated with users who can deny wrongdoing, without any way to prove otherwise. Repudiation attacks include:

  • Circumventing the logging of security events.

  • Tampering with the security log to conceal the identity of an attacker.

Information Disclosure

An information-disclosure risk exists if a user can gain access to data, intentionally or otherwise, that the user is not authorized to see, resulting in the loss of data privacy or confidentiality or both. Information disclosure attacks include:

  • Gaining access to data that is considered private and protected.

  • Sniffing data on a network while in transit.

  • Using social engineering to improperly reveal user identity or passwords.

Denial of Service

The goal of a denial-of-service attack is the loss of access by legitimate users to a server or to services. Generally speaking, denial-of-service attacks occur when a malicious user either disables critical services on a computer or consumes so many resources on a system that no resources are available for legitimate users. The resources that can be exhausted might include CPU cycles, disk space, memory, server connections, or network bandwidth, among others. Denial-of-service attacks include:

  • Consuming CPU cycles by infinite or very long programmatic looping.

  • Consuming excessive memory or file quotas to block legitimate use.

  • Causing a crash, restart, or error mechanism to interfere with normal use.

Elevation of Privilege

The goal of an elevation-of-privilege attack is illicit access to network resources or services by unauthorized users. The most severe form of an elevation-of-privilege attack is a situation in which an attacker effectively penetrates all system defenses. The attacker then becomes part of the trusted system itself and can completely compromise or destroy the system. Elevation-of-privilege attacks include:

  • Improperly gaining unrestricted rights.

  • Running untrusted data as native code in a trusted process.

  • Spoofing a more privileged identity to gain elevated privileges.

Social Engineering

Social engineering is any type of behavior that can inadvertently or deliberately aid an attacker in gaining access to a user’s password. For example, someone in an organization might:

  • Write their password and place it in a location where a coworker could find it.

  • Coax a fellow worker into revealing their password.

  • Befriend a janitor or other worker who has physical access to domain controllers.

Identifying Sources of Threats

Identification of the various sources of threats to Active Directory provides a basis for understanding and creating an effective security plan. Active Directory defines groups of users, and, by default, it installs policies that limit user access to network resources and services. Therefore, each user group represents a different source of potential threat, as indicated in Table 1.

Table 1 Sources of Potential Threat to Active Directory

Source | Description

Anonymous users

Represents unauthenticated access to the network that is enabled when Group Policy settings allow anonymous access and when permissions on resources are set to allow access to Anonymous Logon through the Pre–Windows 2000 Compatible Access group.

Allowing access for anonymous users results in a reduced level of security for Active Directory because unauthorized access to Active Directory information can result in information disclosure. See Establishing Secure Domain Controller Build Practices later in this guide.

Authenticated users

Represents any user who has successfully completed the authentication process. Successful authentication implies that the user has an identity in the domain, or in a trusted domain, and has provided valid credentials.

By default, authenticated users have access to information in the directory and on domain controllers, and they can view system event logs on domain controllers. To enhance Active Directory security against information disclosure, unnecessary access should be eliminated. For more information, see Strengthening Domain Controller Policy Settings.

Service administrator

Represents administrative accounts that are legitimately used to control directory service configuration and policies and that have physical access to domain controllers for server administration. These accounts are also used to control the forest infrastructure by creating or removing domains and domain controllers, managing domain and domain controller configuration, and monitoring domain controller health.

Service administrators are in a position to launch attacks throughout the forest; therefore, they must be highly trusted. For more information, see Specifying Security and Administrative Boundaries.

Data administrator

Similar to Microsoft® Windows® NT administrators in their functions and privileges, this group manages data in Active Directory that does not control the directory service or its configuration. This group supports users and computers in the forest by adding and removing organizational units (OUs), computers, users, and groups and by modifying Group Policy settings.

Data administrators have delegated rights to manage objects in OUs but not to manage domain controllers or forest configuration. For more information, see Specifying Security and Administrative Boundaries.

Users with physical access to domain controllers

Applies to any situation in which an individual has access to the area where domain controllers and administrative workstations reside, or applies to a situation in which an individual steals one of these computers. If an unauthorized individual gains access to computers that contain sensitive data, information disclosure or data tampering is possible. For more information, see Maintaining Physical Security.
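The Anonymous users row above names two enablers of anonymous access: Anonymous Logon reaching the directory through the Pre-Windows 2000 Compatible Access group, and Group Policy settings that allow anonymous access. The following PowerShell script is an added example, not code from this guide or from Microsoft, that reports both conditions so an administrator can confirm whether that threat source is present. It assumes the ActiveDirectory PowerShell module is installed (RSAT, or a Windows Server 2008 R2 or later domain controller) and that the registry check runs locally on a domain controller; the well-known SID table and the output fields are constructed for this example.

```powershell
# Added example, not part of the original guide: audit the two settings the guide
# names as the enablers of anonymous access to Active Directory.
# Assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 and later)
# and that the registry check runs locally on a domain controller.
Import-Module ActiveDirectory

# Well-known SIDs (constructed lookup of the principals that matter here)
$WellKnown = @{
    'S-1-5-7'  = 'ANONYMOUS LOGON'
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}
# Membership of either of these grants anonymous read access through the group
$AnonymousSids = @('S-1-5-7', 'S-1-1-0')

function Get-PreWin2000CompatibleAccessMembers {
    # S-1-5-32-554 is the well-known SID of BUILTIN\Pre-Windows 2000 Compatible Access
    $group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
    foreach ($dn in $group.member) {
        # Well-known principals are stored as foreign security principals whose CN is the SID,
        # e.g. CN=S-1-5-7,CN=ForeignSecurityPrincipals,DC=example,DC=com (constructed DN)
        $sid = $null
        $name = 'domain principal'
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $sid = $Matches[1]
            if ($WellKnown.ContainsKey($sid)) { $name = $WellKnown[$sid] } else { $name = 'other well-known principal' }
        }
        # New-Object is used instead of [pscustomobject] so the script also runs on PowerShell 2.0
        New-Object PSObject -Property @{
            Member        = $dn
            Sid           = $sid
            Name          = $name
            AnonymousRead = ($AnonymousSids -contains $sid)
        }
    }
}

function Get-AnonymousAccessPolicy {
    # The Security Option "Network access: Let Everyone permissions apply to anonymous users"
    # is stored as EveryoneIncludesAnonymous (1 = enabled). RestrictAnonymous and
    # RestrictAnonymousSAM (1 = enabled) back the "Do not allow anonymous enumeration ..." options.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Object PSObject -Property @{
        EveryoneIncludesAnonymous = [int]$lsa.EveryoneIncludesAnonymous
        RestrictAnonymous         = [int]$lsa.RestrictAnonymous
        RestrictAnonymousSAM      = [int]$lsa.RestrictAnonymousSAM
    }
}

$members = Get-PreWin2000CompatibleAccessMembers
$members | Format-Table Name, Sid, AnonymousRead, Member -AutoSize
if ($members | Where-Object { $_.AnonymousRead }) {
    Write-Warning 'Anonymous Logon or Everyone is in Pre-Windows 2000 Compatible Access: anonymous directory reads are enabled.'
}

$policy = Get-AnonymousAccessPolicy
$policy | Format-List
if ($policy.EveryoneIncludesAnonymous -eq 1) {
    Write-Warning 'Everyone permissions apply to anonymous users on this computer.'
}
```

The membership is read from the group's member attribute rather than with Get-ADGroupMember because well-known principals such as Anonymous Logon are represented as foreign security principal objects, and matching on the SID in the distinguished name avoids name-resolution differences between domains. A warning from either check corresponds to the reduced security level the table describes; the remediation is the one the guide points to under Establishing Secure Domain Controller Build Practices (remove the unneeded membership and tighten the anonymous-access policy settings).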