COI Report – Part VII
Page 368 of 425

45 RECOMMENDATION #10: DOMAIN CONTROLLERS MUST BE BETTER SECURED AGAINST ATTACK #PREVENTION #VIGILANCE
1070. Protecting CII in a Windows network environment necessarily requires protection of other components of the network. Domain controllers in particular must be secured, as compromise of a domain controller can lead to extremely serious consequences for the entire network.
1071. Windows domain controllers host the Active Directory Domain Services (“AD DS”) database, in addition to providing the services and data that allow for effective management of servers, workstations, users, and applications. If privileged access to a domain controller is obtained by a malicious user, he has full control over the entire Windows domain and servers. The malicious actor can then modify, corrupt, or destroy the AD DS database and, by extension, all of the systems and accounts that are managed by Active Directory.
1072. An external consultant observed the following during the penetration test conducted on the H-Cloud in FY: “Domain Admin has full control on the servers in the network domain of the organization including creating administrator accounts in any local servers. By default, a Domain Admin account holder has complete unrestricted access to all resources in the entire network. By gaining Domain Admin access in an organisation, the following damages could happen:
- Install ransomware to lock down the data.
- Access, tamper, destroy organizational IT resources.
- Create any number of accounts and grant them admin access in the Active Directory, such as OUs, admin accounts/Groups, etc.
- Place time-bombed malicious software on any domain-joined machine.”
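As an added illustration (not part of the COI report or the consultant's findings), the following PowerShell audit enumerates Domain Admins membership and flags accounts that a defender would want to review, which directly addresses the "create any number of accounts and grant them admin access" risk described above. It assumes the RSAT ActiveDirectory module is installed, that the script runs with rights to read the directory, and uses a constructed allow-list of expected administrator accounts.

```powershell
# Added example (not from the COI report): audit Domain Admins membership
# and flag accounts that should not hold that privilege. Assumes the RSAT
# ActiveDirectory module is available and the caller can read the directory.
Import-Module ActiveDirectory

# Constructed allow-list of accounts expected to hold Domain Admin rights;
# replace with the organisation's approved list.
$ApprovedDomainAdmins = @('Administrator', 'da-alice', 'da-bob')

# Resolve nested membership so admins hidden inside other groups are found,
# then fetch the attributes needed for the checks below.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, PasswordNeverExpires, LastLogonDate, whenCreated

$findings = foreach ($u in $members) {
    $reasons = @()
    if ($ApprovedDomainAdmins -notcontains $u.SamAccountName) {
        $reasons += 'not on approved list'
    }
    if ($u.PasswordNeverExpires) {
        $reasons += 'password never expires'
    }
    # Recently created Domain Admins are a classic sign of attacker persistence.
    if ($u.whenCreated -gt (Get-Date).AddDays(-30)) {
        $reasons += 'created in the last 30 days'
    }
    if ($u.Enabled -and -not $u.LastLogonDate) {
        $reasons += 'enabled but never logged on'
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Account   = $u.SamAccountName
            Enabled   = $u.Enabled
            Created   = $u.whenCreated
            LastLogon = $u.LastLogonDate
            Reasons   = ($reasons -join '; ')
        }
    }
}

# Anything listed here needs a human decision: remove, disable, or approve.
$findings | Format-Table -AutoSize
```

Run this on a schedule and diff the output against the previous run so that any new Domain Admin appears as an alert rather than being discovered during an incident.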