Centralized management is a great way to consolidate systems and it’s easy to set up. It seems practical to have one server holding all systems and services, but what does this mean from a security perspective? Here are six risks you should be aware of.
Risk 1: Using Default Usernames
You might have all the fancy cybersecurity tools installed on your servers and workstations, such as antivirus, DLP, EDR, XDR and a firewall, but many administrators still sign in the same old and popular way: they use the default “Administrator” account, shared by all IT admin personnel.
On top of that, some organizations install applications on their servers while logged in as the Administrator user and profile, without realizing that this is a potential high-risk backdoor. An attacker can exploit those weaknesses, access all of the server’s sensitive data, and move on to other servers on the network. The attacker can also abuse ports that were left open to the internet for software such as the employee reporting (attendance) system.
Risk 2: Issues with Attendance Systems
Some software, such as an attendance system, may run a scheduled task that uses Telnet, WinSCP, FTP or another insecure service to reach the vendor’s SaaS-based systems.
Indeed, an attendance system is necessary, but who said this software must be installed on a Windows Server platform? Such a server may even sit in the server segment, with unrestricted access to the other servers, which is worse still from a cybersecurity perspective.
It is better to keep those systems in a designated environment, separated from the server and workstation segments, and installed on a minimal OS (a full Windows Server OS is often not required). Also, create a service account with minimal permissions and do not make that account a member of the local Administrators group.
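The two risks above can be checked from the server itself. The following PowerShell script is an added example, not code from the original article: it reports the state of the built-in Administrator account and the members of the local Administrators group (Risk 1), lists scheduled tasks that run as Administrator or invoke clear-text/legacy transfer clients (Risk 2), and creates a least-privilege service account for the attendance system that is deliberately kept out of Administrators. The account name `svc-attendance` and the list of insecure executables are assumptions for illustration; run it in an elevated Windows PowerShell 5.1 session on the server being reviewed.

```powershell
# Added example (not from the original article): local admin hygiene audit plus a
# least-privilege service account. Names and the tool list below are assumptions.
#Requires -RunAsAdministrator

# --- Risk 1: the built-in Administrator account and who else is a local admin ---
# The built-in Administrator always has relative ID 500, whatever it has been renamed to.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
"Built-in Administrator account: {0} (Enabled: {1}, LastLogon: {2})" -f `
    $builtinAdmin.Name, $builtinAdmin.Enabled, $builtinAdmin.LastLogon

# One shared 'Administrator' entry instead of one named account per person is the
# pattern the article warns about.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# --- Risk 2: scheduled tasks that run as Administrator or use insecure transports ---
$insecureTools = 'telnet', 'ftp', 'winscp'   # assumed list of clear-text / legacy clients
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe  = [string]$action.Execute
        $args = [string]$action.Arguments
        $usesInsecureTool = $insecureTools | Where-Object { $exe -match $_ -or $args -match $_ }
        $runsAsAdmin      = $task.Principal.UserId -match 'Administrator$'
        if ($usesInsecureTool -or $runsAsAdmin) {
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                RunAs     = $task.Principal.UserId
                Execute   = $exe
                Arguments = $args
                Finding   = if ($usesInsecureTool) { 'insecure transport' } else { 'runs as Administrator' }
            }
        }
    }
} | Format-Table -AutoSize

# --- Risk 2: a dedicated, least-privilege service account for the attendance system ---
$svcName = 'svc-attendance'   # assumed account name
if (-not (Get-LocalUser -Name $svcName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString -Prompt "Password for $svcName"
    New-LocalUser -Name $svcName -Password $password `
        -Description 'Attendance system service account' -UserMayNotChangePassword | Out-Null
}
# Membership in 'Users' only; the account is never added to 'Administrators'.
Add-LocalGroupMember -Group 'Users' -Member $svcName -ErrorAction SilentlyContinue

# Verify that nobody has since promoted it.
$isAdmin = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$svcName" }
if ($isAdmin) { Write-Warning "$svcName is a local administrator; remove it with Remove-LocalGroupMember." }
else { "$svcName is not a member of Administrators." }
```

The task audit deliberately ignores tasks running as SYSTEM, since most built-in Windows tasks do; it flags only the pattern from Risk 1 (a task bound to the Administrator account) and the transports named in Risk 2. Extend `$insecureTools` with whatever the vendor’s integration actually calls.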
Risk 3: Issues with Azure AD
Another backdoor and vulnerability in an organization may relate to Azure AD. System administrators sometimes configure settings in Azure AD that allow integrated third-party applications to use SSO (Single Sign-On), which aims to automate user logins for as many company applications as possible.
But why must we grant default “Global Administrator” permissions to those third-party applications? Sometimes we are in a hurry and don’t pay enough attention to the consequences: the negative impact, the potential threat and the future damage of doing so.
The IT manager plays a key role here, as the one in charge of centralizing all the systems. Therefore, the cyber team and the IT team should always work together to define permissions and integrate third-party apps in Azure AD. The IT manager is responsible for applying and setting up all the permissions defined by the cyber team and the CISO.
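A concrete starting point for the joint cyber/IT review described above is to list which applications currently hold Global Administrator. The following script is an added example, not code from the original article or from Microsoft: it uses the Microsoft Graph PowerShell SDK to find every service principal (an integrated third-party app) that is a member of the Global Administrator directory role and shows the API permissions each one was granted. It assumes the `Microsoft.Graph` module is installed and that the caller can consent to the listed read-only scopes; the role template ID for Global Administrator is Microsoft’s fixed value, not an assumption. The script changes nothing.

```powershell
# Added example (not from the original article): find third-party applications that
# hold Global Administrator in Azure AD. Read-only; requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All' | Out-Null

# Directory roles are matched by their fixed template ID rather than the display name.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator
$role = Get-MgDirectoryRole | Where-Object { $_.RoleTemplateId -eq $globalAdminTemplateId }
if (-not $role) { throw 'The Global Administrator role has not been activated in this tenant.' }

# Members can be users, groups or service principals; only the last are applications.
$members    = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
$appMembers = $members | Where-Object {
    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.servicePrincipal'
}

if (-not $appMembers) {
    'No applications hold Global Administrator.'
} else {
    $appMembers | ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.Id
        [pscustomobject]@{
            DisplayName = $sp.DisplayName
            AppId       = $sp.AppId
            Publisher   = $sp.PublisherName   # a non-Microsoft publisher here is the case to review
            Action      = 'Review: replace Global Administrator with least-privilege app permissions'
        }
    } | Format-Table -AutoSize

    # The API permissions (app roles) each flagged app already has, so the team can
    # decide which of them the integration genuinely needs.
    $appMembers | ForEach-Object {
        Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.Id -All |
            Select-Object PrincipalDisplayName, ResourceDisplayName, AppRoleId
    } | Format-Table -AutoSize
}
```

Once the team has agreed on the minimal permission set for an integration, the role assignment itself can be removed with `Remove-MgDirectoryRoleMemberByRef` and the app re-consented with only the API permissions it needs; that change belongs to the IT manager, as the article notes, after the cyber team has signed off.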
Risk 4: Lack of an Adequate Firewall
It is quite easy to define rules that open all ports to the local domain controller (Active Directory) server. Doing so, however, exposes the domain controller to any kind of threat and puts it at high risk.
Ports such as SMB and RDP should always be blocked on those servers from the Internet and from unrestricted servers and workstations on the network. Leaving these ports open can give an attacker remote control of the server and lead to the planting of malicious files and the theft of data. For this reason, avoid defining rules as “Any to Any” (opening all channels); instead, allow only the minimal ports the server, system or service needs to operate.
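The following PowerShell script is an added example, not code from the original article: it reports the inbound Windows Firewall rules on a server that are effectively “Any to Any” (any local port and any remote address), sets the default inbound action to Block on every profile, and adds scoped allow rules so that SMB and RDP are reachable only from a management subnet. The subnet `10.0.10.0/24` is a placeholder; the report is meant to be reviewed before any broad rule is disabled, especially on a domain controller, where several built-in rules legitimately use dynamic ports.

```powershell
# Added example (not from the original article): Windows Firewall "Any to Any" report and
# scoped SMB/RDP allow rules. The management subnet below is a placeholder.
#Requires -RunAsAdministrator

$anyToAny = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $port = Get-NetFirewallPortFilter    -AssociatedNetFirewallRule $rule
    $addr = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule
    # 'Any' on both the local port and the remote address means the rule opens all channels.
    if ($port.LocalPort -eq 'Any' -and $addr.RemoteAddress -eq 'Any') {
        [pscustomobject]@{
            Name     = $rule.DisplayName
            Profile  = $rule.Profile
            Protocol = $port.Protocol
            # A rule scoped to one program is narrower than a true any-to-any rule; show it.
            Program  = (Get-NetFirewallApplicationFilter -AssociatedNetFirewallRule $rule).Program
        }
    }
}
"Inbound allow rules with any local port and any remote address: $(@($anyToAny).Count)"
$anyToAny | Format-Table -AutoSize

# With the default inbound action set to Block, only explicit allow rules open anything.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Scoped allow rules: SMB (445/tcp) and RDP (3389/tcp) only from the management subnet.
# Windows Firewall lets block rules win over allow rules, so the right way to restrict a
# port is a narrow allow plus the Block default, not a broad block alongside the allow.
$mgmtSubnet = '10.0.10.0/24'   # assumed management network
New-NetFirewallRule -DisplayName 'Allow SMB from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $mgmtSubnet -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'Allow RDP from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmtSubnet -Action Allow -Profile Domain

# Disabling a broad rule found by the report is a reviewed change, for example:
# Disable-NetFirewallRule -DisplayName 'Name from the report above'
```

The scoped rules only achieve their purpose once every broader allow rule for the same ports has been disabled; until then the broader rule still admits the traffic, which is why the report comes first.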
Risk 5: Unsecured Server Documents and Network Diagrams
Often, IT and network personnel keep diagrams of the network topology in Visio files. They also keep information about access points, switches, firewalls and servers in Excel sheets, including server names, IP addresses and sometimes even usernames and passwords.
This obviously presents a major risk. These highly sensitive TLP files should always be encrypted and stored in a secure place. The password for these encrypted files should be kept separately, never in a plain text file on the network.
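The following PowerShell script is an added example, not code from the original article: it walks a documentation share, reports which Visio and spreadsheet files are readable by broad principals (Everyone, Authenticated Users, Domain Users, local Users) and whether they are encrypted at rest, and flags text or CSV files that contain a password-like field without printing the secret itself. The share path, the group list and the file types are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original article): find network documentation exposed to
# broad groups or stored in clear text. Share path, groups and extensions are assumptions.
$root        = '\\fileserver\it-docs'   # assumed share holding IT documentation
$broadGroups = 'Everyone', 'Authenticated Users', 'Domain Users', 'BUILTIN\Users'
$extensions  = '*.vsd', '*.vsdx', '*.xls', '*.xlsx', '*.csv', '*.txt'

$findings = Get-ChildItem -Path $root -Recurse -File -Include $extensions -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName
        # Allow entries granted to any of the broad principals, whatever the right.
        $wide = foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($broadGroups | Where-Object { $id -eq $_ -or $id -like "*\$_" }) { $ace }
        }
        if ($wide) {
            [pscustomobject]@{
                File       = $file.FullName
                ReadableBy = ($wide.IdentityReference.Value | Sort-Object -Unique) -join ', '
                Rights     = ($wide.FileSystemRights | Sort-Object -Unique) -join ', '
                # NTFS/EFS encryption flag; unencrypted topology files are the article's concern.
                Encrypted  = $file.Attributes.HasFlag([IO.FileAttributes]::Encrypted)
            }
        }
    }
"Documentation files readable by broad groups: $(@($findings).Count)"
$findings | Format-Table -AutoSize

# Clear-text credential fields in text/CSV inventories are the worst case described above.
# Only the path and line number are reported, never the matching line itself.
Get-ChildItem -Path $root -Recurse -File -Include '*.txt', '*.csv' -ErrorAction SilentlyContinue |
    Select-String -Pattern 'password|passwd|pwd' -List |
    Select-Object Path, LineNumber
```

Visio and Excel files are zipped XML, so the credential scan is limited to plain text and CSV; for office documents the ACL and encryption columns are the signal. A finding with `Encrypted = False` and `ReadableBy` listing a broad group is exactly the unencrypted, widely accessible inventory the article says to eliminate.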
Risk 6: Vulnerable Printer Server Role
One last tip from me to you: never install the print server role on your domain controllers, as doing so makes them more vulnerable by exposing the spooler mechanism and its protocols to attackers.
Beware: attackers may try to access your data through these methods.
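The following PowerShell script is an added example, not code from the original article: it queries every domain controller in the domain for the Print Server role and the state of the Print Spooler service, reports those where the spooler is running or the role is installed, and, when run with an assumed `-Disable` switch, stops and disables the spooler and removes the role on those DCs. It assumes the ActiveDirectory module (RSAT) is available and that WinRM access to the DCs is permitted for the account running it.

```powershell
# Added example (not from the original article): print spooler exposure check across all
# domain controllers. The -Disable switch is a convenience assumed for this script.
param([switch]$Disable)

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $spooler = Get-Service -Name Spooler
    # Get-WindowsFeature comes with the ServerManager module on Windows Server.
    $printRole = Get-WindowsFeature -Name Print-Server -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC               = $env:COMPUTERNAME
        SpoolerStatus    = $spooler.Status
        SpoolerStartType = $spooler.StartType
        PrintServerRole  = [bool]$printRole.Installed
    }
}
$report | Select-Object DC, SpoolerStatus, SpoolerStartType, PrintServerRole | Format-Table -AutoSize

# A DC with a running spooler or the Print Server role is the condition the article warns about.
$exposed = $report | Where-Object { $_.SpoolerStatus -eq 'Running' -or $_.PrintServerRole }

if ($exposed -and $Disable) {
    Invoke-Command -ComputerName $exposed.DC -ScriptBlock {
        # Stop the spooler, keep it from starting again, and remove the role if present.
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        if ((Get-WindowsFeature -Name Print-Server).Installed) {
            Uninstall-WindowsFeature -Name Print-Server | Out-Null
        }
        "Print spooler disabled on $env:COMPUTERNAME"
    }
} elseif ($exposed) {
    "Print spooler exposed on: $($exposed.DC -join ', '). Re-run with -Disable to remediate."
}
```

Run it without the switch first; the report is the evidence for the change ticket, and disabling the spooler on a DC that genuinely prints (it should not, per the article) is a visible change users will notice.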
To sum up, avoid integrating third-party apps with Azure AD using your administrator user or a high-privilege user. Set permissions as low as possible, always double-check your settings and your environment, and follow this guide.