87% of SMEs in Latin America operate with excessive permissions in Active Directory, exposing critical credentials to attacks like kerberoasting. Auditing with BloodHound or PingCastle reveals hidden privileges, but remediation requires a Tier 0/1/2 model to avoid paralyzing operations.
Why Active Directory is the Achilles’ Heel of SMEs
Active Directory (AD) is not merely a directory: it is the nervous system of corporate identity. In SMEs, its configuration is often inherited from generic templates or previous administrators, accumulating privileges like layers of peeling paint. The problem is not technical, but cultural: permissions are assigned "just in case" rather than "by necessity."
A CyberShield study of 120 Latin American SMEs revealed that 63% of users with access to critical servers did not need it for their role. Worse still: 15% of service accounts had domain administrator privileges without documented justification. These numbers are not abstract statistics: they are real attack vectors.
The case of the Mexican SME "Distribuciones del Norte" illustrates the risk. In 2023, a kerberoasting attack compromised a service account with excessive privileges, allowing attackers to move laterally for 47 days before encrypting its systems. The ransom demanded: $1.2 million. The root cause: a permission audit that was never conducted.
BloodHound vs PingCastle: Tools to Map the Chaos
Visibility is the first step. BloodHound and PingCastle are the two most widely used tools for auditing permissions in AD, but they approach the problem from different angles.
BloodHound (developed by SpecterOps) is a graph analyzer that maps relationships between users, groups, and resources. Its advantage: it reveals hidden attack paths, such as a standard user who, through three nested groups, ends up with access to a domain controller. The drawback: it requires advanced knowledge to interpret the results. Its graphical interface can overwhelm teams without graph analysis experience.
BloodHound’s methodology is based on three key questions:
- Who has access to what?
- How can privileges be escalated?
- What paths lead to critical resources?
In a case documented by the CyberShield team, BloodHound identified in a Peruvian SME that the "HelpDesk" group had permissions to modify the group policy (GPO) controlling Windows updates. This allowed any HelpDesk member to deploy malware across all workstations.
PingCastle (by Vincent Le Toux) adopts a more pragmatic approach. Instead of complex graphs, it generates structured reports with risk scores. Its strength: it automates the detection of dangerous configurations, such as passwords that never expire or user accounts carrying SPNs (the precondition for kerberoasting). The limitation: its reports are point-in-time snapshots that score individual exposures; they do not trace the chain of relationships an attacker would follow from one account to another.
PingCastle scores the domain from 0 to 100 in four risk categories, and the overall score is the worst of the four:
- Stale Objects: leftovers an attacker can pick up (e.g., accounts that never log on, passwords that never expire, obsolete operating systems).
- Privileged Accounts: over-delegated control (e.g., insecure ACLs on the domain head or on AdminSDHolder, oversized Domain Admins membership).
- Trusts: domain and forest trusts that widen the blast radius (e.g., trusts without SID filtering).
- Anomalies: dangerous configurations exploitable directly (e.g., null sessions, credentials stored in cleartext in GPO files, LAPS not deployed).
Each failed rule carries a point value, so a single critical finding can push a category to 100 on its own.
In a recent audit in Chile, PingCastle detected that 42% of service accounts had passwords shorter than 12 characters. NIST SP 800-63B sets only an 8-character floor for human-chosen passwords; a service account password is never typed by a human, so there is no reason for it to be shorter than 25 characters, the length at which offline cracking becomes impractical. These accounts were the primary target of a kerberoasting attack that was mitigated in time.
The Tier 0/1/2 Model: How to Segment Privileges Without Breaking Operations
Remediating excessive permissions cannot be a "big bang." Microsoft's Tier 0/1/2 model (part of its Securing Privileged Access guidance, since folded into what Microsoft now calls the enterprise access model) offers a gradual approach:
- Tier 0: Full AD control (domain controllers, the krbtgt account, schema and enterprise administrators, and any server that can control them, such as identity sync or AD CS hosts). Access restricted to 1-2 people, with mandatory multi-factor authentication (MFA) and dedicated workstations.
- Tier 1: Administration of critical servers and applications. Access controlled by specific groups, with temporary sessions (JIT - Just In Time).
- Tier 2: Administration of workstations and end users. Permissions limited to what is necessary for the role, with quarterly reviews.
Implementation requires three steps:
- Inventory: Use BloodHound or PingCastle to identify who has access to what. Document each permission with its justification.
- Segmentation: Migrate accounts to the corresponding tiers. Example: the HelpDesk team should be in Tier 2, not Tier 1.
- Monitoring: Implement alerts for changes in Tier 0 (e.g., creation of new accounts with domain privileges).
A common mistake is assuming Tier 0 only includes domain administrators. In reality, it must encompass any account that can take control of the directory regardless of group membership: accounts with replication rights on the domain (the rights that DCSync abuses), such as the sync account used by Azure AD Connect (now Entra Connect); accounts that can edit GPOs linked to the Domain Controllers OU; and accounts that own or can write to domain controller computer objects. In a Colombian SME, a local CRM service account had Tier 0 permissions without the IT team's knowledge. This account was compromised via a password spraying attack, giving attackers full control of the AD.
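The inventory step above is where these hidden Tier 0 accounts surface. The following PowerShell is an added example written for this article; it is not code from the page, from CyberShield or from Microsoft. It assumes the RSAT ActiveDirectory module and read access to the domain, and the list of groups it treats as Tier 0 is this example's own choice. It goes beyond the AdminCount query mentioned later in the text by also reading the domain head's ACL for replication rights, which is how a sync or CRM service account ends up with Tier 0 control without belonging to any admin group.

```powershell
# Added example, not code from the page or from Microsoft: inventory the principals that
# effectively hold Tier 0 control, whether or not they sit in an obvious admin group.
# Assumes the RSAT ActiveDirectory module and read access to the domain; the group list
# below is this example's own choice, not a Microsoft specification.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Flattened membership of the built-in Tier 0 groups. -Recursive resolves nesting,
#    which is where "hidden" admins live (user -> HelpDesk-Leads -> ServerOps -> Domain Admins).
$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
$groupMembers = foreach ($g in $tier0Groups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Select-Object @{ n = 'ViaGroup'; e = { $g } }, SamAccountName, objectClass
    } catch {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        Write-Warning "Skipping '$g': $($_.Exception.Message)"
    }
}

# 2. Replication rights on the domain head (what DCSync uses). A principal holding both
#    extended rights below, or GenericAll on the domain object, can pull every password
#    hash including krbtgt. That is Tier 0 regardless of group membership, and it is how
#    an Azure AD Connect / Entra Connect sync account becomes Tier 0 without anyone noticing.
$dsGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$dsGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$genericAll      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$acl = Get-Acl -Path "AD:\$domainDN"
$dcsyncCapable = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Group-Object { $_.IdentityReference.Value } |
    Where-Object {
        $rights  = $_.Group
        $hasBoth = ($rights.ObjectType -contains $dsGetChanges) -and
                   ($rights.ObjectType -contains $dsGetChangesAll)
        $hasAll  = [bool]($rights | Where-Object { ($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll })
        $hasBoth -or $hasAll
    } |
    Select-Object -ExpandProperty Name

# 3. adminCount=1 marks objects that AdminSDHolder has protected at some point. The flag
#    is sticky (it survives removal from the group), so treat it as a lead to verify
#    against the two lists above, not as proof of current privilege.
$adminCountFlagged = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties sAMAccountName |
    Where-Object { $_.ObjectClass -in 'user', 'group' } |
    Select-Object sAMAccountName, ObjectClass

[pscustomobject]@{
    PrivilegedGroupMembers = $groupMembers
    DCSyncCapable          = $dcsyncCapable
    AdminCountFlagged      = $adminCountFlagged
}
```

Anything in DCSyncCapable that is not a domain controller's own account, the built-in admin groups, or the Entra Connect sync account deserves a documented justification or removal; that list is short in a healthy domain, which makes it the fastest Tier 0 check to run weekly.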
Kerberoasting: The Attack Exploiting Poorly Assigned Permissions
Kerberoasting is an attack that exploits a "by design" feature of Kerberos: any authenticated domain user can request a service ticket (TGS) for any account with a registered Service Principal Name (SPN). Part of that ticket is encrypted with a key derived from the service account's password, so an attacker can take the ticket offline and guess the password at leisure, without ever touching the service or triggering a lockout. The problem arises when:
- Service accounts have weak passwords (fewer than 25 characters).
- SPNs are assigned to ordinary user accounts whose passwords were chosen by a human, rather than to computer accounts or group managed service accounts (gMSA), whose passwords are long, random and rotated automatically.
- There is no privilege segmentation (e.g., a service account has access to resources outside its scope).
The attack follows these steps:
- The attacker gains access to a workstation within the domain (e.g., via phishing).
- They use tools like Rubeus or Mimikatz to request TGS tickets for all accounts with SPNs.
- They extract the encrypted portion of each ticket and crack it offline using tools like Hashcat.
- They use the obtained credentials to move laterally.
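To see which accounts in your own domain meet the three preconditions above, and to rotate the worst of them, the following PowerShell is an added example for this article (not code from the page, from CyberShield, or from any of the tools named). It assumes the RSAT ActiveDirectory module; the risk scoring is this example's own heuristic. It also handles a detail the text does not cover: the msDS-SupportedEncryptionTypes attribute, which decides whether the DC issues the RC4 tickets that crack fastest.

```powershell
# Added example, not from the page or CyberShield: enumerate kerberoastable user accounts,
# rank them, and rotate the worst offenders. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Only user objects with an SPN matter: computer accounts already have 120-character random
# passwords that rotate every 30 days, so cracking their tickets is hopeless. krbtgt is excluded
# because its tickets are TGTs, handled separately.
$candidates = Get-ADUser -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true } `
    -Properties ServicePrincipalName, PasswordLastSet, AdminCount, PasswordNeverExpires,
                'msDS-SupportedEncryptionTypes' |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }

$report = foreach ($u in $candidates) {
    $enc = $u.'msDS-SupportedEncryptionTypes'
    # Bitmask: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256. When the attribute is empty or 0 the
    # DC falls back to RC4 for the service ticket, which is what Hashcat mode 13100 cracks fastest.
    $aesOnly = ($null -ne $enc) -and (($enc -band 0x4) -eq 0) -and (($enc -band 0x18) -ne 0)
    $ageDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { 99999 }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        SPNs            = ($u.ServicePrincipalName -join ';')
        PasswordAgeDays = $ageDays
        NeverExpires    = $u.PasswordNeverExpires
        AESOnly         = $aesOnly
        AdminCount      = [int]$u.AdminCount
        # Heuristic score (this example's own): privileged + RC4-capable + stale = rotate first.
        Risk            = ([int]($u.AdminCount -eq 1) * 10) +
                          ([int](-not $aesOnly) * 5) +
                          ([int]($ageDays -gt 365) * 3)
    }
}
$report | Sort-Object Risk -Descending | Format-Table -AutoSize

# A 25+ character random password puts the ticket out of reach of offline cracking.
# Rejection sampling avoids the modulo bias of "random byte % 94".
function New-RandomPassword([int]$Length = 32) {
    $chars = [char[]](33..126)                      # 94 printable ASCII characters
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 188) { [void]$sb.Append($chars[$buf[0] % 94]) }   # 188 = 2 * 94
    }
    $sb.ToString()
}

# -WhatIf stays on deliberately: resetting a service account password without updating the
# service that uses it is exactly the operational paralysis the Tier model warns about.
# Schedule the reset together with the service owner, or better, move the service to a gMSA.
foreach ($row in ($report | Where-Object { $_.Risk -ge 10 })) {
    $pw = ConvertTo-SecureString (New-RandomPassword 32) -AsPlainText -Force
    Set-ADAccountPassword -Identity $row.SamAccountName -NewPassword $pw -Reset -WhatIf
    # Once every client of the service is confirmed to speak AES, drop RC4 for the account:
    Set-ADUser -Identity $row.SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x18 } -WhatIf
}
```

Removing RC4 (the 0x18 value, AES128 + AES256 only) does not stop an attacker from requesting the ticket, but it raises the cracking cost by orders of magnitude; combined with a 32-character random password it makes the offline step pointless.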
In the case of "Distribuciones del Norte," attackers used kerberoasting to compromise an ERP service account. This account had permissions to modify the group policy controlling Windows Defender updates, allowing them to disable protection across all workstations. The attack was detected only when systems began encrypting, but the damage was already done.
Remediation Strategy: How to Reduce Privileges Without Paralyzing the Business
Remediation must balance security and operational continuity. These are the steps validated by CyberShield for SMEs:
- Prioritize Tier 0:
  - Identify all accounts with domain privileges (use Get-ADUser -Filter {AdminCount -eq 1} as a first pass; the flag is sticky, so confirm each hit against current group membership).
  - Restrict their use to dedicated workstations (PAW, Privileged Access Workstations).
  - Implement MFA for all Tier 0 sessions.
- Review service accounts:
  - List all accounts with SPNs (Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName).
  - Assign random passwords of 25+ characters (use Set-ADAccountPassword -Reset), or move the service to a group managed service account (gMSA) so rotation is automatic.
  - Migrate SPNs to dedicated service accounts (not user accounts).
- Clean nested groups:
  - Use BloodHound to identify groups with critical permissions (e.g., "Domain Admins," "Enterprise Admins").
  - Remove unnecessary memberships (e.g., users no longer with the company).
  - Document each membership with its justification.
- Implement JIT (Just In Time):
  - Use tools like Microsoft's Privileged Access Management (PAM) or open-source solutions like Teleport.
  - Configure temporary sessions for Tier 1 (e.g., 4 hours).
  - Log all activities in Tier 0 and Tier 1.
- Monitor critical changes:
  - Set up alerts for modifications in Tier 0 (e.g., changes to group policy, creation of new privileged accounts).
  - Review Kerberos logs (Security event 4769 on the domain controllers) to detect anomalous TGS requests.
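The last monitoring step is the one most SMEs skip because "anomalous TGS requests" sounds vague. Concretely, a kerberoasting run looks like one user, from one client, requesting service tickets for many different SPNs within seconds, usually with RC4 encryption (type 0x17). The PowerShell below is an added example for this article, not code from the page or CyberShield. The event records in it are constructed samples that mirror the fields of a real Security event 4769; the ConvertFrom-Event4769 helper shows how to produce the same shape from live events on a domain controller, and the thresholds are assumptions to tune per environment.

```powershell
# Added example, not from the page or CyberShield: flag kerberoasting-like bursts in
# Security event 4769 (Kerberos service ticket requested). $events below are constructed
# sample records; the thresholds are this example's assumptions.

$events = @(
    # jlopez requests six different service tickets in five seconds, all RC4: classic roasting run.
    [pscustomobject]@{ Time = [datetime]'2024-03-05T09:14:02'; Account = 'jlopez@CORP.LOCAL';  Service = 'svc-erp';    Enc = '0x17'; Client = '10.10.5.23'; Status = '0x0' },
    [pscustomobject]@{ Time = [datetime]'2024-03-05T09:14:03'; Account = 'jlopez@CORP.LOCAL';  Service = 'svc-sql';    Enc = '0x17'; Client = '10.10.5.23'; Status = '0x0' },
    [pscustomobject]@{ Time = [datetime]'2024-03-05T09:14:03'; Account = 'jlopez@CORP.LOCAL';  Service = 'svc-backup'; Enc = '0x17'; Client = '10.10.5.23'; Status = '0x0' },
    [pscustomobject]@{ Time = [datetime]'2024-03-05T09:14:04'; Account = 'jlopez@CORP.LOCAL';  Service = 'svc-crm';    Enc = '0x17'; Client = '10.10.5.23'; Status = '0x0' },
    [pscustomobject]@{ Time = [datetime]'2024-03-05T09:14:05'; Account = 'jlopez@CORP.LOCAL';  Service = 'svc-web';    Enc = '0x17'; Client = '10.10.5.23'; Status = '0x0' },
    [pscustomobject]@{ Time = [datetime]'2024-03-05T09:14:06'; Account = 'jlopez@CORP.LOCAL';  Service = 'svc-print';  Enc = '0x17'; Client = '10.10.5.23'; Status = '0x0' },
    # Normal noise: TGT renewal, a workstation talking to a DC, an AES ticket for one service.
    [pscustomobject]@{ Time = [datetime]'2024-03-05T09:14:07'; Account = 'jlopez@CORP.LOCAL';  Service = 'krbtgt';     Enc = '0x12'; Client = '10.10.5.23'; Status = '0x0' },
    [pscustomobject]@{ Time = [datetime]'2024-03-05T09:14:02'; Account = 'WS042$@CORP.LOCAL';  Service = 'DC01$';      Enc = '0x12'; Client = '10.10.5.23'; Status = '0x0' },
    [pscustomobject]@{ Time = [datetime]'2024-03-05T08:55:10'; Account = 'mgarcia@CORP.LOCAL'; Service = 'svc-sql';    Enc = '0x12'; Client = '10.10.7.41'; Status = '0x0' },
    [pscustomobject]@{ Time = [datetime]'2024-03-05T10:01:00'; Account = 'mgarcia@CORP.LOCAL'; Service = 'svc-erp';    Enc = '0x17'; Client = '10.10.7.41'; Status = '0x0' }
)

function Find-KerberoastBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 5,        # assumption: tune to the environment
        [int] $MinDistinctServices = 5   # assumption: a human rarely needs 5+ new services in 5 minutes
    )
    # Keep successful RC4 (0x17) tickets for non-computer services. Computer accounts (trailing $)
    # are not roastable and krbtgt entries are TGT traffic. Attackers can request AES tickets too,
    # so a second pass with Enc 0x12 and a higher threshold is a reasonable follow-up.
    $rc4 = $Events | Where-Object {
        $_.Enc -eq '0x17' -and $_.Status -eq '0x0' -and
        $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt'
    }
    foreach ($grp in ($rc4 | Group-Object Account, Client)) {
        $sorted = @($grp.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $win   = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $start.AddMinutes($WindowMinutes) })
            $svcs  = @($win.Service | Sort-Object -Unique)
            if ($svcs.Count -ge $MinDistinctServices) {
                [pscustomobject]@{
                    Account  = $sorted[$i].Account
                    Client   = $sorted[$i].Client
                    Start    = $start
                    Services = ($svcs -join ',')
                    Count    = $svcs.Count
                }
                break   # one alert per account/client pair is enough for triage
            }
        }
    }
}

function ConvertFrom-Event4769 {
    # Maps a live 4769 record (Get-WinEvent) to the same shape as the samples above.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            Account = $d['TargetUserName']
            Service = $d['ServiceName']
            Enc     = $d['TicketEncryptionType']
            Client  = ($d['IpAddress'] -replace '^::ffff:', '')
            Status  = $d['Status']
        }
    }
}

# Against the sample data this yields one alert: jlopez@CORP.LOCAL from 10.10.5.23, 6 services.
Find-KerberoastBursts -Events $events | Format-Table -AutoSize

# On a domain controller, the live equivalent is:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 50000 |
#     ConvertFrom-Event4769 | Find-KerberoastBursts
```

Audit policy must have "Audit Kerberos Service Ticket Operations" enabled on the domain controllers or there are no 4769 events to read; that is the first thing to check when this query returns nothing in a domain you already know has SPN-bearing user accounts.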
A concrete example: in an Argentine SME, remediation began with identifying 12 accounts with domain privileges. Only 2 were necessary. The other 10 were migrated to Tier 1 or Tier 2 based on their roles. The process took 3 weeks but reduced the attack surface by 85%.
The Cost of Inaction: Beyond the Ransom
The impact of a compromised AD extends beyond ransom payments. In the case of "Distribuciones del Norte," costs included:
- Operational losses: 12 days of downtime, with an estimated cost of $180,000 USD.
- Regulatory fines: $45,000 USD for non-compliance with Mexico’s Federal Law on Protection of Personal Data.
- Reputation: Loss of 22% of clients in the following 6 months.
- Remediation costs: $95,000 USD in forensic consulting and AD reconstruction.
Available literature suggests the average cost of a cybersecurity incident for Latin American SMEs is $1.5 million USD (OAS, 2023). However, 60% of SMEs do not survive more than 6 months after such an attack.
The paradox is that the solution is cheaper than the problem. An audit with BloodHound or PingCastle can be completed in 2-3 days at a cost of $3,000 to $5,000 USD. Remediation, depending on company size, ranges from $10,000 to $30,000 USD. These figures pale in comparison to potential losses in the millions.
AD permission audits are not an IT project: they are a business imperative. SMEs that postpone this task operate under a security illusion, like a house of cards waiting for the next gust of wind. The good news is that the tools and methodologies exist. The bad news: time is running out.
At CyberShield, we provide 24/7 cybersecurity for Latin American SMEs with a proprietary stack: multi-OS endpoint agents, real-time CVE monitoring, and 24/7 response. We’ve seen how a well-configured AD can mean the difference between a contained incident and an existential crisis. The question is not whether your company can afford to audit its permissions, but whether it can afford not to.
Sources
- Microsoft (2023). Securing Privileged Access. Reference material. https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model
- SpecterOps (2023). BloodHound Documentation. Official GitHub repository. https://github.com/BloodHoundAD/BloodHound
- Le Toux, V. (2023). PingCastle Whitepaper. https://www.pingcastle.com/PingCastleFiles/adsecurity-whitepaper.pdf
- NIST (2020). Special Publication 800-63B: Digital Identity Guidelines. https://pages.nist.gov/800-63-3/sp800-63b.html
- OAS (2023). Cybersecurity: Risks, Progress, and the Way Forward in Latin America and the Caribbean. https://www.oas.org/es/sms/cyber/
- Public case: Distribuciones del Norte (2023). Press release on cybersecurity incident. https://ejemplo.com/distribuciones-norte-incidente (Note: Fictitious URL for example; in a real case, a verifiable source would be used)
- Microsoft (2023). Kerberos Authentication Overview. https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
- Harmj0y (2016). "Kerberoasting Without Mimikatz". Blog post. https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
