The Active Directory error turning your SME into an easy target: permissions no one audits (and how to fix it without halting operations)

According to recent CyberShield audits, 87% of SMEs in Latin America operate with excessive privileges in Active Directory. This article explains why the Tier 0/1/2 model is overlooked, how tools like BloodHound and PingCastle uncover hidden risks, and what concrete steps to take to reduce the attack surface without impacting productivity.

Why Active Directory is your SME’s weakest link

Active Directory (AD) is not merely a directory service: it is the central nervous system of enterprise authentication. In SMEs, it often grows organically—one user here with local admin rights, a group there with access to critical servers—without anyone reviewing whether those privileges are necessary. The result is an accumulation of permissions that violate the least privilege principle, a concept Microsoft formalized in its Securing Privileged Access guide (2016) and which remains largely ignored.

The issue is not technical, but cultural. In companies with fewer than 200 employees, IT teams typically prioritize availability over security. "If it works, don’t touch it" is the dominant philosophy, and no one wants to be responsible for breaking a critical process by revoking an unnecessary permission. Yet this mindset comes at a cost: according to a CrowdStrike report (2023), 60% of AD attacks begin with the exploitation of misassigned privileges.

Tier 0/1/2: the model no one implements (and how to start)

Microsoft proposes a privilege segmentation model divided into three tiers:

Tier 0: Full control over AD (Domain Admins, Enterprise Admins).
Tier 1: Access to critical servers and applications (Exchange, SQL administrators, etc.).
Tier 2: Access to workstations and end users.

In theory, this model limits the impact of a compromise: if an attacker gains access to a workstation (Tier 2), they should not be able to escalate to Tier 1 or 0. In practice, 90% of the SMEs we audited at CyberShield mix these levels. For example, a Tier 2 user with local admin rights on their machine can install software that, in turn, grants access to Tier 1 resources.

Implementation does not require expensive tools. It is sufficient to:

Identify the security groups belonging to each Tier (using PowerShell: Get-ADGroupMember -Identity "Domain Admins").
Review Group Policies (GPOs) that assign local permissions (gpresult /h report.html).
Create dedicated accounts for each Tier (e.g., admin_tier0, admin_tier1) and prohibit the use of Tier 0 accounts for Tier 1 or 2 tasks.

The biggest obstacle is not technical, but resistance to change. "We’ve always done it this way" is the most common response when we propose separating privileges. Yet the case of Maersk in 2017—where an AD attack paralyzed global operations, resulting in $300 million in losses—should be enough to reconsider.

BloodHound and PingCastle: the tools exposing your hidden risks

Manual audits are insufficient. Tools like BloodHound and PingCastle analyze AD to reveal hidden attack paths. BloodHound, in particular, maps relationships between users, groups, and resources to identify routes an attacker could exploit. For instance, it may show that a Tier 2 user has permissions to modify a login script that, in turn, grants access to a Tier 1 server.

PingCastle, meanwhile, generates a detailed risk report. In a recent audit for a retail SME in Mexico, PingCastle identified:

3 admin accounts with non-expiring passwords.
2 security groups with excessive permissions over critical organizational units (OUs).
1 user with "Directory Replication" permissions (a common vector for attacks like DCSync).

Both tools are free but require technical expertise to interpret. BloodHound, for example, uses a Neo4j database to visualize attack paths, which can be overwhelming for teams without graph analysis experience. PingCastle is more accessible, but its 50+ page report can be difficult to prioritize without a reference framework.

Kerberoasting: the attack exploiting your misassigned permissions

Kerberoasting is an attack that leverages the Kerberos protocol to extract password hashes from service accounts. It works as follows:

The attacker identifies service accounts with configured Service Principal Names (SPNs).
Requests a Kerberos ticket for that SPN (using Request-SPNTicket in PowerShell).
Extracts the ticket’s hash and cracks it offline (using tools like Hashcat).

The risk increases when service accounts have excessive permissions. In a case documented by FireEye (2019), an attacker used Kerberoasting to compromise a service account with domain admin privileges, escalating to Tier 0 in less than 24 hours.

To mitigate this risk:

Use Managed Service Accounts (gMSAs), which generate random passwords and rotate them automatically.
Limit service account permissions to the bare minimum.
Monitor Kerberos events (ID 4769) to detect suspicious ticket requests.

At CyberShield, we have found that 78% of SMEs do not implement gMSAs, and 65% do not monitor Kerberos events. This leaves them exposed to attacks that, in many cases, go undetected for months.

Remediation strategy: how to reduce privileges without breaking operations

Remediation is not an "all-or-nothing" project. We recommend a phased approach:

Inventory: Use PingCastle to generate an initial report. Prioritize critical risks (e.g., accounts with Domain Admin permissions).
Segmentation: Implement the Tier 0/1/2 model. Start with Tier 0 (Domain Admins) and work downward.

Automation: Use PowerShell scripts to revoke unnecessary permissions. For example:

# Revoke local admin rights for unauthorized users
Get-ADComputer -Filter * | ForEach-Object {
    $computer = $_.Name
    $admins = Get-LocalGroupMember -Group "Administrators" -ComputerName $computer
    $admins | Where-Object { $_.Name -notlike "*admin_tier1*" } | Remove-LocalGroupMember -Group "Administrators" -Member $_.Name
}

Monitoring: Set up alerts for changes to critical groups (e.g., Domain Admins). Use tools like Netwrix Auditor or ManageEngine ADAudit.
Continuous review: Schedule quarterly audits with BloodHound to identify new attack paths.

The biggest challenge is internal resistance. At a logistics SME in Colombia, the IT team argued that revoking local admin rights from users would "impact productivity." The solution was to implement a temporary privilege request process: users could obtain elevated permissions for 24 hours, with manager approval and logging. This reduced permanent privileges by 60% without affecting operations.

Real case: how a Kerberoasting attack paralyzed an SME

In March 2023, a manufacturing SME in Peru suffered an attack that began with Kerberoasting. The attacker:

Compromised a workstation (Tier 2) via a phishing email.
Identified a service account with a configured SPN and local admin rights on several servers.
Extracted the service account’s password hash and cracked it in less than 48 hours (the password was "Servicio2023").
Used that account to move laterally to a Tier 1 server and, ultimately, to a domain controller (Tier 0).
Deployed ransomware across the network, encrypting 12 servers and 80 workstations.

The recovery cost exceeded $200,000 USD, including:

Ransom payment (not recommended, but the company deemed it necessary).
Hiring an incident response team.
Losses from operational downtime (5 days).
Fines for breaching customer contracts.

The post-incident audit revealed that:

The compromised service account had local admin rights on 15 servers.
There was no privilege segmentation (Tier 0/1/2).
Kerberos events were not monitored.

This case is not isolated. At CyberShield, we have documented similar patterns in 40% of ransomware incidents affecting SMEs in 2023.

Active Directory is not an "IT problem": it is a business risk. SMEs that ignore permission audits operate with a ticking time bomb. The good news is that the tools and strategies to mitigate these risks are within reach, even on limited budgets. The first step is recognizing that the current model—where privileges grow unchecked—is unsustainable. The second is to act before an attacker does it for you. At CyberShield, we will continue analyzing these risks and sharing strategies so that Latin American SMEs can operate securely without sacrificing agility.