Setting Up Honey Pots for Active Directory 

The world of computing is replete with threats that can compromise the security of your system at any time. Unauthorized users may try to gain access to client machines and perform malicious activities using existing loopholes. A honey pot is a decoy network that masquerades as a real, genuine one.

Honey Pots are used to trick intruders and give them the impression that they are attacking the real network. The attacker's activity is then logged and studied. In a nutshell, a honey pot protects your system by exposing the intruder's activity.

A Honey Pot is a computer system set up to lure would-be attackers and deflect their attempts to gain unauthorized access to the network. It is installed on a computer to simulate the behavior of the real system. The decoy system is isolated and monitored by system administrators.

Setting Up the Honey Pot Account

Securing Active Directory is an important organizational policy; it helps system auditors track relevant events and changes taking place in the network. Everyday threats are becoming more elusive, which calls for several layered security measures, including ones that handle insider attacks.

One way of implementing this is to use Honey Pot accounts that trick the attacker into believing they have full access to the system.

Within the Active Directory context, a Honey Pot administrator account can be set up because most attackers look for this account. The administrator account gives them the impression of having unrestricted access to all resources in the Active Directory.

Advanced hackers may not fall for this trick, but using Honey Pots in your network is the best way of detecting malicious activity. System administrators need to realize that Honey Pots are not foolproof, because some hackers will immediately recognize that the Honey Pot account is not legitimate. For the Honey Pot account to hold up against the most sophisticated attacks, here is what the administrator needs to do:

  • Rename the Built-in Administrator Account
    This account has to be renamed and its default description removed. The new name should be a username that matches the Active Directory naming conventions.
  • Create Another User Account with Username “Administrator”
    The default description for this account should be “Built-in account for registering the computer/domain”. The idea is to create a proxy Administrator with the same description as the default account.
  • Enable Auditing
    Enable auditing of activities such as failed and successful logon attempts for the account created in step two above. The auditing configuration may be used alongside a tool that searches and alerts whenever this account is accessed. The Microsoft built-in tooling may not deliver searches and alerts promptly, so a third-party tool such as Active Directory Audit Plus can help with monitoring, searching, analyzing, and giving live alerts when a login attempt is made against the Honey Pot account.
  • Monitor the Honey Pot Activities
    Using an appropriate account auditing solution, log and monitor all live activity on the account.

The four steps above should enable the Honey Pot account. It is also a good idea to log and monitor activity on the renamed administrator account. The organization’s security policy should state that the renamed account is not used except in an emergency.

Tracking all logon activity of all users is important in keeping system security tight. The two accounts should now raise an immediate alert when a login attempt is made, and the network can thus be deemed secure and prepared for external intrusions.
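The four-step procedure above, together with the follow-up advice to watch the renamed account as well, as one PowerShell script. This is an added example, not code from the original article or from any product it mentions. It assumes the RSAT ActiveDirectory module, a session on a domain controller with Domain Admin rights, and a new name of your choosing ($NewAdminName) that follows your naming convention. Rather than hardcoding the description text, it copies whatever description the built-in account currently carries onto the decoy before the original is cleared, so the decoy always matches the domain's real default.

```powershell
# Added example: honey pot "Administrator" account for Active Directory.
# Assumptions: RSAT ActiveDirectory module, run on a domain controller as Domain Admin;
# $NewAdminName is a hypothetical name of your choosing.
Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$DecoyName = 'Administrator'

# Locate the real built-in Administrator by its well-known RID (500), not by name,
# so the lookup still works after the account has been renamed.
function Get-BuiltInAdministrator {
    $sid = "$($Domain.DomainSID.Value)-500"
    Get-ADUser -Identity $sid -Properties Description, SamAccountName
}

# Step 1: rename the built-in account and clear its default description.
function Rename-BuiltInAdministrator {
    param([Parameter(Mandatory)][string]$NewAdminName)
    $admin = Get-BuiltInAdministrator
    Rename-ADObject -Identity $admin.DistinguishedName -NewName $NewAdminName
    # Identify by GUID because the DN just changed.
    Set-ADUser -Identity $admin.ObjectGUID `
               -SamAccountName $NewAdminName `
               -DisplayName $NewAdminName `
               -UserPrincipalName "$NewAdminName@$($Domain.DNSRoot)" `
               -Clear Description
}

# Step 2: create the decoy with the original name and description. It gets a long
# random password that nobody knows, is enabled so failed logons look like a live
# account, and is deliberately NOT added to any group: it must hold no privilege.
function New-HoneyPotAdministrator {
    param([Parameter(Mandatory)][string]$Description)
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-ADUser -Name $DecoyName -SamAccountName $DecoyName `
               -UserPrincipalName "$DecoyName@$($Domain.DNSRoot)" `
               -Path $Domain.UsersContainer `
               -Description $Description `
               -AccountPassword $password -Enabled $true `
               -PasswordNeverExpires $true -CannotChangePassword $true
}

# Step 3: audit successful and failed logons. auditpol changes only the local DC;
# in a domain, set the same subcategories through Group Policy (Advanced Audit
# Policy Configuration) so every DC records them.
function Enable-HoneyPotLogonAuditing {
    foreach ($sub in 'Logon', 'Account Lockout', 'Credential Validation',
                     'Kerberos Authentication Service') {
        auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
}

# Step 4, plus the renamed account: return Security events that name either account.
# TargetUserName is read from the event XML because its position in the Properties
# array differs between event IDs.
function Get-HoneyPotLogonEvents {
    param(
        [Parameter(Mandatory)][string[]]$WatchedAccounts,
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    # 4624/4625 logon ok/failed, 4768/4771 Kerberos TGT ok/failed, 4776 NTLM validation
    $ids = 4624, 4625, 4768, 4771, 4776
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($WatchedAccounts -contains $data['TargetUserName']) {
                # 4776 reports the client as Workstation; the others carry IpAddress.
                $source = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Account = $data['TargetUserName']
                    Source  = $source
                }
            }
        }
}

# Run the four steps in order; the decoy reuses the real account's existing description.
function Invoke-HoneyPotAdminSetup {
    param([Parameter(Mandatory)][string]$NewAdminName)
    $originalDescription = (Get-BuiltInAdministrator).Description
    Rename-BuiltInAdministrator -NewAdminName $NewAdminName
    New-HoneyPotAdministrator -Description $originalDescription
    Enable-HoneyPotLogonAuditing
}

# Usage (hypothetical new name):
#   Invoke-HoneyPotAdminSetup -NewAdminName 'svc-dirops'
#   Get-HoneyPotLogonEvents -WatchedAccounts 'Administrator', 'svc-dirops'
```

Any row Get-HoneyPotLogonEvents returns for the decoy is a finding, since no person or service should ever authenticate as it; rows for the renamed account outside a declared emergency are equally worth a ticket. Schedule the function (or feed the same event IDs to whatever auditing product you use) so the alert arrives while the attempt is still in progress rather than at the next manual review.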

Decisions to be Made When Deploying a Honey Pot

Before any consideration is made to deploy a Honey Pot account, here are some of the critical decisions system administrators are faced with:

  1. Reason for the Account
    Two primary reasons determine whether deploying a Honey Pot account is necessary: the need for an early security warning, and the need for forensic analysis. Honey Pots address both by providing the information needed for immediate follow-up.
  2. What Needs Protecting
    The most valuable objects in an Active Directory determine the type of fake account to use as a Honey Pot. In most cases, Honey Pot accounts mimic web servers, file servers, application servers, database servers, and logon servers. There is also the option of deploying a Honey Pot that mimics open ports, or several ports with each one dedicated to a particular server type.
  3. The Active Directory Interaction Levels
    Honey Pot accounts are defined by three levels of interaction:
    • Low level
    • Medium level
    • High level

The low-level accounts give early warning signs of malicious activities; the medium level accounts may have basic file structures to give the hacker a “true” reflection of the system content, while the high-level accounts may contain a complete copy of the server they emulate.

  4. The Location of the Honey Pot
    The Honey Pot should be located near the resources it is trying to protect. For example, a web server decoy account should share the same IP address where the real server is located.
  5. Real or Emulation Software
    Using real systems is a good idea because it becomes difficult even for the most advanced hacker to tell whether they are dealing with a Honey Pot. Using emulation software means having access to a built-in signature detection tool, which is useful for monitoring.
  6. Monitoring and Alert Tools to Use
    A Honey Pot is only of value when logging takes place. The monitoring tool should be able to report on all activities in real time.
  7. How to Administer the Honey Pot
    Once a Honey Pot account is set up, it should keep running throughout the life of the services it mimics. At least one person (more if necessary) should be given control of the decoy accounts, with responsibility for planning, installing, configuring, monitoring, and updating the Honey Pot.

All communications coming through a Honey Pot are considered hostile. System administrators should therefore use all of this activity as insight into the level and types of threats the network faces. A Honey Pot account should be treated as an added security layer, not a replacement for security measures already in place.
