This report has been compiled using a combination of publicly available data and data

The State of Active
Key Risks to Monitor for 2026

Introduction

The threats organizations face in 2026 have changed considerably from even a couple of years ago. Active Directory (AD) has been, and still is, one of the most overlooked areas of cybersecurity. AD is the central part of identity and access management where users are authenticated and

In this report, we will discuss the current state of AD security and point out the top risks organizations will need to address in the upcoming year in order to avoid making the headlines. We will explore 10 risk factors related to AD security such as admin users, inactive accounts, permission

As the CEO of Lepide, a company committed to helping organizations secure their most valuable digital assets, I believe that understanding and proactively addressing the security gaps in Active Directory is essential for maintaining the integrity of your IT environment. The insights

About this report

The goal of this report is to help identify ten important, measurable indicators in Active Directory, which are closely linked to risk, for example, inactive users, admin accounts, permission changes, and failed logins. Using public data and our customers' experience, we

In this report, we will go through:

1. User accounts
2. Admin users
3. Inactive users
4. Users with passwords set to never expire
5. Permission changes
6. Password policy changes
7. Failed logons
8. Account lockouts
9. Activity outside of business hours
10. User/computer status changes

Executive Summary

79% of organizations have users with excessive permissions, significantly increasing the attack surface and making it easier for threat actors to

• Business and compliance impact: Poor AD hygiene not only increases the likelihood of a successful breach but also raises the risk of regulatory non-compliance under GDPR, HIPAA, SOX, and PCI DSS.
Organizations are facing financial losses (over £4 million reported in the last two years from incidents

Improper permissions or unauthorized changes account for 25% of all data breaches, underscoring Active Directory (AD) mismanagement as a

Active Directory remains the backbone of identity and access management for the vast majority of organizations, yet it is also one of the most poorly

Key findings from the 2025 assessment include:

• Orphaned and inactive accounts make up as much as 30% of AD users in some organizations, providing unmonitored entry points for
• Weak password practices persist, with 23% of organizations allowing passwords that never expire and 45% operating with outdated or insufficient password policies.
• Failed logon activity is a key breach indicator, with nearly 40% of external actor breaches linked to repeated failed login attempts.
• Account lockouts remain a major operational issue, with 43% of organizations experiencing frequent lockouts that disrupt productivity.
• Suspicious activity outside business hours is on the rise, with one-third of such incidents tied to insider threats.

Recommended actions:

Enforce least privilege and regularly audit all permissions. Automate user lifecycle management to promptly remove inactive or orphaned accounts. Strengthen password policies and enforce Multi-Factor
Addressing these AD weaknesses should be a top 2025 security priority. Without immediate action, organizations risk remaining exposed to

The Hidden Cost of Inaction: Inside the AD Mismanagement Crisis Plaguing Data Security

A newly released study of Active Directory and identity management behaviors suggests a deeply concerning pattern of negligence, inefficiencies, and risk for

• Excessive permissions are a fact of life: 79% of organizations have users with excessive privileges, creating unnecessary surfaces for attack.
• Orphaned & inactive accounts are out of control: Up to 30% of corporate accounts are inactive or orphaned accounts -- small ticking time bombs of
• Password practices are actively dangerous: 45% of organizations have outdated or weak password policies in place, while 23% have users with
• Access chaos leads to breaches and downtime: Unauthorized changes, as well as users with improper permissions, account for 25% of breaches, while 43% of organizations experience frequent account lockouts.
• Insiders and After-Hours Activity Are Forms of Serious Risk: Insider access is responsible for 33% of incidents outside of business hours, while 25% of

• 79% of organizations have users with “excessive permissions”,
• Proliferation of admin accounts has led to £4 million worth of disruption to businesses in the last two years due to incidents
• 21% of Active Directory accounts within organizations were
• Improper permission settings or unauthorized permission changes were responsible for 25% of data breaches.
• 45% of organizations are found to have outdated or weak password policies, which could leave them vulnerable to
• Failed logon attempts are linked to nearly 40% of data breaches involving external actors.
• 43% of organizations report frequent account lockouts, leading to substantial down