Why now is the time to prioritize Active Directory modernization


For most companies, Microsoft Active Directory (AD) is the cornerstone of operational success in the digital era.

One of the world’s most popular corporate access management tools, AD is said to be relied on by roughly 90% of organizations globally as a centralized user and rights management platform.

AD is fundamental to our daily working lives, enabling companies to define who can do what in a network, managing resources, users and devices as well as their access to endpoints, tools and systems. However, in many ways, that dependence on a fairly old solution is a strange concept.

Technologies have evolved at an incredible speed in recent years. It’s hard to really quantify this, but The Independent’s analysis does a pretty good job when it asked: could an iPhone fly me to the moon? Of course, you would (obviously) need a spacecraft… but from a computing perspective, it’s interesting to think about.

Today’s smartphones are exponentially more powerful than the guidance computer that NASA used for its famous Apollo 11 mission in 1969. While the latter had a peak performance of 12,250 floating point operations per second (FLOPS), an Apple iPhone 12 (which in smartphone terms is now somewhat dated) delivers 11 trillion FLOPS, making it approximately 900 million times faster.

The point, within this context, is that it’s incredible to think that one of the cornerstones of enterprise-level networks today is a technology that was built almost a quarter of a century ago. Officially launched in 2000, AD was introduced when the concepts of remote working and cloud computing services were almost alien to the world of corporate networks.

Dan Lattimer, Area VP, UK & Ireland, Semperis.

Why does AD continue to be so important today?

To understand exactly why AD has defied the odds and remains so integral today, it’s important to consider how it came to be.

Before AD's launch, Microsoft's IT directory servers didn’t scale adequately to support the needs of medium and large enterprises, necessitating multiple servers. For instance, a tech-centric company with around 1,000 employees might have needed as many as 200 different servers.

This posed a significant challenge for companies. Managing these numerous disparate servers was a difficult and fiddly endeavor, each requiring unique login credentials. Further, file sharing was problematic and cumbersome due to the lack of seamless communication between servers.

AD was a revelation in that it solved these challenges for companies. Integrating easily with applications and providing single sign-on capabilities across an entire business environment, it transformed the network experience, quickly becoming ubiquitous.

In the two decades since, AD’s prevalence has only continued to grow. Instead of becoming obsolete like many other technologies over the years, AD has grown to be even more vital, serving as the foundation for most cloud identity systems used by enterprises worldwide.

Indeed, AD continues to be the central managing point of authentication and authorization for most on-premises applications and data, extending these functions to cloud applications and resources through synchronization and federation with Entra ID, Okta, or other cloud identity providers.

Unfortunately, AD is now a considerable security liability

Consequently, AD has become the foundation of computing success. However, while it remains indispensable for many organizations, it has also become a considerable security liability.

Serving as a centralized platform that allows administrators to manage permissions and control access to network resources, AD effectively holds the "keys to the kingdom" for companies. As a result, it has become a prime target for cyber attackers – if they are able to compromise AD, they are likely to be granted access to nearly all the systems, applications, and resources within an organization.

Microsoft itself outlines the predicament effectively, explaining that “because Active Directory provides rich identity and access management capabilities for users, servers, workstations, and applications, it's invariably targeted by attackers. If an attacker gains highly privileged access to an Active Directory domain or domain controller, that access can be leveraged to access, control, or even destroy the entire Active Directory Forest.” 

While AD is commonly associated with on-premises environments, the impact of its compromise extends beyond such boundaries. In hybrid on-premises and cloud scenarios that for many have become the norm, breaching AD means gaining access to the organization's cloud resources as well. In fact, attackers often find it easier and more effective to compromise AD, using those credentials to access multiple cloud applications rather than targeting each cloud application individually.

Repeatedly, we've witnessed AD-related threat scenarios unfold, with numerous high-profile cyber-attacks continuing to make headlines year after year.

Some of the most renowned events include the 2017 NotPetya attack. Here, AD was encrypted as part of an attack sequence, leaving affected organizations scrambling and often failing to restore their environments given that AD provides access to all systems, often including those concerning recovery.

Fast forward to 2020, and the highly sophisticated cyberattack targeting SolarWinds made global news after the company’s IT management and network monitoring software was compromised, with a malicious backdoor being distributed to the firm’s customers in a routine update. Here, AD systems were a prevalent target in the supply chain attack, providing a pathway to access critical systems and data within the affected organizations.

Years of configuration drift and lax, outdated security practices have introduced numerous vulnerabilities for many companies, with many facing significant security challenges from managing a complex web of multi-forest environments.

Where to begin in reducing your attack surface

Naturally, the most effective strategies for modernizing Active Directory (AD) often involve consolidating multiple forests into a single, unified environment. By reducing the number of forests, organizations can streamline management, lessen complexity, and minimize opportunities for attackers to exploit the trust relationships inherent between forests.

By consolidating forests, organizations can centralize the enforcement of security policies using tools such as Group Policy Objects (GPOs), Intune, or System Center Configuration Manager (SCCM). This centralization enhances security, simplifies management tasks, and lowers operational overhead. Successful AD consolidation projects typically involve:

1. Migrating users, groups, computers, and applications from one AD domain or forest to another. This process requires a systematic and comprehensive approach that considers every aspect of the migration.

2. Giving careful attention to applications, security configurations, and the unique sensitivities within organizational environments.

3. Planning for the challenges and key components of an AD migration, so that the outcome aligns with business, IT, and security requirements. Adhering to best practices is crucial.

4. Conducting a thorough inventory of all resources and creating a detailed migration plan. Equally important is testing and validating the destination environment and providing comprehensive training and support to end users and IT staff.
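The inventory step above, and the trust relationships the consolidation is meant to remove, as an added PowerShell example that is not from the article or from Semperis. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain-joined host, and an account with read access to the forest.

```powershell
# Added example (not from the article): pre-consolidation inventory of a forest,
# its domains and its trusts. Assumes the RSAT ActiveDirectory and GroupPolicy
# modules and an account with read access, run from a domain-joined host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$forest = Get-ADForest
Write-Host "Forest $($forest.Name) ($($forest.ForestMode)), root domain $($forest.RootDomain)"

# Per-domain object counts set the scope of the migration and of the tests
# that must validate the destination environment afterwards.
# Note: -Filter * enumerates whole domains and can be slow on large ones.
$forest.Domains | ForEach-Object {
    $dom = Get-ADDomain -Identity $_
    [PSCustomObject]@{
        Domain     = $dom.DNSRoot
        DomainMode = $dom.DomainMode
        PDC        = $dom.PDCEmulator
        Users      = @(Get-ADUser     -Filter * -Server $dom.DNSRoot).Count
        Groups     = @(Get-ADGroup    -Filter * -Server $dom.DNSRoot).Count
        Computers  = @(Get-ADComputer -Filter * -Server $dom.DNSRoot).Count
        GPOs       = @(Get-GPO -All -Domain $dom.DNSRoot).Count
    }
} | Format-Table -AutoSize

# Every trust is a path across a security boundary; consolidation exists to
# remove them. List each one with the settings that limit its abuse. The two
# SID-filtering flags are reported raw because their meaning depends on the
# trust type (external vs. forest); confirm them with netdom before acting.
Get-ADTrust -Filter * | ForEach-Object {
    [PSCustomObject]@{
        Target        = $_.Target
        Direction     = $_.Direction
        IntraForest   = $_.IntraForest
        ForestTrust   = $_.ForestTransitive
        SelectiveAuth = $_.SelectiveAuthentication
        SIDFilterQuar = $_.SIDFilteringQuarantined
        SIDFilterFA   = $_.SIDFilteringForestAware
        # Cross-forest trusts without selective authentication get reviewed first
        Review        = if (-not $_.IntraForest -and -not $_.SelectiveAuthentication) { 'yes' } else { '' }
    }
} | Sort-Object Review -Descending | Format-Table -AutoSize
```

The domain table gives the migration plan its object counts and GPO scope; the trust table is the list of cross-boundary paths the consolidated design should end up without.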

Without a doubt, modernizing AD in this manner is critical for reducing security risks associated with trust abuse and minimizing the attack surface of the environment. Simplifying AD architecture not only boosts security but also improves operational efficiency, enhancing the overall cybersecurity posture and lowering IT management costs.


This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
