
Photo by Samantha Sophia on Unsplash
Designing a secure Active Directory
Toughen Up!
Active Directory (AD) does not have a good reputation among many IT security specialists, and more than one admin thinks it should be removed as soon as possible. Of course, survivorship bias plays a role in such thoughts: the infrastructures that require high-caliber specialists to save the day are ultimately those with the greatest discrepancy between their attractiveness to attackers and their degree of hardening. In this article, I use the term "hardening" to refer both to IT infrastructures themselves and to the people and processes involved in managing them.
Active Directory can be run fairly securely if the organization involved is at least prepared to drop old habits and invest in a secure, state-of-the-art design instead of just in third-party tools. This approach might not sound as sexy in the annual report as the latest extended detection and response (XDR), managed detection and response (MDR), or identity threat detection and response (ITDR) strategies, but it is likely to offer greater benefits.
When AD Is Not AD
To get the ball rolling, the term "insecure AD" typically means Active Directory Domain Services (ADDS) – that is, a directory service tied to Kerberos authentication and group policies. In some cases, the Active Directory Certificate Services (ADCS), Microsoft's implementation of a public key infrastructure (PKI), deals the final death blow to the security of the environment.
However, three other ADs belong to the Windows server family. First is the Active Directory Rights Management Service (ADRMS), a cryptography tool for protecting digital content such as documents and email. The service is very rarely used in local environments but provides the technology basis for Azure Information Protection, which evolved into Microsoft Information Protection and finally Microsoft Purview Information Protection
...
