Active Directory: The legacy we didn’t ask for
September 24, 2024
Microsoft Active Directory (AD) was first introduced in 1999.
To put this in context, if AD was a person, they could legally drink, drive a car and own property.
Active Directory has become the bane of our collective existence, supporting and enabling attackers to escalate privileges and move laterally throughout enterprise networks with ease.
The main reason for this, is nearly every modern enterprise has AD at the core of their infrastructure, with the obvious exception of recent startups and small organisations.
Cloud services have added to this, with many requiring sync agents that link AD objects to the cloud, exposing these services and data to additional risk, enabling attackers to move laterally from on-premises to cloud simply by modifying permissions of objects.
After nearly 25 years, it’s time to part ways with AD; not just because there is nothing ‘active’ about the platform, it’s the tremendous number of attack paths that leverage fundamental architectural and design weaknesses.
Given the sensitivity of data stored with AD, it’s an attractive target for adversaries. Hardening and protecting AD is also a challenge. Many enterprises have built up serious amounts of technical debt in the form of excessive permissions, unused groups, stale accounts and objects.
The MITRE ATT&CK Framework documents over 15 enterprise techniques for leveraging AD by moving through a network using minor and major misconfiguration.
As Microsoft begins to signal AD as a legacy platform, the myriad of bolt on technology required to secure it just isn’t cutting it anymore.
We need to adopt zero trust principles and modernise identity security capabilities - it’s time to move on.
Unpicking AD can be a tough mission. It acts as the central authentication platform (LDAP, NTLM, Kerberos) and directory for most enterprises, and it’s fundamental to most organisations as they transition and adopt modern cloud services.
Establishing a plan to progressively migrate functionality, without significantly impairing the service is key.
Where do you start? What processes/changes do you need to accelerate?
We’ve worked with many CISOs and cyber teams to start reducing reliance on AD, and it’s no easy task. Whilst for most enterprises it’s not possible (yet) to completely retire the service, some have made meaningful progress and the benefits are clear.
We’ve collated five of our top tips for getting started:
1. Audit and Remediate Services
Understand what is still reliant on your Active Directory infrastructure by performing an audit of the services configured and dependencies. Security tooling like SIEM can help a lot with this in the first instance. When searching authentication logs, DNS and DHCP service logs can determine what is accessing services.
Target removal of services like NTLMv1/2 authentication. These are insecure and legacy anyway, and removal will yield a significant security benefit. You may be surprised to find there are only a few dependencies remaining.
Clean-up stale and unused accounts and objects; there are great tools on the market that help with this process. Simply looking at last login information on accounts and other objects will be valuable.
Don’t allow sync of admin users from AD to Entra or other similar cloud services. This starts to split the management of cloud from on-premise and reduces potential lateral movement paths from on-premise into cloud.
Break down the activities required, and start removing and retiring services. Remember that progress, not perfection is the name of the game here, just removing services over time can have a huge positive impact.
2. Extend Identity Protection Capabilities
AD has limited identity protection capabilities. There is no native detection or alert for simple high risk operations such as adding a user to ‘Domain Admins’ or a login to a dormant account.
In addition, it’s very difficult to implement multi-factor authentication out of the box, given it is not well known or documented.
Consider tooling to provide these services and extend AD in the interim, which will improve posture and reduce the potential for lateral movement.
3. Migrate to Modern Authentication & Provisioning
Undertake an audit of your enterprise applications. Most cloud applications support single sign on, therefore most enterprises have integrated these with Entra ID or another IdP like Okta.
Microsoft now support an architecture to allow provisioning from cloud to on-premises, permitting mastering of groups and other data from Entra ID. Moving to this model guarantees that operations typically undertaken manually on-premise are flipped to cloud. This allows you to apply more modern controls and restrictions to on-premise and remove permissions to on-premise AD.
4. Migrate Key Services
Many services provided by Active Directory can be easily adapted. Certificate Authority is one such common dependency. It’s important to look at cloud alternatives for this, depending on your security requirements.
Group Policies also need consideration as most enterprises are still dependent on GPO’s to push configuration to end user devices and servers.
To reduce this dependence, audit policies and plan migration to Microsoft Endpoint Manager (InTune) for end user devices (and servers with Azure ARC). This assures devices get updates regardless of network location and provides a greater number of configuration options.
Once you have commenced using InTune, migrate endpoints and servers to the platform. This removes dependence from your on premise AD domain and decreases attack surface. It also enables you to utilise Windows Hello for Business with Cloud Kerberos trust for expanded authentication options and improved user experience.
This can be disruptive, but if timed with an operating system migration such as Windows 11, the impact can be greatly reduced.
5. Limit Network Access to AD
Once you have made meaningful progress migrating key services and dependencies, you can commence isolation of network access to AD domain controllers.
Due to the familiarity of Active Directory, IT teams tend to be drawn back into using the service, performing manual actions such as adding users to groups.
Removing administrative access to AD is critical to eliminate the temptation for users to make changes, and reduce attack surface. By automating user onboarding/offboarding and other processes, it’s possible to reduce permissions to AD.
Removal of administration access reduces the impact. For instance, if a compromise of a Service Desk Operator’s account were to occur, the impact of such a breach would be minimised, limiting an attacker's ability to move laterally.
Whilst AD isn’t going anytime soon, making meaningful steps towards removing dependency, mastering identity operations from the cloud and removing legacy authentication are great starting points with significant benefits.
If you are in the early stages of your journey away from AD or already well into reducing access, our team can help you. Get in touch today.