Strengthening the Cybersecurity of Active Directory to Mitigate Cyber-Risk


“Organizations must be able to manage their identity security in hybrid environments that use both on-premises Active Directory and Azure Active Directory services on a continual basis—not just at a point in time—while actively testing against the latest indicators for new attacks and threats,” says Guido Grillenmeier, Chief Technologist, Semperis.


ITSW Bureau: With hybrid environments gaining a strong foothold within enterprise business operations, what challenges do you think organizations can encounter associated with their Active Directory? 

Guido Grillenmeier: Windows’ directory service, Active Directory (AD), is an on-premises infrastructure component for 90% of businesses and remains a weak spot. 

As hybrid working becomes the norm, the potential attack surface expands for an adversary. It’s a relatively common scenario to see attacks start on-premises and move to the cloud or move from cloud to on-prem. 

AAD Connect is a synchronization engine that reads the account data from Active Directory while connecting with a corresponding service on the Azure side. It writes any necessary actions taken on-prem into Azure AD, from newly created accounts or changed passwords to altered group memberships, or vice versa.

In simple terms, it ensures that any change you make in your on-prem environment is replicated into your Azure environment or the other way around – something many companies are relying upon to sustain hybrid operating models. 

However, despite its benefits in supporting modern business operations and working patterns, AAD Connect is often a target of attacks due to the various permissions granted to the accounts used by the tool. Due to the nature of the tool, it has privileged access to both worlds, the on-prem AD and the AAD tenant in the cloud, making it a perfect target for attackers that are after cloud resources.  

ITSW Bureau: How can organizations protect their Active Directory while mitigating cyber risks? How does the Directory Services Protector of Semperis help organizations to achieve this?

Guido Grillenmeier: Organizations must be able to manage their identity security in hybrid environments that use both on-premises Active Directory and Azure Active Directory services on a continual basis—not just at a point in time—while actively testing against the latest indicators for new attacks and threats. 

Any company should perform at least periodic scans of their Active Directory, and then actively work on remediating the security issues found in their environment – before an intruder finds them and uses them to spread malware or do other damage to the business. 

Of course, performing a manual scan, say weekly, is much better than not doing those scans at all. But companies should also consider investing in proper security monitoring tools that are integrated with their Security Information and Event Management (SIEM) to allow immediate warning when a new vulnerability exposes their AD again. 

Semperis’ Directory Services Protector (DSP) addresses the challenges organizations face in combating the rise in attacks that enter organizations through on-premises AD, then move to the cloud—or vice versa. 

In particular, the DSP Intelligence module provides automated security assessments of Microsoft Active Directory (AD). It is designed to provide a larger range of security indicators and advanced pre-attack tests to harden AD against new adversary TTPs and spot weaknesses before an attacker does.

A growing number of breaches involve the exploitation of suboptimal AD configurations to allow attackers to gain a foothold within target networks, access sensitive resources, and deploy malware. DSP Intelligence continuously queries an organization’s AD environment and performs a comprehensive set of tests to get ahead of attackers. The threat hunting capabilities have also proven to be extremely helpful for organizations in post-breach scenarios to understand how attackers broke in and how to close backdoors for good. 
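One way to turn the "periodic scan" advice above into a repeatable check is to audit which principals hold the directory-replication extended rights on the domain naming context, since the AAD Connect sync account legitimately needs them and anything else should be explainable. This is an added example, not code from the interview or from any Semperis product; the well-known rightsGuid values and the list of expected principals are assumptions you should verify against your own forest.

```powershell
# Added example (not from the interview or Semperis): list who holds
# replication extended rights on the domain root and emit unexpected
# holders as JSON lines that a SIEM collector can ingest.
Import-Module ActiveDirectory

# Documented rightsGuid values for the replication extended rights
# (assumption: verify against CN=Extended-Rights in your configuration NC).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$Domain = Get-ADDomain
$NetBios = $Domain.NetBIOSName

# Principals that hold these rights by default (assumption; adjust for your forest).
# The AAD Connect sync account (MSOL_<id>) is matched separately below.
$Expected = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    "$NetBios\Domain Controllers",
    "$NetBios\Enterprise Read-only Domain Controllers"
)

# Read the ACL of the domain naming context through the AD: PSDrive.
$Acl = Get-Acl -Path ("AD:\" + $Domain.DistinguishedName)

$Findings = foreach ($ace in $Acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $guid = $ace.ObjectType.ToString().ToLower()
    if (-not $ReplicationRights.ContainsKey($guid)) { continue }
    $who = $ace.IdentityReference.Value
    [pscustomobject]@{
        Timestamp = (Get-Date).ToUniversalTime().ToString('o')
        Domain    = $Domain.DNSRoot
        Principal = $who
        Right     = $ReplicationRights[$guid]
        Inherited = $ace.IsInherited
        # Known-good if it is a default holder or the AAD Connect sync account.
        Expected  = ($Expected -contains $who) -or ($who -like "$NetBios\MSOL_*")
    }
}

# Only unexpected holders are forwarded; review each one and remove or document it.
$Findings | Where-Object { -not $_.Expected } |
    ForEach-Object { $_ | ConvertTo-Json -Compress }
```

Run it on a schedule from a hardened admin host and ship the output to your SIEM so that a newly granted replication right raises an alert instead of waiting for the next manual review.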

ITSW Bureau: In the event of a security incident, how can organizations quickly recover their business operations? 

Guido Grillenmeier: AD disaster recovery is a highly difficult undertaking; however, it’s possible to prepare for it in a variety of ways. Often, companies only realize they don’t have valid backups until it’s too late. Ultimately, your recovery data is going to be critical data – your users, your groups, your customers’ personal information. To be completely safe, it is wise to regularly check backups and ensure that these are entirely separated and disconnected from your environment.

Equally, it is imperative that you have quick and easy access to that data in the case of failure. Should Azure not be available and you need quick access to critical data, is that possible? Organizations should ensure they always have access. When it comes to recovery, a series of transparent protocols should be implemented that are reviewed on a regular basis – perhaps quarterly – to ensure that they continue to work over time.

Here, a playbook can be useful, ensuring continuity of action should key staff members leave or be absent in crisis moments. What is clear is that such preparations are needed now more than ever before, and the current threat landscape will only continue to worsen through 2022 and beyond.  

ITSW Bureau: What trends do you expect to see in the security of active directory services? What advice do you have for IT and Security leaders to keep up with them? 

Guido Grillenmeier: AD didn’t use to be attacked all that often because it was difficult. However, today, you don’t need to be an expert to do so. With ransomware-as-a-service, unsophisticated attackers are now able to execute sophisticated attacks. 

Furthermore, there are always new risks and vulnerabilities appearing. It’s only when Microsoft announces a new fix that these gaps are plugged, but before this is rolled out, it is often the case that it’s already been leveraged by several hackers.

Therefore, more than ever, companies need a means of ensuring that the entire network isn’t lost. The core security of the Active Directory service is nothing that Microsoft will fix for you – the risks lie in the various configuration choices you’ve put into your AD to integrate your business apps with it. There are many helpful tools out there to evaluate your own AD security posture and fix the gaps before they are used against you. 

Guido Grillenmeier is Chief Technologist with Semperis. Based in Germany, Guido has been a Microsoft MVP for Directory Services for 12 years. He spent 20+ years at HP/HPE as Chief Engineer. A frequent presenter at technology conferences and contributor to technical journals, Guido is the co-author of Microsoft Windows Security Fundamentals. He’s helped various customers secure their Active Directory environments, and supported their transition to Windows 10/M365 and Azure cloud services.