The risks and rewards of Active Directory modernization [Q&A]
Active Directory (AD) was introduced in the late 1990s, when corporate networks had little virtualization or remote work, let alone cloud services.
AD controls authentication and authorization for most of an organization's on-premises applications and data and, through synchronization and federation with Entra ID, Okta or another cloud identity provider (IdP), extends the same controls to cloud applications and resources.
Today, AD and Entra ID are used in more than 90 percent of networks worldwide. Because AD is the default identity system, it is the attacker's primary target. Modernizing AD therefore carries both risks and rewards. We spoke with Mickey Bresman, CEO of Semperis, to learn more.
BN: Why is Active Directory modernization a security priority?
MB: At its core, AD is the component that enables users to securely access both on-prem line-of-business applications and cloud applications. In my conversations with customers with hybrid environments (which is most organizations today), we always conclude that it is much more effective for an attacker to breach AD and then log in to a cloud application like Salesforce, as opposed to trying to breach one cloud application at a time.
At the same time, by effectively holding the 'keys to the kingdom,' AD is tightly integrated into most organizations and is essential to all IT operations. If attackers gain privileged access to AD, they gain access to and control of any resources in the organization that depend upon AD.
For these reasons, AD is a major target for threat actors looking to perform reconnaissance and elevate privileges in a compromised network.
In the last few years, there have been a host of high-profile cyberattacks involving AD. In the 2017 NotPetya attack, AD was in the crosshairs. Encrypting AD as part of the attack left organizations scrambling to bring their environments back, as AD provided access to all organizational systems, including the recovery software. A few years later, a highly sophisticated cyberattack compromised SolarWinds' widely used IT management and monitoring software, installing a malicious backdoor into the software's updates, which were then distributed to SolarWinds' customers. AD systems were among the targets in this supply chain attack, as they provided a pathway to access critical systems and data within affected organizations. Given that AD is an essential component for most organizations’ IT infrastructure, the number of attacks on AD is only going to continue to rise.
The primary reason for modernizing AD is to reduce its attack surface. When AD was introduced in the late nineties, networks looked vastly different than they do now. AD domains were designed with bandwidth limitations and replication concerns in mind, which made them overcomplicated. These complex designs, along with years of configuration drift and outdated security practices, have introduced many security vulnerabilities into the directory service. Furthermore, the original AD architecture in most organizations was not built to handle cloud and modern infrastructures, rendering its security recommendations inadequate to meet the needs of today's enterprise.
When organizations look at the cybersecurity risk matrix now, AD is in the red. Modernization projects decrease the risk profile and complexity of AD, systematically reducing vulnerabilities that attackers rely on to compromise entire systems. In many organizations, lingering trusts that are put in place following a merger present additional risk through trust abuse. Modernization can enable teams to implement much stronger authorization controls for identity management and fully centralize control over their networks. Finally, by simplifying the environment through consolidation, modernization can also reduce overall management costs and improve user experience.
BN: There are a variety of AD challenges and misconceptions, particularly pertaining to forests. What about domains within AD environments?
MB: A forest is a collection of domains. Each domain comprises a logical group of objects (users, groups, computers, printers, and so on) that is managed by the same administrative team. When AD was first introduced, it was common for multiple domains to be adopted within a forest design. At the time, a common security misconception was that a domain defined the security boundary for independent units inside the organization.
Twenty years later, we now know that AD domains are not a security boundary. In an environment with multiple domains -- in which the default authentication systems of two domains are linked so that traffic can flow between them -- an attacker with admin access to a lower-trust-level domain can leverage the trust relationship to gain access to a higher-trust-level domain. Multiple domains also create many management challenges that result in unnecessary security exposures.
BN: Many organizations today have more than one forest environment. Why is forest consolidation critical to improving security?
MB: To enable users in one forest to log in and access resources in another, trust is established between the two, providing a seamless authentication and authorization experience across the forests.
Multi-forest environments are a major security exposure. Many organizations -- particularly large and complex organizations -- have acquired such environments over time, often through mergers and acquisitions. We can illustrate some of the weaknesses of multi-forest environments by considering trusts between forests. If the least secure AD forest is breached, attackers can use the trust to grant access to more sensitive environments.
It has been demonstrated, for example, that administrators from one forest can compromise resources from another forest that shares a two-way trust. If a forest trust exists between two AD forests and an attacker manages to compromise a machine with unconstrained delegation in one forest, they can then leverage that to compromise the other forest.
Collapsing as many forests as possible into a single forest reduces the attack surface of your AD environment and reduces the likelihood of trust abuse. Simplifying the environment also reduces complexity, further minimizing security and visibility gaps that enable attackers to move undetected within the environment. Beyond improving their security posture, organizations can benefit from decreased overall management costs by freeing up IT resources required in a more complex, distributed multi-forest environment.
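The trust and delegation conditions described in the answer above can be inventoried from any domain-joined host. The following PowerShell is an added example, not code from the interview or from Semperis; it assumes the RSAT ActiveDirectory module is installed and the account has read access to the directory. The trust flags come straight from Get-ADTrust (TGTDelegation is the setting that decides whether TGTs from unconstrained-delegation hosts are forwarded across a forest trust), and the delegation query uses the userAccountControl bits rather than a cmdlet filter so that it catches both computer and user accounts.

```powershell
# Added example (not from the interview): list every trust the current domain
# has, with the flags that matter for trust abuse, then list principals with
# unconstrained delegation. Assumes the RSAT ActiveDirectory module on a
# domain-joined host with read access to the directory.
Import-Module ActiveDirectory

function Get-TrustInventory {
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Partner                 = $_.Name
            Direction               = $_.Direction        # Inbound, Outbound or Bidirectional
            IntraForest             = $_.IntraForest      # domain trust inside this forest
            ForestTransitive        = $_.ForestTransitive # forest trust
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware
            # $true: TGTs from unconstrained-delegation hosts are sent across this trust
            TGTDelegation           = $_.TGTDelegation
        }
    }
}

function Get-UnconstrainedDelegation {
    param([string]$Server = (Get-ADDomain).DNSRoot)
    # userAccountControl bits: 0x80000 TRUSTED_FOR_DELEGATION, 0x2000 SERVER_TRUST_ACCOUNT.
    # Domain controllers are trusted for delegation by design, so exclude them
    # to see the real exposure: member servers and users with the flag set.
    $ldap = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
            '(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'
    Get-ADObject -Server $Server -LDAPFilter $ldap -Properties objectClass, servicePrincipalName |
        Select-Object DistinguishedName, objectClass,
            @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ';' } }
}

Get-TrustInventory | Format-Table -AutoSize
Get-UnconstrainedDelegation | Format-Table -AutoSize

# Repeat the delegation query against each trusted domain (hypothetical name):
# Get-UnconstrainedDelegation -Server partner.example
```

Any non-DC host returned by Get-UnconstrainedDelegation that sits in a forest with a trust where TGTDelegation is true is the configuration the answer warns about; it is the host an attacker would compromise and the trust the attacker would ride across.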
BN: Multi-forest environments are often created through mergers and acquisitions. What management and security challenges does M&A activity create for IT and identity management teams?
MB: Historically, M&As have been catalysts for creating AD forest trusts, in which organizations sought to provide the merging companies an ability to easily share resources. As discussed, however, increasing the number of forests makes AD infrastructure more complex. With more complexity, more IT resources and staff are required to manage additional forests and domains, resulting in operational inefficiency and security risk.
In most cases, multi-forest environments will suffer from prolonged reduced efficiency. This comes in the form of redundant group policies, more complex account- and object-cleanup efforts, and siloed accounts and assets. It is also unfortunately common for migration projects to stall out, leaving users migrated but resources such as applications and databases left in the original forest -- therefore requiring that a risky trust between the forests be maintained indefinitely.
Security risks can also increase during the consolidation following an M&A, when an organization might connect to a less-secure AD environment, putting it in a more-exposed state. In some cases, acquisitions might also increase the risk of an insider attack. There is a lot of stress and uncertainty, along with potential layoffs, all during the time when the organization's security posture is reduced to accommodate the integration of the acquired company. If they go undetected, attackers can gain access to the environment being merged by targeting the less-secure environment.
Continuous monitoring of the AD environment throughout the migration process is critical to ensure that it remains secure. Any unauthorized access attempts, changes to permissions, or any abnormal network activity should be promptly addressed.
BN: How can organizations modernize their AD environment without introducing new weaknesses?
MB: Throughout the migration process, security should serve as your north star. Each step you take in the migration process should place security as the top priority, always. The goal is to create a more secure and easier-to-manage environment.
Before migration commences, be sure to assess the security of your source AD environments and get guidance based on well-established security frameworks such as MITRE ATT&CK. Doing so can help you identify any security gaps, such as weak passwords or unsecured systems, and remediate vulnerabilities before moving any users, groups, applications, or computers to the destination environment. A variety of free AD security assessment tools, such as Purple Knight or Forest Druid, can help with this step. Along the same lines, you will want to identify and potentially remove privileges from any risky accounts before the migration.
During the migration, track changes in both your source and destination AD environments and quickly roll back unintended changes to objects or attributes. Unless continuous monitoring and assessment are in place, the migration process can introduce new vulnerabilities that might not be detected. Attackers love to take advantage of unsettled environments, so ensuring security during the transition period is paramount.
After completing the migration process, continue to monitor your destination environment to ensure it remains secure and flag any new vulnerabilities. Make sure to remove the unnecessary forests, after taking a backup of the environment prior to the decommission. By the same token, make sure to finish the migration process by removing the unnecessary SID History attribute, as it presents a security risk in the environment. It is essential to ensure that you have the ability to restore that attribute in a swift manner if a need arises. Lastly, keep in mind that security is a process that should be top of mind, and make sure to conduct regular security audits.
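The last step in the answer above, removing SID History once the migration is finished while keeping a way to restore it, can be scripted. The following PowerShell is an added example, not code from the interview or from Semperis; it assumes the RSAT ActiveDirectory module and an account permitted to modify the affected objects. It records every historical SID to a CSV before clearing anything and refuses to clear without that record, because sIDHistory cannot be re-added with a plain LDAP write; restoring it means an AD backup or re-running the migration tool, so the export is what tells you which objects need that.

```powershell
# Added example (not from the interview): record, then clear, sIDHistory after a
# forest consolidation. Assumes the RSAT ActiveDirectory module and an account
# allowed to modify the objects; run Clear-SidHistory with -WhatIf first.
Import-Module ActiveDirectory

function Export-SidHistory {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [Parameter(Mandatory)][string]$Path
    )
    # Every object still carrying a SID from a source domain, one row per historical SID.
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -SearchBase $SearchBase `
                 -Properties sIDHistory, objectClass, objectSid |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                [pscustomobject]@{
                    DistinguishedName = $obj.DistinguishedName
                    ObjectClass       = $obj.objectClass
                    CurrentSid        = $obj.objectSid.Value
                    HistoricalSid     = $sid.Value
                }
            }
        } | Export-Csv -Path $Path -NoTypeInformation
}

function Clear-SidHistory {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # The export produced by Export-SidHistory; the record you restore from.
        [Parameter(Mandatory)][string]$ExportPath
    )
    if (-not (Test-Path $ExportPath)) {
        throw "Run Export-SidHistory first; sIDHistory cannot be re-added by an LDAP write."
    }
    $targets = Import-Csv $ExportPath |
        Select-Object -ExpandProperty DistinguishedName -Unique
    foreach ($dn in $targets) {
        if ($PSCmdlet.ShouldProcess($dn, 'Clear sIDHistory')) {
            Set-ADObject -Identity $dn -Clear sIDHistory
        }
    }
}

# Usage (hypothetical file name):
# Export-SidHistory -Path .\sidhistory-before-cleanup.csv
# Clear-SidHistory -ExportPath .\sidhistory-before-cleanup.csv -WhatIf
# Clear-SidHistory -ExportPath .\sidhistory-before-cleanup.csv
```

Run the export, review the CSV for any object whose historical SID still grants access to a resource that has not been migrated (those objects are the reason stalled migrations keep a trust alive), and only then run the clear without -WhatIf.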
Image credit: Momius/depositphotos.com