Co-founder of Semperis. Leads the company’s overall strategic vision and implementation.
In the highly distributed, cloud-based computing environments that are increasingly common today, threat actors primarily target identities to gain access to organizational resources. As such, Active Directory (AD) and Azure AD (now Entra ID) identity systems, used in more than 90% of enterprises worldwide, have become a major target for bad actors.
As the directory service for network users and resources, AD is tightly integrated into most organizations and is essential to all operations. A survey from my company reveals that 77% of business leaders and their security and IT ops teams would experience a severe or catastrophic impact if AD were down. Unfortunately, the original AD architecture in most organizations wasn’t built to handle cloud and modern infrastructures. As a leader in offering AD migration solutions, and considering AD’s position as a prime target for attackers, I’d like to share why AD modernization is critical to ensuring security in the modern enterprise.
AD Complexity Increases The Attack Surface
With the proliferation of cloud systems, the traditional idea of a network perimeter has effectively vanished. Most attack strategies focus on compromising identities via phishing and other means. Accordingly, security strategies increasingly focus on identity management and control.
Yet many of AD’s original security and architecture recommendations are inadequate to meet the needs of the modern enterprise. When AD was introduced with Windows Server 2000 at the tail end of the last millennium, networks were a different environment. The design of AD domains was heavily influenced by bandwidth limitations and NT replication concerns.
These constraints, combined with object limits and migration challenges from legacy Windows NT 4 domains, resulted in the adoption of multiple AD domains within the forest structure. These complicated designs, along with decades of configuration drift, have created complexities and misconfigurations that increase the AD attack surface.
The Case For Modernization
Modernizing AD can enable organizations to resolve decades’ worth of technical debt accrued by multi-forest environments and years of ineffective or outdated security practices. Modernization can enable teams to implement robust authorization controls for identity management and fully centralize control over their networks.
Modernization also reduces overall management costs by simplifying the environment and supporting compliance and regulatory demands.
AD Security And Migration Complexity
Despite the many advantages that modernization brings, organizations need to plan carefully when setting out to modify AD. The process can be a big effort with many challenges.
Users, groups, applications and computers must all be migrated into a new domain or forest. And any undetected vulnerabilities that exist in the old environment can be carried forward. The migration process can also introduce new vulnerabilities that might not be detected unless continuous monitoring and assessment are in place during the process.
It’s unlikely that everything will be moved at once. Resources such as applications, file servers and databases are more complex to migrate than users and groups, so they might temporarily stay behind in the old environment. Attackers love to take advantage of unsettled environments, so ensuring security during the transition period is paramount.
Steps To A Successful And Secure Migration
To manage an AD migration with minimal disruption, organizations need to take a security-first approach. That starts with a detailed migration plan that ensures that the destination domain is designed with security best practices in mind.
Best practices include assessing the environment before the migration to identify gaps such as compromised accounts and vulnerable system misconfigurations, and creating a test environment that mirrors the production AD in which to rehearse the migration process. You must also ensure that user permissions and access rights are moved in line with the overall policy, that passwords are synchronized, and that accounts, authentication protocols and encryption algorithms are compatible with the new environment.
Likewise, organizations need to apply the same precautions to the more complex tasks of migrating applications, resources and multitier architectures, which often require special configurations. And be sure to update hard-coded usernames, distinguished names and server names. If the destination AD environment uses different user or server names, users might not be authenticated or resources might be inaccessible.
Before activating the destination AD environment, it’s essential to test and validate to be sure the environment is working properly. Continuous monitoring—for unauthorized access, permission changes and anomalous behavior—is also vital once the migration is complete. Administrators should also conduct regular security audits and penetration testing.
Finally, implement training for end users, IT staff and management. And thoroughly document the new domain structure, user and group procedures, and all security policies.
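A pre-migration assessment sweep of the kind the steps above call for, written here as an added PowerShell example (not code from this article or from Semperis). It assumes the RSAT ActiveDirectory module, read access to a source domain controller, and a hypothetical DC name dc01.old.example.test; it flags accounts that are stale or carry settings that are weak in themselves and that a hardened destination domain may not accept.

```powershell
# Added example: sweep a source domain for account issues to resolve before migration.
# Assumes the RSAT ActiveDirectory module and a reachable source DC (name is hypothetical).
Import-Module ActiveDirectory

function Get-PreMigrationUserFindings {
    param(
        [Parameter(Mandatory)][string]$Server,   # source domain controller
        [int]$StaleDays = 90                      # no logon within this window counts as stale
    )
    $props = 'Enabled','LastLogonDate','PasswordLastSet','PasswordNeverExpires',
             'AllowReversiblePasswordEncryption','DoesNotRequirePreAuth','UseDESKeyOnly',
             'msDS-SupportedEncryptionTypes','ServicePrincipalName','MemberOf'
    $staleCutoff = (Get-Date).AddDays(-$StaleDays)
    $oldPwCutoff = (Get-Date).AddDays(-365)

    Get-ADUser -Server $Server -Filter * -Properties $props | ForEach-Object {
        $u = $_
        $findings = New-Object System.Collections.Generic.List[string]
        if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt $staleCutoff) {
            $findings.Add("no logon in $StaleDays days")
        }
        if ($u.PasswordNeverExpires)              { $findings.Add('password never expires') }
        if ($u.AllowReversiblePasswordEncryption) { $findings.Add('reversible password storage') }
        if ($u.DoesNotRequirePreAuth)             { $findings.Add('Kerberos pre-auth disabled') }
        if ($u.UseDESKeyOnly)                     { $findings.Add('DES-only Kerberos keys') }
        # msDS-SupportedEncryptionTypes bit flags: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
        # A value set without either AES bit will not work in an AES-only destination.
        $etypes = $u.'msDS-SupportedEncryptionTypes'
        if ($etypes -and -not ($etypes -band 0x18)) { $findings.Add('no AES encryption types') }
        # Accounts with SPNs are service accounts; an old password there is a standing risk.
        if ($u.ServicePrincipalName -and $u.PasswordLastSet -and $u.PasswordLastSet -lt $oldPwCutoff) {
            $findings.Add('service account with password older than one year')
        }
        if ($findings.Count -gt 0) {
            $priv = @($u.MemberOf | Where-Object {
                $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Schema Admins),' })
            [pscustomobject]@{
                SamAccountName   = $u.SamAccountName
                Enabled          = $u.Enabled
                PrivilegedGroups = ($priv -join ';')
                Findings         = ($findings -join '; ')
            }
        }
    }
}

# Store the report with the migration plan so every item is remediated or explicitly accepted
# before the destination domain is designed; privileged accounts sort to the top.
Get-PreMigrationUserFindings -Server 'dc01.old.example.test' |
    Sort-Object PrivilegedGroups -Descending |
    Export-Csv -Path .\premigration-user-findings.csv -NoTypeInformation
```

The same report run again against the destination domain after cutover gives a quick check that none of the flagged settings were carried forward.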
The Time Is Now
Some organizations might balk at the complexity of modernizing AD, preferring to rely on existing security measures and AD’s own security features. However, those approaches are insufficient protection against current threats, which focus on compromising identities and exploiting the type of vulnerabilities that develop in AD over time. Securing AD via a thoroughly planned, well-executed modernization is essential to keeping both critical systems and their users secure in today’s environment.