Active Directory: How to protect the key to your organisation?

Author: Minh Trusiak

14 April 2022

Active Directory (AD) and its cloud counterpart Azure Active Directory (AAD) are extremely important systems in organizations. They act as databases and sets of services connecting users to network resources, and they enable employees to work smoothly and efficiently on a daily basis. The challenge, however, is that, as the primary authentication and authorization mechanisms, they contain a wealth of critical information about a given environment – from the number of users and computers to information on permissions – which often makes them the first target in cyber attacks. Compromising AD gives attackers the detailed information they need to reach sensitive data, deploy ransomware, and carry out other malicious activities. So how can we effectively protect our AD against cyber attacks? You will find the answer in the article below.






The security of Active Directory is critical


Active Directory is a directory service developed by Microsoft for Windows domain networks. It is a powerful tool for organizing and managing access to a company’s IT resources and is used by companies around the world, including most of the Fortune 500. As a directory service, it lets IT administrators, among other things, centrally manage workstation configuration, user accounts and permissions, install application software remotely, and integrate external systems that rely on it.

Therefore, it is very important to realize that installing Active Directory in its default configuration is only the beginning of the road to a secure infrastructure based on this solution; leaving the service in that state is an open gate for cybercriminals. Businesses need to be aware of the security weaknesses of such a setup and take steps to defend their AD, such as using security tools and applying best practices to protect their networks from cyber attacks.



Active Directory vs. Azure Active Directory




Organizations’ growing interest in building their infrastructure in the cloud and moving to a hybrid environment prompted Microsoft to develop Azure Active Directory, which gives users a centralized directory for all cloud applications and servers. While AAD plays a similar role to Active Directory, it does not understand legacy Windows authentication protocols, so it cannot be a direct replacement for on-premises AD. Organizations that need both systems connect them using Azure AD Connect, a tool that synchronizes objects from the on-prem directory to the cloud.

And when organizations connect AAD to AD, securing their cloud environment becomes even more important. Why? Because, if it is inadequately secured, it is a straight path into the on-prem environment!



How to protect Active Directory?


In many cases Active Directory is the first target in a cyber attack. Microsoft estimates that about 90% of the attacks its team investigates involve AD in some form, whether as the initial attack vector or as a means of gaining persistence or privileges. These numbers emphasize that strong AD security is essential in today’s enterprises. Fortunately, there are ways organizations can defend themselves and prevent malicious users from breaking into the network and causing harm.

We decided to take a look at a few activities that our team uses in a project for one of our clients, a leading global IT software and service company with a strong Nordic heritage that provides IT and product engineering services. These are basic actions any organization can take to protect AD from cyber attacks.


Principle of least privilege

One of the basic elements we should start with is the principle of least privilege. What does it mean? Limiting the rights of each account to the smallest set that still allows the necessary tasks to be performed. In addition, for tasks requiring administrative privileges (e.g. password changes, modification of privileges, data backup on the file server) we should use separate accounts, and we should use them only when necessary. Organizations should also consider configuring delegation for individual administrative accounts, which lets you define granularly which operations a given account can perform on objects (users, computers) located in a specific Organizational Unit (OU) of the AD structure.

In the case of AAD, it is also worth knowing tools such as Privileged Identity Management (PIM). It allows eligible users to request specific permissions when they need them; a person with Approver rights can then grant the privileges for a specified period of time. This is a much safer way of managing accounts. Additionally, PIM makes it possible to introduce so-called Access Reviews, which generate periodic reports on users holding privileged roles and verify whether they still need those roles.


Implementation of good identity processes

Whether in small organizations or large multinationals, the process of creating user accounts and adding them to groups is simple. Removing inactive users who are no longer needed is another story altogether. Microsoft estimates that more than 10% of user accounts in AD are inactive, and they pose a serious security risk because external attackers can use these accounts to infiltrate the organization. When we took over the project from the client, we also discovered many privileged accounts belonging to employees who no longer worked in the company. With tools like PowerShell, organizations can easily identify and remove inactive users and computers. Regularly reviewing confidential or privileged access will also help you keep administrative access under control.
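The following PowerShell script is an added example (not from the original article or the client project) of the clean-up described above: it lists inactive users and computers, flags those that still sit in privileged groups, and disables them. It assumes the RSAT ActiveDirectory module on a domain-joined host; the 90-day threshold and the list of privileged groups are assumptions to adapt.

```powershell
# Added example: find inactive AD accounts, highlight the privileged ones, disable them.
# Assumes the ActiveDirectory module (RSAT) and rights to read and modify accounts.
Import-Module ActiveDirectory

$InactiveDays     = 90                                             # assumed threshold
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Resolve (nested) membership of the privileged groups once, keyed by SID,
# so the per-account check below is a cheap hashtable lookup.
$privilegedSids = @{}
foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $privilegedSids[$_.SID.Value] = $group }
}

# Search-ADAccount uses LastLogonDate, derived from the replicated lastLogonTimestamp,
# so the answer does not depend on which domain controller is queried.
# Without -UsersOnly/-ComputersOnly it returns both users and computers.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stale  = Search-ADAccount -AccountInactive -DateTime $cutoff |
    Where-Object { $_.Enabled }                                    # skip already-disabled objects

$report = foreach ($acct in $stale) {
    [pscustomobject]@{
        Name            = $acct.SamAccountName
        ObjectClass     = $acct.ObjectClass                        # user or computer
        LastLogonDate   = $acct.LastLogonDate
        PrivilegedGroup = $privilegedSids[$acct.SID.Value]         # $null when not privileged
    }
}

# Privileged stale accounts first: these are the ones an attacker values most.
$report | Sort-Object { -not $_.PrivilegedGroup }, LastLogonDate | Format-Table -AutoSize

# Disable rather than delete, so the object (and its group memberships) can be
# restored if the owner turns out to be on long leave. Remove -WhatIf to apply.
$stale | Disable-ADAccount -WhatIf
```

Review the report before removing -WhatIf; service accounts that authenticate with Kerberos-only flows may legitimately show no interactive logon.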


Monitor for unusual activity

Continuous monitoring of AD for suspicious activity is a key component of preventing, detecting, and stopping malicious activity. Deploying a security information and event management (SIEM) solution with user and entity behavior analytics, such as Azure Sentinel, enables organizations to aggregate and analyze activity across their IT infrastructure, including any changes to privileged accounts and group membership.

Microsoft also offers other monitoring tools, such as Defender for Cloud Apps and Azure Active Directory Identity Protection. These tools collect and aggregate logs and raise alerts when they detect, for example, atypical travel (sign-ins from geographically distant locations), repeated failed sign-in attempts for an account, or downloads of large amounts of data from servers.
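As an added example (not from the original article) of the kind of privileged-group monitoring described above, this PowerShell script reads the Security log of a domain controller and lists every addition to or removal from the watched groups in the last 24 hours, ready for review or forwarding to a SIEM. The DC name and group list are assumptions; the script needs rights to read the Security log remotely, and the DC must have "Audit Security Group Management" enabled.

```powershell
# Added example: report privileged-group membership changes from a DC's Security log.
$DomainController = 'DC01'                                      # hypothetical DC name
$WatchedGroups    = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 4728/4732/4756: member added to a security-enabled global/local/universal group.
# 4729/4733/4757: the corresponding removals.
$AddIds    = 4728, 4732, 4756
$RemoveIds = 4729, 4733, 4757

$filter = @{
    LogName   = 'Security'
    Id        = $AddIds + $RemoveIds
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

# Read EventData fields by name from the event XML; this is more robust than
# relying on the positional order of $event.Properties.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$changes = foreach ($e in $events) {
    $group = Get-EventField -Event $e -Name 'TargetUserName'    # the group that was modified
    if ($WatchedGroups -notcontains $group) { continue }

    $action = if ($AddIds -contains $e.Id) { 'Added' } else { 'Removed' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = $action
        Group     = $group
        Member    = Get-EventField -Event $e -Name 'MemberName'       # DN of the affected account
        ChangedBy = Get-EventField -Event $e -Name 'SubjectUserName'  # who made the change
    }
}

# Newest first; any 'Added' row to Domain Admins that nobody filed a change for is worth a call.
$changes | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it against each domain controller, since group-management events are written only on the DC that processed the change.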


Automation will pay off

Investing in comprehensive SIEM threat detection tools, such as Azure Sentinel, can be very worthwhile for an organization, because it allows part of the team’s capacity to be reallocated to other tasks. These tools can automatically monitor and process suspicious activity and reduce the time needed to resolve incidents.

At our client, the Security Team has built an Azure Sentinel Logic App so that, when a specific security incident occurs, it sends an e-mail to the person whose account looks suspicious, and that person can confirm whether the login was genuine. Thanks to this, the Security Team does not need to be involved in every alert.



Protect your Active Directory


Active Directory management and security is something many organizations still struggle with. The methods of securing AD described here, although only a fragment of the possible measures, significantly raise the level of security of an organization built on this service: they hinder attackers’ efforts to escalate privileges and allow the organization to recover its data quickly, completely, and smoothly in the event of an attack.

Organizations should also remember that taking care of security is not only a matter of implementing specific solutions. It is also the everyday work that keeps the environment in a safe state and makes it possible to react in time to detected security incidents. This means not only regularly updating systems with the latest security patches but also routinely reviewing event logs (which collect, among other things, information based on previously configured audit rules), regularly verifying domain accounts and group memberships, and checking the access control lists on file servers. It also means constantly expanding your knowledge of new threats and of the solutions that allow you to fight them effectively.



We can help!


Whether it is the solutions described above or the ongoing maintenance of a high level of protection for the company’s IT infrastructure, our specialists are happy to help. Starting with an audit to determine the current state of IT security in the organization, through presenting and implementing specific solutions that raise the level of protection of the environment under study, to continuous assistance in keeping IT systems secure, we will take care of your cybersecurity!









We wrote this article in cooperation with Emil Jasiński, NATEK Cloud Specialist, who provides comprehensive care in the field of Azure and uses Azure products to improve existing processes for NATEK clients.