Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs of each program we employ. As luck would have it, our days are often spent with other important tasks, leaving us unable to thumb through 300-page guides.
To help Active Directory administrators understand Microsoft’s latest guidance, Skyport Systems hosted a webinar last week that detailed the high-level action items needed to secure Active Directory (AD) in its most recent update.
The main issues they see in companies mitigating AD security issues are threefold: operations, complexity, and cost. Not only are there so many teams involved in managing and securing active directory, but the complex application has many ports of connection, raising cost to implement best practices and install programs built to specifically secure this infrastructure.
And why is AD security so important? Easy—AD systems are the central point of authentication for most companies, Bhavik Shah, CISSP at Skyport Systems explained. Cloud based services, internal operations tools, external platforms, all tie back to AD. So if a hacker gains access to AD, they have access to so much more than simple credentials. This is why the system is so heavily targeted. If a hacker owns AD, they own the entire network.
Skyport Systems understands this problem and so does Microsoft. Microsoft has even tried to close the gaps by releasing new tools proven to work.
“But the problem with implementation is there are vague guidelines,” said Shah. “It takes money, expertise, and other programs to successfully secure Active Directory.”
So Skyport took Microsoft's 300 pages and broke it down into something consumable—a phased approach, broken out into buckets of focus into the modern security framework.
Active Directory Hygiene
Shah recommends looking into existing complexity of hygiene protocols, like whether you’re checking domains frequently enough. He compares this level of security to having a bunch of locks on a door, and that it isn’t a matter of whether or not the hackers will get in, but how long until they do.
“Hackers will get in quickly if this is the only area of focus,” Shah advised.
Secure Admin Workstation
“This is the biggest gap that I’ve seen as far as what Microsoft is telling you to do and what people are actually doing,” said Shah.
In this gap, there will be no jump server set up between a laptop and its domain controller, meaning credentials are cached locally on the device, sitting in the memory of the laptop. If not addresses, credentials can easily leak into the user environment.
Protect Domain Controller
In this level of security protection, administrators need to only allow ports AD needs to perform its job, protected by a firewall and shielded from the internet. In some cases, administrators may completely wipe AD’s connections and start from scratch to gain the level of protection they desire.
As the final bucket of the security process, this step requires an effort to segregate credentials into separate forests, with users in different locations than admin credentials and so forth. Shah mentioned this step is usually reserved for large enterprises.
For more detailed information on how to implement these steps of security and how Skyport System’s SkySecure product includes hardware and software components to deliver a secure virtualization environment for Active Directory, check out the webinar!