Skip to content
 

AD Bridging: If you're only using it for authentication, you're missing a ton of value

  

There's no way around it—enterprise networks today are hybrid with Windows, Linux, and UNIX systems in multiple clouds, leaving IT and IT Sec teams with the daunting task of managing access. For many years, Active Directory Bridging has helped by enabling users to log in to non-Windows systems with their enterprise Active Directory (AD) account.

However, Active Directory Bridging's value can go far beyond this. By joining a non-Windows system to Active Directory, it can be a first-class citizen. Leveraging more Active Directory capabilities than basic bridging, you can better manage access and prevent lateral movement.

Armed with the knowledge that Active Directory Bridging can be so much more, let's explore what it means to IT and IT Security teams.

Active Directory Bridging and Authentication

Nine times out of ten, when I ask the question "what is Active Directory Bridging" the responses are similar:

    • It's a Privileged Access Management (PAM) capability.
    • It enables administrators to log in to Linux machines using their Active Directory account.
    • It allows us to leverage Active Directory groups when defining PAM roles.

All true. For an Active Directory shop with *NIX servers, your administrators benefit from using their Active Directory credential to log in anywhere and leverage Active Directory Kerberos for single sign-on. With centralized management in Active Directory, you reduce operational overhead, avoid security gaps, and minimize access governance and control inconsistencies. You can also eliminate the many local privileged accounts admins use to log in to *NIX systems, relying instead on a single Active Directory account, thus reducing your attack surface.

Active Directory Bridging is so much more than simply validation of Active Directory IDs and passwords

These benefits broadly map to identifying a user by ID and password during login, also known as the Authentication portion of the AAA (Authentication, Authorization, and Accounting) framework. For most vendors, this is where AD Bridging stops.

Let's explore how more advanced AD Bridging incorporates Authorization and Accounting.

Active Directory Bridging, Authorization, and Accounting

Using authentication to identify the user is not enough. We must then use permissions to control what the user can do and keep tabs on that activity if we need to investigate or prove compliance. These are the Authorization and Accounting portions of the AAA framework; we'll explore these now.

Authorization

Managing what users can do on *NIX systems is a combination of native OS controls and "sudo" rights. Native OS controls are limited – read/write/execute permission for users and groups – no fine-grained control.

A regular *NIX user has limited rights, unable to run privileged system commands. The native sudo program enables controlled elevation of permissions, obtaining its instructions from a local /etc/sudoers file you must configure and manage on each system. This model doesn't scale when you have dozens or hundreds of systems (we have customers with thousands). It increases administrative overhead and introduces the risk of toxic combinations, security gaps, over-privileged users, and failed audits.

With AD Bridging, a local client allows you to join *NIX servers to Active Directory, like joining a Windows server to the domain. We eliminate dependence on the local /etc/sudoer files, enabling you to manage policies for privilege elevation ("Authorization") centrally in Active Directory. This centralized management also extends to policies for login ("Authentication") and multi-factor authentication (MFA)—with the client enforcing them locally on each system.

To avoid upsetting your organization's Windows team, you can isolate these *NIX policies from other Windows-centric Active Directory policies and configurations.

Accounting

Imagine the scene—there is a potential breach in progress. You must log in to several *NIX systems and trawl through their local log files in a hurry. Much noise contaminates the logs and sifting through thousands of unrelated events is laborious and error-prone. You see lots of privileged activity attributed to "root." But who was logged in as root? There's no accountability. Repeat this for each system, and by the time you find valuable intel, the cyber attacker has left the building—with your data.

AD Bridging supports restrictive, fine-grained policies to align permissions to the task better. Logged privileged activity is distinct, non-cryptic, and easy to analyze through a centralized interface. Enforcing the Principle of Least Privilege, AD Bridging ties activity to a unique Active Directory user for accountability. With session recordings, you can replay privileged activity for any user on any machine in any time range. You can also search across recordings for applications run or commands typed at the keyboard.

Deeper Active Directory Integration for More Advanced AD Bridging

We've discussed the benefits of basic AD Bridging around user Authentication plus additional benefits tied to Authorization and Auditing. The benefits don't stop there, however. With advanced AD Bridging, you can drive down the risk of a data breach or ransomware attack, improve your compliance posture, reduce cost, and increase operational efficiency even further.

Below is a list of additional benefits of Delinea PAM and its advanced AD Bridging capabilities. If you want to learn more, download our whitepaper that goes into the details on each one.

  • Complex multi-forest Active Directory architectures
  • Hierarchical zoning for simplified management
  • Multi-directory brokering
  • VMs and containers in IaaS
  • Extending Kerberos to *NIX
  • Rapidly securing Hadoop with Kerberos
  • Leveraging Active Directory-DNS (Domain Name Services)
  • Leveraging Active Directory-CS (Certificate Services)
  • Extending Active Directory Group Policy to *NIX
  • Smart card login to Linux
  • Centralizing local account and group management
  • Authentication for databases and apps
  • Delinea LDAP Proxy

Active Directory Bridging is so much more than simply validation of Active Directory IDs and passwords. It's a fantastic suite of PAM capabilities that simplifies IT professionals' work and boosts security and compliance.

More resources on Delinea's Server PAM solutions and advanced Active Directory Bridging:

Advanced AD Bridging Whitepaper

Delinea Server Suite

Multi-Directory Brokering Solution Brief (PDF)

Glossary:

Active Directory

Active Directory Authentication

Active Directory Security

Active Directory Security and Hardening

FREE WHITEPAPER
Active Directory Security and Hardening

An ethical hacker’s guide to reducing AD risks