Active Directory (AD)
What is Active Directory?
Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory was first released in 2000 and runs on Windows Server.
Since 2000, it has become the umbrella brand for a broad assortment of directory-based identity services from Microsoft. The main component of Active Directory is Active Directory Domain Services (AD DS), which verifies access when a user logs in to a system or tries to connect to one over the network, and which assigns and enforces security policies. A server running Active Directory Domain Services is a Domain Controller. Other Active Directory services include Lightweight Directory Services (AD LDS), Federation Services (AD FS), Rights Management Services (AD RMS), and Certificate Services (AD CS).
In December 2016, Microsoft released Azure AD Connect to join an on-premises Active Directory system with Azure Active Directory (Azure AD) to enable Single Sign-On (SSO) for Microsoft’s cloud services, such as Microsoft Office 365.
Data is stored in Active Directory as objects and organized by name and attributes. A group of objects that share the same Active Directory database is called a domain. One or more domains with a common schema and configuration constitute what is known as a tree. The top tier of Active Directory’s logical structure is a forest, which is made up of a group of trees. A forest constitutes Active Directory’s security boundary.
Active Directory as a target for attackers
For attackers, Active Directory is the keeper of the crown jewels. When threat actors compromise a network, they typically try to elevate their privileges so they can move to more critical systems, access sensitive data, and gain a broader foothold in the environment to maintain persistence. As a result, attacking Active Directory and obtaining administrator-level access is one of the attackers’ chief goals.
This is typically done using tools such as BloodHound, an open-source application for analyzing the security of Active Directory domains and revealing paths through which access entitlements can be escalated. Once attackers have uncovered hidden or complex attack paths that could compromise the security of the network, they use tools such as Mimikatz to steal the credentials needed to follow them.
The targeting of Active Directory by attackers makes Privileged Access Management (PAM) a vital part of enterprise security. PAM tools fall into three categories: Privileged Account and Session Management (PASM), Privilege Elevation and Delegation Management (PEDM), and secrets management software. Ideally, these capabilities should be fully integrated into an underlying platform to avoid the silos that come from point solutions.
With Privileged Access Management, organizations can use session monitoring, granular access controls, and password vaulting to provide an extra layer of protection for privileged accounts. These protections should be part of a layered approach to security that also involves continuous monitoring of Active Directory for suspicious activity.
Other directory services on the market that provide functionality similar to Active Directory, and that attract the same attention from cyber adversaries, include IBM Red Hat Directory Server, Apache Directory, and OpenLDAP.
More AD Resources:
Blogs
Active Directory Security and Hardening: An Ethical Hacker’s Guide to Reducing AD Risks
Securing Active Directory to Reduce Ransomware Attacks: A Quick Primer
AD Bridging: If you're only using it for authentication, you're missing a ton of value
Whitepapers
Active Directory Security and Hardening
Advanced Active Directory Bridging