Wednesday, April 13, 2022

Updating best practices for Domain Controllers

Most organizations using directory services are moving towards using a cloud-based identity platform, like Azure Active Directory, to take advantage of newer authentication methods like passwordless authentication, use conditional access to enforce zero-trust methodologies, and aspire to reduce their infrastructure footprint by phasing out Active Directory.


However, we realize that customers are on a journey and hybrid will be an important state for many customers for a long time. Domain Controllers still act as a pivotal piece of infrastructure for many organizations, and the identities that Active Directory holds are often the target for attackers.


Protecting DCs from attack has always been a priority for administrators. Some examples of ways organizations keep their DCs secure include:

  • Limit the use of Domain Admin privileges
  • Use jump boxes for RDP access or MMC access.
  • Do not install 3rd party applications on DCs
  • Restrict internet access to DCs

Given the challenges that a modern security team is faced with, there’s potential to revisit these best practices to see where improvements can be made.


As a leader in the security space, Microsoft has an obligation to provide the highest levels of protection possible to its customers. Cloud-powered security products are the best form of defense against modern threats. Cloud-powered security eliminates any restrictions around compute, capacity and scale. It’s no longer about considering connecting to a cloud service for the best in security, it’s about needing to.


That’s why today, we have updated the best practices around securing domain controllers against attack. Microsoft is no longer recommending that DCs should have no internet access under any circumstances. Instead, we’ve made recommendations that align with the changing security landscape. To be clear from the outset, Microsoft still advocates for DCs to not have unfiltered internet access and using the internet via a browser from these servers should still be prohibited. Instead of completely isolating DCs from internet access and assuming they will never be breached, we recommend a defense in depth approach including modern threat protection to always monitor for breaches. 


Defender for Identity detects identity-based threats and compromised users in on-premises environments and helps customers reduce the attack surface to prevent compromises and lateral movement. Such is the effectiveness of Defender for Identity, that when Microsoft’s Detection and Response Team (DART) are engaged to help organizations with security incidents, Defender for Identity is one of the prerequisites of the engagement taking place. Defender for Identity is currently protecting tens of millions of Active Directory entities and so it’s clear our best practice guidance needed to be updated based on your usage across the globe. 


The change to the published best practice recognizes the cloud journey most organizations are on. We continue to recommend the use of Azure Active Directory as the sole identity and access management tool in your organization if possible.


To support the hybrid state, Microsoft recommends cloud-powered protection for on-premises Active Directory using Defender for Identity. This can be achieved securely by configuring the Defender for Identity sensor installed on DCs and AD FS servers to communicate to the cloud service through an encrypted, one-way connection, via a web proxy, to nominated endpoint names. If this is done via the command line options described over on the Defender for Identity docs pages, it also limits this access only to the Defender for Identity process being used by the sensor.


Finally, for those organizations that are in completely air-gapped environments for legal or regulatory reasons, the suggestion is to maintain the status quo and completely restrict domain controllers from any internet access, both via technical and policy-based controls.


Of course, identity is just one element in a threat protection approach. We recommend you consider XDR technologies that protect identities, endpoints, applications, and cloud infrastructure including the full Microsoft 365 Defender product line. 


Microsoft will always strive to keep its customers and partners as safe and secure as possible. By removing deployment blockers, we can empower organizations to take advantage of the best protections Microsoft has to offer as simply as possible.

Posted at