Securing Active Directory and Azure AD

The issues and paths to transformationA Microsoft/Wavestone white paper

Since its launch more than 20 years ago, the Active Directory service has become a market standard that is present in almost all the information systems of organizations. In recent years, two significant trends have brought it back into the spotlight.

The first is the result of the high exposure of this component to cyber threats. Since the Active Directory is the cornerstone of the information system in terms of rights and privileged accounts, it is a top-priority target for hackers, who are looking to break into the information system and gain broad access. In this way, they can use it to deploy malware or to access, and then divulge, information. In recent years, many organizations have launched major remediation projects to face up to this threat.

The second trend is due to the rise in the use of collaborative services, which has increased sharply with the spike in home working. To enable all the new usages in the modern workplace, user management has extended its scope of action to include the cloud, thanks to Azure AD. Most cases do not consist of a switch from full on-premises to full cloud, but more of an extension of the existing configuration in the form of hybrid architectures. This shift must take into account the security considerations to avoid exposing the organization.

Microsoft and Wavestone teamed up to analyze the trends observed in the field, to list the necessary considerations and to provide a few keys and best practices to be adopted when making structural changes.

Which architectures and what level of cyber security maturity ?

There are three main types of architecture: On-premises AD architecture, Hybrid AD/Azure AD architecture, 100% Azure AD architecture. The underlying trend of moving to the cloud brings new security challenges.

Arnaud Jumelet

National Security Officer
Microsoft France

Only 25% of authentications still take place on-premises.

Azure AD manages more than 345 million active users every month, with an average of 30 billion authentication requests per day.

Whether we are talking about on-premises AD or Azure AD, the level of security is still largely insufficient.

“32/100 the average Secure Score, 34.6 is the highest score in the technology sector,24 is the score when creating an Office 365 E3 subscription”

“In 80% of the audits, the IS was breached in less than 24 hours”Wavestone, 2020 AD audits

Besides, CERT Wavestone’s observations from the field show that Active Directory infrastructures are still very often targeted by attackers, inducing major cybersecurity incidents.

In the current context of an explosion of attacks exploiting AD weaknesses, it is not uncommon to see the Executive Committee question the CIO or the CISO about the level of AD security and to approve budgets of several hundred thousand or even millions of euros to carry out redesign and security projects.

“53% of major corporations are running projects to make AD secure”CESIN, 2021 Barometer

Numerous security plans already underway in organizations following the journey to the cloud

The new Enterprise Access Model developed by Microsoft was created for hybrid organizations that have on-premises and multi-cloud applications that apply the Zero Trust security principles.
In this new model, security is not exclusively controlled using Active Directory, but also by Azure Active Directory.

On the on-premises perimeter, the absolute priority is to secure Tier 0 and to reduce the possibility of compromise as much as possible by integrating the most critical assets and by imposing the use of the right administration accounts to connect to them.

To do this, some assets need to be integrated into the Tier 0 perimeter, based on our observations in the field:

Obviously, this is only part of the remediation, as there are many other unavoidable topics to address in the security plan.

Here is a summary on how to secure Tier 0:

Rationalize and decommission
Focus efforts on the long-term scopes and decommission the rest.
Implement tier 0

Partition Active Directory against the risk of breach.

Keep the components in a secure condition

Install security patches and harden the configurations.

Back up and run restore tests

Put the backups out of reach and be prepared to rebuild.

Supervise the actions and manage change

Oversee and rigorously deploy this action plan.

Centralize the log files and implement detection

Monitor and detect weak signals in order to respond rapidly.

On the cloud perimeter, we can start with the Identity Security Score as a quick assessment to identify the first quick wins to implement. Beyond this indicator, complementary actions must be carried out in all areas, precisely on:

Administrators, internal users, and guest users, by identifying their rights and authentication methods (e.g., multi-factor authentication).
Applications and conditional access, by managing owners and secrets, and by implementing access policies.
Devices, by enforcing device compliance against a defined and accepted standard.

For this purpose, Microsoft provides security mechanisms depending on the license level. For example, Security Defaults are available in the free license:

This white paper contains numerous focus points which deal with a given topic in detail. Here is an example for Security Defaults:

Finally, depending on the organization’s transformation strategy, the question of the journey to the cloud and therefore to Azure AD will have to be addressed, by integrating security requirements and removing the last obstacles:

Migrating NTLM-based applications to modern protocols, such as Kerberos or OpenID Connect,
The application of security measures via a MDM, instead of GPOs,
Replacing AD join with Azure AD join.

Preparing for a cyberattack

Beyond securing its AD/Azure AD environment, it is necessary to anticipate an eventual Active Directory reconstruction to better anticipate the crisis. Two methods of AD reconstruction can be implemented following a compromise:

A rebuild of the domain controllers and the directory from scratch,
A rebuild of the domain controllers but replicating the existing directory.

Rebuilding an SI in the wake of a cyberattack is a sprint that requires everyone to be onboard. A risk could be to think everything is already over. If so, it is frequent to be targeted by another attack only a few months or years later.

Etienne Lafore

Senior Manager
Wavestone

On average, it takes at least one week to rebuild the AD core without any preparations

To be able to reduce the time required to rebuild the AD infrastructure, here are a set of measures to be anticipated:

Cybereason

80% of the companies that paid a ransom have been victims of a second cyber attack

Crisis management is to be seen as the first part of the race that leads the company to a better safety. It becomes necessary to define a transformation program for the SI to deal with the hackers and to change the security model to redesign it according to the business’ needs. It is a huge marathon to run!

This whitepaper “Securing Active Directory and Azure AD, the issues and paths to transformation” reviews various trends and provides a set of suitable practices to adopt.

Discover the white paper associated

This publication was produced by Arnaud JUMELET (National Security Officer, Microsoft France), Pierre AUDONNET (Principal Customer Engineer, Microsoft Canada), Florent BENOIT (Partner Technology Strategist, Microsoft France), Rémi ESCOURROU (Manager, Wavestone), Jean-Yves GRASSET (Chief Security Advisor, Microsoft France), Benoit MARION (Senior Manager, Wavestone), Gregory SCHIRO (Compromise Recovery Security Practice, Microsoft) and Julien ROUSSON (Manager, Wavestone)