2023: Time to Secure Active Directory and Azure AD

Posted by: Menachem Shafran
December 11, 2022

Four key action items to harden AD and Azure AD in 2023

First previewed in 1999 and shipped with Windows 2000 (!), Active Directory (AD) has been the default identity and access management service in Windows networks for over two decades. Simply put, AD authenticates and authorizes users and computers, and through Group Policy it assigns and enforces security settings on every domain-joined endpoint.

Azure Active Directory (Azure AD, renamed Microsoft Entra ID in 2023) is Microsoft’s cloud identity service. Despite the name it is not a hosted copy of AD: it uses no Kerberos, NTLM, LDAP or Group Policy, and instead authenticates with OAuth 2.0, OpenID Connect and SAML. It does extend the AD paradigm into an Identity as a Service (IDaaS) offering that covers both cloud and on-prem apps, and in a hybrid deployment Azure AD Connect synchronizes on-prem accounts to the cloud so that admins can manage cloud and on-prem components with a single identity per user.

Clearly, both AD and Azure AD are highly central to the functioning of on-prem, cloud-based and hybrid ecosystems. They are not only critical for productivity – they are a key to uptime and arguably to business continuity itself. And that’s why it’s important for security stakeholders and executives alike to ask themselves: how secure is our AD/Azure AD, and what more should we be doing in the coming year to make it more secure?

AD and Azure AD – Not as Secure as You’d Think

Even a cursory web search turns up no shortage of security horror stories and poor report-card scores for AD and Azure AD implementations. This raises the question: how can such a ubiquitous service be so poorly secured in today’s hyper-vigilant cybersecurity climate?

One reason is simply familiarity. Because AD and Azure AD are such veteran, common fixtures in networks, even security teams tend to assume they are inherently secure…until they find out the hard way that they are not. It’s a bit like the way we trust that an old favorite piece of furniture will be in the same place…until it gets moved and we try to sit down on it out of sheer force of habit.

Another prominent reason is that compliance regimes gloss over them. Regulations can be quite specific about technical controls such as patching and vulnerability management, but in their effort to stay vendor agnostic they rarely address AD or Azure AD in a specific, actionable way. Most regulatory regimes demand that identity management be protected, yet do not say what exactly must be done to secure an AD or Azure AD implementation.

Finally, enterprise cybersecurity attention and budget gravitate to the SOC, detection and response, and the more glitzy aspects of security. Today’s security teams are simply less focused on hardening core environments like AD and Azure AD.

Four Key Action Items to Harden AD and Azure AD

Luckily, none of the issues that currently leave Azure AD and AD less protected are irreparable. To ensure the security of your organization’s identity and access management, follow some basic Active Directory and Azure Active Directory security best practices. For starters, make sure that you:

  1. Don’t Use Overly Complex Passwords

Complexity rules (mixed case, a digit, a symbol) make passwords harder to remember without making them much harder to guess: users respond with predictable substitutions like P@ssw0rd1!, or write the password down where it is easily discovered. Length is what buys entropy, which is why NIST SP 800-63B advises against composition rules and forced periodic rotation. Instead, use a good passphrase generator that lets users start from 3-4 randomly chosen, inherently memorable words, set the domain minimum password length to 15 or more characters, and screen new passwords against a banned-password list (Azure AD Password Protection does this for cloud accounts and, with its on-prem agent, for AD as well).
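As an added example (not from the original post), the following PowerShell builds passphrases from a word list using a cryptographically secure RNG with rejection sampling, reports the entropy each passphrase carries, and checks it against a length floor. The 16-word list is a constructed stand-in for a real list such as the EFF long word list (7,776 words); the 15-character floor is an assumed domain policy.

```powershell
# Added example, not code from the original post. Generates diceware-style
# passphrases with System.Security.Cryptography.RandomNumberGenerator, which
# is available in both Windows PowerShell 5.1 and PowerShell 7.

# Constructed sample list. In practice load a large published list such as
# the 7,776-word EFF long list, so each word contributes log2(7776) ~ 12.9 bits.
$SampleWords = @(
    'anchor','basil','cobalt','delta','ember','falcon','garnet','harbor',
    'ivory','juniper','kestrel','lantern','meadow','nickel','orbit','pebble'
)

function New-Passphrase {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $WordList,
        [ValidateRange(3, 10)] [int] $WordCount = 4,
        [string] $Separator = '-',
        [int] $MinLength = 15          # assumed domain minimum password length
    )

    $n   = $WordList.Count
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4

    # Draw 32-bit values and reject any at or above the largest multiple of $n,
    # so ($r % $n) is uniform and no word is favoured by modulo bias.
    $range = [int64]([uint32]::MaxValue) + 1
    $limit = $range - ($range % $n)

    $words = for ($i = 0; $i -lt $WordCount; $i++) {
        do {
            $rng.GetBytes($buf)
            $r = [int64][BitConverter]::ToUInt32($buf, 0)
        } while ($r -ge $limit)
        $WordList[$r % $n]
    }
    $rng.Dispose()

    $phrase = $words -join $Separator
    [pscustomobject]@{
        Passphrase  = $phrase
        Length      = $phrase.Length
        # Entropy comes from the random draws, not the characters:
        # WordCount * log2(list size) bits, regardless of how long the words are.
        EntropyBits = [math]::Round($WordCount * [math]::Log($n, 2), 1)
        MeetsFloor  = $phrase.Length -ge $MinLength
    }
}

# Usage: 4 words from the 16-word sample list give only 16 bits; the same call
# against the EFF long list gives about 51.7 bits, far more than users typically
# put into an 8-character password that merely satisfies complexity rules.
New-Passphrase -WordList $SampleWords -WordCount 4
```

A lowercase, hyphen-separated passphrase fails AD’s default complexity rule (three of four character classes), so either have users add a capital and a digit, or set the default domain policy or a fine-grained password policy to a 15+ character minimum with complexity disabled (`Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 15 -ComplexityEnabled $false`) and compensate with a banned-password list and MFA rather than composition rules.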

  2. Don’t Let Employees Have Admin Accounts

Most intrusions begin on an endpoint, a workstation or device. If the user of that endpoint is a local administrator, whoever compromises it is one too, and can dump credentials, tamper with the security agent and move laterally. Most users do not need admin rights for their day-to-day work; where installing software is the usual justification, deliver software through a managed deployment tool instead. So remove standing local admin rights, keep role-based access rights current and properly compartmentalized, and let users request elevated privileges when they genuinely need them.
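As an added example (not from the original post), this PowerShell audits a workstation’s local Administrators group against an approved list and removes everything else, dry-run first. The approved principals and the CONTOSO domain are assumptions.

```powershell
# Added example, not code from the original post. Uses the built-in
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).

# Assumed allow-list: the built-in local Administrator (its password ideally
# rotated by LAPS) and one tier-2 workstation-admin group from the assumed
# CONTOSO domain. Everyone else gets removed.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Workstation Admins'
)

function Get-UnapprovedLocalAdmins {
    param([Parameter(Mandatory)] [string[]] $Approved)
    # Get-LocalGroupMember returns names as MACHINE\user or DOMAIN\user.
    # A nested domain group shows up as one entry here, so its own
    # membership still has to be reviewed in AD.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Remove-UnapprovedLocalAdmins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string[]] $Approved)
    foreach ($m in Get-UnapprovedLocalAdmins -Approved $Approved) {
        # -WhatIf on this function short-circuits here and only reports.
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        }
    }
}

# Report first, then dry-run, then enforce.
Get-UnapprovedLocalAdmins -Approved $Approved | Format-Table -AutoSize
Remove-UnapprovedLocalAdmins -Approved $Approved -WhatIf
# Remove-UnapprovedLocalAdmins -Approved $Approved
```

Run it fleet-wide through Invoke-Command, and make the result stick with Group Policy Restricted Groups (or the equivalent Intune policy for Azure AD-joined devices) so the membership is reapplied if someone adds themselves back. Get-LocalGroupMember can error out on orphaned SIDs left behind by deleted accounts; `net localgroup Administrators` still lists them and is the fallback.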

  3. Practice Good Hygiene

AD and Azure AD are complex environments with many moving parts to manage over time. This inevitably leads to stale objects: defunct groups, accounts of people who no longer work there, decommissioned endpoints, and even objects that are simply used infrequently. Every stale account is a credential nobody is watching, so these objects clutter security efforts and expand the attack surface measurably. Practicing good AD hygiene (find, disable, then delete after a grace period) will not only improve security, it will streamline compliance reviews and audits, too.
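As an added example (not from the original post), this PowerShell finds still-enabled users and computers that have not logged on within a threshold, lists empty groups, and disables the stale accounts with a dry run first. The 90-day threshold and the OU path are assumptions.

```powershell
# Added example, not code from the original post. Requires the ActiveDirectory
# module (RSAT). The 90-day threshold and the OU are assumptions.
Import-Module ActiveDirectory

$InactiveFor = New-TimeSpan -Days 90
$SearchBase  = 'OU=Corp,DC=contoso,DC=com'   # assumed OU to scope the search

function Get-StaleAccounts {
    param([timespan] $InactiveFor, [string] $SearchBase)
    # Search-ADAccount -AccountInactive evaluates lastLogonTimestamp, which is
    # only replicated when it is 9-14 days out of date, so read the result as
    # "inactive for at least this long". Already-disabled accounts are skipped;
    # deleting them is a separate, later cleanup step.
    $common = @{ AccountInactive = $true; TimeSpan = $InactiveFor; SearchBase = $SearchBase }
    [pscustomobject]@{
        Users     = @(Search-ADAccount @common -UsersOnly     | Where-Object { $_.Enabled })
        Computers = @(Search-ADAccount @common -ComputersOnly | Where-Object { $_.Enabled })
    }
}

function Get-EmptyGroups {
    param([string] $SearchBase)
    # Built-in groups live outside a custom OU, so the SearchBase keeps them out.
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member |
        Where-Object { $_.member.Count -eq 0 }
}

function Disable-StaleAccounts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] $Accounts,
        [timespan] $InactiveFor
    )
    foreach ($a in $Accounts) {
        if ($PSCmdlet.ShouldProcess($a.SamAccountName, 'Disable stale account')) {
            # Record why and when in the description so the next reviewer can
            # tell a deliberate disable from a broken account.
            Set-ADObject -Identity $a.DistinguishedName `
                -Description "Disabled $(Get-Date -Format s): no logon in $($InactiveFor.Days) days"
            Disable-ADAccount -Identity $a.DistinguishedName
        }
    }
}

# Usage: report, review, then disable.
$stale = Get-StaleAccounts -InactiveFor $InactiveFor -SearchBase $SearchBase
$stale.Users     | Select-Object SamAccountName, LastLogonDate, PasswordExpired | Format-Table
$stale.Computers | Select-Object Name, LastLogonDate | Format-Table
Get-EmptyGroups -SearchBase $SearchBase | Select-Object Name, GroupScope

# Dry run first; drop -WhatIf once someone has reviewed the list.
Disable-StaleAccounts -Accounts $stale.Users     -InactiveFor $InactiveFor -WhatIf
Disable-StaleAccounts -Accounts $stale.Computers -InactiveFor $InactiveFor -WhatIf
```

Before disabling, check the list for legitimate exceptions such as break-glass accounts and rarely used service accounts, and exclude them explicitly rather than lowering the threshold for everyone.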

  4. Nix Permanent Security Group Memberships

Attackers just love the Domain Admins, Enterprise Admins and Schema Admins groups. Membership in any of them is effectively ownership of your AD forest. If administrators hold permanent membership through the same accounts they use for e-mail and browsing, phishing one of those accounts yields that membership too. So, give admins separate administrative accounts, and make membership in these groups temporary. Enterprise Admins and Schema Admins are needed only for forest-wide and schema changes and should normally be empty. For the more frequently used Domain Admins group, grant membership just in time, for the duration of a task; forests at the Windows Server 2016 functional level can do this natively with time-limited group membership. Finally, the domain’s built-in Administrators group is just as powerful as Domain Admins, so prune it of unnecessary members as well.
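As an added example (not from the original post), this PowerShell enumerates the standing members of the privileged groups named above and grants time-limited Domain Admins membership using the Privileged Access Management optional feature. The group names are the built-in ones; the user, the TTL and the contoso.com forest are assumptions.

```powershell
# Added example, not code from the original post. Requires the ActiveDirectory
# module (RSAT). The user name and TTL below are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedMembership {
    param([string[]] $Groups = $PrivilegedGroups)
    foreach ($g in $Groups) {
        try {
            # -Recursive flattens nested groups so the actual principals appear.
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop | ForEach-Object {
                [pscustomobject]@{
                    Group       = $g
                    Member      = $_.SamAccountName
                    ObjectClass = $_.objectClass
                }
            }
        } catch {
            # Enterprise Admins and Schema Admins exist only in the forest root domain.
            Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
        }
    }
}

function Grant-TemporaryMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $User,
        [timespan] $Ttl = (New-TimeSpan -Hours 4)
    )
    # Time-bound membership needs the Privileged Access Management optional
    # feature (Windows Server 2016 forest functional level). Enabling it is
    # irreversible:
    #   Enable-ADOptionalFeature 'Privileged Access Management Feature' `
    #       -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
    $pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    if (-not $pam.EnabledScopes) {
        throw 'PAM optional feature is not enabled in this forest; see the comment above.'
    }
    if ($PSCmdlet.ShouldProcess("$User -> $Group", "Grant membership for $Ttl")) {
        Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Ttl
    }
}

# Usage: who holds standing privilege right now?
Get-PrivilegedMembership | Sort-Object Group, Member | Format-Table -AutoSize

# Schema Admins and Enterprise Admins should normally be empty.
Get-PrivilegedMembership -Groups 'Schema Admins', 'Enterprise Admins' |
    ForEach-Object { Write-Warning "Standing member in $($_.Group): $($_.Member)" }

# Two hours of Domain Admins for an assumed admin account, dry run.
Grant-TemporaryMembership -Group 'Domain Admins' -User 'adm-jdoe' -Ttl (New-TimeSpan -Hours 2) -WhatIf

# Remaining TTL per member, shown as <TTL=seconds,CN=...>; the DC removes
# expired entries itself, no cleanup job required.
Get-ADGroup 'Domain Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

With the PAM feature enabled, a user whose membership carries a TTL also receives Kerberos tickets whose lifetime is capped at the remaining TTL, so the privilege really does lapse when the timer runs out rather than lingering in an already-issued ticket.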

The Bottom Line

In 2023, Active Directory and Azure Active Directory security need to be brought to the forefront of security leaders’ attention. These core identity and access management services are mission critical in enterprises of all sizes. Security stakeholders would be well-advised to take serious steps to harden them before attackers notice just how vulnerable their implementations actually are.

Menachem Shafran

Menachem Shafran is a product leader with more than 15 years of experience in product management and cybersecurity. Mr. Shafran has managed complex products ranging from cybersecurity, homeland security and DevOps automation to mobile applications. His strength in creating a product vision and aligning R&D efforts with sales and marketing has been demonstrated over the years during his tenure at Quali, NowForce, now part of Verint (VRNT), and Radware (RDWR). Prior to his roles in product management, Mr. Shafran served for 5 years in the IDF’s Elite Intelligence Unit 8200, where he served both as a researcher and as a team leader. Mr. Shafran holds a B.Sc in mathematics from the Hebrew University and a B.Mus in percussion.
