Active Directory has long been a go-to platform for many organizations for centralized user account information. Because of its wide adoption, it has become a high value target for attackers – often attempting to steal credentials and elevate their privileges for access to the most sensitive data.
As per a recent Forrester report on the State of Microsoft Active Directory 2018, there are a few key areas in which Active Directory will evolve over the course of the year, including a major shift towards cloud-based services.
So, in this blog we will take a look at some of the key trends that Forrester predict for AD in 2018 and see how you can gear your organization up to be prepared for them.
Cloud-Based Active Directory is in High Demand
Every year, cloud-based solutions continue to transform the working environment into a more collaborative, powerful and innovative place. I don’t think there are many organizations that doubt the effectiveness of the cloud anymore, and it is only a matter of time before yours makes the move.
Forrester reports that 40% of enterprise applications are cloud-based in the respondents to the survey. This is because Cloud-based apps (SaaS) and cloud platforms simplify administration, configuration and reduce running costs in most cases.
The challenges that many organizations are facing with this new trend is that, as more and more SaaS apps are configured to an on-premises AD, often through an encrypted SSL tunnel, reliability and security can be compromised. If you are thinking about integrating SaaS apps into your on-premise AD environment, you need to consider these potential risks and think about potentially moving your AD to the cloud. Moving to Azure AD, for example, can help to better integrate your SaaS apps with the directory and make management easier.
Active Directory is Used for More Than Just Employee Data
Once upon a time, Active Directory was simply a method of employee authentication through the storage and management of login data. Nowadays, organizations operate in more complex environments, where AD is used to authenticate external parties; including partners and customers. This has increased the potential value of AD as you now need to look outside the boundaries of your employees.
In fact, according to Forrester, the organizations surveyed said that only 56% of their AD accounts were for their employees. The remaining percentage was made up of partners, resellers, distributers and network devices.
At Lepide, we strongly suggest that you conduct an inventory of your AD accounts and categorize them accordingly. This should help you uncover cases where you have provided permissions to third-parties that no longer require them (believe me, it happens a lot). Inventories can be an essential part of cleaning up unused AD accounts and ensuring that security policies are applied evenly across all accounts.
Passwords are Still as Important as Ever
Active Directory stores all employee, partner and third-party identities and passwords for authentication purposes, and this makes it a prime target for hackers. Research suggests that hackers target weak AD passwords in an attempt to get access to active, privileged accounts and move laterally through the network to escalate privileges and steal data.
The most common password configurations for AD are 8-10 characters long with at least one number and one upper-case letter. In good AD security practice, most respondents required their users to change their AD password once every 90 days.
What are your AD password policies looking like at the moment? Are you in the majority of organizations that require users to use complex, regularly updated passwords? Or are you in need of a rethink? Don’t think that 8-10 characters is a safe password length. Consider using lengthier passwords to drastically minimize the risk of an attack. Look into multi-factor authentication as a way of doubly securing your most privileged administrative accounts.
Domains and Their Controllers Are Unpredictable
Once often asked and frequently Googled question is regarding the best number of domains and domain controllers to have in your organization. Unfortunately, the Forrester report couldn’t really shed any light on this, as responses varied wildly. Forrester reported receiving a response from a 100,000-employee firm that only had two domains, whereas an equally large retailed in the USA had one for every physical location (approximately 200).
Whilst on average, respondents used 18 domains and 68 domain controllers, the number you will use will likely come down to the structure of your organization. Generally the more you use, the more difficult it is to manage. Simplifying your AD infrastructure by minimalizing the number of AD domains you have can help you ensure a more consistent security policy across your enterprise-wide structure.
Visibility Will Be the Key to Security
As the Active Directory continues to be a high-profile target for hackers in 2018 onwards, the question becomes; how do I defend against potential attacks? Sure, you can have the strictest password policies in place, but that won’t stop a rogue admin moving laterally through your network, going unnoticed as they copy sensitive information. How can you combat this?
Visibility could be the answer. What I mean here is a way of monitoring what your users are doing and what changes are taking place inside your AD environment. You can do this using an Active Directory auditing tool or solution. One such Active Directory auditing solution is LepideAuditor. It gives you the ability to instantly when changes are being made to configurations and permissions. You can also get visibility into the activities of your most privileged accounts, audit user account lockouts and logon/logoff events.
Deploying a third-party Active Directory auditing solution will enable you to maintain the security of your IT infrastructure and pass compliance audits quicker. For more information on Lepide’s Active Directory Auditor, click here.