Active Directory (AD) is a proprietary directory service developed by Microsoft® for Windows domain networks. It stores information about user accounts, computer objects, groups, policies and other resources on the network, and gives administrators a single place to manage the security settings of their organization's IT infrastructure.
AD was developed to handle the authentication and authorization of users and machines on a Windows domain: an account proves its identity to a domain controller and is then granted access to resources across the domain according to the groups it belongs to and the policies that apply to it.
With Active Directory, administrators control who has access to which resources on the network, and can automate the management of user and computer permissions across many systems through group membership and Group Policy.
Active Directory was first released with Windows 2000 Server and runs on Windows Server. Since then, it has become the umbrella brand for a broad assortment of directory-based identity services from Microsoft.
Microsoft later introduced Azure AD (renamed Microsoft Entra ID in 2023) as a separate, cloud-hosted identity service for Azure and Microsoft 365. Azure AD Connect was then introduced to synchronize on-premises AD identities into it, bridging the two directories in hybrid environments.
Note: Active Directory and Azure AD are not the same product; they use different protocols and data models. This glossary page is about on-premises Active Directory.
Active Directory is a family of server roles. The core is Active Directory Domain Services (AD DS), the directory and authentication service, which is hosted on servers called domain controllers. Alongside it sit Lightweight Directory Services (AD LDS), Federation Services (AD FS), Rights Management Services (AD RMS) and Certificate Services (AD CS). Together with the domain controller, these are the six components usually listed as making up AD.
Data is stored in Active Directory as objects, each identified by a distinguished name and described by attributes. The objects held in one Active Directory database, under one security policy, form a domain. One or more domains that share a contiguous DNS namespace (for example, corp.example and its child emea.corp.example) form a tree. The top tier of Active Directory's logical structure is a forest: one or more trees that share a common schema, configuration partition and global catalog, and whose domains are linked by automatic two-way transitive trusts. Because any domain in a forest can reach the others through those trusts and the shared configuration, the forest, not the domain, is Active Directory's security boundary.
By employing these data structures, Active Directory effectively organizes and manages network user data, resource information, and administrative policies within a hierarchical framework.
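The relationship between domains, trees and the forest, and the trusts that cross the forest boundary, shown as an added PowerShell example (not code from the original page). The domain names are constructed sample data; the live commands at the end assume the ActiveDirectory RSAT module and a reachable domain controller.

```powershell
# Added example (not from the original page): group a forest's domains into trees and
# list the trusts that leave the forest. Sample domain names below are constructed.

function Get-ForestTrees {
    # A tree is the set of domains whose DNS names chain down from one root
    # (child.parent.tld belongs to the tree rooted at parent.tld).
    param([Parameter(Mandatory)] [string[]] $Domains)
    $trees = @{}
    foreach ($domain in $Domains) {
        $labels = $domain.Split('.')
        $root = $domain
        # Walk up the DNS hierarchy; the highest ancestor that is itself a
        # forest domain is this domain's tree root.
        for ($i = 1; $i -lt $labels.Length - 1; $i++) {
            $ancestor = $labels[$i..($labels.Length - 1)] -join '.'
            if ($Domains -contains $ancestor) { $root = $ancestor }
        }
        if (-not $trees.ContainsKey($root)) { $trees[$root] = @() }
        $trees[$root] += $domain
    }
    $trees
}

# Constructed sample: one forest holding two trees
# (corp.example with two child domains, partner.test with one).
$sampleDomains = 'corp.example', 'emea.corp.example', 'dev.emea.corp.example',
                 'partner.test', 'labs.partner.test'
$trees = Get-ForestTrees -Domains $sampleDomains
foreach ($root in $trees.Keys) { '{0}: {1}' -f $root, ($trees[$root] -join ', ') }

# Live equivalent for the current forest, plus the trusts that leave it.
# Every trust with IntraForest = $false is a path across the security boundary and
# should have SID filtering on and, where possible, selective authentication.
# Import-Module ActiveDirectory
# $forest = Get-ADForest
# Get-ForestTrees -Domains $forest.Domains
# Get-ADTrust -Filter * | Where-Object { -not $_.IntraForest } |
#     Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined, SelectiveAuthentication
```

The two trees in the sample share nothing but the forest: their DNS names are unrelated, yet they share one schema and trust each other automatically, which is why hardening efforts that stop at the domain level leave the real boundary unprotected.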
For attackers, Active Directory is the keeper of the crown jewels. Once inside a network, threat actors typically try to elevate their privileges so they can move to more critical systems, access sensitive data and establish persistence across the environment. Because Active Directory controls authentication for the whole domain, obtaining administrator-level access to it (membership of Domain Admins or an equivalent group) is one of their chief goals.
Attacks commonly begin by mapping the domain with tools such as BloodHound, an open-source application that collects group memberships, logon sessions, ACLs and trusts and uses graph analysis to reveal paths by which access can be escalated. Once the attackers have uncovered a hidden or complex attack path through the domain, they use tools like Mimikatz to extract the credentials (password hashes or Kerberos tickets) needed to follow it.
The targeting of Active Directory by attackers makes Privileged Access Management (PAM) a vital part of enterprise security.
PAM tools fall into three categories:
Ideally, these capabilities should be fully integrated into an underlying platform to avoid the silos that come from point solutions.
Active Directory, on its own, is not a PAM tool. It lets administrators manage permissions and control access to network resources, but it does not by itself vault credentials, record privileged sessions or broker access requests, so a comprehensive PAM strategy requires additional support.
With the right tool, however, Active Directory can be integrated with privileged access systems, for example as the identity source whose groups decide who may check out a vaulted account, which streamlines access management within an organization. So, while Active Directory alone does not fulfil the role of a PAM tool, it can be combined with other tools to enhance PAM capabilities.
With Privileged Access Management, organizations can use a suite of tools to provide an extra layer of protection for privileged accounts. These protections should be part of a layered approach to security that also involves continuous monitoring of Active Directory for suspicious activity.
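One piece of the continuous monitoring mentioned above, as an added PowerShell example (not code from the original page): flag every addition to a privileged group recorded in the Windows Security log. The list of privileged groups and the sample events are this example's own constructions; against a real domain the events would be collected from every domain controller.

```powershell
# Added example (not from the original page): detect membership changes to privileged AD groups.
# Security event IDs 4728 (global group), 4732 (local group) and 4756 (universal group) are
# logged as "A member was added to a security-enabled ... group".

# Groups to watch; this list is the example's own choice and should be tuned per environment.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

function Get-PrivilegedGroupChange {
    # Takes simplified records (EventId, Time, Group, Member, Actor) and returns
    # only those that add a member to one of $PrivilegedGroups.
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        if (($Entry.EventId -in @(4728, 4732, 4756)) -and ($Entry.Group -in $PrivilegedGroups)) {
            [pscustomobject]@{
                Time   = $Entry.Time
                Group  = $Entry.Group
                Member = $Entry.Member
                Actor  = $Entry.Actor
                Alert  = 'Privileged group membership change'
            }
        }
    }
}

function ConvertFrom-SecurityEvent {
    # Maps a real EventRecord from Get-WinEvent onto the simplified shape above by reading
    # the named EventData fields out of the event XML.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            EventId = $Record.Id
            Time    = $Record.TimeCreated
            Group   = $data['TargetUserName']    # the group that was modified
            Member  = $data['MemberName']        # DN of the account that was added
            Actor   = $data['SubjectUserName']   # who made the change
        }
    }
}

# Constructed sample records standing in for Security log events, so the example runs offline.
$sample = @(
    [pscustomobject]@{ EventId = 4728; Time = '2024-05-01T09:12:00'; Group = 'Domain Admins';  Member = 'CN=svc-backup,OU=Service Accounts,DC=corp,DC=example'; Actor = 'jdoe' }
    [pscustomobject]@{ EventId = 4728; Time = '2024-05-01T09:13:00'; Group = 'Marketing';      Member = 'CN=asmith,OU=Users,DC=corp,DC=example';                Actor = 'hr-admin' }
    [pscustomobject]@{ EventId = 4732; Time = '2024-05-01T09:14:00'; Group = 'Administrators'; Member = 'CN=helpdesk1,OU=Users,DC=corp,DC=example';             Actor = 'jdoe' }
    [pscustomobject]@{ EventId = 4624; Time = '2024-05-01T09:15:00'; Group = $null;            Member = $null;                                                   Actor = 'asmith' }
)

$sample | Get-PrivilegedGroupChange | Format-Table -AutoSize

# Against a live domain controller (needs rights to read the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756 } |
#     ConvertFrom-SecurityEvent | Get-PrivilegedGroupChange
```

Only the Domain Admins and Administrators changes survive the filter; the Marketing change and the logon event do not. In practice the output would feed a SIEM rule rather than a console, and the same pattern extends to removals (4729, 4733, 4757) and to the Protected Users and GPO-modifying groups an organization treats as Tier 0.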
Privileged Access Management tools include:
Session monitoring: Session monitoring for PAM helps organizations secure their systems and networks by providing visibility into user activities. It allows administrators to monitor, detect, and respond to suspicious activity associated with privileged accounts. Session monitoring provides an audit trail of all activities performed using privileged accounts.
Granular access controls: Granular access controls for PAM provide fine-grained control over which users have access to which resources. They allow administrators to set up different levels of permission according to the sensitivity and importance of each resource, ensuring that only authorized personnel can make changes or view data.
Password vaulting: Within the context of enterprise IT and critical infrastructure, password vaulting refers to taking highly privileged administrative accounts and passwords out of the direct control of IT staff and storing them securely in a software vault. The vault then controls who is allowed access, when, and for how long. This reduces the risk of such passwords being abused by internal or external threat actors.
The passwords are protected in the vault with access controlled via a role-based access control mechanism. The vault may include additional security features, such as scheduled password rotation and a workflow-based access request and approval mechanism to support a Just-in-Time access control model.
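Active Directory can supply one building block of the Just-in-Time model described above on its own: time-bound group membership through the Privileged Access Management optional feature (Windows Server 2016 forest functional level or later). The following is an added PowerShell example, not code from the original page; it assumes the ActiveDirectory RSAT module, a caller allowed to modify the group, and a forest named corp.example, which is a placeholder.

```powershell
# Added example (not from the original page): Just-in-Time membership of a privileged AD group.
# Assumes the ActiveDirectory module, rights to modify the group, and a forest called
# corp.example (placeholder name).
Import-Module ActiveDirectory

function Enable-TemporaryGroupMembership {
    # One-time setup: turn on the optional feature that lets group memberships carry a
    # time-to-live. Once enabled, an optional feature cannot be disabled again.
    param([Parameter(Mandatory)] [string] $ForestName)
    $feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    if (-not $feature.EnabledScopes) {
        Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
            -Scope ForestOrConfigurationSet -Target $ForestName -Confirm:$false
    }
}

function Grant-JitGroupMembership {
    # Adds $User to $Group with a TTL. AD drops the membership link itself when the TTL
    # expires, and Kerberos tickets issued meanwhile live no longer than the remaining TTL,
    # so the elevation ends without anyone having to remember to revoke it.
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $User,
        [timespan] $Duration = (New-TimeSpan -Hours 1)
    )
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Duration

    # Return the membership entry with its remaining TTL (shown as <TTL=seconds,DN>)
    # so the grant can be logged alongside the approval that justified it.
    $dn = (Get-ADUser -Identity $User).DistinguishedName
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -match [regex]::Escape($dn) }
}

# Usage: once per forest, then once per approved request.
Enable-TemporaryGroupMembership -ForestName 'corp.example'
Grant-JitGroupMembership -Group 'Domain Admins' -User 'alice' -Duration (New-TimeSpan -Minutes 30)
```

This covers only the expiry half of JIT. The request, approval and session-recording steps still have to come from a PAM tool that sits in front of this call, which is the point the surrounding text makes about Active Directory not being a PAM solution by itself.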
IBM Red Hat Directory Server: Red Hat Directory Server (Red Hat is an IBM subsidiary) is an LDAP-based directory server that provides a network-accessible registry of application and user identity data, independent of any one client operating system. It gives IT administrators a centralized location in which to manage profiles and user credentials.
Apache Directory: ApacheDS™ is an extensible and embeddable directory server written entirely in Java. It has been certified LDAPv3-compliant by The Open Group.
Lightweight Directory Access Protocol: LDAP is an open, vendor-neutral application protocol for querying and modifying directory services over TCP/IP. Clients use it to locate information about resources in a network, including organizations, people, files and devices, and it is used on both the public Internet and private intranets.
LDAP is "lightweight" by comparison with the X.500 Directory Access Protocol it was derived from, and needs far less of the protocol stack to implement. It is a protocol rather than an Identity and Access Management (IAM) product, but directories that speak it underpin many IAM and Single Sign-On (SSO) deployments: LDAP supports simple (password) binds and Simple Authentication and Security Layer (SASL) binds, which can carry Kerberos via GSSAPI, and connections can be protected with TLS (LDAPS on port 636 or StartTLS on port 389). Active Directory itself is queried over LDAP.
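How an LDAP lookup is actually expressed, as an added PowerShell example that is not code from the original page. It builds a search filter for Active Directory and escapes the filter value as RFC 4515 requires, so that a caller-supplied account name cannot rewrite the query; the account names and the adminCount check are this example's own choices, and the live search at the end assumes a domain-joined Windows host.

```powershell
# Added example (not from the original page): build an LDAP search filter safely and run it.
# RFC 4515 reserves \ * ( ) and NUL inside filter values; they must be written as \5c \2a \28 \29 \00.

function ConvertTo-LdapFilterValue {
    # Escapes a value for use inside an LDAP filter. Backslash goes first so the backslashes
    # introduced by the other replacements are not escaped a second time.
    param([Parameter(Mandatory)] [string] $Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function New-UserLookupFilter {
    # Filter that finds one user account by sAMAccountName. objectCategory=person plus
    # objectClass=user is the usual idiom for "user, not computer" in Active Directory.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $safe = ConvertTo-LdapFilterValue -Value $SamAccountName
    "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
}

# Offline check of the escaping: a benign name passes through unchanged, while an attempt
# to smuggle in an extra clause stays a literal value that matches no account.
New-UserLookupFilter -SamAccountName 'alice'
New-UserLookupFilter -SamAccountName '*)(adminCount=1'

# Live search (requires a reachable domain controller): [adsisearcher] wraps
# System.DirectoryServices.DirectorySearcher and speaks LDAP to the current user's domain.
# adminCount is requested because AD sets it to 1 on accounts that are, or have been, members
# of protected groups such as Domain Admins, which makes it a quick privileged-account indicator.
$searcher = [adsisearcher](New-UserLookupFilter -SamAccountName 'alice')
$searcher.PropertiesToLoad.AddRange(@('distinguishedname', 'admincount', 'memberof'))
$searcher.FindAll() | ForEach-Object {
    [pscustomobject]@{
        DistinguishedName = $_.Properties['distinguishedname'][0]
        AdminCount        = $_.Properties['admincount'][0]
        MemberOf          = ($_.Properties['memberof'] -join '; ')
    }
}
```

The same filter string works against any LDAPv3 server, including the Red Hat and Apache servers listed above, which is what makes LDAP the common denominator between otherwise different directories.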
More AD Resources:
Blogs
Active Directory Security and Hardening: An Ethical Hacker’s Guide to Reducing AD Risks
Securing Active Directory to Reduce Ransomware Attacks: A Quick Primer
AD Bridging: If you're only using it for authentication, you're missing a ton of value
How to Keep Active Directory Active in a Hybrid IT World
Protect Active Directory from Cyberattacks with Server PAM
Whitepapers
Active Directory Security and Hardening
Advanced Active Directory Bridging
Tools
Weak Password Finder Tool for Active Directory
Service Account Discovery Tool for Windows Active Directory
Product: Secret Server
Discover Local and Active Directory Privileged Accounts