Active Directory modernization is a hot topic, and for good reason. Active Directory (AD) is the core identity system for most organizations today, providing the essential authentication and authorization services required for users to do their jobs and for processes and services to run. However, AD is such a large and complex system that it can sprawl out of control in a very short period of time — and many AD environments have existed for years or even decades.
Active Directory modernization is the key to conquering that sprawl and regaining the control you need. In this article, we’ll explain how AD sprawl puts your organization at serious risk and how Active Directory modernization offers a path to strong Active Directory security and cyber resilience. Then we’ll explore four key use cases that can help you determine whether AD modernization should be a priority for your organization.
AD sprawl puts the organization at serious risk.
Active Directory sprawl puts an enormous strain on your limited IT resources, which in turn leads to more sprawl. For example, urgent issues get addressed with workarounds that are intended to be temporary — but end up calcifying in place as the IT team moves on to the next fire that needs to be put out. This is especially true during merger and acquisition (M&A) deals. Plus, M&As exacerbate the problem by multiplying the number of AD environments that need to be managed.
The resulting AD sprawl can certainly hurt user satisfaction and productivity, as well as increase software and hardware costs. But the most critical effect is often serious damage to the organization’s security and cyber resilience. Indeed, lack of insight into crucial IT assets and control over accounts, groups, and permissions spells one thing to threat actors: opportunity. They can take advantage of these security vulnerabilities to slip into the IT ecosystem, compromise credentials, and elevate their access rights to move laterally around the environment. As a result, they can reach sensitive data that they can steal or encrypt for ransom, or gain access to critical systems that they can sabotage to impair business operations.
AD modernization empowers stronger security and cyber resilience.
The answer to these issues is Active Directory modernization. Simply put, AD modernization is the process of getting your AD house in order and ensuring you can keep it that way. It involves consolidating your various AD environments through Active Directory migration, so that you end up with just a single forest with one domain to manage.
That migration is paired with the simultaneous honing of security. In fact, a migration is a great opportunity to review security across the entire environment, determine where the risks are and clean them up. It is also an opportunity to rationalize and update security to align with current business requirements. The result is an AD environment that is as secure and resilient as it possibly can be.
There are two additional key points to understand:
- AD modernization includes more than just AD. The migration project for modernizing your AD will impact not only AD servers, data and services, but also file and application servers, endpoints, applications, policies, processes, and non-AD data.
- Modernization doesn’t end after the migration. Remember those years of unmanaged changes that now require an AD modernization effort? To avoid creating a similar mess post-migration, there needs to be a plan for ongoing management, monitoring and protection of AD. This involves implementing security solutions that provide capabilities like Active Directory management, monitoring, reporting, and backup and recovery.
Four use cases for AD modernization
Now, let’s turn to four key use cases for Active Directory modernization:
- Identify and protect critical (Tier 0) assets.
- Understand and manage elevated access.
- Eliminate SID History risks.
- Address AD configuration sprawl.
Use case #1: Identify and protect Tier 0 assets.
One of the key casualties of Active Directory sprawl is visibility. As the environment becomes larger and more convoluted, IT teams lose insight into the assets within it. Who has access to what? Which services are critical to business operations and which servers do they run on? What are the effective Group Policy settings for each asset?
Identifying Tier 0 assets
Unfortunately, most organizations cannot even definitively list their most critical systems and data, collectively known as Tier 0. These assets are a top target of cyberattacks because an adversary who compromises one of them can gain full control of the organization’s IT infrastructure.
Key assets in Tier 0 include:
- Domain controllers (DCs) — As the name implies, a domain controller is the control center for an AD domain. Every AD domain must have at least one domain controller. Each DC stores a copy of the directory file, and any changes it makes to that file are replicated to all the other DCs in the domain. All domain controllers provide core services like authentication and authorization, and some DCs are assigned special roles that enable them to perform additional functions. Because of the vital role they play in controlling access and storing identity information, DCs are clearly Tier 0 assets.
- Other powerful servers — DCs are not the only servers that belong in the list of Tier 0 assets. Others include Public Key Infrastructure (PKI) servers, servers used by AD administrative solutions, the server hosting Microsoft Entra Connect in hybrid environments, and servers that host sessions for privileged accounts.
- Servers that host or provide access to critical data — Any server that provides access to content like intellectual property (IP), customer information or HR data is also a Tier 0 asset.
- Privileged accounts — Tier 0 also includes all accounts and security groups that have direct or indirect administrative control over your forest, domains or DCs. The most obvious examples are powerful built-in security groups like Domain Admins, Account Operators and Backup Operators, along with all user accounts that are members of those groups. Privileged accounts are discussed in more detail in use case #2 below.
- Group Policy objects (GPOs) and trusts — Group Policy is a powerful feature of Active Directory that helps administrators centrally manage users and computers across a domain. Trusts are used to enable users in multi-domain environments to access the resources they need to do their jobs. These critical Tier 0 assets are discussed in detail in use case #4.
Protecting Tier 0 assets
The process of Active Directory modernization empowers you to not only identify your Tier 0 assets, but to protect them as well. There are two key steps:
- Minimize the number of Tier 0 assets. By consolidating your AD forests and domains through migration, you immediately reduce the number of Tier 0 assets in the environment. Moreover, you are better positioned to further trim that list by removing unnecessary members from privileged groups, mitigating attack paths, cleaning up Group Policy, and so on.
- Minimize access to Tier 0 assets. Credentials from a Tier 0 account must not be exposed to systems that are not Tier 0, and assets that are not in Tier 0 should never be able to use services provided by Tier 0. In particular, privileged accounts must be able to log on TO trusted computers only and FROM trusted computers only. For example, administrators should never use their Domain Admin credentials to log on to business user workstations.
Use case #2: Understand and manage elevated access.
The next use case for Active Directory modernization zooms deeper into a critical aspect of the previous use case: accounts that have elevated access. Many organizations do not have a clear picture of exactly which accounts have elevated access rights in the environment, which increases the risk of adversaries gaining access to critical data and systems or even gaining full control over the environment.
Understanding elevated access
The first step is to get a thorough inventory of privileged accounts. They include the following:
- Members of powerful security groups — These groups include built-in groups Domain Admins, Enterprise Admins, Schema Admins, Account Operators and Backup Operators. It’s also crucial to look for any custom security groups that your organization has created over the years that have powerful access rights.
- Service accounts that have been granted elevated rights — A service account is a user account that is used by a service rather than a human. For example, Microsoft service accounts are used to run services like Exchange, SharePoint, SQL Server and Internet Information Services (IIS). In addition, service accounts are required for many line-of-business applications and services that organizations use, from web applications to backup software to SaaS workloads. Service accounts are prime targets for attackers because their passwords are rarely changed, they tend to have more rights than needed, and they are frequently configured with legacy settings that make them vulnerable to abuse.
- Accounts with access to sensitive data and applications — Regular business user accounts are often granted permissions to access sensitive data and critical workloads. Examples include members of the Finance department who can read or modify the organization’s financial records and executives who can access valuable IP. These accounts need to be added to the list.
- Accounts that could gain privileged access — Organizations also typically have huge numbers of accounts that do not presently have elevated access rights but that could easily gain them. Attackers often compromise these seemingly ordinary accounts and then escalate the account’s privileges by abusing concealed permissions, nested group membership and other vulnerabilities. There are open-source tools that will map out these attack paths in detail for adversaries, so it’s vital for defenders to proactively find and mitigate them.
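The inventory described above can be started from PowerShell. The script below is an added example, not code from the article or its vendor; it assumes the RSAT ActiveDirectory module and read access to the domain, expands nested membership server-side so indirect members are reported, and flags the two conditions the article calls out (stale passwords and service accounts holding privileged membership).

```powershell
# Added example: inventory of direct and nested members of the built-in
# privileged groups named in the article. Add custom groups to the list.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Account Operators', 'Backup Operators')

$report = foreach ($name in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain.
    $server = if ($name -in 'Enterprise Admins', 'Schema Admins') {
        (Get-ADForest).RootDomain } else { (Get-ADDomain).DNSRoot }
    $group = Get-ADGroup -Identity $name -Server $server -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC
    # walk nested groups, so users who inherit membership indirectly are included.
    # Members from other trusted domains (foreign security principals) are not
    # returned by this query and must be inventoried in their own domain.
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
    Get-ADUser -LDAPFilter $filter -Server $server `
        -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, LastLogonDate |
      ForEach-Object {
        [pscustomobject]@{
            Group                = $name
            SamAccountName       = $_.SamAccountName
            Enabled              = $_.Enabled
            # An account with SPNs is almost always a service account.
            IsServiceAccount     = ($_.ServicePrincipalName.Count -gt 0)
            PasswordNeverExpires = $_.PasswordNeverExpires
            PasswordAgeDays      = if ($_.PasswordLastSet) {
                (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } else { $null }
            LastLogonDate        = $_.LastLogonDate
        }
      }
}

$report | Sort-Object Group, SamAccountName |
    Format-Table Group, SamAccountName, Enabled, IsServiceAccount, PasswordNeverExpires, PasswordAgeDays -AutoSize

# Entries that need review first: passwords older than a year, never-expiring
# passwords, or service accounts sitting in an administrative group.
$report | Where-Object { $_.PasswordAgeDays -gt 365 -or $_.PasswordNeverExpires -or $_.IsServiceAccount } |
    Export-Csv -Path .\privileged-accounts-review.csv -NoTypeInformation
```

Run it in each domain of the forest; the CSV is the starting point for the group-membership pruning discussed under "Managing elevated access".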
Managing elevated access
Active Directory modernization is invaluable for managing elevated access. Consolidating AD domains helps you minimize elevated access; for example, you can more easily review and prune the membership of privileged security groups. Equally important, AD modernization enables you to manage elevated access moving forward by implementing processes to ensure that all changes to privileges are sanctioned and documented.
Use case #3: Eliminate SID History risks.
This use case for Active Directory modernization dives even deeper to uncover elevated access that often goes unnoticed. Did you know that a migration that your organization performed years ago might well be giving user accounts access to data, applications and systems that have nothing to do with their job? It’s true, and understanding why requires knowing just a couple of technical details.
Each user account in an Active Directory domain has a security identifier (SID). This unique, immutable string is generated when the account is created, stored in the security database, and used in key processes like authentication and authorization. In short, a user’s SID is vital for them to get their work done.
But AD environments are highly dynamic, and many of them have been around for years or decades. Events like mergers, acquisitions and restructuring often involve migrating users from one AD domain to another. However, most migrations cannot be completed all at once in a big-bang approach. Instead, they require a period of coexistence during which migrated user accounts still require access to non-migrated resources but cannot retain their old SIDs.
To enable this access, Active Directory provides an account attribute called SID History. When a user is migrated, the new user account created for them in the target domain is assigned a brand-new SID, and the previous SIDs can be carried along in the SID History attribute. To enable cross-domain access, you must also create and maintain a trust between the source and target domains.
While using SID History and trusts enables users to remain productive during and after migration, this approach comes with an alarming downside: It can provide users with excessive access rights that IT teams don’t even know exist, including access across domains. These rights can be misused by the account owner — or abused by an attacker who compromises the account.
Active Directory modernization enables you to eliminate SID History without jeopardizing productivity. Instead of relying on a covert SID History, you set up permissions in the target environment in alignment with your business needs, compliance requirements and other factors. Once the migration is complete, you can remove SID History from all user accounts and remove the trust, thereby wiping away all the associated risks.
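Before SID History can be removed, you need to know which objects still carry it and which source domains those historical SIDs came from. The script below is an added example, not code from the article or its vendor; it assumes the RSAT ActiveDirectory module and that permissions have already been re-created in the target domain, and it only previews the removal until -WhatIf is dropped.

```powershell
# Added example: audit sIDHistory across the domain, tie each historical SID
# back to a trust (or flag it as orphaned), then preview clearing the attribute.
Import-Module ActiveDirectory

# Users, computers and groups that still carry historical SIDs.
$withHistory = Get-ADObject -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, objectClass, sAMAccountName

# Map each trusted domain's SID to its name so historical SIDs can be attributed.
# A historical SID whose domain has no trust is orphaned and grants nothing today,
# but it would become live again if such a trust were ever re-created.
$trustedDomains = @{}
foreach ($t in Get-ADTrust -Filter *) {
    if ($t.SecurityIdentifier) { $trustedDomains[$t.SecurityIdentifier.Value] = $t.Name }
}

$report = foreach ($obj in $withHistory) {
    foreach ($sid in $obj.sIDHistory) {
        # AccountDomainSid is the S-1-5-21-... prefix identifying the issuing domain.
        $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        [pscustomobject]@{
            SamAccountName = $obj.sAMAccountName
            ObjectClass    = $obj.objectClass
            HistoricalSid  = $sid.Value
            SourceDomain   = if ($domainSid -and $trustedDomains.ContainsKey($domainSid)) {
                                 $trustedDomains[$domainSid] } else { 'no trust (orphaned)' }
        }
    }
}
$report | Sort-Object SourceDomain, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path .\sidhistory-audit.csv -NoTypeInformation

# Removal step: clearing sIDHistory is irreversible, so keep -WhatIf until the
# audit has been reviewed and resource permissions exist in the target domain.
foreach ($obj in $withHistory) {
    Set-ADObject -Identity $obj.DistinguishedName -Clear sIDHistory -WhatIf
}
```

Only after every object reports no sIDHistory does it make sense to retire the trust to the source domain.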
Use case #4: Address AD configuration sprawl.
In use case #1, we noted that Tier 0 includes not just critical servers and accounts, but two other key elements: Group Policy and trusts. These components of the AD environment can change the configuration of endpoints and servers, grant elevated access to user accounts, and even grant access across environments. Let’s see how Active Directory modernization can help you address these types of AD configuration sprawl.
Group Policy
Group Policy is a powerful feature of Active Directory that helps administrators centrally manage users and computers across a domain. Microsoft provides literally thousands of policies and settings that can enforce password policies, deploy software, run scripts at computer startup or shutdown, and much more.
Over the years, organizations often build up an enormous set of Group Policy objects (GPOs). They are created as new needs arise, but IT teams are reluctant to remove or revise old GPOs because doing so could break critical processes. Between the sheer volume of settings, the complexity of GPO linkage and the complex rules about the priority of settings, organizations soon lose all hope of understanding exactly what policies are being applied where. This complexity enables attackers to abuse Group Policy to achieve their goals.
Active Directory modernization enables you to clean up your Group Policy to ensure both security and productivity — and to keep it that way through effective change management and blocking any modification of critical GPOs, whether malicious or accidental.
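A Group Policy cleanup starts with knowing which GPOs are linked where and which are dead weight. The script below is an added example, not code from the article or its vendor; it assumes the RSAT GroupPolicy module and reads each GPO's XML report to list its links and detect GPOs that are unlinked, disabled or carry no settings.

```powershell
# Added example: map every GPO to the sites, domains and OUs it is linked to,
# and flag candidates for removal or review.
Import-Module GroupPolicy

$gpoReport = foreach ($gpo in Get-GPO -All) {
    # The XML report has one LinksTo element per link; Computer/User carry an
    # ExtensionData element only when that side actually defines settings.
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($xml.GPO.LinksTo | ForEach-Object { $_.SOMPath })
    $enforced = @($xml.GPO.LinksTo | Where-Object { $_.NoOverride -eq 'true' }).Count
    $hasSettings = ($null -ne $xml.GPO.Computer.ExtensionData) -or
                   ($null -ne $xml.GPO.User.ExtensionData)
    [pscustomobject]@{
        Name          = $gpo.DisplayName
        Status        = $gpo.GpoStatus          # e.g. AllSettingsEnabled, AllSettingsDisabled
        Modified      = $gpo.ModificationTime
        LinkCount     = $links.Count
        EnforcedLinks = $enforced
        LinkedTo      = ($links -join '; ')
        HasSettings   = $hasSettings
    }
}

# Unlinked, fully disabled, or empty GPOs do nothing today but still add to the
# sprawl; enforced links override normal precedence and deserve a closer look.
$gpoReport | Where-Object { $_.LinkCount -eq 0 -or -not $_.HasSettings -or
                            $_.Status -eq 'AllSettingsDisabled' } |
    Format-Table Name, Status, LinkCount, HasSettings, Modified -AutoSize

$gpoReport | Sort-Object LinkCount -Descending |
    Export-Csv -Path .\gpo-link-inventory.csv -NoTypeInformation
```

The CSV gives the link map the article says organizations lose sight of; pair it with Get-GPResultantSetOfPolicy on a sample computer when you need the effective settings for one asset.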
Trusts
When organizations have multiple Active Directory domains and forests, they usually establish trusts between them in order to enable users to access the resources they need to do their jobs. However, an AD forest is meant to be a clear security boundary, and trusts are essentially bridges over those boundaries. Those bridges can be used not only by employees with legitimate business needs but also by adversaries with nefarious intentions.
Unfortunately, trusts are often configured once and completely forgotten. As a result, an adversary who breaches the least-secure forest can move laterally to other forests. Through Active Directory modernization, you can consolidate down to a single domain in a single forest, which eliminates the need for trusts, along with all the complexity and risk that comes with them.
Conclusion
Nearly every AD environment that’s been around for a while suffers from at least one of the risks outlined above, whether it’s lack of insight into Tier 0 assets, insufficient control over elevated access, unknown access rights from lingering SID History, or increased attack surface due to AD configuration sprawl. Indeed, many organizations are likely to find that several of the use cases apply to their IT ecosystem.
Active Directory modernization offers an effective path forward. By consolidating your AD environment down to one forest with a single domain and performing a thorough cleanup, you can significantly strengthen your security and cyber resilience.