Active Directory is currently the most popular directory because it is proprietary to Microsoft operating systems, but its days may be numbered for many reasons. In this interview, Tim O'Connor, Manager of Knowledge Services at Cadre and an expert in directory systems, gives us the low-down on Active Directory and some tips for using it proactively.
What is Active Directory?
Let’s begin by defining the X.500 standards. This is simply a series of international standards that let systems communicate over a wide area network. X.500 standards allow interoperability between things built by different vendors that are located in different places. That's become much more important now that so many of our processes depend on the cloud, and we are connecting things across greater distances than ever before.
But X.500 contains way too many syllables for technical geeks – we don't play that. We made a slang term for any wide area network operating system built to these standards. We call them directories, such as Novell Directory Services, Open Directory or Active Directory.
Active Directory is the most popular directory right now.
Why is Active Directory So Popular?
The principal strength of Active Directory is its use with Microsoft operating systems. There's a lot of proprietary technology inside Active Directory that's made to work with Microsoft's own products, such as Windows operating systems and Windows servers.
It’s essentially its own network security ecosystem. So, organizations that have Microsoft operating systems and servers go to Active Directory because they want to be able to control that ecosystem with a wide area network operating system.
Here are some of the key capabilities of Active Directory:
- Active Directory's authentication system, a.k.a. Kerberos. This system confirms the user’s identity, controls rights and permissions, and grants access to resources. From a nontechnical person's perspective, it mostly has to do with logging in and being able to use resources.
- Group Policy Object (GPO) features allow you to push out updates to machines, install software, and reconfigure machines. They also allow you to query what's on your network, control the flow of information, and replicate information from one place to another.
- It also assists in disaster recovery, among hundreds of other things.
While Active Directory is the most popular directory, and it can do hundreds of things, it’s also losing ground for a number of reasons.
A Waning Network Security Ecosystem
From a competitive standpoint, Microsoft is at a disadvantage because it isn’t a player in the mobile market for operating systems. This is critical because mobile devices are now more popular than desktop computers. Competitors such as Macintosh and Unix are using Open Directory, while other alternatives pop up in the cloud monthly.
From a security standpoint, there are many reasons why Active Directory may see its doom in the future. Some of the principal issues with Active Directory are actually Microsoft's fault. For instance:
- Kerberos was poorly designed and implemented in Active Directory’s authentication system. Microsoft restricted Kerberos’ capabilities from the beginning by implementing its features poorly. So out of the box, Active Directory has flaws and misconfigurations that are causing us lots of problems.
- Microsoft has been slow to reengineer Active Directory for a cloud and mobile environment, whereas the new directories are almost made from the ground up with the cloud in mind. The new directories also better support the X.500 standards, and are more open to, say, iOS, Android, Macintosh and Unix.
- But what is most frightening, and perhaps a CISO's nightmare, is the golden ticket attack, where the attacker literally takes over your entire network and, once the attack is done, you have almost no way of stopping it.
Unfortunately, SIEM and Active Directory monitoring solutions don’t prevent attacks upfront. They're reactionary tools that tell you after something has happened. It's merely an alarm bell that goes off, but it's up to you to react quickly enough to prevent any significant damage, and sometimes that can't be done.
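To make the "alarm bell" concrete, here is an added example (written for this page, not code from the article or from Cadre) of the two signals an Active Directory monitoring rule typically fires on for a golden ticket. It follows the Kerberos exchange the capabilities list refers to: a client first obtains a ticket-granting ticket from a domain controller (audit event 4768) and then presents it to request a service ticket (event 4769). A golden ticket is a TGT forged offline with the krbtgt key, so no domain controller ever logged a 4768 for it; the first trace is a 4769 with no matching 4768 for that account from that client. Forged tickets are also commonly built with RC4-HMAC (encryption type 0x17) even for accounts that only hold AES keys. The log lines, the AES-only account list and the one-line field rendering are constructed for the example; real input would come from every DC in the domain via the SIEM or Get-WinEvent.

```python
"""Flag Kerberos audit events that point to a forged TGT (golden ticket).

Added example; not code from the article or from Cadre. Field names follow
the Windows security event XML for 4768/4769, but the lines themselves are
constructed and not real domain controller output.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time event_id account ip etype")

ETYPE_RC4_HMAC = 0x17                        # TicketEncryptionType value in 4768/4769
DEFAULT_TGT_LIFETIME = timedelta(hours=10)   # AD default maximum TGT lifetime

# Constructed sample log (not real DC output): alice and bob log on normally;
# "Administrator" from 10.0.0.77 requests a service ticket with no preceding TGT.
SAMPLE_LOG = """\
2024-03-01T09:00:00 EventID=4768 TargetUserName=alice IpAddress=::ffff:10.0.0.5 TicketEncryptionType=0x12
2024-03-01T09:00:02 EventID=4769 TargetUserName=alice@CORP.LOCAL IpAddress=::ffff:10.0.0.5 TicketEncryptionType=0x12
2024-03-01T09:40:00 EventID=4768 TargetUserName=bob IpAddress=::ffff:10.0.0.8 TicketEncryptionType=0x17
2024-03-01T09:40:05 EventID=4769 TargetUserName=bob@CORP.LOCAL IpAddress=::ffff:10.0.0.8 TicketEncryptionType=0x17
2024-03-01T09:30:00 EventID=4769 TargetUserName=Administrator@CORP.LOCAL IpAddress=::ffff:10.0.0.77 TicketEncryptionType=0x17
"""

# Constructed list of accounts whose msDS-SupportedEncryptionTypes allow only AES;
# in practice pull it from AD. An RC4 ticket for one of these is anomalous.
AES_ONLY_ACCOUNTS = {"administrator", "alice"}


def parse_line(line):
    """Turn one rendered audit line into an Event with normalised account and IP."""
    timestamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ip = kv["IpAddress"]
    if ip.startswith("::ffff:"):          # IPv4-mapped form as logged in 4768/4769
        ip = ip[len("::ffff:"):]
    return Event(
        time=datetime.fromisoformat(timestamp),
        event_id=int(kv["EventID"]),
        account=kv["TargetUserName"].split("@")[0].lower(),  # 4769 carries user@REALM
        ip=ip,
        etype=int(kv["TicketEncryptionType"], 16),
    )


def detect_golden_ticket_indicators(lines, aes_only_accounts, tgt_lifetime=DEFAULT_TGT_LIFETIME):
    """Return (reason, event) pairs for 4769 events that look like a forged TGT.

    Events are processed in time order. A 4769 is suspicious when no 4768 for
    the same (account, client IP) was seen within the TGT lifetime, or when it
    uses RC4 for an AES-only account. Legitimate causes of the first signal
    include TGT renewals (event 4770), logons audited on a different DC and
    audit gaps, so correlate across all DCs before escalating.
    """
    events = sorted((parse_line(line) for line in lines if line.strip()), key=lambda e: e.time)
    last_tgt = {}      # (account, ip) -> time of the most recent 4768
    findings = []
    for ev in events:
        key = (ev.account, ev.ip)
        if ev.event_id == 4768:
            last_tgt[key] = ev.time
            continue
        if ev.event_id != 4769:
            continue
        issued = last_tgt.get(key)
        if issued is None or ev.time - issued > tgt_lifetime:
            findings.append(("tgs_without_tgt", ev))
        if ev.etype == ETYPE_RC4_HMAC and ev.account in aes_only_accounts:
            findings.append(("rc4_ticket_for_aes_account", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in detect_golden_ticket_indicators(SAMPLE_LOG.splitlines(), AES_ONLY_ACCOUNTS):
        print(f"{ev.time} {reason}: account={ev.account} client={ev.ip} etype=0x{ev.etype:02x}")
```

Run as-is, the script reports both indicators for the Administrator request from 10.0.0.77 and nothing for alice or bob. Note that this confirms the article's point rather than contradicting it: by the time either rule fires, the forged ticket has already been accepted. The preventive control is key hygiene on the krbtgt account, since a golden ticket stays valid until the krbtgt password has been changed twice (the KDC honours both the current and the previous key).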
Surviving Active Directory
Although these disadvantages may be indicative of darker days ahead for Active Directory, there are many ways to forestall attacks proactively and protect your information security.
Here are 7 tips for proactively using Active Directory:
- The number one thing that you want to do to keep yourself safe using Active Directory is to check your Active Directory settings against a compliance framework, such as the NIST or MITRE frameworks.
- Implement the NIST 800 password recommendations that were recently published. They focus not on rotating and changing passwords, or having super complex passwords, but using passwords that are easier for your users to manage.
- Train staff on security awareness. Make sure that security awareness training and your end user protocols have been set to meet the new NIST 800 password compliance framework.
- Lock your doors with endpoint products. These tools work on the workstations and the servers themselves, and they potentially stop malicious attacks before they even get to Active Directory.
- Contact a trusted advisor to install Active Directory software, or to fix known problems in Active Directory. Consider a vCISO service that can help ensure your installations and fixes align with a compliance framework.
- Use third party tools to do assessments and make sure that your Active Directory holes have been patched. Don’t use only Microsoft tools.
- Leverage an assessment service that is equipped with a whole battery of different tools that it can use to evaluate Active Directory from an outside perspective.
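Tips one through three above come down to one check: does the domain's password policy follow the NIST guidance referred to (SP 800-63B, Section 5.1.1.2: no forced rotation, no composition rules, a minimum of 8 characters, and screening against a list of breached or common passwords), and does the organisation screen passwords the way 800-63B asks for instead of relying on complexity rules? The following added example (written for this page, not code from the article, Cadre or NIST) does both against constructed input. The policy dictionaries use the property names returned by the PowerShell cmdlet Get-ADDefaultDomainPasswordPolicy, but their values are made up for the example, and the blocklist is a tiny stand-in for a real breached-password feed.

```python
"""Apply the NIST SP 800-63B memorized-secret rules to an AD password policy
and to candidate passwords.

Added example; not code from the article, Cadre or NIST. Policy field names
match Get-ADDefaultDomainPasswordPolicy output; values and the blocklist are
constructed.
"""
from datetime import timedelta

# Constructed stand-in for a breached/common password feed. A real deployment
# checks a large corpus (for example a Have I Been Pwned range query).
BLOCKLIST = {"password", "password1", "123456", "qwerty", "welcome1", "letmein", "summer2024"}

MIN_LENGTH = 8     # 800-63B: at least 8 characters must be required
MAX_LENGTH = 128   # 800-63B: at least 64 must be accepted; cap only to bound hashing cost


def _has_repeat_or_sequence(s, run=4):
    """True if s contains `run` identical or consecutive characters (aaaa, 1234, dcba)."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def screen_password(password, context_words=()):
    """Verifier-side check per 800-63B 5.1.1.2. Returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if len(password) > MAX_LENGTH:
        return False, "too long"
    lowered = password.lower()
    if lowered in BLOCKLIST:
        return False, "on breached/common password list"
    for word in context_words:                      # user name, company name, service name
        if len(word) >= 4 and word.lower() in lowered:
            return False, "contains context-specific word"
    if _has_repeat_or_sequence(lowered):
        return False, "repeated or sequential characters"
    return True, "ok"


def evaluate_domain_policy(policy):
    """Compare a default domain password policy with 800-63B expectations.

    Returns a list of findings; an empty list means no deviation was found.
    A fine-grained password policy (PSO) can override these values for
    specific groups, so check those separately.
    """
    findings = []
    if policy["MaxPasswordAge"] != timedelta(0):   # 0 means "never expires" in AD
        findings.append("MaxPasswordAge forces periodic rotation; 800-63B says change only on evidence of compromise")
    if policy["MinPasswordLength"] < MIN_LENGTH:
        findings.append(f"MinPasswordLength {policy['MinPasswordLength']} is below the 8-character minimum")
    if policy["ComplexityEnabled"]:
        findings.append("ComplexityEnabled imposes composition rules; 800-63B recommends a blocklist instead")
    if policy["LockoutThreshold"] == 0:
        findings.append("LockoutThreshold 0 means online guessing is not throttled")
    if policy["ReversibleEncryptionEnabled"]:
        findings.append("ReversibleEncryptionEnabled stores passwords recoverably")
    return findings


# Constructed policies: a typical legacy default and an 800-63B-aligned one.
LEGACY_POLICY = {
    "MaxPasswordAge": timedelta(days=42),
    "MinPasswordLength": 7,
    "ComplexityEnabled": True,
    "LockoutThreshold": 0,
    "ReversibleEncryptionEnabled": False,
}
ALIGNED_POLICY = {
    "MaxPasswordAge": timedelta(0),
    "MinPasswordLength": 12,
    "ComplexityEnabled": False,
    "LockoutThreshold": 10,
    "ReversibleEncryptionEnabled": False,
}

if __name__ == "__main__":
    for finding in evaluate_domain_policy(LEGACY_POLICY):
        print("finding:", finding)
    for pw in ["Password1", "cadre-rocks-2024", "abcd-zebra-moon", "correct horse battery staple"]:
        print(pw, "->", screen_password(pw, context_words=["Cadre"]))
```

One caveat for the "implement NIST" tip: the domain policy can switch rotation and complexity off, but Active Directory has no built-in breached-password screening, so the screen_password half of this example has to be supplied by a DC-side password filter such as Azure AD Password Protection for on-premises AD or a third-party equivalent; that is where the "use third party tools" tip applies.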
The future of Active Directory is uncertain. It has many misconfigurations and flaws out of the box, and its security weaknesses aren’t likely to improve.
But there is hope for companies that can’t simply replace this proprietary directory.
A trusted advisor can help guide you through the best way to protect yourself.
For questions, please contact Tim.firstname.lastname@example.org or 513-762-2026.