Your Active Directory is a 24/7 service. The Internet has erased the physical boundary that once existed between the office building and the outside world. IT systems that might once have only been accessible from an adjustable-height chair are now in hand anywhere, anytime. Every service depends on Active Directory, the gatekeeper through which all interactions between devices, systems and users must pass, so Active Directory must be running.
As with any other service, the key to maintaining your Active Directory lies in proper management with a continuous improvement lifecycle: design, transition, operate. In this blog post, I will discuss the service lifecycle as it applies to Active Directory, to help keep your environment running smoothly and to rapidly address service impacts.
Active Directory best practices have evolved since its introduction in 2000. Newer features and improvements mean that a simple single-forest, single-domain model is the right design for all but a few specific cases.
OU structure and object naming are the easy part; the challenge with Active Directory is security, and its continuous backwards compatibility is both a gift and a curse. Even in 2022, a default installation of Active Directory invites malicious actors to take your administrator access:
- Your passwords may be traversing the network in clear text through LDAP simple binds: an unsigned simple bind over port 389 sends the password as-is. See 2020 LDAP channel binding and LDAP signing requirements for Windows (microsoft.com). Before requiring signing, find out which clients would break: with the '16 LDAP Interface Events' diagnostic set to 2, each domain controller logs event 2889 in the Directory Service log for every unsigned or simple bind, including the client IP and account.
- Administrator accounts that can log on to any machine in the domain expose you to Pass-the-Hash attacks: an administrator's credential is cached on every workstation they log on to, and an attacker who owns one of those machines can reuse it against the domain. See Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, versions 1 and 2, from the Microsoft Download Center.
- The Print Spooler service running on domain controllers has historically been the source of many vulnerabilities that lead to privilege escalation. A domain controller has no reason to run it, and Microsoft recommends disabling the service on domain controllers.
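The three default-install weaknesses above can be checked from one place. The script below is an added example, not code from the original post or from Itergy; it assumes the ActiveDirectory RSAT module and PowerShell Remoting (WinRM) to every domain controller. The registry value names (LDAPServerIntegrity, LdapEnforceChannelBinding, '16 LDAP Interface Events') and event ID 2889 are Microsoft-documented; the reporting thresholds are mine. The Pass-the-Hash item is a Group Policy design question (where privileged accounts are allowed to log on) and is not covered by this check.

```powershell
# Added example (not from the original post). Audits every DC for:
#   - LDAP signing / channel binding enforcement
#   - whether insecure-bind logging (event 2889) is on, and how many were seen in 24h
#   - whether the Print Spooler service is running
# Assumes: ActiveDirectory module, WinRM access to each DC.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

    # LDAPServerIntegrity: 0 = unsigned and simple binds accepted (default), 2 = signing required
    $signing = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always (LDAPS channel binding tokens)
    $cbt = (Get-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
    # '16 LDAP Interface Events' = 2 makes the DC log event 2889 for each unsigned/simple bind
    $ldapDiag = (Get-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -ErrorAction SilentlyContinue).'16 LDAP Interface Events'

    # Event 2889 (Directory Service log) names the client IP and account for each insecure bind
    $insecureBinds = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue)

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC                   = $env:COMPUTERNAME
        LdapSigningRequired  = ($signing -eq 2)
        ChannelBindingAlways = ($cbt -eq 2)
        Ldap2889LoggingOn    = ($ldapDiag -ge 2)
        InsecureBinds24h     = $insecureBinds.Count
        SpoolerRunning       = ($spooler.Status -eq 'Running')
        SpoolerStartType     = $spooler.StartType
    }
}

$report | Sort-Object DC | Format-Table DC, LdapSigningRequired, ChannelBindingAlways,
    Ldap2889LoggingOn, InsecureBinds24h, SpoolerRunning, SpoolerStartType -AutoSize

# Findings go into a change ticket; nothing here is auto-remediated, because requiring
# LDAP signing with insecure binds still arriving will break those clients.
$report | Where-Object { -not $_.LdapSigningRequired -or -not $_.ChannelBindingAlways -or $_.SpoolerRunning } |
    ForEach-Object {
        Write-Warning ("{0}: LDAP signing required={1}, channel binding always={2}, spooler running={3}, insecure binds (24h)={4}" -f
            $_.DC, $_.LdapSigningRequired, $_.ChannelBindingAlways, $_.SpoolerRunning, $_.InsecureBinds24h)
    }
```

Run it from an administrative workstation with a domain administrator account. If InsecureBinds24h is non-zero while Ldap2889LoggingOn is false, the count is meaningless: turn the diagnostic on first and let it collect for a full business cycle before deciding to enforce signing.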
Once inside, malicious actors use Active Directory itself, typically Group Policy, to deliver ransomware and crypto-lockers to every domain-joined machine at once, bringing your company to a halt and extorting your profits.
Should the worst happen, you must have backups of Active Directory, understand your Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and design and test your Active Directory restore processes to ensure you can meet them. Verify that the backups actually exist and are recent: repadmin /showbackup reports the last backup date of each naming context, and a backup older than the tombstone lifetime (60 or 180 days, depending on the forest's age) cannot be restored at all. If you haven't tested your Active Directory disaster recovery plan, you don't have a plan.
Active Directory is a robust directory service that has redundancy and resiliency built in. In my experience, most outages arise from administrator error. While it is impossible to eliminate this variable when managing your Active Directory, having processes in place to mitigate the risks of human fallibility is critical to ensuring a highly available Active Directory environment.
Change management protocols must exist for all Active Directory infrastructure, with changes communicated to dependent services and all risks identified. For all but the most trivial changes, a tested and well-understood rollback plan should exist. Schema changes cannot be undone (attributes and classes can be deactivated but never deleted), so for Active Directory schema changes this means having a tested forest recovery process in place. Simply knowing what has changed in the past 24 hours affords huge advantages if you find yourself in the middle of a critical incident.
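The "what changed in the last 24 hours" question can be answered from the directory itself, without a third-party auditing product. The script below is an added example (not from the original post or from Itergy); it assumes the ActiveDirectory module and an account allowed to read the Deleted Objects container, which Domain Admins can by default. One caveat it handles: whenChanged is not a replicated attribute, so each domain controller stamps its own value when it applies a change, and the query is therefore pinned to a single DC.

```powershell
# Added example (not from the original post). Lists objects created, modified or
# deleted in the last 24 hours, then flags changes to the most sensitive groups.
# Assumes: ActiveDirectory module; rights to read deleted objects.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-24)

# whenChanged is stamped locally by each DC, so query one DC for a consistent view.
# Loop over Get-ADDomainController -Filter * instead if you need per-DC timelines.
$pdc = (Get-ADDomain).PDCEmulator

$changed = Get-ADObject -Server $pdc -IncludeDeletedObjects `
    -Filter { whenChanged -ge $since } `
    -Properties whenCreated, whenChanged, isDeleted, objectClass, lastKnownParent

$changed |
    Select-Object @{ n = 'Kind'; e = {
            if ($_.isDeleted)                  { 'Deleted' }
            elseif ($_.whenCreated -ge $since) { 'Created' }
            else                               { 'Modified' } } },
        objectClass, whenChanged, Name, DistinguishedName |
    Sort-Object whenChanged -Descending |
    Format-Table -AutoSize

# Membership changes to these groups belong on the first line of any incident timeline.
# Enterprise Admins and Schema Admins exist only in the forest root domain, hence the
# silent continue when running this in a child domain.
$sensitive = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
foreach ($g in $sensitive) {
    $grp = Get-ADGroup -Server $pdc -Identity $g -Properties whenChanged -ErrorAction SilentlyContinue
    if ($grp -and $grp.whenChanged -ge $since) {
        Write-Warning "$g was modified at $($grp.whenChanged) on $pdc; check Security events 4728/4732/4756 on that DC for who added whom."
    }
}
```

The group check tells you that something changed, not what: the Security log on the DC that processed the change (events 4728, 4732 and 4756 for global, domain-local and universal group additions) records the actor and the member, so forward those events to your SIEM rather than relying on whenChanged alone.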
Managing updates to Active Directory is straightforward. Active Directory patches are included with operating system patches; all recommended and critical patches should be applied as soon as possible. In addition, your patching process should allow for the deployment of security patches released outside the normal patch cycle, because a security compromise of Active Directory affects every dependent system.
Once patches are released, vulnerabilities rapidly give rise to attacks found in the wild. For example, the January 2022 patches included two elevation-of-privilege vulnerabilities, CVE-2022-21857 and CVE-2022-21920, that in certain circumstances let a normal domain user obtain Domain Admin privileges. Attackers use a domain controller's uptime as a cheap tell for whether it has been patched: domain controller updates require a restart, so a DC that has not rebooted since the patch release has almost certainly not installed it. If your domain controllers have uptimes over one month, you aren't patching often enough.
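Turning the uptime rule of thumb into a check is a few lines of PowerShell. This is an added example (not from the original post or from Itergy); it assumes the ActiveDirectory module and WinRM access to the domain controllers, and the 30-day threshold is the post's own figure. Uptime alone only proves a reboot, not a patch, so the script also reports the newest installed update on each DC.

```powershell
# Added example (not from the original post). Flags DCs whose uptime exceeds the patch
# cadence and shows the most recently installed update on each.
# Assumes: ActiveDirectory module; WinRM access to each DC.
Import-Module ActiveDirectory

$maxUptimeDays = 30   # the post's rule of thumb
$dcs = (Get-ADDomainController -Filter *).HostName

$status = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Win32_QuickFixEngineering lists servicing-stack (CBS) updates only; InstalledOn
    # is blank for some packages, so those are dropped before picking the newest.
    $latest = Get-CimInstance -ClassName Win32_QuickFixEngineering |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        DC           = $env:COMPUTERNAME
        OSVersion    = $os.Version
        LastBoot     = $os.LastBootUpTime
        UptimeDays   = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
        LatestHotfix = $latest.HotFixID
        HotfixDate   = $latest.InstalledOn
    }
}

$status | Sort-Object UptimeDays -Descending |
    Format-Table DC, OSVersion, LastBoot, UptimeDays, LatestHotfix, HotfixDate -AutoSize

$status | Where-Object UptimeDays -gt $maxUptimeDays | ForEach-Object {
    Write-Warning "$($_.DC) has been up $($_.UptimeDays) days (newest update $($_.LatestHotfix), installed $($_.HotfixDate)); schedule a patch and restart."
}
```

Compare HotfixDate against the current month's release date rather than trusting a low uptime: a DC that rebooted for an unrelated reason still shows fresh uptime while running last quarter's code.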
Finally, the day-to-day management of the Active Directory program itself is critically important to maintaining an available service, particularly as targeted ransomware attacks against Active Directory continue to increase.
Establish a single team that is accountable for the operation of your Active Directory, and only people on that team should be domain administrators, using dedicated administrative accounts that are separate from their daily-use accounts. What's more, these Active Directory experts must have a clear understanding and acceptance of the processes they need to follow for any nontrivial change.
Ensure any problems and major incidents are reviewed for lessons learned. These exercises will often lead to suggestions for improvements to your monitoring systems, which should be followed up on.
In a dynamic security landscape, continuously assessing security and having a strong AD disaster recovery plan in place is a must. At a minimum, regularly review the Microsoft security baselines (Security baselines guide – Windows security | Microsoft Docs), design to make patching easy, and subscribe to notifications from the Microsoft Security Update Guide, which replaced the Microsoft Security Bulletins in 2017.
Maintaining Active Directory security in a healthy state requires a range of activities working together. Although it is easily overlooked while it is working, Active Directory can fail catastrophically if it is not properly maintained. Since all your services depend on its reliability, follow standard service management practices and have an Active Directory backup solution in place, so that problems are caught before they become significant.
Itergy has been monitoring and managing Active Directory in 65 countries, 24/7 on behalf of its customers for over 20 years. Some of our Active Directory services and AD managed services include health checks, strategic consulting, migrations, consolidations, M&A and divestitures, and Active Directory disaster recovery (AD backup and AD recovery).
We make Active Directory the agile, secure, mature business application it was intended to be—the one your enterprise needs to succeed throughout all your business