Ensuring Active Directory Security in Hybrid Environments

Cloud services become more popular each day. As a result, many businesses need both on-premises and cloud solutions to function properly. To manage identities properly in both environments, Hybrid Active Directory (AD) needs to be implemented.

Deploying Hybrid Active Directory (AD) involves integrating your on-premises AD environment with Microsoft Entra ID, Microsoft’s cloud-based identity and access management service. This integration offers numerous benefits but also introduces additional security considerations. It expands the potential attack surface – attackers may target the on-premises AD to gain access to cloud resources, or vice versa.

Managing security across a hybrid environment is more complex than in a single domain. You need to ensure consistent security policies and practices across both environments. Discrepancies in configurations or policies create vulnerabilities, and it is important to understand that failure to secure one of the environments compromises both of them.

If your company is subject to compliance and regulatory requirements, ensuring that both on-premises and cloud components comply with them can be challenging. To address these concerns, organizations deploying Hybrid AD should implement a solid security strategy that covers all aspects of the integration.

Infrastructure Preparation

Firstly, deploy the Microsoft Entra Connect software, which is responsible for synchronizing identities from on-premises to the cloud. Because Microsoft Entra Connect processes identities, it should be considered part of the control plane in the Enterprise access model, and servers running Connect must be treated accordingly.

Account Security

Start with account security planning:

  • Separate privileged accounts must be used to access the Microsoft Entra Connect servers. Restrict these accounts to privileged access to infrastructure servers; no other activities (such as internet browsing) are allowed, to minimize the possibility of compromise. Increased security measures must be applied, such as multi-factor authentication and more frequent password changes. For more details, refer to the article Privileged access: Strategy.
  • Remote connections must be allowed only from secured workstations. To deploy such machines, use the recommendations described in Implementing Secure Administrative Hosts as a baseline.
  • The principle of least privilege (PoLP) and just-in-time (JIT) access must be applied to reduce the risk of account compromise:
    • Deployment of Microsoft Entra Connect requires an account that is used to retrieve information from Active Directory (and to write it, if writeback functionality is enabled). To follow the PoLP, pre-create an AD account that has only the required permissions, without any extra privileges. The list is here: Microsoft Entra Connect: Configure AD DS Connector Account Permissions.
    • Installation of Connect requires local administrator permissions on the server. To ensure JIT access, temporarily grant the account the access it needs to perform the installation, then revoke the permissions after completion.

Attack Surface Reduction

  • Entra Connect servers must not contain any other software. Each additional component increases the opportunities for potential attackers, so a single-purpose server is required. No unnecessary roles or third-party applications may be installed.
  • No extra ports may be opened in the firewall. Servers must be able to contact both Active Directory Domain Controllers and Microsoft Entra ID; no other traffic is allowed. For more details about the recommended firewall configuration, see Hybrid Identity Required Ports and Protocols.

Server Security

Perform some server security enhancements:

  • Configure servers to allow only secure authentication protocols. Restrict legacy authentication protocols using GPO. Detailed instructions are in Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.
  • Each member server of the domain can be administered not only with a domain admin account, but also with the local administrator account. Ensure every machine that runs Entra ID Connect has a unique local admin password that is changed regularly. Automate this using Windows Local Administrator Password Solution. Additionally, the local administrator account must be renamed (either manually or using automation tools, such as GPO, Intune or System Center Configuration Manager).
  • Configure proper monitoring. In addition to standard security monitoring, after the deployment of an Active Directory hybrid environment, changes to the federation configuration in Microsoft Entra ID must be watched. When you configure the synchronization of AD to the cloud, a trust relationship between the on-premises and cloud identity infrastructure is established. This relationship can be exploited by malicious actors and therefore must be carefully monitored. One possible approach is to use Azure Monitor for this purpose. It uses audit logs to track the changes and notifies the administrator when an alert is triggered. Instructions are here: Monitor changes to federation configuration in your Microsoft Entra ID.
  • Operating system patches must be deployed regularly to mitigate newly identified vulnerabilities.
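
The federation monitoring described in the list above can be prototyped before an alert rule is built. The following is an added example, not code from the original article: Find-FederationChange is a hypothetical helper, the audit records are constructed, and the two activity names are assumed from Entra audit log naming and should be confirmed in your tenant.

```powershell
# Added example: pick federation-related changes out of Entra audit records.
# Find-FederationChange is a hypothetical helper; the records below are constructed
# and only mimic the shape returned by Get-MgAuditLogDirectoryAudit.
function Find-FederationChange {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecord,
        [string[]] $ApprovedInitiator = @()   # accounts expected to make such changes (assumption)
    )
    # Activity names assumed from Entra audit log naming; confirm them in your tenant.
    $watched = 'Set federation settings on domain', 'Set domain authentication'

    foreach ($r in $AuditRecord) {
        if ($r.ActivityDisplayName -notin $watched) { continue }
        # Users and applications are recorded under different sub-properties.
        $who = $r.InitiatedBy.User.UserPrincipalName
        if (-not $who) { $who = $r.InitiatedBy.App.DisplayName }
        [pscustomobject]@{
            Time       = $r.ActivityDateTime
            Activity   = $r.ActivityDisplayName
            Target     = $r.TargetResources[0].DisplayName
            Initiator  = $who
            Result     = $r.Result
            Unexpected = ($who -notin $ApprovedInitiator)
        }
    }
}

# Constructed sample records (example domains and accounts).
$records = @(
    [pscustomobject]@{ ActivityDateTime = '2024-05-02T09:14:00Z'; ActivityDisplayName = 'Update user'
        Result = 'success'; InitiatedBy = @{ User = @{ UserPrincipalName = 'helpdesk@contoso.example' } }
        TargetResources = @(@{ DisplayName = 'j.doe@contoso.example' }) }
    [pscustomobject]@{ ActivityDateTime = '2024-05-02T10:02:00Z'; ActivityDisplayName = 'Set federation settings on domain'
        Result = 'success'; InitiatedBy = @{ User = @{ UserPrincipalName = 'idadmin@contoso.example' } }
        TargetResources = @(@{ DisplayName = 'contoso.example' }) }
    [pscustomobject]@{ ActivityDateTime = '2024-05-03T02:41:00Z'; ActivityDisplayName = 'Set domain authentication'
        Result = 'success'; InitiatedBy = @{ User = @{ UserPrincipalName = 'svc-backup@contoso.example' } }
        TargetResources = @(@{ DisplayName = 'contoso.example' }) }
)

# Report every federation change and mark the ones made by unapproved accounts.
$hits = Find-FederationChange -AuditRecord $records -ApprovedInitiator 'idadmin@contoso.example'
$hits | Format-Table -AutoSize

# Against a live tenant (Microsoft.Graph module, AuditLog.Read.All scope):
# Find-FederationChange -AuditRecord (Get-MgAuditLogDirectoryAudit -All)
```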

Microsoft Entra Connect Deployment

During the deployment of Microsoft Entra Connect, also consider cybersecurity protection measures. On the User sign-in page of the installation wizard, you select the authentication method. The selection depends on your organization’s needs – it can be password hash synchronization or pass-through authentication, if you want the authentication process to be performed in the cloud, or federated authentication, if you want it to be processed on-premises.

If you selected pass-through authentication or federated authentication, remember to enable password hash synchronization on the Optional Features page.

This step is very important and is even mentioned as a separate control in the Center for Internet Security benchmark. Password hash synchronization plays a critical role in detecting compromised credentials. When credentials are stolen and appear on the internet or dark web, Microsoft’s leaked credentials service spots them and alerts you. In Active Directory Domain Services, user passwords are stored as password hashes, which are generated by a one-way mathematical function. This method is secure because it’s not feasible to convert the hash back into the original password text. When password hash synchronization is activated in Microsoft Entra Connect Sync, it retrieves these password hashes from the on-premises Active Directory and transfers them to the cloud, enhancing security by monitoring for potential credential leaks.

By default, Microsoft Entra ID and Active Directory use the ms-DS-ConsistencyGuid attribute of the user account to match on-premises and cloud accounts. This approach is secure and is called hard match (more details are here). When you configure an Active Directory hybrid environment with a cloud tenant that already has cloud-only accounts, you have the option to use the user principal name to match cloud and on-premises accounts. The feature is useful but potentially insecure, and should only be used for initial mapping and disabled afterwards.

An additional security risk is related to the hard match takeover capability. It allows Microsoft Entra data to be overwritten under certain conditions; for example, it can be used to alter the password hash. To mitigate both of these vulnerabilities, use the Update-MgDirectoryOnPremiseSynchronization PowerShell command:

				
# Requires the Microsoft Graph PowerShell SDK; sign in with write access to the sync settings
Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All"
$DirectorySync = Get-MgDirectoryOnPremiseSynchronization
# Block soft matching and hard match takeover of cloud objects
$SecurityImprove = @{ BlockSoftMatchEnabled = $true; BlockCloudObjectTakeoverThroughHardMatchEnabled = $true }
Update-MgDirectoryOnPremiseSynchronization -Features $SecurityImprove -OnPremisesDirectorySynchronizationId $DirectorySync.Id
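
To confirm that these settings and password hash synchronization are actually in effect, the feature flags can be read back and compared with the recommendations in this section. The following is an added example, not code from the original article: Test-SyncFeatureBaseline is a hypothetical helper and the sample object is constructed.

```powershell
# Added example: compare sync feature flags with the settings recommended above.
# Test-SyncFeatureBaseline is a hypothetical helper name, not a Microsoft cmdlet.
function Test-SyncFeatureBaseline {
    param(
        [Parameter(Mandatory)] $Features   # object exposing the feature flags as properties
    )

    # Flag name -> value this article recommends
    $baseline = [ordered]@{
        PasswordSyncEnabled                             = $true  # hash sync on, even with PTA or federation
        BlockSoftMatchEnabled                           = $true  # no UPN soft matching after initial mapping
        BlockCloudObjectTakeoverThroughHardMatchEnabled = $true  # no hard match takeover of cloud objects
    }

    foreach ($name in $baseline.Keys) {
        $actual = $Features.$name
        [pscustomobject]@{
            Feature   = $name
            Expected  = $baseline[$name]
            Actual    = $actual
            # A flag that was never set comes back as $null and counts as non-compliant.
            Compliant = ($actual -eq $baseline[$name])
        }
    }
}

# Constructed sample mimicking a tenant where only hash sync has been configured.
$sample = [pscustomobject]@{
    PasswordSyncEnabled                             = $true
    BlockSoftMatchEnabled                           = $false
    BlockCloudObjectTakeoverThroughHardMatchEnabled = $null
}

$report = Test-SyncFeatureBaseline -Features $sample
$report | Format-Table -AutoSize

# Names of the flags that still need attention; no output means the baseline is met.
$report | Where-Object { -not $_.Compliant } | Select-Object -ExpandProperty Feature

# Against a live tenant (Microsoft.Graph module and a read-only scope):
# Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.Read.All'
# Test-SyncFeatureBaseline -Features (Get-MgDirectoryOnPremiseSynchronization).Features
```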
				
			

Additional Considerations

Consider:

  • Synchronization database. When you install Connect, you need to select the database – either SQL Server Express or Microsoft SQL Server. Using Microsoft SQL Server requires a significant number of additional steps to ensure its security (there is a whole set of articles dedicated to this topic). Therefore, SQL Server Express should be considered the preferred option, unless its restrictions make Microsoft SQL Server the only applicable choice.
  • Active Directory Federation Services. AD FS is one of the most commonly used authentication tools in hybrid Active Directory deployments. It provides more customization capabilities than password hash synchronization or pass-through authentication; for example, it can be integrated with third-party MFA services. However, as per the Microsoft roadmap, the service will be deprecated soon (it hasn’t received any feature update since 2016), and it is recommended to avoid using it – each article related to AD FS in the Microsoft documentation portal contains a recommendation to stop using this product.

Additionally, maintaining an AD FS server farm requires significant administrative effort and brings extra cybersecurity risks, which can be avoided by deploying other authentication mechanisms. If you have AD FS in your hybrid Active Directory deployment, you have 2 options – use another authentication method or use a third-party federation tool.

  • Active Directory Domain Services managed service. If you have virtual machines or other services deployed in Azure that depend on Active Directory, consider deploying Microsoft Entra Domain Services, Microsoft’s managed service. It reduces the administrative effort of expanding AD DS to the cloud and is considered a more secure approach than deploying a Domain Controller on a cloud VM.

Ensuring Active Directory Security in Hybrid Environments Conclusion

In conclusion, ensuring Active Directory security in hybrid environments is a multifaceted challenge requiring careful planning and execution. Aspects of security strategy include stringent access control using principles like least privilege and just-in-time access, strict server security measures, and consistent security policy enforcement across both on-premises and cloud components. Organizations must also be mindful of regulatory compliance and the unique security challenges posed by syncing identity information between on-premises AD and Azure AD.

The role of Microsoft Entra Connect in this architecture is pivotal. Though it is designed to be secure, some additional configuration and enhancement may be required. Furthermore, considerations like the choice of database for Connect, the impending obsolescence of AD FS, and the potential benefits of Microsoft Entra Domain Services illustrate the depth and breadth of factors influencing secure cloud integration in hybrid environments.

While the integration of AD in the cloud presents new challenges, with careful planning, informed decision-making, and adherence to best practices, organizations can successfully secure their hybrid environments. This ensures the protection of identities, which in turn allows protection of their overall IT infrastructure.

Marat M

System administrator with 14 years of practical experience. Specializes in Microsoft products such as Exchange Server, Active Directory, Microsoft 365 and Azure.
