About the Author
By Tom Bridge | 5th September 2024
Director of product management, devices at JumpCloud
High-profile, wide-ranging cybersecurity breaches—the SolarWinds supply chain attack, the Colonial Pipeline ransomware incident, Russian hacking of Microsoft—have brutally exposed the consequences of having inadequate identity security controls. Stolen or mishandled credentials, lateral movement by attackers looking for sensitive data across a compromised network, and privilege escalation (in which an attacker turns limited, unauthorised access into higher-level access) remain the go-to tactics for today’s cybercriminals. Despite massive investments to combat these threats with new security tools and technologies, a fundamental weakness in identity and access management (IAM) continues to vex enterprises of all sizes.
Though IAM ostensibly ensures that access to networks and apps is limited to authorised users, the reality is that weak IAM approaches mean organisations are breached far too easily and often. A weak IAM approach can include:
- A lack of multi-factor authentication (MFA), which makes phishing or brute-force attacks more likely to succeed,
- Granting excessive access privileges around sensitive company data,
- Ignoring poor password management by employees and risking credential theft,
- A failure to fully monitor access activities or having inadequate controls around access,
- Security gaps created by cobbling together point solutions, and
- Making it easier for compromised accounts to move laterally within a system.
As the threat landscape intensifies, businesses can no longer afford to treat identity management as an afterthought. Across industries, security and IT leaders are grappling with the harsh reality that their organisation’s Achilles’ heel—the weakness that threatens organisational failure—may lie in the very systems they rely on to authenticate and authorise access: Microsoft Active Directory (AD).
The history of AD
If you’re an IT admin, you’ve run into Active Directory at some point. AD has been the backbone of identity management for over two decades, for good or for ill. Developed by Microsoft for Microsoft-dominated IT infrastructures, AD has become the de facto standard for authentication and access control for many organisations. Its widespread adoption is due to the deep integration of AD with the Windows operating system and the robust set of management tools and features it provides.
Despite its prevalence, keeping AD secure is no easy feat. As security requirements become more stringent, cloud computing accelerates, and organisations adopt more heterogeneous device environments (i.e. a mix of managed and BYOD devices running on macOS, Windows, Linux, Android, etc.), the AD approach to IAM carries too many risks. Because it’s designed for on-premise use, AD has no native method for connecting agents to the cloud. This makes it incredibly difficult to secure access for remote workers and cloud resources, not to mention those outside of the Windows environment.
Because AD only supports on-premise environments, many users hoped that Microsoft’s Entra ID (formerly Azure AD) would be a cloud-based alternative with the same functionality. But Entra ID isn’t a lift-and-shift replacement for Microsoft AD; it’s a separate platform that locks customers into a new Microsoft ecosystem. It doesn’t manage on-premise systems or non-Windows endpoints and requires integrations with domain controllers or add-on services to access network resources. Older, locally-operated and -managed applications can’t support the multi-factor authentication methods Entra ID requires to confirm identity, namely FIDO2 security keys, OAuth tokens, or the Microsoft Authenticator app. Entra ID may be a cloud directory, but you can’t replace Microsoft AD—or rid yourself of its associated challenges—just by adopting it.
The problems with securing Microsoft AD
Despite its widespread use, AD presents several significant security challenges:
- Outdated and vulnerable service accounts: Many organisations have legacy service accounts with excessive privileges and lax security policies, leaving them vulnerable to potential compromise. As AD environments grow over time, legacy service accounts accumulate and can remain enabled with excessive permissions, even if no longer actively used.
- Lack of consistent security policy enforcement: AD implementations are often left to follow a “live and let live” approach to enforcing security policies. Without enforcement, this can lead to weak password requirements, lack of password expiration, and insufficient auditing of service account activities within AD.
- Complexity and cost: AD deployments frequently require multiple, complex forest configurations to establish logical separation of administrators, which can be daunting for organisations to manage and secure effectively. When you add budget for licensing, hardware, implementation and migration, training and staffing, and infrastructure and operational needs, many organisations using AD find themselves tethered to an ageing legacy system that lacks the flexibility, scalability, and cost-savings potential of more modern solutions.
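The first two problems above are auditable. The following PowerShell is an added example, not code from the article or from JumpCloud: one function flags enabled service accounts that combine the risk factors named above (privileged group membership, a password that never expires, and no recent logon), and a second compares the domain's default password policy against a baseline. The input objects are constructed to match the shape of `Get-ADUser` and `Get-ADDefaultDomainPasswordPolicy` output so the script runs offline; the group list, the 90-day staleness window and the 14-character minimum are assumptions you should replace with your own standard.

```powershell
# Added example (not from the article). In a real domain, feed the function with:
#   Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
#       -Properties ServicePrincipalName,PasswordNeverExpires,LastLogonDate,MemberOf,Enabled
function Find-RiskyServiceAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [int] $StaleAfterDays = 90,                       # assumption: 90 days without logon is "unused"
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'),
        [datetime] $Now = (Get-Date)
    )
    foreach ($acct in $Accounts) {
        if (-not $acct.Enabled) { continue }              # disabled accounts are not an active exposure
        $reasons = @()
        # memberOf holds distinguished names such as "CN=Domain Admins,CN=Users,DC=corp,DC=example";
        # keep only the CN so it can be compared with the privileged-group list.
        $groups   = @($acct.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
        $privHits = @($groups | Where-Object { $PrivilegedGroups -contains $_ })
        if ($privHits.Count -gt 0)      { $reasons += "member of privileged group(s): $($privHits -join ', ')" }
        if ($acct.PasswordNeverExpires) { $reasons += 'password never expires' }
        if ($null -eq $acct.LastLogonDate) {
            $reasons += 'never logged on'
        } elseif (($Now - $acct.LastLogonDate).TotalDays -gt $StaleAfterDays) {
            $reasons += "no logon in more than $StaleAfterDays days"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $acct.SamAccountName
                HasSpn         = (@($acct.ServicePrincipalName).Count -gt 0)
                Reasons        = ($reasons -join '; ')
            }
        }
    }
}

# Compares the domain default policy (shape of Get-ADDefaultDomainPasswordPolicy) against
# a baseline. The thresholds are assumptions, not values from the article.
function Test-DomainPasswordPolicy {
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if ($Policy.MinPasswordLength -lt 14)              { $findings += "MinPasswordLength $($Policy.MinPasswordLength) is below 14" }
    if (-not $Policy.ComplexityEnabled)                { $findings += 'complexity requirement is off' }
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero)   { $findings += 'MaxPasswordAge is 0: passwords never expire' }
    if ($Policy.LockoutThreshold -eq 0)                { $findings += 'LockoutThreshold is 0: no account lockout' }
    return $findings
}

# Constructed sample data (not real accounts or a real domain policy).
$now = Get-Date '2024-09-05'
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'svc_backup'; Enabled = $true;  PasswordNeverExpires = $true
                       LastLogonDate = $now.AddDays(-400); ServicePrincipalName = @('HOST/backup01')
                       MemberOf = @('CN=Domain Admins,CN=Users,DC=corp,DC=example') }
    [pscustomobject]@{ SamAccountName = 'svc_sql';    Enabled = $true;  PasswordNeverExpires = $false
                       LastLogonDate = $now.AddDays(-2);   ServicePrincipalName = @('MSSQLSvc/sql01:1433')
                       MemberOf = @() }
    [pscustomobject]@{ SamAccountName = 'svc_old';    Enabled = $false; PasswordNeverExpires = $true
                       LastLogonDate = $null;              ServicePrincipalName = @()
                       MemberOf = @() }
)
$samplePolicy = [pscustomobject]@{ MinPasswordLength = 8; ComplexityEnabled = $true
                                   MaxPasswordAge = [TimeSpan]::Zero; LockoutThreshold = 0 }

Find-RiskyServiceAccount -Accounts $sampleAccounts -Now $now | Format-Table -AutoSize
# Expected: only svc_backup is listed (privileged group, password never expires, stale);
# svc_sql has no findings and svc_old is skipped because it is disabled.
Test-DomainPasswordPolicy -Policy $samplePolicy
# Expected: three findings (length below 14, no expiry, no lockout).
```

The output is a starting list for remediation, not a verdict: an account flagged for staleness may still be referenced by a scheduled task or a service on a rarely rebooted host, so confirm with the owning team before disabling it, and treat any account with both a privileged group membership and a non-expiring password as the first candidate for review.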
Modernising AD
Despite these issues, many organisations will continue to use AD. When we polled admins during a recent webinar, while 50% of IT teams said they plan to migrate away from AD completely, 34% said they’ll simply be minimising their AD footprint and maintaining it for critical applications. 16% said they’ll keep AD as-is and extend it to the cloud. Some business-critical or legacy applications only work with AD as the backend, and some teams may not be in a position to eliminate resources like Windows file servers or print servers, which are built around AD. Others may work in a highly regulated environment that requires authentication stores to remain on-premises, or may be in an in-between state as they transition to the cloud. For the many organisations who want to keep some part of AD’s functionality without introducing security vulnerabilities, modernising AD is critical.
Here are a few tips to get started, no matter where you are on your AD modernisation journey.
Extend AD to the cloud:
- Integrate AD with a cloud-based identity and access management (IAM) solution to extend user access to cloud resources, such as SaaS applications, VPNs, Wi-Fi, and non-Windows devices.
- Synchronise AD users, groups, and credentials to the cloud IAM solution, enabling centralised management and authentication.
Minimise the AD footprint:
- Maintain AD only for mission-critical Windows servers or applications that cannot be migrated or decommissioned.
- Reduce the number of domain controllers and their locations, as fewer users and devices rely on AD authentication.
- Migrate end-user Windows computers from AD to the cloud IAM solution, eliminating the need for direct AD connectivity for these devices.
Manage AD from the cloud:
- Utilise the cloud IAM solution to create, suspend, and manage user accounts and security group memberships, with changes propagated to AD in real-time.
- Minimise the need to directly log into AD servers for user and group management.
Migrate away from AD:
- Provision access to cloud resources (SaaS apps, LDAP, RADIUS) for users managed in the cloud IAM solution and migrate Windows devices.
- Replace Windows file servers with cloud storage solutions or network-attached storage (NAS) systems that support LDAP authentication.
- Migrate legacy applications to cloud-based alternatives or solutions that support modern authentication protocols.
- Migrate networking hardware and services to support LDAP and RADIUS authentication from the cloud IAM solution.
- Decommission and retire the remaining AD infrastructure once all dependencies have been migrated or replaced.
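Minimising the footprint and, eventually, decommissioning AD both start with an inventory of what still depends on it. The PowerShell below is an added example, not code from the article or from JumpCloud: it sorts computer objects into the three buckets the steps above imply (stale objects to retire, servers to keep until their workload moves, workstations to migrate to the cloud IAM solution) and summarises the counts. The input is constructed to match the shape of `Get-ADComputer` output so it runs offline; the 90-day staleness window and the use of the OperatingSystem string to tell servers from workstations are assumptions.

```powershell
# Added example (not from the article). In a real domain, feed the function with:
#   Get-ADComputer -Filter * -Properties OperatingSystem,LastLogonDate,Enabled
function Get-AdFootprintPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Computers,
        [int] $StaleAfterDays = 90,            # assumption: no logon in 90 days means the object is unused
        [datetime] $Now = (Get-Date)
    )
    foreach ($c in $Computers) {
        $stale = ($null -eq $c.LastLogonDate) -or (($Now - $c.LastLogonDate).TotalDays -gt $StaleAfterDays)
        if (-not $c.Enabled) {
            $action = 'already disabled: remove the object'
        } elseif ($stale) {
            $action = 'stale: disable, wait for complaints, then remove'
        } elseif ($c.OperatingSystem -like '*Server*') {
            $action = 'server: keep on AD until its workload is migrated or replaced'
        } else {
            $action = 'workstation: migrate to the cloud IAM solution'
        }
        [pscustomobject]@{ Name = $c.Name; OperatingSystem = $c.OperatingSystem; Action = $action }
    }
}

# Constructed sample data (not real hosts).
$now = Get-Date '2024-09-05'
$sampleComputers = @(
    [pscustomobject]@{ Name = 'FS01';     OperatingSystem = 'Windows Server 2019';  Enabled = $true;  LastLogonDate = $now.AddDays(-1)   }
    [pscustomobject]@{ Name = 'PRINT01';  OperatingSystem = 'Windows Server 2016';  Enabled = $true;  LastLogonDate = $now.AddDays(-3)   }
    [pscustomobject]@{ Name = 'LT-0042';  OperatingSystem = 'Windows 11 Enterprise'; Enabled = $true; LastLogonDate = $now.AddDays(-2)   }
    [pscustomobject]@{ Name = 'LT-0007';  OperatingSystem = 'Windows 10 Pro';        Enabled = $true; LastLogonDate = $now.AddDays(-200) }
    [pscustomobject]@{ Name = 'OLDWS';    OperatingSystem = 'Windows 7 Professional'; Enabled = $false; LastLogonDate = $null            }
)

$plan = Get-AdFootprintPlan -Computers $sampleComputers -Now $now
$plan | Format-Table -AutoSize
# Expected: FS01 and PRINT01 -> server; LT-0042 -> workstation; LT-0007 -> stale; OLDWS -> already disabled.
$plan | Group-Object Action | Select-Object Count, Name | Format-Table -AutoSize
```

Re-running the summary after each migration wave shows whether the "keep on AD" bucket is actually shrinking; when it holds only the servers you have deliberately decided to retain, the remaining domain controllers can be consolidated, and when it is empty the last step above can begin.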
Modernise, don’t make do
Whether you’re looking to leave AD behind entirely or find a way to co-exist, simply keeping antiquated AD implementations as-is creates an unacceptable risk posture in today’s hostile cybersecurity landscape. Organisations that choose to keep AD, even temporarily, must prioritise securing and modernising their AD environments through robust access controls, consistent security policy enforcement, and integration with cloud IAM solutions. AD modernisation is an essential bridge to a more secure future, reducing risk while positioning the business for an eventual full transition to modern, cloud-native identity management.
Robust identity management has never been more critical. The delta between the flexibility and agility of a cloud-forward approach and the complicated, expensive, and antiquated on-premises approach is only growing. Embracing an AD modernisation strategy developed around evolving identity needs enables organisations of all sizes to protect identities, safeguard critical assets, and strengthen points of organisational weakness.