As former Microsoft Program Manager for Active Directory Security, I cannot over-emphasize the need for adequately protecting your organization's foundational Active Directory deployment.
This is a vital IT security issue, and we ordinarily do not shed light on it in the public domain, but rather to choose inform our global customer base privately. However, if the U.S. government is willing to shed light on it in the public domain (which I don't think it should), I suppose it would be okay if I too shared a thought.
The Inspector General of Homeland Security recently published the findings of a security audit that covered the implementation of Active Directory at the U.S. Department of Homeland Security, and I highly recommend reading it.
Here's a snippet from the Executive Summary -
- The Department of Homeland Security uses Microsoft Windows Active Directory services to manage users, groups of users, computer systems, and services on its headquarters network. We reviewed the security of the Active Directory collection of resources and services used by components across the department through trusted connections. These resources and services provide department-wide access to data that supports department missions but require measures to ensure their confidentiality, integrity, and availability. The servers that host these resources must maintain the level of security mandated by department policy. Systems within the headquarters’ enterprise Active Directory domain are not fully compliant with the department’s security guidelines, and no mechanism is in place to ensure their level of security. These systems were added to the headquarters domain, from trusted components, before their security configurations were validated. Allowing systems with existing security vulnerabilities into the headquarters domain puts department data at risk of unauthorized access, removal, or destruction.
The fact of the matter is that virtually the entire U.S. government actually runs on Active Directory, and I would not be surprised if the foundational Active Directory deployments of other departments in the U.S government may also be inadequately protected (; though I seriously hope that is not the case.)
Comprehensive protection of an organization's foundational Active Directory deployment requires a first-hand understanding of the attack surface, of the various components involved, and the of the risks associated with each of these components, and the knowledge to know which risks to mitigate, and which ones to manage, and how so.
It does NOT involve the mere deployment of fancy security applications, but in fact requires the deployment of a well thought out and well integrated set of security controls involving security policies, practices and tools/applications, which together provide trustworthy protection.
Formally speaking, it requires that an organization first perform a formal risk assessment of its Active Directory and then based on its findings, assess and deploy an adequate set of risk mitigation measures.
While at Microsoft, I had the privilege of having performed an Active Directory Security Risk Assessment of Microsoft global Active Directory infrastructure, so this is second nature to some of what we do now at Paramount Defenses Inc. (While I will not divulge any details, suffice it to say that it took a 90 page report to document cursory findings, which was delivered to the highest offices at Microsoft.)
If your organization is running on Active Directory, I encourage you to please take a serious look at its security, and if needed, please enact appropriate risk mitigation measures to ensure its adequate protection.
As I sign off, I'll leave with you a simple mantra - Your Microsoft Windows Server based IT infrastructure is only as secure as is its foundational Active Directory. (Please) Protect it.
PS: Link to the official report - Stronger Controls Needed on Active Directory Systems.