Should you use Active Directory Domain Controllers? The answer is simple.
It depends.
Wait, the answer isn’t simple, at all!
As a result of the Crowdstrike/Microsoft outage, we’ve been doing some rethinking of domain controllers. Domain controllers provide a hugely important IT function (access control) and are extremely vulnerable to incidents from accidental misconfigurations to purposeful compromise.
Domain controllers require a great deal of care to maintain and operate effectively and securely. They are very widely deployed, since they used to be all but required for on-premises Microsoft Windows environments (i.e. nearly every company with in-house IT that has been running since the 1990s).
However, the advent of the cloud has created some useful alternatives that your organization should consider, if you are unable or unwilling to maintain your own domain controllers.
But first, what is a MS Windows Domain Controller?
A domain controller (DC) is a server responsible for granting and controlling access and authorization to resources within a Windows domain. It handles authentication and enforces security policies to ensure only authorized users and endpoints are permitted to access the proper content and services or functions.
Domain controllers are commonly associated with Windows environments. Active Directory is the Microsoft service that provides DC functionality, though there are Linux- and macOS-based domain controllers too. Domain controllers are run on server hardware that (should be) exclusively dedicated to the task.
If you aren’t an Active Directory professional, here’s another way to look at it: many recently-started businesses operate entirely within Google Workspace. Google Workspace provides user authentication and access control functions. Domain controllers are how on-premises/mixed Microsoft environments handle access control functionality.
An Active Directory server is a lynchpin in user access control efficiency. You can quickly provision a user, add or remove access, and all other functions necessary to manage an IT infrastructure. Without it, you’d have to touch each and every IT component and configure them individually.
Because a domain controller centralizes access control and user administration, it is a critical component of a network environment. It can also be a frightening single point of failure if its unique risks are not properly managed.
Domain Controllers are Mission Critical
If you were thinking “hey, access control functionality is pretty important,” you’re right! Domain Controllers handle access to email (whether managed on-premises or Microsoft 365), shared storage and files (SharePoint), and really any computing/IT functionality that an organization may use.
Most healthcare companies store patient records in servers managed by Active Directory. Many financial institutions authenticate transactions on servers managed by Active Directory. Many governments’ internal networks are managed by Active Directory.
You get the idea – Active Directory controls a lot of important data and functionality! So what happens when it goes down?
Everything stops.
Entire organizations can be locked out of accessing their email, remote files, and any other important IT functionality. Automated systems and processes that are authenticated via domain controllers can also be stopped!
Domain controller outages are a high-risk item that must be managed with special care, especially because of how easy it is to mess them up.
Domain Controllers are Easy to Mess Up
Active Directory and other domain controllers have extensive, extremely complex setup options. The management of these servers and their settings is a challenging task usually entrusted to senior sysadmins – for good reason. Even experienced folks can mess something up, because domain controllers are often old, very fragile systems. Improper configuration can prevent users from accessing important systems and files, expose those important systems and files to the Internet, impair the ability of systems to automatically back themselves up, slow down logins, and create all other types of trouble!
If something does get messed up, it can create a five-alarm IT emergency as your entire company grinds to a halt.
A great example of Active Directory’s impact and fragility was shared on Reddit: one sysadmin shared that his company’s Active Directory server was broken for a day, locking users out, because they applied a patch to upgrade their encryption capabilities to AES128/AES256 for CIS compliance. He found that an old, very important administrative account did not support or recognize the modern encryption capabilities.
The user stated it took a team of over half a dozen people and an entire day to identify the issue and apply a fix.
While we don’t know all the particulars of this person’s company, we can make some assumptions to quantitatively assess how much damage could be done in the event of an Active Directory mess up like this.
Labor costs to remediate this would run to single-digit thousands of dollars, not to mention the lost productivity from the rest of the company!
Domain Controllers are Vulnerable to Compromise
Microsoft provides its own incident response services, literally called “Microsoft Incident Response.” I don’t doubt their capabilities when it comes to resolving serious incidents in complex Microsoft environments.
Per Microsoft’s own team, Active Directory is frequently the target of serious cyber attacks: “When Microsoft Incident Response (formerly DART/CRSP) is engaged during an incident, almost all environments include an on-premises Active Directory component. In most of these engagements, threat actors have taken full control of Active Directory – i.e., total domain compromise.”
An attacker having complete control over your domain controller is a nightmare-level cyber attack! The importance of protecting Active Directory servers cannot be overstated.
Microsoft’s article that we pulled the above quote from has some excellent recommendations to start:
Use strong passwords
Don’t give out excessive permissions
Store passwords with strong encryption
These might seem obvious, but even according to Microsoft, weak passwords are a primary vulnerability exploited to compromise Active Directory: “It is not uncommon for Microsoft Incident Response to engage with customers where accounts have weak or easy to guess credentials, including those of privileged users such as Domain Admins.”
Some Specific Domain Controller Lessons from Crowdstrike
One of the reasons the Crowdstrike incident was so high-impact was that it affected many domain controllers, and their backups!
There are lessons to be learned in how to handle domain controllers and their backups to help protect against an outage like this.
Domain Controller Outage = Organization Shut Down
What do ransomware attacks and domain controller outages have in common?
The ability to bring your organization’s operations to a complete standstill!
Just like you should have a strong and practiced incident response plan for handling a ransomware attack, so too should you have an incident response plan for a domain controller outage. Work hard to implement strong redundancy. Beyond that, there should be absolutely no extraneous software installed on a domain controller. What if the software, such as Crowdstrike, gets an update pushed that crashes the server? The chance that it happens is slim but – as we’ve seen – the consequences for outages are extreme and worth protecting against!
Backup Bitlocker Keys Elsewhere
Your domain controllers should be encrypted with BitLocker.
Your BitLocker recovery keys should be persisted in a secure, non-Windows environment – especially the ones for your domain controllers.
This way, in case there is an incident that affects all Windows machines, your BitLocker keys are still accessible.
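As an added example (not from the original post), here is a PowerShell script that pulls the BitLocker recovery password(s) for a domain controller’s OS volume and writes them to an escrow file destined for a non-Windows store. The escrow path, the volume letter and the file layout are assumptions.

```powershell
# Added example, not from the original post: reads the BitLocker recovery password(s)
# for this domain controller's OS volume and writes them to an escrow file that is
# meant to be moved off Windows. The destination path below is a placeholder assumption.
$Volume     = 'C:'
$EscrowRoot = 'E:\dc-recovery-escrow'   # assumed: removable media or a mount of a non-Windows vault

$bl = Get-BitLockerVolume -MountPoint $Volume
if ($bl.ProtectionStatus -ne 'On') {
    throw "BitLocker protection on $Volume is '$($bl.ProtectionStatus)'; enable it before escrowing keys."
}

# Only RecoveryPassword protectors carry a human-typeable 48-digit key; TPM protectors do not.
$recovery = $bl.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    throw "No RecoveryPassword protector on $Volume; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector."
}

New-Item -ItemType Directory -Path $EscrowRoot -Force | Out-Null
$out = Join-Path $EscrowRoot ("{0}_{1:yyyyMMdd-HHmm}.txt" -f $env:COMPUTERNAME, (Get-Date))

# One line per protector. The protector ID is what the recovery prompt displays at boot,
# so whoever restores the server can match it to the right password.
$recovery | ForEach-Object {
    "{0}`t{1}`t{2}`t{3}" -f $env:COMPUTERNAME, $Volume, $_.KeyProtectorId, $_.RecoveryPassword
} | Set-Content -Path $out -Encoding ASCII

Write-Host "Escrowed $($recovery.Count) recovery password(s) for $env:COMPUTERNAME to $out"
```

Run it after every change to the volume’s protectors, and treat the output file as a secret: it belongs in the offline vault, not on a share that the same outage or attacker could take down.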
Backup Domain Controllers Nightly
Domain controllers, like any important servers, should be backed up nightly. You do not want to have to redo weeks or even months of changes in the event you lose one! If your industry allows for it, consider cloud backups. It’s good to have a backup that’s not on-premises in the event all on-premises facilities are affected.
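As an added example (not from the original post), this PowerShell script registers a nightly system state backup of a domain controller using Windows Server Backup’s wbadmin. It assumes the Windows Server Backup feature is installed, that E: is a dedicated backup volume, and the task name and schedule are placeholders.

```powershell
# Added example, not from the original post: registers a nightly system state backup
# of this domain controller with Windows Server Backup (wbadmin). Assumes the
# Windows-Server-Backup feature is installed and that E: is a dedicated backup volume.
$BackupTarget = 'E:'                       # assumed backup volume
$TaskName     = 'DC-SystemState-Nightly'   # assumed task name

if (-not (Get-Command wbadmin.exe -ErrorAction SilentlyContinue)) {
    throw 'wbadmin.exe not found; install the Windows-Server-Backup feature first.'
}

# System state on a DC includes the AD database (NTDS.dit), SYSVOL and the registry,
# which is what you need to restore a domain controller rather than just its files.
$action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
    -Argument "start systemstatebackup -backupTarget:$BackupTarget -quiet"
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 4)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify the task has actually succeeded; a backup job that exists but fails is no backup at all.
$info = Get-ScheduledTaskInfo -TaskName $TaskName
"Task '$TaskName' last ran {0} with result 0x{1:X}" -f $info.LastRunTime, $info.LastTaskResult
```

A system state backup on E: is still on-premises; copying the resulting backup set to an off-site or cloud location is a separate step that the post’s advice above calls for.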
Limit Admins for Domain Controllers
Least privilege permissioning dictates that only users who actually need to make changes to domain controllers are given admin access. You do not want to give admin access out willy-nilly, as it increases your attack surface. However, you could be in major trouble if all of your domain controller admins are out on vacation or sick at the same time! Create a policy that ensures at least one of them is working, or create a process that temporarily passes access on if they’re all out of office.
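The two points above, Microsoft’s advice on strong passwords and non-excessive permissions, and this section’s least-privilege-but-not-zero-admins rule, can be checked with one audit. This PowerShell script is an added example, not from the original post or from Microsoft; it assumes the ActiveDirectory RSAT module is available and uses placeholder policy thresholds.

```powershell
# Added example, not from the original post: audits Domain Admins for the problems the
# post calls out, weak or unmanaged passwords and too many (or too few) standing admins.
# Assumes the ActiveDirectory RSAT module; the two thresholds are placeholder policy values.
Import-Module ActiveDirectory

$MaxAdmins          = 5    # assumed policy: at most five standing Domain Admins
$MaxPasswordAgeDays = 90   # assumed policy: rotate privileged passwords at least quarterly

# -Recursive expands nested groups, so admins hidden behind group nesting are included.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, PasswordNotRequired, LastLogonDate

$findings = foreach ($u in $admins) {
    $issues = @()
    if ($u.PasswordNotRequired)  { $issues += 'PasswordNotRequired' }   # blank password allowed
    if ($u.PasswordNeverExpires) { $issues += 'PasswordNeverExpires' }  # never rotated by policy
    if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
        $issues += 'PasswordStale'
    }
    if (-not $u.Enabled) { $issues += 'DisabledButStillAdmin' }         # excess permission left behind
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        LastLogonDate   = $u.LastLogonDate
        Issues          = ($issues -join ',')
    }
}

$findings | Sort-Object Issues -Descending | Format-Table -AutoSize

# Least privilege cuts both ways: too many admins widens the attack surface,
# a single admin means one vacation or sick day leaves nobody able to act.
if ($admins.Count -gt $MaxAdmins) {
    Write-Warning "Domain Admins has $($admins.Count) user members; policy allows $MaxAdmins."
}
if ($admins.Count -lt 2) {
    Write-Warning "Only $($admins.Count) Domain Admin; a single absence leaves nobody able to act."
}
```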
Other Tips to Secure Active Directory
Operating Active Directory servers is a significant job function and there are a number of both first-party Microsoft and third-party resources and guides available.
Active Directory Domain Controller Alternatives in 2024
While no system can truly be a 1:1 replacement, there are alternatives to using Active Directory.
Assuming that your organization is largely a Microsoft shop, Entra ID (formerly Azure Active Directory) takes the underlying maintenance aspect of Active Directory out of your hands. There are pluses and minuses to not having the servers on site. The most obvious one is if your access to Azure is disrupted, then your domain controller function may also be disrupted.
If you use AWS, it offers a number of cloud-based domain controller solutions that integrate with or run Active Directory to interface with Microsoft products.
While Active Directory is a significant part of legacy IT departments, domain controllers are basically foreign to some young companies that forwent any on-premises IT!
As stated previously, if your IT needs are light, Google Workspace handles access control on your behalf.
Similarly, a company that solely uses Microsoft 365’s cloud-based email and office-suite isn’t likely to need it either.
Lastly, a mixture of tools may be sufficient for small businesses: a cloud office suite as mentioned above, mobile device management (MDM) for server and endpoint provisioning, and identity tools such as Okta to provide access control.
Conclusion
10 years ago, it would have been unwise to use a cloud-based domain controller. Today, that has changed. There are a number of solutions available to manage your access control function that offer a number of benefits over on-premises domain controllers. Domain controllers are extremely vulnerable to mismanagement, misconfiguration, and hostile cyber attacks. If there is an outage or attack that affects your domain controller, it will likely be your biggest incident of the year!
Take the time to secure your domain controllers and plan to restore them quickly if needed. If your business is unable to properly care for these delicate servers in-house or on-premises, don’t be afraid to look elsewhere for help!
We recommend replacing Active Directory IF it is not actively managed by your organization. It is not the sort of tool to set and forget.