
Should you use Active Directory Domain Controllers? The answer is simple.
It depends.
Wait, the answer isn't simple at all!
As a result of the CrowdStrike/Microsoft outage, we've been doing some rethinking of domain controllers. Domain controllers provide a hugely important IT function (access control) and are extremely vulnerable to incidents, from accidental misconfigurations to purposeful compromise.
Domain controllers require a great deal of care to maintain and operate effectively and securely. They are very widely used, since for a long time they were all but required for on-premises Microsoft Windows environments (i.e. nearly every company with in-house IT running since the 1990s).
However, the advent of the cloud has created some useful alternatives that your organization should consider, if you are unable or unwilling to maintain your own domain controllers.
But first, what is a MS Windows Domain Controller?
A domain controller (DC) is a server responsible for granting and controlling access and authorization to resources within a Windows domain. It handles authentication and enforces security policies to ensure only authorized users and endpoints are permitted to access the proper content and services or functions.
Domain controllers are commonly associated with Windows environments. Active Directory is the Microsoft service that provides DC functionality, though there are Linux- and macOS-based domain controllers too. Domain controllers run on server hardware that should be exclusively dedicated to the task.
If you aren't an Active Directory professional, here's another way to look at it: many recently started businesses operate entirely within Google Workspace. Google Workspace provides user authentication and access control functions. Domain controllers are how on-premises and mixed Microsoft environments handle that access control functionality.
An Active Directory server is a linchpin of efficient user access control. You can quickly provision a user, add or remove access, and perform all the other functions necessary to manage an IT infrastructure. Without it, you'd have to touch each and every IT component and configure them individually.
Because a network's domain controllers centralize access control and user administration, they are critical components of the network environment. They can also be frightening single points of failure if their unique risks are not properly managed.
Domain Controllers are Mission Critical
If you were thinking "hey, access control functionality is pretty important," you're right!
Domain Controllers handle access to email (whether managed on-premises or Microsoft 365), shared storage and files (SharePoint), and really any computing/IT functionality that an organization may use.
Most healthcare companies store patient records on servers managed by Active Directory. Many financial institutions authenticate transactions on servers managed by Active Directory. Many governments' internal networks are managed by Active Directory.
You get the idea: Active Directory controls a lot of important data and functionality!
So what happens when it goes down?
Everything stops.
Entire organizations can be locked out of accessing their email, remote files, and any other important IT functionality. Automated systems and processes that are authenticated via domain controllers can also be stopped!
Domain controller outages are a "high" risk item that requires special care to manage, especially because of how easy it is to break a domain controller.
Domain Controllers are Easy to Mess Up
Active Directory and other domain controllers have extensive, extremely complex setup options. The management of these servers and their settings is a challenging task usually entrusted to senior sysadmins, for good reason.
Even experienced folks can mess something up, because domain controllers are often old, very fragile systems.
Improper configuration can prevent users from accessing important systems and files, expose those important systems and files to the Internet, impair the ability for systems to automatically back themselves up, slow down logins, and create all other types of trouble!
If something does get messed up, it can create a five-alarm IT emergency as your entire company grinds to a halt.
A great example of Active Directory's impact and fragility was shared on Reddit: one sysadmin reported that his company's Active Directory server was broken for a day, locking users out, because they applied a patch to upgrade their encryption capabilities to AES128/AES256 for CIS compliance. He found that an old, very important administrative account did not support or recognize the modern encryption types.
The user stated it took a team of over half a dozen people an entire day to identify the issue and apply a fix.
While we don't know all the particulars of this person's company, we can make some assumptions to quantitatively assess how much damage could be done in the event of an Active Directory mess-up like this.
Labor costs to remediate this would run to single-digit thousands of dollars, not to mention the lost productivity for the rest of the company!
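The failure above is the kind of thing you can check for before the change goes in. This is an added example, not code from the original post or from the Reddit thread: it reads the msDS-SupportedEncryptionTypes attribute on every enabled user and computer account and reports the ones that are explicitly limited to RC4/DES (these fail once AES-only is enforced) and the older ones with the attribute unset. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the bit values are Microsoft's documented flags for that attribute.

```powershell
# Added example: pre-change audit of Kerberos encryption types in AD.
# Assumes the ActiveDirectory module (RSAT) is installed and you can read the domain.
Import-Module ActiveDirectory

# Documented bit flags of msDS-SupportedEncryptionTypes.
$DES_CRC = 0x01; $DES_MD5 = 0x02; $RC4 = 0x04; $AES128 = 0x08; $AES256 = 0x10
$AesMask = $AES128 -bor $AES256

$props    = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName', 'whenCreated'
$accounts = @(Get-ADUser     -Filter 'Enabled -eq $true' -Properties $props) +
            @(Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props)

$report = foreach ($a in $accounts) {
    $etypes = $a.'msDS-SupportedEncryptionTypes'
    $hasAes     = ($null -ne $etypes) -and (($etypes -band $AesMask) -ne 0)
    # Explicit RC4/DES only: these accounts stop authenticating under AES-only.
    $legacyOnly = ($null -ne $etypes) -and ($etypes -ne 0) -and (-not $hasAes)
    [pscustomobject]@{
        Name       = $a.SamAccountName
        Etypes     = if ($null -eq $etypes) { '<not set>' } else { '0x{0:X}' -f $etypes }
        HasAes     = $hasAes
        LegacyOnly = $legacyOnly
        HasSpn     = ($a.servicePrincipalName.Count -gt 0)   # service accounts are the usual culprits
        Created    = $a.whenCreated
    }
}

"Accounts explicitly limited to RC4/DES (fix before enforcing AES), oldest first:"
$report | Where-Object LegacyOnly | Sort-Object Created | Format-Table -AutoSize

"Service accounts with the attribute unset (they inherit the domain default; review the old ones):"
$report | Where-Object { $_.Etypes -eq '<not set>' -and $_.HasSpn } |
    Sort-Object Created | Format-Table -AutoSize
```

Run it against a test domain first; an account that shows up in the first table is exactly the "old administrative account" scenario from the story.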
Domain Controllers are Vulnerable to Compromise
Microsoft provides its own incident response services, literally called "Microsoft Incident Response." I don't doubt their capabilities when it comes to resolving serious incidents in complex Microsoft environments.
Per Microsoft's own team, Active Directory is frequently the target of serious cyber attacks:
"When Microsoft Incident Response (formerly DART/CRSP) is engaged during an incident, almost all environments include an on-premises Active Directory component. In most of these engagements, threat actors have taken full control of Active Directory, i.e., total domain compromise."
An attacker having complete control over your domain controller is a nightmare-level cyber attack! The importance of protecting Active Directory servers cannot be overstated.
Microsoft's article that we pulled the above quote from has some excellent recommendations to start with:
- Use strong passwords
- Don't give out excessive permissions
- Store passwords with strong encryption
These might seem obvious, but according to Microsoft, weak passwords are a primary vulnerability exploited to compromise Active Directory: "It is not uncommon for Microsoft Incident Response to engage with customers where accounts have weak or easy to guess credentials, including those of privileged users such as Domain Admins."
Some Specific Domain Controller Lessons from CrowdStrike
One of the reasons the CrowdStrike incident was so high-impact was that it affected many domain controllers, and their backups!
There are lessons to be learned in how to handle domain controllers and their backups to help protect against an outage like this.
Domain Controller Outage = Organization Shut Down
What do ransomware attacks and domain controller outages have in common?
The ability to bring your organization's operations to a complete standstill!
Just like you should have a strong and practiced incident response plan for handling a ransomware attack, so too should you have an incident response plan for a domain controller outage.
Work hard to implement strong redundancy.
Beyond that, there should be absolutely no extraneous software installed on a domain controller. What if that software, such as CrowdStrike, gets an update pushed that crashes the server?
The chance that it happens is slim, but, as we've seen, the consequences of an outage are extreme and worth protecting against!
Back Up BitLocker Keys Elsewhere
Your domain controllers should be encrypted with BitLocker.
Your BitLocker recovery keys should be persisted in a secure, non-Windows environment, especially the ones for your domain controllers.
This way, if an incident affects all of your Windows machines, your BitLocker keys are still accessible.
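One way to collect those recovery keys for offline storage, as an added example that is not part of the original post: it enumerates every BitLocker volume on the domain controller, pulls out the RecoveryPassword protectors (the only kind usable when the TPM and the host are gone) and writes them to a vault drive. The vault path is a placeholder; it should be removable or otherwise non-Windows storage that is detached once the file is copied.

```powershell
# Added example: export a domain controller's BitLocker recovery passwords
# to an offline vault. Assumes the BitLocker module (Windows Server feature)
# and that X:\ is a removable/offline vault drive (placeholder path).
Import-Module BitLocker

$vaultDir = 'X:\bitlocker-keys'            # placeholder: non-Windows / offline storage
New-Item -ItemType Directory -Path $vaultDir -Force | Out-Null

$server  = $env:COMPUTERNAME
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$outFile = Join-Path $vaultDir "$server-$stamp.txt"

$lines = foreach ($vol in Get-BitLockerVolume) {
    # Skip TPM/password protectors: only the 48-digit recovery password unlocks
    # the disk when the original host is unavailable.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($kp in $rp) {
        "Computer=$server Volume=$($vol.MountPoint) Protection=$($vol.ProtectionStatus) " +
        "KeyProtectorId=$($kp.KeyProtectorId) RecoveryPassword=$($kp.RecoveryPassword)"
    }
}

if (-not $lines) {
    throw "No BitLocker recovery passwords found on $server. Is BitLocker enabled on its volumes?"
}

$lines | Set-Content -Path $outFile
# Sanity check: confirm the export is readable before the drive leaves the building.
"Wrote $(@($lines).Count) recovery password(s) for $server to $outFile"
```

Keep the exported file under the same physical controls as a domain admin password; it unlocks the disks outright.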
Backup Domain Controllers Nightly
Domain controllers, like any important servers, should be backed up nightly. You do not want to have to redo weeks or even months of changes in the event you lose one!
If your industry allows for it, consider cloud backups. It's good to have a backup that's not on-premises in the event all on-premises facilities are affected.
Limit Admins for Domain Controllers
Least privilege dictates that only users who actually need to make changes to domain controllers are given admin access. You do not want to give admin access out willy-nilly, as it increases your attack surface.
However, you could be in major trouble if all of your domain controller admins are out on vacation or sick at the same time! Create a policy that ensures at least one of them is working, or create a process that temporarily passes access on if they're all out of office.
Other Tips to Secure Active Directory
Operating Active Directory servers is a significant job function and there are a number of both first-party Microsoft and third-party resources and guides available.
Active Directory Domain Controller Alternatives in 2024
While no system can truly be a 1:1 replacement, there are alternatives to using Active Directory.
Assuming that your organization is largely a Microsoft shop, Entra ID (formerly Azure Active Directory) takes the underlying maintenance aspect of Active Directory out of your hands. There are pluses and minuses to not having the servers on site. The most obvious one is if your access to Azure is disrupted, then your domain controller function may also be disrupted.
If you use AWS, it offers a number of cloud-based domain controller solutions that integrate with or run Active Directory to interface with Microsoft products.
While Active Directory is a significant part of legacy IT departments, domain controllers are basically foreign to some young companies that forwent any on-premises IT!
As stated previously, if your IT needs are light, Google Workspace handles access control on your behalf.
Similarly, a company that solely uses Microsoft 365's cloud-based email and office suite isn't likely to need one either.
Lastly, a mixture of tools may be sufficient for small businesses: a cloud office suite as mentioned above, mobile device management (MDM) for server and endpoint provisioning, and Identity tools such as Okta to provide access control.
Conclusion
Ten years ago, it would have been unwise to use a cloud-based domain controller. Today, that has changed. There are a number of solutions available to manage your access control function that offer real benefits over on-premises domain controllers.
Domain controllers are extremely vulnerable to mismanagement, misconfiguration, and hostile cyber attacks. If there is an outage or attack that affects your domain controller, it will likely be your biggest incident of the year!
Take the time to secure your domain controllers and plan to restore them quickly if needed. If your business is unable to properly care for these delicate servers in-house or on-premises, don't be afraid to look elsewhere for help!
We recommend replacing Active Directory IF it is not actively managed by your organization. It is not the sort of tool to set and forget.