What is Active Directory?

Active Directory (AD) is a directory service developed by Microsoft to manage authentication and authorization in on-prem domain networks. The server that runs the AD service is called a Domain Controller.

Prominent uses of AD include creating user accounts (names and passwords), organizing them into groups, and assigning their access privileges to various organizational resources.

However, its most important functionality is managing the authentication process of users that attempt to access servers, workstations, on-prem applications, or any other resource within the domain network. Whenever a user provides their username and credentials, Active Directory checks the input and validates that the username and credentials indeed match. AD works mainly with two authentication protocols: NTLM and Kerberos.

Active Directory is the Standard Identity Provider for Most Organizations

Active Directory operates as the authentication infrastructure in practically every organizational network today. In the pre-cloud era, all organizational resources resided exclusively on-prem, making AD effectively the sole identity provider.

However, even as organizations seek to move workloads and applications to the cloud, AD is still present in more than 95% of organizational networks. This is mainly because core resources are hard or impossible to migrate to the cloud.

Active Directory Attacks: Identity Threats

Identity threats are cyber attacks or distinct components within a larger-scale cyber operation that utilize compromised credentials for malicious resource access. These attacks typically:

  • Occur in the post-compromise lateral movement stage, where attackers attempt to expand from an initial foothold to other machines in the targeted environment.
  • Use either cleartext passwords or password hashes to perform an Active Directory authentication.
  • Obtain the credentials either by purchasing them on the dark web or by harvesting them during the attack from compromised machines (there are various open tools to accomplish that).
  • Transform a local event on a single compromised machine into an organization-level incident that can put business operations at risk.

The Two Types of Active Directory Identity Threats:

1. Compromised Cleartext Passwords 

Whenever an attacker has managed to get hold of a valid username and its cleartext password and provides them to AD, AD treats the authentication as legitimate and allows access. In that manner, threat actors can use the AD authentication infrastructure for malicious access without needing to employ malware, which makes this access hard to detect.

2. Compromising the Authentication Mechanism 

When attackers cannot get hold of the plaintext password, they can still perform a full AD authentication using the password hash. The details depend on the protocol in use:

  • NTLM: NTLM uses the hash as a password equivalent, enabling attackers to launch a ‘Pass the Hash’ attack with a compromised hash.
  • Kerberos: Kerberos generates authentication tickets using the hash. Attackers can use a compromised hash to forge Kerberos tickets and perform a Kerberos authentication.

Attackers’ Ultimate Goal: Active Directory Domain Dominance

Since AD can be regarded as the nerve center of the domain environment, it enables a logged-in admin user to perform any desired action – create users, elevate privileges and access any resource. 

This status is known as ‘domain dominance’, and it is the main objective the attacker’s lateral movement strives to achieve. For example, once domain dominance is gained, an attacker can plant a ransomware payload on multiple workstations and servers, or if the purpose of the attack.

Active Directory Cannot Detect or Prevent Identity Threats

AD cannot provide protection against these attacks since its protection capabilities are limited to checking the match between username and credentials. 

Since identity threats, by definition, are founded on compromised valid usernames and credentials, they easily bypass AD and pass off their malicious authentication as a legitimate one. This creates a severe blind spot in organizations’ security architecture that gives rise to numerous variations of lateral movement attacks.
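Because every one of these logons is valid from AD's point of view, a compensating detection has to look at the pattern of successful authentications rather than at any single one. The following is an added example, not part of the original article: it runs a simple fan-out rule over constructed authentication events (the event format, host names and thresholds are assumptions for illustration).

```python
"""Lateral-movement fan-out detection over constructed authentication events.

Added example, not from the original article. It illustrates the blind spot
described above: AD accepts any logon whose credentials match, so detection
has to work on the *pattern* of accepted logons instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, source host, target host, protocol).
# alice is normal interactive use; svc_backup is one source host reaching many
# servers within about 90 seconds, the shape of a credential being replayed.
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "WS-ALICE", "FILESRV01", "Kerberos"),
    ("2024-03-01T09:05:00", "alice", "WS-ALICE", "MAIL01", "Kerberos"),
    ("2024-03-01T13:00:00", "svc_backup", "WS-BOB", "FILESRV01", "NTLM"),
    ("2024-03-01T13:00:20", "svc_backup", "WS-BOB", "FILESRV02", "NTLM"),
    ("2024-03-01T13:00:45", "svc_backup", "WS-BOB", "SQL01", "NTLM"),
    ("2024-03-01T13:01:10", "svc_backup", "WS-BOB", "DC01", "NTLM"),
    ("2024-03-01T13:01:30", "svc_backup", "WS-BOB", "HR-APP01", "NTLM"),
]


def fan_out_alerts(events, window=timedelta(minutes=5), max_targets=3):
    """Flag (user, source host) pairs that reach more than max_targets distinct
    hosts inside a sliding time window. Thresholds are illustrative assumptions;
    in practice they are tuned per account type (service accounts, admins, users)."""
    by_pair = defaultdict(list)
    for ts, user, src, dst, proto in events:
        by_pair[(user, src)].append((datetime.fromisoformat(ts), dst, proto))

    alerts = []
    for (user, src), logons in by_pair.items():
        logons.sort()  # chronological order so each window starts at a real logon
        for i, (start, _, _) in enumerate(logons):
            in_window = [entry for entry in logons[i:] if entry[0] - start <= window]
            targets = sorted({dst for _, dst, _ in in_window})
            if len(targets) > max_targets:
                protocols = sorted({proto for _, _, proto in in_window})
                alerts.append({"user": user, "source": src,
                               "targets": targets, "protocols": protocols})
                break  # one alert per (user, source) pair is enough
    return alerts


if __name__ == "__main__":
    for alert in fan_out_alerts(EVENTS):
        print(f"{alert['user']}@{alert['source']} reached {len(alert['targets'])} hosts "
              f"via {','.join(alert['protocols'])}: {', '.join(alert['targets'])}")
```

The rule fires on the service account replayed from one workstation to five servers and stays quiet on the ordinary user, even though AD itself returned "credentials match" for all seven logons.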

Active Directory and the Lack of MFA Support

AD itself has no way to distinguish a legitimate authentication from a malicious one (as long as a valid username and credentials were provided). This security gap could theoretically be addressed by adding Multi-Factor Authentication (MFA) to the authentication process. Unfortunately, the authentication protocols AD uses – NTLM and Kerberos – don’t natively support MFA step-up.

The result is that the vast majority of access methods in an AD environment cannot have real-time protection against an attack that employs compromised credentials. For example, frequently used CMD and PowerShell remote access tools such as PsExec or Enter-PSSession cannot be protected with MFA, enabling attackers to abuse them for malicious access.

Frequently Asked Questions

  • What are the 3 main functions of Active Directory?

    1. Authentication: Active Directory is used to authenticate users, computers, and other resources on a network. This means that AD verifies the identity of a user or device before allowing access to network resources.
    2. Authorization: Once a user or device has been authenticated, AD is used to authorize access to specific resources on the network. This is done by assigning permissions and rights to users and groups, which determine what they are allowed to do on the network.
    3. Directory Services: Active Directory is also a directory service, which means that it stores and organizes information about network resources, such as users, computers, and applications. This information can be used to manage and locate resources on the network.
  • What is the difference between a domain controller and Active Directory?

    Active Directory (AD) is a directory service and a database that stores information about network resources, such as users, computers, and applications. It authenticates and authorizes access to network resources.

    A domain controller is a server that runs Active Directory and is responsible for managing and enforcing AD policies and rules on a network. It authenticates and authorizes users and computers, and it also replicates the AD database to other domain controllers in the network.

    In summary, Active Directory is the technology and database that stores the information and logic to manage the access and authorization of resources on a network, while a domain controller is a server that runs AD and is responsible for managing and enforcing AD policies and rules on a network.

  • What are the 4 types of Microsoft Active Directory?

    1. Active Directory Domain Services (AD DS): This is the most commonly used version of AD, and it is used to manage user and computer accounts, as well as other network resources, such as printers and servers. AD DS is typically deployed on Windows Server operating systems and it is the foundation for centralized authentication and authorization on Windows networks.
    2. Active Directory Lightweight Directory Services (AD LDS): This version of AD is designed for use in specific scenarios, such as when you need to provide directory services for an application without having to deploy an entire AD DS infrastructure. AD LDS runs on Windows Server, and it does not require the deployment of domain controllers.
    3. Active Directory Federation Services (AD FS): This version of AD is used to provide single sign-on (SSO) capability for users across multiple web applications and organizations. AD FS allows users to authenticate once and then access multiple web applications and services without having to re-enter their credentials.
    4. Active Directory Certificate Services (AD CS): This version of AD is used to issue and manage digital certificates, which can be used to secure network communications and authenticate users and devices. AD CS allows an organization to issue and manage its own digital certificates, rather than having to rely on a third-party certificate authority.

    All of these types of AD are built on the same core technology and share many of the same features, but they are optimized for different use cases.