Active Directory (AD) is a directory service developed by Microsoft to manage authentication and authorization in on-premises domain networks. The server that runs the AD service is called a Domain Controller.
Prominent uses of AD are creating user accounts (names and passwords), organizing them into groups, and assigning their access privileges to various organizational resources.
However, its most important function is managing the authentication of users who attempt to access servers, workstations, on-premises applications, or any other resource within the domain network. Whenever a user provides a username and credentials, Active Directory checks the input and validates that the username and credentials indeed match. AD works mainly with two authentication protocols: NTLM and Kerberos.
Active Directory operates as the authentication infrastructure in practically every organizational network today. In the pre-cloud era, all organizational resources resided exclusively on-premises, making AD effectively the sole identity provider.
However, even now that organizations seek to transition workloads and applications to the cloud, AD is still present in more than 95% of organizational networks. This is mainly because core resources are hard or impossible to migrate to the cloud.
Identity threats are cyber attacks, or distinct components within a larger-scale cyber operation, that use compromised credentials for malicious resource access. These attacks typically:
So whenever an attacker has managed to get hold of compromised credentials and presents them to AD, AD treats the attempt as legitimate authentication and grants access. In that manner, threat actors can use the AD authentication infrastructure for malicious access without needing to deploy malware, which makes this access hard to detect.
When attackers cannot get hold of the plaintext password, they can still complete a full AD authentication using the password hash. The actual implementation depends on the protocol in use:
Since AD can be regarded as the nerve center of the domain environment, it enables a logged-in admin user to perform any desired action: create users, elevate privileges, and access any resource.
This status is known as 'domain dominance', and it is the main objective the attacker's lateral movement strives to achieve. For example, once domain dominance is gained, an attacker can plant a ransomware payload on multiple workstations and servers, or if the purpose of the attack.
AD cannot provide protection against these attacks, since its protective capabilities are limited to checking that the username and credentials match.
Since identity threats, by definition, are founded on compromised valid usernames and credentials, they easily pass AD's checks and their malicious authentication appears legitimate. This creates a severe blind spot in organizations' security architecture that gives rise to numerous variations of lateral movement attacks.
AD itself has no way to discern legitimate authentication from malicious authentication as long as valid usernames and credentials are provided. This security gap could theoretically be addressed by adding Multi-Factor Authentication (MFA) to the authentication process. Unfortunately, the authentication protocols AD uses, NTLM and Kerberos, do not natively support an MFA step-up.
The result is that the vast majority of access methods in an AD environment cannot have real-time protection against an attack that employs compromised credentials. For example, frequently used CMD and PowerShell remote access tools such as PsExec or Enter-PSSession cannot be protected with MFA, enabling attackers to abuse them for malicious access.
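Because AD only checks that the username and credentials match, detecting credential misuse has to happen outside AD, by looking at the pattern of authentications rather than at any single one. The following is an added example (not code from the original article): a small heuristic that reads Windows Security event 4624 logon records and flags an account that completes network logons (LogonType 3, the type produced by tools such as PsExec or Enter-PSSession) to many distinct hosts within a short window, which is the fan-out shape lateral movement tends to have. The log lines are constructed for the illustration, and their single-line key=value format is an assumption; the field names are shortened versions of the 4624 fields (Computer is the host that recorded the logon, AuthPkg the authentication package).

```python
"""Lateral-movement fan-out heuristic over constructed Windows 4624 logon events.

Added example, not part of the original article. The log format below is an
assumption: one event per line, ISO timestamp followed by key=value fields.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. svc_backup fans out with NTLM network logons to four
# hosts in under four minutes; the other accounts are benign noise, and the
# last line is deliberately malformed to show it is skipped, not crashed on.
SAMPLE_EVENTS = """\
2024-05-01T09:00:05 EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=svc_backup Computer=FILESRV01
2024-05-01T09:00:41 EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=svc_backup Computer=FILESRV02
2024-05-01T09:01:12 EventID=4624 LogonType=3 AuthPkg=Kerberos TargetUser=bob Computer=FILESRV01
2024-05-01T09:01:30 EventID=4624 LogonType=2 AuthPkg=Kerberos TargetUser=alice Computer=WS-ALICE
2024-05-01T09:02:10 EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=svc_backup Computer=APP01
2024-05-01T09:03:55 EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=svc_backup Computer=DC01
2024-05-01T09:04:02 EventID=4624 LogonType=3 AuthPkg=Kerberos TargetUser=carol Computer=FILESRV01
2024-05-01T10:30:00 EventID=4624 LogonType=3 AuthPkg=Kerberos TargetUser=bob Computer=FILESRV02
this-is-not-a-timestamp EventID=4624 LogonType=3 TargetUser=mallory Computer=X
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_event(line):
    """Parse one log line into a dict with a datetime under 'ts'.

    Returns None for blank or malformed lines so a bad record never aborts
    the whole analysis.
    """
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    raw_ts, rest = match.groups()
    try:
        fields = {"ts": datetime.fromisoformat(raw_ts)}
    except ValueError:
        return None
    for token in rest.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def parse_events(text):
    """Parse a whole log, dropping lines that parse_event rejects."""
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def detect_fan_out(events, window=timedelta(minutes=10), threshold=3):
    """Flag accounts with successful network logons (4624, LogonType 3) to at
    least `threshold` distinct hosts inside any sliding `window`.

    Returns {account: sorted list of hosts reached while the account was over
    the threshold}. A sliding window is used so that an account touching the
    same hosts spread over a whole day does not trip the rule.
    """
    per_user = defaultdict(list)
    for e in events:
        if e.get("EventID") == "4624" and e.get("LogonType") == "3":
            per_user[e["TargetUser"]].append((e["ts"], e["Computer"]))

    findings = defaultdict(set)
    for user, logons in per_user.items():
        logons.sort()
        in_window = Counter()  # host -> number of logons inside the window
        left = 0
        for ts, host in logons:
            in_window[host] += 1
            # Evict logons that fell out of the window ending at `ts`.
            while ts - logons[left][0] > window:
                old_host = logons[left][1]
                in_window[old_host] -= 1
                if in_window[old_host] == 0:
                    del in_window[old_host]
                left += 1
            if len(in_window) >= threshold:
                findings[user].update(in_window)
    return {user: sorted(hosts) for user, hosts in findings.items()}


if __name__ == "__main__":
    for user, hosts in detect_fan_out(parse_events(SAMPLE_EVENTS)).items():
        print(f"fan-out by {user}: {', '.join(hosts)}")
```

In a real deployment the 4624 events are written on each target host, so this only works once logs are forwarded to a central collector; the threshold and window should be tuned per environment, and service accounts with a legitimate reason to touch many hosts (backup, monitoring) need an allow-list or a per-account baseline rather than a global cut-off.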
Active Directory (AD) is a directory service and a database that stores information about network resources, such as users, computers, and applications. It authenticates and authorizes access to network resources.
A domain controller is a server that runs Active Directory and is responsible for managing and enforcing AD policies and rules on a network. It authenticates and authorizes users and computers, and it also replicates the AD database to other domain controllers in the network.
In summary, Active Directory is the technology and database that stores the information and logic for managing access to and authorization of resources on a network, while a domain controller is a server that runs AD and is responsible for managing and enforcing AD policies and rules on a network.
All of these types of AD are built on the same core technology and share many of the same features, but they are optimized for different use cases.