Architecture:

| Tested & recommended by Microsoft | versus overloading Domain Controllers |
|---|---|
| Lightweight AD adapter co-developed with Microsoft results in minimal consumption of Domain Controller resources. | Heavy agents perform all processing on the Domain Controllers, often causing downtime & requiring a significant increase in DC hardware resources (~30% or higher). |
| Native integration with Conditional Access and the entire Microsoft security stack including Entra ID, Entra MFA, & Defender suite. Keep up with evolving security requirements, such as stronger MFA with number matching. | Limited integration with Microsoft which supports push MFA for Microsoft Authenticator and number matching. |
| No modification of AD software, schema, or OS. No password info sent to the cloud. | Intrusive architecture that acts as a wrapper to sync AD password hashes to CrowdStrike’s cloud. Requires connecting DC directly to the internet, as well as DC restart. |

Approach:

| Active prevention | versus reactive detection |
|---|---|
| Protecting against identity threats in real time by enforcing MFA protection on all authentications and access requests. | Generating additional alerts for detected threats while malicious activity is still live, acting as another ‘sensor’ for the XDR platform. |
| Extends MFA to all critical resources and interfaces, including PowerShell, PsExec, WMI, as well as legacy apps, file shares and more. | Offers reduced MFA capabilities that might work in a lab or small environment, but cause technical issues when deployed at scale. |
| Tested and proven protection capabilities against ransomware attacks and nation-state operations in multiple customer environments. | Protection capabilities are in limited use, aligned with CrowdStrike’s detection-oriented product strategy. |

Coverage:

| Comprehensive protection on-prem and in the cloud | versus AD-centric |
|---|---|
| Native integration with all leading on-prem and cloud identity providers (AD, ADFS, Entra ID, Okta, Ping, RADIUS, etc.). | AD-centric approach with only partial visibility to cloud access logs, and without active protection capabilities for Entra ID, Okta and other cloud IdPs. |
| Capable of protecting even air-gapped networks without any internet connectivity, including support for FIDO2 and other physical MFA tokens, as well as desktop MFA options. | Only works in environments where DCs can be connected directly to the internet. |