

10:00 AM
Raz Rafaeli

Active Directory Needs an Update: Here's Why

AD is still the single point of authentication for most companies that use Windows. But it has some shortcomings that should be addressed.

Tried and true, Active Directory has been managing permissions and access to networked resources for decades. It's a system that has weathered storms — cyber, organizational, and competitive — and has remained the backbone of most IT environments.

AD remains the single point of authentication and authorization for most companies that use Windows networking products or operating systems. It controls access to all critical resources, and it's the linchpin for any major project or initiative. And that remains true even in an era when more companies are leveraging the cloud and supporting a mobile-first approach.

The Cloud, On-Premises, and the AD Identity Crisis
One of the secrets of AD's longevity has been its ability to evolve in response to new needs and challenges. As such, the topic of "the need for Active Directory modernization" has become a major point of IT industry discussion in recent years. AD has been accused by some of having an identity crisis (pun intended), although there are almost as many opinions on how to solve that crisis as there are users of AD.

With that, there are three issues that need to be addressed for AD to serve the next generation of computing:

Issue 1: User management in multiple environments. IT systems today are made up of a combination of environments and platforms, both on-premises and cloud-based, and users access them using a variety of methods, from desktops and laptops to mobile devices and virtual desktop infrastructure (VDI). To manage authentication across environments, organizations use Azure Active Directory Connect (Azure AD Connect), Microsoft's synchronization tool that connects the on-premises identity infrastructure to Azure Active Directory.

However, the security controls of Azure Active Directory differ from those of on-premises AD deployments: Azure AD, for example, supports multifactor authentication (MFA) natively, while on-premises AD has no native second factor beyond smart-card (certificate-based) logon. So why not just switch to Azure AD? Because, as Microsoft says, "Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD." Clearly, an update to AD is needed.

Issue 2: Security. Azure AD has the right idea: requiring a second factor is more secure than the password-based Kerberos single sign-on (SSO) that AD relies on. AD users have the option to bolt on MFA, but in hybrid environments SSO is in control: once a user has authenticated to the domain and holds a Kerberos ticket, that ticket grants access to online resources without any further factor being checked, so whoever holds the password holds everything behind it. With a threat landscape this vast, and increasingly damaging, multiple authentication factors are a must for cloud-based and on-premises systems alike.

Issue 3: Regulations. One major factor that demands an AD update is the increasing security requirements of regulatory bodies. Increasingly, regulators are requiring that online services utilize MFA. Previously, customers would ask about Active Directory modernization when they needed help with AD migration, consolidation, or restructuring. Today, with data breaches wreaking havoc, the push for AD modernization is converging with the need for strong cybersecurity.

The Drive for Digital Transformation Makes AD More Important
All these factors play into the need for AD modernization. The popularity of AD has become its own Achilles' heel; because companies relied so strongly on it during the on-premises computing era, they built their entire IT infrastructure around it. Now, as data, services, and activity move to the cloud, there is a "disconnect" between the authentication methods used by organizations and the authentication requirements for online services, whether they're required for the security of the service or by regulators.

Many AD infrastructures are 10 to 15 years old and have grown significantly over time. Those relying on AD have learned that these early deployments are often ill-equipped to meet the needs of today's technologies and business demands; this is especially true for large organizations with complex infrastructures. Without proper cleanup and consolidation, organizations could face security and compliance risks once they get to the cloud.

Identity Management with Identity Crisis
The key to AD security is balancing the need to streamline user access to maximize productivity against the need to protect sensitive data and systems from both accidental and deliberate privilege abuse.

But AD authentication is limited to either passwords or smart cards, each with its own drawbacks. Passwords can be lost, forgotten, and, of course, stolen. [Editor's note: The author's company is one of a number that offer passwordless MFA.] If AD relies on a username and password for the efficient SSO that gives authenticated users access to everything, an attacker who steals, guesses, or tricks a user into giving up those credentials gains the same access, with AD as an active accomplice. The philosophy of AD authentication was designed for simpler times, before there was a plethora of malware built to steal user credentials and before social engineering had become a routine way of extracting them from users.

AD also supports smart-card logon, which removes the possibility of an impostor logging in with a stolen password alone. But card management has its own issues. It's more expensive than username/password authentication: the company has to buy the cards, and cards get lost, which means paying for replacements. Presumably employees will report a lost card immediately, but because card authentication rests on trusting the issuing certificate authority, a compromised CA or a mis-issued certificate undermines the whole scheme, so simply not losing one's card doesn't guarantee anything.
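The practical question behind the password-versus-smart-card discussion above is which accounts in a domain, and above all which privileged accounts, can still be used with nothing more than a password. The following PowerShell audit is an added example, not code from the article or from the author's company. It assumes the RSAT ActiveDirectory module is installed, that the caller has read access to the domain, and that the privileged group names listed are the ones worth checking; the account name in the commented remediation line is a placeholder.

```powershell
# Added example (not from the article): find enabled members of privileged AD groups
# whose logon is still password-only, i.e. userAccountControl lacks the
# SMARTCARD_REQUIRED flag (0x40000) that Get-ADUser exposes as SmartcardLogonRequired.
# Assumptions: RSAT ActiveDirectory module present; read access to the domain;
# the group list below is illustrative and should match your own tiering model.
Import-Module ActiveDirectory

function Get-PasswordOnlyPrivilegedUsers {
    param(
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                        'Schema Admins', 'Administrators')
    )
    $seen = @{}
    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups, which is where forgotten admin accounts usually hide
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            # A user nested in several privileged groups is reported once, under the first group hit
            if ($seen.ContainsKey($m.DistinguishedName)) { continue }
            $seen[$m.DistinguishedName] = $true
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties `
                    SmartcardLogonRequired, PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled
            [pscustomobject]@{
                SamAccountName         = $u.SamAccountName
                Group                  = $group
                Enabled                = $u.Enabled
                SmartcardLogonRequired = $u.SmartcardLogonRequired
                PasswordNeverExpires   = $u.PasswordNeverExpires
                PasswordLastSet        = $u.PasswordLastSet
                LastLogonDate          = $u.LastLogonDate
            }
        }
    }
}

# Report: enabled privileged accounts an attacker could use with a stolen or guessed password alone.
$findings = Get-PasswordOnlyPrivilegedUsers |
    Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired }
$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Remediation for one account (placeholder name): interactive logon then requires the
# certificate on the card, and the initial Kerberos ticket is obtained via PKINIT, not the password.
# Set-ADUser -Identity 'admin.jdoe' -SmartcardLogonRequired $true
```

Two caveats when acting on the report. Setting SmartcardLogonRequired governs interactive logon only; the account still has an NT hash that NTLM-based services can consume, so it should be rotated (on a Windows Server 2016 domain functional level, the Kerberos policy option to roll expiring NTLM secrets for smart-card users can automate this). And an account that shows PasswordNeverExpires alongside a stale PasswordLastSet is the one to fix first, since it is exactly the credential a phished or malware-harvested password keeps working against indefinitely.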

MFA for All
Cognizant of the problems and sensing a market opportunity, vendors by the dozen offer MFA add-ons for AD. Second factors can include one-time passwords sent via text message, biometrics (fingerprints, etc.), smart cards, hardware tokens, and even voice authentication.

While these are certainly more secure than username/password authentication alone, there are no guarantees; second factors can be defeated, some more easily than others (a one-time password sent by text message, for instance, can be intercepted or redirected). And if the username/password is already compromised, we're back where we started. For a more secure user experience, it would be best to do away with that first factor altogether and implement stronger authentication methods. This, of course, would significantly affect AD, which is so strongly tied to credential-based SSO, which again speaks to the need for a major update.


Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus, is a results-driven business executive with more than 25 years of technology and leadership experience in the software, security, semiconductor, and telecom industries. Previously, Raz was the CEO of MiniFrame and ... View Full Bio
User Rank: Apprentice
1/29/2020 | 10:08:09 AM
This Is Important
I think this is the final alert :)
User Rank: Apprentice
1/19/2020 | 5:24:32 AM
Re: Issue
We completely agree 
User Rank: Apprentice
1/16/2020 | 11:41:03 AM
The 2nd issue you mentioned is the most concerning imho.