CyberSecurity SEE

Potential security risks associated with hybrid Microsoft network/cloud legacy settings

The expansion of networks and the increasing use of cloud applications and services have significantly changed the security landscape for IT professionals. In the past, the main concern for network security was limited to the Active Directory domain and the firewall that protected it. However, with the advent of the internet and the widespread adoption of connected devices and cloud applications, the security boundary has expanded.

IT professionals now have to worry about more than just the computers listed in Active Directory Users and Computers. They need to be concerned about applications and APIs that could create authentication links into apps inside their domain. Usernames and passwords have become a crucial part of the security boundary, and IT professionals need to keep track of where these credentials are being used. Are they being used to access cloud applications or resources that are connected to the network? Are they being used for single sign-on authentication? Are they syncing data to a cloud resource?

The security boundary also extends to external consultants and managed service providers who have access to the network. If these individuals have usernames and passwords or remote access tools, they become part of the security defenses, and IT professionals need to consider their security measures as well.

Recently, a vulnerability in MOVEit software highlighted the fact that even with robust security measures in place, organizations can still be impacted by software within their domain. Notifications have been sent out by agencies warning customers about the potential impact.

To further emphasize the expanding security boundary, Microsoft interviewed Sean Metcalf, an expert in Active Directory security. He discussed the challenges faced by many networks that have been set up over a long period of time, often with the impact of mergers and acquisitions on permissions and forest levels. Many networks, including large organizations, have accounts and services with permissions that are too permissive.

The forest level of a network can also impact security. For example, a domain with a functional level below Server 2008 may face issues when KrbtgtFullPacSignature enforcement comes into effect. It is crucial to regularly rotate account passwords and ensure that the forest level is at or above Server 2008 to avoid potential vulnerabilities.
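The three facts the paragraph above depends on (forest and domain functional level, how old the krbtgt password is, and the KrbtgtFullPacSignature setting on each domain controller) can be pulled into one report. The script below is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory module is installed, that the caller can run WinRM commands on every domain controller, and that 180 days is the rotation threshold you want to alert on (that number is an assumption, not a value from the article).

```powershell
# Added example: report the legacy Kerberos settings discussed in the article.
# Assumes the ActiveDirectory module, WinRM access to every DC, and an assumed
# 180-day rotation threshold for the krbtgt account password.
Import-Module ActiveDirectory

function Get-LegacyKerberosPosture {
    param([int]$MaxKrbtgtAgeDays = 180)   # assumed threshold, adjust to policy

    $results = [System.Collections.Generic.List[object]]::new()
    $forest  = Get-ADForest
    $domain  = Get-ADDomain

    # Functional levels are enums; casting to [int] lets us test "2008 or newer".
    $minForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
    $minDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain

    $results.Add([pscustomobject]@{
        Scope  = $forest.Name
        Check  = 'Forest functional level'
        Value  = $forest.ForestMode
        Status = $(if ([int]$forest.ForestMode -ge $minForest) { 'OK' } else { 'BELOW 2008' })
    })
    $results.Add([pscustomobject]@{
        Scope  = $domain.DNSRoot
        Check  = 'Domain functional level'
        Value  = $domain.DomainMode
        Status = $(if ([int]$domain.DomainMode -ge $minDomain) { 'OK' } else { 'BELOW 2008' })
    })

    # Age of the krbtgt password: an old krbtgt secret keeps old tickets valid.
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $ageDays = [math]::Round(((Get-Date) - $krbtgt.PasswordLastSet).TotalDays)
    $results.Add([pscustomobject]@{
        Scope  = $domain.DNSRoot
        Check  = 'krbtgt password age'
        Value  = "$ageDays days"
        Status = $(if ($ageDays -le $MaxKrbtgtAgeDays) { 'OK' } else { 'ROTATE' })
    })

    # KrbtgtFullPacSignature is a per-DC registry value under the Kdc service key.
    # Published meanings: 0 = disabled, 1 = add signatures but do not validate,
    # 2 = audit, 3 = enforcement. A missing value means the OS default applies.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
                    -Name KrbtgtFullPacSignature -ErrorAction SilentlyContinue).KrbtgtFullPacSignature
            }
            $status = switch ($value) {
                $null   { 'Not set (OS default applies)' }
                3       { 'Enforced' }
                default { "Value $value (not enforced)" }
            }
        }
        catch {
            $value  = $null
            $status = "Unreachable: $($_.Exception.Message)"
        }
        $results.Add([pscustomobject]@{
            Scope  = $dc.HostName
            Check  = 'KrbtgtFullPacSignature'
            Value  = $value
            Status = $status
        })
    }
    return $results
}

# Usage: run from a domain-joined admin workstation and review anything not marked OK.
Get-LegacyKerberosPosture | Format-Table -AutoSize
```

A domain below the 2008 functional level shows up as `BELOW 2008` on the first two rows, which is exactly the population the paragraph says will have trouble once enforcement arrives; a `ROTATE` row is a reminder that rotating the krbtgt password is a two-step operation (two rotations, spaced apart) because both the current and previous secret stay valid for ticket validation.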

Securing Active Directory environments can be challenging, especially for organizations lacking visibility into risky configurations. Legacy applications and complex environments pose additional challenges, particularly for larger organizations. Lack of in-house expertise can hamper efforts to maintain proper Active Directory hygiene, which is especially true for smaller businesses or vertical markets with limited resources.

One key aspect of network security is thoroughly testing and confirming the effects of any network changes. Often, there are users in the network with administrative rights who are not even aware of their level of access. This can be the result of inherited setups from previous network infrastructures or a lack of awareness about the implications of certain settings.

Azure Active Directory and single sign-on have become popular choices for organizations looking to sync their existing infrastructure into the cloud. However, it is important to review and audit the accounts that are being synchronized to ensure that only necessary accounts are included. Attackers have found ways to exploit the Azure AD Connector account and the AD DS Connector account, particularly if there is a local administrator with access to the server running Azure AD Connect. Legacy settings from older domains may still be impacting the security posture of hybrid Microsoft customers.
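The two preceding paragraphs describe the same audit from two angles: who effectively holds administrative rights (including through nested groups), and who is a local administrator on the Azure AD Connect server where the connector credentials live. The script below is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory module, WinRM access to the Azure AD Connect server (the hostname is a placeholder you supply), and that the AD DS Connector account carries the `MSOL_` prefix that the Express-settings installer assigns (a custom-named account needs the pattern changed).

```powershell
# Added example: enumerate effective admins and local admins on the Azure AD Connect
# server. Assumes the ActiveDirectory module, WinRM to the AADC server, and the
# default MSOL_ naming for the AD DS Connector account.
Import-Module ActiveDirectory

function Get-HybridAdminExposure {
    param(
        [Parameter(Mandatory)]
        [string]$AadConnectServer,                      # placeholder, e.g. 'AADC01'
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                        'Schema Admins', 'Administrators'),
        [string]$ConnectorAccountPattern = 'MSOL_*'     # assumed default naming
    )

    $netbios = (Get-ADDomain).NetBIOSName
    $report  = [ordered]@{}

    # 1. Effective (recursive) membership: nested groups are the usual reason
    #    someone does not know they are an administrator.
    $report.PrivilegedMembers = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
    }

    # 2. The AD DS Connector account(s) and every group they belong to. The account
    #    needs replication-related rights but should not sit in a privileged group.
    $connectors = Get-ADUser -Filter "SamAccountName -like '$ConnectorAccountPattern'" `
                             -Properties MemberOf, PasswordLastSet
    $report.ConnectorAccounts = foreach ($c in $connectors) {
        [pscustomobject]@{
            Account         = $c.SamAccountName
            PasswordLastSet = $c.PasswordLastSet
            MemberOf        = ($c.MemberOf | ForEach-Object { (Get-ADGroup $_).Name }) -join ', '
        }
    }

    # 3. Local Administrators on the Azure AD Connect server: anyone here can reach
    #    the stored connector credentials the article warns about.
    $report.LocalAdminsOnAadConnect = Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
    }

    # 4. Accounts that are both domain-privileged and local admins on that server
    #    combine the two risks; list them separately for review.
    $privNames = $report.PrivilegedMembers.Account | ForEach-Object { "$netbios\$_" }
    $report.PrivilegedLocalAdmins = $report.LocalAdminsOnAadConnect |
        Where-Object { $privNames -contains $_.Name }

    return [pscustomobject]$report
}

# Usage (hostname is a placeholder):
$exposure = Get-HybridAdminExposure -AadConnectServer 'AADC01'
$exposure.PrivilegedMembers       | Sort-Object Group, Account | Format-Table -AutoSize
$exposure.ConnectorAccounts       | Format-Table -AutoSize
$exposure.LocalAdminsOnAadConnect | Format-Table -AutoSize
$exposure.PrivilegedLocalAdmins   | Format-Table -AutoSize
```

The output is the review list the paragraph asks for: every name in `PrivilegedMembers` should be able to explain why it is there, `ConnectorAccounts` should show no membership in the privileged groups, and `LocalAdminsOnAadConnect` should be as short as the service allows, since the server running Azure AD Connect deserves the same tiering as a domain controller. The cloud-side half of the audit (which synchronized accounts actually exist in Azure AD) is done from the Azure AD side and is not covered by this script.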

As networks continue to evolve and organizations adopt new technologies, it is crucial for IT professionals to stay vigilant and adaptive. The expansion of the security boundary beyond Active Directory and the increasing complexity of network environments require constant evaluation and proactive measures to ensure the security and integrity of the network.
