Active Directory is Foundational

Active Directory is the very foundation of organizational cyber security, operational autonomy and organizational privacy worldwide.

Active Directory is foundational and organizations that operate upon it possess the three cardinal organizational imperatives - foundational security, operational autonomy and organizational privacy.

Organizations that value their security, independence and privacy operate on Active Directory.

Active Directory is Foundational.


Active Directory is the lifeline and foundation of IT and cyber security in IT infrastructures powered by Windows Server.

At 85% of organizations worldwide, all organizational user accounts and passwords are stored, protected and managed in Active Directory and almost all organizational computers are joined to, secured by and managed from Active Directory.

Further, access to the entirety of an organization's IT assets (files, folders, applications, portals, email etc.) is controlled using domain security groups, which too are stored in Active Directory.

As such, in Windows based networks, all three A's of cyber security i.e. Authentication, Authorization and Auditing are completely integrated with and depend on Active Directory, and the most powerful privileged accounts and groups, and the majority of all privileged access lies in Active Directory.

Most importantly, Active Directory enables organizations to operate autonomously, i.e. without having to relinquish control of their primary identities, their security and their organizational privacy to an external entity (e.g. a Cloud IdP provider).

Consequently, an organization's foundational Active Directory is undoubtedly one of its most valuable and critical assets.

Rock Solid

Active Directory is one of the most secure foundational technologies ever built, and over the last twenty five years, thousands of organizations worldwide have been securely operating on it.

The only breaches involving Active Directory have been those in which the compromised organization itself had been deficient in attaining and maintaining least privileged access in Active Directory, resulting in privilege escalation attacks.



A Level Playing Field

Active Directory levels the playing field for all organizations, in relation to its developer, Microsoft Corporation, because when organizations operate on Active Directory, Microsoft has no access to their Active Directory deployments.

In contrast, when organizations transition their primary identities to the Cloud and/or rely on a(ny) Cloud provider for identity and access services, technically speaking, the Cloud provider always has* access to, control in and visibility into all the tenants in its Cloud, thus having an advantage.


*In today's world, amongst other scenarios, a scenario wherein a Cloud provider could be coerced into providing a government entity access to or control over a domestic or foreign tenant's assets, and wherein such access could be used to subvert organizational security or national sovereignty, is not inconceivable.

Active Directory is Secure, Modern and Cloud Integratable

Active Directory is also a highly trustworthy, enterprise-grade, time-tested modern foundational technology that is also fully Cloud-integratable.


Windows Server 2025 is Microsoft Corporation's latest server operating system, and a(ny) technology released in 2025 must, by definition, be modern.

Active Directory is also the foundation of a Microsoft Windows Server 2025 based IT infrastructure, a testament to its suitability for modern times.


In fact, here are ten (10) new Active Directory capability enhancements introduced by Microsoft in Windows Server 2025 -

  • New optional 32K database page sizes substantially improve performance and scalability
  • Improved algorithms for Name/SID lookups now use Kerberos and the DC-Locator algorithm
  • Improved security for confidential attributes, by only allowing operations on an encrypted channel
  • Kerberos PKINIT support for cryptographic agility introduces support for additional algorithms
  • An enhanced DC-location algorithm introduces the ability to map short NetBIOS names to long DNS names
  • LDAP encryption by default ensures that all LDAP communications, after the initial SASL bind, use sealing by default
  • LDAP support for Transport Layer Security (TLS) 1.3 enhances security by supporting TLS 1.3 for LDAP over TLS connections
  • Kerberos changes to the algorithms used for Ticket Granting Tickets (TGTs) enhance security by deprecating the use of RC4 encryption for TGTs
  • Improved security for default machine account passwords introduces the use of randomly generated passwords for computer accounts
  • Non-uniform Memory Access (NUMA) support now lets Active Directory use all CPU processor groups, expanding use beyond 64 cores

Active Directory is also fully cloud integratable, and can be integrated using Active Directory Federation Services, Azure Cloud Connect, Google Cloud Directory Sync, AWS AD Connector, SalesForce Identity Connect, Okta and several other technologies.

Active Directory Security is Paramount

The compromise of Active Directory would be tantamount to a system-wide compromise.


Active Directory Security is paramount to organizational cyber security because an Active Directory compromise or breach is tantamount to a catastrophic system-wide compromise.

It is catastrophic because once a perpetrator has compromised an organization's Active Directory, he/she would have compromised its very foundation of security, and obtained command and control (C2) over it.

This would allow the perpetrator the ability to access, tamper with, copy, divulge, exfiltrate and/or destroy just about any and practically every organizational IT resource.

An Active Directory compromise is thus tantamount to a compromise of the foundation of organizational cyber security.

Consequently, the adequate protection of an organization's foundational Active Directory and its contents must be the #1 cyber security and corporate priority for every organization.

The Principle of Adequate Protection states that "An asset must be protected to a degree consistent with its value". Given Active Directory's foundational role, its security must be the highest cyber security priority.

Active Directory Attack Surface

The Active Directory Attack Surface


Active Directory is highly stable, robust and securable, but it does require organizations to adequately secure it and its contents i.e. attain and maintain least privilege access, and adequately protect it.

The adequate protection of Active Directory and its contents requires that organizations identify, understand and then sufficiently secure and defend its attack surface, comprised of -

  1. Domain Controllers

  2. Active Directory Privileged Users and Groups

  3. Active Directory Contents and Configuration Data

  4. Active Directory Logical Structure (Trust Relationships)

  5. Active Directory Backups and Administrative Workstations


A considerable portion of its attack surface is actually comprised of its valuable contents, which include all organizational user accounts, computer accounts, credentials and security groups, including all privileged user accounts and groups.

Gaining Privileged Access in Active Directory

Active Directory Attack Vector #1 - Privileged Access

The easiest way to compromise AD is by gaining privileged access.


What do the components that comprise 99% of Active Directory's attack surface, i.e. DCs, AD privileged accounts and groups, AD contents, config data and admin workstations, have in common?

They are all represented by an object in Active Directory.

You see, literally everything inside Active Directory is an object, protected by an access control list (ACL), and in each AD, in thousands of ACLs lie thousands of security permissions that govern and control exactly who has what access.

These permissions control everything, from who can change the Domain Admins group membership to who can reset a Domain Admin's password to who can link a malicious GPO, to who can control every single privileged user and group.

Anyone who can correctly* analyze this ocean of permissions in Active Directory, could find thousands of ways to gain privileged access over any component of its attack surface and control AD.

* The correct analysis involves determining effective permissions.

Securing Active Directory

In light of its foundational role, Active Directory Security must be an organization's #1 cyber security and corporate priority, and Active Directory must be adequately secured and actively defended at all times.

Active Directory can be adequately secured using nominal resources - a small team of trustworthy and proficient IT personnel, a few essential cyber capabilities (1, 2 and 3), trustworthy guidance and secure computing practices.

Adequately securing Active Directory requires five security measures -

  1. Protecting Domain Controllers and Admin Workstations

  2. Identifying and Securing Active Directory Privileged Users and Groups

  3. Securing Active Directory Contents and Configuration Data

  4. Ensuring a Sound Active Directory Logical Structure

  5. Adequately Securing Active Directory Backups


Organizations need only enact these measures to secure Active Directory, and of these security measures, measures 1, 4 and 5 are easy and straightforward to accomplish, and Microsoft offers guidance on how organizations can do so.

It is security measures 2 and 3 that have been challenging to accomplish, but now these too can be easily accomplished as they only require the ability to accurately assess and lockdown access in Active Directory.

Active Directory is a Vault

Active Directory is a highly securable and trustworthy digital vault.


Microsoft Active Directory is one of the most highly securable and trustworthy foundational technologies ever built.

Thousands of organizations worldwide have been securely operating on Active Directory for over two decades.

Active Directory's security model actually makes it possible to completely secure and lockdown its entire contents.

The main capability required to substantially secure Active Directory is the ability to accurately assess access in it, because once you can accurately assess access, you can easily precisely configure and lock down access, to every single object in Active Directory, and 99% of its attack surface.

Only those who do not possess the ability to accurately assess access in Active Directory find it hard to secure it.

Those who possess the ability to accurately assess access in Active Directory can easily secure and bulletproof it.

The keys to securing Active Directory lie in being able to accurately assess and lockdown access in Active Directory.

Active Directory Effective Permissions

Effective Permissions: The Keys to AD Security


From Domain Admins to every privileged account and group, and from the Domain Controllers OU to every DC's and admin workstation's computer account, literally every high-value asset in Active Directory is an AD object.

Further, from the CEO's domain user account to those of thousands of employees, and from all organizational computers to all groups used to secure all IT assets, literally everything in Active Directory is an object.

Each one of these thousands of AD objects is protected by an access control list (ACL) that specifies who has what security permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.

Cardinally, it is not Who has what permissions in Active Directory but Who has what effective permissions in Active Directory that ultimately governs the security of all Active Directory content.

Thus, it is effective permissions that are the keys to correctly identifying and locking down all access in Active Directory, including accurately identifying privileged access and identifying privilege escalation paths.

Organizations that have the ability to accurately assess who has what access in Active Directory based on effective permissions i.e. 1, 2 and 3, can easily secure and lockdown the entire contents of Active Directory.
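To make the difference between "who has what permissions" and "who has what effective permissions" concrete, here is an added example (constructed for this page, not the vendor's tooling or Microsoft's code). It models, in simplified form, how Windows evaluates a DACL: explicit ACEs are considered before inherited ones, Deny is considered before Allow within each tier, and rights accumulate through nested group membership. The users, groups and the DACL on the Domain Admins group object are all constructed sample data; the rights names borrow AD's ACE vocabulary but the evaluation is a teaching model, not the real security-descriptor engine.

```python
from dataclasses import dataclass

# Constructed sample directory: nested group membership (member -> direct groups).
GROUP_MEMBERSHIP = {"alice": {"Helpdesk"}, "Helpdesk": {"Tier2-Ops"}, "bob": {"Domain Admins"}}

# Rights that give control over a group object and therefore over its membership.
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "WriteProperty:member"}

@dataclass(frozen=True)
class Ace:
    trustee: str          # user or group the ACE applies to
    access_type: str      # "Allow" or "Deny"
    rights: frozenset     # simplified AD right names
    inherited: bool = False

def expand_groups(principal):
    """Principal plus every group it belongs to, following nested membership."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(GROUP_MEMBERSHIP.get(p, ()))
    return seen

def effective_permissions(principal, acl):
    """Net rights after canonical ACE ordering: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. The first ACE that mentions a right decides it,
    so an explicit Deny beats an inherited Allow granted through a nested group."""
    identities = expand_groups(principal)
    decided = {}
    for inherited, access_type in [(False, "Deny"), (False, "Allow"), (True, "Deny"), (True, "Allow")]:
        for ace in acl:
            if ace.inherited == inherited and ace.access_type == access_type and ace.trustee in identities:
                for right in ace.rights:
                    decided.setdefault(right, access_type == "Allow")
    return frozenset(r for r, allowed in decided.items() if allowed)

def privileged_access(principals, acl):
    """Principals whose effective permissions give them control of the object."""
    return {p for p in principals if effective_permissions(p, acl) & CONTROL_RIGHTS}

# Constructed DACL on the Domain Admins group object. Reading the raw ACEs, Helpdesk
# looks locked out; the effective view shows alice still holds WriteDacl via Tier2-Ops.
DOMAIN_ADMINS_ACL = [
    Ace("Domain Admins", "Allow", frozenset({"GenericAll"})),
    Ace("Helpdesk", "Deny", frozenset({"WriteProperty:member"})),
    Ace("Tier2-Ops", "Allow", frozenset({"WriteProperty:member", "WriteDacl"}), inherited=True),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_permissions(user, DOMAIN_ADMINS_ACL)))
    print("privileged:", privileged_access(["alice", "bob", "carol"], DOMAIN_ADMINS_ACL))
```

Running it shows alice ending up with WriteDacl on Domain Admins despite the explicit Deny, which is exactly the kind of finding that a permissions-only review misses and an effective-permissions review surfaces.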

Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University

Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.


Telephone: 001-949-468-5770
