Active Directory Faces Greater Risks Than Ever in 2024

New report finds Active Directory is the target of 9 out of 10 attacks

Published: Oct 21, 2024


You are woken by a call at 7am to find out your Active Directory (AD) infrastructure has been hit by ransomware. The helpdesk is overwhelmed by calls from users who can’t log in and management is already demanding to know how long it will take to restore. You break into a cold sweat realizing IT has never validated testing of a complete AD forest restore.

Thanks to Semperis for sponsoring this article.

According to a recent report by Semperis, this scenario isn’t that uncommon. The report’s findings show that Active Directory is the most targeted attack surface for ransomware in 2024. In this article, I look at the risks, the complexity of restoring AD, and what you can do to mitigate a ransomware attack.

Active Directory is still critical infrastructure in 2024

Active Directory (AD) is one of the most important pieces of IT infrastructure because it is the core identity and access management (IAM) solution for many organizations. Even though the technology is 25 years old and Microsoft encourages organizations to use Entra ID, its modern cloud-based identity management solution, millions of companies across the world still use AD.

Unless you have a simple AD architecture, i.e. a couple of domain controllers (DCs) in a single site, it’s widely accepted that relying on Windows Server Backup or generic server backup solutions to recover AD is a bad idea. The AD recovery process is complicated. There are 40 high-level steps that must be completed to ensure that AD functions correctly after a restore operation.

In the event of a ransomware attack, you need to ensure critical systems can be restored without reintroducing malware or backdoors that allowed the hackers to get a foothold in the first place. And the entire restoration can take days or weeks, especially in larger, more complicated environments.

Here are some key reasons why attackers target AD:

  • High-value asset – attackers know that losing access to Active Directory can result in disruption to business operations, reputational damage, revenue loss, fines, and even temporary or permanent business closure.
  • Centralized management – AD holds the keys to your kingdom. It controls access to all user resources in a network, making it an attractive target. Compromising AD gives attackers the perfect ‘foot in the door’ to access a wide array of network resources and computers.
  • Lateral movement – Once attackers gain access to AD, they can move laterally around the network, escalating privileges and gaining control over various systems.
  • Reconnaissance – Attackers use AD for reconnaissance to find hosts, servers, shared folders, and other critical information within a network’s boundaries.
  • Privilege escalation – AD privileged accounts are the most sought after and targeted by hackers. Gaining access to these accounts gives them admin access, which can be used to encrypt (or decrypt) sensitive data.

The Semperis report – 3 key findings

Semperis recently released their 2024 ‘Ransomware Risk Report.’ Here are some of the most interesting findings:

  1. AD is the target of 9 out of 10 attacks.
  2. 87% of attacks caused significant disruption, including data loss and downtime, despite having ‘recovery processes’ in place.
  3. Only 27% of organizations have dedicated recovery solutions for identity infrastructure (Active Directory).

The report’s findings show how attractive AD is as a target and that most organizations are inadequately prepared to deal with the consequences of an attack against this critical piece of IT infrastructure. Let’s look at what you can do to be better prepared.

Protecting Active Directory

Organizations must protect Active Directory because of the key role it plays in providing access to critical business systems. As the underlying infrastructure of Active Directory is complex and fragile, a standard backup won’t get you back seamlessly to a fully operational state. IT organizations need to carefully devise and document a disaster recovery plan for Active Directory and make sure it is validated regularly.

As prevention is better than cure, there are many fundamental steps organizations can take to enhance the security of their AD environments, like implementing a zero-trust security model, installing monthly security patches, implementing least privilege security, and making sure a disaster recovery (DR) plan is in place and regularly tested.

There are several myths about how Active Directory works, what backup strategies are effective, and common misconceptions about the robustness of ‘free’ or low-cost solutions. I will go through them below to assist you in understanding what you may have in place, and what the recommended solutions are to fully protect Active Directory.

AD replication isn’t a replacement for a backup solution

AD replication ensures that your core AD databases are periodically copied between domain controllers (DCs). By default, this replication framework is automatically created when new DCs are added to AD. However, replication health and effectiveness should be manually validated periodically.

In the event of a ransomware attack, AD data could be modified or deleted. These changes would then be replicated to all your DCs, thereby infecting your entire environment. This is the primary reason AD replication isn’t enough to protect against ransomware or other incidents where data might be modified or deleted.

Having at least two DCs is the recommended minimum. However, having twenty DCs will not protect you against ransomware. Any ‘bad’ changes to Active Directory will be automatically replicated to your remaining 19 DCs. The damage will be swift. At this point, you would need to take all your DCs down and perform a forest restore.
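The article says replication health should be validated manually and periodically. The following PowerShell script is an added example (not from the article or from Semperis) of such a read-only check using the RSAT ActiveDirectory module. It assumes the module is installed, the caller can read the forest, and the domain controllers answer RPC; the thresholds and the exit-code convention are constructed assumptions, not a Semperis or Microsoft recommendation.

```powershell
# Added example, not from the article or from Semperis: read-only replication
# health report for every DC in the forest using the RSAT ActiveDirectory module.
# Assumes the module is installed, the caller can read the forest, and DCs answer RPC.
Import-Module ActiveDirectory

function Get-ReplicationHealthReport {
    param(
        # Constructed thresholds (assumptions): anything older or failing more
        # often than this is reported as a problem rather than a routine delay.
        [int]$MaxSuccessAgeHours  = 24,
        [int]$MaxConsecutiveFails = 3
    )
    $now  = Get-Date
    $rows = foreach ($dc in (Get-ADDomainController -Filter *)) {
        # Inbound partner metadata for this DC; an unreachable DC yields nothing.
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName `
                        -PartnerType Inbound -ErrorAction SilentlyContinue
        if (-not $partners) {
            [pscustomobject]@{
                DC = $dc.HostName; Partner = '-'; Partition = '-'
                LastSuccess = $null; Failures = $null; LastResult = $null
                Status = 'UNREACHABLE'
            }
            continue
        }
        foreach ($p in $partners) {
            $ageHours = ($now - $p.LastReplicationSuccess).TotalHours
            $status = 'OK'
            # A non-zero last result or a run of failures means the link is broken.
            if ($p.LastReplicationResult -ne 0) { $status = 'FAILING' }
            if ($p.ConsecutiveReplicationFailures -ge $MaxConsecutiveFails) { $status = 'FAILING' }
            # Even a "successful" link is suspect if it has not synced recently.
            if ($ageHours -gt $MaxSuccessAgeHours) { $status = 'STALE' }
            [pscustomobject]@{
                DC          = $dc.HostName
                Partner     = $p.PartnerAddress
                Partition   = $p.Partition
                LastSuccess = $p.LastReplicationSuccess
                Failures    = $p.ConsecutiveReplicationFailures
                LastResult  = $p.LastReplicationResult
                Status      = $status
            }
        }
    }
    return $rows
}

$report = Get-ReplicationHealthReport -MaxSuccessAgeHours 24 -MaxConsecutiveFails 3
$report | Sort-Object Status, DC | Format-Table -AutoSize

# Non-zero exit so a scheduled task or monitoring job can raise an alert.
if ($report | Where-Object Status -ne 'OK') { exit 1 }
```

Run it on a schedule from a management host and alert on a non-zero exit. Note what the check does and does not tell you: a report full of OK rows means changes are flowing between DCs, which is exactly the property that lets a destructive change reach every DC within minutes. Healthy replication is a prerequisite for a working directory, not evidence that the data being replicated is good, so it complements a tested backup rather than replacing one.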

Windows Server Backup falls short for protecting Active Directory

Windows Server Backup, included free with Windows Server, will back up Active Directory. But it doesn’t support orchestrating the restoration of Active Directory forests. In the case of a ransomware attack, you should cleanly install the OS on each DC and then make sure a clean copy of the AD database is replicated. Using the native tools, this process can take weeks, especially if your DCs are spread geographically and/or connected over slow wide-area network (WAN) links.

Testing your AD disaster recovery plan is a critical step

You can have the most robust and high-grade data protection procedures in place in your environment, but have you tested restoring your entire AD forest? Can you restore it quickly and reliably?

Figure: How often do IT Pros perform test restores of AD

Perform monthly or quarterly restores of your entire AD forest(s) to safe test (virtual) environments. Being able to validate your Active Directory DR plan is crucial to your data protection and business continuity plans.
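A test restore is only worth doing if it is checked against a pass/fail list rather than "the DC booted". The following PowerShell script is an added example, not from the article or from Semperis, of a read-only validation run against an isolated test copy of the forest after a DR drill. It assumes the RSAT ActiveDirectory module, dcdiag.exe on the path, and that it runs from a machine joined to the restored lab forest; the checks it performs (DC reachability and advertising, SYSVOL/NETLOGON shares, FSMO role holders present, backup age against the tombstone lifetime, a sample query) are my selection, and the backup date passed in is a constructed value.

```powershell
# Added example, not from the article or from Semperis: read-only post-restore
# validation of an isolated test copy of an AD forest after a DR drill.
# Assumes the RSAT ActiveDirectory module, dcdiag.exe on the path, and a machine
# joined to the restored lab forest. All checks are read-only.
Import-Module ActiveDirectory

function Test-RestoredForest {
    param(
        # When the restored backup was taken; supplied by the operator (assumption).
        [Parameter(Mandatory)][datetime]$BackupTaken
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{
            Check  = $Name
            Result = $(if ($Pass) { 'PASS' } else { 'FAIL' })
            Detail = $Detail
        })
    }

    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter *

    # 1. Every DC the directory still knows about must exist in the lab and
    #    advertise itself (the Advertising test covers KDC, time service, GC).
    foreach ($dc in $dcs) {
        $name = $dc.HostName
        $up = Test-Connection -ComputerName $name -Count 1 -Quiet
        Add-Check "DC reachable: $name" $up 'ICMP echo'
        if (-not $up) { continue }
        $adv = & dcdiag.exe /s:$name /test:Advertising 2>&1 | Out-String
        Add-Check "DC advertising: $name" ($adv -match 'passed test Advertising') 'dcdiag /test:Advertising'
        foreach ($share in 'SYSVOL', 'NETLOGON') {
            Add-Check "Share \\$name\$share" (Test-Path "\\$name\$share") 'Group Policy and logon scripts depend on it'
        }
    }

    # 2. Every FSMO role must be held by a DC that was actually restored; a role
    #    still pointing at a missing DC must be seized before the forest is usable.
    $roles = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        $present = $dcs.HostName -contains $r.Value
        Add-Check "FSMO $($r.Key) on $($r.Value)" $present 'Holder must be a restored DC'
    }

    # 3. The restored data must be younger than the tombstone lifetime; restoring
    #    older data reintroduces objects the rest of the forest has already purged.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    $tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }  # 60 is the pre-2003 default
    $ageDays = ((Get-Date) - $BackupTaken).TotalDays
    Add-Check "Backup age $([int]$ageDays)d < tombstone lifetime ${tsl}d" ($ageDays -lt $tsl) 'Older backups must not be restored'

    # 4. The directory answers an ordinary query from a joined machine.
    $sample = Get-ADUser -Filter * -ResultSetSize 1
    Add-Check 'Directory answers LDAP query' ($null -ne $sample) 'Get-ADUser -ResultSetSize 1'

    return $results
}

# Constructed usage: the date is a placeholder for when the tested backup was taken.
$report = Test-RestoredForest -BackupTaken (Get-Date '2024-10-01')
$report | Format-Table -AutoSize
if ($report | Where-Object Result -eq 'FAIL') { exit 1 }
```

Keep the output of each drill with the date, the backup used, and the time from "start restore" to "all checks PASS"; that elapsed time, measured in the lab, is the only honest number to compare against the Recovery Time Objective in the DR plan. Any FAIL row (a FSMO holder that was never restored, a SYSVOL share that did not come back) is a gap in the runbook to fix before the next drill, not something to discover during a real outage.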

Meeting Recovery Time Objectives in your AD disaster recovery plan

Investing in an Active Directory backup solution is the best way to ensure you can recover from a ransomware attack within the Recovery Time Objective (RTO) established in your DR plan for recovering from an outage.

It’s one thing for a backup solution to use API calls to back up Active Directory databases and the System State. The key to an effective disaster recovery plan is having an automated process that orchestrates putting DCs in the correct state so that a restore can occur without losing any information and without any remnants of ransomware.

Using Windows Server Backup or generic server backup tools to restore AD can be time-consuming because they are not designed to perform the complex steps to restore Active Directory to a clean and ransomware-free state.

Ensuring the security of AD is essential for maintaining the integrity and continuity of business operations in the face of ever-increasing ransomware threats. I recommend evaluating dedicated disaster recovery solutions for Active Directory that can restore operations quickly if the worst happens.
