Microsoft Issues New Guidance on Securing Domain Controllers
Microsoft has released updated guidance to help enterprise customers protect domain controllers (DCs) against cyber attacks. The core recommendation is unchanged: DCs should not be able to reach the internet. What is new is guidance for organizations that synchronize on-premises Active Directory with Azure Active Directory (AAD) and want cloud-powered protection for their DCs without weakening that isolation.
For those unfamiliar, a domain controller is a server that answers authentication requests (Kerberos and NTLM) from endpoints on the network, such as user workstations and servers. Every writable DC holds a full copy of the Active Directory Domain Services (AD DS) database, including the credential secrets of every account in the domain, so a compromised DC means a compromised domain. That is why DCs warrant much stricter controls than an ordinary member server.
Microsoft emphasized that protecting DCs from cyber attacks has always been a top priority for organizations. Previously, the company simply advised IT admins to block all internet access to DCs. However, the dynamic cybersecurity landscape requires enterprise admins to revisit such "best practices" on a regular basis.
As part of this effort, the Redmond giant has recently updated its security guidelines for DCs with recommendations that align with the changing security paradigm. Microsoft now advises that DCs should have no unfiltered access to the internet and no way to open a web browser on the server itself. Essentially, it encourages all companies to adopt a defense-in-depth approach, with modern threat protection in place to continuously monitor for attacks against the DCs rather than relying on network isolation alone.
Microsoft recommends cloud-powered protection for hybrid environments
Microsoft also addresses organizations running a hybrid environment, in which on-premises Active Directory is synchronized with Azure Active Directory. According to Microsoft, these organizations should additionally use the Microsoft Defender for Identity service.
“To support the hybrid state, Microsoft recommends cloud-powered protection for on-premises Active Directory using Defender for Identity. This can be achieved securely by configuring the Defender for Identity sensor installed on DCs and AD FS servers to communicate to the cloud service through an encrypted, one-way connection, via a web proxy, to nominated endpoint names,” the company explained.
However, Microsoft still recommends blocking all internet access to and from domain controllers in organizations that operate "air-gapped" environments for security or compliance reasons. The firm noted that enterprise admins can use both technical controls (firewall rules, proxy configuration, application control) and policy-based controls to prevent DCs from connecting to the internet; more details are in Microsoft's support document on the topic.
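The following PowerShell script is an added example of the technical control described above, not Microsoft's own script or anything from the support document. It puts a DC into a default-deny outbound posture with Windows Defender Firewall, re-allows only internal networks and a web proxy (the one-way, proxy-mediated path the Defender for Identity quote describes), and then audits the result. The internal ranges, proxy address and port, and the public probe address are all assumed placeholders for a real environment; the nominated endpoint names are not listed in the article, so the script assumes the proxy itself enforces that allow-list.

```powershell
# Added example (not Microsoft's script): default-deny outbound on a DC,
# allow only internal networks and a web proxy, then audit. Run elevated on
# the DC, or wrap both functions in Invoke-Command to fan out across DCs.
#Requires -RunAsAdministrator
#Requires -Modules NetSecurity, NetTCPIP

$InternalNetworks = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')  # assumed: must cover replication partners, DNS, WSUS
$ProxyAddress     = '10.0.5.20'   # assumed: outbound web proxy that allow-lists only the nominated cloud endpoints
$ProxyPort        = 8080          # assumed: proxy listener port
$PublicProbe      = '1.1.1.1'     # assumed: an address reachable only across the internet (IP, so DNS is not a factor)
$RulePrefix       = 'DC Hardening -'

function Set-DcOutboundRestriction {
    <#
    Set every firewall profile to block outbound by default, then add allow
    rules for internal networks and the proxy. Allow rules take precedence over
    the profile default, so anything not matched here cannot leave the DC.
    The function is idempotent: rules are created only if they do not exist.
    #>
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

    $internalRule = "$RulePrefix Internal networks"
    if (-not (Get-NetFirewallRule -DisplayName $internalRule -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $internalRule -Direction Outbound -Action Allow `
            -RemoteAddress $InternalNetworks -Profile Any | Out-Null
    }

    $proxyRule = "$RulePrefix Web proxy"
    if (-not (Get-NetFirewallRule -DisplayName $proxyRule -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $proxyRule -Direction Outbound -Action Allow `
            -Protocol TCP -RemoteAddress $ProxyAddress -RemotePort $ProxyPort -Profile Any | Out-Null
    }
}

function Test-DcInternetIsolation {
    <#
    Audit three things: every profile defaults to Block outbound, a direct TCP
    connection to the public internet fails, and the proxy still answers.
    Returns one object per DC so results can be collected and compared.
    #>
    $profiles        = Get-NetFirewallProfile
    $allDefaultBlock = @($profiles | Where-Object { $_.DefaultOutboundAction -ne 'Block' }).Count -eq 0

    # Quiet mode returns a plain boolean; warnings about failed pings are noise here.
    $directReachable = Test-NetConnection -ComputerName $PublicProbe -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    $proxyReachable  = Test-NetConnection -ComputerName $ProxyAddress -Port $ProxyPort `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OutboundDefaultBlock  = $allDefaultBlock
        DirectInternetBlocked = -not $directReachable
        ProxyReachable        = [bool]$proxyReachable
        Compliant             = $allDefaultBlock -and (-not $directReachable) -and $proxyReachable
    }
}

Set-DcOutboundRestriction
Test-DcInternetIsolation | Format-List
```

Two caveats before using this on a production DC. First, the default-block outbound setting applies to everything the DC initiates, so the internal allow rule must cover every replication partner, DNS forwarder, WSUS server and monitoring collector, or replication will silently stall; run the audit function (without the enforcement call) in a maintenance window first. Second, a firewall rule does not by itself stop someone from launching a browser on the DC and pointing it at the proxy, which is why the proxy must restrict DC sources to the nominated endpoint names only and why an application-control policy (AppLocker or WDAC) that denies browsers on DCs belongs alongside it.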