Microsoft Issues New Guidance on Securing Domain Controllers


Microsoft has released updated guidance to help enterprise customers protect domain controllers (DCs) against cyber attacks. The company urges IT admins to deploy Azure Active Directory (AAD) in their organizations to prevent security breaches.

For those unfamiliar, a domain controller is a server that answers authentication requests from endpoints on the network (such as user workstations and other servers). Domain controllers hold a writable copy of Active Directory Domain Services (AD DS), so a compromised DC puts the entire directory at risk.

Microsoft emphasized that protecting DCs from cyber attacks has always been a top priority for organizations. Previously, the company advised IT admins to block all internet access from DCs. However, the changing cybersecurity landscape requires enterprise admins to revisit "best practices" on a regular basis.

As part of this effort, the Redmond giant has recently updated its security guidelines for DCs with recommendations that align with the changing security paradigm. Microsoft now advises that DCs should have neither unfiltered access to the internet nor the ability to open a web browser on the server. Essentially, it encourages all companies to adopt a defense-in-depth approach, with modern threat protection mechanisms in place to continuously monitor for security threats.

Microsoft recommends cloud-powered protection for hybrid environments

Meanwhile, Microsoft notes that some organizations currently use a hybrid approach: they run on-premises Active Directory and synchronize it with Azure Active Directory. According to Microsoft, these organizations should also use the Microsoft Defender for Identity service.

“To support the hybrid state, Microsoft recommends cloud-powered protection for on-premises Active Directory using Defender for Identity. This can be achieved securely by configuring the Defender for Identity sensor installed on DCs and AD FS servers to communicate to the cloud service through an encrypted, one-way connection, via a web proxy, to nominated endpoint names,” the company explained.

However, it is important to note that Microsoft still recommends blocking internet access to and from domain controllers in organizations that operate "air-gapped" environments for security or compliance reasons. The firm noted that enterprise admins can use both technical and policy-based controls to prevent DCs from connecting to the internet, and you can find more details in this support document.
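The guidance above is about outcomes (no unfiltered internet access from DCs, with the Defender for Identity sensor reaching the cloud only through a nominated web proxy), not about specific settings. The following PowerShell is an added illustration of one technical control that produces that outcome with the built-in Windows Firewall; it is not code from Microsoft's guidance or from the article. The internal address ranges, the proxy address 10.0.0.50 and the port 8080 are placeholders for this example, and the sensor's own proxy settings are configured separately (at sensor installation), which this script does not cover.

```powershell
# Added example: restrict outbound internet access from a domain controller
# and audit for outbound rules that are still unscoped.
# Placeholders (assumed, not from the article): adjust for your environment.
$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
$ProxyAddress   = '10.0.0.50'   # assumed web proxy used by the Defender for Identity sensor
$ProxyPort      = 8080          # assumed proxy listening port

# 1. Keep DC-to-internal traffic working (replication, DNS, Kerberos, LDAP to peers and clients).
New-NetFirewallRule -DisplayName 'DC-Allow-Internal-Outbound' `
    -Direction Outbound -Action Allow -Profile Domain `
    -RemoteAddress $InternalRanges

# 2. Permit outbound TCP only to the nominated proxy, so the sensor's one-way
#    connection to the cloud service has a single, filtered egress path.
New-NetFirewallRule -DisplayName 'DC-Allow-Proxy-Outbound' `
    -Direction Outbound -Action Allow -Profile Domain `
    -Protocol TCP -RemoteAddress $ProxyAddress -RemotePort $ProxyPort

# 3. Make "block" the default for everything else leaving the DC on the Domain profile.
#    Test in a lab first: built-in outbound rules (e.g. Windows Update, time sync)
#    may need explicit allow rules toward your internal WSUS/NTP sources.
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block

# 4. Audit: list enabled outbound Allow rules whose remote address is still 'Any',
#    i.e. rules that would let the DC reach arbitrary internet hosts.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        if ($filter.RemoteAddress -eq 'Any') {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = $filter.RemoteAddress
            }
        }
    } | Format-Table -AutoSize
```

Step 4 is the part worth running on its own before changing anything: on a DC it shows which existing outbound rules are unscoped, and each hit is a candidate to narrow to internal ranges or to the proxy. Policy-based controls (Group Policy applying the same firewall settings and a browser restriction to the Domain Controllers OU) complement this so the configuration does not drift per server.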