Active Directory Expert Insight: Planning a Risk-Free Migration to Boost Organizational Security

In this episode of Petri Dish, I speak to Michael Masciulli, Managing Director of Migration Products and Services at Semperis, and an expert in transformational IT and Active Directory. He tells me why you should consider consolidating your Active Directory domains, the benefits for organizational security, how to mitigate some of the risks, and how to manage a migration project.

Transcript

Hello everybody and welcome to this episode of Petri dish. And I’m very happy to say that today we have with us Michael Masciulli from Semperis, who is Managing Director of Migration Products and Services. So welcome today, Michael. Thank you for having me. So I think everybody knows what Active Directory is or probably they wouldn’t be watching this podcast today. But what is Active Directory migration and why why would we even be talking about that?

So Microsoft’s Active Directory came out, if I’m not mistaken, I think it was around February almost 24 years ago. Yeah, actually, I think it was Windows 2000 released in February of 20 of 2000. And inside of that, we got Microsoft’s version of an LDAP, essentially.

So inside of that, you know, and at that time, you know, we were able to create these fully featured Microsoft instance of a directory containing user accounts and configurations and settings and things of that nature. And it was really phenomenal and an excellent product. You know, Microsoft’s kept it up to date over the past 20 plus years. But things change. And as things change, we sometimes have the need to reconfigure, rebaseline, take another look at Active Directory overall. So mergers, acquisitions, divestitures, there’s a lot of driving factors around why somebody may consider making changes to Active Directory.

But Active Directory can be quite large and complex. So, you know, it sounds like a scary proposition, what you’re saying. Oh, yeah, yeah, it definitely is. And, you know, over the past 20 years or so, I think that there’s been a lot of there’s almost been a change in the nature and the way in which companies approach IT overall. And I think that Active Directory specifically can be viewed in some organizations as sort of a black box, something that may be a little bit overbearing or something that, you know, the traditional administrative staff may be a little bit afraid of these days.

So what would you consider to be the biggest risks in maybe a merger or an acquisition situation, for example?

Well, straight through, there’s a lot of there’s a lot of drivers, you know, when you get to those projects and why you may want to actually go ahead and perform the reconfiguration, if you will. And then there’s risks associated with those things. So looking at the drivers first, you know, as things change, morph and adapt, as we have additional things hooking into our Active Directory’s hybrid configurations, cloud services.

We have increased security needs, right? Inside of that, what we’re trying to do really is we’re trying to improve the efficiency and reduce the costs overall of Active Directory and the entire computing environment.

When you look at a acquisition specifically, what you find is that in some cases, you’re actually acquiring somebody else’s technical debt and the decisions that were made that went into those original configurations.

The people that made them sometimes aren’t there.

And nobody really can go back and understand why those decisions were made to begin with. So you end up, yeah, you really do in some cases end up acquiring something that’s a black box and it’s something that you’re not necessarily familiar with.

Yeah, I think I’m sure that many IT pros watching today are going to be very familiar with that situation. But as I understand, we’re not talking about Active Directory migration only in the situation of mergers and acquisitions, because I think what Semperis is saying is that in order to secure Active Directory, that it’s a good idea to consolidate many different domains or forests. Am I right in that understanding? Yeah, absolutely. So each directory has its own set, its own baseline security, if you will. And what happened historically in market was you would land and there would be a business objective to get off of that source domain.

That project was started. In some cases, some of the functional components were done, others weren’t. Maybe applications stayed in that domain. You ended up in this sort of coexistence scenario with that source environment for an extended period of time. And what you ended up then is having to care and feed two Active Directory environments or three or four. In some cases, and in real world experience, I’ve seen over 20 internal Active Directory environments in some places that are still just existing out there.

So you talked about some of the risks before, can they be tolerated or how do you mitigate them?

Well, that’s the key really is understanding where you come from to begin with. So you have to go into those source environments and you have to normalize the security or understand the security prior to setting up any coexistence with that source environment.

And again, that can be a one to many. So you can have as many as 20 source environments feeding one target Active Directory environment. Once you understand those security baselines, you say, okay, this is this acceptable? Is it acceptable for a short period of time or a longer period of time? Or what’s our exposure and what can we do immediately to better our overall security posture? And then what do I want this to be in the target? And how do I make those decisions now to get me there? And what’s the timeframe around that? So it’s largely about communication. It’s largely about understanding the risks involved in the process and getting the correct buy in from the organization.

Absolutely. I guess it’s all very well for us to sit here and talk about Active Directory migration at a high level. But I think IT pros watching are going to want to know, well, what exactly is it that I have to do? And how long is it all going to take? Yeah, absolutely. So, you know, there’s a lot of barriers to getting there to begin with. First of all, internal IT departments, their resource constrained, right? A modernizing Active Directory. And really, we’re talking about the

security centric approach to Active Directory modernization and or migration. But modernizing AD can be resource intensive. It can take a significant amount of time and financial investment.

The complexity of migrations, they are very complex. Internal IT departments have competing priorities. The mechanics of it are pretty straightforward. You essentially have to create one user account in a target environment. A target environment is either pre-existing or inside of a green line.

It’s a green field environment. As you take that account across between the source and target, even if it comes from many sources, you have to customize the attribute flows. So in the case of the 20 to 1, which domain is currently being used by that user? Does that person have multiple user accounts in any of those source domains? Which one is the true source of authority for the account that needs to come across? And then do any other attributes need to flow in from any of those other 20 sources? Or do other things need to be customized inside of that attribute? Yeah, I guess that gets complicated really quickly. Oh, absolutely. And then there’s the whole state history, right? Whether or not there’s a trust relationship, what we’re doing with our ACLs. Are we going to update those ACLs, migrate those servers? How are we going to dispose of our applications inside of that source environment? So yeah, and then the other thing here is that, again, with that, the overall effort around Active Directory migration and the level of competency necessary to do it correctly is, do I really want to train that internally for something that I may do once every 20 years?

Absolutely, yeah. Yeah, something that people have to contend with, for sure. Yeah, I mean, I don’t know, but I guess Active Directory expertise is relatively thin on the ground. I’m not really sure. What the situation with that is? Yeah, and you know, it used to be a specialty. I came up in it. I mean, I’ve been doing transformative IT stuff for the past 24 years. My first migration was NT4 Exchange 552, Windows 2000, Exchange 2000.

Again, Windows 2000, if I’m not mistaken, came out in, I think it was February of 2000. And then if I’m not mistaken, Exchange came out around November. By the same token, we saw the first migration products for Active Directory land around 2003. So it wasn’t that far after, right? We actually started seeing Active Directory migrations.

So, I mean, we’ve talked about, you know, what you need to do, the potential risks and why, you know, it might be mergers and acquisitions, it might be for security reasons, as you pointed out. But I, you know, I guess this might be a hard sell if the IT department or whoever the stakeholder is can’t demonstrate some kind of return on investment. So how might you go about calculating that?

I’m sure. I’m sure there’s a variety of different ways of calculating it.

So, you know, first of all, you have to sell people on the huge opportunity that it is. Again, it’s a once in maybe 20 or 30 year opportunity that you have to get into the environment, understand all of the business and technical requirements around your Active Directory,

rebaseline your security posture, and then bring across only what’s necessary for you to function in that target. And that’s the most secure way to go about doing it. Around an ROI calculation, you would identify the costs, right? The implementation operation and maintenance costs, and then the benefits.

You had to success the probabilities of the expected outcome. So in a case where you’re, you know, going in and removing 22 source environments, right? That’s a pretty compelling argument. I no longer have to do the care and feeding of 22 source environments. I can take the applications out or they’re no longer being used so we can just let them die on the vine or archive them even and shut them off. And that’s real world examples. I mean, I’ve seen situations in which I’ve gone into an application remediation and multi domain environment where I found five or six servers running an application that did facts to SMTP email. And then obviously, you know, to spend custom code money and to spend, you know, care and maintenance on five servers to support something like that when you can replace it essentially with the multifunction unit.

You know, there’s certainly a discussion point there to be had.

So the other thing too inside of that is you have to consider the intangible benefits like improved customer satisfaction, the ability to adopt new technologies quickly.

And then your ability then to also up level your internal staff, meaning that you know you don’t necessarily have to hire the expertise around the legacy technologies that you were supporting. But you can go ahead and look, you know, better towards your future state and start building out for what’s next instead of what was. Right. That’s interesting. I wouldn’t have thought about that, to be honest.

If an organization is in a situation where they think they might want to either modernize their active directory structure for security reasons or as we’ve discussed, there might be a merger and acquisition situation happening.

What do practitioners or security information officers, what should they do to evaluate the situation and prepare for a migration project? Right. I think it’s all about the proactive risk and project management. So CSO specifically, they have to address things through careful planning, security assessments, and a very good and well-documented change management process. So, you know, before considering a migration, I would say go ahead and establish a tier zero group of critical assets before the migration. So an active directory turned model to create those security boundaries and then map the relationships with the critical assets, update the passwords prior to the migration. That’s something that, you know, a lot of people, they do, but some of those hashes are very, very old. So it’s a good practice to get in and update those passwords. And then update the Kerberos ticket granting account as well, KRBTGT, to mitigate some additional security risks.

And then overall, and not to cut you off, go ahead.

Now, I was just wondering about the tiered administration model, because that’s kind of a best practice, at least as far as Microsoft is concerned. And I just wondered in your experience, is that something that’s commonly deployed? Because you mentioned implementing that before a migration project, which sounds like a good idea. Is it something that’s commonly already in place or often not? So again, when I mentioned that, every time that I’m speaking about implementing something, I’m talking about inside of the target. So in that case, it would be building out that tier zero group of critical assets inside of the target environment and then mapping them as they come across.

So things fall into those pre-existing buckets as they come across. That said, overall, mileage varies, right? Because Microsoft changes the thoughts around what is truly secure.

Not frequently, but certainly at different points, right? We’ve heard different things. Empty forest routes, resource forests for applications, exchange, things of this nature. Then Bastion forest, Treadz forest designs, right? And then there’s been changes along the way. Like when we started to integrate Federation and do other things, they went, they collapsed that empty forest route. And it’s just changed considerably.

So, you know, that said, you have to understand the security posture. You have to understand what the level of risk you’re willing to take. And then you have to do everything that’s available to you to make your environment more secure straight throughout the migration. So it’s really, again, that security-centric migration approach.

Great. So what do you see the future being of Active Directory migration strategies?

Well, I think overall migration is going to continue to change, right? As we continue to hook additional things into our Active Directory, it will continue to change. I don’t believe, and I know that there’s been a lot of discussion around people going with a purely in the cloud model of Active Directory. I think that you’ll see that, but I don’t think that you’ll see that in the large enterprise for quite some time. I think that there’s some significant barriers to that.

Overall, I think that when we talk about migration, it used to be that the migration was this line item that was managed by a specific team, usually the administrative staff generally.

And it had its own timelines because migration is kind of easy like that. It has its own built-in compelling event, meaning that, you know, there’s some business drivers behind it and there’s some budget there.

And I think that that security-centric migration approach is going to continue. It’s going to continue to kind of proliferate into future migrations. And when I say that security migration approach, I mean, inside of pre-migration, you have to be able to normalize the security in those source environments, and you have to be able to do it quickly.

The days of being able to land in a customer site and examine the Active Directory, stem to stern, if you will, inside of a couple of weeks, and prepare very detailed reports and have very detailed discussions around configuration settings. That stuff may be there for your target environment, but people aren’t going to want to invest that much in those legacy source environments, right?

So it’s knowing what to understand and what can be done quickly to help mitigate that risk. So some sort of an accelerator, similar to some of the some peer-as-tools that we offer, like Purple Knight, like Directory Services Protector.

You know, we can map the privileged access with Forest Druid and apply those security policies. And we can also get you backups of all of those source and target environments by using our Active Directory Forest Recovery. And then we maintain the change log on those objects inside of our Directory Services Protector application as well. And that’s in the pre-migration phase. And during migration, while the bits are flying between those sources and target environments, we can come in with Directory Services Protector. It’s already set up. We see an audit log. We have the capability and flexibility there to restore any, you know, issue that’s happening. So if we see that we land an object with a certain level of attribute set inside of that audit log, if something comes after us and changes those attributes, we have the ability then to very quickly right click and revert those changes. So it gives us a bit of a rollback capability on those user accounts and the continuously monitoring of the environment to track and rollback anything that’s malicious.

And then finally, you know, in the post-migration phase, when you’re done with the migration, what I find is that, you know, we do these extended coexistence where we take this to history and we proliferate it around these environments. In that 20 to 1 example, in that target account, you’re going to have a minimum of 20 entries, 21 potentially entries inside of the legacy SID history attribute, which is just a huge strength and leads to some token bloat issues further on down the line.

That said, there’d be a reluctance historically to purging that data because people are afraid that when they do that, maybe something wasn’t reacled. Maybe there’s an application depending on it. And the unknown becomes, you know, something that’s not easily quantifiable. So people have a tendency to gravitate away from making that security change.

With best of breed tools, you can quickly remove that SID history. And if there’s an issue, you can very, very quickly restore it. So yeah, you know, it’s going to continue to change. It’s going to become more of a commodity and we have to make it easier.

So I guess ultimately what you’re saying is using a tool like the various tools you mentioned from some peers that do a backup during the process and put in all sorts of abilities to roll back certain things. You’re essentially reducing the risk of doing a migration.

Yeah, we are. I mean, I’ve been on calls and I, you know, it’s I’ve gotten phone calls from people, some friends of a friend and, you know, things like, hey, we reversed the feed on the directory sync and we took the empty forest and we synchronized it to the source forest, right?

And then it’s how do I recover that quickly because they essentially overrode a productive active directory with an empty one.

You know, that didn’t happen. It did happen to my general consulting days before I took the migration specific roles later in my career. But yes, the ability to say in that situation, OK, just stop everything and we can click a couple of buttons and restore that environment is phenomenal.

Other things that, you know, good tooling gives you is the ability to create a test lab and you can very quickly with, you know, those tools and restore a segment or a sample of that active directory, limit it down to one server and isolate that and create a very quick test lab that can then help you vet improperly alpha, beta, pilot, you know, a migration. So yeah, very cool. Very cool. It was interesting what you said as well, because we talked a little bit about, you know, a tiered administration model and implementing that in the target instead of the source and making changes in the source are, you know, time consuming and difficult because I guess it’s much easier to implement that model in a clean target environment than trying to implement something like that in the source where you would have to essentially do lots and lots of testing to make sure that you can implement those in the source.

So that’s a very, very good point.

So you want to, you know, and it’s it’s that mindset. It’s that whole everything that I think of now, every step that I do, even if it’s an incremental thing to do, gets me closer to my target, right, gets me closer to that target environment. That’s really the mindset that people have to adopt when they start talking about these large scale active directory migration. But if I could, you know, just to leave people with a couple of a couple of Scooby snacks, if you will, I’m going to be a little bit more comfortable with that. But if I could, you know, just to leave people with a couple of a couple of Scooby snacks, if you will, keep it simple, always, right. Look at everything. Don’t just assume that because you did migrations 10 years ago and that you required a trust and that you required SID history, that those things are still required.

Understand why you’re migrating each piece. Right. So in documents, it make people sign off on it so that if somebody comes back to you and says, why isn’t this the way that I expect it to be? Or why didn’t you do that? You say, well, you know, based on these security pieces, we made this decision. It mitigates these risks and this is why. And then if they want to, you know, if there’s a discussion around that and it changes, just document why it changes.

So really understand your requirements around coexistence, because what I find and what I’ve seen is people just assume that they need rich coexistence when they don’t always need rich coexistence.

And that’s the same with SID history. If it’s not required, don’t bring it across. Do your re-ackles or your ACL update or your resource update management, depending upon what product you’re looking at. And then if you do take that SID history across, be sure to schedule and remove it from that target environment. Don’t let it proliferate and sit there in perpetuity.

A relatively new thing with some of the exploits that we’re seeing these days, only sync passwords if it’s vital to the organization.

Right. Which is huge. You know, people want to have their passwords synchronized. It does make some things easier during the migration overall.

However, only if it’s only if it’s vital. Right. Much better to move that account without a password and have them go through, you know, and there’s various different mechanisms that that allow you to do it. You know, but a password change in that target environment. And then finally, Russell, and this is huge. Every decision that you make needs to incrementally push you towards that end state. You cannot lose sight of that end state.

Right.

Well, thanks very much, Michael. That’s amazing advice.

I’m going to put a couple of links in the video description below for anybody who wants a bit more explanation as to what SID history is, what an access control list is, and how these things play kind of an important role in, obviously, access control.

So, that’s an active directory and active directory migration.

If you want to find out a little bit more about Purple Knight, Forest Druid, and there are quite several other tools from Semperis, you can head over to Semperis.com.

But thank you very much, Michael. That was very useful advice. I’m sure that a lot of the IT pros who read and watch Petri will be very grateful for that. So, thank you for your time today. Thank you.