Protecting Hybrid Active Directory Environments from Attack
Following the Solorigate attack in late 2020, which used SolarWinds’ IT monitoring and management solution Orion, Microsoft has provided advice to its customers on how to better protect their systems. The SolarWinds attackers compromised networks through malicious code in the Orion product. It allowed them to elevate privileges and get access to organizations’ trusted SAML token-signing certificates.
Security Assertion Markup Language (SAML) is an open standard that facilitates user logon to on-premises and cloud services. It is the basis on which Azure Active Directory (AD) forms trusts with systems like Windows Server Active Directory. The attackers forged SAML tokens to impersonate organizations’ existing users, including privileged accounts.
Attackers could potentially have accessed any resources trusted by an organization’s SAML token signing certificates. Although, Microsoft says that its built-in Azure AD security and monitoring features were able detect anomalies in SAML authentication.
Compromised on-premises systems can be used to ‘hack the cloud’
Regardless of how secure Microsoft’s cloud is, the Solorigate attack showed how compromised on-premises systems can propagate malicious activity to the cloud. Microsoft has some important advice to help organizations protect themselves against these kinds of attacks.
1. Disable federated trust relationships
Microsoft has long been pushing account and password hash synchronization as the easiest and most secure way to connect Azure AD and Windows Server Active Directory. There are few, if any in most cases, advantages of using Active Directory Federation Services (ADFS) to connect Azure AD and on-premises AD. ADFS is complicated to set up and maintain, and as we now know, it can make Azure AD vulnerable to attack if on-premises AD is compromised.
2. Synchronized objects should not hold admin permissions in Microsoft 365
Make sure that users synchronized from on-premises AD to Azure AD don’t hold rights beyond ‘user’ in Microsoft 365. Also check that synchronized users aren’t inheriting privileges beyond ‘user’ from roles or groups they might be included in.
3. Manage your Microsoft 365 administrator accounts
Microsoft 365 administrator accounts should be created in Azure AD and not synchronized from on-premises AD. See point 2. Administrator accounts should be protected with multifactor authentication (MFA), Conditional Access policy, and only used from Azure Managed Workstations.
4. Use Mobile Device Management and Azure AD join
Microsoft says that devices joined to Azure AD and managed by Mobile Device Management (MDM), using a solution like Intune, are more secure because it eliminates dependencies on Windows Server Active Directory.
5. Use Azure AD to authenticate users
And finally, Microsoft says you better use Azure AD for user authentication. Again, to eliminate dependencies on on-premises AD. You should always use strong authentication. I.e., not just a password. Examples of strong authentication include MFA, Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app.
Check out these Petri articles for more information on strong authentication and passwordless authentication:
Microsoft 365 Passwordless Sign-In: Windows Hello vs. FIDO2 Security Keys
How to Set Up Passwordless Sign-in Using the Microsoft Authenticator App for Microsoft 365
How FIDO2 Passwordless Logins Work in Hybrid Azure AD Environments
Understanding Windows 10 and Microsoft 365 Passwordless Sign-In
Is Azure AD more secure than on-premises AD?
You could be thinking that Microsoft is just trying to push its cloud solutions. And there might be some truth to that. But it is also true that if set up correctly, Azure AD can provide a more secure identity management solution than Windows Server Active Directory.
Microsoft invests in new security innovations and technologies for Azure AD. And while some of them can be extended to Windows Server AD in hybrid environments, most of them are exclusive to the cloud. Azure AD has secure defaults, and it is less complex than Windows Server AD, which can lead to more secure systems.