Q&A
Active Directory's Place in the Modern Enterprise
Enterprises aren't ditching the on-premises version of Active Directory, despite Microsoft's best efforts with Azure AD.
Despite Azure Active Directory hogging the spotlight, Microsoft's on-prem version is still widely being used across enterprises. But is IT up to the task and unitizing the service to both get the most out of it and keep it secure?
Derek Melber, an 18-time Microsoft MVP and VP of Product Engagement & Outreach at QOMPLX, discusses some of our questions on the state of Active Directory and what IT is doing right (and wrong) when using the on-prem version of Microsoft's legacy product.
And to go deeper into the world of Active Directory, you won't want to miss Melber's security breakdown during his upcoming TechMentor (taking place taking place in Redmond, Wash. from July 17-21.) session, "Securing Azure Active Directory."
Redmond: How has managing users changed in an era of a growing remote workforce? Has there been any shortcomings to AD's security protections that have come from an increasing remote workforce?
Melber: Remote users now need to use some type of connection from their WFH environment to the office. This can lead to more exposure and even issues with BYOD, which can leave basic security wide open.
The shortcomings that are related to AD really have little bearing on if someone is sitting next to the DC or remote working 10000 miles away. The issues are plentiful and not secured in so many cases.
What's the top insider threat, whether deliberate or accidental, that you see still occurring even with Active Directory security features deployed?
Due to the fact that all AD users have read access to AD is a major issue. With this, simple queries can expose exploitable settings and accounts, which can lead to near-immediate privilege escalation.
How are IT shops incorrectly or underutilizing Active Directory and what is the number one step they should take today?
It is not that AD is underutilized, but rather well-utilized. With this, there is not enough attention given to basic and advanced settings/configurations within AD, which can lead to privilege escalation. The top step is to secure AD NOW and then ensure there is no drift! Not only with basic (audit type settings), but in the "nooks and crannies" of AD.
Is Microsoft dropping the ball when it comes to Active Directory capabilities? And, if so, what is your top feature or tweak you would like to see made?
Microsoft has literally stopped working on AD at all. If it was up to Microsoft, they would convert everyone over to Azure AD and negate all on-prem AD. So, there are too many areas that need attention, mostly, around security. Microsoft has NEVER provided good reporting of anything, so security is "shot gunned" all over AD and DCs, where it is so difficult to see what you have. They need a better assessment solution, combined with tools that provide real-time, agentless, automatic analysis of every change to determine if the change has a security issue related to it. They do have some solutions, but they are SaaS only and limited in scope.
Can you share a memorable Active Directory horror story that should be taken as a cautionary tale?
I see organizations try to lock down AD permissions (AD delegations). I see over and over AD breaking due to overzealous admins that want to remove too much, thus removing admins and other key privileged accounts from accessing AD. "I can break AD in one permission" is not a good thing to have occur to you!