Microsoft Offers Cloudy New Advice on Securing Domain Controllers
Microsoft on Wednesday announced that it has updated its "best practices" advice for securing domain controllers.
In general, Microsoft wants organizations to use the Azure Active Directory identity and access management service, plus the Microsoft Defender for Identity service. Microsoft also recognized that organizations are continuing to use local Active Directory in their computing environments, which it doesn't view as a best practice.
"We continue to recommend the use of Azure Active Directory as the sole identity and access management tool in your organization if possible," the announcement indicated.
Organizations also use so-called "hybrid" approaches, where local Active Directory gets synchronized with the Azure Active Directory service, hosted by Microsoft. However, Microsoft thinks those organizations should also use the Microsoft Defender for Identity service in such cases.
Here's how the announcement put it:
To support the hybrid state, Microsoft recommends cloud-powered protection for on-premises Active Directory using Defender for Identity. This can be achieved securely by configuring the Defender for Identity sensor installed on DCs and AD FS servers to communicate to the cloud service through an encrypted, one-way connection, via a web proxy, to nominated endpoint names.
The announcement and this Microsoft document on domain controller security got a bit fuzzy on whether Internet access should be permitted on a domain controller. The document flatly advised organizations that "no web browser should be used on domain controllers." The announcement, though, offered this advice:
Microsoft is no longer recommending that DCs should have no internet access under any circumstances. Instead, we've made recommendations that align with the changing security landscape. To be clear from the outset, Microsoft still advocates for DCs to not have unfiltered internet access and using the internet via a browser from these servers should still be prohibited. Instead of completely isolating DCs from internet access and assuming they will never be breached, we recommend a defense in depth approach including modern threat protection to always monitor for breaches.
The idea seems to be that organizations can use a "modern threat protection" solution and not worry about Internet connections on domain controllers, but further details weren't explained. It's also unclear why Microsoft's best practices document doesn't echo that sentiment.
For organizations that are "air gapped" and don't connect to the Internet at all for security or compliance reasons, Microsoft advocated never allowing Internet access to domain controllers. That view was consistent in both the announcement and Microsoft's document.
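Read together, the announcement describes one egress posture for a connected DC: no unfiltered internet access, no browser, and an outbound path only to an approved web proxy that the Defender for Identity sensor uses. The following read-only audit script is an added example (not from the article or from Microsoft) that checks a DC against that posture using the built-in NetSecurity and Test-NetConnection cmdlets; the proxy address 10.0.0.5:8080 and the public probe host are constructed placeholders.

```powershell
# Added example: audit a domain controller's outbound internet posture.
# Read-only; it changes nothing. Run in an elevated PowerShell on the DC.
param(
    [string]$ProxyHost   = "10.0.0.5",            # constructed placeholder
    [int]   $ProxyPort   = 8080,                  # constructed placeholder
    [string]$PublicProbe = "www.microsoft.com"    # any public host, for a direct-egress test
)

$findings = @()

# 1. Default outbound action should be Block on every firewall profile, so only
#    explicit Allow rules (proxy, replication partners, DNS, ...) can leave the host.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.DefaultOutboundAction -ne 'Block') {
        $findings += "Profile '$($p.Name)': DefaultOutboundAction is $($p.DefaultOutboundAction), expected Block"
    }
}

# 2. An enabled outbound Allow rule should be scoped to the proxy host and port only.
$proxyRules = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object {
        (($_ | Get-NetFirewallAddressFilter).RemoteAddress -match [regex]::Escape($ProxyHost)) -and
        (($_ | Get-NetFirewallPortFilter).RemotePort -contains "$ProxyPort")
    }
if (-not $proxyRules) {
    $findings += "No enabled outbound Allow rule scoped to proxy ${ProxyHost}:${ProxyPort}"
}

# 3. Direct egress test: TCP/443 straight to a public host should FAIL,
#    while the proxy itself should be reachable.
$direct = Test-NetConnection -ComputerName $PublicProbe -Port 443 -WarningAction SilentlyContinue
if ($direct.TcpTestSucceeded) {
    $findings += "Direct TCP/443 to $PublicProbe succeeded: DC has unfiltered internet egress"
}
$viaProxy = Test-NetConnection -ComputerName $ProxyHost -Port $ProxyPort -WarningAction SilentlyContinue
if (-not $viaProxy.TcpTestSucceeded) {
    $findings += "Proxy ${ProxyHost}:${ProxyPort} is not reachable; sensor traffic would fail"
}

# 4. No interactive browser should be running on a DC.
$browsers = Get-Process -Name msedge, chrome, firefox, iexplore -ErrorAction SilentlyContinue
if ($browsers) {
    $findings += "Browser process(es) running on DC: $(($browsers.Name | Sort-Object -Unique) -join ', ')"
}

if ($findings.Count -eq 0) { Write-Output "PASS: DC egress posture matches proxy-only, no-browser model" }
else { $findings | ForEach-Object { Write-Output "FAIL: $_" } }
```

The script only reports; remediation (scoping Allow rules to replication partners and the proxy before switching the default outbound action to Block) must be planned per environment so replication and DNS are not cut off.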
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.