Windows 22 best practices for running Active Directory on Google Cloud

Twenty years have passed since Microsoft released Windows 2000 and introduced Active Directory to the market. The excitement about Active Directory has certainly ebbed since then – but at the same time, it is difficult to overstate the impact that Active Directory has had on the IT market.

Windows 2000 box art

One remarkable thing about Windows 2000 and Active Directory is that it embraced a number of open standards, most importantly TCP/IP, DNS, LDAP, and Kerberos. Back then, the internet was still new and none of these protocols were very widely adopted yet, so the decision to favor these protocols over proprietary alternatives like NetBEUI, WINS and NTLM was a bold move. Today, it is probably fair to say that Active Directory would not have fared as well if Microsoft had decided otherwise.

An area where Active Directory has not fared quite as well is security. Arguably, the primary reason why the security of Active Directory has been studied so thoroughly and why so many vulnerabilities have been identified is that Active Directory is simply a very juicy target: Almost every company uses Active Directory and more often than not, the security of the entire company network hinges on the security of its Active Directory domain controllers.

Somewhat ironically, one of Active Directory’s major security weaknesses has turned out to be Kerberos, one of the open protocols it embraced. While Kerberos has proven to be far superior to NTLM in just about every way, it has also turned out to have some design flaws that, under certain circumstances, allow credential theft. Putting the right mitigations in place to reduce the risk of such credential theft is crucial, and today it is often the primary focus of discussions about how to best run Active Directory.

Microsoft itself has published a decent set of best practices on securing Active Directory, although arguably the best resource to learn about Active Directory security is Sean Metcalf’s website. Most of these best practices not only apply to on-premises deployments, but also to cloud-based Active Directory environments. But there are some extra things that are worth watching out for in a cloud environment.

To learn more about how to best run Active Directory on Google Cloud, check out my new article, Best practices for running Active Directory on Google Cloud, which describes 22 best practices covering architecture, networking, security, and management.

Any opinions expressed on this blog are Johannes' own. Refer to the respective vendor’s product documentation for authoritative information.