Understanding Active Directory

As hybrid work grows -- almost 30% of employees now work hybrid schedules -- threat actors are setting their sights on Active Directory (AD). 

SMBs with fewer than 1,000 employees are in the crosshairs, with 65% reporting that they’ve already experienced an Active Directory attack.  

But why is Active Directory such a popular target? The answer is simple: many legacy environments have weak AD password security, enabling easy access to admin-level privileges. With privileged access, attackers can control all resources within an organization’s ecosystem. 

If you use Active Directory, it’s important to learn the role IAM (identity and access management) and PAM (privileged access management) play in securing it.  

What Is Active Directory? 

Definition and purpose of Active Directory 

What is an Active Directory used for? 

Active Directory (AD) is Microsoft’s directory service for domain networks. Basically, it’s a central platform for authenticating and authorizing users to access network resources such as users, devices, applications, and services.  

Originally, AD was based on the rather complex, resource-intensive X.500 standard. In 1993, however, the International Telecommunication Union (ITU) created a “lightweight” version of X.500 called LDAP (Lightweight Directory Access Protocol). 

Unlike X.500, LDAP is based on the TCP/IP protocol. This means LDAP uses the TCP transport protocol to provide directory services over IP networks. 

For example, you can make LDAP queries in AD to find the location of a server or the email address of a department manager.   

Today, other protocols such as Kerberos, HTTP/HTTPS, and DNS (Domain Name System) also help define the standards by which AD should be accessed. 

Microsoft premiered AD in 1999 with its Windows 2000 Server edition as an on-premises identity and access management service for businesses.  

Key components and structure of Active Directory 

By now, you may be wondering, "How do I access Active Directory?” 

You’ll need Windows Professional or Windows Enterprise. Follow the steps for setting up Active Directory here. 

Active Directory uses a hierarchical structure to organize information. Its key components include: 

• Active Directory Domain Services (AD DS): This is the main component in AD that organizes network elements into a hierarchical structure. AD DS manages communications between users and domains, including logins and directory searches. 

• Objects: These are basic units in AD, such as users, devices, and applications. Access control lists (ACL) are stored with objects, allowing you to manage permissions efficiently. 

• Containers: These are objects that can hold other objects like domains and Organizational Units (OU). 

• Domain: Many people are curious about the link between a domain and Active Directory, prompting them to ask, “What is Active Directory versus a domain?” In AD, a domain is a collection of objects that share the same AD database. Domains are connected by “trusts.”  

A parent domain can have one or more child domains. The latter inherits the namespace of the parent domain. For example, a parent domain like “google.com” can have child domains like “sales. google.com” and “hr.google.com.” Meanwhile, an AD domain controller processes authentication requests and controls access to Active Directory resources. 

• Trees: Multiple domains form a tree, and multiple trees form a forest. 

• Forest: An AD Forest consists of multiple trees that share a common schema, root (configuration), and global catalog. Forests are top-level containers in AD, providing a security framework for multiple trees across geographical boundaries.  

For example, a multinational soda beverage corporation sets up a forest with trees in North America, Europe, Asia, and Africa. Trust relationships are established between trees so that users in Africa can access resources in Asia, North America, and Europe. The hierarchy would look like this: 

	Forest Root Domain: global.sodacorp.com
	Parent Domain	Child Domain
Tree #1: North America	na.sodacorp.com	us.na.sodacorp.com
		ca.na.sodacorp.com
		mx.na.sodacorp.com
Tree #2: Europe	eu.sodacorp.com	uk.eu.sodacorp.com
		fr.eu.sodacorp.com
		swe.eu.sodacorp.com
Tree #3: Asia	as.sodacorp.com	jp.as.sodacorp.com
		in.as.sodacorp.com
		cn.as.sodacorp.com
Tree #4: Africa	af.sodacorp.com	gh.af.sodacorp.com
		eg.af.sodacorp.com
		sa.af.sodacorp.com

• Organizational Units (OU): These are containers within a domain that consists of users, devices, and groups. It exists within a single domain, unlike forests that can contain multiple domains. OUs make it easier to manage objects and apply group policies within one domain.  

For example, the above soda corporation might create OUs for the HR, sales, marketing, and IT departments in countries like Canada, France, Japan, or South Africa, each having their own policies for managing users and resources.  

• Schema: This is the blueprint for data storage. Schema defines every object and attribute that can be stored in AD. 

• Global Catalog (GC): This is a catalog of all objects in a forest. You can perform forest-wide searches using the Global Catalog. 

Benefits of using Active Directory 

According to Microsoft, Active Directory will have a new functional level and significant security improvements in the upcoming Windows Server 2025 release.  

Meanwhile, you can access the Windows Server 2025 public preview, which has been available since July 5, 2024. 

At its core, Active Directory promotes organizational efficiency and seamless access to resources. Below are seven key benefits: 

• Enhanced security and access control: AD enables role-based access control (RBAC) according to least privilege principles. Meanwhile, new security enhancements to the authentication protocols Kerberos and LDAP provide strong data confidentiality. 

• High availability and redundancy: AD’s backup and recovery features protect against data loss, ensuring business continuity in the event of a breach. 

• Scalability: AD’s forest, domain, and organizational unit structure supports the addition of more users as your organization grows. 

• Group policy management: AD administrators can use Group Policy Objects (GPO) to securely manage security and policy settings for all users in AD. 

• Centralized management: AD provides a single interface for managing users, devices, and resources. This greatly reduces administrative burdens. 

• Hybrid identity management and federated SSO: Microsoft Entra Connect integrates on-premises AD with cloud-based Entra ID to enable hybrid identity management and federated SSO. 

• Integration with other popular Microsoft services: AD integrates with other products in the Microsoft ecosystem, such as Microsoft 365, SharePoint, and Exchange.  

How Does Active Directory Work? 

Authentication and authorization process in Active Directory 

AD uses the Kerberos protocol to authenticate users. The protocol, named after Cerberus in Greek mythology, consists of three elements: 

• The client (The user’s system) 

• The service server 

• The Key Distribution Center (KDC). 

When a user joins the network, a secret key is generated with the user’s password. Their system then sends an authentication request to the KDC. Upon verification of the user’s credentials, the KDC issues a Ticket Granting Ticket (TGT) to the user’s machine.  

For the user to maintain continued access, the TGT is cached on the user’s computer. This ensures the user can request tickets without reauthenticating.  

Once authenticated, AD references group policies, access control lists (ACL), and access control entries (ACE) to determine the user’s access rights. This is the authorization process. 

This dual process ensures that only legitimate users can access resources, reinforcing robust security across your organization. 

Management of user accounts and access rights 

Leverage these tools to manage user accounts and access rights in Active Directory: 

• Active Directory Users and Computers (ADUC): This is the primary tool for managing user accounts. Learn how to add, delete, modify, or restore a deleted user with this ADUC guide. 

• Active Directory Administrative Center: This newer interface offers similar functionality to ADUC but simplifies management of AD objects. 

• Group Policies: Use Group Policy Objects to apply access controls, such as restricting domain administrators from workstations. 

• Organizational Units (OU): Structure your AD hierarchy using OUs for more granular policy application, such as managing user rights for workstation administrators with privileged administrative rights. 

• Account attributes: Manage account expirations, user contact info, password policies, and login restrictions with PowerShell scripts. 

Integration with other systems and applications 

AD’s flexibility promotes its integration with key applications and cloud platforms through protocols like LDAP, OAuth 2.0, and SAML. 

This interoperability facilitates Single Sign-On (SSO), where a single set of credentials provides access to resources – without needing repeated logins.  

For example, AD can act as an identity provider (IdP) in SAML-based SSO. Meanwhile, AD can be integrated with Microsoft Entra ID to enable federated SSO. 

Best Practices for Active Directory Security 

Implementing strong password policies in Active Directory 

A strong password policy can stop credential stealing and brute-force attacks in their tracks. To that end, you’ll want to: 

• Follow NIST recommendations in implementing a strong password policy in AD. 

• Configure an account lock-out policy after several failed login attempts. 

• Implement Microsoft and CIS password policy best practices to improve the security of Active Directory accounts. 

Role-based access control and privileged account management 

Role-based access control (RBAC) assigns permissions based on a hierarchical role structure, minimizing the risk of unauthorized access to privileged accounts. 

You can use either Active Directory Users and Computers (ADUC) or Active Directory Administrative Center (ADAC) to set up role-based access control (RBAC) in AD. 

Here are the key steps for implementing RBAC in AD: 

• Determine the roles for your business and define the permissions you’ll allow for each role. 

• Go to the Start menu, type in Active Directory Users and Computers, and click to select. 

• Open Active Directory Users and Computers (ADUC) and create security groups for each role. 

• Next, assign users to the security groups corresponding to their roles. 

• Finally, configure access control policies using Active Directory Security Editor (ADSE) or the Delegation of Control Wizard. Both ADSE and Delegation of Control Wizard are integrated into ADUC. 

• ADSE uses security identifiers (SID) to manage granular permissions and access control, while the Delegation of Wizard focuses on task-based permissions, like giving your IT staff the power to delete accounts. 

Next, we’ll discuss privileged access management and its critical role in securing Active Directory.  

How does Privileged Access Management (PAM) help protect Active Directory? 

At its heart, PAM enforces five (5) key functions in AD: 

• The principle of least privilege, where users are given the minimum level of access necessary to complete tasks 

• Role-based access control, where users are authorized to use only those resources associated with their roles 

• Just-in-time access, where users are granted a set period to complete tasks with elevated permissions 

• Threat detection and response, where privileged access is revoked, accounts are isolated, and mitigation efforts are triggered during an attack 

• Auditing and compliance, where all privileged actions are logged and audited to ensure compliance with security standards 

To implement privileged account management (PAM), you’ll want to: 

• Identity which accounts are privileged or have elevated permissions. 

• Require administrators to use specially configured privileged access workstations (PAW) for administrative tasks. 

• Implement MFA to activate privileged roles. 

• Implement time-bound access with start and end dates for temporary elevated permissions. 

With AD, there are several ways you can set up PAM: 

• Connect your on-premises AD with cloud-based Microsoft Entra ID . 

• Set up MIM (Microsoft Identity Manager) privileged access management for offline environments. 

• Set up JIT (just-in-time) access in Windows Server 2016 Active Directory or later versions with Microsoft Defender for Servers Plan 2. The latter offers server protection for both cloud virtual machines and on-premises servers.  

Auditing and monitoring techniques for Active Directory security 

Event log monitoring and alerting is critical to a secure Active Directory platform. 

While 66% of businesses have sufficient evidence in their logs to alert them of a breach, few are privy to them because of a lack of active monitoring. 

In general, you’ll want to monitor and audit the following activities within AD: 

1. logon/logoff events 
2. policy changes 
3. directory service changes 
4. account management 
5. Group Policy Object changes 
6. Kerberos service ticket operations 

You can leverage two key technologies to monitor and audit AD for a robust, comprehensive security posture: 

• Security Information and Event Management (SIEM) tools like Splunk and Log Sentinel to collect and analyze security incidents 

• Extended Detection and Response (XDR) tools like Microsoft Defender XDR to detect anomalies and automate incident response 

Securing Active Directory with LastPass 

Best practices for password management in Active Directory 

According to NIST, password length is more critical than complexity. It’s important to set a minimum password length of 12 to ensure stronger protections against brute-force attacks. 

You’ll also want to enforce a password history policy that prevents users from recycling the last 10 passwords. 

Finally, you’ll want to set the minimum password age to three (3) days to discourage frequent password changes. 

Many businesses require password changes for employees every 30-60-90 days. However, frequent changes have the tendency to overwhelm busy employees. For ease and convenience, many of them resort to familiar practices like appending a special character to an existing password. 

However, this makes your business more susceptible to cyber-attacks as attackers can easily “crack” those hastily amended passwords. 

Implementing multi-factor authentication (MFA) in Active Directory 

As credential theft underpins many cyberattacks against SMBs, securing your systems is more important than ever. 

If your business uses Active Directory, you can integrate Active Directory Federation Services or Entra ID with a password manager like LastPass to enable MFA and federated SSO (Single Sign-On).  

In doing so, your employees use just ONE set of credentials to access resources across multiple platforms, promoting seamless collaboration between all stakeholders in your supply chain.  

Here's how it works: 

1. Active Directory serves as the central Identity Provider (IdP). 
2. Active Directory Federation Services (AD FS) extends the AD infrastructure to enable federated IAM and PAM. It acts as the Security Token Service (STS) that issues tokens for authenticating users. 
3. LastPass integrates with ADFS to provide secure credential storage and user access management. 
4. When a user attempts to access a federated resource through LastPass: 

• LastPass redirects the user to AD FS for authentication.  
• AD FS authenticates the user against Active Directory by verifying their primary credentials (username and password).  
• If the credentials are valid, AD FS can optionally prompt for another authentication factor before issuing a security token to LastPass. 
• Once it receives the security token, LastPass can also prompt for more authentication factors such as biometric authentication (retina, facial, and fingerprint recognition). This adds a layered MFA approach for particularly sensitive projects. 

Troubleshooting options for Active Directory security issues 

It’s no secret that Active Directory is a favorite target of threat actors.  

This is because Active Directory controls access to virtually all network resources. Essentially, hackers target AD because it “holds the keys to the kingdom.” 

Popular tactics include exploiting SharePoint vulnerabilities and spreading ransomware using AD Group Policy Objects. 

In 2019, sophisticated threat actors exploited a SharePoint CVE-2019-0604 vulnerability to gain access to the Active Directories of more than 40 servers at UN offices in Geneva and Vienna. 

Meanwhile, “kerberoasting” (an attack that exploits the Kerberos authentication protocol in AD) is occurring with frightening regularity. IBM’s 2024 X-Force Threat Intelligence Index reports that kerberoasting has increased by 100%. 

Here’s why: businesses continue to use plaintext passwords in their enterprise environments. In addition, more than 95% don’t implement their own password security policies, especially for automated service accounts. 

Meanwhile, up to 85% of privileged permissions aren’t revoked after maintenance tasks are completed.  

To make matters worse, manually configured service accounts often have the “password never expires” flag enabled. These passwords follow old security practices and are much easier to crack. 

In the Windows Server 2025 public preview, Microsoft included new security enhancements to address kerberoasting attacks on AD service accounts:  

• the use of SHA-256 & SHA-384 to support stronger encryption for authentication 

• PKNIT (Kerberos Public Key Cryptography for Initial Authentication in Kerberos) support for cryptographic agility 

You can also add an extra layer of security by enforcing strong IAM/PAM and multi-factor authentication policies. 

If you use Active Directory (AD), there’s an effective way to do this. Integrate AD with Entra ID for hybrid identity management – and connect Entra ID to a password manager like LastPass to generate secure passwords and enjoy military-grade FIDO2 passwordless logins. 

To get started, sign up for a free trial of LastPass Business to protect your business.