
Active Directory (AD) is one of the oldest pieces of software still in production and is used by most organizations today. This is despite the fact that its historical security gaps have never been fixed. For example, AD (and the resources it manages) is exposed to the use of compromised credentials because no security measure beyond checking that the username and password match can be applied. Moreover, this danger is not limited to on-premises environments. An AD compromise is also a potential risk for the SaaS environment, because it is common to synchronize passwords between AD and cloud identity providers.
This article examines the security weaknesses inherent in AD, their scope, and their potential impact. It then shows how Silverfort’s Unified Identity Protection platform addresses these weaknesses at the root, giving organizations that run AD the resilience they need to stop identity threats and reduce the risk of compromised user accounts.
Cloud of What? Why AD Remains Part of Hybrid Environments
Cloud computing has caused a tectonic shift in IT, but it has not completely replaced on-premises environments; it coexists with them. The practical route most organizations have chosen is to maintain a hybrid environment in which user access to SaaS and web resources is managed by dedicated identity providers while AD continues to manage on-premises resources.
From an operations perspective, this strategy makes sense, as there are multiple resources that can be moved to the cloud or exchanged for SaaS apps. However, it is important to note that this approach means that long-ignored AD security weaknesses persist.
To learn more about how Silverfort addresses weaknesses in your identity security posture, see our resource: Silverfort MFA: Protect the Unprotectable.
AD’s Achilles Heel: Failure to Detect and Prevent Malicious Access Attempts Using Compromised Credentials
When a user initiates an access request, AD does nothing but verify that the username and password match. If they do not, AD blocks access. If they do, access is allowed. But what does AD do when the username and password match but are being used by an attacker who obtained them? Unfortunately, the answer is nothing at all.
It may sound strange, but from AD’s perspective there is no difference between a legitimate user providing the correct username and password and a malicious adversary doing the same. Both are granted the same access.
So why can’t traditional MFA solve this problem?
At this point, you may be wondering why you can’t simply add MFA to the AD authentication process, as you can with SaaS apps. Unfortunately, the answer is not so simple. AD and its authentication protocols (NTLM and Kerberos) were designed and built over 20 years ago, long before MFA existed. As a result, unlike the modern authentication protocols used by SaaS apps, they cannot support MFA at all. Also, Microsoft has no plans to revisit these protocols and rewrite them with this functionality.
This means we are back to square one. An attacker with compromised credentials in an AD environment can connect to virtually any workstation, server, or app without any security measure standing in the way.
AD Compromise Opens the Way for Attackers to Cloud Resources
What many security practitioners tend to forget is that on-premises and cloud environments are intertwined. In fact, many attackers trying to access SaaS apps choose to compromise the on-premises environment to gain access rather than attacking directly via the browser. A common pattern for this kind of attack is to use social engineering to take control of an employee’s endpoint and, once there, to compromise the username and password and try to use them to gain malicious access to the SaaS app. Alternatively, if federation servers are in place, an attacker could compromise them like any other on-premises resource and gain SaaS access from there.
In any case, when we talk about security gaps in AD, it is important to recognize that it is not just the AD-managed environment that is at risk, but the entire hybrid environment, including all of its users and resources.
Silverfort Unified Identity Protection: Overcoming the AD Gap with Real-Time Protection
Silverfort has developed the first platform for real-time protection against identity threats that leverage compromised credentials to access targeted resources. Silverfort provides continuous monitoring, risk analysis, and active policy enforcement for all incoming authentication and access requests made by any user to any resource, both on-premises and in the cloud.
In this way, Silverfort is able to fundamentally address AD’s security gap through integration with AD’s native authentication flow, playing a role in allowing AD to determine whether a user can be fully trusted when accessing resources.
Silverfort’s AD Protection: A layer of threat protection natively integrated into AD’s authentication flow
Here’s how it works:
- A user wants to access a resource and initiates an access request to AD.
- AD forwards this access request to Silverfort instead of making its own decision to grant or deny access based on a password match.
- Silverfort receives the access request and analyzes it using a multi-layered AI engine while simultaneously evaluating the request against preconfigured access policies.
- If the analysis reveals a suspected compromise, Silverfort connects to the MFA service and asks the user to verify their identity.
- The MFA service sends a prompt to the user and returns the response to Silverfort.
- Based on the MFA response, Silverfort tells AD to block or allow access.
- AD blocks or allows access as instructed by Silverfort.
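The flow above can be modelled as a small decision broker. The Python below is an added example, not Silverfort’s code and not an AD API: the directory, user profile, risk signals and the `mfa` callback are all hypothetical stand-ins. It contrasts the directory’s native password-only check, which returns the same verdict for the real user and for an attacker holding the same credentials, with a brokered decision that scores request context and triggers a step-up MFA challenge when something looks off.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    password: str
    source_host: str   # workstation the request originates from
    resource: str      # server, share or app being accessed
    hour: int          # local hour of day, 0-23
    geo: str           # coarse source location, e.g. a country code


@dataclass(frozen=True)
class UserProfile:
    password: str                 # plaintext only in this toy model; AD stores hashes
    known_hosts: frozenset
    usual_geo: str
    work_hours: Tuple[int, int]   # inclusive start hour, exclusive end hour


# Constructed sample directory (hypothetical account, not real data).
DIRECTORY: Dict[str, UserProfile] = {
    "alice": UserProfile(
        password="correct horse battery staple",
        known_hosts=frozenset({"WS-ALICE-01", "WS-ALICE-02"}),
        usual_geo="DE",
        work_hours=(7, 20),
    ),
}

# Constructed list of resources that always warrant a challenge.
SENSITIVE_RESOURCES = {"DC01", "FILESRV-HR", "SQL-PAYROLL"}


def password_only_decision(req: AccessRequest) -> str:
    """The directory's native check: the username/password match and nothing else."""
    profile = DIRECTORY.get(req.user)
    if profile is None or profile.password != req.password:
        return "DENY"
    return "ALLOW"


def risk_signals(req: AccessRequest) -> List[str]:
    """Context the password check ignores; each entry is one reason for suspicion."""
    profile = DIRECTORY[req.user]
    reasons: List[str] = []
    if req.source_host not in profile.known_hosts:
        reasons.append("unknown source host")
    if req.geo != profile.usual_geo:
        reasons.append("unusual location")
    start, end = profile.work_hours
    if not (start <= req.hour < end):
        reasons.append("outside work hours")
    if req.resource in SENSITIVE_RESOURCES:
        reasons.append("sensitive resource")
    return reasons


def brokered_decision(req: AccessRequest,
                      mfa: Callable[[str], bool]) -> Tuple[str, List[str]]:
    """Password check, then risk analysis, then step-up MFA only when needed.

    `mfa(user)` stands in for the round-trip to the MFA service and returns
    True when the user approves the challenge. It is never called for a
    request with no risk signals, so a normal login stays frictionless.
    """
    if password_only_decision(req) == "DENY":
        return "DENY", ["bad credentials"]
    reasons = risk_signals(req)
    if not reasons:
        return "ALLOW", []
    if mfa(req.user):
        return "ALLOW", reasons + ["mfa passed"]
    return "DENY", reasons + ["mfa failed"]


if __name__ == "__main__":
    creds = "correct horse battery staple"
    legit = AccessRequest("alice", creds, "WS-ALICE-01", "FILESRV-ENG", 10, "DE")
    stolen = AccessRequest("alice", creds, "WS-UNKNOWN", "FILESRV-ENG", 3, "XX")
    # Password-only: both requests are indistinguishable.
    print(password_only_decision(legit), password_only_decision(stolen))
    # Brokered: the real user is not even prompted; the stolen-credential
    # request is challenged and denied when the MFA prompt is rejected.
    print(brokered_decision(legit, lambda u: False))
    print(brokered_decision(stolen, lambda u: False))
```

The policy here is deliberately simple (any single signal triggers a challenge); a production engine would weight signals and learn baselines rather than hard-code them, but the shape of the decision is the same: the credential check is necessary, not sufficient, and the extra verdict comes from context the protocol itself never carries.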
Agentless and proxyless technology, independent of all protocols and access methods
As you can see, this unique ability to receive all access attempts from AD in real time allows Silverfort to add the missing risk analysis and MFA capabilities to the AD authentication flow. Additionally, because Silverfort sits behind AD and receives 100% of its authentication requests, there is no need to install MFA agents on individual resources or put proxies in front of them. It also means that it makes no difference which protocol is used or whether that protocol supports MFA. As long as authentication is performed against AD, AD forwards it to Silverfort for protection.
Interested in learning more about Silverfort’s AD protection? Book a call with one of our experts.