Omri Rubinstien

Even after more than 20 years of service, Active Directory (AD) remains one of the most critical components of the typical enterprise’s IT infrastructure. AD security is easy for users to take for granted when it is working. However, in the event of an attack, its criticality to business operations can become painfully clear.

When an attack occurs, every second that passes before the threat is contained and remediated and systems are restored is a hit to the business. The longer the downtime, the greater the disruption to operations. Speed matters, but so does ensuring that AD is recovered successfully, that any threat actors have been evicted, and that no entry points remain for future attacks.

The first step for accomplishing that task in the wake of an attack is establishing an isolated recovery environment (IRE). However, as with the rest of the recovery process, a balance between speed and security needs to be struck. It is here where automated OS provisioning capabilities begin to shine.


Taking the pain out of the process

The days have long since passed when the concerns about AD outages were focused on events like natural disasters and electrical issues in the data center. Today’s organizations are facing several scenarios where it may be necessary to recover an entire forest. It could be that a threat actor has made malicious changes to the Active Directory schema. Maybe all the domain controllers (DCs) have been corrupted or damaged, rendering services unavailable. Regardless of the reason, the consequence of these events is downtime that can stretch from hours into days. The longer the downtime, the more damage to business operations.

Those who have been through the recovery process know all too well that it can be largely manual and tedious. Large environments can take several days to bring back to full functionality without the help of third-party tools. Automation is your friend; recovering AD without it is like performing reconstructive surgery without any surgical tools.

Whether in the aftermath of a cyberattack or while an attack is still in progress, an organization performing a full AD forest recovery will need to set up an IRE and provision the OS on its virtual machines. The IRE lets the recovery begin in an environment the attackers cannot reach. This is critical: attackers frequently dwell undetected in a production environment for weeks before striking, and if they realize they have been detected, they may take actions that complicate recovery. An IRE also lets the incident response team test AD changes without the risk that the restored backups become infected and consequently re-release malware into the production environment.

Reproducing a production environment can be a time-consuming task, and effective provisioning is a must. At Semperis, we developed a standalone UI & PowerShell-based tool to prepare virtual machines for full forest recovery. We added this tool, which currently only supports Hyper-V, to our Active Directory Forest Recovery (ADFR) solution. It offers several capabilities, including:

  • Full independence for the AD team
  • Creation of new VMs that can be used as re-promoted DCs, a secondary ADFR MS, or a new DP
  • A view of backup metadata, such as the list of DCs included in the backup set and the state of each DC when the backup was taken
  • Provisioning configuration: select a template per Windows OS and define the default hardware and network settings to be applied to the DCs in the backup
  • Per-DC editing of settings (overriding the defaults) before a computer’s OS is provisioned
  • Automatic installation of the ADFR agent
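To make the isolation point and the template-plus-overrides workflow above concrete, here is an added PowerShell example. It is not the ADFR provisioning tool or any Semperis code; it shows the same idea done by hand against Hyper-V: one sysprepped template VHDX per Windows OS, a set of default hardware and network settings, per-DC overrides, and every VM attached to a Private virtual switch so the IRE has no network path to production. The template paths, the VM folder layout, the backup-set listing and the choice to skip DCs whose backup state is not healthy are all assumptions made for the illustration; the ADFR agent install is not shown because it needs guest credentials.

```powershell
#Requires -Modules Hyper-V
# Added example, not the Semperis ADFR provisioning tool or its code.
# Provisions one Hyper-V VM per DC in a backup set, on a Private virtual
# switch so the IRE has no network path to production. Template paths,
# folder layout and the backup-set listing are constructed for this example.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Constructed backup metadata: the kind of per-DC listing a backup set carries.
$BackupSet = @(
    @{ Name = 'DC01'; OS = 'WS2019'; Site = 'HQ';     State = 'Healthy' }
    @{ Name = 'DC02'; OS = 'WS2022'; Site = 'HQ';     State = 'Healthy' }
    @{ Name = 'DC03'; OS = 'WS2016'; Site = 'Branch'; State = 'Unreachable' }
)

# One sysprepped template VHDX per Windows OS version (assumed paths).
$Templates = @{
    WS2016 = 'D:\IRE\Templates\WS2016-sysprep.vhdx'
    WS2019 = 'D:\IRE\Templates\WS2019-sysprep.vhdx'
    WS2022 = 'D:\IRE\Templates\WS2022-sysprep.vhdx'
}

# Default hardware and network settings applied to every DC in the backup.
$Defaults = @{
    MemoryGB   = 8
    CpuCount   = 4
    SwitchName = 'IRE-Isolated'   # Private switch: VM-to-VM only, no uplink
    VMRoot     = 'D:\IRE\VMs'
}

# Per-DC overrides; any key not listed here falls back to $Defaults.
$Overrides = @{
    DC02 = @{ MemoryGB = 16; CpuCount = 8 }
}

function Merge-VMSettings {
    param([hashtable]$Defaults, [hashtable]$Override)
    $merged = $Defaults.Clone()
    if ($Override) { foreach ($key in $Override.Keys) { $merged[$key] = $Override[$key] } }
    return $merged
}

function Initialize-IsolatedSwitch {
    param([string]$Name)
    $switch = Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue
    if (-not $switch) {
        # Private, not Internal or External: even the host gets no adapter on it.
        $switch = New-VMSwitch -Name $Name -SwitchType Private
    }
    elseif ($switch.SwitchType -ne 'Private') {
        throw "Switch '$Name' exists but is $($switch.SwitchType); refusing to place IRE VMs on it."
    }
    return $switch
}

function New-IreDomainControllerVM {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TemplateVhdx,
        [Parameter(Mandatory)][hashtable]$Settings
    )
    if (-not (Test-Path $TemplateVhdx)) { throw "Template not found: $TemplateVhdx" }

    $vmFolder = Join-Path $Settings.VMRoot $Name
    $diskPath = Join-Path $vmFolder "$Name.vhdx"

    if ($PSCmdlet.ShouldProcess($Name, "Create IRE VM from $TemplateVhdx")) {
        New-Item -ItemType Directory -Path $vmFolder -Force | Out-Null
        # Differencing disk: the template stays pristine and is reused for every DC.
        New-VHD -Path $diskPath -ParentPath $TemplateVhdx -Differencing | Out-Null

        $vm = New-VM -Name $Name -Generation 2 -Path $Settings.VMRoot `
                     -MemoryStartupBytes ($Settings.MemoryGB * 1GB) `
                     -VHDPath $diskPath -SwitchName $Settings.SwitchName
        Set-VMProcessor -VM $vm -Count $Settings.CpuCount
        Set-VMMemory    -VM $vm -DynamicMemoryEnabled $false
        Set-VMFirmware  -VM $vm -EnableSecureBoot On
        Set-VM          -VM $vm -Notes "IRE rebuild of $Name; template=$TemplateVhdx"
        return $vm
    }
}

# Merge settings per DC, skip DCs whose backup was not healthy, provision the rest.
Initialize-IsolatedSwitch -Name $Defaults.SwitchName | Out-Null

foreach ($dc in $BackupSet) {
    if ($dc.State -ne 'Healthy') {
        Write-Warning "Skipping $($dc.Name): backup state is '$($dc.State)'"
        continue
    }
    if (-not $Templates.ContainsKey($dc.OS)) {
        Write-Warning "Skipping $($dc.Name): no template for OS '$($dc.OS)'"
        continue
    }
    $settings = Merge-VMSettings -Defaults $Defaults -Override $Overrides[$dc.Name]
    New-IreDomainControllerVM -Name $dc.Name -TemplateVhdx $Templates[$dc.OS] -Settings $settings
}
```

Run it once with `-WhatIf` on the provisioning function to review the planned VMs before anything is created. Because the switch is Private, whichever host you use to manage the rebuilt DCs (for instance the recovery management server) must itself have an adapter on the same switch; if you later need an uplink for tooling, add a second, tightly filtered adapter rather than changing the switch type, so the rebuilt forest never shares a segment with the compromised production network.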

Semperis ADFR gives users the ability to restore AD on any hardware on-premises or in the cloud. It also simplifies the process of spinning up a copy of production DCs in a virtual lab, significantly reducing the time it takes to maintain dev/test, staging, training, and support environments. To further support security, ADFR’s post-recovery forensic capabilities enable organizations to determine if an attack was in progress when an environment backup was taken and identify any changes made by threat actors during a defined attack window.

Preventing attackers from maintaining persistence is one of the most important aspects of AD recovery, and IREs provide a safe, contained place to test AD changes without the risk of compromising the organization any further. With the clock ticking, there will be pressure to get AD back online quickly and securely; cutting the time it takes to establish an IRE through automated OS provisioning will aid in those efforts.

Here’s a quick demo to show you the upcoming ADFR OS Provisioning enhancements:

Have questions or feedback? We’d love to hear from you. Contact us at customersuccess@semperis.com.