Hybrid Identity Protection with Dr. Nestori Syynimaa

By Sean Deuby July 21, 2022 | Active Directory

“Every component in your on-prem environment that is part of a hybrid [Active Directory] configuration needs to be treated as a Tier 0 server, so they need to be protected as well as your domain controllers,” explains Dr. Nestori Syynimaa, AADInternals creator and Sr Principal Security Researcher at Secureworks Counter Threat Unit (CTU). Understanding this is key to hybrid identity protection.

“If you have hybrid identity, your on-prem environment is always connected to Azure AD,” Dr. Syynimaa continues. “You are synchronizing information. If you are able to compromise your Azure AD server, you can export the credentials … and if you are using password hash synchronization, you will now have keys to the kingdom, because those credentials have very powerful access to both Azure AD and on-prem AD… those credentials can get password hashes of any user in your directory.”

In a recent episode of the HIP Podcast, I spoke with Dr. Syynimaa about the origins of AADInternals and how the toolkit can help admins protect their Azure AD or hybrid AD environments.

“My job nowadays is to find the box of vulnerabilities before the bad guys do…,” Dr. Syynimaa notes. “I wanted to make it easy for administrators so that they can use the same techniques in their own environments that the threat actors are doing, but in a safe manner. Can your current security posture detect this technique? Better to [find out] before you’re being attacked.”

We also discuss the implications of Microsoft’s recent decision to deploy security defaults to all tenants that don’t have conditional access policies in place. You won’t want to miss it.

Tune in!

What is the Hybrid Identity Protection Podcast?

Launched in April 2020, the HIP Podcast is the premier podcast for cybersecurity pros charged with defending hybrid identity environments. In each episode, I interview some of the industry’s most knowledgeable—and interesting—experts. Want to learn more about the topics

Want more information about identity protection in an Azure AD or hybrid AD environment? Check out these resources:

About the author
Sean Deuby, Director of Services
Sean brings 30 years’ experience in enterprise IT and hybrid identity to his role as Director of Services at Semperis. An original architect and technical leader of Intel's Active Directory, Texas Instrument’s NT network, and a 15-time MVP alumnus, Sean has been involved with Microsoft identity since its inception. Since then, his experience as an identity strategy consultant for many Fortune 500 companies has given him a broad perspective on the challenges of today's identity-centered security. Sean is an industry journalism veteran; as former technical director for Windows IT Pro, he has over 400 published articles on AD, hybrid identity, and Windows Server.