Learn more about Active Directory security, AD modernization, identity threat detection and response (ITDR), and more.
Active Directory (AD) is a Microsoft identity and access management (IAM) service that performs user authentication and controls access to an organization’s resources and data. More than 90 percent of organizations use AD, Azure AD, or a combination of the two (hybrid AD) as their core identity solution. Most cyberattacks target AD as a means to access data or lock down systems in malware attacks.
Attacks on AD environments typically follow a certain path: lateral movement between systems, privilege escalation, malware or ransomware insertion on domain controllers, establishing persistence, data exfiltration, and (in the case of ransomware) detonation/encryption. Therefore, AD security depends on defense at every stage of this lifecycle: before, during, and after an attempted cyberattack.
See also: cyber kill chain, domain dominance
An Active Directory-specific backup separates AD components (e.g., database, logs, registry hives) from backups of the system drives of a physical or a virtual machine, including applications, operating systems, and so on. AD-specific backups enable your organization to quickly recover AD safely and free of pervasive malware or ransomware. In contrast, system state or bare metal recovery can re-introduce malware hidden in the backups.
See also: system-state restore
For 90% of enterprise organizations, Active Directory controls access to all users, systems, and resources. If AD isn’t working, nothing is. Recovering AD after a cyberattack or other disaster is the most important step in restoring operations and proving cyber resilience.
Semperis ADFR is the fastest, most flexible, and surest way to recover AD after a cyberattack. An organization can recover AD to any hardware—virtual or physical—by either restoring it from backup or by automatically re-promoting fresh servers as domain controllers into the recovered forest. Recovering the forest restores each domain in the forest to its state at the time of the last trusted backup.
Active Directory hardening involves practical techniques to protect your AD environment. AD plays a critical role in the IT infrastructure and ensures the harmony and security of different network resources in a global, interconnected environment.
No organization with an IT infrastructure is immune from attack, but appropriate policies, processes, and controls can help to protect key segments of your organization’s computing infrastructure, including AD. Hardening AD can help to prevent a breach or other threat from growing to a wholesale compromise of the computing environment.
Regularly assessing the risk and health of your organization’s Active Directory is an important step in reducing the AD attack surface. A robust AD security assessment solution like Purple Knight can provide a prioritized list of recommendations, specific to your deployed infrastructure, to improve your AD health.
Cyberattackers who manage to breach an organization’s environment typically seek to gain privileges in Active Directory in an attempt to access data and resources. Once threat actors gain a toehold, they use it to increase their reach, ideally until they compromise an administrative account. This increase in access is known as privilege escalation.
AD recovery restores each domain in the forest to its state at the time of the last trusted backup. Restoring Active Directory from backup or reinstalling AD Domain Services on every domain controller in a forest can be a time-consuming and complicated task. However, ransomware that locks down or corrupts AD makes this step necessary.
When coupled with an AD-specific backup, an AD recovery solution that automates steps in the restoration process can significantly reduce AD downtime. For example, Semperis Active Directory Forest Recovery speeds AD forest recovery by as much as 90%.
An Active Directory risk assessment looks for indicators of exposure (IOEs) or indicators of compromise (IOCs) to determine your organization’s risk during a cyberattack or other catastrophic event. A robust risk assessment provides specific actionable guidance to help you mitigate security risks to the AD and to your organization.
See also: Active Directory health check, indicators of compromise, indicators of exposure
Because Active Directory is used to configure permissions and network access, it is a prime target for cyberattackers. Years of growth, mergers, and so on often result in sprawling “configuration creep” and misconfigurations that leave AD open to attack. Closing security gaps in AD is therefore an important part of an organization’s overall cybersecurity strategy.
An evaluation of an organization’s AD environment to help your organization identify, quantify, and reduce the risks affecting your AD. This analysis generates a list of issues to address and might also offer remediation guidance and best practices to improve the performance or security of the AD infrastructure.
See also: Active Directory security auditing
The process of collecting data about AD objects and attributes and analyzing and reporting on that data to determine the overall health of the directory, the adequacy of system controls, compliance with established security policy and procedures, any breaches in security services, and any changes that are indicated for countermeasures.
AD security auditing helps you detect and respond to insider threats, privilege misuse, and other indicators of exposure (IOEs) or indicators of compromise (IOCs), thereby strengthening your security posture.
See also: Active Directory security assessment
AD security indicators fall into several categories:
Solutions such as Semperis Purple Knight and Directory Services Protector (DSP) use these indicators to help organizations identify attack vectors that threat actors can use to gain access to the AD environment. These vulnerabilities can lead to an escalation of privileges and eventually to deployment of malware.
An evaluation of the vulnerabilities in your organization’s Active Directory environment can help to identify, quantify, and reduce security and configuration risks to AD. Such analyses generate a list of issues to address and might also offer remediation guidance and best practices to improve the performance or security of the AD infrastructure.
See also: Active Directory security assessment
Administrative tiering helps an organization better secure its digital environment by defining three or more layers of access to resources and systems. This layering creates buffer zones that separate administration of high-risk or valuable assets such as Active Directory domain controllers.
An authoritative restore updates existing domain controllers with restored data, which then replicates to all other DCs in a multi-DC environment.
See also: non-authoritative restore
Microsoft Azure Active Directory (Azure AD) is a cloud-based identity and access management (IAM) service. Although Azure AD shares part of its name with the on-premises AD, it has a completely different security model. If your organization uses Microsoft 365, it also uses Azure AD.
A BMR restores a system state backup plus all non-user data on critical volumes on the server. Because it is an expanded version of a system state backup, a BMR is subject to the same restrictions (same hardware, malware residence) as a system state backup.
See Active Directory backup (AD backup)
In a brute-force attack, an attacker systematically tries all possible combinations of usernames and passwords until they find the correct credentials to gain access to Active Directory.
The Cybersecurity and Infrastructure Security Agency (CISA) is an agency of the United States Department of Homeland Security that is responsible for strengthening cybersecurity and infrastructure against threats.
The 2021 Colonial Pipeline ransomware attack is one of the most well-known critical infrastructure attacks in recent history. The Colonial Pipeline attack demonstrated the importance of maintaining a robust Active Directory security posture.
A cyberattack that occurs with the purpose of stealing or exposing confidential, sensitive, or protected information to an unauthorized person.
An attack designed to change directory objects using malicious replication. During this attack, DCShadow impersonates a replicator domain controller (DC) using administrative rights and starts a replication process, so that changes made on one DC are synchronized with other DCs.
DCSync attacks weaponize the Active Directory DCSync feature, which impersonates a domain controller (DC) by using Directory Replication Services (DRS) to request password data from the DC. This type of attack is adept at bypassing traditional auditing and detection methods.
Defense in depth uses multiple security measures in a layered approach to protect an organization from cyberattacks.
See also: layered defense.
Semperis Directory Services Protector (DSP) is the only identity threat detection and response (ITDR) solution that provides a single view of security vulnerabilities across hybrid Active Directory/Azure AD environments. With DSP, you can correlate changes across on-prem AD and Azure AD, detect advanced attacks, automate remediation of suspicious changes, and minimize the AD attack surface.
Active Directory forests often contain multiple security risks, ranging from management mistakes to unpatched vulnerabilities. With access to AD or Azure AD, threat actors can gain dominance over your entire infrastructure. Cyberattackers target AD to elevate privileges and gain persistence in the organization. To defend AD, administrators need to know how attackers are targeting the environment and which vulnerabilities they might exploit.
See also: Active Directory privilege escalation, indicators of compromise, indicators of exposure
If an attacker gains unauthorized control over a domain controller (DC), they can manipulate Active Directory objects, modify permissions, create backdoors, or perform other malicious actions that compromise the entire AD infrastructure.
During a cyberattack, threat actors often seek access to Active Directory. Such access can enable attackers to eventually gain administrative privileges and ultimate power over Active Directory domains, and thus all application and data that rely on Active Directory.
See also: Active Directory attack lifecycle, cyber kill chain
Members of the DnsAdmins group have access to network DNS information. This group exists only if the DNS server role is or was installed on a domain controller in the domain. Attackers who gain access to this group can use that access to compromise Active Directory.
Active Directory heavily relies on DNS for name resolution and service location. DNS attacks, such as DNS spoofing or DNS poisoning, can redirect or manipulate DNS requests, leading to unauthorized access or disruption of AD services.
A common directory, such as Microsoft Active Directory, enables a more secure environment for directory users and common expectations of the role the directory can provide to both users and applications. A common enterprise directory resource facilitates role-based access to computing resources.
Forest Druid is a Semperis community security tool that identifies and prioritizes attack paths that lead to Tier 0 assets. Rather than chasing down every avenue, defenders can use Forest Druid to quickly identify undesired or unexpected attack paths for remediation, accelerating the process of closing backdoors into Active Directory.
A Golden Ticket attack enables an attacker to forge a Kerberos ticket, giving them unauthorized access to any system in the domain as a highly privileged user, such as a domain administrator. Such elevated privileges can give the attacker almost unlimited access to Active Directory and the resources that depend on it.
Group Policy is an integral feature built into Microsoft Active Directory. Its core purpose is to enable IT administrators to centrally manage users and computers across an AD domain. This includes both business users and privileged users like IT admins, and workstations, servers, domain controllers (DCs) and other machines. Group Policy security is an important part of AD security.
Many organizations today use both on-premises Active Directory and in-the-cloud Azure AD. This hybrid identity environment enables a common user and system identity for authentication and authorization of resources regardless of location. However, it also presents unique cybersecurity challenges.
In response, Semperis delivers identity threat detection and response (ITDR) solutions designed for hybrid identity protection. We also sponsor the Hybrid Identity Protection (HIP) podcast and conference series.
See also: HIP podcast, HIP Conference
From phishing emails to cyberattacks targeting Active Directory, threat actors love to target identity resources. If a cyberattacker can gain a user’s identity credentials (for example, via a phishing email), they don’t need to break into your environment; they can simply log in. Once inside your environment, the attacker can attempt to take over additional identities, working their way up (through privilege escalation) to admin-level access. At that point, the attacker can make changes to Active Directory to take over, lock down, or shut down user and system accounts, resources, and data.
Identity systems are coming under sustained attack. Misuse of credentials is now a primary method that cyberattackers use to access systems and achieve their goals. Therefore, your organization needs a collection of tools and processes to defend identity systems. Gartner defined the identity threat detection and response (ITDR) category to evaluate solutions that detect and derail identity-based attacks.
Indicators of attack (IOAs) in cybersecurity are security indicators that demonstrate the intent of a cyberattack. Detecting IOAs early in an attack can help defenders prevent further damage.
See also: security indicators, indicators of compromise, indicators of exposure
Indicators of compromise (IOCs) in cybersecurity are security indicators that demonstrate that the security of the network has been breached. Investigators typically spot IOCs after being informed of a suspicious incident, discovering unusual callouts from the network, or during a security assessment. Semperis Purple Knight and Directory Services Protector (DSP) scan for IOCs.
See also: security indicators, indicators of attack, indicators of exposure
Indicators of exposure (IOEs) are security indicators that provide insight into potential exploitable vulnerabilities before a cybersecurity incident occurs. By understanding such risks, security teams can better prioritize security management efforts and be prepared to contain attacks quickly. Semperis Purple Knight and Directory Services Protector (DSP) scan for IOEs.
See also: security indicators, indicators of attack, indicators of compromise
Kerberoasting targets the weakness in the Kerberos authentication protocol used by Active Directory. Attackers request a service ticket for a targeted service account and then crack the encrypted service ticket offline to obtain the account’s password.
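The three attack techniques defined on this page, brute-force logon attempts, DCSync, and Kerberoasting, each leave a distinct footprint in the Windows Security log of a domain controller: repeated failed logons (event 4625), directory-object access that exercises the replication extended rights (event 4662), and RC4-encrypted service ticket requests (event 4769). The following Python is an added example, not code from this page, from Semperis, or from Microsoft. It runs three simple detectors over a constructed set of event records. The event IDs and the two replication-right GUIDs (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) are the standard Windows and Active Directory values; the account names, addresses, timestamps, thresholds and the `allowed_accounts` list are assumptions made for the example.

```python
"""Illustrative detection logic for three AD attack indicators.

Added example code (not from the page, Semperis, or Microsoft). Windows
Security events are modelled as dicts holding only the fields each check
needs; all sample records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard AD extended-right GUIDs for directory replication (schema values,
# not page-specific). An account holding these can pull password data via DRS.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

RC4_HMAC = "0x17"  # Kerberos etype 23; AES etypes are 0x11 and 0x12


def detect_kerberoasting(events, min_services=3):
    """Users requesting RC4 service tickets (4769) for several distinct
    service accounts. Computer accounts ('$') and krbtgt are ignored."""
    per_user = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= min_services}


def detect_dcsync(events, allowed_accounts):
    """4662 events exercising replication rights from any account that is
    not allow-listed (DC computer accounts, known sync accounts)."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        # Properties in the raw event carry braces around each GUID.
        props = {p.strip("{}").lower() for p in e.get("Properties", [])}
        if props & REPLICATION_RIGHTS and e["SubjectUserName"] not in allowed_accounts:
            hits.append(e["SubjectUserName"])
    return hits


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Source addresses with `threshold` or more failed logons (4625) inside
    any sliding `window`; returns the peak count per flagged address."""
    by_source = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4625:
            by_source[e["IpAddress"]].append(e["TimeCreated"])
    flagged = {}
    for ip, times in by_source.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed sample events (assumed names, addresses and times).
T0 = datetime(2023, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    # One user pulls RC4 tickets for three service accounts and a workstation.
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.EXAMPLE", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.EXAMPLE", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.EXAMPLE", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.EXAMPLE", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    # Benign AES ticket request.
    {"EventID": 4769, "TargetUserName": "adoe@CORP.EXAMPLE", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    # Replication by a DC (expected) and by an ordinary admin account (not).
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": ["{" + DS_REPLICATION_GET_CHANGES_ALL + "}"]},
    {"EventID": 4662, "SubjectUserName": "backupadmin", "Properties": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]},
] + [  # Six failures in two minutes from one address, two spread out from another.
    {"EventID": 4625, "IpAddress": "10.0.0.55", "TargetUserName": "administrator", "TimeCreated": T0 + timedelta(seconds=20 * i)}
    for i in range(6)
] + [
    {"EventID": 4625, "IpAddress": "10.0.0.7", "TargetUserName": "adoe", "TimeCreated": T0 + timedelta(minutes=10 * i)}
    for i in range(2)
]

if __name__ == "__main__":
    print("Kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("DCSync:", detect_dcsync(SAMPLE_EVENTS, allowed_accounts={"DC01$"}))
    print("Brute force:", detect_bruteforce(SAMPLE_EVENTS))
```

The allow-list for `detect_dcsync` matters in practice: domain controller computer accounts and directory synchronization accounts legitimately hold the replication rights, so the check is "who else", not "anyone". Likewise the Kerberoasting check keys on RC4 because AES-only service accounts remove the cheap offline-cracking path; a single RC4 request is noise, a burst across many service accounts from one user is the indicator.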
A known secure state represents the state of an environment that is confirmed not to contain any malware or ransomware. Returning to a known secure state after a cyberattack helps to prevent the loss of confidentiality, integrity, or availability of information.
Lateral movement occurs when a cyberattacker uses compromised accounts to gain access to additional clients and accounts throughout an organization’s network. Cyberattackers use lateral movement in combination with privilege escalation to identify and gain access to sensitive accounts and resources that share stored sign-in credentials in accounts, groups, and machines. A typical goal of successful lateral movement is eventual administrative access to Active Directory domain controllers.
See also: domain dominance, least privilege, privileged access, privilege escalation
A layered defense is one that applies multiple layers of protection (e.g., endpoint security, SIEM, and Active Directory security) to help ensure that a cyberattacker who penetrates one layer of defense will be stopped by a subsequent layer.
See also: defense in depth
Sometimes called minimum privilege, the information security principle of least privilege emphasizes that users and applications should be granted privileged access only to the data and operations they require to perform their jobs. By taking this approach, IT and security teams can help to prevent potential lateral movement in their organization’s networks.
See also: domain dominance, lateral movement, privileged access, privilege escalation
A file that is assigned to a user account and that runs automatically when the user logs on. A logon script can adjust settings in the operating system, map network drives for different groups of users, or even display a welcome message that is specific to each user. These scripts reside in a folder in the SYSVOL network share of a domain controller and thus are available throughout the domain.
Microsoft Defender for Identity (MDI, formerly Azure Advanced Threat Protection) is a cloud-based solution that uses on-premises Active Directory signals to detect and respond to cybersecurity threats and compromised identities. Defender for Identity monitors and analyzes user and client activities and information across the network, creating a behavioral baseline for each user. MDI then alerts on unusual client or user activity as measured against this baseline.
The MITRE ATT&CK Framework is a commonly used tool for understanding current security coverage and determining how to improve it. This knowledge base provides foundational information that can be used to develop threat models and is a popular tool for building comprehensive security plans.
Multicloud security solutions help to protect your infrastructure, application, and data across multiple cloud providers’ cloud systems.
A non-authoritative restore restores an AD domain controller to a point in time. However, because this type of restore is not marked as authoritative, if another domain controller has updated objects or attributes since the target domain controller’s restored date and time, those updates replicate into the restored domain controller, making its data current.
See also: authoritative restore
Operating system (OS) provisioning is the act of installing a given operating system across several hosts.
Once inside your environment, cyberattackers typically seek privilege escalation, from lower- to higher-privileged accounts in an effort to gain administrative privilege and access to Active Directory.
See also: domain dominance, lateral movement, privileged access
Privileged access grants higher than standard rights and control over resources in an environment. This type of access should be granted sparingly, as gaining control of a privileged access account can enable cyberattackers to shut down or disable Active Directory and gain control of your network.
See also: domain dominance, lateral movement, privilege escalation
When it comes to protecting your enterprise from cyberattacks, protecting your identity infrastructure is key. Infiltrations of identity systems not only expose your most important assets and business operations to attack but can go undetected for long periods, causing significant damage. So, strengthening your identity security stance is an important step. For at least 90 percent of enterprises, that means prioritizing Active Directory and Azure AD security.
Purple Knight helps identify security gaps in your AD environment that can leave the door open for cyberattackers. The tool also provides assessment reports with grading based on the following categories: AD delegation, AD infrastructure security, account security, Kerberos, and Group Policy security.
A type of malware that encrypts a victim’s data until a payment is made to the cyberattacker. Victims are told that if payment is made, they will receive a decryption key to restore access to their files, although this is often a ruse. In a double extortion attack, not only is the decryption key withheld, but the malicious actor also threatens to publish the data on data leak sites (DLSs).
Ransomware groups are often connected to criminal or terrorist organizations or to hostile nation states. Payment of ransom typically funds further criminal activities.
See also: malware, ransomware as a service
A business model in which threat actors lease or purchase ransomware variants from ransomware developers in the same way that organizations lease SaaS products from legitimate software developers. RaaS has grown in popularity in recent years.
See also: malware, ransomware
Red Forest, also known as Enhanced Security Admin Environment (ESAE), was a Microsoft security concept in which all your administrative credentials resided in a separate AD forest, trusted by your production AD forests. The approach aimed to remove admin credentials from AD forests and thus improve security. The concept has been retired.
A recovery point objective (RPO) sets a limit on how old data can be before it is backed up (e.g., 24 hours old).
See also: recovery time objective
A recovery time objective (RTO) sets a limit on the amount of time that an application, system, or process can be unavailable (e.g., no more than 2 hours).
See also: recovery point objective
Security indicators are values based on metrics obtained by comparing logically related attributes about the behavior of an activity, process, or control within a specified time. These critical indicators are derived from predefined criteria, and they may be predictive of the overall security posture of an organization. Security indicators include indicators of attack (IOAs), indicators of compromise (IOCs), and indicators of exposure (IOEs).
See also: indicators of attack, indicators of compromise, indicators of exposure
With the advent of cloud services, mobile devices, and remote work, organizations’ security perimeters have changed from the on-premises servers that comprise a network to a new frontier: identity.
In early 2020, cyberattackers secretly broke into Texas-based SolarWinds’ systems and added malicious code into the company’s software system. The system, called “Orion,” is widely used by companies to manage IT resources. SolarWinds had 33,000 customers using Orion, according to SEC documents. However, around March 2020, up to 18,000 SolarWinds customers installed updates that left them vulnerable to cyberattackers. Included were several high-profile SolarWinds clients, including Fortune 500 companies and multiple agencies in the US government, including parts of the Pentagon, the Department of Homeland Security, and the Treasury.
Tier 0 assets are those that are critical to the operation of your IT environment. Such assets include Active Directory and AD domain controllers, which in turn control access and privileges to every user, system, and resource in the organization.
Zero Trust is a security concept that assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location. Zero Trust requires all users to be authenticated and authorized before being granted access to applications and data. Identity security is at the heart of successful Zero Trust initiatives.