Financial and professional consultants are typically entrusted with secure access to organizations’ most sensitive information. In most cases, Microsoft Active Directory (AD) is the central point of contact and the basis for a secure identity strategy.

RSM Ebner Stolz, one of the top auditing, tax, legal, and management consulting firms in Germany, offers its clients a comprehensive portfolio of services. Headquartered in Stuttgart, the firm employs more than 2,100 people at 14 locations throughout the country and generated sales of more than €481 million in 2024. Clients include industrial, commercial, and service companies of all sectors and sizes, from sole proprietorships to listed corporations.

The company’s work requires its employees to have secure access to some of its clients’ most critical systems and data. In an increasingly volatile threat environment, cyber security and operational resilience are priorities for the firm.

No alternatives to identity security

Internal IT at RSM Ebner Stolz plays an important role in maintaining business continuity, ensuring that employees at the company’s respective locations and at customer sites always have quick access to the central resources they need. To this end, the company employs more than 80 people who take care of infrastructure and necessary applications.

A central data center in Frankfurt and smaller, spatially distributed computing units connect via an MPLS network. All employees, both in the office and on the road, are equipped with laptops to connect flexibly to applications such as DATEV and other subject-specific applications.

Against a backdrop of intensifying cyber threats, RSM Ebner Stolz created a team to focus exclusively on IT security issues. As part of this group, IT Security Engineer Ben Glenz focuses on operational IT security. At the team’s inception, his role required a thorough analysis of the company’s existing processes.

“In a company that has grown over many years with many heterogeneous units, it was impossible to expect a uniform security concept that could be implemented only on a greenfield site,” Glenz recalls. Many organizations face this problem; for example, when new structures must be integrated through acquisitions or when activities are increasingly carried out remotely—both of which apply to the firm’s environment.

The critical point in distributed, heterogeneous, and remotely operated infrastructures is control over the access granted to all resources, whether data or applications. Because Active Directory (AD) is the central service enabling RSM Ebner Stolz employees to connect easily and reliably from the firm’s offices, customer sites, or home offices, one of Glenz’s first steps was to conduct a survey of the company’s AD’s security stance.

To do so, he used Semperis Purple Knight, a free community tool that examines Active Directory environments for misconfigurations, vulnerabilities, and potential signs of attack. The tool scans for more than 185 indicators of exposure (IOEs) and compromise (IOCs) and provides a security score and guidance on how to close potential gaps.

An initial analysis at RSM Ebner Stolz showed that although the infrastructure met overall requirements, there was potential for improvement.

“Active Directory was introduced 25 years ago and is based on the algorithms of that time,” explains Glenz. As in most organizations that have expanded over time, especially those that have experienced mergers or acquisitions, he discovered elements that did not meet current security requirements or that were no longer supported. For example, he says, “we found outdated operating systems such as Windows 7. Of course, this opens the door for attackers.”

Continuous monitoring and prioritized security guidance

The scoring determined by Purple Knight tipped the scales in favor of immediately tackling the Active Directory change process, despite the absence of an active threat.

“One thing is clear,” explains Glenz, “if Active Directory is compromised, so is the entire business process.”

The security team decided to install two products: Semperis Directory Service Protector (DSP) and Active Directory Forest Recovery (ADFR). Both products were easy to install, without the need for user involvement.

DSP enables continuous monitoring of all activities related to Active Directory, creating an overview of the firm’s entire identity security surface. In addition, the tool provides prioritized, actionable guidance, developed and delivered by AD security researchers. As such, DSP presented an immediately effective and comprehensive way to control and secure access to the company’s critical assets and sustainably reduce the identity attack surface.

The solution allows Glenz’s team to detect and roll back suspicious or risky changes to AD. RSM Ebner Stolz opted for the tool’s hybrid edition, which provides identity threat detection and response (ITDR) for both Active Directory and Entra ID.

“Even though many activities in the company are still based on the local AD, the processes are developing massively in the direction of Azure,” says Glenz, explaining the decision. “In addition, attackers often move from on-premises systems to the cloud or vice versa.”

Ensuring operational resilience through fast, secure recovery

ADFR enables a fast recovery of AD forests to a trustworthy state in the event of a successful ransomware or wiper attack. Manually restoring an AD forest can take days or weeks and carries the risk of attacker persistence and malware reinfection, potentially causing considerable economic damage to most companies.

In contrast, ADFR restores operational readiness within minutes or hours, reducing downtime by up to 90 percent. ADFR can be used to reset Active Directory to a secure state, using clean installation sources to prevent malware from being reintroduced. Recovery can be performed on any virtual or physical hardware. In addition, Semperis’ Identity Forensics and Incident Response (IFIR) capabilities help to effectively prevent potential follow-up attacks.

“While DSP regularly intervenes when attempts are made to modify the AD with malicious intent, ADFR is the ultimate instance for restoring IT operability in the event of an attack,” says Glenz, explaining the interaction between the two tools. “We went through the recovery process and were back online after 20 minutes.”

Another attractive aspect of ADFR for the firm: The necessary backup data required a storage space of only about 300 MB. ADFR also offers the option of online storage in the cloud.

Building a secure identity foundation

By adopting DSP and ADFR, RSM Ebner Stolz has created a technical foundation for securing Active Directory and for enforcing password policies or individual assignment of rights.

“The products just work, I don’t have to log in every day,” explains Glenz. “If something doesn’t work, I’ll get a notification.”

This not only helps Glenz sleep better, but it also gives him—and the rest of his team—more time to deal with other urgent tasks.
