1 Introduction
Active Directory is the core IT identity infrastructure system for almost all large global organizations, including those that deploy both Windows and Unix servers. Even organizations using identity-as-a-service (IDaaS) solutions (e.g., Okta, OneLogin, Microsoft's Azure Active Directory) still depend on the ability to populate cloud-based directory accounts and/or to authenticate users from an on-premises AD installation. Should AD be compromised or corrupted, the whole enterprise hybrid cloud is in trouble.
Success attracts cyberattackers like flies to honey. Typically, attackers compromise a single computer or obtain the domain credentials of a single user. From this beachhead, they identify targets via directory reconnaissance. Subsequently, an attacker might obtain the keys to the kingdom by compromising a Domain Administrator's account. Increasingly, automated ransomware programs (such as Samas) are also using AD queries to enumerate computers or accounts, and then spread to those distant systems. Ransomware may also strike domain controllers directly, bringing the network to its knees.
For all these reasons, organizations must enhance AD security, discover breaches faster, and get AD environments back to normal quickly after a breach is detected. With eighteen years in production, many changes, multiple versions, and various production use cases, AD implementations tend to be highly complex. Recovery is easier said than done. AD forests are susceptible to human error, hardware failure, and software corruption. According to the Semperis White Paper "Averting Disaster: Preparing Your Organization for an Active Directory Failure," examples of Active Directory failures include:
- Schema extension corruption
- Forest functional level raise leading to authentication failure of legacy applications
- Malicious privileged user modifying system permissions
- Ransomware attack encrypting Domain Controllers (DC) system data
- A single, critical DC failure
- Accidental deletion of Group Policies
- Incorrect modifications of critical applications’ accounts and groups
Microsoft does not provide a built-in forest recovery process. Only a lengthy Active Directory Forest Recovery Guide is available, and many of the procedures it recommends are manual in nature. Recovery could take days, even if complete and current backups are available.
To fill the gap, Semperis provides three main capabilities, all focused on Active Directory security:
- Full AD forest recovery
- State management
- Real-time activity dashboard
Active Directory Forest Recovery constitutes Semperis' original, and best known, product. It provides an advanced solution for AD Disaster Recovery (DR). It takes regular backups of all domain controllers and preserves all AD attributes, objects, relationships, and other domain structures. The backups are kept on-premises or in cloud storage, enabling full or partial forest recovery scenarios. Semperis provides more information on the AD Forest Recovery solution on its website.
Semperis also offers AD State Management and a Real Time Activity Dashboard via its DS Protector for Active Directory product. As described in the Service Description below, DS Protector provides more granular solutions to AD infrastructure security issues.