
Microsoft now allows domain controllers to access the Internet

May 21, 2023 pm 04:01 PM


Many organizations have recently transitioned to cloud-based identity platforms such as Azure Active Directory (AAD) to take advantage of the latest authentication mechanisms, such as passwordless login and conditional access, and are gradually retiring their Active Directory (AD) infrastructure. However, other organizations still use domain controllers (DCs) in hybrid or on-premises environments.

For those who don't know, a DC can read from and write to Active Directory Domain Services (AD DS), which means that if a DC is compromised by a malicious actor, essentially all of your accounts and systems are affected. Just a few months ago, Microsoft issued an advisory about an AD privilege escalation attack.

Microsoft already provides a detailed tutorial on how to set up and secure a DC, but now, it's making some updates to the process.

The Redmond technology company had previously emphasized that DCs should not be connected to the Internet under any circumstances. In light of the evolving cybersecurity landscape, Microsoft has modified this tutorial to state that DCs should not have unmonitored Internet access or the ability to launch a web browser. DCs can be connected to the Internet as long as access is tightly controlled with appropriate protections.


For organizations currently operating in a hybrid environment, Microsoft recommends protecting on-premises AD with at least Defender for Identity. Its guidance states:

Microsoft recommends using Microsoft Defender for Identity for cloud-driven protection of these on-premises identities. Configuration of Defender for Identity sensors on domain controllers and AD FS servers allows for highly secure, one-way connections to cloud services through proxies and specific endpoints. For detailed instructions on configuring this proxy connection, please refer to the Defender for Identity technical documentation. This tightly controlled configuration ensures that the risks of connecting these servers to cloud services are reduced and organizations benefit from the increased protection capabilities provided by Defender for Identity. Microsoft also recommends using cloud-driven endpoint detection like Azure Defender for Servers to protect these servers.

Still, Microsoft recommends no Internet access at all for organizations that operate in isolated environments for legal and regulatory reasons.
