Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™


Defend and Protect Microsoft Active Directory with

By Carla Roncato, Senior Analyst; and Jack Poller, Senior Analyst
JULY 2021


When it comes to identity infrastructure, Microsoft Active Directory (AD) is ubiquitous: it serves organizations as a centralized directory for users, objects, resources, and domain services, governing access to business applications and data across corporate networks. But what happens when such a central element of IT infrastructure is used as an attack vector? offers a solution that enables security and IT professionals to find and fix weaknesses in AD before cyber-criminals exploit them, and enables incident management teams to detect and respond to attacks in real time.

Identities and the Cybersecurity Threat Landscape

Identity-related Attacks
Techniques such as email phishing, which tricks users into providing account information, and password spraying logon attempts are two of the most common causes of credential compromise and account takeover by cybercriminals. Once a user or non-user (system) account is compromised, cyber-criminals can use multiple techniques to move laterally across an organization’s corporate network, seeking additional privileges to access and exfiltrate sensitive data while causing havoc by installing malicious software such as ransomware.
Finding attempts and attacks like these is difficult given the fluidity and frequency of changes across an organization’s on-premises IT environment. As more organizations adopt cloud services and establish hybrid cloud identities using Azure AD Connect, these same threats against identities can be carried out by cyber-criminals from outside the corporate network.
According to research conducted by ESG, overly permissive privileges, misuse of privileged accounts by employees, compromised user credentials, and spear phishing of privileged credentials rank as the most common cybersecurity attacks organizations have experienced in the last 12 months.[1]
But what if the directory service itself is compromised? Cyber-criminals with broader objectives view AD as a prime target because domain administrator- and cloud administrator-level access provides unfettered capabilities to seed and control the organization, making eviction of the attacker a nearly impossible task.

The Active Directory Attack Vector

Active Directory is a broadly deployed directory service included in Windows Server operating systems, with additional roles such as Domain Services (AD DS) and Certificate Services (AD CS). ESG research shows that two-thirds (66%) of organizations use AD for access to on-premises systems. For many of these companies, AD has been in use for an appreciable amount of time (since 2000) and will continue to be in use for the foreseeable future.
Organizations typically have two or more AD forests with domains that rely on the following services:
• The schema, which is a set of rules that defines the classes of objects and attributes contained in the directory.
• A global catalog that contains information about every object in the directory.
• A query and index service so objects and their properties can be published and found.
• A replication service that distributes directory data across a network and all domain controllers.
• Group policy objects (GPOs) to combine a set of policies that include thousands of settings and controls.
These services are what allow users to find directory information, such as printers and conference rooms, regardless of which domain in the directory contains the data. As employees change roles and responsibilities, group membership, user access rights, and security controls must change with them. Infrastructure upgrades and application modernization result in continuous changes to, and management of, GPOs.
IT professionals and administrators can onboard new employees and endpoints, create and modify group policy objects to enable user and machine software installation, set password policies and complexity requirements, and enforce least privilege user access control.
Active Directory Certificate Services is a high-privilege role within any IT environment and requires enterprise administrative access to perform machine services such as enabling certificate enrollment for wireless, web, and network access. It is also used to enroll non-domain network devices, such as routers, that require certificates and, perhaps most importantly, to run the online responder and revocation services that manage the validity of these certificates.
The management challenge increases as organizations scale their AD deployments by increasing the number of forests, domains, and domain controllers, often through activities such as mergers and acquisitions (M&A). The larger the AD deployment becomes, the harder it is to maintain visibility into risks from insiders and exploits by cyber-criminals. No two organizations have the same AD topology: the multi-generational environment, years of changes and upgrades, IT staff rotation, the pace of moving to a hybrid cloud operating model, and the uptake of SaaS applications have created gaps and unintended vulnerabilities. In fact, 33% of organizations surveyed by ESG said that one of their biggest identity and access management challenges is maintaining security consistency across their own data center and public cloud environments.
Requirements for Defending and Protecting Active Directory Infrastructure
Defensive and Protective Measures
Organizations that rely on Active Directory identity infrastructure need to adopt both a defensive and a protective approach for this critical infrastructure, since Active Directory is a Tier 0 asset. Measures should span all of AD’s core components and services, including continuous read-only monitoring to disrupt attack paths, an incident response plan and root-cause analysis for AD service outages and hardware failures, and an AD backup and disaster recovery plan.
Visibility Requirements
Visibility into AD will allow IT infrastructure and cybersecurity teams to develop a clear understanding of the AD infrastructure, including forests, domains, domain controllers, and certificate services to prioritize and respond to a variety of weaknesses. Tools need to aid cybersecurity teams to detect, identify, and assign severity to threats that directly impact AD such as brute force password spraying, pass-the-hash and golden ticket attacks, and rogue domain controllers.
Controls Requirements
To ensure secure control of the AD infrastructure, IT and cybersecurity teams need to harden the environment. This means establishing and maintaining a set of known good and secure configurations. The organization should develop and apply consistent policies and controls around configuration changes to AD infrastructure.
Strong multi-factor authentication (MFA), combined with just-in-time privileged access management and session monitoring for IT Administrator, Domain Administrator, and Enterprise Administrator roles, is a must.
Operational Requirements
As with all cybersecurity programs, the tools employed by the Security Operations Center (SOC), including security information and event management (SIEM) and security orchestration, automation, and response (SOAR) systems, will benefit from enriched signals: logs, events, and any changes to AD infrastructure and services, for forensic investigation, audit, and compliance purposes.

Introducing enables organizations to discover the underlying issues affecting their AD infrastructure, including AD forests, domains, domain controllers, trust relationships, and certificate services, and to prioritize and respond to a variety of weaknesses. The prevention side of the solution identifies the link between AD changes, misconfiguration, and malicious actions and analyzes details of attacks for indicators of exposure (IoEs) such as user primary group IDs with dangerous values, the use of weak cryptographic algorithms in AD CS, and privileged accounts running Kerberos services. connects these directly to the MITRE ATT&CK framework and to indicators of attack (IoAs) for real-time detection of on-going AD attacks such as DCSync, DCShadow, and brute force password spraying.
Find and Fix Indicators of Exposure
uses an agentless, no-privilege, read-only mode to collect AD information and to analyze the relationships between objects, attributes, and configuration settings using graph theory to develop an “attack path” view. This information is organized in an indicators of exposure (IoE) dashboard that correlates the types of issues specific to your environment. Within the dashboard, each type of IoE provides further contextual details on the exact nature of the vulnerabilities: the exact objects, network paths, and reasons, and the recommended fixes an administrator can take.
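The three IoEs named above can be checked mechanically from a read-only export of directory objects. The following is an added example, not Tenable's code or the product's logic: it runs over a constructed snapshot of user objects and CA records (field names mimic LDAP attribute names; the accounts, SPNs and CA names are made up for this example) and flags a user whose primaryGroupID points at a privileged group, a privileged account that carries a servicePrincipalName, and a CA certificate signed with an algorithm this example treats as weak. The set of "weak" algorithms and the threshold for "privileged" are assumptions of the example.

```python
"""Added example (not the product's code): flag three indicators of exposure
over a constructed, offline snapshot of AD objects."""
from typing import Dict, List

# Well-known RIDs: 513 = Domain Users (the default primary group for a user);
# 512 = Domain Admins, 516 = Domain Controllers, 519 = Enterprise Admins.
DEFAULT_USER_PRIMARY_GROUP = 513
DANGEROUS_PRIMARY_GROUPS = {512: "Domain Admins", 516: "Domain Controllers",
                            519: "Enterprise Admins"}

# Groups treated as privileged for the "privileged account runs a Kerberos
# service" check (assumption for this example).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# CA signature algorithms treated as weak (assumption for this example).
WEAK_SIGNATURE_ALGORITHMS = {"md5RSA", "sha1RSA"}


def check_primary_group(user: Dict) -> List[Dict]:
    """A primary group other than Domain Users grants membership that does not
    show up in memberOf, which is why a dangerous value is an exposure."""
    pgid = user.get("primaryGroupID", DEFAULT_USER_PRIMARY_GROUP)
    if pgid in DANGEROUS_PRIMARY_GROUPS:
        return [{"ioe": "dangerous-primary-group",
                 "object": user["sAMAccountName"],
                 "detail": f"primaryGroupID {pgid} ({DANGEROUS_PRIMARY_GROUPS[pgid]})"}]
    return []


def check_privileged_spn(user: Dict) -> List[Dict]:
    """A privileged account with an SPN runs a Kerberos service, so a service
    ticket for it can be requested by any domain user and cracked offline."""
    spns = user.get("servicePrincipalName", [])
    if spns and PRIVILEGED_GROUPS & set(user.get("memberOf", [])):
        return [{"ioe": "privileged-account-with-spn",
                 "object": user["sAMAccountName"],
                 "detail": f"SPNs: {', '.join(spns)}"}]
    return []


def check_ca_crypto(ca: Dict) -> List[Dict]:
    """Flag a CA certificate whose signature algorithm is on the weak list."""
    alg = ca.get("signatureAlgorithm", "")
    if alg in WEAK_SIGNATURE_ALGORITHMS:
        return [{"ioe": "weak-adcs-crypto", "object": ca["name"],
                 "detail": f"signature algorithm {alg}"}]
    return []


def find_exposures(users: List[Dict], cas: List[Dict]) -> List[Dict]:
    """Run every check and return the combined list of findings."""
    findings: List[Dict] = []
    for user in users:
        findings += check_primary_group(user)
        findings += check_privileged_spn(user)
    for ca in cas:
        findings += check_ca_crypto(ca)
    return findings


# Constructed sample data (not from any real directory).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "primaryGroupID": 513,
     "memberOf": ["Domain Admins"], "servicePrincipalName": []},
    {"sAMAccountName": "svc-sql", "primaryGroupID": 513,
     "memberOf": ["Domain Admins"],
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    # bob is not listed in Domain Admins' memberOf but his primary group is RID 512.
    {"sAMAccountName": "bob", "primaryGroupID": 512,
     "memberOf": [], "servicePrincipalName": []},
    # carol has an SPN but no privileged membership: no finding.
    {"sAMAccountName": "carol", "primaryGroupID": 513,
     "memberOf": [], "servicePrincipalName": ["HTTP/web01.corp.example"]},
]
SAMPLE_CAS = [
    {"name": "CORP-ROOT-CA", "signatureAlgorithm": "sha256RSA"},
    {"name": "CORP-ISSUING-CA-LEGACY", "signatureAlgorithm": "sha1RSA"},
]

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_USERS, SAMPLE_CAS):
        print(f"[{finding['ioe']}] {finding['object']}: {finding['detail']}")
```

On the constructed sample this reports three findings: svc-sql (privileged account with an SPN), bob (primary group RID 512) and CORP-ISSUING-CA-LEGACY (sha1RSA). Note that a group-membership audit based on memberOf alone would miss bob, which is the point of treating primaryGroupID as a separate IoE.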
Prevent Security Group Drift
Security groups play a critical role in the ongoing management of IT infrastructure by administrators. Even with reasonably good hygiene around privileged access, configuration drift is an ongoing and long-standing challenge in maintaining any environment that is under continual change, and it is highly problematic when it comes to AD. serves as a check and balance against such drift, down to the user attribute level, acting as a watchdog that identifies and alerts AD administrators and the security operations center (SOC) so this type of risky drift can be corrected.

Detect In-flight Attacks

Because cyber-criminals use a variety of techniques, and combinations of attempts, to target AD, provides real-time monitoring of activity that may indicate an in-flight attack and that cannot be configured away, such as password spray and brute force attacks. Additionally, can detect when a cyber-criminal has attempted to use the AD infrastructure itself, such as by establishing a rogue domain controller (DC) as a means of side-channel access to legitimate DCs. can detect late-stage infiltration techniques, such as DCShadow and DCSync, that impersonate a legitimate domain controller to retrieve password hashes. Attackers can take these password hashes offline and continue on their path of brute force to gain privilege elevation, with very low probability of being detected or blocked by security controls that rely on event logs. Since does not rely on event logs, but rather on emulation and relationship activity information from domain controllers in real time, it can alert administrators to respond to these critical attacks.
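Two of the attacks named in this section leave recognisable signals even in ordinary Windows Security events. The following is an added example, not the product's code (the text above notes that the product does not rely on event logs; this example illustrates the same two signals the log-based way, which is what a SOC's SIEM would see). It runs over constructed event records shaped like Event 4625 (failed logon) and Event 4662 (operation performed on an object): a password spray shows up as one source address failing against many distinct accounts inside a short window, and a DCSync shows up as a request for the directory replication extended rights by a principal that is not a domain controller's computer account. The threshold, window, IP addresses and account names are constructed assumptions; the three replication-right GUIDs are the real values used by Active Directory.

```python
"""Added example (not the product's code): password-spray and DCSync
detection over constructed Windows Security event records."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

SPRAY_MIN_ACCOUNTS = 10                 # distinct accounts per source (assumption)
SPRAY_WINDOW = timedelta(minutes=10)    # sliding window (assumption)

# Extended rights requested during DCSync: DS-Replication-Get-Changes,
# DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}


def detect_password_spray(events: List[Dict], min_accounts: int = SPRAY_MIN_ACCOUNTS,
                          window: timedelta = SPRAY_WINDOW) -> Dict[str, int]:
    """Return {source_ip: distinct_accounts} for every source whose 4625
    failures hit at least `min_accounts` different accounts inside `window`.
    One account failing repeatedly from one source is brute force, not spray,
    and is deliberately not reported here."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_source[e["ip"]].append((e["time"], e["target"].lower()))
    hits: Dict[str, int] = {}
    for ip, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # advance the window start so [start, end] spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {name for _, name in fails[start:end + 1]}
            if len(distinct) >= min_accounts:
                hits[ip] = max(hits.get(ip, 0), len(distinct))
    return hits


def detect_dcsync(events: List[Dict], dc_accounts: List[str]) -> List[str]:
    """Return the subjects of 4662 events that requested a replication right
    while not being one of the known domain controller computer accounts."""
    known_dcs = {a.upper() for a in dc_accounts}
    alerts = []
    for e in events:
        if e["id"] != 4662:
            continue
        if not REPLICATION_RIGHTS & {p.lower() for p in e["properties"]}:
            continue
        if e["subject"].upper() in known_dcs:
            continue  # legitimate DC-to-DC replication
        alerts.append(e["subject"])
    return alerts


def sample_events() -> List[Dict]:
    """Constructed events (not a real log): a spray from 10.0.0.50 against
    twelve accounts, a single-account brute force from 10.0.0.7, one normal
    replication by DC02$, and one replication request by a user account."""
    t0 = datetime(2021, 7, 1, 9, 0, 0)
    events: List[Dict] = []
    for i in range(12):
        events.append({"id": 4625, "time": t0 + timedelta(seconds=30 * i),
                       "ip": "10.0.0.50", "target": f"user{i:02d}"})
    for i in range(5):
        events.append({"id": 4625, "time": t0 + timedelta(seconds=15 * i),
                       "ip": "10.0.0.7", "target": "alice"})
    events.append({"id": 4662, "time": t0, "subject": "CORP\\DC02$",
                   "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]})
    events.append({"id": 4662, "time": t0 + timedelta(minutes=3),
                   "subject": "CORP\\jsmith",
                   "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                                  "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]})
    return events


if __name__ == "__main__":
    evs = sample_events()
    print("password spray sources:", detect_password_spray(evs))
    print("DCSync by non-DC:", detect_dcsync(evs, ["CORP\\DC01$", "CORP\\DC02$"]))
```

On the constructed events the spray detector reports 10.0.0.50 with 12 distinct accounts and ignores 10.0.0.7, and the DCSync detector reports only CORP\jsmith. In production the list of domain controller accounts should come from the directory itself (the Domain Controllers OU) rather than a static list, otherwise a rogue DC of the kind described above would be whitelisted as soon as it registers.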

The Bigger Truth

The significant role that Active Directory infrastructure serves in organizations, and the investment it represents, mean that it is an incredibly valuable asset and an attractive target for cybercrime. Any AD compromise has the potential to disable and damage business operations. This has made continuous monitoring of AD security a strategic imperative. Defending and protecting Active Directory requires measures for greater visibility into, and greater control over, the environment. enables organizations to mitigate existing weaknesses before attacks happen and to detect and respond to attacks in real time.

Secure Active Directory and Disrupt Attack Paths


This ESG Showcase was commissioned by Tenable and is distributed under license from ESG.

[1] Source: ESG Master Survey Results, Trends in IAM: Cloud-driven Identities, Dec 2020. All ESG research references in this showcase are taken from this master survey results set.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.


Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.