
Microsoft now allows Internet access through Domain Controllers


According to the latest report, many organizations have recently moved to cloud-based identity platforms such as Azure Active Directory (AAD) to take advantage of the newest authentication mechanisms, including passwordless login and conditional access, and are gradually retiring their Active Directory (AD) infrastructure.


However, other organizations still use domain controllers (DCs) in hybrid or on-premises environments. The DC is able to read and write Active Directory Domain Services (AD DS), which means that if the DC is infected by a malicious actor, basically all of your accounts and systems will be compromised. 

Just a few months ago, Microsoft issued an advisory about AD privilege escalation attacks. Microsoft has provided detailed guidance on how to set up and secure a DC, but now, it’s making some updates to this process.

Previously, the Redmond tech company had emphasized that a DC should not be connected to the Internet under any circumstances. In light of the evolving cybersecurity landscape, Microsoft has revised this guidance: DCs must not access the Internet or run web browsers without monitoring.

Basically, a DC can be connected to the Internet as long as access is strictly controlled using appropriate defense mechanisms. For organizations currently operating in a hybrid environment, Microsoft recommends at least securing on-premises AD with Defender for Identity. Its guidance states:

“Microsoft recommends cloud-driven protection of these on-premises identities using Microsoft Defender for Identity. The configuration of Defender for Identity sensors on domain controllers and AD FS servers allows for highly secure one-way connections to cloud services through proxies and specific endpoints.

For full instructions on how to configure this proxy connection, please refer to Defender for Identity’s technical documentation. This tightly controlled configuration ensures that the risk of connecting these servers to cloud services is reduced and organizations benefit from the protection capabilities provided by Defender for Identity. Microsoft also recommends protecting these servers with cloud-driven endpoint detection such as Azure Defender for Servers.”

Still, for legal and regulatory reasons, Microsoft recommends that organizations operating in isolated environments refrain from accessing the Internet at all.
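The "tightly controlled" connectivity Microsoft describes comes down to one rule: a DC talks to the outside world only through a known proxy, never directly. The PowerShell below is an added example, not from the article or from Microsoft's documentation, that audits a DC for direct outbound web sessions and optionally pins outbound HTTP/HTTPS to a single proxy with Windows Firewall. The proxy address and port are placeholders for your environment; the Defender for Identity sensor's own proxy settings are configured as its documentation describes and are not touched here.

```powershell
# Added example, not part of the article. Placeholders: replace with your proxy.
$ProxyAddress = '10.0.0.10'   # placeholder: the only permitted outbound web hop
$ProxyPort    = 8080          # placeholder

function Get-UnproxiedWebConnections {
    param([string]$Proxy = $ProxyAddress, [int]$Port = $ProxyPort)
    # Any established TCP session to 80/443 that does not terminate at the proxy
    # is direct web access from the DC, which the revised guidance rules out.
    # Intranet destinations (e.g. AD FS, internal web apps) will also show up;
    # review those against your allow list rather than assuming they are fine.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemotePort -in 80, 443 -or $_.RemotePort -eq $Port } |
        Where-Object { -not ($_.RemoteAddress -eq $Proxy -and $_.RemotePort -eq $Port) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process       = $proc.ProcessName
                PID           = $_.OwningProcess
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
            }
        }
}

function Set-DcOutboundWebRestriction {
    param([string]$Proxy = $ProxyAddress, [int]$Port = $ProxyPort)
    # Windows Firewall evaluates Block rules before Allow rules, so an Allow rule
    # for the proxy cannot punch through a blanket block. Instead the block rule
    # itself excludes the proxy by covering "everything except that one address"
    # as two IPv4 ranges. Test in a lab first: Windows Update, CRL/OCSP and other
    # web-dependent services on the DC must already be going through the proxy.
    $bytes = [System.Net.IPAddress]::Parse($Proxy).GetAddressBytes()
    [Array]::Reverse($bytes)
    $n = [BitConverter]::ToUInt32($bytes, 0)
    $toIp = {
        param([uint32]$v)
        $b = [BitConverter]::GetBytes($v); [Array]::Reverse($b)
        ([System.Net.IPAddress]::new($b)).ToString()
    }
    $ranges = @("0.0.0.0-$(& $toIp ($n - 1))", "$(& $toIp ($n + 1))-255.255.255.255")
    New-NetFirewallRule -DisplayName 'DC: block direct outbound web' -Direction Outbound `
        -Action Block -Protocol TCP -RemotePort 80, 443 -RemoteAddress $ranges -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'DC: allow outbound to proxy' -Direction Outbound `
        -Action Allow -Protocol TCP -RemotePort $Port -RemoteAddress $Proxy -Profile Any | Out-Null
}

# Run the audit first; only enforce once the report is empty or fully explained.
Get-UnproxiedWebConnections | Format-Table -AutoSize
```

Run the audit regularly (and feed its output to your SIEM) rather than once: a DC that suddenly opens a direct 443 session to an unfamiliar address is exactly the signal the monitoring requirement exists to catch.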
