AD Domain Service and Defender for Identity Demystified
Understanding hybrid environment security with relative ease.
Some members of an organization’s IT staff may be concerned about subjects like “domain services” and “hybrid environments” because they may view it as a complicated transition that affects their on-premises infrastructure. In addition to the complications of implementing the system, there will also be complications when it comes to securing the system.
In this blog, we will go over a brief explanation about how hybrid environments created by products like AD Domain Service work. We will also talk about how products like Defender for Identity can be used to secure the hybrid environment.
When an organization has existing on-premises infrastructure and wishes to use the identities associated with that infrastructure to access cloud resources, they are going to need to use a hybrid environment. AD Domain Service takes on-premises AD identities and syncs them with cloud identities so that the on-premises identities can access cloud resources.
Relationships Between Forests
A forest is a term used to refer to a group of identities that are all within the same domain and that are managed by 1 or more servers. When using a hybrid environment, the existing forests in the organization’s on-premises infrastructure need to form a relationship with the forest that is managing identity in the cloud.
A relationship between two forests can either be one-way or bi-directional. In a one-way trust model, the identities are trusted by one forest, but the identities from the other forest are not treated as trusted. This would allow on-premises identities to access cloud resources, but cloud identities would not be able to access on-premises resources.
In a bi-directional trust model, the identities on-premises and in the cloud are synchronized because they both trust each other. This makes identity management easier, but it is a security concern because if one forest is compromised so is the other forest in the trust relationship.
When working between 2 forests, a useful way to improve security is to use an indirect way of communicating between forests like proxies. Conventional proxy servers, virtual networks, and authentication apps can be put between the two forests so that they will be able to communicate without being directly exposed to the internet.
Defender for Identity Detections
Defender for Identity is Microsoft 365 Defender’s domain service security solution. This service uses a set of detections that are specific to hybrid environments connected to a domain service. Some examples of these detections include reconnaissance attempts, brute force attacks, and identity forgery attempts.
Once alerts like these are generated, security analysts can go through the alerts to determine what happened during an incident in the hybrid environment. Once they are done, they can take remediation actions and send security recommendations to help improve the security of the hybrid environment.
Connection with MCAS
Defender for Identity is directly connected to Microsoft Cloud App Security (MCAS) because Active Directory is one of the Apps that MCAS is responsible for monitoring. In addition to the alerts in the Defender for Identity menu, there will be MCAS activity logs that analysts can use to learn more about the incident in the context of a cloud environment.
We will continue to share best practices and lessons learned in future posts on defending domain services in customer environments. Security needs to be managed throughout the entire organization and using security tools like Defender for Identity will help with securing both the on-premises and cloud parts of the organization.
In closing, consider these three questions when using Defender for Identity in your organization:
- What kind of hybrid model are we using for managing identities across on-prem and clouds, and what are the security concerns associated with that model?
- Do we understand what proxy settings we are using and how that will affect our security?
- Are our security analysts trained to understand the server administration topics that appear in the Defender for Identity alerts?