Search
Table of Contents
- What Is Access Management?
- What Is Access Control?
- What Is Passwordless Authentication?
- What Is CIAM (Customer Identity and Access Management)?
-
Authentication and Authorization Explained
- Authentication and Authorization Explained
- Differentiating Authentication from Authorization
- Authorization Models: RBAC, ABAC, and Policy Enforcement
- Lateral Movement and Attacker Workflow
- Cloud Security Implications for Authorization
- Zero Trust Alignment with Access Control
- Authentication and Authorization FAQs
- What Is Single Sign-On (SSO)?
- What is BeyondCorp?
- What is the Evolution of Multifactor Authentication
- What Is the Principle of Least Privilege?
- What Is Cloud Infrastructure Entitlement Management (CIEM)?
- What is Multifactor Authentication (MFA) Implementation?
- What Is Identity and Access Management (IAM)?
What Is Active Directory (AD)?
4 min. read
Table of Contents
Active Directory (AD) is Microsoft’s centralized database and identity security management service used to manage users, computers, and permissions within a Windows domain network. It serves as the authoritative source of truth for authentication and authorization. AD ensures that the right individuals have secure access to the specific corporate resources they need to perform their roles.
Key Points
-
Centralized Administration: Manage, create, and configure all user identities and network resources from a single, unified console. -
Hierarchical Structure: Organize objects into logical groups, including domains, trees, and forests for scalability. -
Identity Security: Authenticate users via Kerberos and LDAP to prevent unauthorized access to sensitive data. -
Policy Enforcement: Apply Group Policy Objects (GPOs) to maintain consistent security configurations across all endpoints. -
Extensible Schema: Customize the directory database to store specific organizational attributes and application data.
How Active Directory Works
Active Directory functions as the enterprise’s identity control plane. It maintains the directory database of objects, such as users, groups, devices, and service accounts, and enables consistent access control across the environment.
Core Components
- Domain Controllers (DCs): Servers that host the AD database and process authentication requests. DCs are among the most sensitive assets in a Windows environment because compromise can enable broad control over identities, permissions, and trust relationships.
- Domains: Logical partitions where objects share a common directory database and security policies.
- Trees: Collections of domains that share a contiguous namespace and hierarchical relationship.
- Forests: The highest-level AD boundary. Forests can contain multiple trees and domains that share a schema and trust relationships.
- Organizational Units (OUs): Containers used to group objects and apply policies or delegate administration in a controlled manner.
How Active Directory Is Attacked
Attackers rarely compromise Active Directory immediately. Instead, they typically follow a predictable sequence of steps to gain access, escalate privileges, and eventually take complete control of vital infrastructure.
1) Enumeration
After gaining an initial foothold (often on a workstation), adversaries inventory the environment to identify high-value targets and misconfigurations. Common objectives include discovering:
- Privileged groups (for example, Domain Admins) and those who belong to them
- Domain trusts, OUs, GPOs, and administrative pathways
- Service accounts and systems that run with elevated privileges
This phase is about building a map of “who can access what” and locating the easiest route to privilege.
2) Privilege Escalation
Next, attackers attempt to upgrade their access from a standard user to privileged roles. Common paths include:
- Abusing weak or overbroad permissions (excessive rights, delegated admin gone wrong)
- Exploiting credential exposure on endpoints or servers (cached credentials, local admin reuse)
- Targeting misconfigured service accounts or privileged access workflows
The goal is to obtain credentials or tokens that allow broader control across the domain.
3) Persistence
Once privilege is gained, attackers establish durable access that survives password resets, endpoint reimaging, or partial remediation. Persistence in AD often involves:
- Adding accounts to privileged groups
- Modifying GPOs or logon scripts
- Creating new service accounts or altering delegation settings
- Establishing alternate authentication paths that are less visible to defenders
At this stage, the attacker is optimizing for time and resilience, not speed.
4) Domain Controller Compromise
The endgame is typically access to Tier 0 assets, especially domain controllers, because they enable domain-wide authority. With DC-level control, attackers can:
- Manipulate authentication and authorization decisions
- Create or modify accounts and group memberships at scale
- Disable security controls, disrupt operations, and accelerate ransomware deployment
- Access sensitive systems broadly through trusted identity paths
This is why Tier 0 isolation, least privilege, and high-fidelity monitoring around privileged changes are non-negotiable controls in AD security.
Authentication and Authorization in AD
Active Directory authenticates users and systems primarily through Kerberos, then uses group membership and permissions to enforce authorization. Many environments also rely on LDAP for directory lookups and queries. NTLM may still be used for compatibility with legacy systems, but it is generally avoided due to its security limitations.
Why Active Directory Is a High-Value Target
Active Directory is frequently targeted because it concentrates identity and access control across the enterprise. Threat actors often pursue domain-wide control (“domain dominance”) to:
- Escalate privileges and impersonate administrators
- Enumerate users, groups, and systems to identify high-value targets
- Move laterally across the network
- Disable defenses or disrupt operations
- Deploy ransomware or enable large-scale data theft
From a business perspective, AD represents a single point of systemic risk: misconfigurations, weak privilege boundaries, and credential hygiene issues can create enterprise-wide exposure.
Use Cases and Real-World Examples
Unit 42 research highlights that credential theft remains the "keystone" of modern cyber attacks. In the Shamoon 2 attacks, adversaries leveraged stolen AD credentials to spread Disttrack malware across thousands of systems.
Centralized Identity and Access Management (IAM)
Organizations use AD to onboard users, assign access based on roles, and enforce consistent policies across departments and locations. The directory-based model supports secure access to shared file systems, internal applications, and Windows-based infrastructure.
Delegated Administration at Scale
AD’s hierarchical structure enables organizations to delegate tasks, such as password resets or workstation management, without granting broad privileges. This improves operational efficiency while reducing the risk of overprivileged accounts.
Adversary Behavior and Common Intrusion Patterns
Credential theft remains a primary driver of modern intrusions. Once an attacker gains initial access to a single endpoint, they frequently leverage AD to map the environment, identify privileged accounts, and plan paths for privilege escalation and lateral movement.
In high-impact incidents, stolen AD credentials have been used to propagate malware across large environments. In the Shamoon 2 attacks, adversaries leveraged compromised credentials to spread the Disttrack wiper at scale. In many enterprise intrusions, valid credentials provide a low-friction path to privilege escalation and persistent access, making AD hardening and monitoring a top priority.
Active Directory Best Practices
The goal is simple: reduce privilege, reduce exposure, and detect abuse fast. Here’s a practical baseline:
| Category | Implementation Step | Business Impact |
|---|---|---|
| Access Control | Enforce the Principle of Least Privilege (PoLP) with role-based groups | Limits the blast radius of compromised accounts |
| Privileged Security | Separate admin accounts (no “one account does everything”) | Reduces credential theft impact and lateral movement paths |
| Authentication | Require MFA for admins (and strong auth for privileged actions) | Neutralizes password-only compromise for high-risk roles |
| Admin Model | Use a Tiered Administrative Model (Tier 0/1/2) | Prevents high-value credentials from touching low-trust systems |
| Hardening | Lock down DCs (limit logons, restrict tools, reduce services) | Protects the most sensitive infrastructure in the domain |
| Monitoring | Audit privileged group changes, DC logons, replication events | Improves detection of privilege escalation and persistence |
| Account Hygiene | Remove stale accounts; rotate/service-account credentials | Shrinks the attack surface and reduces “forgotten access” risk |
| GPO Governance | Control who can create/edit/link GPOs; monitor changes | Prevents policy tampering and mass configuration abuse |
| Recovery Readiness | Maintain tested backups + documented AD recovery process | Cuts downtime and speeds recovery after compromise |
A domain is a single collection of objects that share a single database. A tree is a group of domains with a common root name. A forest is the highest-level security boundary that contains multiple trees that share a schema.
AD primarily uses the Kerberos protocol for secure authentication. It also supports LDAP for directory queries and NTLM for legacy system compatibility.
An OU is a container within a domain that groups users, groups, and computers. It allows administrators to apply specific policies and delegate control to sub-administrators.
AD holds the "keys to the kingdom." If an attacker compromises a Domain Controller, they can create new accounts, change permissions, and access any data on the network.
Organizations use tools like Microsoft Entra Connect to synchronize identities between local AD and the cloud. This enables hybrid identity management and consistent access across all platforms.
