
MFA & access management for on-premise Active Directory

With UserLock's multi-factor authentication (MFA) and access management for on-premise Active Directory (AD), you can secure your AD identities across network, cloud, and remote access.

Updated May 30, 2024

After over two decades, Active Directory (AD) continues to dominate how organizations, including over 90% of the Global Fortune 1000, manage the user directory and credentials for their Windows domain networks. This means that at most of the world’s organizations, large and small, your AD credentials hold the keys to your kingdom: Windows networks, programs, and sensitive company data.

Small wonder AD is an attractive target for cyber-attacks. The meteoric rise in remote work and the widespread adoption of Microsoft 365 continue to expose significant AD weaknesses as well, ones attackers are quick to exploit.

Protect the keys to your kingdom: Secure your Active Directory credentials

Following the onset of the pandemic, global organizations experienced an 81% increase in cyber threats. In 2023 alone, several ransomware attacks involving AD made global headlines. And the attack surface is only growing as many on-premises AD environments transition to hybrid environments.

Once an attacker logs in to AD using an employee’s legitimate login details, your anti-virus, anti-intrusion, firewall and other technologies are not going to flag anything unusual. Those tools believe the person accessing your network is exactly who they say they are.

What does all this mean? Knowing how easy AD user passwords are to compromise, it’s crucial for organizations to better secure user credentials to protect against a network breach.

Perimeter-based security is no longer enough

AD traditionally relies on a strong security perimeter to protect sensitive data. And when most employees worked on-site, a security perimeter made sense as an access security strategy. The organization controlled the environment: who has access to the building, office or machine, and when.

Today, that's not the case

Why? We'll only scratch the surface here, but a few of the top reasons are that:

  • Remote work is driving the shift to hybrid infrastructures: The modern organization embraces remote work and collaborates across cloud resources.

  • Security strategies are shifting to better secure a larger attack surface: As the architecture extends outside of traditional, on-site security perimeters, the security strategy needs to shift as well.

  • How users connect to the network is shifting: Many more users rely on RDP and VPN connections for remote access.

  • Identity and authentication mechanisms often exist on premise: VPNs and other remote connections depend on an on-premises corporate identity source, usually Active Directory, to authenticate users accessing the corporate network.

Access management for AD is the answer

Now, you might ask yourself, why access management and not something else, like Next Gen Antivirus or Endpoint Security?

It’s a valid question.

Unlike most security solutions, which operate at the point where the malicious action takes place, access management inserts itself at the point of access, stopping the threat before the action happens.

Why access management?

Access management prevents attacks effectively because it:

  • Protects the logon, the common root of almost every attack, by requiring user authentication before granting any kind of access.

  • Supports the zero trust model of “never trust, always verify” focused on visibility and controlling user access.

  • Automates controls that prevent attacks by blocking access before any damage is done.

  • Meets compliance standards for secure access by limiting access only to those who need it, proving that sensitive information is monitored and protected.

  • Facilitates cost-effective security by preparing for the “when, not if” of an attack, ensuring a high level of security at a low cost.

5 ways to protect all on-premise AD identities, everywhere

1. Protect privileged access, but not only privileged access

In a zero trust security model, every user is some sort of privileged user. This means privileged access management (PAM) isn’t only for your most privileged accounts, like Windows local administrator accounts, domain admin accounts, or Active Directory service accounts.

PAM’s real value is in protecting any account with access to critical data, applications and systems.

2. Enable multi-factor authentication

A strong username and password don’t cut it anymore. We’ve known that for a long time. We’ve also known that multi-factor authentication (MFA) adds an extra layer of security to ensure users are who they say they are.

While the recent shift to remote work drove an increase in MFA adoption, it’s still too low.

So, why have so many organizations been slow to adopt MFA? Unfortunately, MFA still has a reputation as hard to implement, complex to manage, and disruptive to users. But that’s not always the case.

MFA can block over 99.9% of account compromise attacks on Active Directory.

4 Myths of Multi-Factor Authentication

  • Myth: My company is too small to use MFA! Reality: Using MFA should be a key security measure for any company, regardless of size.

  • Myth: MFA should only be used to protect privileged users. Reality: Cybercriminals don't target only privileged accounts, they take advantage of any account.

  • Reality: Most hackers who encounter MFA prefer to move on to their next (easier) victim. You can also take simple precautions to avoid some vulnerabilities, such as choosing MFA authentication methods that don't rely on SMS.

  • Myth: MFA disrupts user productivity. Reality: MFA requires flexibility. It doesn't have to be disruptive. It should be customized according to each organization's needs.

The right balance between productivity and security looks different for every organization. With customized, granular MFA, you choose what that needs to look like, based on your organization’s unique needs.

3. Restrict, monitor, react & respond with session management

Contextual access policies help ensure each user has enough access to fully perform their tasks, but no more. Applied across all AD identities, these access policies provide a strong layer of security to detect and prevent insider threats, external attacks, and lateral movement.

  • Restrict logons with contextual access policies to reduce the risk of inappropriate access. Truly granular access restrictions allow IT to restrict logons based on time, machine, location, and session type allowed.

  • Monitor all access for all accounts, privileged and non-privileged, with real-time visibility for each AD identity.

  • React & respond to access events by allowing IT to track logon and logoff activity and receive alerts in real time. This reduces the burden on IT admins and increases security, since they can react instantly to remotely block, log off or restart any user session.

With accurate insights into logons, logoffs, and user activity, IT can quickly spot suspicious behavior, perform forensics, or prove regulatory compliance. These forensics are often the only way to understand vulnerabilities, how an attack may have occurred, the extent of the attack, and how to remedy it.

Meet compliance and insurance requirements with access management

Regulations and compliance standards such as GDPR, HIPAA, PCI DSS, ISO 27001, NIST, and a host of cyber insurance providers hold organizations accountable for controlling access.

Access management can:

  • Prove your AD identities are secure.

  • Prevent unauthorized access.

  • Monitor and report on all access events.

4. Secure remote access

Remote work is great news for flexible working, but it’s a big shift for IT leaders. Remote work requires protected access to machines, protected connections back to the network, and protected connections to cloud-based resources.

A few extra precautions and security measures help secure remote access to on-premises AD identities, protecting against common threats like ransomware, insider threats, external attacks, and lateral movement.

  • Protect remote connections like VPN, Remote Desktop Protocol (RDP), Remote Desktop Web Access (RD Web Access), and Remote Desktop Gateway (RD Gateway). Applying MFA and access restrictions can significantly increase the security of these connection types.

  • Protect off-domain, non-VPN connections, for when a remote worker's VPN connection fails or when they simply don’t need to access the network. In these scenarios, native AD is generally unable to ensure a secure logon.

  • Increase remote security with session management so the same contextual access policies and monitoring capabilities that protect your AD identities onsite also protect them off-site. Restrict access based on authorized machines, location (initial access point or IP address), time, or working hours to ensure the right user, and only the right user, gains access.
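The contextual access policies described in section 3 (restrict by time, machine, location and session type, then alert on what falls outside the policy) and again here for remote sessions can be expressed as a small rule engine. The following is an added example written for this article, not UserLock's code or configuration: group names, rule fields, network ranges and the logon events are all constructed for illustration. Logon type codes follow the "Logon Type" field of Windows Security event 4624.

```python
# Added example (not UserLock code): a contextual logon policy evaluated over
# constructed logon events. Group names, rules and events are assumptions.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Optional

# Windows Security event 4624 "Logon Type" codes for the session types checked here.
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote_interactive"}


@dataclass(frozen=True)
class Rule:
    """Contextual restrictions for one AD group (fields are assumptions for the example)."""
    allowed_session_types: frozenset[str]
    allowed_workstations: frozenset[str] = frozenset()            # empty = any machine
    allowed_networks: tuple[IPv4Network | IPv6Network, ...] = ()  # empty = any source
    working_hours: Optional[tuple[time, time]] = None             # None = any time


@dataclass(frozen=True)
class LogonEvent:
    user: str
    group: str
    when: datetime
    workstation: str
    source_ip: str
    logon_type: int


def evaluate(event: LogonEvent, rule: Rule) -> list[str]:
    """Return the conditions the event violates; an empty list means allow."""
    violations = []
    session = LOGON_TYPES.get(event.logon_type, f"type{event.logon_type}")
    if session not in rule.allowed_session_types:
        violations.append(f"session type {session} not permitted")
    if rule.allowed_workstations and event.workstation not in rule.allowed_workstations:
        violations.append(f"workstation {event.workstation} not authorized")
    if rule.allowed_networks:
        src = ip_address(event.source_ip)
        if not any(src in net for net in rule.allowed_networks):
            violations.append(f"source {event.source_ip} outside allowed networks")
    if rule.working_hours:
        start, end = rule.working_hours
        if not start <= event.when.time() <= end:
            violations.append(f"logon at {event.when:%H:%M} outside working hours")
    return violations


def check_events(events: list[LogonEvent], policy: dict[str, Rule]) -> list[tuple[LogonEvent, list[str]]]:
    """Pair each event with its verdict; groups without a rule are denied by default."""
    results = []
    for ev in events:
        rule = policy.get(ev.group)
        if rule is None:
            results.append((ev, ["no policy defined for group, deny by default"]))
        else:
            results.append((ev, evaluate(ev, rule)))
    return results


# Constructed policy: finance staff only log on interactively, from named machines,
# from the office range, during working hours; IT may also use RDP from two ranges.
POLICY = {
    "Finance": Rule(
        allowed_session_types=frozenset({"interactive"}),
        allowed_workstations=frozenset({"FIN-WS01", "FIN-WS02"}),
        allowed_networks=(ip_network("10.10.0.0/16"),),
        working_hours=(time(7, 0), time(19, 0)),
    ),
    "IT": Rule(
        allowed_session_types=frozenset({"interactive", "remote_interactive"}),
        allowed_networks=(ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")),
    ),
}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    LogonEvent("alice", "Finance", datetime(2024, 5, 30, 9, 15), "FIN-WS01", "10.10.4.21", 2),
    LogonEvent("bob", "Finance", datetime(2024, 5, 30, 2, 30), "RDP-JUMP01", "203.0.113.5", 10),
    LogonEvent("carol", "IT", datetime(2024, 5, 30, 22, 5), "IT-LAPTOP07", "192.0.2.44", 10),
    LogonEvent("dave", "Contractors", datetime(2024, 5, 30, 11, 0), "CTR-WS03", "10.10.9.9", 2),
]


def run_sample() -> dict[str, list[str]]:
    """Verdict per sample user (each sample user has exactly one event)."""
    return {ev.user: verdict for ev, verdict in check_events(SAMPLE_EVENTS, POLICY)}


if __name__ == "__main__":
    for user, verdict in run_sample().items():
        print(user, "ALLOW" if not verdict else "ALERT: " + "; ".join(verdict))
```

Run as a script, alice and carol are allowed, bob's off-hours RDP logon from an unknown machine and external address raises four distinct violations, and dave is denied because his group has no rule. The deny-by-default branch is the point worth keeping when adapting this: an account that falls outside every policy should produce an alert, not silent access.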

5. Secure cloud access

Remote work goes hand-in-hand with the shift to the cloud. As more employees go remote, the on-premises AD environment is shifting to a hybrid one, with a pressing need for easy access to both network and cloud resources.

Opt for single sign-on

Between 2020 and 2021, Gartner reports the number of workers using collaboration tools for work jumped from just over half to nearly 80%. That’s a lot of new accounts and new passwords for users to remember (and for IT to secure).

Enter single sign-on (SSO), which:

  • Streamlines access to all cloud resources. No need to remember complicated passwords since employees only need to log in once using their AD credentials.

  • Improves user productivity since employees no longer lose time logging into each app.

Reduce SSO security risks

SSO is inherently a means of gaining access, so it also brings the risk of security gaps. That said, IT leaders can significantly reduce those risks by implementing additional controls, like:

  • Granular multi-factor authentication.

  • Contextual access restrictions.

  • Session management.

Retain Windows Server AD for authentication

When on-premise AD environments try to go hybrid, outsourcing user authentication to the cloud is a major obstacle. For optimal security, it’s critical to retain the on-premises identities as the authoritative user directory. Read: don’t outsource user authentication to the cloud.

And since you keep user authentication on-premises, there’s no need to create a new directory for AD identities in the cloud. Good news for busy IT teams!

Opt for straightforward MFA plus access management to secure on-premise AD identities

Thanks to UserLock, on-premise AD environments can hold onto the infrastructure they’ve invested so heavily in, while extending it to secure remote and cloud access. And as on-premise AD needs are evolving, our solution is evolving with them.

Protecting your AD identities doesn’t have to mean paying for expensive, hard-to-manage, disruptive security tools. UserLock is a cost-effective, comprehensive access management solution that builds on your existing AD infrastructure to protect against unauthorized user access, prevent network breaches, and make your life easier.

Try UserLock for free

3400+ organizations like yours choose UserLock to secure access for Active Directory identities and meet compliance requirements.
