Authentication is the mechanism through which a user, computer, or service proves its identity to Active Directory. Whether that identity is then allowed to use a given resource is a separate step, authorization, covered below. Authentication happens against Active Directory's gatekeeper, the domain controller.
This is where Active Directory's central database of user accounts, computers, groups, and organizational units (OUs) resides. It also hosts the Group Policy Objects (GPOs) used to enforce policy, usually runs DNS, replicates the directory to the domain's other domain controllers, and services the trust relationships between its own domain and other domains. The domain controller is the highest-value target in the environment, which is why attackers devote so much effort to compromising it: whoever controls a DC can read or replicate every credential in the domain.
Lose your DC to hackers and your Active Directory will be about as reliable as a chocolate teapot.
Read more: MFA & access management: How to secure on-premise Active Directory identities for network, cloud & remote access
Authorization in Active Directory is the process of deciding whether an already-authenticated identity may access a particular resource, such as a file share, a mailbox or an OU. The decision is made by comparing the security identifiers (SIDs) in the user's access token against the access control list (ACL) on the resource.
The authentication and directory access that sit underneath it are a story of three protocols:
- NT LAN Manager (NTLM)
- Kerberos
- Lightweight Directory Access Protocol (LDAP)
It all started with NT LAN Manager (NTLM), a challenge-response protocol that is old and weak (its responses can be relayed, and the NT hash it is built on is itself a reusable credential) but is kept alive to support legacy applications that still depend on it.
Kerberos replaced it as the default with Windows 2000, more than 20 years ago. It is designed for authentication within a single trusted realm and issues time-limited tickets instead of passing hash-derived responses around the network.
Today, Active Directory uses LDAP as the protocol through which clients, applications and other directories query and update the directory itself. An LDAP bind can authenticate with a plain password, which should only ever travel over TLS (LDAPS), or with Kerberos via SASL.
Passwords and credentials
What comes first in Active Directory, the password or the password creation policy? Ah, aren’t IT jokes just the spice of life?
For the user, it's always the password, which Active Directory stores as the NT hash: an MD4 digest of the UTF-16LE encoded password with no per-user salt. Two accounts with the same password therefore share the same hash, and a stolen hash can be replayed directly over NTLM (pass-the-hash). For admins, it's more about the policy and how it is applied.
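To make the "one-way unsalted hash" concrete, here is an added example (not code from the original page): a pure-Python NT hash, which is MD4 over the UTF-16LE password, applied to a constructed hash dump. The algorithm is the real one; the account names, hash values and wordlist are constructed sample data.

```python
"""NT hash demonstration (added example, not from the original page).

Active Directory stores a password as MD4(UTF-16LE(password)) with no salt.
MD4 is implemented here per RFC 1320 because hashlib's 'md4' is missing on
OpenSSL 3 builds without the legacy provider.
"""
import struct

_MASK = 0xFFFFFFFF


def _lrot(x, n):
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320) of `data`."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, _lrot((a + f(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _lrot((a + g(b, c, d) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a, b, c, d = d, _lrot((a + h(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The NT hash as stored in ntds.dit: MD4 over UTF-16LE, no salt."""
    return md4(password.encode("utf-16-le"))


def accounts_sharing_a_password(dump: dict) -> dict:
    """Group accounts whose NT hashes are identical. With no salt, an equal
    hash means an equal password, visible without cracking anything."""
    groups = {}
    for user, h in dump.items():
        groups.setdefault(h.lower(), []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def crack_dump(dump: dict, wordlist) -> dict:
    """Match every account against ONE precomputed table. Each wordlist entry
    is hashed once for the whole dump; a salted scheme would force the entire
    wordlist to be re-hashed for every account."""
    table = {nt_hash(word).hex(): word for word in wordlist}
    return {user: table[h.lower()] for user, h in dump.items() if h.lower() in table}


# Constructed sample dump (account names and passwords are invented).
SAMPLE_DUMP = {
    "alice": "8846f7eaee8fb117ad06bdd830b7586c",   # NT hash of "password"
    "bob":   "8846f7eaee8fb117ad06bdd830b7586c",   # same password, same hash
    "carol": nt_hash("Winter2024!").hex(),
    "dave":  nt_hash("uncrackable-in-this-list-9f3k").hex(),
}
WORDLIST = ["password", "Winter2024!", "letmein"]

if __name__ == "__main__":
    print("shared:", accounts_sharing_a_password(SAMPLE_DUMP))
    print("cracked:", crack_dump(SAMPLE_DUMP, WORDLIST))
```

The two takeaways a practitioner should draw from running it: identical hashes expose password reuse across accounts before any cracking starts, and one hashed wordlist serves every account in the dump, which is exactly why unsalted storage makes bulk cracking cheap.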
Password length and complexity requirements are rising across the board, which raises the prospect of a day when passwords are so long and random that nobody will be able to remember them.
Fortunately, Active Directory supports other types of credentials, including:
- Smart cards and tokens
- Biometric IDs
- Kerberos tickets
- NTLM hashes
Here's a tidbit for an interesting life: choose a very long password.
The Windows password dialog stops at 127 characters; if Windows allowed it, in theory users could set Active Directory passwords of up to 256 characters that would take five minutes to enter. (Of course, not even that would take away the need for logon security beyond the password.)
Read more: Windows login Active Directory security
The idea of shared credentials is normally verboten on the basis that the more people who use a credential, the less secure it is. In Active Directory, sharing credentials should never be necessary for privileged users: each admin uses their own account with the privileges assigned to it, so every action is attributable to a person.
However, there are exceptions, for example service accounts, which applications and automation routines need. Where a single account genuinely has to be shared, the benefit can outweigh the risk, but the better answer on a modern domain is a group Managed Service Account (gMSA), whose password is generated and rotated by the domain controllers and is never known to a human, so there is nothing to share.
Read more: Protection from password sharing
Unauthorized access attempt
Unauthorized access attempts – attempts to gain access to Active Directory that the user is not entitled to – are the number one security problem facing Windows admins. Once an attacker holds one valid account, they use it to enumerate and target other accounts, move laterally and steal data.
But if a user presents the correct credentials, how do we know they are unauthorized? The short answer is we don't. The clues that used to be reliable indicators, such as geo-location and source IP address, are easily evaded with a VPN, a proxy or an already-compromised host inside the network.
A better indicator these days is a successful logon that was preceded by a series of failed logons for the same account. On a domain controller that appears as a run of event ID 4625 (failed logon), 4771 (Kerberos pre-authentication failed) or 4776 (NTLM credential validation failed), followed by a 4624 (successful logon). Watch for the inverse pattern as well: one or two failures each across many accounts from a single source is a password spray, built precisely to stay under per-account lockout thresholds.
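As an added example (not from the original page), the following Python turns that heuristic into detection logic and runs it over a handful of constructed Security-log records shaped like the relevant fields of events 4625/4771/4776 (failures) and 4624 (success). It also covers the inverse pattern, a password spray, which per-account failure counting alone would miss. The timestamps, account names and addresses are invented.

```python
"""Failed-then-successful logon and password-spray detection.
Added example, not from the original page; all events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_IDS = {4625, 4771, 4776}   # failed logon, Kerberos pre-auth failed, NTLM validation failed
SUCCESS_IDS = {4624}               # successful logon

# Constructed sample: (timestamp, event id, target account, source address).
SAMPLE_EVENTS = [
    ("2024-05-01T06:00:00", 4625, "svc-backup", "10.0.0.9"),
    ("2024-05-01T06:00:01", 4625, "svc-backup", "10.0.0.9"),
    ("2024-05-01T06:00:02", 4625, "svc-backup", "10.0.0.9"),
    ("2024-05-01T06:00:03", 4625, "svc-backup", "10.0.0.9"),
    ("2024-05-01T06:00:04", 4625, "svc-backup", "10.0.0.9"),
    ("2024-05-01T08:00:01", 4625, "jsmith", "10.0.0.23"),
    ("2024-05-01T08:00:02", 4625, "jsmith", "10.0.0.23"),
    ("2024-05-01T08:00:03", 4625, "jsmith", "10.0.0.23"),
    ("2024-05-01T08:00:04", 4771, "jsmith", "10.0.0.23"),
    ("2024-05-01T08:00:05", 4771, "jsmith", "10.0.0.23"),
    ("2024-05-01T08:00:06", 4625, "jsmith", "10.0.0.23"),
    ("2024-05-01T08:00:10", 4624, "jsmith", "10.0.0.23"),   # success after 6 failures
    ("2024-05-01T08:05:00", 4625, "mjones", "10.0.0.41"),
    ("2024-05-01T08:05:30", 4624, "mjones", "10.0.0.41"),   # one typo, then success: benign
    ("2024-05-01T08:10:00", 4776, "a.adams", "10.0.0.77"),  # spray: one failure per account
    ("2024-05-01T08:10:01", 4776, "b.brown", "10.0.0.77"),
    ("2024-05-01T08:10:02", 4776, "c.clark", "10.0.0.77"),
    ("2024-05-01T08:10:03", 4776, "d.davis", "10.0.0.77"),
    ("2024-05-01T08:10:04", 4776, "e.evans", "10.0.0.77"),
    ("2024-05-01T08:10:05", 4776, "f.frost", "10.0.0.77"),
    ("2024-05-01T08:30:00", 4624, "svc-backup", "10.0.0.9"),  # success hours after failures: outside window
]


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on a success that follows >= threshold failures for the same
    account within `window`. Failures older than the window are discarded so
    a morning typo storm does not taint an afternoon logon."""
    failures = defaultdict(list)
    alerts = []
    for ts_str, event_id, account, source in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        recent = [t for t in failures[account] if ts - t <= window]
        failures[account] = recent
        if event_id in FAILURE_IDS:
            failures[account].append(ts)
        elif event_id in SUCCESS_IDS:
            if len(recent) >= threshold:
                alerts.append({"account": account, "source": source,
                               "failures": len(recent), "time": ts_str})
            failures[account] = []  # the run ended; start counting afresh
    return alerts


def detect_password_spray(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one source fails against >= threshold DISTINCT accounts
    within `window`, the pattern per-account counting cannot see."""
    by_source = defaultdict(list)
    for ts_str, event_id, account, source in sorted(events):
        if event_id in FAILURE_IDS:
            by_source[source].append((datetime.fromisoformat(ts_str), account))
    alerts = []
    for source, fails in by_source.items():
        for i, (start, _) in enumerate(fails):
            accounts = {acct for t, acct in fails[i:] if t - start <= window}
            if len(accounts) >= threshold:
                alerts.append({"source": source, "distinct_accounts": len(accounts),
                               "first_failure": start.isoformat()})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(SAMPLE_EVENTS):
        print("brute force then success:", alert)
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print("password spray:", alert)
```

Run against the sample, the first detector fires only for jsmith (six failures then a success inside ten minutes) and ignores both the single-typo user and the service account whose failures are hours old; the second fires only for 10.0.0.77, which never trips the per-account rule because it tried each account just once. In production the thresholds and window should be tuned per environment, and the source field is the workstation name or address carried in the event, which is exactly the kind of clue the preceding paragraph warns can be evaded.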
Read more: Reducing the risk of security breaches that stem from unauthorized network and file access