Does Your Active Directory Disaster Recovery Plan Cover Cyberattacks?

  • By Paige Russo
  • in
  • on July 19, 2022

Contributed by Sempris

Sixteen years ago, Gil Kirkpatrick (Semperis Chief Architect) and Guido Grillenmeier (Semperis Chief Technologist)—each working for different companies at the time—got together to share their experience and expertise in protecting and recovering Active Directory (AD). The result of this collaboration was the publication in 2005 of the whitepaper “A Definitive Guide to Active Directory Disaster Recovery.” The whitepaper served a critical need in the industry, as most companies had accepted AD as the de facto standard directory service to use for controlling access to their corporate network, applications, and services for their users. Back then, information about recovering all or part of an AD was scarce, and not many AD practitioners understood the reality of the challenge. The whitepaper explained the mechanics of AD recovery and clarified how necessary it was for companies to prepare themselves to properly recover from various AD problems. It described how to recover from several types of disasters, including inadvertent deletion of AD objects, group policy misconfiguration, and failed AD domain controllers. The document ended with a brief outline of the process to recover an AD environment after a complete meltdown, with the caveat: “However, the likelihood of [needing] a full AD forest recovery is very small.“That was then, this is now. The cybersecurity landscape has drastically changed. A week doesn‘t go by without some organization‘s on-premises Windows network being flattened by a ransomware or wiper attack. For instance, from 2019 and early 2020 (with estimated recovery costs):

• City of New Orleans ($3M+)
• City of Baltimore ($18M)
• Norsk Hydro ($70M)
• Demant ($80M)

And there are dozens more. The point is that the ability to recover your AD environment entirely from backup is no longer a nice-to-have response to a highly unlikely event. It is a requirement. As the threat model has changed dramatically since  2005, so too has the Windows Server Operating  System (OS) and its built-in Active Directory service. Microsoft has improved Windows security substantially, added features and capabilities to simplify AD object recovery, and improved the behavior of AD when running in a virtualized environment. But the fundamental problems of recovering an entire Active Directory forest from backup haven‘t changed. It‘s still an error-prone,  complex process that requires planning and practice for all but the most trivial AD deployments.

It‘s notable that the two latest Windows Server releases (Windows Server 2019 and 2022) are the first versions of Windows Server with no relevant updates to the AD service itself. Apparently, in  Microsoft’s view, there are no more issues in AD to fix and no more service improvements required.  More to the point, AD disaster recovery is not going to get any easier. 

We now need to evaluate a company’s recovery capabilities in the context of the new cyber threats targeting AD today, which we didn’t have to worry about in 2005. Sadly, the increase in attacks means that companies urgently need to prepare for fast remediation of attacks against their corporate AD.  The improvements Microsoft has made to the core of the AD service over the years might still prove  of little help in recovering your AD if you are hit. Is  your company ready to quickly recover your own  corporate AD in case of a true disaster that wipes  out the complete AD service? 

Why Protecting Active Directory is so Important 

Active Directory (AD) has been in production for more than 20 years. As it was originally designed, this  Microsoft server role provides: 

Authentication: Authenticates on-premises users logging in to their PCs and the corporate  network and remote users logging in to in-house hosted applications or virtual desktops  

Authorization: Controls which AD-integrated resources—such as file services, printing, Exchange  Server, SharePoint Server, and SQL Server—they have permissions to access 

Security and control: Group Policy can apply policy configurations to every computer, server, and  user that is joined to AD 

Directory: A single location to discover users and resources 

DNS: AD-integrated DNS to provide network name resolution 

PKI: Active Directory Certificate Services provides certificates for domain users and computers 

The rise of popularity of the Windows Server OS to  provide basic file- and print-sharing services—and  other back-office services such as email, messaging,  and collaboration—helped cement AD as the network  directory of choice. Microsoft evolved practically  all its popular applications to rely on it, making AD  one of the most ubiquitous software services in  the enterprise today. Over 90% of organizations  worldwide larger than 500 employees use AD. 

The rise of cloud computing has not changed this  reliance. In fact, cloud computing has increased AD’s  importance to the enterprise. There are two factors  behind AD’s importance to the cloud. 

First, the cloud computing model doesn’t depend on  trusted networks in the way traditional on-premises  computing does because, unlike traditional corporate  networks, traffic between clients and the resources  they access most often occurs over the public  internet. This traffic is not secured by WHERE you are,  but by WHO you are. As Microsoft puts it, “identity is  the control plane” by which access to cloud resources  is controlled. A user’s identity is front and center in  cloud security. 

“As with system state backups, caution is needed when restoring AD from BMR backups after a cyberattack to avoid re-introducing malware.”

Click here to to read more 

About Sempris 

For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures the integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing hybrid Active Directory environments, Semperis’ patented technology protects over 50 million identities from cyberattacks, data breaches, and operational errors. The world’s leading organizations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies. Semperis is headquartered in Hoboken, New Jersey, and operates internationally, with its research and development team distributed throughout the United States, Canada, and Israel. Semperis hosts the award-winning Hybrid Identity Protection conference and podcast series (www.hipconf.com) and built the free Active Directory security assessment tool, Purple Knight (www.purple-knight.com). The company has received the highest level of industry accolades, recently named to Deloitte’s Technology Fast 500™ list for the second consecutive year (2020-2021), and ranked among the top three fastest-growing cybersecurity companies in the 2021 Inc. 5000 list. Semperis is a Microsoft Enterprise Cloud Alliance and Co-Sell partner. To learn more visit https://www.semperis.com/

Leave a Reply
PUBLISHED BY Paige Russo

View all posts by Paige Russo

Related Posts
Looking to
Sponsor?

Reach thousands of C-Level
Executives every month.

Next Request More Information
Become a Guest
Contributor

Do you have content that you feel will
resonate with our audience? We'd love to
welcome you as a guest contributor!

Next Contact Digital Diary
Lovin’ Digital
Diary?

Premium content to our readers
interested in all things business.

Next Subscribe Now
Check Us Out!

Millennium Membership offers Fortune 1000 C-Level executives, leading public sector/government officials, and thought leaders across a variety of disciplines unique and exclusive opportunities to meet their peers, understand industry developments, and receive introductions to new technology and service advancements to help grow their career and overall company value.

Next About Millenium Alliance
team
About Digital Diary
The go-to source for all things digital transformation.

Launched in 2017, Digital Diary was created to provide premium content to our members interested in executive education and business transformation. With C-Suite executive and top academic contributors, interviews with industry leaders, and digital transformation insights from technology experts, Digital Diary has all of the professional development tools you need to stay ahead of the curve.

Meaningful Opportunities
Leadership skills at every level

We are dedicated to distributing meaningful opportunities for our reader to increase their personal knowledge, simplify business initiatives, and to have the right information to build their capabilities and leadership skills at every level.

team
Millennium Alliance Membership

In the midst of disruption across all industries, our members are given the tools they need to digitally transform their organizations.

 
What does it mean to be a
Millennium Member?
Joining Mill All is an opportunity unlike any other to connect with the best professionals in your industry and be a part of a community to become the best leader you can be.

Interested in Learning More?

Reach out to us or
keep learning

arrow Check Out Our Events
Next Check Out Our Community Dinners
Next Check Out Digital Diary