Contributed by Semperis
Sixteen years ago, Gil Kirkpatrick (Semperis Chief Architect) and Guido Grillenmeier (Semperis Chief Technologist)—each working for different companies at the time—got together to share their experience and expertise in protecting and recovering Active Directory (AD). The result of this collaboration was the publication in 2005 of the whitepaper “A Definitive Guide to Active Directory Disaster Recovery.” The whitepaper served a critical need in the industry, as most companies had accepted AD as the de facto standard directory service for controlling access to their corporate network, applications, and services for their users. Back then, information about recovering all or part of an AD was scarce, and not many AD practitioners understood the reality of the challenge. The whitepaper explained the mechanics of AD recovery and clarified how necessary it was for companies to prepare themselves to properly recover from various AD problems. It described how to recover from several types of disasters, including inadvertent deletion of AD objects, group policy misconfiguration, and failed AD domain controllers. The document ended with a brief outline of the process to recover an AD environment after a complete meltdown, with the caveat: “However, the likelihood of [needing] a full AD forest recovery is very small.”

That was then, this is now. The cybersecurity landscape has drastically changed. A week doesn’t go by without some organization’s on-premises Windows network being flattened by a ransomware or wiper attack. For instance, from 2019 and early 2020 (with estimated recovery costs):
• City of New Orleans ($3M+)
• City of Baltimore ($18M)
• Norsk Hydro ($70M)
• Demant ($80M)
And there are dozens more. The point is that the ability to recover your AD environment entirely from backup is no longer a nice-to-have response to a highly unlikely event. It is a requirement. As the threat model has changed dramatically since 2005, so too has the Windows Server Operating System (OS) and its built-in Active Directory service. Microsoft has improved Windows security substantially, added features and capabilities to simplify AD object recovery, and improved the behavior of AD when running in a virtualized environment. But the fundamental problems of recovering an entire Active Directory forest from backup haven’t changed. It’s still an error-prone, complex process that requires planning and practice for all but the most trivial AD deployments.
It’s notable that the two latest Windows Server releases (Windows Server 2019 and 2022) are the first versions of Windows Server with no relevant updates to the AD service itself. Apparently, in Microsoft’s view, there are no more issues in AD to fix and no more service improvements required. More to the point, AD disaster recovery is not going to get any easier.
We now need to evaluate a company’s recovery capabilities in the context of the new cyber threats targeting AD today, which we didn’t have to worry about in 2005. Sadly, the increase in attacks means that companies urgently need to prepare for fast remediation of attacks against their corporate AD. The improvements Microsoft has made to the core of the AD service over the years might still prove of little help in recovering your AD if you are hit. Is your company ready to quickly recover your own corporate AD in case of a true disaster that wipes out the complete AD service?
Why Protecting Active Directory is so Important
Active Directory (AD) has been in production for more than 20 years. As it was originally designed, this Microsoft server role provides:
Authentication: Authenticates on-premises users logging in to their PCs and the corporate network and remote users logging in to in-house hosted applications or virtual desktops
Authorization: Controls which AD-integrated resources—such as file services, printing, Exchange Server, SharePoint Server, and SQL Server—they have permissions to access
Security and control: Group Policy can apply policy configurations to every computer, server, and user that is joined to AD
Directory: A single location to discover users and resources
DNS: AD-integrated DNS to provide network name resolution
PKI: Active Directory Certificate Services provides certificates for domain users and computers
The rise of popularity of the Windows Server OS to provide basic file- and print-sharing services—and other back-office services such as email, messaging, and collaboration—helped cement AD as the network directory of choice. Microsoft evolved practically all its popular applications to rely on it, making AD one of the most ubiquitous software services in the enterprise today. Over 90% of organizations worldwide larger than 500 employees use AD.
The rise of cloud computing has not changed this reliance. In fact, cloud computing has increased AD’s importance to the enterprise. There are two factors behind AD’s importance to the cloud.
First, the cloud computing model doesn’t depend on trusted networks in the way traditional on-premises computing does because, unlike traditional corporate networks, traffic between clients and the resources they access most often occurs over the public internet. This traffic is not secured by WHERE you are, but by WHO you are. As Microsoft puts it, “identity is the control plane” by which access to cloud resources is controlled. A user’s identity is front and center in cloud security.
“As with system state backups, caution is needed when restoring AD from BMR backups after a cyberattack to avoid re-introducing malware.”
For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures the integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing hybrid Active Directory environments, Semperis’ patented technology protects over 50 million identities from cyberattacks, data breaches, and operational errors. The world’s leading organizations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies. Semperis is headquartered in Hoboken, New Jersey, and operates internationally, with its research and development team distributed throughout the United States, Canada, and Israel. Semperis hosts the award-winning Hybrid Identity Protection conference and podcast series (www.hipconf.com) and built the free Active Directory security assessment tool, Purple Knight (www.purple-knight.com). The company has received the highest level of industry accolades, recently named to Deloitte’s Technology Fast 500™ list for the second consecutive year (2020-2021), and ranked among the top three fastest-growing cybersecurity companies in the 2021 Inc. 5000 list. Semperis is a Microsoft Enterprise Cloud Alliance and Co-Sell partner. To learn more visit https://www.semperis.com/