Protecting Active Directory from management plane attacks

Event Ended
Tuesday, Mar 26, 2024, 02:30 PM PDT
Online

Event details

Mind the management plane! Whether your organization is running Active Directory on-premises, hybrid, or fully in the cloud, virtualized domain controllers are almost always present. But when is the last time you checked to ensure your privileged access model, aka Tier 0, extended to encompass the management plane?

Explore the common modern deployment scenarios for virtualized domain controllers and examine the relationship with the management plane. Why? Because attackers can exploit a weakly implemented privileged model and use the management plane as an easy back door into Active Directory.

In this session, we explore scenarios where organizations can unknowingly leave the door open to these attacks, diving deep into commonly observed gaps, and walking through a demonstration of using the management plane as a means of pivoting into Active Directory. Learn how to defend yourself and get actionable recommendations your organization can take today to ensure that the management plane does not become an attacker’s new friend.

Speaker: Eric Woodruff

 
Thanks for tuning in to the Windows Server Summit on demand!
Char_Cheesman
Updated Dec 27, 2024

9 Comments

  • Char_Cheesman
    Bronze Contributor

    Thank you for joining us this week for the Windows Server Summit! Q&A is now closed, but all sessions are available on demand so you can watch and learn when it is convenient for you. We hope you enjoyed the event.

  • Great session. I really like your explanation why Tier 0 is important even if we have the Enterprise Access Model => Tier 0 is key. If the attacker controls Tier 0, he controls everything. Maybe here is a good link to protect Tier 0 in the On-Premises world: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/protecting-tier-0-the-modern-way/bc-p/4099397#M5944 The combination of Azure RBAC with PAWs and OnPrem T0 account isolation is the right way.
  • Great session. I wish there was a better guide / in-depth session to the 'in-the-middle' solution however. Not the old tier model, and not the model where everything is running in Azure. But perhaps one that considers DCs, etc running on premises, but branching out to all these cloud solutions (like Entra). It seems like a lot of guidance today skips over those details.
  • Do you plan to reveal the command in Azure Monitor History? Eventually do not reveal passwords or such to the logs (once for security) but at least which commands have been issued.
    • Pierre_Roman
      Microsoft
      This event focuses on Windows Server. But I can pass this question to the Azure Monitor PM.
    • msfthiker
      MVP
      Karl, if you're asking if the commands themselves will be captured, I think that's one we'll have to take to the PG to be answered, as I don't have the answer if there is anything down the road to better capture what has been run.
  • Char_Cheesman
    Bronze Contributor

    Welcome! Protecting Active Directory from management plane attacks is starting now. If you have any questions or feedback for our product teams, please post them here in the Comments.

Date and Time
Mar 26, 2024, 2:30 PM - 3:00 PM PDT