Most organizations using directory services are moving towards a cloud-based identity platform, like Azure Active Directory, to take advantage of newer authentication methods like passwordless authentication and to use conditional access to enforce zero-trust methodologies, and they aspire to reduce their infrastructure footprint by phasing out Active Directory.
However, we realize that customers are on a journey and hybrid will be an important state for many customers for a long time. Domain Controllers still act as a pivotal piece of infrastructure for many organizations, and the identities that Active Directory holds are often the target for attackers.
Protecting DCs from attack has always been a priority for administrators. Some examples of ways organizations keep their DCs secure include:
Limit the use of Domain Admin privileges
Use jump boxes for RDP access or MMC access
Do not install third-party applications on DCs
Restrict internet access to DCs
Given the challenges that a modern security team is faced with, there’s potential to revisit these best practices to see where improvements can be made.