On-Prem Active Directory & Passwordless Authentication

Raz Rafaeli | October 1, 2023

Since its release in 1999, Microsoft Active Directory has gradually developed into the technology of choice for managing the digital infrastructure of businesses of various sizes. Active Directory can scale as organizations grow from small to large, from a single building to dozens of geographical locations, from a single server to several large data centers scattered worldwide, and from a dozen to thousands of employees. 

Active Directory provides many benefits, making it the favorite domain controller and directory service of enterprises. But authenticating user accounts in Active Directory has intricacies that, if not addressed, can lead to security incidents and management overhead with financial and reputational costs for organizations. 

Fortunately, some solutions can help enterprises get the best out of Active Directory while also keeping digital assets and employee accounts secure. 

Active Directory authentication 

Active Directory combines a suite of vital components, including a domain controller, certificate services, directory services, federation services, rights management, and more. This all-out integration allows enterprises to manage user, device, and service account access to all their assets and applications. 

At the heart of Active Directory is the Domain Controller, the service that authenticates every entity in the AD network and checks that it holds the required privileges and permissions before it accesses a resource on the network.  

While the Domain Controller provides a convenient centralized management hub for the security of user accounts and digital resources, it also provides a juicy and attractive target for hackers. Compromising the Domain Controller gives attackers control of an organization’s Identity and Access Management (IAM), which can lead to a host of security woes. 

Attackers will look for ways to bypass the Domain Controller to elevate privileges and access or impersonate and hijack accounts. In a nightmare scenario, they could even gain administrative access and create their own users. For this, they need to target the way Active Directory authenticates users. 

Active Directory supports a host of authentication protocols that have been available to different versions of the Windows operating system throughout the years. These protocols include LM (also known as LANMAN and LAN Manager), NTLM, NTLMv2, and Kerberos. Every device, user, and service account that joins an Active Directory domain must use one of these protocols to identify and authenticate itself to gain access to network resources. 

This widespread support of protocols provides backward compatibility and allows devices running older versions of Windows to join an Active Directory network. But not all of them are equally secure. For instance, the LM and NTLM protocols are known for using weak hashing algorithms, and they do not support multi-factor authentication (MFA). Attackers could potentially capture and crack authentication hashes to impersonate Active Directory accounts, stage man-in-the-middle attacks, or recover passwords and hijack Active Directory accounts.  

The more advanced protocols are more secure, but they still rely on pure password authentication to secure accounts. And we all know how bad users are at choosing and securing passwords. 
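The hardening side of the protocol discussion above is mostly configuration: a host should send only NTLMv2, refuse LM and NTLMv1 from peers, stop storing LM hashes, and audit or block NTLM where Kerberos is available. The following PowerShell script is an added example, not code from the original post or from Secret Double Octopus. It reads the documented LSA registry values that back the "Network security: LAN Manager authentication level" and "Do not store LAN Manager hash value" policies and the NTLM restriction values under `MSV1_0`; the defaults it assumes when a value is absent (3 for `LmCompatibilityLevel`, 1 for `NoLMHash`, 0 for the `MSV1_0` values) are those of Windows Vista / Server 2008 and later.

```powershell
# Added example: audit the local host's LM/NTLM hardening settings.
# Run in an elevated PowerShell session; nothing is modified.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvPath = Join-Path $lsaPath 'MSV1_0'

function Get-LsaValue {
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # value not set: OS default applies (assumed)
    return [int]$item.$Name
}

$lmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Setting, [string]$Value, [string]$Status)
    $findings.Add([pscustomobject]@{ Setting = $Setting; Value = $Value; Status = $Status })
}

# 1. LAN Manager authentication level: only level 5 refuses LM and NTLMv1 from peers.
$lmLevel = Get-LsaValue -Path $lsaPath -Name 'LmCompatibilityLevel' -Default 3
if ($lmLevel -ge 5)     { $status = 'OK' }
elseif ($lmLevel -ge 3) { $status = 'WARN: sends NTLMv2 but still accepts LM/NTLMv1 from peers' }
else                    { $status = 'FAIL: host still sends LM/NTLMv1 responses' }
Add-Finding 'LmCompatibilityLevel' "$lmLevel ($($lmLevelText[$lmLevel]))" $status

# 2. LM hash storage: 1 means newly set passwords are no longer stored as LM hashes.
$noLmHash = Get-LsaValue -Path $lsaPath -Name 'NoLMHash' -Default 1
if ($noLmHash -eq 1) { $status = 'OK' } else { $status = 'FAIL: LM hashes are still stored' }
Add-Finding 'NoLMHash' $noLmHash $status

# 3. Outgoing NTLM restriction: 0 = allow all, 1 = audit all, 2 = deny all.
$sendNtlm = Get-LsaValue -Path $msvPath -Name 'RestrictSendingNTLMTraffic' -Default 0
switch ($sendNtlm) {
    2       { $status = 'OK' }
    1       { $status = 'WARN: outgoing NTLM is audited, not blocked' }
    default { $status = 'WARN: outgoing NTLM is unrestricted' }
}
Add-Finding 'RestrictSendingNTLMTraffic' $sendNtlm $status

# 4. Incoming NTLM auditing: 0 = off, 1 = domain accounts, 2 = all accounts.
# Auditing (event log) is the minimum needed to find NTLM-dependent systems before blocking it.
$auditNtlm = Get-LsaValue -Path $msvPath -Name 'AuditReceivingNTLMTraffic' -Default 0
if ($auditNtlm -ge 1) { $status = 'OK' } else { $status = 'WARN: incoming NTLM use is not audited' }
Add-Finding 'AuditReceivingNTLMTraffic' $auditNtlm $status

$findings | Format-Table -AutoSize

# Non-zero exit lets a compliance job or build pipeline fail on any FAIL finding.
if (@($findings | Where-Object { $_.Status -like 'FAIL*' }).Count -gt 0) { exit 1 }
```

In a domain these values are normally enforced through Group Policy rather than edited per host; the script is useful for confirming that the policy actually landed on a given machine and for spotting legacy servers where it was deliberately weakened.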

Azure Active Directory 

In recent years, Microsoft has also provided Azure Active Directory, the cloud version of its directory service. Azure AD has especially risen in popularity in recent months, as many organizations have rushed to establish a remote infrastructure that can give their employees access to the company network from their home internet connection. 

While many people consider Azure AD as Windows AD in the cloud, there are fundamental differences that, if not taken into consideration, can allow attackers to compromise your organization’s network. 

Since Windows AD has been designed to be installed on on-premises servers or private clouds, its security mechanics are designed to defend the network perimeter. Azure AD, however, is more attuned to the open-internet, cloud-based security model, which puts more focus on individual identities. In this regard, securing user accounts becomes even more important in Azure AD networks.  

For instance, in some Azure network configurations, an Azure user account with a poor password can allow a hacker to gain a foothold in the network, extract information about user accounts, and possibly recover passwords to gain access to administrator accounts. 

Security management considerations 

Unfortunately, bad security practices still haunt many organizations that use Active Directory. Security experts will tell you that protecting an organization’s digital infrastructure requires securing every single user account. 

However, enterprises still struggle to find the sweet spot between security and convenience when it comes to user account security. Many still rely on simple passwords to authenticate users—sometimes even administrators—hoping against hope that they will not fall victim to the next password security nightmare. They also forgo implementing measures such as password complexity policies and MFA to avoid causing friction for their employees. Those who do have a password policy in place are faced with extra help-desk costs as their IT staff must constantly deal with forgotten passwords and account lockouts. 

Given the all-encompassing role that the Active Directory Domain Controller has in providing access to the resources of organizations, many security incidents lead to account takeover and the theft of sensitive business and customer information. 

Passwordless authentication in Active Directory 

There is a series of steps that can harden Microsoft Active Directory networks, such as implementing the principle of least privilege, limiting administrator accounts, and regularly reviewing access rights for users and groups. However, the ultimate solution is the application of passwordless authentication. Passwordless authentication provides convenience and security, two objectives that were previously considered to conflict with each other. 
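The hardening steps listed above (limiting administrator accounts and regularly reviewing access rights) and the password-policy and lockout overhead described in the previous section are both things an administrator can measure rather than guess at. The script below is an added example, not code from the original post or from Secret Double Octopus; it assumes a domain-joined host with the RSAT `ActiveDirectory` module installed and a reader account that can enumerate group membership. The group list and the 90-day staleness threshold are assumptions, not values from the post.

```powershell
# Added example: review who holds high-privilege AD group membership and
# summarise the domain password policy, so "least privilege" and
# "review access rights regularly" become a concrete, repeatable report.
Import-Module ActiveDirectory -ErrorAction Stop

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$staleAfterDays   = 90     # assumption: a privileged account unused for 90 days is suspect

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, so indirect members are reported too.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled |
        ForEach-Object {
            $daysSinceLogon = $null
            if ($_.LastLogonDate) {
                $daysSinceLogon = (New-TimeSpan -Start $_.LastLogonDate -End (Get-Date)).Days
            }
            $flags = @()
            if (-not $_.Enabled)              { $flags += 'disabled-but-still-privileged' }
            if ($null -eq $daysSinceLogon -or $daysSinceLogon -gt $staleAfterDays) { $flags += 'stale' }
            if ($_.PasswordNeverExpires)      { $flags += 'password-never-expires' }
            [pscustomobject]@{
                Group           = $group
                Account         = $_.SamAccountName
                Enabled         = $_.Enabled
                LastLogonDate   = $_.LastLogonDate
                PasswordLastSet = $_.PasswordLastSet
                Flags           = ($flags -join ',')
            }
        }
}

# Privileged accounts, flagged ones first, so the review starts with the exceptions.
$report | Sort-Object @{ Expression = { $_.Flags -eq '' } }, Group, Account | Format-Table -AutoSize

# Headline numbers: how many distinct humans hold domain-wide admin rights.
$distinctAdmins = ($report | Select-Object -ExpandProperty Account -Unique).Count
Write-Host "Distinct accounts with privileged group membership: $distinctAdmins"

# The policy that drives the help-desk lockout and reset load described in the post.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow |
    Format-List
```

Running this on a schedule and diffing the output against the previous run turns "regularly reviewing access rights" into an alert whenever a new account appears in a privileged group or a stale privileged account is left enabled.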

Passwordless authentication brings everyone on the same page. Users are happy because they enjoy the convenient experience of not having to remember and change complex passwords. Security teams are happy because they don’t need to worry about a password security meltdown looming on the horizon. And IT teams are happy because they don’t need to spend a lot of their time dealing with password-related problems. 

The good news is that Microsoft Active Directory can support passwordless authentication; the less good news is that there are some caveats.  

Microsoft Azure Active Directory natively supports passwordless authentication with Windows Hello, the Microsoft Authenticator app, and FIDO2-compliant devices. On-premises Active Directory and hybrid setups, on the other hand, do not support passwordless authentication. Instead, they support the SAML protocol through Active Directory Federation Services, which essentially means you can integrate them with other authentication services.  

One solution is to use a SAML-compliant passwordless solution that can support Active Directory, Azure AD, and hybrid configurations. Secret Double Octopus does exactly that and brings secure and convenient passwordless authentication to a host of devices and services, from desktops and laptops to any web or legacy application the employee needs.

Due to its highly secure proprietary encryption technology, its easy-to-use interface, and its support for many different standards and platforms, Secret Double Octopus has become one of the favorite passwordless authentication solutions for enterprises. If you already have an AD setup on-premises or in the cloud, Secret Double Octopus will integrate into your infrastructure seamlessly. And if you want to expand beyond AD and link with other platforms and applications in the future, Secret Double Octopus will guarantee that the passwordless experience follows you through your journey.