Why Active Directory Segregation is Crucial
Here’s Part III in our ongoing series on keeping your systems ransomware free:
Most organizations run a single Active Directory so that every user gets single sign-on. This makes perfect sense from a usability standpoint, since people want one set of credentials everywhere. It also concentrates risk in one place.
A compromise of that directory is a compromise of everything that authenticates against it. Many organizations manage firewalls, switches, routers AND servers with accounts from the same directory. What happens when that directory falls? An attacker who obtains a Domain Admin-equivalent credential can not only destroy your servers but also wipe your switch and firewall configurations along with everything else that trusts the directory.
A better way to handle this problem is to use separate directories for desktops and for critical infrastructure such as servers. One caveat: in Active Directory the security boundary is the forest, not the domain. Two domains in one forest share a schema, a configuration partition and an Enterprise Admins group, so a compromise of one is a compromise of both. The separation has to be two forests. A well-designed, one-way trust between them (the server forest trusts the desktop forest, never the reverse), with SID filtering left enabled and selective authentication turned on, ensures that a breach of the desktop forest cannot be used to take over the server infrastructure: desktop-forest users can reach only the server resources they have been explicitly granted, and injected SIDs for server-forest privileged groups are discarded at the trust. It still allows single sign-on for most rank-and-file users. Administrators of the server forest will need to maintain separate credentials and must never type them on a desktop-forest machine, but that is a small price to pay for real security.
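The following PowerShell script is an added example, not part of the original post or Chi Networks' tooling. Run from a domain controller (or RSAT host) in the server forest, it lists every trust that forest holds and flags the settings that undermine the isolation described above: intra-forest trusts, two-way trusts, SID history allowed across a forest trust, SID filtering disabled on an external trust, and selective authentication left off. The flag constants come from the `trustAttributes` definition in MS-ADTS; the forest names in the remediation comments (`SERVERS.example`, `DESKTOPS.example`) are placeholders.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# trustAttributes bit flags (MS-ADTS, trustedDomain object)
$TA_QUARANTINED       = 0x4    # SID filtering enforced on an external trust
$TA_FOREST_TRANSITIVE = 0x8    # this is a forest trust
$TA_CROSS_ORG         = 0x10   # selective authentication enabled
$TA_WITHIN_FOREST     = 0x20   # trust between domains of the same forest
$TA_TREAT_AS_EXTERNAL = 0x40   # SID history permitted across a forest trust

function Get-TrustFindings {
    # Returns one object per trust with a semicolon-separated list of issues.
    foreach ($t in Get-ADTrust -Filter * -Properties trustAttributes) {
        $attr     = [int]$t.trustAttributes
        $isForest = ($attr -band $TA_FOREST_TRANSITIVE) -ne 0
        $issues   = @()

        if (($attr -band $TA_WITHIN_FOREST) -ne 0) {
            $issues += 'intra-forest trust: the domain is not a security boundary'
        }
        if ($t.Direction -eq 'BiDirectional') {
            $issues += 'two-way trust: the server forest should only trust, never be trusted by, the desktop forest'
        }
        if ($isForest -and (($attr -band $TA_TREAT_AS_EXTERNAL) -ne 0)) {
            $issues += 'SID history allowed across forest trust (TREAT_AS_EXTERNAL)'
        }
        if (-not $isForest -and (($attr -band $TA_QUARANTINED) -eq 0)) {
            $issues += 'SID filtering (quarantine) disabled on external trust'
        }
        if (($attr -band $TA_CROSS_ORG) -eq 0) {
            $issues += 'selective authentication off: every trusted-forest user lands in Authenticated Users here'
        }

        [pscustomobject]@{
            Trust       = $t.Name
            Direction   = $t.Direction
            ForestTrust = $isForest
            Issues      = ($issues -join '; ')
        }
    }
}

Get-TrustFindings | Format-Table -AutoSize

# Remediation, run on a DC of the trusting (server) forest. Placeholder names:
#   netdom trust SERVERS.example /domain:DESKTOPS.example /quarantine:yes         # external trust: enforce SID filtering
#   netdom trust SERVERS.example /domain:DESKTOPS.example /enablesidhistory:no    # forest trust: drop foreign SID history
#   netdom trust SERVERS.example /domain:DESKTOPS.example /selectiveauth:yes      # require explicit "Allowed to Authenticate"
```

With selective authentication on, no desktop-forest account can authenticate to a server-forest computer until it is granted the "Allowed to Authenticate" right on that computer object, which is the control that keeps a phished desktop user from becoming "Authenticated Users" on every server.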
Without going into details, I will say that at Chi Networks, we don’t use a single directory but instead use multiple Active Directories for various customer-facing and internal infrastructures. We then create trust relationships among the directories to prevent a compromise of a single directory from triggering a global compromise of just about everything. We also use Linux-based LDAP for certain services so as not to put all our eggs in a Windows basket, never a good idea given the ongoing security issues at Microsoft.