Securing Active Directory via third party vendor

  • Last Post 30 July 2016
BrianB posted this 29 July 2016

We have a presentation with a vendor called SkyPort that offers a security solution for placing critical servers like Active Directory Domain Controllers on an appliance as a VM. They state that they can offer more secure solution because they are able to sandbox certain functions of the DC and they follow the latest guidance from Microsoft for Securing Active Directory. I was hoping that someone else in the field had some knowledge or experience with this vendor and would be willing to share your experience and thoughts.


Thank you in advance.


a-ko posted this 29 July 2016

I’m not really sure what they mean by “securing certain functions of the DC”. Securing a DC:

  • Limit access to the DC
  • Use separate Domain Admin accounts that are not used anywhere else in the organization. These accounts should be prevented via policy from authenticating to any other machine in the domain (Deny Logon* GPO policies to Domain Admins, Enterprise Admins)
  • Add the separate DA accounts to the “Protected Users” group, which enforces Kerberos-only authentication and limits Kerberos ticket lifetime
  • Physical security
  • Use MFA for DA accounts (Smart Cards) with DA-specific workstations that all sit in a red forest.
      ◦ Server 2016 + MIM handle this a little easier with some of the new PAM management functions.
      ◦ One-way trust where your production domain trusts the red forest, but not the other way around.

Physical security is important. This goes even if they’re virtual. The disks should be encrypted. If you’re virtualizing, try running on a specific virtual stack for DCs (to prevent cross memory/guest escape attacks into the DCs themselves). The ideal virtual situation would be Generation 2 VMs running on Hyper-V 2016 (not yet released) using host attestation + BitLocker + TPM, using Server 2016 DCs.

Absent the above virtual scenario (since you know, it relies on a yet-to-be-released OS and probably a complete overhaul of your virtualization environment)—use physical 1U boxes in your datacenters with RAID1 + BitLocker encryption. Limit access to the OOB management ports (iLO, DRAC, etc.)
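The account-level points in that reply (separate DA accounts kept out of everything else, membership in Protected Users, smart-card MFA, and Deny Logon rights applied to DA/EA on ordinary machines) can be checked rather than assumed. The script below is an added example written for this thread, not code from any poster or from the vendor being discussed. It assumes the RSAT ActiveDirectory module, read access to the domain, a domain functional level that has the Protected Users group (2012 R2 or later), and that the second function is run on a member server where the Deny Logon GPO is expected to apply. The function names are my own.

```powershell
# Added example (not from the thread): audit the Domain Admin hardening points above.
# Assumes the RSAT ActiveDirectory module and read access to AD.
Import-Module ActiveDirectory

function Get-DomainAdminHardeningReport {
    [CmdletBinding()]
    param(
        # Group whose members are audited; run it for 'Enterprise Admins' as well
        [string]$PrivilegedGroup = 'Domain Admins'
    )

    # Recursive membership, because nested groups would otherwise hide accounts
    $members = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    # Distinguished names of everyone already in Protected Users
    $protectedUsers = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty distinguishedName

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties SmartcardLogonRequired, ServicePrincipalName, LastLogonDate

        [pscustomobject]@{
            SamAccountName      = $u.SamAccountName
            Enabled             = $u.Enabled
            InProtectedUsers    = $protectedUsers -contains $u.DistinguishedName
            SmartcardRequired   = [bool]$u.SmartcardLogonRequired
            # An SPN on a DA account means it also acts as a service identity,
            # i.e. the account is "used somewhere else in the organization"
            HasServicePrincipal = ($u.ServicePrincipalName.Count -gt 0)
            LastLogonDate       = $u.LastLogonDate
        }
    }
}

function Test-DenyLogonRightsForGroup {
    # Checks, on the machine it runs on, whether the group holds every Deny* logon right.
    # Run this on a member server (not a DC) to confirm the Deny Logon GPO really applies there.
    param([string]$GroupName = 'Domain Admins')

    $cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # secedit writes principals as SIDs prefixed with '*'
    $sid = (Get-ADGroup -Identity $GroupName).SID.Value
    $rights = 'SeDenyInteractiveLogonRight', 'SeDenyNetworkLogonRight',
              'SeDenyRemoteInteractiveLogonRight', 'SeDenyBatchLogonRight',
              'SeDenyServiceLogonRight'

    foreach ($r in $rights) {
        $line = $lines | Where-Object { $_ -like "$r*" }
        [pscustomobject]@{
            Right  = $r
            Denied = [bool]($line -and ($line -match [regex]::Escape("*$sid")))
        }
    }
}

# Usage: list only the DA accounts that miss one of the controls, then the local Deny* state
Get-DomainAdminHardeningReport |
    Where-Object { -not $_.InProtectedUsers -or -not $_.SmartcardRequired -or $_.HasServicePrincipal } |
    Format-Table -AutoSize

Test-DenyLogonRightsForGroup | Format-Table -AutoSize
```

The first function gives you the list of privileged accounts that still need attention (not in Protected Users, no smart card enforced, or carrying an SPN); the second confirms on a given host that all five Deny* rights actually resolve to the group's SID, which is the part of "Deny Logon* GPO policies" that is easiest to get subtly wrong through GPO scoping or precedence.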


ken posted this 30 July 2016

Looks like the solution does a few different things – micro-segmentation like VMware NSX / Cisco ACI to block east/west traffic (lateral attacks), as well as some content inspection (e.g. DNS, ICMP) to try to detect data exfiltration, and LDAP and other protocols inbound. And a security hardened hardware/virtualisation platform.


Not sure if this is that revolution, as there are other vendors that provide similar. I’d be most interested in their management stack and how scalable/robust/resilient it is.


In terms of the below points from Mike – they are all good recommendations, but those are mostly things you can do within Windows, whereas these types of solutions are about providing a security layer enforced outside the host itself. You can add additional controls, like CyberArk etc., to further protect your privileged accounts and provide further auditing.