Microsoft will allow Domain Controllers to be allowed to have an internet connection

Recently, many enterprises have transitioned to cloud-based identity platforms such as Azure Active Dircetory (AAD) to take advantage of the latest authentication mechanisms such as passwordless sign-in and access. conditional.

At the same time, they also phased out the Active Directory (AD) infrastructure. However, other organizations are still using Domain Controllers (DCs) in hybrid or on-premises environments.

What you may not know is that the DC is also capable of Active Directory Domain Services (AD DS), which means that if the DC is infected with malicious code then basically all your accounts and systems are compromised. A few months ago, Microsoft issued a warning about an AD privilege escalation attack.

Microsoft has also provided detailed instructions on how to set up and secure DC, but they are currently preparing some updates to the process.

Microsoft will allow Domain Controllers to be allowed to have an internet connection Picture 1 Microsoft will allow Domain Controllers to be allowed to have an internet connection Picture 1

Previously, Microsoft emphasized that DCs should not be connected to the internet under any circumstances. With the changing cybersecurity landscape in mind, Microsoft has amended the rule that DCs should not have unattended access or the ability to run a web browser. Basically, it is possible to have a DC connected to the internet as long as that access is tightly controlled with the right protection mechanisms.

For companies using hybrid environments, Microsoft recommends that IT admins at least implement on-premises AD security through Defender for Indentity.

Basically, Microsoft still recommends that organizations operating in an air-gapped environment do not access the internet for legal and regulatory reasons. Other businesses can consider adding internet connectivity for Domain Controllers if they feel it's necessary and in line with internal policies.

Microsoft further shared that running web browsers on DCs should be limited by technical and policy controls. In addition, internet access to and from DCs in general also needs to be strictly controlled.

Microsoft recommends that all organizations move to a cloud-based approach for identity and access management, and move from Active Directory to Azure Active Directory (Azure AD). Azure AD is a complete cloud identity and access management solution for directory management, allowing access to cloud and on-premises applications, and protecting your computer from security threats. secret.