securing active directory and azure ad
TRANSCRIPT
The issues and paths to transformation
White Paper
Securing Active Directory and Azure AD
2
IntroductionSince its launch more than 20 years ago, the Active Directoryservice has become a market standard that is present inalmost all the information systems of organizations. In recentyears, two significant trends have brought it back into thespotlight.
The first is the result of the high exposure of this componentto cyber threats. Since the Active Directory is thecornerstone of the information system in terms of rights andprivileged accounts, it is a top-priority target for hackers,who are looking to break into the information system andgain broad access. In this way, they can use it to deploymalware or to access, and then divulge, information. In recentyears, many organizations have launched major remediationprojects to face up to this threat.
The second trend is due to the rise in the use of collaborativeservices, which has increased sharply with the spike in homeworking. To enable all the new usages in the modernworkplace, user management has extended its scope ofaction to include the cloud, thanks to Azure AD. Most casesdo not consist of a switch from full on-premises to full cloud,but more of an extension of the existing configuration in theform of hybrid architectures. This shift must take into accountthe security considerations to avoid exposing theorganization.
Microsoft and Wavestone teamed up to analyze the trendsobserved in the field, to list the necessary considerations andto provide a few keys and best practices to be adopted whenmaking structural changes.
Contents1
2
3
What level of maturity was observed in the field?
How can the situation be improved?
How to combat a cyber attack
Which architectures and what level of cyber securitymaturity?
Feedback on the attacks observed by the CERT-W
Enterprise Access Model
Securing tier 0 and implementing the control plane
Understanding the difficulties of rebuilding Active Directory inorder to better anticipate a crisis
Simply rebuilding AD is not enough
Securing Azure AD subscriptions
Migrating from Active Directory to Azure Active Directory
Improving the security situation
4
5
11
19
20
25
Conclusion
33
43
52
55
59
60
54
This chapter aims to present the observedcurrent level of security for Active Directoryand Azure AD.To begin with, we will look at the main typesof architectures we observed and thesecurity issues, and then we will share thelessons learned from the attacks encounteredby the Wavestone CERT (CERT-W).
What level of maturity was observed in the field?
5
Which architectures and what level of cyber security maturity?There are three main types ofarchitecture:
On-premises AD architectureTraditional architecture is on thedecline amongst customers(<10%). For these customers,sovereignty is usually animportant factor.
Hybrid AD/Azure ADarchitectureA majority of customers (80% to95%) have adopted thisarchitecture, which has beendriven by the rise of Office 365.But there are variations in theimplementations, especially in thesynchronization or not ofpassword hashing.
100% Azure AD architectureThis architecture is only found innew entities that are createdthrough a 100% digital prism(<5%). It requires an informationsystem that meets a number ofprerequisites.
On- premises Active Directory, or the weight of history
Active Directory is organizedaround domains, grouped intoone or more forests. In largeorganizations, it is quite commonto have more than 100 domainsor forests.This complex architecture can beexplained by the weight ofhistory and the multitude ofchanges that the enterprise hasgone through, such as mergers,acquisitions, restructuring, etc.Since Active Directory is notperceived as an application that“adds value to the business”, newscopes are integrated withminimal changes (the cheapestand fastest way) and withoutgiving any global thought to theoptimization of the architecture.Trust relationships betweendomains or forests are added, sothat users can be recognizedeverywhere in the IS.
A low level of securityIn most organizations, keepingAD in a secure state oftenconsists simply of installingsecurity patches and dealing withthe obsolescence of the OS.
“Only 25% of authentications still take place on-premises”
“In 80% of the audits, the IS was breached in less than 24 hours” Wavestone, 2020 AD audits
6
Functional upgrades are rarelyimplemented, usually due to theignorance or the fear of thepossible impacts of extending thesystem. Consequently,organizations do not benefit fromthe new functionality that limitssecurity risks (for example, theimplementation of protectedusers groups, authentication silosand Kerberos armoring).Similarly, too few organizationsdeactivate obsolete protocols.
It is quite common fororganizations to have hundredsof domain or enterpriseadministrator accounts, whilebest practices and theapplication of the principle ofleast privilege require theseaccounts to be limited to fewerthan five. This situation can beexplained by the difficulty ofmanaging change (thewithdrawal of rights can beperceived as a form of demotionor dispossession). But also by thedemand for service accounts withexcessive rights that make iteasier to integrate newapplications.
Changes to the architecture, andin particular the establishment oftrust relationships, are definedexclusively from a functionalperspective, without assessingthe risks of the propagation of anattack between the domains andthe forests. In the course of itsaudits, Wavestone regularlycomes across abandoneddomains with a two-way trustrelationship. And this is whatdetermines the overall level ofsecurity!
Likewise, the implementation ofAzure AD is intended to meetfunctional needs, without anyconsideration of security. Veryfew organizations have defined amanagement process forprivileged accounts that is welladapted to the specifics of AzureAD. In another example, only30%(*) of global administratoraccounts have activated multi-factor authentication, while thisfunctionality is native and free.
(*) Microsoft, August 2021
The recent rise in the awareness of security issuesAgainst the backdrop of thecurrent explosion of attacks thatexploit the AD configurationerrors, it has become commonfor executive committees toquestion the CIO or theInformation System SecurityOfficer about the level of securityof AD, and to approveinvestments of hundreds ofthousands, or even millions, ofeuros in rework and securityprojects.
“53% of major corporations are running projects to make AD secure” CESIN, 2021 Barometer
7
A large majority have launchedprojects to make AD secure, butthe audits conducted byWavestone show us that:
Even if administration practicesmay have evolved, there areoften configuration faults thatallow access to tier 0 (thisconcept is described in detail inChapter 2). For example, meansof compromising security andincreasing privileges can beconcealed in dangerous accessrights (ACL) configured on tier 0objects, or result from the misuseof accounts with high privileges.The AD security model isdescribed in Chapter 2.
A 100% Azure AD architecture: the target for all?Today, no large organizations arein a position to completelyreplace their on-premises ADwith a service that is supported100% by Azure AD. Feworganizations are capable ofhaving an IS that meets all thetechnological prerequisites of thistransformation (workstationsmanaged by Mobile DeviceManagement (MDM) and AzureAD, absence of applications using
NT LAN Manager (NTLM),Kerberos or LightweightDirectory Access Protocol(LDAP) authentication, creationof users in the cloud, etc.). Usinga managed AD service could bean option to guarantee backwardcompatibility, without having tomanage tier 0.
Using the cloud could beperceived as delegating riskmanagement to Microsoft, butthis is only partial. Customersremain responsible for theconfiguration of the platform,identities and data.Unfortunately, awareness of thisfact remains low. Any newsubscription to the Teamssolution includes the creation ofan Azure AD subscription.
To control their security, it isimportant for organizations totake possession of the tools onoffer that did not exist on-premises. However, these toolsmay require advanced licenses.The Secure Score (detailed in aFocus later on in this document),which is the target thatorganizations aim for, should bebetween at least 60 and 70.
“Less than 10% of customers correctly implemented good security practices” Wavestone, 2020 AD audit
32/100The average SecureScore34.6 is the highest score in the technology sector24 is the score when creating an Office 365 E3 subscription
88
Azure AD: a cloud directory
Azure Active Directory (AzureAD), released in November 2011,is an Identity as a Service (IDaaS)solution.
Azure AD provides organizationswith the functionality required tomanage the authentication ofmodern applications (SAML andWE-Federation, OAuth2, OpenIDConnect and FIDO2).
It is not simply Active Directoryin the cloud, but an entirely newsolution.
Azure AD was designed on acloud architecture, based onmicro-services and distributedacross several geographic zones.
An Azure AD tenant isautomatically created when anorganization subscribes to aMicrosoft cloud service, such asAzure or Office 365.
Graph APIAzure AD proposes anApplication ProgrammingInterface (API), called Graph API,to interrogate and update theobjects in the directory.
Graph API is a gateway thatunifies several other REST APIs,including those of ExchangeOnline, OneDrive, EndpointManager or Security Graph.
A miracle cure?Even if most common attackstoday target AD, migration toAzure AD is not a miracle cure.Azure AD simplifies theimplementation of passwordlessstrong authentication or risk-based conditional access control,but privileged accounts must stillbe tightly controlled.It is imperative to implement asecurity project to control thisnew building block and to benefitfrom the transformation in orderto adopt state of the artadministration practices.
In particular, it is advised to:/ Audit the Azure ADconfiguration, regularly validatethe members of the privilegedroles and the applicationsauthorized to interact with AzureAD;/ Develop specific detectionscenarios to limit the time forwhich intruders remain invisiblein the IS.
FO
CU
S
345 millionAzure AD manages more than 345 million active users every month, with an average of 30 billion authentication requests per day.
99
Is NTLM still the Achilles heel of security? Applications use NT LANManager (NTLM) to authenticateusers and, possibly, to makesessions secure, when requestedby the application.The NTLM protocols are obsoleteauthentication protocols that usea challenge-response method toenable clients to mathematicallyprove that they possess the NTpassword hash. Current and pastversions of Windows supportseveral versions of this protocol,including NTLMv2, NTLM and theLM protocol.
Kerberos has been the defaultauthentication protocol sinceWindows 2000. However, if, forany reason, the Kerberosprotocol is not negotiated, thenthe applications linked to ActiveDirectory will attempt to use oneof the NTLM protocols, ifavailable.All the versions of NTLM arevulnerable to widely documentedattacks. This is the reason whythe NTLM protocol is notsupported in Azure ActiveDirectory, and can bedeactivated in Azure AD DS andin Active Directory.Beyond weak cryptographicsupport, the absence of anyserver authentication can allowhackers to steal the identity of aserver. Consequently,
applications that use NTLM maybe vulnerable to reflectionattacks, in which hackers stealthe authentication exchangebetween a user and a legitimateserver and use it to authenticatethemselves on another computer,or even on the user’s computer.
The complete removal of NTLMfrom an environment undeniablyimproves security by avoidingPass-The-Hash (PTH) typeattacks. However, it does notprevent other classes of attack,such as clear password theft orthe theft of Kerberos Ticket-Granting Tickets (TGT).
Organizations are encouraged toimplement Kerberos or to usemodern authentication protocols(OpenID Connect, SAML, etc.) fortheir existing applications,because Microsoft does notexpect the NTLM protocol to beimproved.
Why is NTLM stillused?
NTLM is still widely used due tolegacy applications that have notevolved, but also due to poorapplication configurations, whichsupport Kerberos nevertheless.
The NTLM protocol is not supported in Azure Active Directory.
NTLMNTLMv1NTLMv2 LM
FO
CU
S
1010
Doing away with NTLM in four steps
Identify all the use cases of NTLM
Activate the global inhibition of NTLM with an exception strategy
Isolate any applications that cannot evolve and
harden the configuration of NTLM
Prepare the applications to use the Negotiate
Package
21
34
Draw up a list of the devices andapplications linked to NTLM,classify them and determine whatneeds to be included in anexception strategy.
Solve any compatibility problems(including the replacement ofhardware and software),configure the applications to usethe Negotiate security package toenable the OS to use the bestavailable authentication protocoland meet the prerequisites(Kerberos, or others)
Inhibit the use of NTLM, exceptfor the applications and hardwarethat cannot evolve and must behandled as part of an exceptionstrategy (step 4).
Isolate the devices andapplications according to a logicof network segmentation. Hardenthe configuration of NTLM andcontinuously supervise theauthentications.
It is inadvisable to universally inhibit the use of NTLM, without firstmapping out the legacy applications and conducting an impact analysis.
FO
CU
S
Feedback on the attacks observed by the CERT-W
AD at the heart of the threat from ransomware and the hackers’ methodsSince it is at the heart ofinformation system security, ADhas become the preferred targetof large-scale cyber attacks.The 2020 Wavestone CERTbenchmark is unequivocal.
These findings are shared by theFrench National Agency ofInformation Systems Security
(ANSSI): An analysis of themethods used in recent attackshighlighted a rise in the targetingof Active Directory directories.This observation can beexplained by the central role thatAD plays in the enterprise IS.Acquiring high AD privilegesoften enables hackers to takecontrol of the entire Windowsecosystem, or even to reachother environments through theworkstations of developers oradministrators. Further to thisbreach, sensitive data can beextracted or business activitiesand services can be durablydisrupted, in particular byransomware attacks.2019 and 2020 saw anunprecedented increase inransomware attacks.
11
“AD was compromised in 95% of the cyber crises handled by the CERT-W”
A large majority of the crisisinterventions by the CERT-W in2020 in all sectors were inresponse to ransomware attacks.
An observation shared by theMicrosoft Detection andResponse Team, or DART.More recently, a high proportionof demands for ransom paymentshave been made for both thedecryption of encrypted data andthe non-disclosure of stolen data.
This combination of locking downthe IS and leaking data hasgradually spread as a result ofthe actions of the Maze group inNorth America.
Attackers make use of thepossibility to execute distributedcode offered by AD, and theGroup Policy Objects (GPO) orthe local administration rights onmachines linked to the AD, todeploy loads that encrypt thesystem. GPOs and direct accessto systems through legitimateadministration tools, which aresometimes used simultaneously,allow the entire Windowsenvironment to be encrypted in amatter of hours.
Are backups safe from hackers?
While it is still unusual for hackers to specifically target backupinfrastructures, they may be part of the collateral damage caused byattacks. In the absence of a dedicated backup infrastructure that is notintegrated in the live AD forest, the deployment of a load that encryptsthe entire environment will also encrypt the backup systems.
Groups of hackers only specifically targeted backups in a minority of theattacks investigated by the CERT-W, on either the backup server systemplatforms or through administration consoles that implement singleauthentication with AD.
Since this method maximizes the chances of receiving payment of theransom, this trend will probably become stronger in the years to come.
192The number ofransomware attacks inFrance reported toANSSI in 2020 was upby 255% on 2019.
12
13
This attack draws inspirationfrom an intervention by theCERT-W, following thedeployment of ransomware in anenvironment comprising severaltens of thousands of machines.Faced with the vulnerabilities andconfiguration faults that arefrequently exploited, this analysishighlights the Tactics, Techniquesand Procedures (TTP) of aransomware operator. All theinformation can could be used toidentify the parties has beenanonymized.
Once the security of a firstresource has been breached,increasing the privileges in anActive Directory environmentforms an integral part of themethods used by groups ofhackers. In the majority ofransomware attacks, and inparticular in attacks that use theRansomware-as-a-Service model,no advanced attack techniquesare observed. In this model, thecyber criminals are affiliated witha ransomware supplier in order tobenefit from the encryptionagent and the associated services(payment and contactinfrastructure, publications site,etc.), in exchange for a share ofthe ransom. In this way, theattackers operate mainlyopportunistically in order to gaina short-term return oninvestment.
As a general rule, at least one ofthe phases of the chain of attackcould have been avoided byadopting good basic cyberhygiene and computer securitypractices.
Looking beyond non-targetedand opportunistic attacks, groupsof ransomware assailants usemore advanced resources andskills in their operations. Thistrend, known as Big GameHunting, enables groups of cybercriminals to target organizationswith higher levels of IT security.
Study of a ransomware attack based on an intervention by the CERT-W in 2020
14
Diagram of the studied attack
15
The intruder breaks into the IS byfirst breaching the security of adomain account through aninfrastructure of virtual desktopsexposed on the Internet. In theabsence of multi-factorauthentication, the breachedidentifiers can be reused bydefault.
While phishing and criticalvulnerabilities remain the mainchannels of infection, reusingidentifiers on exposed remoteaccess services, without anymulti-factor authentication,
accounts for almost one in fivecases of initial breachinvestigated by the CERT-W.Examples include cases ofattacks by brute force on theRemote Desktop Protocol (RDP)services exposed on the Internet.The assailant can then escapefrom the restricted desktop usinga command interpreter, executedthrough authorized software,gain access to the system andstart actively reconnoitering. Adelay is often observed betweenthe first malevolent access andthe start of the activereconnoitering phase. This delaycan be explained by the time ittakes the group of specializedhackers to sell the access to aransomware operator.
The exposure of the access service on the Internet without MFA exposes the IS to illegitimate access through the reuse of identifiers
Initial access
16
The attacker can then raise theirprivileges using rebounds fromthe local administrator’s accounton the breached server, whosepassword is shared with accountson a multitude of other servers.
Consequently, a first privilegeddomain account is breached, thenattempts are made to makelateral movements on a largescale on several thousandmachines from this account, untila domain administrator’s accountis breached.
The absence of the LAPS1
solution makes lateral movements easier
Hackers can use critical vulnerabilityon a Windows 2003 server (for whichsupport has expired and no moresecurity patches are provided) totake remote control of the server andset up a base camp.
Obsolete servers must be isolated and must not lower the level of security of the entire IS
1. Microsoft’s Local Administrator Password Solution (LAPS) offers the possibility to automate the management of the passwords of local accounts on the machines integrated in AD and guarantees that the password of one local account per machine is unique.
Lateralization and increase of privileges
17
Despite the signature-based anti-viral solution installed on thetargeted systems, utilities thatare natively present on theWindows systems allow thememory of the LSASS memory,which contains the authenticationsecrets of connected users, to beextracted.Using accounts with domainadministrator privileges toperform routine tasks makes itpossible to raise privileges usingsuccessive lateral movements.
Once the domain has beenbreached, the attacker enters apost-operation phase in order toidentify and extract theenterprise’s sensitive data. Thedomain administrator privilegesgrant very wide access to theenrolled resources (network fileshares, mailboxes, etc.).
In the final step, the malevolentload is deployed by groupstrategy and an automaticprocess, executed from a domaincontroller, to allow for rapidpropagation in the victim’s IS.
As well as encrypting thebreached machines, theencryption agent also deletes theWindows log files stored on themachines and any copies that arestored locally.
If structured administration per level (the tiering model) is not implemented, the AD domain is exposed to increases in privileges
Deployment of the ransomware
18
Supply chain attacks are agrowing channel of infection, inaddition to the more commonvectors of breach. Despite thefact that they have already beendocumented for several years,attacks through suppliers andservice providers have increasedin the last 2 years, in terms ofboth numbers and scale. Thisgrowth can be explained byimprovements in the IT securityof corporate infrastructures,which force assailants to breachthird parties in order to reachtheir final targets.
Also, supply chain attacks offer aparticularly attractive return oninvestment for groups ofattackers, because compromisingan initial entity can potentiallyopen up points of access to manyof its customers. These attacks,which are only made by hackerswith the most advanced technicalcapacities, have been used byransomware operators forfinancial gain and by States forspying.
The SolarWinds attack in 2020made a strong impression. Thisattack demonstrated thepotential scale of supply chainattacks, because 18,000SolarWinds customers wereimpacted. This attack, which usedhighly sophisticated intrusionmethods (injection of a load oncompilation, deployment ofdedicated infrastructures foreach end target, etc.), also reliedon conventional lateralizationtechniques and, in part, exploitedordinary vulnerabilities.
The hackers very quickly createdsecret doors, discreetly openedchannels of communication andcamouflaged and concealed theirtraces, while looking for means ofobtaining higher privileges. Butthey also used known techniques,such as reusing compromisedpasswords or lateral movementswith identical administratoraccounts on all the machines.
The privileges on the AD directory granted to third-party solutions, which are often set too high by publishers for simplicity’s sake, can have disastrous consequences in the event of a supply chain attack.
Supply chain attacks: an emerging trend
This chapter explains the new AD EnterpriseAccess Model security model, then makesrecommendations on how to make on-premises AD and Azure AD secure anddescribes a road map for modernization withAzure AD.
How can the situation be improved?
Enterprise Access Model
In 2012, Microsoft introduced thetier-based administration model,which aims to partition theauthentication secrets in anActive Directory environment.
The principle of implementationconsists of creating a partitionbetween the administrators,according to the resources theymanage. This helps to protect theauthentication secrets andprevents breaches at a lowertrust level from being propagatedto a higher trust level.
This model separates theadministration of resources intothree levels, according to theircriticality. This means that theadministrators who manage theusers’ workstations are separatedfrom those who manage theservers and those who managethe enterprise identity repository,which is Active Directory in thiscase.
The documents Mitigating Pass-the-Hash and Other CredentialTheft, versions 1 and 2 describethis administration model indetail, associated with anEnhanced Security AdminEnvironment (ESAE), widelyreferred to as the hardenedforest.
In December 2020, Microsoftupgraded this administrationmodel to take into account cloudand hybrid environments. Thenew Enterprise Access Model isan evolution of the precedingmodel, in which the concept ofthe tiered model remains, but hasbeen restructured, with newterminology.
The ESAE approach has beenwithdrawn from the generalrecommendations, because it iscomplex and costly toimplement. But theimplementation of anadministration forest may still beappropriate in certain cases, andin particular for disconnectedenvironments.
20
This concept is based on the Bell LaPadula model, which was introduced in the 1970s.
21
It is essential to understand theprinciples of the tiering model inorder to fully grasp the bestsecurity practices in a Microsoftenvironment.
Technical assets are used toisolate the tiers.
Tier 0 is the most privileged leveland includes the accounts,groups, domain controllers andresources that have direct orindirect control over ActiveDirectory. Therefore, tier 0includes the servers connected toActive Directory (domaincontrollers), plus any othercomponents with closeinteraction, such as federationservers, WSUS update servers,application deployment servers,internal PKIs and Azure ADConnect.
Tier 0 administrators can controland supervise the resources onevery level (in the AD sense ofthe term), but they must onlyinteract with tier 0 resources.They must do this on anadministration workstation withhardened security that is on thistier.
Tier 1 refers to the servers andapplications that are members ofthe AD domain, and theresources that gravitate around
them. The accounts that controlthese resources potentially haveaccess to sensitive data. Tier 1administrators can access the tier1 resources and can only managetier 1 resources in ActiveDirectory.
Tier 2 includes the user devices(workstations, printers, etc.). Forexample, the support hot line andassistance service belong to thistier. Tier 2 administrators canonly log onto tier 2 resources andcan only manage tier 2 assets inActive Directory.
Understanding the preceding tiered model
22
The new Enterprise Access Modelwas created for hybridorganizations that have on-premises and multi-cloudapplications that apply the ZeroTrust security principles.
In this new model, security is notexclusively controlled usingActive Directory, but also byAzure Active Directory.
The terms have changed, but theprinciples of separation intolevels of privileges (tiering)remain.Tier 0 has been replaced by theControl Plane. Management ofthe control plane must be tightlycontrolled and limited to veryhigh-trust devices. The controlplane has been extended beyondthe resources found in the formertier 0, to include Azure AD andcloud solutions, such as MDM-type device management tools ordevelopment solutions, likeGitHub/Azure DevOps.
The notion of management tiershas been introduced in the formof the management plane andthe data/Workload plane, whichare used to manage applicationsand data. This was previouslyknown as tier 1. Finally, there arethe users and other applicationsthat consume services(applications and data), includinginternal users, partners,customers, etc.
The Enterprise Access Modeldoes not explicitly mention theuser workstations, which werepreviously in tier 2. Instead, thecontrol plane of Azure AD is usedto determine which types ofdevices can connect to this orthat service or application. This iscalled conditional access controland it forms the cornerstone of aZero Trust architecture.
A new model for hybrid enterprises
23
In its guide to Securing PrivilegedAccess, Microsoft shares abaseline implementation thatillustrates the above-mentionedEnterprise Access Model.
The goal consists of strictlylimiting the capability to performprivileged actions to authorizedpaths, while disrupting the returnon investment of the hackers.
In addition to prevention, theaccess paths are closelymonitored to detect anyanomalies or devious behaviors.
The strategy consists ofencouraging organizations tofirst use the rich functionality thatis natively available in the cloud.
In this Microsoft guide,implementation is based on thesecurity solutions available inMicrosoft 365 Enterprise E5. It isa starting point for theimplementation of a Zero Trustarchitecture in a Microsoftenvironment.
Conditional access control andstrong authentication areuniversally applied to all users.The Microsoft Cloud App Securitysolution, combined with IdentityProtection, is used to supervisesessions.
A guide to Securing Privileged Access
24
In this case, the use of privilegedaccounts (which are flagged assensitive) is explicitly restrictedto specific devices, with theconditional access control inAzure AD Premium.
An Endpoint Detection andResponse (EDR) is deployed onthe workstations. MicrosoftDefender for Endpoint is capableof interacting with Azure AD,through the MDM, in order toescalate the state of health of thedevices.
The workstations are managed,and the security profiles aredeployed using the MicrosoftEndpoint Manager MDM.
In the specialized andadministration workstationprofiles, the device’s user is nolonger the administrator of theirworkstation.In addition, the list of applicationsthat are authorized to beexecuted is restricted.
Also, the principles of leastprivilege and just-in-time access(temporary increase) of theadministration rights areimplemented with Azure ADPremium.
In this case, this baselineimplementation can be used toadminister resources in the cloud,but also critical assets, such asActive Directory, throughintermediaries (VPN, reboundserver, etc.).
24
Securing tier 0 and implementing the control planeIrrespective of the reason forlaunching a project to reinforcethe security of AD (action planfollowing a major security breach,results of intrusion tests or redteam exercises, etc.), a significantpreparatory phase is necessarybefore launching such a vastprogram. The priority consists offocusing on tier 0 and takingaccount of the other tiers in viewof the transformation of the IS(use of the cloud and Azure AD).
Step 1: prepare - 1 to 6 monthsEven if the general outlines areknown when the project tosecure AD kicks off, it is essentialto define the boundaries of theproject.Obviously, the duration of thescoping phase depends firstly onthe complexity of theenvironment. The challenges ofevery project are unique, fromthe simple case of a single ADforest with a single domain that isoperated by a central team, tothe more complex case of a largeorganization that is present onevery continental plate and hasmade numerous acquisitions,
resulting in the creation of trustrelationships and a multitude offorests.
The three main goals of thescoping phase are to:
1. Map out the legacy environment(forests and the correspondingtrust relationships) and identifyany vulnerabilities.
2. Determine the security target tobe reached and the deadlines(e.g., priority scopes, level ofhardening of the target,dedicated character of theinfrastructures, forests that canbe decommissioned, removal ofmemberships between the ADbackup system and AD itself,etc.).
3. Define the project structure thatwill allow the targets set in theschedule to be reached.
25
It is necessary to secure tier 0. The efforts made will not be wasted, even in the event of a cloud transformation
26
In these phases, any existingaction plans are also taken intoconsideration (reports by theGeneral Inspectorate, auditsalready completed, findings ofthe red team, etc.), so that theycan be incorporated in the globalproject.
The approach to drawing up thismap is based on:
/ known market tools (e.g.,PingCastle, BloodHound, OAADS,etc.) or frameworks (e.g., theANSSI checkpoints);
/ interviews with contacts in thebusinesses or geographies inorder to identify autonomousActive Directory infrastructuresthat may not have been detectedby the tools.
Once all this input has beencollected, the goals of thetransformation project aredefined and the paths leading tothose goals are identified. Thistype of project is usually brokendown into several sub-projects.
Rationalize the infrastructures(forests and domains to be
decommissioned or migrated)and the trust relationships,wherever possible.
Harden and correct theidentified vulnerabilities, updateassets whose OS is no longersupported, harden the systemand AD, regularly install thesecurity patches, etc.
Implement the tiered model (tier0 is the priority) and deploy thearchitectural changes to be made(partitioning, deployment ofassets dedicated to tier 0,implementation of dedicatedadministration workstations, useof administrative silos, etc.).
Define the administration RACIand model: the activities of theteams, types of privilegedaccounts to be made available tothem and administration silos.
Prepare the reconstruction, withthe transfer of the backups ontosystems that are not members ofActive Directory, reconstructiontests, etc.
Recommendations on the use of public tools
Numerous Open Source scripts and tools are available on the Internet toassess the level of security of an Active Directory / Azure ADenvironment. However, a number of cautionary rules should be obeyedbefore executing them:1. Wherever possible, review the source code of the tool to check its behavior.2. Execute the tool with the lowest required privileges, according to the least
privilege principle, and in a restricted environment (e.g., a dedicated virtualmachine).
3. Limit outgoing flows according to needs (no flows onto the Internet for anActive Directory configuration review, only to Microsoft resources for anAzure AD review)
26
27
Is it necessary to create anadministration forest?As explained previously,Microsoft no longer recommendsthis model, except in the specialcases described here, because itis complex and costly toimplement.
What about the administration of the virtualization infrastructure hosting tier 0 assets?The critical nature of theinfrastructure hosting tier 0assets requires it to be dedicatedand its administration to beintegrated in tier 0. The use of ashared platform incurs the risk ofa lack of control of access tothese virtual machines.However, providing a dedicatedinfrastructure can take a longtime in certain organizations. Tomitigate the risk more rapidly, anexisting shared infrastructure canbe used tactically in order to starttaking the security-relatedactions described in the nextsection without delay.
The residual risk mentionedpreviously can then becompletely covered by amigration to the target dedicatedinfrastructure a few months later.
Step 2: implementing tier 0- 6 to 24 monthsAt the start of this phase, thefinal workshops take place tofine-tune the targets to bereached on the basis of thescoping, to bring the teamsonboard and to present thesequence of actions.
Identification of theorganization’s variousadministration teams (e.g., ITsupport, AD teams, server teams,workstation teams, etc.), theirresponsibilities and activities andthe rights they need to performthem (least privilege principle).This step defines a clear RACIand prepares the future accountsthat will be used, in accordancewith the delegation model of thetiering.
28
Then come the central steps: theapplication of the tiered structureto Active Directory, the creationof the administration accountsspecific to each tier and themovement of the objects into theright Organizational Units (OU).The final step consists of
disabling connections using anaccount in a given tier to an assetin a lower tier (as shown in thediagram below). This can bedone, at first, through "denylogon" GPOs, then in a morepermanent way throughAuthentication Policy Silos.
Deploying a "deny logon" GPOtechnically prevents logins fromTier 0 accounts to the machineson which the GPO is applied (Tier1 & 2). However, GPOs are clientconfiguration items, which couldbe disabled locally by an attacker(in order to trick a Tier 0administrator into logging in on acompromised machine forexample). The "deny logon"GPOs therefore protect againstadministration errors but haveflaws that can make themvulnerable in case of an attack.Authentication Policy Silos allowauthentication of certainaccounts (typically Tier 0administration accounts) onlyfrom certain machines (typicallyadministration workstations).
Compared to the GPO blockingmechanism, Authentication PolicySilos are no longer based on aclient configuration but on amechanism imposed by theActive Directory services. Thismechanism also covers the risk ofreplaying Tier 0 credentials(Kerberos tickets) elsewhere thanon an administration workstation(which must therefore also becompromised). However, thegreater complexity ofimplementing this methodcompared to GPO's can lead to astep-by-step approach: in theshort term, implement GPO's, inthe medium term, implementAuthentication Policy Silos tofurther strengthen the securitylevel.
29
Finally, this step must alsoinclude the definition anddeployment of the PrivilegedAccess Workstation (PAW) foradministration purposes. Thisworkstation must only be able tolog onto tier 0 assets to takeadministrative actions. Therefore,it can be hardened to the higheststandards and only the softwareused to make remoteconnections should be installedon it.Access to the Internet (apartfrom the Azure cloud portal in ahybrid infrastructure, forexample) and to e-mail must notbe possible, in order to limit theexposure of this workstation. Ifnecessary, a zone for exchangesbetween the office and theadministration environmentsshould be provided.
Difficulties: membership of theadministration bastion thatalready exists in the organization,with its established model, cansometimes be a source ofcomplexity, despite theadvantages that it offers (i.e.,easy implementation of multi-factor authentication, records ofactions).
HardeningHardening amounts to taking thesecurity measures whereverpossible, in order to raise thelevel of security.Hardening tier 0 assets: formaldefinition and application of aguide to hardening, minimizationof the number of agents on tier 0assets, because they can
constitute a channel of breach.Ideally, only native Microsoftsoftware (anti-virus, integratedbackup, transmission of eventsby WEF(1), MDI(2) supervisionagents, Application Control, etc.)should be present.
It is also necessary to modify theconfiguration of these assets inorder to use the MCO/MCSsystems dedicated to tier 0(supervision, OS updates,software deployment, etc.).The remediation actions onprivileged accounts must also betaken in this step: replacement ofthe accounts belonging to theBuilt-In groups by accounts withrights that apply the leastprivilege principle, mapping ofthe service accounts, use ofManaged Service Accounts(MSA/gMSA) wherever possible,identification and quarantining ofinactive accounts, activation ofLAPS, etc. The list of ActiveDirectory checkpoints providedby ANSSI can be used to raisethe level of security in steps.
From the strict perspective of riskreduction, using the tier-basedmodel takes priority for hardeningpurposes, even if it is morecomplex, due to its impact onadministration practices.
(1) Windows Event Forwarding (2) Microsoft Defender for Identity
30
Difficulties: the service accountsof certain solutions that demandto be a member of the DomainAdministrators or EnterpriseAdministrators groups, often forsimplicity’s sake. Accounts whosemembership is unknown andwhose impacts in the event of anoutage are difficult to estimate.The implementation of a reliableprocess to deal with inactiveaccounts, apart from by massmanual processing as part of theproject.
BackupsOn the whole, organizations havea strong command of the backingup and restoring of machines.Nevertheless, it is necessary toreview this question in view ofthe current threat and of theworst-case scenario, in whichActive Directory and its backupsare breached and totallydestroyed. The backupinfrastructure is often linked tothe AD domain that it backs up.Despite this program to increasesecurity, it is important to remaincautious and to always rememberthat a breach is possible (assumebreach). The goal consists ofcompleting the existing backupsystem, which will be maintaineddue to its performance andrestore times, with an externalbackup system that isdisconnected from AD.
DetectionOnce the tier-based model is inplace, and since the modes ofadministration are known andstandardized, detection scenarioscan be deployed to detect any
practices that deviate from themodel (e.g., addition of anaccount in the built-in groups,modification of sensitive andnormally stable configurations ofAD, use of emergency accounts,etc.). Finally, the implementationof attack technique detectionscenarios (e.g., hash retrieval,high numbers of Kerberos ticketrequests in a short lapse of time,etc.). Microsoft provides a basiclist of AD events to be collected.Alert and incident processesmust obviously also be describedand operational.
Difficulties: the collection method(use of WEF), which may bedifferent from the standarddefined by the SOC (collection byan agent installed on the asset)and require adaptations.
RationalizationIn parallel to these actions toreinforce security, it is alsonecessary to keep track of thedecommissioning or migrationplan defined in the scopingphase.
31
Any delays in the schedule wouldimmediately incur a serious risk,since no measures would betaken to increase the security ofthese scopes. Especially if theyhave trust relationships with theother forests.
Difficulties: uncertainty about theprecise impacts when the trustrelationships are broken, or theimpacts of decommissioning.
Program supervision, changemanagement and reportingIt is essential to mention all thecross-functional activities thatare inherent in the supervision ofthe program, in order to beexhaustive. Scheduling, thesynchronization of the teams andcommunications with thestakeholders are all key factors,in view of the number oftechnical actions to be taken,their interdependency and theirpotential impacts.
Moreover, the significant changesin administration practices (e.g.,use of separate administrationaccounts for each tier, use of aPAW) required by theimplementation of the tieredmodel, means that closeattention must be paid to changemanagement, to avoid anydisruption of the activities.
Finally, it is essential to makesure that the communicationsand reports on the state ofprogress of the program aresufficiently simple and clear toavoid any frustration andmisunderstandings about theinevitable roadblocks andrequests for arbitration.
Difficulties: the difficulty inmaking the link between theperformance of technical actionsand risk mitigation, the majoreffort that the teams tasked withthe AD run are asked to make inorder to take the technicalactions.
Step 3: guaranteeing durability – 1 to 3 monthsMore than any other componentof the IS, the security of ADcannot be reduced to a programthat lasts for a finite duration, butit must be transformed into aregular process that checks theoverall level of security. Thisprocess must be executedregularly, and any identifieddeviations must give rise tocorrective actions in the shortterm, and preventive actions inthe long term.
32
SUMMARY: Securing Tier 0
This control plan can call on avariety of resources:scripts, additional market tools,ANSSI’s Active Directory Security(ADS) service or manual checks,when they cannot be easilyautomated. It is also possible tocall on annual red team auditsand exercises to check that tier 0can no longer be breached.
Finally, as well as checking thatthe backups of the ActiveDirectory infrastructure aresuccessfully completed
systematically, the completerestore process of a backupshould also be tested, just like inany continuity plan.These tests also measure thetime required to completelyrestore a backup. Thesemeasurements should be sent tothe team responsible for businesscontinuity and they also providean indicator that needs to beoptimized, test after test.
Keep the components in a secure conditionInstall security patches and harden the configurations.
Implement tier 0Partition Active Directory against the risk of breach.
Back up and run restore testsPut the backups out of reach and be prepared to rebuild.
Rationalize and decommissionFocus efforts on the long-term scopes and decommission the rest.
Centralize the log files and implement detectionMonitor and detect weak signals in order to respond rapidly.
Supervise the actions and manage changeOversee and rigorously deploy this action plan.
32
33
Securing Azure AD subscriptions
The Identity SecureScore: a first stepThe Identity Secure Score is anative indicator that comparesthe situation of the organizationwith Microsoft’s best identitysecurity practices.
This score was introduced in2020 on the basis of theMicrosoft Secure Scorepresented at the end of 2017.
The following calculationprinciples apply:/ Percentage of implementation
of the checks proposed byMicrosoft
/ The checks measured dependon the identity architectureand the available licenses (seetable below)
/ A single security licenseactivates the appearance ofthe check
If all the checks are available tothe organization, the score is
currently broken down asfollows:/ 61 points for the cloud
identities (Azure AD settings, conditional access, self-service password reset, Azure AD Identity Protection)
/ 58 points for the local identities (with Microsoft Defender for Identity)
Changes can be explained by twocases: a change in theorganization’s situation orchanges made to the checks byMicrosoft.
The reasons for these changescan be tracked by looking at thechanges affecting the MicrosoftSecure Score in the Microsoft 365Security Center.
Note that the Microsoft SecureScore does not include all theIdentity Secure Score checks.
In hybrid organizations without aMicrosoft Defender for Identity license, the following checks are made:
Free (P1 or P2): A Premium license is required to customize the security measures
34
The Identity Secure Scoreproduces metrics of theorganization’s situation relativeto Microsoft’s best practices,which are indispensable but notexhaustive.
It is also essential to make surethat all the Azure AD settings areconsistent with the issues facingthe organization (e.g., domainsauthorized for guests). It onlytakes a few hours to review anddefine concrete means of makingimprovements.
Looking beyond theconfigurations of the platform, itis more than advisable toimplement a permanent control
plan to keep track of the objectsthat are bound to multiply (cloudor on-premises applications,internal and external users,conditional access policies, etc.).
This control plan will keep AzureAD in an operational and securecondition, just like the existingplans for the local ADs.These checks in the programmust cover the following points:
Administrators: / Lists and rights used/ Use of the break-
glass accounts
Azure AD applications: / Persons authorized to
register an application/ Management of
owners, secrets and permissions for every application
Conditional access: / Changes to the
access policies/ Exception
management
Internal users: / Enrollment status of
the authentication factors
/ Lists and rights used/ Attachment to an
entityDevices: / Compliance of the
devices/ Number of devices
per user
Guest users: / Legitimacy of the
account/ The associated rights
and permissions
Going further than Secure Score
35
Azure AD roles are an importantpart of the Microsoft cloudsecurity system. There are morethan 70 integrated roles thatapply to both the management ofthe Azure AD resources, but alsoto certain Microsoft 365(SharePoint Online, ExchangeOnline, Teams, AIP, etc.) andAzure (Azure DevOps, etc.)services. To take things further, itis possible to create your ownroles using customized roles.
The following diagram shows theroles specific to Azure AD andthe roles that apply to otherMicrosoft 365 services.
By default, the Azure AD andAzure resources are securedindependently of one another.Nevertheless, Azure AD generaladministrators can elevate theiraccess to manage all thesubscriptions and resources inAzure.
Through the User AccessAdministrator role, this higherlevel of access allows forinteraction with all the Azuresubscriptions that trust theirAzure AD tenant. Consequently,general administrators can usethis role to grant access to theAzure resources to other users.
Understanding the roles with rights extending beyond Azure AD
Understanding the roles in Azure AD
Azure ADApp Admin, User Admin,
Groups Admin, Auth Admin, ...
Exchange
ExchangeAdmin
ExchangeAdmin
Intune
Security Admin
Security Reader
MCAS
TeamsTeams Admin, Teams Devices Admin, Teams
Comm Admin, ...
36
Amongst the identities managedin Azure AD, it is essential tounderstand applications, whichare very different from whatexisted on-premises.
Registration of an applicationAn application that wants tooutsource authentication toAzure AD must be declared inAzure AD by applicationregistration, which registers anduniquely identifies the application(Appld) in the directory using thenotion of an application object.
This application registration ismade in the tenant of the ownerof the application. (e.g.,Exchange Online is registered inthe Microsoft tenant).The owner of the application canthen declare APIs, which will beused by the application (e.g.,read and write an e-mail inExchange Online).
The application can then be used,either in its tenant or in anexternal tenant, depending on itsconfiguration.To this end, the applicationobject is used as a model tocreate one or more main serviceobjects. A service principal iscreated in each tenant, in whichthe application is used.
It is important to note that theadministrator of the tenant, in
which the application isregistered, can add credentials(secrets or certificates).
Anyone in possession of thecredentials can use thepermissions of the application.Applications are represented inAzure AD by two classes ofobjects:/ Application objects, which
store the information about the application,
/ Service Principal objects, which represent an instance of the application.
Service PrincipalAuthentication is necessarythrough either a user or anapplication, also called theservice principal, in order toconsume the resources protectedby Azure AD.
Service principals are a type ofobject that exists in Azure AD torepresent an application.
In particular, a service principal iscreated when an application or acode must access or modifyresources, which can only befacilitated by an identity with thenecessary authorizations.Creating an identity for anapplication enables theadministrators to attribute rolesand authorizations to it.
Understanding the applications in Azure AD
37
There are three types of serviceprincipal:
/ Application: An instance of anapplication created by anadministrator or a user, whenthe requested permissions aregranted.
When the application isdeclared as multi-tenant, aservice principal is created ineach tenant that adds theapplication (with a differentspecific ObjectId identifier).
In this way, specific policiesand permissions can beapplied, as well as anauthentication andauthorization specific to eachtenant.This SP is created in everyother tenant after consent.
The owner of an instance ofthe application can addcredentials.
/ Managed identity: An identity used by an Azure service to obtain an Azure AD token without having to use authentication secrets.
/ Inheritance: A long-standingservice principal similar toapplications, but which canonly be present in a tenant(not recommended).
The registered enterpriseapplications, granted permissionsand the corresponding credentialsmust be reviewed on a regularbasis
Applications and service principals
Adatum tenant
HR applicationService principal
HR application (application object)
Service principal
HR applicationService principal
HR applicationService principal
Contoso
Fabrikam
Keys of the HR application
Contains a set of keys used by the HR application
When an administrator grants therequested permissions, a serviceprincipal is created in the tenantfrom the application object presentin the source tenant
1
2
3
38
Knowing how to managecredentials in the code can be achallenge when creating cloudapplications.Ideally, they are never handled onthe developer workstations andthey are not present in the sourcecode of the applications.
There are three types of serviceaccounts in Azure AD:/ Managed Identity:
recommended for native Azure services
/ Application: recommended if the service is not native in Azure or is multi-tenant
/ Dedicated user account: not recommended if the application supports OAuth
Common recommendationsNo matter which type is chosen,a life cycle should be defined(creation, review and deletion)and the least privilege principleshould be applied:/ Prefer OAuth2 permissions
(e.g., read the files) rather thannative Azure AD roles (e.g.,SharePoint Onlineadministrator)
/ Use different service accountsfor different permissions
/ It is also advisable to limit theauthorized applications byelement for Exchange Onlineand SharePoint Online.
Protecting application credentials
Since service principals do notcurrently support conditionalaccess, there is a risk that thecredentials will fall into the wronghands.
In order to protect oneself, it isnecessary to:/ Only use applications created
in one’s own tenant/ Store secrets in Azure Key
Vault
There are two types of ManagedIdentity.A managed identity allocated bythe system is directly activatedon an Azure resource. When theresource is activated, Azurecreates an identity for theresource in the Azure AD tenant.Once the identity has beencreated, identificationinformation is sourced on theresource. The life cycle of anidentity allocated by the systemis directly linked to the Azureresource.
An identity managed andallocated by the user is createdas an autonomous Azureresource. Azure creates anidentity in the Azure AD tenantthat is approved by thesubscription with which theresource is associated. Once theidentity has been created, it canbe allocated to one or moreAzure resources. The life cycle ofan identity attributed by the useris managed separately from thelife cycle of the associated Azureresources.
Securing the service accounts
3939
(1) It is possible to use conditional access through a third-party identity supplier,but this will not allow for any granularity for the various Azure AD applications orthe management of the duration of sessions.(2) Identity protection: User or connection risk strategy and risk-based conditionalaccess policies.(3) Identity Governance: Azure AD PIM, access revisions, access packagemanagement.
Understanding Azure AD licenses and their benefits in terms of securityIt is impossible to talk about identity security in a Microsoft environmentwithout mentioning the different levels of licenses.
Azure AD Premium adds advanced administration functions, conditionalaccess control, dynamic groups, identity protection, self-service functionsfor users and a higher service level (99.99% guaranteed since 2021).
Application Proxy is another function of Azure AD Premium.. This serviceenables organizations to connect traditional intranet applications toAzure AD. This connection is made by combining modern protocols(based on identity claims) and older protocols, such as Kerberos or NTLM.
Users must possess the licenses shown below in order to benefit from themain security functions:
FREE AZURE AD / O365
AZURE AD PREMIUM P1
AZURE AD PREMIUM P2
Security defaults
Integration with MIPSelf-service
password resetPassword protection
Azure MFAConditional access (1)
Identity protection (2)
Identity governance (3)
FO
CU
S
4040
In 2019, Microsoft introduced the security defaults for security policiesthat are predefined by Microsoft and guarantee a situation of minimalsecurity, without any licensing conditions:
The Azure AD Premium Plan 1 or 2 licenses are necessary to customizethese policies.
Note that the security defaults cannot be activated at the same time asconditional access policies.
Security defaults: a minimum security level accessible to all
For administrators, activation of multi-factorauthentication with every connection1
For users, activation of multi-factor authentication forhigh-risk connections2
For all users, registration of an MFA factor within 14 daysof their first connection3
Deactivation of inherited protocols4
Access to the Azure AD portal for administrators only5
40
FO
CU
S
414141
Which governance for AzureActive Directory?
In certain organizations, responsibility for Azure Active Directory is in ano man’s land. This is largely due to the absence of a target:/ a simple technical directory for Office 365/Teams or a future identity
repository for the organization’s applications?/ an identity repository for cloud applications only, or for internally
hosted applications too?
Who are the players today?
Three players are usually involved in the administration of Azure AD:
/ the Identity team, which configures synchronization andfederation or connects applications.
/ These operators are used to having high-level rights on ActiveDirectory and they inherit the Global Administrator’s role, evenif they do not yet have the skills required by this role.
/ The Digital Workplace team, which configures thecollaborative services. The scope of this team is often extendedbeyond Exchange or SharePoint Online for convenience’s sake.Even if they were not responsible for identities in the past, it isoften the same team, which has the skills required to manageall subjects related to collaboration (e.g., guests, conditionalaccess or third-party applications).
/ The Security team, which defines the policies for security andthe control of the installed applications.
Which principles for the governance of Azure AD?
The logics used to govern Active Directory and Azure ActiveDirectory are similar. The operational model must apply twofundamental principles: the segregation of rights and the leastprivilege principle. In a word, everything that can be delegated mustbe delegated.
On the other hand, Azure AD does not allow for the same level ofdelegation as Active Directory, in which everything can be delegatedby changing the environment, despite the fact that Microsoft recentlyintroduced some changes in this regard.
FO
CU
S
424242
What are the possibilities to delegate?
First, it is necessary to differentiate the container (Azure AD and theunderlying synchronization and federation infrastructure buildingblocks) from the content (the user and application identities andidentities linked to terminals).Microsoft proposes an RBAC model (Role-Based Access Control)with these native roles. These roles include the administration of theAzure AD tenant, of the Office 365 services and of the differentidentities. Note that only the global administrator role can edit certaingeneral settings, such as the graphics of the login page.
In 2019, Microsoft introduced the possibility of creating customizedroles using APIs. For the time being, only actions related to applicationadministration can be used when defining one of these roles.It is also essential to remember that Azure AD is currently designed as a centralized organization, even if Microsoft published the administration units in 2021, which are the equivalent of local organizational units (OU), in order to restrict the scope of action of an administrator.
What are the possible scenarios for the management of AzureAD?
In order to adhere to the above-mentioned principles, it is necessary toidentify teams that each have their own specific responsibilities andrights.This is not complicated for content management, if the centralizedcharacter of the platform is put to one side. For example, the DigitalWorkplace teams will logically be in charge of the Office 365 servicesand data. Container management remains THE central question..
A central team must be set up with global administrator’s rights. Thisteam performs all the administration tasks requiring very highprivileges, which may extend beyond the strict scope of identity./ This team must be sufficiently staffed and trained./ Processes with SLAs must be implementedSince the central team is not capable of defining all the functionalityaccessible by this level of administration, making the right teamsresponsible is a key factor (e.g., communications for the graphicalguidelines).Since these rights are rarely used, it is essential to control who canaccess them and when (through a bastion or Azure AD PIM).One scenario could consist of assigning this responsibility to theidentity team in order to remain consistent with identity managementand data quality. Another could consist of training the central team, sothat it acts as the guarantor of the applications on a group-wide scale.
FO
CU
S
43
Migrating from Active Directory to Azure Active DirectoryIn a modernization strategy,Microsoft ultimately recommendsreducing Active Directory, as theinternal applications andresources gradually becomeavailable in the cloud, either asSaaS applications or simply asexisting applications.
While the identities will bemigrated to Azure AD, theworkstations will be taken out ofActive Directory and managedfrom an MDM service in thecloud. This switchover willgradually limit exposure toattacks.
Identity management with acloud service like Azure AD iseasier to understand, becausethere are fewer concepts to learnand no infrastructurecomponents to be updated.
By migrating to Azure ActiveDirectory, it is easier to benefitfrom the centralized analysis ofconnection events, a fact thatfacilitates the detection of low-volume attacks and connectionanomalies.
Why attach adevice to AzureAD?Attaching a device to Azure ADproduces several benefits:/ Reinforcing conditional access
control on the basis of the stateof health of the device or itsgeographic location;/ Gaining simple and secureaccess to cloud applications withSSO by obtaining a PrimaryRefresh Token (PRT);/ Managing devices with anMDM solution;/ Deploying passwordlessauthentication, like in WindowsHello for Business of FIDO2.
What is Azure AD DS?Azure Active Directory DomainServices (Azure AD DS) is the ADdirectory in the form of a cloudservice proposed by Microsoft,and by other cloud serviceproviders too. In simple terms, inthis case, Microsoft manages tier0 and the organization managesthe other tiers. Azure AD DSprovides a sub-set of ActiveDirectory functionality, such asthe domain junction, groupstrategies (GPO), the LDAPprotocol and Kerberos/NTLMauthentication.
This solution can be used forWindows servers that aremigrated to the cloud by lift-and-shift or that are removed fromthe live AD forest.
4444
None of the ActiveDirectory accounts musthave high privileges onthe cloud
Manage theadministrators’ devicesfrom the cloud
Protecting the cloud against a breach of AD
44
1 3
3 4
Completely isolate theMicrosoft 365 and AzureAD administratoraccounts
The administrator accounts mustbe:/ Created in Azure AD;/ Authenticated by multi-factor
authentication (MFA);/ Controlled by Azure AD
conditional access;/ Only accessible from
workstations managed inAzure;
/ Activated for a limited periodof time using Azure AD PIM.
2
Make sure that these accounts,including the service accounts,are not included in the privilegedroles or groups in the cloud, andthat any changes made to theseaccounts cannot have an impacton your entire cloud environment.The on-premises assets in tier 0must not be capable of having animpact on the privilegedMicrosoft 365 accounts.
Use Azure AD Join and MDM-type management of devices inthe cloud to remove anydependencies on themanagement infrastructure of on-premises devices that maybreach the security measures ofthe devices used to administerthe cloud.
Use Azure ADauthentication to removethe dependencies on AD
Always use a strongauthentication method, such asWindows Hello for Business,FIDO2 or MicrosoftAuthenticator.Switch to a passwordlessauthentication method andconsider removing the passwordsfrom these accounts.
FO
CU
S
45
When a project to migrate to AzureAD is considered, it is only naturalto ask the following question: whenwill Azure AD be capable ofcompletely replacing ActiveDirectory? Even if it may betempting to look for a precise date,bear in mind that Azure AD is not“Active Directory in the cloud”, sothere is no point in looking for thesame functionality.
This transition will probably takeseveral years, both for organizationsand for Microsoft. Today, all thetechnologies required for a 100%cloud deployment of Azure AD arenot yet available.
The best solution consists ofapproaching this journey toAzure AD immediately, and in apragmatic manner that does notseek to cover every case, in orderto avoid falling into the trap ofwaiting for the perfect solutionthat covers every eventuality.
An Active Directory containsdevices, applications and users.The migration path must takethese three elements intoconsideration, so that they can
gradually be shifted to Azure AD.The speed of the migration path of organizations with a strong legacy with Active Directory will depend on the number of objects to be migrated, but also on the complexity of the AD environment and the number of existing forests.
The journey to Azure AD
4646
Modernization based on three pillars
Devices
Put the existing Windows10 workstations in HybridAzure AD Join mode
Natively attach the newWindows 10/Windows 11workstations to Azure ADusing Windows Autopilot
Applications
If possible, migrate application authentication to Azure AD
Migrate the AD FS federation servers to Azure AD
Migrate to Azure AD DS any applications that are too old, are based on NTLM and cannot be migrated to more modern protocols
Users
Implement strong and passwordless authentication for all users
Deploy the new Azure AD Connect Cloud Sync tool, which simplifies management by centralizing the configuration in Azure AD, facilitates high-availability deployments and grants access to new scenarios, such as support for multi-forest AD environments in disconnected mode
FO
CU
S
47
For organizations that choose tomodernize towards the cloud, thetransition to Azure AD is gradualand takes place in steps:synchronize the users, migratethe workstations, integrate theapplications in Azure AD, thenmigrate the eligible applicationservers to the cloud.
The content of Active Directoryis gradually reduced andsimplified. The respectivemigrations of tier 2 and tier 1 toAzure AD and Azure AD DS takepriority.
The center of gravity shiftstowards Azure AD, whichbecomes the Zero Trust controlplane and the environment wherethe resources are created andthen synchronized locallytowards Active Directory, ifnecessary.
Active Directory is graduallyisolated and is only used toservice critical scenarios andapplications that cannot bemigrated to the cloud. Thecreation of tier 0 and thehardening of the Active Directoryconfiguration are the only long-term investments.
In this transformation, thedevices are no longer present in
Active Directory, but are directlyintegrated into Azure ActiveDirectory and are managed bymodern, MDM-type solutions.The approach to securitybecomes more modern byintegrating the applications inAzure AD, and in particular bypublishing the IaaS and on-premises applications that havenot yet migrated to the cloudusing Azure AD ApplicationProxy.
Granting secure access toapplications that are accessiblefrom the Internet, without using aVirtual Private Network (VPN),represents a major change formany organizations, even if split-tunneling has become anincreasingly common approach.
Migrating applications that arehighly dependent on ActiveDirectory to Azure AD DomainServices is a solution that shouldbe preferred.
Azure AD becomes the baselinedirectory that synchronizesidentities with third-partyrepositories, such as a local AD.
Over time, Active Directory willbecome a lesser cause forconcern, due to the reduction inthe number of managed assets.
47
…
Which path towards modernization?
48
The steps in detailThe progress of a project tomove from Active Directory toAzure AD can be measured bythe following steps:1. First steps towards the
cloud and the use of AzureAD
2. Universal implementationof the hybrid mode
3. Cloud-centric investment4. AD is isolated and reduced
to a strict minimum5. 100% cloud – Azure AD
The first steps
Organizations possess an AzureAD tenant containing at least theuser objects, in order to accessOffice 365 and the Microsoftcloud services in general.
This is the situation of anyorganization that has started touse the Microsoft cloud: an on-premises Active Directory,devices joined to AD that areconfigured using group strategies(GPO), on-premises applicationsthat use integrated AD
authentication to control useraccess, and finally, users who arecreated in AD with HR systemsand are then synchronized fromAD to Azure AD using Azure ADConnect.
Hybrid mode
The next step, which numerouscustomers are currentlyexploring, consists of becominghybrid and using the securityservices available in the basicversion of Azure AD, but also inthe premium versions, such aspasswordless authentication,conditional access control,management of privilegedidentities or self-servicepassword reset for users.
Existing Windows devices aredeclared in Azure AD using theHybrid Azure AD Joined mode,which facilitates SSO.
Certain applications are migratedto the cloud on an IaaSinfrastructure, by joining AzureAD Domain Services.
49
Other legacy applications are stillhosted on-premises, but they arepublished for remote workersusing Azure AD App Proxy. Thisgrants external access without aVPN, while still protecting accesswith Azure Active Directory.
Becoming cloud-centric
During this phase, the decision istaken not to add any new devicesor applications to ActiveDirectory. Investment in thecloud now takes priority. ActiveDirectory integration projects arewound down in order to preventthe spread of the technical debt.
The migration of tier 2 and tier1 to Azure AD now takespriority.In this phase, organizations stopintegrating new devices in ActiveDirectory and attach new
workstations directly to AzureAD using Autopilot, and performmanagement tasks with an MDM,such as a Microsoft EndpointManager. GPOs are no longerused to manage new devices.
The federated applications aregradually migrated to Azure AD.They are hosted in the cloud anduse Azure AD for authenticationpurposes. Legacy applicationsare gradually published usingApplication Proxy and, ifnecessary, are migrated to AzureAD Domain Services.Applications that require userprofiles to be synchronized usethe ECMA connector.
Legacy applications use AzureAD DS and are published usingApplication Proxy.
File shares and printer serversare gradually migrated to thecloud. The Azure Files andUniversal Print services aregradually used.
50
After this step, Active Directorymust be reduced to administeringinternal resources that will not bemigrated to the cloud (e.g.,industrial systems) withreinforced workstations, networksegmentation and detectionsystems that guarantee thesecurity of a scope that is nowexcessively restricted. If it has notalready been done, setting up tier0 and hardening theconfiguration of Active Directorytake priority.Users are gradually created and
managed in Azure AD only,according to a cloud-firststrategy, and they are onlysynchronized with ActiveDirectory using the write-backfunctionality, if necessary.
To progress to this step, it is firstnecessary to modernize thelegacy applications, by updatingthe configuration and the code ofthe applications, or replacingthem with an equivalent cloudversion. When Azure ADbecomes capable of issuingKerberos service tickets, it willthen be possible to continue tomanage legacy applications thatare Kerberos-compatible, withoutany need for user accounts inActive Directory. Moreover,managed AD services, such asAzure AD DS, help to supportlegacy applications on IaaSservers by offering the ADservice in the cloud.
50
Isolating AD
51
Finally, step 5 is “100% CloudAzure AD”, in which theorganization no longer has anActive Directory footprint. At thispoint, there are no more ActiveDirectory domain controllers andAzure AD provides all the identitymanagement tools.
The applications authenticateusers with Azure AD usingmodern protocols or with thesupport of Kerberos with AzureAD DS and Azure AD. At thispoint, all the devices are onlyattached to Azure AD and theyare managed with a compatibleMDM.
The main subjects to be addressed when switching to 100% Azure AD
NTLM
Kerberos /OpenID Connect
GPO
MDM strategy
AD Join
Azure AD Join
OBSTACLE
TARGET
COMPLEXITY
Full Cloud
52
Improving the security situation
Did you say “Zero Trust”?Addressing cyber security fromthe perspective of identity is oneof the underlying trends thatorganizations are trying to adoptthrough a Zero Trust approach.What is the principle? Nevertrust, always check.
Every time a login request ismade, the context of the accessis analyzed to assess the level oftrust that can be granted to theuser and their device, but also tothe applications.
This approach to securityprotects organizations bygranting access on the basis of acontinuous verification ofidentities and the securitysituation of the devices.
Is this the end of VPNs due to Zero Trust?One widespread misconception isthat switching to a Zero Trustarchitecture means that anyremote access to the enterprise’sresources over a VPN can bediscontinued.
But the answer is not so simple.For example, if the workstationsuse Hybrid Azure AD Join, thenthese devices must occasionallyconnect to a domain controller,
because they are attached toActive Directory and Azure AD.Active Directory is the authoritythat signs the verifier of theauthentication secrets on thedevice in order to open a sessionin disconnected mode. If thecredentials cache is empty ordesynchronized, the device mustengage with a domain controllerin order to add new credentialsto the cache. This is possible overa VPN connection or over theorganization’s network.
In another example, if a userforgets their password and asksto reset it or resets the passwordthemselves using self-service,their device must be able toreach the Active Directorydomain controller in order to usethe new password and unlock thecomputer.
The same requirement for on-premises connectivity applies tothe first configuration ofWindows Hello for Business on aHybrid Azure AD Join device. Thedevice requires a connection witha domain controller in order tofinalize the configuration ofWindows Hello for Business(definition of the PIN code,opening the first session withWindows Hello for Business).
These restrictions do not apply toAzure AD Join devices, which donot need a connection withActive Directory, unlike in thepreceding scenarios.
53
“Always on VPN” technology,which is natively present inWindows 10, is very useful inorder to open a VPN tunnel,before the user even opens asession, and to meet thisrequirement for internalconnectivity.The modernization of VPNs, witha more flexible split-tunneling-type approach, increases thelong-term chances of successwhen implementing a Zero Trustarchitecture.
Managing passwordsPassword spraying is an attackthat enables a third party tobreak into accounts. It consists oftesting a few weak passwords onhigh numbers of user accounts,rather than using numerouscommon passwords. Theseattacks are dangerous, becausethe usual security measures(locking accounts or imposingtime delays between successiveattempts) are ineffective.
Azure AD detects passwordspraying-type attack models byexamining failed login attemptsfor millions of organizations allover the world.
This protection can be extendedto Active Directory by installingan agent on the domaincontrollers and following theinstructions in the deploymentguide.
The move towards passwordlessauthenticationWe have observed strongenthusiasm for passwordlessauthentication. This is hardlysurprising, given that passwordsare responsible for 80% ofbreaches by hackers and that thedeployment of multi-factorauthentication is thought toreduce the risk of breach by99.9%.
Authentication is based on abiometric characteristic, such asa face, a fingerprint or aconfidential code specific to adevice that is not sent over thenetwork. You can choosebetween using your Windows PCwith biometrics and/or a PINcode, connection using a FIDO2security code of the MicrosoftAuthenticator application formobile devices.
A Microsoft survey ofCIOs in severalcountries who havestarted their journey toZero Trust revealedthat 76% of theminitially implementedstrong authenticationand that 60% of themhave implementedpolicy-basedconditional access.
This chapter explains the main difficultiesencountered when rebuilding an ActiveDirectory and proposes actions that shouldbe taken in readiness for a cyber attack.
How to combat a cyber attack
55
Understanding the difficulties of rebuilding Active Directory in order to better anticipate a crisis
Side effects that are difficult to predict and to resolve very quicklyFollowing a security breach,there are two methods that canbe used to rebuild AD: rebuildingthe domain and directorycontrollers from scratch, orrebuilding the domain controllersfrom a replication of the existingdirectory.
The first method ensures that anypossible means that the hackercan use to remain present will beeliminated, but it demands asignificant reconstruction effortand involves a seriousinterruption of service.The second method, on the otherhand, allows AD to restart morequickly, but without guaranteeingfor certain that the directory isintact.Any operational side effects of areconstruction will vary
significantly, depending on theenvironment. When rebuildingActive Directory after an attack,for example a ransomwareattack, hardening andremediation actions are taken,frequently during theimplementation, without ananalysis and test phase. Theseactions may have operationalside effects.Notable side effects include:/ breakdown of the Secure
Channel between the machines and Active Directory due to the reset / restore of the computer accounts;
/ malfunction of applications using service accounts whose password has been reset;
/ denial of access rights (ACL) on network file shares (in the event of a restore from scratchthat invalidates the SIDs defined on the resources);
/ the need to migrate obsolete servers that are unable to authenticate themselves because the legacyauthentication protocols have been deactivated.
Moreover, the absence of anover-arching vision of the entireinformation system can make thereconstruction
Reconstruction following amajor cyber incident is oftenan opportunity to pushthrough security measures,unlike the “small steps”approach that is adopted instandard projects in order toavoid any disruption ofbusiness activity.
56
much more complex (digitaldocuments destroyed, obsoletephysical copies, partial residualknowledge, etc.). The length ofthe downtime does not onlydepend on the complexity of theoperations but also on the abilityto mobilize enough experts andthe priority given to thereconstruction of AD, whichinvolves players who are alsorequired to maintain a possibledegraded mode.
Internal resources are oftencalled on to implement adegraded mode, to the detrimentof the reconstruction operations.In addition, the possibility ofquickly calling on reinforcementsfrom partner organizationscannot be guaranteed in a crisis.Today, there are only a fewoperators that possess the levelsof expertise required tooperationally support ADreconstructions.
Multiple discreet means of persistenceAs the IS comes back on stream,it is also necessary to eliminatethe hacker’s means of persistencein order to prevent theenvironment from beingbreached again.
There are numerous techniquesof Active Directory persistencethat are difficult to verifyexhaustively. While somepersistence techniques are wellknown and tools exist to combatthem, such as the renewal of the“krbtgt” account, the detectionand correction of othertechniques can be more complex.For example, this is the case ofpersistence that uses specificextended permissions and rights,or instances of local persistenceon domain controllers.
While the completereconstruction of the ActiveDirectory forest may not becompatible with a quickresumption of activity, it is oftenthe only means of making surethat all the attacker's ADpersistence capabilities areeliminated following the breachof a domain.
In addition to the domaincontrollers and the ADdirectories themselves, resourcesand services that domaincontrollers relies on, such asupdate servers or PKI, or Tier 1servers, may also have beencompromised by the attackerand used as persistence means.
“On average, it takes at least one week to rebuild the AD core without any preparations ”
The CERT-W lists numerous techniques that attackers can use to maintain AD persistence following a breach.
57
An action plan must be prepared for these various elements, which form the trust core of the IS, that is adapted to the knowledge of the attack produced by digital investigations.
Can Azure AD be of help during the reconstruction?Definitely, by using SaaSsolutions to restore certainproductivity services.
However, Azure AD will not be ofany help in the following cases:/ A large majority of the
applications used in theorganization are linked to AD.Authorizations are usuallygranted to accounts on thebasis of the on-premisesActive Directory, and theapplications do not even knowwhat Azure AD is.
/ The organizations can onlynatively join workstations(Windows 10/Windows 11) toAzure AD, but not servers.
This is the reason why it isessential to make regular anddisconnected backups of ActiveDirectory for greater resilience inthe event of a ransomware-typeattack.
57
585858
Preparing the reconstruction of Active Directory
A backup of AD that is resilient to the selected cyberattack scenarios and is protectedEncrypted Windows backup stored in an unalterable place
Essential
A trusted environment for the reconstructionIndependent infrastructure and network
Recommended
Possibility to call in the right peopleAudit, incident response, crisis management and operationalteams
Access the applications of the IS without ActiveDirectoryStandalone Azure AD for Office 365, local accounts
Have procedures to clean up and rebuild ActiveDirectoryFormalize, automate and practice
Access to the IS without any dependencies on ADHealthy administration workstation, bypass of the NAC, VPNwithout AD
Anticipate the opportunity of relying on Azure AD torebuildWorkstations in Azure AD Join
To be analyzed
FO
CU
S
Simply rebuilding AD is not enough
The reconstruction of an IS aftera cyber attack is a sprint to whicheveryone must contribute. Butthere is a danger of assumingthat the race stops there.In this case, it is quite common tobe attacked again a few monthsor years later.
Look beyond the crisis to transform the IS Rebuilding the IS solves the mosturgent problems and reaches afirst plateau in terms of security.However, the breach of the IS isoften a symptom of a security
debt that stretches back foryears. For example, whenmanaging a crisis for severalweeks, it will not be possible totransform the security model orto address all the cases ofobsolescence. The narrow pathmust be set out to restore theservice for the business asquickly as possible.
Crisis management must be seenas the first leg of the race thatallows the business to reach amilestone in terms of securitymaturity. It is then necessary todraw up a program to transformthe IS in order to pay off the debtand, often, to change the securitymodel, by aligning it with theneeds of the business. This is areal marathon!
59
“A program lasting several years is necessary to transform a security model”
“80% of the companies that paid a ransom have been victims of a second cyber attack”Cybereason
60
Conclusion
The security of identity repositories is often addressed interms of numerous technical details that are discussedbetween experts.
However, it is possible to maintain a pragmatic approach byasking the right questions: How is Active Directoryadministered? From which workstations? Since the serviceshave strong relationships with these servers, are theseworkstations really secure? The vision must be broadenedto include the security of Azure AD, which is not just asimple extension of Active Directory into the cloud.
It is necessary to define a short- and medium-term targetthat is consistent with the transformation strategy of theorganization.
Security is a question of arbitration. It is essential to knowwhich vulnerabilities expose the organization, while alsounderstanding the associated risks and benefits. This willhelp to take the right decision on the path to modernizationand the priorities.
The administration model evolves and takes the newdimensions of the extended enterprise into accountthrough these hybrid and multi-cloud aspects.
Throughout this transformation, organizations must remainfocused on the essentials, with identity as the cornerstoneof information system security.
The identity system of organizations is now hybrid and thisnew reality must be embraced.
61
AcknowledgmentsAUTHORS
THOMAS DIOTSenior Consultant,
Wavestone
Photo
ARNAUD JUMELETNational Security
Officer, Microsoft France
THIBAULT JOUBERTManager,
Wavestone
CONTRIBUTORS
PIERRE AUDONNET Principal Customer Engineer, Microsoft Canada
FLORENT BENOITPartner Technology Strategist, Microsoft France
RÉMI ESCOURROUManager, Wavestone
JEAN-YVES GRASSETChief Security Advisor, Microsoft France
BENOÎT MARIONSenior Manager, Wavestone
GREGORY SCHIROCompromise Recovery Security Practice, Microsoft
JULIEN ROUSSON Manager, Wavestone
ÉTIENNE LAFORESenior Manager,
Wavestone
ALEXANDRE LUKATManager,
Wavestone
62
Useful linksANSSI - ACTIVE DIRECTORY CONTROL PATHShttps://github.com/ANSSI-FR/AD-control-paths
ANSSI - THE ACTIVE DIRECTORY SECURITY (ADS) SERVICEhttps://www.ssi.gouv.fr/administration/actualite/le-service-active-directory-security-ads-accompagner-la-securisation-des-annuaires-active-directory-des-acteurs-critiques/
ANSSI - ACTIVE DIRECTORY CHECKPOINTShttps://www.cert.ssi.gouv.fr/uploads/guide-ad.html
ANSSI - SECURITY RECOMMENDATIONS FOR ACTIVE DIRECTORYhttps://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-active-directory
M365INTERNALS - INCIDENT RESPONSE IN A MICROSOFT CLOUD ENVIRONMENT (HUY KHA)https://m365internals.com/2021/04/17/incident-response-in-a-microsoft-Cloud-environment/
MICROSOFT - APPENDIX L: EVENTS TO MONITORhttps://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
MICROSOFT - AZURE ACTIVE DIRECTORY SECURITY OPERATIONS GUIDEhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-introduction
MICROSOFT - BEST PRACTICES FOR AZURE AD ROLEShttps://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices
MICROSOFT – DETAILS OF AZURE AD LICENSES https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing
MICROSOFT - ENTERPRISE ACCESS MODELhttps://docs.microsoft.com/en-us/security/compass/privileged-access-access-model
MICROSOFT - SECURING AZURE ENVIRONMENTS WITH AZURE ACTIVE DIRECTORYhttps://aka.ms/AzureADSecuredAzure
63
MICROSOFT – APPLICATION OBJECTS AND SERVICE PRINCIPALShttps://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
MICROSOFT - AZURE DEFENSES FOR RANSOMWARE ATTACKhttps://azure.microsoft.com/en-us/resources/azure-defenses-for-ransomware-attack/
MICROSOFT – WHAT IS THE IDENTITY SECURE SCORE?https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score
MICROSOFT – SECURING AZURE SERVICE ACCOUNTShttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-introduction-azure
MICROSOFT – DOCUMENTATION ON EXTERNAL IDENTITIEShttps://docs.microsoft.com/fr-fr/azure/active-directory/external-identities/
MICROSOFT – MICROSOFT AZURE AD ASSESSMENThttps://github.com/AzureAD/AzureADAssessment
64
Microsoft is committed to trusted, inclusive andsustainable digital technology. Its mission consists ofgiving every individual and every organization the meansto achieve their ambitions in the era of the smart cloudand the intelligent edge.
A catalyst of innovation in France for almost 40 years,Microsoft France has been chaired by Corine de Bilbaosince July 2021. With more than 1,800 employees and10,500 economic and technological partners, players inthe public sector, researchers or start-ups, MicrosoftFrance contributes to the development of the economyand digital skills all over the country.
6565
In a world where the ability to transform oneself is the keyto success, Wavestone has set itself the mission ofinforming and guiding major corporations andorganizations in their most critical transformations, with aview to making them positive for all the stakeholders. Thiswhat we call “The Positive Way”.
As one of the leading independent consulting firms inEurope, Wavestone employs more than 3,000 people ineight countries, including more than 600 cyber securityconsultants. These consultants help organizations toaddress all the issues related to cyber security, from themost strategically important, to operationalimplementation, incident response and digitalinvestigations.Wavestone is listed on Euronext in Paris.
More information at www.wavestone.com/fr/@Wavestone_@RiskInsight
T +33 (0)1 00 00 00 00 | M +33 (0)6 00 00 00 00
First Name LAST NAMELevel (Partner…)
T +33 (0)1 00 00 00 00 | M +33 (0)6 00 00 00 00
First Name LAST NAMELevel (Partner…)
T +33 (0)1 00 00 00 00 | M +33 (0)6 00 00 00 00
First Name LAST NAMELevel (Partner…)
www.wavestone.comwww.microsoft.com