Microsoft is now okay with domain controllers having internet access

Many organizations have recently migrated to cloud-based identity platforms such as Azure Active Directory (AAD) to take advantage of newer authentication mechanisms such as passwordless login and conditional access, and to phase out their Active Directory (AD) infrastructure. Many others, however, still run domain controllers (DCs) in hybrid or purely on-premises environments.

For those who don't know, domain controllers host Active Directory Domain Services (AD DS) and hold a writable copy of the directory, which means that if a domain controller is compromised, the attacker effectively controls every account and system in the domain. Microsoft issued an advisory a few months ago regarding an AD privilege escalation attack.

Microsoft already offers detailed guidance on setting up and securing DCs, but now it’s making updates to that process.

Previously, the Redmond tech firm had stressed that DCs should not be connected to the internet in any way. Given the changing cybersecurity landscape, Microsoft has amended these guidelines to state that DCs should not have unmonitored internet access or the ability to launch a web browser. In practice, that means a DC can be connected to the internet as long as that access is tightly controlled and monitored, with only known destinations reachable and the appropriate defenses in place.


For organizations currently operating in a hybrid environment, Microsoft recommends protecting the on-premises AD side with Microsoft Defender for Identity. Its guidance notes that:

Microsoft recommends cloud-based protection of these on-premises identities using Microsoft Defender for Identity. Configuring the Defender for Identity sensor on domain controllers and AD FS servers enables a highly secure one-way connection to the cloud service through a proxy and to specific endpoints. A full explanation on how to configure this proxy connection can be found in the Defender for Identity technical documentation. This tightly controlled setup ensures that the risk of these servers connecting to the cloud service is mitigated and that organizations benefit from the increased protection capabilities that Defender for Identity provides. Microsoft also recommends that these servers be protected with cloud-powered endpoint detection like Azure Defender for Servers.
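What "monitored, proxy-only egress and no browser" looks like on the DC itself, as an added example that is not from the article and not Microsoft's own script: a PowerShell run that allows outbound traffic only to internal networks and to a single forward proxy, explicitly blocks the default browser binaries, switches the firewall's default outbound action to Block with logging, and then audits the result. The internal ranges, proxy address and port are placeholders you must replace; the Defender for Identity sensor's own proxy settings are documented by Microsoft and are not reproduced here.

```powershell
# Added example (not the article's or Microsoft's code). Run elevated on a DC,
# in a maintenance window, after testing in a lab: a default outbound Block with
# wrong $InternalNets breaks replication, Kerberos and LDAP for every client.
# Placeholders (assumptions, adjust for your network):
#   $InternalNets         ranges the DC legitimately talks to (other DCs, clients,
#                         DNS forwarders, NTP, management hosts)
#   $ProxyHost/$ProxyPort the monitored forward proxy the MDI sensor and Windows
#                         Update are allowed to reach

$InternalNets = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')  # placeholder
$ProxyHost    = '10.0.5.20'                                          # placeholder
$ProxyPort    = 8080                                                 # placeholder
$Group        = 'DC Egress Hardening'

function Set-DcEgressPolicy {
    # Remove rules from a previous run so the script is idempotent
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # 1. Everything the DC needs on the internal network stays allowed
    New-NetFirewallRule -DisplayName 'DC egress: internal networks' -Group $Group `
        -Direction Outbound -Action Allow -RemoteAddress $InternalNets -Profile Any | Out-Null

    # 2. The only path to the internet is the monitored proxy
    New-NetFirewallRule -DisplayName 'DC egress: forward proxy' -Group $Group `
        -Direction Outbound -Action Allow -Protocol TCP `
        -RemoteAddress $ProxyHost -RemotePort $ProxyPort -Profile Any | Out-Null

    # 3. Browsers get an explicit per-program block so they cannot even reach the proxy
    $browsers = @(
        "$env:ProgramFiles\Internet Explorer\iexplore.exe",
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
    )
    foreach ($exe in $browsers) {
        New-NetFirewallRule -DisplayName "DC egress: block browser $(Split-Path $exe -Leaf)" `
            -Group $Group -Direction Outbound -Action Block -Program $exe -Profile Any | Out-Null
    }

    # 4. Default outbound becomes Block: anything not allowed above is dropped and logged,
    #    which is the "monitored" part of the guidance
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -DefaultOutboundAction Block -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

    # 5. Point WinHTTP clients (Windows Update and similar) at the proxy; the MDI
    #    sensor takes its proxy configuration as described in Microsoft's docs
    netsh winhttp set proxy proxy-server="http://${ProxyHost}:${ProxyPort}" bypass-list="<local>"
}

function Test-DcEgressPolicy {
    # Audit: report profiles that still allow outbound by default, and any enabled
    # outbound Allow rule that is not scoped to a remote address
    $findings = @()
    Get-NetFirewallProfile | Where-Object DefaultOutboundAction -ne 'Block' | ForEach-Object {
        $findings += "Profile $($_.Name) default outbound is $($_.DefaultOutboundAction)"
    }
    Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') {
            $findings += "Rule '$($_.DisplayName)' allows outbound to Any"
        }
    }
    return $findings
}

Set-DcEgressPolicy
Test-DcEgressPolicy
```

Expect the audit to list several of Windows' built-in "Core Networking" outbound rules (DNS, DHCP, time sync and the like), which allow traffic to Any remote address and are not affected by the default-action change; those are exactly the rules to scope to your forwarders and internal ranges or disable, otherwise the DC's own DNS service can still talk to the internet around your proxy. The firewall log at the path above is what you forward to your SIEM to satisfy the "not unmonitored" requirement.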

That said, Microsoft still recommends no internet access at all for organizations that operate in isolated environments for legal and regulatory reasons. You can check out the company’s guidance for DCs here.