If you would like to read the next part in this article series please go to Active Directory in the Cloud (Part 2).
Introduction
In my previous 3-part article series over on our WindowsNetworking.com sister site, titled Windows 10: Nearing the Finish Line, I provided a broad overview of some of the new features and functionalities of Microsoft’s next (and some say “last”) client operating system, expected to be released later this year. We took a look at both the interface changes and some of the business-oriented features such as the Unified App Store, Windows as a Service (WaaS) and new or improved enterprise-centric security mechanisms such as Data Loss Prevention (DLP), better biometrics support and secure integration of data sharing across multiple devices.
Something that I didn’t mention in that article, or in my previous article here titled Windows 10: Secure Enough for Government?, is one of the most important reasons for security professionals to welcome this latest version of the OS: integration with Azure Active Directory. Windows 10 will be first client operating system that’s built to help bridge the gap between on-premises and cloud networks while providing users with both convenience and security.
The history and evolution of directory services
Windows network administrators are intimately familiar with Active Directory, but even though it might seem as though AD has been around forever, it wasn’t a part of the venerable Windows NT Server – the operating system that dared to challenge Novell NetWare. NetWare dominated the server space for most of the 1990s, thanks in part to its global directory service, NDS, which was introduced in NetWare v4 in 1993.
Windows NT Server 3.1 came out in 1993, as well. It had a rudimentary directory service, NT Directory Services (NTDS) but the NT domain model was flat and not very scalable. As Microsoft sought to appeal to the enterprise market where Novell had a seeming stranglehold, it was necessary for them to create a more sophisticated and extensible version of directory services that could compete with NDS.
Directory services are important components of large IP networks, because they serve as the means for storing, organizing and making available information about the objects on the network. Objects include users, computers, printers, files, folders – all of the resources that reside on the network. Directory services define a namespace and rules governing how network objects are identified.
Objects have attributes, which are the properties of the object. For example, a user object has such attributes as display name, email address, telephone number, etc. as well as security attributes such as memberOf, which lists the groups to which the user account belongs, and many more. Objects are grouped into classes, and directory schemas define all of the objects and attributes that the directory can use to store information. Without directory services, it would be much more difficult for users and applications to locate resources on the network.
Enter Active Directory
Microsoft introduced Active Directory in the 1990s, but it was first officially released as part of the operating system with Windows 2000 Server at the turn of the century (and millennium). Active Directory was hailed as a game-changer and indeed, whether coincidentally or not with the release of Windows 2000 Microsoft began to make serious inroads into Novell’s server market share.
Active Directory is an LDAP-compatible directory service. What that means is that it’s based on the Lightweight Directory Access Protocol, which is an industry standard application protocol that is defined in IETF (Internet Engineering Task Force) RFCs (Requests for Comment). LDAP was an outgrowth of DAP (Directory Access Protocol), which was part of the X.500 standards developed in the 1980s.
LDAP directory services are hierarchical, so that the objects are organized into a tree-like structure. Active Directory uses the constructs of forests, trees, domains, subdomains and organizational units (OUs), all of which are containers that hold objects. Security principles (users and computers) can be placed into groups for easier management. Users, computers or groups can be placed into organizational units. Organizational units can be nested inside other OUs.
OUs reside within domains, which also can be placed inside other domains; this created “parent” and “child” domains that make up a domain tree. The domains in a tree share a contiguous namespace and a transitive trust relationship. Multiple domains can then be grouped into forests. Finally, forests can be connected in federations. Group Policy can be applied at various levels of the directory, which greatly simplifies management and centralizes security.
What’s the down side?
All of the powerful features of Active Directory come with a price – both monetary and in terms of administrative time and effort. It requires Windows Server, obviously, and best practices dictate that you have multiple domain controllers (the servers that are responsible for handling logon and access authentication for the AD domain). Setting up an Active Directory infrastructure can be a complex process and requires proper planning, especially if your domain spans multiple physical sites. In a large network with many domains and trees, trust relationships can be complicated.
Active Directory is also a favorite target of hackers and attackers. If the directory or your DCs go down, users won’t be able to access any of the resources in the domain.
Directory services in the cloud
Windows networks have been depending on Active Directory to maintain a central repository of information for many years. Now along comes cloud computing, which is proving to be a disruptive technology and is changing the way many organizations operate their IT services.
Many applications that have been traditionally used on premises rely on Active Directory for authentication and access permissions. When these applications are moved to the cloud, it becomes necessary to extend your Active Directory into the cloud, as well. One way to do this is to host Windows Server running as a domain controller in a virtual machine in a public cloud such as Azure or AWS.
Sticking with the Microsoft solution, this involves connecting your on premises network to a virtual network running on Azure, which can be done via a site-to-site VPN. Then the Azure virtual network will function like another subnet. You will need to configure on premises Active Directory Sites and Subnets, register DNS servers in Azure, create your Azure virtual network with a site-to-site VPN and then create a new replica DC in Azure. If you’re interested in going this route, you can find more detailed instructions for all of this on this TechNet blog site.
Azure Active Directory to the rescue
The second way to extend Directory Services into the cloud is the real focus of this article series. That centers on using the Windows Azure Active Directory. Azure AD was built specifically for providing identity management and authentication for cloud-centric applications.
Azure AD gives you an identity service that can be used across all of your cloud applications and it can be used as a standalone directory service in the cloud or it can be synchronized with your on premises Windows Server Active Directory infrastructure. Your users get the convenience of single sign-on for both on premises applications and cloud based applications – the best of both worlds.
A big advantage of Azure AD is that it works with all of the different computing platforms that we now see enterprise users using to access their work resources in this BYOD era: Windows desktops, laptops and phones, Mac OS X computers, iOS-based tablets and phones, and Android devices. This enables the mobile workforce that is becoming more and more important.
Azure Active Directory also supports Azure Multi-factor authentication (MFA), which you can use to make access to the cloud-based applications and services more secure. This also helps to protect Azure administrator accounts from compromise. It also works with Office 365 and other SaaS applications and can be built into your applications with the SDK. MFA is available with Azure Active Directory Premium.
There are three editions of Azure Active Directory: the free edition comes with any subscription to Azure. It gives you single sign-on across Azure, Office 365, Google Apps, Dropbox and many other popular software services. The next step up is the basic edition, adds group-based access management and self-service password resetting. You can also publish on premises web applications to Azure Active Directory with its application proxy and you get “three nines” uptime (99.9%) in the SLA.
The premium edition for enterprises includes MFA, Microsoft Identity Manager (MIM), self-service management of groups, and advanced security reports and alerts, also with “three nines” uptime.
Summary
Now that we’ve laid the foundation and provided a broad overview of what Azure Active Directory is and what it does, in Part 2 we will go into more detail about how it works and how to implement it in business scenarios.
If you would like to read the next part in this article series please go to Active Directory in the Cloud (Part 2).
