Overview
Identity Infrastructure Security protects the systems that store, manage, and authenticate identities—Active Directory, Entra ID, LDAP directories, identity providers, and certificate authorities. These systems are the crown jewels of enterprise security: if attackers compromise identity infrastructure, they gain persistent access to the entire environment. Identity infrastructure attacks (Kerberoasting, Golden Ticket, DCSync, federation token forging) are central to nearly every major breach. Securing this infrastructure requires hardening configurations, implementing tiered administration, monitoring for attack indicators, and preparing for rapid response. Good looks like no successful identity infrastructure compromises, immediate detection of attack attempts, and the ability to recover identity services within hours of a catastrophic incident.
Architecture & Reference Patterns
Pattern 1: Active Directory Tiered Administration
Implement Microsoft's tiered administration model to contain credential exposure:
- Tier 0: Domain controllers, AD administrators, PKI, federation services—highest privilege, most restricted
- Tier 1: Servers and enterprise applications—cannot access Tier 0
- Tier 2: Workstations and user devices—cannot access Tier 0 or 1
Credentials used at one tier cannot be used at a lower tier. Privileged Access Workstations (PAWs) enforce this boundary.
Tier 0 (Identity Infrastructure)
↑ (one-way trust, PAWs only)
Tier 1 (Servers/Applications)
↑ (restricted access)
Tier 2 (Workstations/Users)
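One way to audit the boundary the tier model draws, as an added example (not code from the page or from Microsoft's tiering guidance): a Python check that maps successful logon events (Event ID 4624) against a tier inventory and flags any credential used outside its own tier, in either direction. The inventory, account names, hosts and event field names are constructed assumptions.

```python
# Added example (not part of the page): audit Windows logon events (Event ID 4624)
# against a tier inventory. The inventory, account and host names are constructed.
from typing import List, Optional

# Constructed inventory: the tier each admin account and each host belongs to.
ACCOUNT_TIER = {"da-alice": 0, "srv-bob": 1, "jane": 2}
HOST_TIER = {"DC01": 0, "PAW01": 0, "APP01": 1, "WS-JANE": 2}


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one logon event, or None when it respects the model."""
    if event.get("EventID") != 4624:
        return None  # only successful logons are tier-checked here
    account = event.get("TargetUserName", "")
    host = event.get("Computer", "")  # the machine the logon occurred on
    if account.endswith("$"):
        return None  # machine accounts are outside this check
    a_tier, h_tier = ACCOUNT_TIER.get(account), HOST_TIER.get(host)
    finding = {"account": account, "host": host}
    if a_tier is None or h_tier is None:
        finding["issue"] = "unclassified"  # inventory gap: classify before trusting the audit
    elif a_tier < h_tier:
        # Privileged credential used on a lower-tier host: exposed to whoever owns that host
        finding["issue"] = f"tier {a_tier} credential exposed on tier {h_tier} host"
    elif a_tier > h_tier:
        # Lower-tier account reaching up into a more privileged tier
        finding["issue"] = f"tier {a_tier} account accessed tier {h_tier} host"
    else:
        return None  # same tier: allowed (e.g. Tier 0 admin on a PAW or DC)
    return finding


def audit(events: List[dict]) -> List[dict]:
    return [f for f in (classify(e) for e in events) if f]


SAMPLE_EVENTS = [  # constructed 4624 events, trimmed to the fields the check uses
    {"EventID": 4624, "TargetUserName": "da-alice", "Computer": "PAW01"},    # ok
    {"EventID": 4624, "TargetUserName": "da-alice", "Computer": "WS-JANE"},  # DA creds on a workstation
    {"EventID": 4624, "TargetUserName": "jane", "Computer": "APP01"},        # user on a Tier 1 server
    {"EventID": 4624, "TargetUserName": "srv-bob", "Computer": "APP01"},     # ok
    {"EventID": 4624, "TargetUserName": "srv-bob", "Computer": "SQL99"},     # host not in inventory
    {"EventID": 4624, "TargetUserName": "DC01$", "Computer": "DC01"},        # machine account, skipped
    {"EventID": 4634, "TargetUserName": "jane", "Computer": "WS-JANE"},      # logoff, ignored
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"{f['account']:>10} @ {f['host']:<8} {f['issue']}")
```

Unclassified hosts are reported rather than ignored because an incomplete inventory is the usual way the model decays in practice.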
Pattern 2: Cloud Identity Hardening
For Entra ID (Azure AD) and other cloud identity providers:
- Protect Global Admin accounts with phishing-resistant MFA and emergency access procedures
- Enable Privileged Identity Management (PIM) for just-in-time admin access
- Configure Conditional Access to block legacy authentication and enforce device compliance
- Deploy Microsoft Defender for Identity or equivalent for threat detection
Pattern 3: Hybrid Identity Security
Secure the boundary between on-premises AD and cloud identity:
- Harden AD Connect servers (treat as Tier 0)
- Secure federation services (AD FS, PingFederate) against token forging attacks
- Monitor synchronization for unauthorized changes
- Implement CAEP (Continuous Access Evaluation Protocol) for real-time security event propagation between environments
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Tiering implementation | Full tier model, Simplified (Tier 0 only), None | Simplified at minimum | Full model is ideal but complex; protect Tier 0 first |
| Domain Controller access | RDP from PAWs, Local console only, Remote management tools | PAWs with MFA | Never expose DC RDP to Tier 1/2 systems |
| Admin account strategy | Separate accounts per tier, Shared with MFA, Same as user accounts | Separate accounts per tier | "God accounts" used everywhere are catastrophic risk |
| Password for KRBTGT | Rotate annually, Rotate after incident, Never rotate | Rotate annually + after any incident | Golden Ticket persistence requires KRBTGT rotation |
| Federation server protection | On-premises hardened, Cloud-hosted, Eliminated (cloud-native auth) | Cloud-native where possible | Each federation server is a token-forging risk |
| Monitoring approach | Native AD auditing, SIEM integration, Dedicated ITDR | SIEM + ITDR | Native auditing alone misses sophisticated attacks |
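Two of the rules a SIEM or ITDR deployment would carry for attacks this page names, as an added example (not code from the page or any vendor product): a DCSync rule on Event ID 4662 and a Kerberoasting rule on Event ID 4769, run over constructed events. The replication GUIDs and encryption type values are the well-known AD constants; the event field names and all sample values are assumptions.

```python
# Added example (not part of the page): SIEM-style rules for DCSync and Kerberoasting
# over constructed Windows Security events; field names follow 4662/4769 conventions.
from collections import defaultdict
from typing import List, Set, Tuple

REPLICATION_GUIDS = (  # well-known AD extended-rights GUIDs that grant replication
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)
RC4_HMAC = "0x17"  # Kerberos ticket encryption type; AES tickets are 0x11 / 0x12

def is_dcsync(event: dict, allowed: Set[str]) -> bool:
    """4662: replication rights used by anything not in `allowed` (DCs, AD Connect sync account)."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    if not any(g in props for g in REPLICATION_GUIDS):
        return False
    return event.get("SubjectUserName", "") not in allowed

def is_kerberoast(event: dict) -> bool:
    """4769: successful RC4 service ticket for a user-account SPN (not a computer, not krbtgt)."""
    if event.get("EventID") != 4769 or event.get("Status") != "0x0":
        return False
    svc = event.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return event.get("TicketEncryptionType", "").lower() == RC4_HMAC

def detect(events: List[dict], allowed: Set[str]) -> List[Tuple[str, str]]:
    """(rule, detail) pairs; Kerberoast hits are grouped per requester by distinct SPN count."""
    alerts, roast = [], defaultdict(set)
    for e in events:
        if is_dcsync(e, allowed):
            alerts.append(("DCSync", e["SubjectUserName"]))
        elif is_kerberoast(e):
            roast[e["TargetUserName"]].add(e["ServiceName"])
    for who, spns in roast.items():  # one account pulling many RC4 tickets is the real indicator
        alerts.append(("Kerberoasting", f"{who} ({len(spns)} RC4 SPN tickets)"))
    return alerts

ALLOWED_REPLICATORS = {"DC01$", "DC02$"}  # constructed; add the AD Connect sync account in real use
SAMPLE_EVENTS = [  # constructed
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jane", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4769, "TargetUserName": "jane", "ServiceName": "svc-sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jane", "ServiceName": "svc-web", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jane", "ServiceName": "APP01$", "TicketEncryptionType": "0x17", "Status": "0x0"},
]
```

The RC4 rule will fire on legitimate RC4 traffic wherever that cipher is still enabled, which is why the allowlist and the per-requester grouping matter more than the individual match.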
Implementation Approach
Phase 0: Discovery
Inputs: Current AD architecture, cloud identity configuration, admin account inventory, security baseline assessment
Outputs: AD security assessment, Tier 0 asset inventory, misconfiguration findings, attack surface analysis, remediation priority list
Phase 1: Design
Inputs: Assessment findings, compliance requirements, operational constraints
Outputs: Target security architecture, tiered administration design, PAW deployment plan, monitoring strategy, emergency access procedures
Phase 2: Build & Integrate
Inputs: Architecture design, selected tools, deployment plan
Outputs: Tier 0 hardening completed, PAWs deployed, monitoring implemented, emergency access configured, AD security configurations applied
Phase 3: Rollout
Inputs: Built infrastructure, migration plan, training materials
Outputs: Admin accounts migrated to tiered model, monitoring validated with attack simulations, operations team trained, runbooks deployed, legacy admin practices deprecated
Phase 4: Operate
Inputs: Secured infrastructure, operational procedures
Outputs: Continuous monitoring and response, monthly security configuration reviews, quarterly attack simulations, annual penetration testing of identity infrastructure
Deliverables
- Identity infrastructure security assessment
- Tiered administration architecture and design
- Privileged Access Workstation (PAW) deployment guide
- Emergency access ("break glass") procedures
- AD security configuration baseline
- Entra ID conditional access policy catalog
- Identity infrastructure monitoring strategy
- Incident response playbooks for AD attacks (Kerberoasting, DCSync, Golden Ticket)
Risks & Failure Modes
| Risk | Likelihood | Impact | Early Signals | Mitigation |
|---|---|---|---|---|
| Tier model enforcement breaks down over time | H | H | Admins using regular workstations, credential reuse across tiers | Regular auditing, technical enforcement (policies, PAWs) |
| Attackers compromise AD before detection | M | H | Late-stage breach discovered, persistent access established | ITDR deployment, attack path analysis, red team exercises |
| Emergency access procedures fail during crisis | L | H | Break glass doesn't work when needed, extended outage | Regular testing, multiple recovery paths, documented procedures |
| Legacy systems require Tier 0 credential exposure | M | H | Old apps need domain admin, NTLM dependencies | Application modernization roadmap, compensating controls |
| Hybrid sync becomes attack path | M | H | Cloud-to-on-prem lateral movement, sync account compromise | Harden AD Connect, monitor sync changes, least privilege |
KPIs / Outcomes
- Tier 0 systems compliant with security baseline (target: 100%)
- Admin accounts using dedicated privileged credentials (target: 100%)
- Time to detect identity infrastructure attacks (target: less than 15 minutes)
- KRBTGT password age (target: rotated at least annually)
- Emergency access procedure test success rate (target: 100%)
- Privileged access using just-in-time elevation (target: greater than 90%)
- Legacy authentication protocols blocked (target: 100% in cloud identity)
