Active Directory Security

Guido Grillenmeier at Semperis asks whether Windows Server 2025 will improve Active Directory Security

Microsoft has stuck to its typical routine of releasing a major Windows Server operating system update every three years; the latest, Windows Server 2025, has been generally available since 1 November 2024.

Alongside the various Active Directory (AD) security updates that are the focus of this article, this latest iteration brings several adjustments to the OS, including the hotly anticipated ability to apply patches without rebooting – something that will be in great demand for critical workloads.

From a performance optimisation perspective for AD, there are several other changes to highlight, including:

  • The option to increase the database page size from 8 KB to 32 KB (requires Forest Functional Level 2025).
  • AD now fully utilises NUMA-capable hardware by using CPUs in all processor groups.
  • AD Replication Priority Boost, used especially for the promotion of new domain controllers.
  • DC Locator improvements allow mapping the NetBIOS name of a domain to its DNS name.
  • New performance counters (LDAP Client, DC Locator, LSA Lookups).

Today, however, I’d like to take a closer look at the security-focused enhancements to AD that Windows Server 2025 brings; this update marks the first relevant AD security improvements since Windows Server 2016.

AD security improvements of Windows Server 2025

There has long been a pressing need to make AD more secure. This vital identity directory service, used by almost 90% of organisations worldwide, controls user and authorisation management for critical applications and data, making it a prime target for attackers.

Today, it’s incredibly common for threat actors to go after AD, using it as a tool to elevate privileges and move laterally through their victim’s network after they have gained initial access via phishing or other vulnerabilities.

Ransomware attacks, in which a company’s entire infrastructure is paralysed by encryption, have increased dramatically over the last 10 years. And when it comes to ransomware, AD is almost always exploited to carry out these attacks, with Microsoft now taking action to better protect this core technology of its server operating system.

So, what exactly are the key AD security improvements that Windows Server 2025 brings to the table? At a glance, there are six to be aware of:

  • New account type: Delegated Managed Service Accounts
  • Various LDAP security improvements
  • Support for AES-SHA256/384 in Kerberos
  • Kerberos and PKINIT support cryptographic agility
  • Deactivation of mailslots (e.g. for the NET SEND Messenger Service)
  • Logon using a domain/forest trust identifier can be deactivated

While undoubtedly there are promising components, I do want to say that I believe Microsoft has missed an opportunity here.

Critically, it has not adjusted very basic security settings in AD, specifically the default access rights granted when a new directory service is installed, which have long made a new forest easy for attackers to spy on.

The standard authorisations for reading privileged identifiers (e.g. domain admins) remain unchanged: both the ‘Pre-Windows 2000 compatible access’ group and ‘Authenticated users’ still have full read permission for all users in a new 2025 domain. Thus, Microsoft has lost an important opportunity to improve the standard security of new AD installations.

With that said, the first two security improvements on the list are particularly interesting, offering the greatest potential for making your own AD more secure.

Delegated Managed Service Accounts

First, let’s look at the new Delegated Managed Service Account (dMSA) type that Windows Server 2025 is set to introduce.

For context, it’s important to understand that the original Windows NT domain concept failed to differentiate between ‘human’ and ‘technical’ identifiers. Due to this, applications that required technical user IDs for AD authentication and resource access were often given normal user IDs, coupled with a ‘password never expires’ option.

At the time, this setup was a necessary workaround. Critically, these ‘service accounts’ enabled important business applications to integrate with AD, with modern applications also using the ‘Service Principal Name’ (SPN) for Kerberos integration. However, the management problem with these service accounts was their frequently undocumented, cross-system use, which made recommended periodic password changes difficult.

To address this challenge, Microsoft introduced ‘Group Managed Service Accounts’ (gMSAs) with Windows Server 2012. A gMSA can be used by a group of servers, has a complex 256-character password that is rotated automatically, and supports the automatic assignment of SPNs.

The problem with this was that many AD administrators were not immediately ready to start or complete a large-scale project to replace all legacy service accounts with the more secure gMSAs owing to budget, skills and resource constraints. In fact, even more than a decade after gMSAs were introduced, there are still many poorly maintained service accounts in Active Directories around the world that remain vulnerable to attack.

This situation has worsened since 2014, when attackers began using service accounts with SPNs to elevate rights in AD. Critically, attackers can request a service ticket (TGS) without ever connecting to the target system of the service by knowing the SPN, which they can easily query in AD. This attack technique has become known as ‘Kerberoasting’.

Owing to this, many ‘legacy’ service accounts that still exist pose a major threat to existing AD installations. Fortunately, however, it appears that the new Delegated Managed Service Account (dMSA) that Microsoft is introducing with Windows Server 2025 intends to solve this problem.

Critically, the dMSA uses the security advantages of gMSAs while being easier to implement in environments in which many services are still configured with classic service accounts. The function of the old service accounts is simply taken over by (or delegated to) the new Managed Service Accounts, with the old service accounts then being deactivated so that they cannot cause any future damage.
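Before the old accounts can be delegated to dMSAs, an administrator needs to know which classic service accounts are still exposed in the way described above. The following added example (my illustration, not code from the article or from Microsoft) ranks user objects with SPNs by the risk factors the text mentions: non-expiring or very old passwords and RC4-only Kerberos keys. The records are constructed sample data mimicking an attribute export; attribute names and bit values are the standard AD ones.

```python
"""Rank classic (user-object) service accounts with SPNs for migration to
dMSA/gMSA. All records below are constructed sample data, not a real export."""
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: 'password never expires'
ACCOUNTDISABLE = 0x0002        # userAccountControl: account is disabled
AES128, AES256 = 0x08, 0x10    # msDS-SupportedEncryptionTypes AES bits
MAX_PASSWORD_AGE = timedelta(days=365)
SAMPLE_NOW = datetime(2024, 11, 1, tzinfo=timezone.utc)  # fixed 'today'

SAMPLE_EXPORT = [  # constructed; no real directory behind these values
    {"sam": "svc_legacy_app", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "userAccountControl": 0x10200, "pwdLastSet": "2015-03-02T09:00:00+00:00",
     "msDS-SupportedEncryptionTypes": 0},
    {"sam": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "userAccountControl": 0x200, "pwdLastSet": "2024-09-01T09:00:00+00:00",
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sam": "gmsa_sql$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["MSSQLSvc/db02.corp.example:1433"],
     "userAccountControl": 0x200, "pwdLastSet": "2024-10-15T09:00:00+00:00",
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sam": "svc_old_disabled", "objectClass": "user",
     "servicePrincipalName": ["CIFS/old01.corp.example"],
     "userAccountControl": 0x10202, "pwdLastSet": "2012-01-01T09:00:00+00:00",
     "msDS-SupportedEncryptionTypes": 0},
]

def assess(record, now):
    """Risk reasons for one classic service account, or None if the record
    is not a migration candidate (managed account, no SPN, or disabled)."""
    if record["objectClass"] != "user" or not record["servicePrincipalName"]:
        return None                      # gMSA/dMSA already rotate their keys
    uac = record["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        return None                      # disabled: no service ticket is issued
    reasons = []
    if uac & DONT_EXPIRE_PASSWD:
        reasons.append("password never expires")
    age = now - datetime.fromisoformat(record["pwdLastSet"])
    if age > MAX_PASSWORD_AGE:
        reasons.append(f"password {age.days} days old")
    if not record["msDS-SupportedEncryptionTypes"] & (AES128 | AES256):
        reasons.append("RC4-only Kerberos keys")
    return reasons

def legacy_service_accounts(export, now):
    """sAMAccountName -> reasons, worst first; an empty list means no findings."""
    found = {r["sam"]: assess(r, now) for r in export}
    found = {k: v for k, v in found.items() if v is not None}
    return dict(sorted(found.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for sam, why in legacy_service_accounts(SAMPLE_EXPORT, SAMPLE_NOW).items():
        print(f"{sam}: {', '.join(why) or 'no findings'}")
```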

With that said, it’s important to note that the new dMSA also requires an adjustment to the Kerberos client in the operating systems where legacy service accounts are active. However, it is hoped, and expected, that Microsoft will also add this capability to the Kerberos client of some older operating systems so that the solution can be more broadly helpful moving forward.

LDAP security improvements

It’s also worth highlighting the various improvements to the protection of LDAP itself, given the significant value they offer in combating LDAP relaying / man-in-the-middle risks for LDAP access.

Critically, the key improvements can be summarised as follows:

  • LDAP signing is now required by default.
  • LDAP channel binding is active by default if the client supports it.
  • LDAP client encryption is preferred by default.
  • Reading confidential attributes requires an encrypted connection.

Administrators should know that the first three points are nothing new: Windows Server 2025 merely changes the default settings, leaving customers who have not implemented these settings themselves less vulnerable.

There is still the option to switch these improvements off in case of problems with applications. However, the more ‘secure-by-default’ approach is certainly the right one. LDAP channel binding in particular should always remain activated, as it prevents the LDAP relaying attacks that have become increasingly popular.
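Rather than switching the new signing default off when something breaks, an administrator can find the affected clients beforehand: domain controllers with LDAP interface diagnostics raised log Directory Service event 2889 for every unsigned SASL bind or clear-text simple bind. The added example below (my illustration, not code from the article or from Microsoft) summarises such events per client; the event text is constructed sample data that follows the layout of the real message's trailing fields.

```python
"""Summarise Directory Service event 2889 entries so the clients that would
be refused under the Windows Server 2025 'signing required' default can be
fixed before the upgrade. The event text below is constructed sample data."""
import re
from collections import defaultdict

# Constructed 2889-style messages (real events carry these fields after a
# fixed preamble). Binding Type 0 = SASL bind without signing,
# Binding Type 1 = simple bind over a clear-text (non-TLS) connection.
SAMPLE_EVENTS = """\
Client IP address: 10.10.1.20:51234 Identity the client attempted to authenticate as: CORP\\svc_legacy_app Binding Type: 0
Client IP address: 10.10.1.20:51240 Identity the client attempted to authenticate as: CORP\\svc_legacy_app Binding Type: 0
Client IP address: 10.10.5.7:40001 Identity the client attempted to authenticate as: CORP\\scanner01 Binding Type: 1
Client IP address: 10.10.9.3:60000 Identity the client attempted to authenticate as: CORP\\jdoe Binding Type: 1
"""

EVENT_RE = re.compile(
    r"Client IP address: (?P<ip>[\d.]+):\d+ "
    r"Identity the client attempted to authenticate as: (?P<identity>\S+) "
    r"Binding Type: (?P<kind>[01])")

def parse_events(text):
    """Yield (client_ip, identity, kind); kind is 'unsigned_sasl' or
    'cleartext_simple'. Lines that do not match the 2889 layout are skipped."""
    for m in EVENT_RE.finditer(text):
        kind = "unsigned_sasl" if m["kind"] == "0" else "cleartext_simple"
        yield m["ip"], m["identity"], kind

def summarise(text):
    """Group by client IP: identities used and a count per bind kind.
    Every client listed would fail once LDAP signing is required."""
    report = defaultdict(lambda: {"identities": set(),
                                  "unsigned_sasl": 0, "cleartext_simple": 0})
    for ip, identity, kind in parse_events(text):
        report[ip]["identities"].add(identity)
        report[ip][kind] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, info in sorted(summarise(SAMPLE_EVENTS).items()):
        ids = ", ".join(sorted(info["identities"]))
        print(f"{ip}: unsigned SASL={info['unsigned_sasl']} "
              f"clear-text simple={info['cleartext_simple']} as {ids}")
```

Clear-text simple binds are the more urgent finding: they fail under the new default and also expose the password on the wire today, so those clients should move to LDAPS or a signed SASL bind first.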

As for the fourth point, it’s another secure-by-default change: to read BitLocker recovery keys or the LAPS password of a computer, an encrypted connection will be required in the future.

Promising progress?

Overall, it’s good to see that Microsoft has not given up on Active Directory. The update in Windows Server 2025 is a clear commitment to the longevity of this critical on-prem service.

The new default settings for LDAP security are particularly promising, and many small improvements have also been added to ensure that AD will generally become more secure.

In the case of the very promising Delegated Managed Service Accounts, we’ll have to wait and see when Microsoft will adapt the Kerberos client of existing operating systems – hopefully back to Server 2016. If/when this happens, the many existing and unfortunately insecure service accounts can finally be replaced by the technical accounts we always wanted.

It’s certainly a case of watch this space. However, it’s promising to see that Microsoft seems to finally be taking significant action.

Guido Grillenmeier is Principal Technologist at Semperis