Active Directory

Voice of O365 uses Active Directory to store user objects and deployment information. The SoftApp-distribution Active Directory environment resides in the local network and is not reachable from the internet. Secure trusts can be made through an IPsec connection. This trust is configured to only allow a connection to the Active Directory environment. The firewall is designed to only allow traffic from approved Active Directory trust servers. SoftApp-distribution always minimizes the number of computers connected to the AD environment.

Figure 1. SoftApp-distribution AD environment.

The IP limitation minimizes the attack vector for third parties.

Potential trust risks are:

  • Attack on trusting forest by malicious user in a trusted forest. A malicious user with administrative credentials who is located in a trusted forest could monitor network authentication requests from the trusting forest to obtain the security ID (SID) information of a user who has full access to resources in the trusting forest, such as a Domain or Enterprise Administrator. 
    The risk is minimized by limiting the access of third parties to only their personal OU in the SoftApp Active Directory. The connecting third party has only READ-level access to their OU.

  • Attack on shared resources in a trusting forest by malicious users in another organization’s forest. Creating an external or forest trust between two forests essentially provides a pathway for authentications to travel from the trusted forest to the trusting forest. While this action by itself does not necessarily create a threat to either forest, because it allows all secured communications to occur over the pathway, it creates a larger surface of attack for any malicious user located in a trusted forest. Selective authentication can be set on interforest trusts to help minimize this attack surface area. For more information about how to mitigate this threat, see “Security Settings for Interforest Trusts.”
    Customers have the option to minimize the potential access for SoftApp-distribution by using selective access, thus allowing access only to certain security groups.
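
The two trust risks above can be checked on the trusting side by decoding each trust's `trustDirection` and `trustAttributes` values. The following is an added example, not part of the SoftApp-distribution documentation: the flag values are the ones defined for `trustedDomain` objects in MS-ADTS, and the trust names and sample values are constructed.

```python
# Added example: flag trusts whose settings widen the risks described above.
# Flag values: trustAttributes / trustDirection bits as defined in MS-ADTS.
QUARANTINED = 0x04         # SID filtering (quarantine) enabled
FOREST_TRANSITIVE = 0x08   # forest trust
CROSS_ORGANIZATION = 0x10  # selective authentication enabled
WITHIN_FOREST = 0x20       # intra-forest trust, not a security boundary
TREAT_AS_EXTERNAL = 0x40   # forest trust with relaxed SID filtering
OUTBOUND = 0x2             # trustDirection bit: local domain is the trusting side


def audit_trust(name, direction, attrs):
    """Return findings for one trust, seen from the local (trusting) domain."""
    findings = []
    # Only trusts where the local domain accepts foreign authentications matter.
    if (attrs & WITHIN_FOREST) or not (direction & OUTBOUND):
        return findings
    if not (attrs & CROSS_ORGANIZATION):
        findings.append(f"{name}: selective authentication is off")
    if attrs & FOREST_TRANSITIVE:
        if attrs & TREAT_AS_EXTERNAL:
            findings.append(f"{name}: forest trust treated as external, SID filtering relaxed")
    elif not (attrs & QUARANTINED):
        findings.append(f"{name}: SID filtering (quarantine) is off")
    return findings


# Constructed sample data: (trust partner, trustDirection, trustAttributes)
SAMPLE_TRUSTS = [
    ("customer-a.example", 2, 0x14),  # external, quarantined, selective auth
    ("customer-b.example", 3, 0x08),  # forest trust, no selective auth
    ("customer-c.example", 2, 0x00),  # external, nothing enabled
    ("customer-d.example", 1, 0x00),  # inbound only: local side is trusted
    ("customer-e.example", 2, 0x58),  # forest, selective auth, treat-as-external
]


def audit_all(trusts):
    """Audit every trust and return a flat list of findings."""
    return [f for name, d, a in trusts for f in audit_trust(name, d, a)]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_TRUSTS):
        print(finding)
```

On a domain controller the same two values can be read from the `trustedDomain` objects under the domain's `System` container.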