Active Directory (AD) functional levels, play a crucial role in the enterprise's security posture. The security capabilities and features of AD are directly dependent on the functional levels within the Domain and Forest architecture. This article will go into detail about current AD functional levels, and what security features are introduced into each version.
Why are AD Functional Levels Often Forgotten?
AD functional configuration is often forgotten for many reasons. In most of the environments I have reviewed, they are at a lesser level than what they should be. Here are a few reasons I see this often forgotten.
Environment Complexity. Most AD environments are highly complex, with many moving parts. There is a huge demand on a systems engineer. Implementing projects, directives from management, firefighting, just to name a few.
Lack of Understanding. Some engineers may not know the implications and benefits or underestimate of updating the functional levels.
Fear of Disruption. If it isn't broken don't touch it because there is so much else to do. There is usually apprehension when upgrading functional levels, what are the implications, what will break, what will be the impact to users, how long of an outage do I need?
Legacy Systems. Sometimes old domain controllers are the reason for staying on an older functional level.
AD Functional Levels Security Features
Below are the current AD functional levels and the security features introduced in them.
Windows Server 2000
Supported domain controllers: Windows Server 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
Domain: Universal groups can be utilized as both distribution groups and security groups.
Domain: Group nesting.
Domain: Security identifier (SID) history.
Windows Server 2003
Supported domain controllers: Windows Server 2003, Window Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016.
Domain: Last Logon Timestamp Attribute. This helps identify inactive accounts that may pose a security risk if compromised. For more information click here.
Domain: Constrained Delegation. Allows administrators to limit the services to which a server can act on behalf of a user, enhancing the security of delegated authentication scenarios. For more information click here.
Domain: Selective Authentication over Forest Trusts: This feature gives administrators the ability to specify which users in a trusted forest can access shared resources in the trusting forest, significantly enhancing security in a multi-forest environment.
Forest: Forest Trusts: The ability to create forest trusts between Active Directory forests simplifies resource sharing across forests while maintaining security boundaries. This feature allows for more granular control over which resources are accessible to users from trusted forests.
Forest: Improved Replication: The introduction of the Knowledge Consistency Checker (KCC) algorithm improvements and the ability to create instances of application directory partitions across domain controllers within a forest improved the efficiency and reliability of AD replication. Enhanced replication security is a byproduct of these improvements, as they ensure more consistent application of security policies and changes across the forest.
Forest: Linked Value Replication (LVR): LVR improves the replication of multi-valued attributes by replicating only the changed values instead of the entire set. This enhancement reduces replication traffic and improves overall efficiency, indirectly benefiting security by ensuring that critical updates, such as group membership changes, are propagated more quickly and reliably.
Forest: SID History: The use of the SID (Security Identifier) History attribute in forest trusts allows for smoother migrations and interoperability between forests by ensuring that users retain access to resources despite having their SIDs changed. This aids in secure migration scenarios, allowing organizations to maintain access controls during transitions.
Windows Server 2008
Supported domain controllers: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022.
Domain: Fine-Grained Password Policies: This feature allows for more detailed control over password policies, enabling different password and account lockout policies to be applied to different users or groups within the same domain. This is particularly useful in organizations where different levels of security are required for different sets of users. For more information click here.
Domain: Advanced Encryption Standard (AES) Support for Kerberos Authentication Protocols: AES encryption enhances the security of Kerberos authentication by providing a stronger encryption algorithm than what was previously available, making it more difficult for attackers to compromise network traffic.
Domain: Read-Only Domain Controllers (RODCs): RODCs provide a way to deploy domain controllers in locations where physical security cannot be guaranteed, reducing the risk of exposing sensitive AD data. RODCs hold a read-only copy of the AD database and do not allow changes to be made directly to the AD database, mitigating the risk of credential theft from these less secure locations.
Domain: Last Interactive Logon Information: This feature provides information about the last successful logon and any unsuccessful logon attempts on a per-user basis, offering better visibility into potential unauthorized access attempts. For more information click here.
Windows Server 2008 R2
Supported domain controllers: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022.
Domain: Authentication Mechanism Assurance: This feature enhances the security of network resources by embedding information about the type of authentication (e.g., smart card) used to log on to a computer within the user's Kerberos ticket. This allows administrators to apply different access controls based on the strength of the authentication method, ensuring that more sensitive resources require stronger authentication methods for access.
Domain: Managed Service Accounts (MSAs): MSAs were introduced to provide a more secure and manageable method for handling service accounts. With Windows Server 2008 R2, SPNs for services running under MSAs are automatically managed by AD, reducing the administrative burden and improving the security of service accounts. For more information click here.
Forest: Active Directory Recycle Bin: Although not exclusively a security feature, the Active Directory Recycle Bin improves the ability to recover from accidental deletions of AD objects, thereby enhancing the overall resilience of the AD environment. For more information click here.
Windows Server 2012
Supported domain controllers: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022.
Domain: Dynamic Access Control (DAC): This feature enhances file system security by allowing administrators to apply permissions and access controls based on user claims, device claims, and resource properties. DAC facilitates more granular access control policies, improving data governance and reducing the risk of data leakage. For more information click here.
Domain: Support for Claims, Compound Authentication, and Kerberos Armoring (FAST): These improvements provide a richer and more secure authentication mechanism. Claims-based authentication allows for more detailed access control decisions, compound authentication supports scenarios where both user and device claims are evaluated, and Kerberos Armoring (FAST) helps protect against various types of attacks on the authentication process.
Domain: Group Managed Service Accounts (gMSA): Extending the Managed Service Account concept, gMSAs provide a more secure and manageable method for services running on multiple servers to access resources. This feature reduces the overhead associated with password management for service accounts across servers. For more information click here.
Windows Server 2012 R2
Supported domain controllers: Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022.
Domain: Authentication Policy Silos: This feature allows administrators to create policies that can provide tighter control over which accounts can log on to which computers. By grouping users and computers into silos, organizations can implement more granular access controls, reducing the risk of privilege escalation and lateral movement within the network. For more information click here.
Domain: Protected Users Security Group: Members of this new security group are afforded additional protections against certain types of attacks, such as credential theft and pass-the-hash attacks. For example, members of the Protected Users group cannot authenticate with NTLM, use DES or RC4 cipher suites in Kerberos pre-authentication, or be delegated with unconstrained or constrained delegation. This feature significantly enhances the security posture for sensitive accounts. For more information click here.
Windows Server 2016
Supported domain controllers: Windows Server 2016, Windows Server 2019, Windows Server 2022.
Forest: Privileged Access Management (PAM): This feature, although part of Microsoft Identity Manager (MIM) 2016, relies on AD functional level 2016 to offer enhanced security for high-privilege accounts. PAM helps to mitigate security risks associated with privileged accounts through time-bound membership in administrative groups, reducing the attack surface by making privileged access available only when needed. For more information click here.
Forest: Group Membership Expiration: Directly related to PAM, this feature allows administrators to add users to a group for a specified period. This is particularly useful for granting temporary access to resources or for roles that require limited-time elevation of privileges, automatically revoking access after the expiry time. For more information click here.
How to Upgrade Your AD Functional Level
Verify Active Directory health. For more information click here.
Review your domain controllers for compatibility. Upgrade any legacy domain controller operating systems. For instance, to gain 2016 functional level, all domain controllers must be Server 2016 or higher.
Make sure applications and services that rely on Active Directory are compatible with the new level.
Make a backup of your Active Directory. I've never had to restore after upgrading, but it is always good to have a plan of just in case.
Raise the domain functional level. After all domains have been upgraded, move on to the next step.
Raise the forest functional level.
Verify Active Directory health. For more information click here.
Upgrading AD domain and forest functional levels are easy. Implementing the security features introduced may take a little time to implement but well worth it in helping your enterprise's security posture.