
Enterprise Active Directory project to reduce University's cyberthreat exposure

The Enterprise Active Directory adoption project aids Penn State’s distributed IT units as they transition all computers, servers and services to authenticate with the single, centrally managed directory EAD service. Credit: Talia Barnes / Penn State Creative Commons

UNIVERSITY PARK, Pa. — On an average day, Penn State repels millions of hostile cyberattacks against its network infrastructure that come from around the world. 

As part of efforts to fortify the University’s data and people from potential cyberthreats, the Office of Information Security (OIS) and Penn State IT are working with IT units throughout Penn State to consolidate all local instances of Microsoft Active Directories — an authentication and account system for computers and servers — to the University’s more secure Enterprise Active Directory (EAD) service. To this end, all distributed IT units must decommission their local Active Directory by June 30, 2020 (unless an explicit exception is granted by OIS for its continued operation).

The EAD service, which is co-managed by OIS and Penn State IT, provides a single, more secure directory and authentication service offered centrally, enabling IT staff members to better manage users’ “digital credentials” and access to applications and data while reducing the University’s threat surface for cyberattacks. 

“Since Active Directory is an authentication and account system, it is a common target for those intent on compromising Penn State systems,” said Rich Sparrow, the University’s acting chief information security officer. 

According to Sparrow, the more Active Directories the University runs, the larger the risk it carries. Distributed IT units running their own local instances of Active Directory increase their security risk profile: an attacker who compromises a local directory can gain administrative privileges on every computer joined to it, including client computers and servers.

“Once inside, they have the keys to the kingdom, so to speak, and may move throughout the network undetected,” said Sparrow.

The Enterprise Active Directory Adoption Project (EADAP) began in December 2018 to aid Penn State’s distributed IT units as they transition their computers, servers and services to authenticate with the single, centrally managed EAD service. At that time, there were more than 90 distributed local Active Directories throughout Penn State.

“This presented a huge attack surface for cyberthreats,” said Sparrow.

To date, 41 local Active Directories have been decommissioned, and of the more than 53,000 computer objects in the University’s enterprise, 42,541 — or 80% — now use EAD for authentication. 

“Our mission moving forward is to capitalize on the adoption project’s momentum, thus strengthening the security posture at the University,” said Sparrow. “Protecting credentials and the authentication systems that use them is essential to protecting Penn State's information assets and is a foundation for our overall cybersecurity strategy.”

Penn State’s EAD was designed with assistance from Microsoft’s Cybersecurity team to integrate with enterprise-level security monitoring systems to enable a high level of security, especially when compared to the practice of distributed IT units running their own local deployment of Active Directory. Upon migrating to EAD, units transfer the burden of maintaining a secure Active Directory and associated risks to OIS and Penn State IT.

“There are many talented IT staff in the units who are working to consolidate directory services and reduce the attack surface as we look to move away from some of the reliance on legacy authentication and authorization systems (e.g. Cosign and Kerberos) in the near future,” said Sparrow. “The University's security posture is greatly improved by migrating Linux and Mac, as well as Windows, operating systems to authenticate against a single EAD.”

In addition to mitigating risks, the EAD adoption project aligns with the University’s IT Modernization efforts to increase efficiencies throughout IT and control costs. This project will also decrease the University’s technical debt and reliance on local unit Active Directories. 

“Not only does moving to EAD mitigate our risk exposure, but the single platform controls redundant costs and advances the mission of the University by allowing the units to focus on their specific objectives,” said Don Welch, interim vice president for Information Technology and chief information officer. 

“Our most effective security is happening where we have consolidated our infrastructure,” said Sparrow. “By transitioning to an Enterprise Active Directory infrastructure, Penn State is better positioned to respond to the increasingly complex challenge of protecting information that has been entrusted to the University.” 

To learn more about the benefits of EAD and the EAD adoption project, visit the Enterprise Active Directory Adoption Project website.

Last Updated January 21, 2020