Windows® Domain Controller And Zero Trust Security

By Zach DeMeyer Posted February 23, 2019


There’s a new security model being adopted in the IT world these days. It is known as
Zero Trust Security, and you can see its instantiation in models such as Google® BeyondCorp. But, from a more practical standpoint, many IT admins are wondering about the intersection of the Windows® domain controller and Zero Trust Security.

Exploring the Windows Domain and Zero Trust Security

Does the Windows domain controller work in a zero trust security environment? It’s actually a really insightful question and a foundational topic. Another way to ask the question is what role does the Windows domain play with Zero Trust Security? In order to answer the question, we must first explore what each of the two parts entail.

The Windows domain is a construct of the early days of IT, made ubiquitous by the widespread adoption of Microsoft® Active Directory® (AD). Since IT environments at the time were almost entirely Windows-based, using a directory service designed specifically for that OS made sense. Given that everything in IT was Windows-centric, AD acted as the “portcullis” to the “castle” that was the Windows domain. The domain controller became the backbone of a perimeter-based approach to security (more on that in a second). With this approach, there were several layers of security, including AD, firewalls, and more, that users had to pass through to reach the juicy inner core of critical data, or the “royal court,” if you will.

The concept of Zero Trust, on the other hand, is based on the assumption that every user and device is a potential attack vector. Zero trust security lets no one into the network without first establishing trust, usually via passwords, TOTP (time-based one-time passwords), and other forms of user authentication. Unlike the perimeter security model, zero trust does not rely on a “hard outer shell” to protect data. Instead, it relies on guided discretion (nearing paranoia) as the weathervane for all security decisions. As Robbie Sinclair said, “Security is always excessive until it’s not enough.”

Aligning the Windows Domain Controller and Zero Trust Security

So, using these two definitions, we can compare the Windows domain controller and zero trust security. At best, the two are orthogonal; they are two completely different methods of locking down an IT network. While both are capable of safeguarding a network, the Windows domain-centric approach is quickly falling out of favor.

That viewpoint makes a great deal of sense in the modern era of IT. Today’s networks are rarely all Windows-based and on-prem, built around Active Directory and the domain controller. A modern network is full of macOS® and Linux® systems, AWS® cloud infrastructure, web applications, NAS appliances and Samba file servers, WiFi networks, and other non-Windows components.

A Cloud Domain Controller for Zero Trust Security

Since the Windows domain has broken down in the face of the modern IT environment, admins are searching for a new directory service to use in tandem with a zero trust approach to security. This replacement for the traditional domain controller should be delivered from the cloud and capable of federating user access to virtually all resources, regardless of their provider, protocol, platform, or location. This cloud directory also needs to contain features geared towards fostering a zero trust environment. These features include password complexity requirements, multi-factor authentication (MFA), RADIUS authentication, VLAN assignment, full disk encryption (FDE), and more.

The good news is that this concept is available from the modern cloud identity management platform, JumpCloud® Directory-as-a-Service®. With a ‘domain-less’ concept, this cloud directory enables users to access the IT resources they need wherever they may be, across whatever platforms, providers, and protocols are required. Directory-as-a-Service also features cross-platform policies which admins can use to enforce password requirements, MFA, and FDE.

Learn More

If your organization is working through the relationship between the Windows domain controller and zero trust security, make your choice easier and give JumpCloud a try. The platform is completely free for your first ten users, and you can contact us for support regardless of whether you have a paid account or not. You can also schedule a demo of the product to see how it operates in the hands of an expert.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.