This topic explains the various measures that we take to harden Managed Service for Microsoft Active Directory and minimize security vulnerabilities.
No public internet access
To improve security, Managed Microsoft AD is not exposed to the public internet. Managed Microsoft AD makes all connections through private IP from authorized networks:
Hosting: Managed Microsoft AD hosts every VM that runs Active Directory in its own VPC, which isolates customers from each other.
Connecting: You can use authorized networks to connect to Managed Microsoft AD through private IP. Managed Microsoft AD handles the VPC peering for these connections.
Patching: Managed Microsoft AD applies Windows patches to the Managed Microsoft AD VMs without using public internet access. For more information about how Managed Microsoft AD handles patching, see Patching.
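The three points above describe a private-IP-only layout: the domain lives in its own VPC, and authorized networks reach it through VPC peering. The following added example (not Google's code and not part of the original page) is a preflight check that a practitioner can run over a proposed layout before creating a domain. It takes the domain's reserved CIDR, the subnets of each authorized network and the addresses the domain controllers are expected to use, and verifies that every address is in an RFC 1918 private range and that the reserved range does not overlap any authorized subnet (overlapping ranges would break peering routes). The minimum /24 prefix length is an assumption about the service's requirements, and all CIDRs and addresses below are constructed sample data.

```python
"""Preflight check for a Managed Microsoft AD network layout (added example).

Verifies the two properties implied by a private-IP-only design:
  1. the reserved range and all DC addresses are RFC 1918 private;
  2. the reserved range does not overlap any subnet of an authorized network.
The /24 minimum is an assumed service requirement; all sample data is constructed.
"""
import ipaddress
from typing import Dict, List

# RFC 1918 private address space; anything outside these blocks is treated as
# publicly routable for the purpose of this check.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: the domain's reserved range must be a /24 or larger.
MAX_RESERVED_PREFIXLEN = 24


def is_rfc1918(addr: str) -> bool:
    """Return True if addr is an IPv4 address inside an RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in block for block in RFC1918)


def find_overlaps(reserved_cidr: str, authorized_subnets: Dict[str, List[str]]) -> List[str]:
    """Return 'vpc:cidr' for every authorized subnet that overlaps the reserved range."""
    reserved = ipaddress.ip_network(reserved_cidr, strict=True)
    hits = []
    for vpc, subnets in authorized_subnets.items():
        for cidr in subnets:
            if reserved.overlaps(ipaddress.ip_network(cidr, strict=True)):
                hits.append(f"{vpc}:{cidr}")
    return hits


def check_layout(reserved_cidr: str,
                 authorized_subnets: Dict[str, List[str]],
                 dc_addresses: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the layout passes."""
    findings = []
    reserved = ipaddress.ip_network(reserved_cidr, strict=True)

    if not any(reserved.subnet_of(block) for block in RFC1918):
        findings.append(f"reserved range {reserved_cidr} is not an RFC 1918 range")
    if reserved.prefixlen > MAX_RESERVED_PREFIXLEN:
        findings.append(f"reserved range {reserved_cidr} is smaller than /{MAX_RESERVED_PREFIXLEN}")

    for addr in dc_addresses:
        if not is_rfc1918(addr):
            findings.append(f"DC address {addr} is not in an RFC 1918 range")
        elif ipaddress.ip_address(addr) not in reserved:
            findings.append(f"DC address {addr} is outside reserved range {reserved_cidr}")

    for hit in find_overlaps(reserved_cidr, authorized_subnets):
        findings.append(f"authorized subnet {hit} overlaps reserved range {reserved_cidr}")
    return findings


if __name__ == "__main__":
    # Constructed sample layout: one authorized subnet collides with the
    # reserved range and one DC address is outside private space.
    sample_findings = check_layout(
        "10.10.0.0/24",
        {"prod-vpc": ["10.0.0.0/20", "10.1.0.0/24"], "shared-vpc": ["10.10.0.128/25"]},
        ["10.10.0.5", "203.0.113.10"],
    )
    for finding in sample_findings:
        print("FAIL:", finding)
    if not sample_findings:
        print("layout OK")
```

The check is deliberately stricter than Python's `is_private`, which also accepts loopback, link-local and other special-use blocks that should never appear as a domain controller address.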
Shielded VMs
Shielded VMs are virtual machines (VMs) hardened by a set of security controls that help defend against rootkits and bootkits. Shielded VM features protect all Managed Microsoft AD VMs at no additional cost.
Managed Microsoft AD VMs are seeded from the public Compute Engine Windows Server 2019 image. These images have Shielded VM features enabled and are optimized for running on Compute Engine infrastructure.
Security monitoring and protection
We use the operating system's built-in antivirus to protect the Managed Microsoft AD instances against viruses and malware. The antivirus scans your Managed Microsoft AD VMs and detects security threats, such as viruses, malware, and spyware. The antivirus then logs these security events, which we analyze and remediate if required.
Patching
Managed Microsoft AD tests all Windows patches before applying them. During testing, Managed Microsoft AD runs probes and validates customer use cases, availability, security, and reliability. After a patch passes these tests, Managed Microsoft AD applies it.
During patches and updates, the AD domain remains available. When a domain controller (DC) requires maintenance, Managed Microsoft AD adds a new DC running the new and validated patch to the Active Directory domain before it demotes the old DC. This ensures that there are always at least two DCs running at any given time. The update process does not require any public internet access. The full patch rollout usually takes a few days, as it updates domain controllers one after another.
Credential rotation and encryption
Managed Microsoft AD uses several methods to protect credentials. Managed Microsoft AD frequently rotates credentials and encrypts them using industry-standard techniques. Credentials created for managing AD are never shared between instances. Only a small support team and automated systems can access these credentials. Managed Microsoft AD destroys these credentials when it deletes the instance.
Restricted production access
Managed Microsoft AD employs multiple systems and processes to ensure that Google Cloud engineers have minimal access to the Managed Microsoft AD domain. Only a small number of on-call engineers have access to production data. They access the production environment only to perform a recovery on a domain or for advanced troubleshooting. Each access requires a validated justification before it can proceed, and Managed Microsoft AD logs and audits it internally. Managed Microsoft AD automates most accesses so that engineers cannot access AD data. In rare scenarios, on-call engineers might need to remotely access domain controllers. In these cases, the remote access uses Identity-Aware Proxy (IAP), not the public internet.