Malicious actors will often seek to leverage stale Active Directory objects in order to execute an attack.
In order to keep your Active Directory clean and secure, it is crucially important that you know exactly who has access to what, how access was granted, and what they are doing with it.
Having a clean AD will help to streamline the process of granting and revoking access permissions. It will also make it easier to carry out security audits and comply with the relevant data privacy regulations.
In some cases, businesses need to migrate the data stored in AD, perhaps due to a merger with another company, or perhaps they decide to migrate their data to Azure AD.
Having a clean AD will make the transition a lot smoother. Below are some of the best practices for keeping your Active Directory clean and secure.
1. Disable Accounts for Users on Extended or Permanent Leave
There are many reasons why an employee might be on extended leave. Perhaps it is for maternity leave, or perhaps they have been furloughed due to unforeseen circumstances [cough]. It is always wise to disable their account until they return.
It’s not just hackers that we need to be concerned about. For example, if an employee is feeling disgruntled after being furloughed, they may try to access their account from home and use it for nefarious purposes.
It should also be noted that just because an account has been disabled, doesn’t mean that a hacker won’t still try to gain access to it. For example, they may try to use social engineering tactics to trick the HR department into re-enabling the account.
In addition to disabling the account, it’s often a good idea to limit the account’s access permissions before doing so. Then, when the employee returns, they can submit a request for more access when required.
If there’s a possibility that the employee will not return, their account could be moved to a separate OU for a period of time before being removed. If a user’s employment contract has been officially terminated, their account should be disabled as soon as possible.
2. Disable Built-in and Unused Admin Accounts
Administrator accounts should only be enabled when absolutely necessary. Likewise, the built-in admin accounts should only be used for setup and disaster recovery and should be disabled when not in use.
The approval process for granting access to an admin account should be well documented, and the process of enabling the accounts should be recorded. Likewise, the process for disabling admin accounts should be scheduled, automated, and recorded. Doing so will give administrators visibility into how, when, and why the accounts were used.
3. Ensure that Guest Access is Disabled
Guest accounts allow users to access the network without a password. The problem with guest accounts is that malicious actors will try to target these accounts in the hope that they can gain elevated privileges, through some means or another.
It’s a good idea to disable all guest accounts by default and rename them. Admins need to ensure that any necessary guest user accounts are deleted, and those that are necessary are assigned the least privileges they need to serve their purpose.
Admins must also ensure that guest users are not allowed to invite other users to the network.
4. Remove All Inactive User Accounts
Attackers often seek to compromise inactive user accounts as these accounts are rarely monitored, largely because security teams are often not aware that they exist. It is crucially important that you are able to identify and remove inactive user accounts in a timely manner.
These days, most sophisticated real-time auditing solutions have built-in features that can detect and manage inactive user accounts.
They typically work by checking the LastLogonTimeStamp attribute, in addition to other factors such as the creation date, the last logon date, and last password reset date, to determine if the account is still relevant.
5. Clean-up User Groups and Organizational Units
Active Directory groups are typically used to assign access rights to groups of users, whereas OUs act as containers for users, groups, and computers.
In some cases, groups and OUs are empty, yet still remain active in the system, thus creating a potential security risk. Security teams will need to ensure that they can identify and remove stale user groups and OUs in a timely manner.
Before removing any OUs, you must check that it doesn’t contain any children. If you’re not 100% sure if the group or OU is going to be used again, you can convert them to a distribution group, and move them to a secure container. That way you can restore them if necessary.
Active Directory Cleanup Solutions
As briefly mentioned already, there are solutions available that can provide you with enhanced visibility and control over your AD environment. These solutions use machine learning algorithms to monitor user activity, which helps to provide you with an overview of the usage patterns associated with specific users, groups, computers, and OUs. There are even specific Active Directory Cleanup solutions that detect and manage inactive user accounts, schedule AD clean-up actions and more.
Using this information, you can make informed decisions about which of these entities are still relevant, and which are not. They can also automate the process of detecting and managing inactive, or “ghost” user accounts, to ensure that malicious actors are not able to hijack them.