Even though there are plenty of books and papers on Active Directory security, AD breaches just don't seem to stop. What can the reason be? Are IT admins failing to grasp the finer points of AD security? Or are they unable to keep up with the new, more advanced attacks that appear every day?
Both could be the reason. Each is a subject of intensive research in its own right, but within the scope of this blog I can give a few basic security tips on which a larger security infrastructure can be built. These tips map naturally onto the PDCA (Plan-Do-Check-Act) cycle, a method for managing and continuously improving processes that Active Directory security can be aligned with.
You need a plan to start with. Beyond the basic network topology, which is driven mainly by business needs, you need a framework for authenticating users, controlling access and enforcing policy, because security can only be assured if these are in mind from the outset. A few things to consider in this regard: user rights, Group Policy Objects (GPOs), administrative and elevated accounts and so on. Who should be able to see what, and how much? These questions are best answered at the planning stage, even though it is understood that changes will be needed later to meet evolving security requirements.
- User Rights: Controlling user access rights is at the core of AD security, especially against insider threats. Weigh every single addition of a user to a privileged group, and make such changes only from dedicated administrative accounts. Organizational Units (OUs) are there for a purpose: classify accounts and keep each class in its own OU, which makes them easier to manage and lets you scope delegation and Group Policy to each class.
- Least-privilege administrative model: I have seen administrators grant more rights than required just to save themselves a thorough analysis of which permissions are precisely needed. The approach should be the opposite: start with the least permission and add to it only when a need is shown. Delegating one specific right over one OU is almost always preferable to adding someone to Domain Admins.
- Bring your own device (BYOD) policy: Would you mind if I plugged my flash drive into one of your network computers? As a network administrator, you should. BYOD is popular as an employee-satisfaction measure, but it carries an inherent risk that you should be ready to address, the "end node problem": a personal device is used inside the trusted network and then, after a theft for example, is used to steal company data. Have a plan ready for how to deal with such cases, including which devices may join the domain and whether removable storage is allowed at all.
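To make the OU and least-privilege points concrete, here is an added PowerShell example (my own, not code from the original post). It creates separate OUs for ordinary users, Tier-0 administrators and role groups, then delegates exactly one right, resetting passwords on user objects under the Standard Users OU, to a helpdesk group, instead of putting helpdesk staff in Domain Admins. The domain corp.example and the OU, group and account names are assumptions; the two GUIDs are the well-known schema GUIDs for the Reset Password extended right and the user object class.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# a domain corp.example (DC=corp,DC=example) and hypothetical OU/group names.
Import-Module ActiveDirectory

$DomainDN = 'DC=corp,DC=example'
$UsersOU  = "OU=Standard Users,$DomainDN"
$GroupsOU = "OU=Role Groups,$DomainDN"

# One OU per class of account, so delegation and Group Policy can be scoped per class.
foreach ($name in 'Standard Users', 'Tier0 Admins', 'Role Groups') {
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $DomainDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $name -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }
}

# A role group for the helpdesk. Nobody joins Domain Admins just to reset passwords.
$Helpdesk = Get-ADGroup -LDAPFilter '(sAMAccountName=Helpdesk-PasswordReset)' -SearchBase $GroupsOU
if (-not $Helpdesk) {
    $Helpdesk = New-ADGroup -Name 'Helpdesk-PasswordReset' -GroupScope Global `
                            -GroupCategory Security -Path $GroupsOU -PassThru
}

# Well-known schema GUIDs: the "Reset Password" extended right and the "user" object class.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Grant that single right, on user objects only, inherited throughout the Standard Users OU.
$acl  = Get-Acl -Path "AD:\$UsersOU"
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$UsersOU" -AclObject $acl

# Check 1: the only ACE the helpdesk group holds here is Reset Password on user objects.
(Get-Acl -Path "AD:\$UsersOU").Access |
    Where-Object { $_.IdentityReference -like '*\Helpdesk-PasswordReset' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType

# Check 2: the role group must not be nested inside any of the four high-privilege groups.
$privileged = 'Enterprise Admins', 'Domain Admins', 'Administrators', 'Schema Admins'
Get-ADPrincipalGroupMembership -Identity $Helpdesk |
    Where-Object { $privileged -contains $_.Name } |
    ForEach-Object { Write-Warning "Helpdesk-PasswordReset is a member of $($_.Name); remove it." }
```

The second check matters because delegation only stays "least privilege" while the role group is kept out of the built-in groups; run it whenever group membership is reviewed.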
Once you have a plan, it is time to carry it out in a way that serves its purpose. A few things deserve special mention here.
- Restricting privileged accounts: Privileged accounts should be used only for the tasks they were created for, and for nothing else. A stricter regime also changes the account's password after every task performed with it, so that a credential captured during the task cannot be reused later.
- System updates: Not all network admins are as punctual as they should be in applying the updates and patches Microsoft releases. What may look to some like a routine exercise is in fact the basic environment in which a strong security ecosystem can flourish, so make sure your network is kept patched.
- Password policy: "The password is there to keep my colleagues from logging into my system while I am away." I have known people who think that way, but it is wrong. Passwords do more than that; they are also the first barrier against breaches launched from outside the network by professional attackers, as long as you enforce a stringent policy on complexity, length, history and expiration.
- Biometrics: An over-strict password policy leads some users to find a way around it. A password such as "Password1!" satisfies a typical complexity rule and yet sits in every attacker's wordlist. Can you afford to move to biometric authentication? Integrating biometrics with Active Directory is no longer a big deal. You can use multi-factor authentication combining fingerprints, PKI smart cards and HID cards, which is not only more secure but also more convenient for end users.
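The password-policy and privileged-account items above, as an added PowerShell example (mine, not from the original post): the weak default policy is shown beside a corrected one, a stricter fine-grained policy is applied to the privileged groups only, and a helper rotates a privileged account's password after use, as the "use it, then change it" rule demands. The domain corp.example, the policy name PSO-PrivilegedAccounts and the account da-alice are assumptions.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module, a domain
# corp.example and hypothetical policy, group and account names.
Import-Module ActiveDirectory

$Domain = 'corp.example'

# Before: a weak default policy seen on far too many domains (short, no complexity, no lockout).
# Shown for comparison only, not applied.
#   Set-ADDefaultDomainPasswordPolicy -Identity $Domain -MinPasswordLength 7 `
#       -ComplexityEnabled $false -LockoutThreshold 0

# After: the default domain policy that every account gets.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# Fine-grained policy (a Password Settings Object) for privileged accounts only: longer
# passwords, shorter lifetime, quicker lockout. Where several PSOs apply, the lowest Precedence wins.
$pso = 'PSO-PrivilegedAccounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "name -eq '$pso'")) {
    New-ADFineGrainedPasswordPolicy -Name $pso -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Hours 1) `
        -LockoutObservationWindow (New-TimeSpan -Hours 1) -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Check which policy really applies to an account (the PSO should win over the domain default).
Get-ADUserResultantPasswordPolicy -Identity 'da-alice' | Select-Object Name, MinPasswordLength, MaxPasswordAge

# "Use it, then change it": rotate a privileged account's password after a task so that a
# hash or ticket captured during the task is worthless afterwards.
function Reset-PrivilegedPassword {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Length = 32)
    # Easily read-back alphabet; rejection sampling avoids the modulo bias that a plain
    # "byte % alphabet length" would introduce.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars    = New-Object System.Collections.Generic.List[char]
    $byte     = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { $chars.Add($alphabet[$byte[0] % $alphabet.Length]) }
    }
    $secret = ConvertTo-SecureString -String (-join $chars) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -NewPassword $secret -Reset
    return $secret   # hand this to the password vault; never write it to a log or ticket
}

Reset-PrivilegedPassword -SamAccountName 'da-alice' | Out-Null
```

The resultant-policy check is worth keeping in a scheduled job: a PSO that nobody applied to the right groups, or one shadowed by another with a lower precedence, silently leaves privileged accounts on the domain default.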
Planning and implementing are only half the battle. Examining Active Directory to determine the accuracy, quality and condition of its schema and state is equally challenging. Thankfully there are applications that make this part easier; Lepide Software offers Lepide 2020 audit and control suite, which simplifies auditing to a great extent.
- Monitor privileged accounts: Active Directory has four built-in highest-privilege groups: Enterprise Admins (EA), Domain Admins (DA), the built-in Administrators group and Schema Admins. Other privileged accounts include local administrator accounts, privileged user accounts, domain administrative accounts and service accounts. Failing to monitor every single change to these accounts and groups is a sin; put extra effort into them.
- Track Active Directory events: Who is logging into which system, when and from where? After tracking privileged accounts, answering these questions should be your next priority. Tracking logon events, object access, process events, system events and so on should be part of the daily routine. That presupposes the relevant audit policy is enabled; a domain controller that is not auditing logon and account-management events produces nothing to review.
- Monitor critical services and check system health: Active Directory depends on certain critical services running properly. The Server service, the SYSVOL replication service (DFS Replication, or the older File Replication Service on domains that never migrated), the Netlogon service and the DNS Client service are examples where even a small disturbance can cause big problems. Key server parameters such as CPU and memory usage are important inputs on server health. Monitoring these services and getting precise statistics on system health is very important.
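The three checks above, as one added PowerShell script (mine, not from the original post or from any product the post mentions): it diffs the members of the four highest-privilege groups against a saved baseline, pulls the Security events that record membership changes and interactive logons over the last day, and verifies the critical services and basic host health. It assumes the ActiveDirectory module, that it runs on a domain controller with auditing of account management and logon events enabled, and a hypothetical baseline path under C:\ADChecks.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module, that the
# script runs on a domain controller with auditing of account management and logon events
# enabled, and a hypothetical baseline path.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators', 'Schema Admins'
$BaselinePath     = 'C:\ADChecks\privileged-baseline.json'

function Get-PrivilegedMembers {
    $result = @{}
    foreach ($g in $PrivilegedGroups) {
        # -Recursive flattens nested groups, so an account hidden two groups deep still shows up.
        $result[$g] = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                        Select-Object -ExpandProperty SamAccountName | Sort-Object)
    }
    return $result
}

# Diff today's membership against a saved baseline; the first run just records the baseline.
function Compare-PrivilegedBaseline {
    $current = Get-PrivilegedMembers
    if (-not (Test-Path $BaselinePath)) {
        New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
        $current | ConvertTo-Json | Set-Content -Path $BaselinePath
        Write-Host "Baseline written to $BaselinePath"
        return
    }
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($g in $PrivilegedGroups) {
        $before = @($baseline.$g); $after = @($current[$g])
        $after  | Where-Object { $before -notcontains $_ } | ForEach-Object { Write-Warning "$_ ADDED to $g since baseline" }
        $before | Where-Object { $after  -notcontains $_ } | ForEach-Object { Write-Warning "$_ REMOVED from $g since baseline" }
    }
}

# Flatten the <EventData><Data Name="..."> elements of a Security event into a hashtable.
function ConvertFrom-EventData($Event) {
    $xml = [xml]$Event.ToXml(); $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4728/4756/4732 = member added to a global/universal/domain-local security group; 4729/4757/4733 = removed.
function Get-PrivilegedChangeEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4728, 4729, 4732, 4733, 4756, 4757; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Group = $d.TargetUserName
                           Member = $d.MemberName; ChangedBy = $d.SubjectUserName }
    } | Where-Object { $PrivilegedGroups -contains $_.Group }
}

# 4624 = successful logon. Logon type 2 is console, 10 is RDP; type 3 (network) is far noisier.
function Get-InteractiveLogons {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; User = "$($d.TargetDomainName)\$($d.TargetUserName)"
                           LogonType = $d.LogonType; SourceIp = $d.IpAddress; Workstation = $d.WorkstationName }
    } | Where-Object { $_.LogonType -in '2', '10' }
}

# The services the post names, plus the ones a domain controller cannot function without.
function Test-DCHealth {
    $critical = 'LanmanServer', 'Netlogon', 'Dnscache', 'Kdc', 'NTDS', 'W32Time'
    # SYSVOL replication: DFSR on migrated domains, NtFrs on those still on File Replication Service.
    $critical += $(if (Get-Service -Name DFSR -ErrorAction SilentlyContinue) { 'DFSR' } else { 'NtFrs' })
    foreach ($name in $critical) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc)                 { Write-Warning "$name is not installed"; continue }
        if ($svc.Status -ne 'Running') { Write-Warning "$name is $($svc.Status)" }
    }
    $cpu = (Get-Counter -Counter '\Processor(_Total)\% Processor Time').CounterSamples[0].CookedValue
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $mem = 100 * (1 - $os.FreePhysicalMemory / $os.TotalVisibleMemorySize)
    [pscustomobject]@{ CpuPercent = [math]::Round($cpu, 1); MemoryPercent = [math]::Round($mem, 1) }
}

Compare-PrivilegedBaseline
Get-PrivilegedChangeEvents | Format-Table -AutoSize
Get-InteractiveLogons      | Format-Table -AutoSize
Test-DCHealth
```

The baseline diff and the event query deliberately overlap: the events tell you who made a change and when, the diff catches a change whose event was never logged or has already rolled out of the Security log.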
Get your act together to work on the reports. Besides that, there are a few other things to act on.
- Move to current technology: Your infrastructure investment needs time to break even, but you cannot gamble network security on that, because obsolete systems carry risks that can put business continuity itself in jeopardy. Discard systems and applications that Microsoft no longer supports with security updates and patches; they become vulnerable by default.
- Remove inactive accounts: A single inactive, obsolete account in your Active Directory can lead to a major incident, yet the problem is easy to avoid if such accounts are found in time, before one is used to pull off an attack. Find and disable or remove obsolete, unused accounts before they become a threat.
- Install antivirus: Malware has been used to breach networks for as long as networks have existed. There are well-known products that promise to protect your network from such breaches; let one of them take care of neutralizing malware on your network.
- Get real-time alerts: How much should I watch, and for how long? Is it practically feasible to review every event? Even if it were, it is certainly not the right way to do it. Create real-time alerts for important events so that you act only when required, and in time. LepideAuditor Suite for Active Directory auditing lets you receive alerts anytime, anywhere on your mobile device.
- Have restore capabilities: Now you have the means to know about a problem, and to know about it in time. But that is not all: you also need a means to fix the problem quickly. What could be easier than opening the report, selecting the undesirable event and clicking a restore button that puts everything back to normal? LepideAuditor provides that.
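The inactive-account and restore items above, as an added PowerShell example (mine, not from the original post or from the product it mentions): accounts with no logon for 90 days are disabled, stamped with a note and parked in a quarantine OU; after a further 30 days there they are deleted; and a second function brings a wrongly deleted account back from the AD Recycle Bin. It assumes the ActiveDirectory module, that the Recycle Bin optional feature is enabled (the script warns if it is not), and a hypothetical quarantine OU in the domain corp.example.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module, that the
# AD Recycle Bin is enabled, and a hypothetical quarantine OU in domain corp.example.
Import-Module ActiveDirectory

$QuarantineOU = 'OU=Quarantine,DC=corp,DC=example'
$InactiveFor  = New-TimeSpan -Days 90   # no logon for 90 days => disable and quarantine
$GraceFor     = New-TimeSpan -Days 30   # 30 more days in quarantine => delete

# Without the Recycle Bin a deleted account becomes a tombstone stripped of most attributes
# and group memberships, so a one-click restore is impossible. Enabling it is a one-way change:
#   Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target corp.example
$rb = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) { Write-Warning 'AD Recycle Bin is not enabled; restores will be incomplete.' }

function Invoke-StaleAccountCleanup {
    param([switch]$Delete)
    # AccountInactive is judged on lastLogonTimestamp, which replicates but can lag by up to 14 days,
    # so the effective threshold is a little over 90 days. Skips the built-in Administrator (RID 500).
    $stale = Search-ADAccount -AccountInactive -TimeSpan $InactiveFor -UsersOnly |
             Where-Object { $_.Enabled -and $_.SID.Value -notlike '*-500' -and
                            $_.DistinguishedName -notlike "*,$QuarantineOU" }
    foreach ($acct in $stale) {
        $note = "Disabled $(Get-Date -Format yyyy-MM-dd) by stale-account cleanup; last logon: $($acct.LastLogonDate)"
        Disable-ADAccount -Identity $acct.ObjectGUID
        Set-ADUser -Identity $acct.ObjectGUID -Description $note   # audit trail on the object itself
        Move-ADObject -Identity $acct.ObjectGUID -TargetPath $QuarantineOU
        Write-Host "Quarantined $($acct.SamAccountName)"
    }
    if ($Delete) {
        # Second pass: remove accounts whose grace period in quarantine has expired.
        $cutoff = (Get-Date) - $GraceFor
        Get-ADUser -SearchBase $QuarantineOU -Filter 'Enabled -eq $false' -Properties Description |
            Where-Object { $_.Description -match '^Disabled (\d{4}-\d{2}-\d{2}) ' -and [datetime]$Matches[1] -lt $cutoff } |
            ForEach-Object { Remove-ADUser -Identity $_ -Confirm:$false; Write-Host "Deleted $($_.SamAccountName)" }
    }
}

# Undo a wrong deletion: the object comes back from the Recycle Bin with its SID and memberships intact.
function Restore-DeletedUser {
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$TargetPath)
    $obj = Get-ADObject -LDAPFilter "(&(sAMAccountName=$SamAccountName)(isDeleted=TRUE))" `
                        -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $obj) { throw "No deleted account named $SamAccountName" }
    if (-not $TargetPath) { $TargetPath = $obj.lastKnownParent }
    Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $TargetPath
    Enable-ADAccount -Identity $SamAccountName   # the cleanup above disabled it before deletion
}

Invoke-StaleAccountCleanup   # add -Delete to also purge accounts past their grace period
# Restore-DeletedUser -SamAccountName 'jdoe' -TargetPath 'OU=Standard Users,DC=corp,DC=example'
```

Disabling before deleting is the point of the grace period: a quarantined account that someone turns out to need is re-enabled and moved back in seconds, whereas a deleted one depends on the Recycle Bin being on and the deleted-object lifetime not having expired.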
Conclusion: Always watch your network. Others may be watching it too, and you should see more than they do. Network security is an ongoing process, not a fire-and-forget method that you deploy once and then assume success. External compliance standards are a good baseline; diligently meeting a standard such as SOX or HIPAA can go a long way toward securing Active Directory. Nothing is invincible; every day we hear of corporations of all sizes falling prey to hackers. Have a backup plan ready in case an Active Directory breach happens, so that it can be rolled back to a known-good state in time.