Active Directory is one of the most important security mechanisms in any Windows network. It holds everything from user accounts and password policies to Group Policy settings, so most organizations put considerable effort into deciding which Active Directory settings best meet their security requirements. Even so, all of that careful planning can be undone by configuration drift.
Configuration drift is the gradual accumulation of changes over time. It is usually discussed in the context of software deployment or desktop operating system configuration, but it applies equally to Active Directory. There, drift shows up as inconsistencies in the way objects are configured, or as settings that nobody documented. It is normal for Active Directory settings to evolve, but that evolution needs to happen in a tightly controlled manner so that drift does not set in.
In spite of an organization's best efforts, configuration drift within Active Directory can, and often does, occur. An administrator might, for example, forget to document a new setting. Similarly, an administrator may apply a new security setting to one domain and forget to apply it to the organization's other domains, leaving the domains inconsistent with one another.
The tools built into Windows Server can be used to detect configuration drift within Active Directory, but the evaluation process is labor intensive and detection does not happen in real time. IT pros who want to protect their Active Directory environments against configuration drift are better off using a third-party solution such as LepideAuditor for Active Directory.
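As an added illustration of the native, labor-intensive route the paragraph above refers to (this is example code, not from the original article or from Lepide), the following PowerShell captures the default domain password policy of each domain as a snapshot, compares it against an approved baseline, and reports every setting that has drifted, which also exposes the one-domain-updated, other-domains-forgotten case. It assumes the ActiveDirectory module (RSAT) and a domain-joined machine for live use; the function names, the baseline file name and the demonstration data at the end are this example's own constructions.

```powershell
# Added example (not from the original article): snapshot-and-diff drift
# detection for the default domain password policy across all domains.
# Function names and the baseline.json file are assumptions of this example.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Capture the settings worth tracking for one domain as a flat object.
function Get-PasswordPolicySnapshot {
    param([Parameter(Mandatory)][string]$Domain)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain -Server $Domain
    [pscustomobject]@{
        Domain                      = $Domain
        MinPasswordLength           = $p.MinPasswordLength
        PasswordHistoryCount        = $p.PasswordHistoryCount
        MaxPasswordAge              = $p.MaxPasswordAge.ToString()   # TimeSpan as text so it round-trips through JSON
        LockoutThreshold            = $p.LockoutThreshold
        ComplexityEnabled           = $p.ComplexityEnabled
        ReversibleEncryptionEnabled = $p.ReversibleEncryptionEnabled
    }
}

# Compare one snapshot against the approved baseline: one row per drifted setting.
# Values are compared as strings so that JSON-loaded baselines and live objects match.
function Compare-Snapshot {
    param(
        [Parameter(Mandatory)]$Baseline,
        [Parameter(Mandatory)]$Current
    )
    foreach ($name in $Baseline.PSObject.Properties.Name) {
        if ($name -eq 'Domain') { continue }
        $expected = "$($Baseline.$name)"
        $actual   = "$($Current.$name)"
        if ($expected -ne $actual) {
            [pscustomobject]@{
                Domain   = $Current.Domain
                Setting  = $name
                Expected = $expected
                Actual   = $actual
            }
        }
    }
}

# --- Live use (domain-joined machine with RSAT) ---
# First run, after settings are approved: save the baseline once.
#   Get-PasswordPolicySnapshot -Domain (Get-ADDomain).DNSRoot |
#       ConvertTo-Json | Set-Content .\baseline.json
# Scheduled runs: check every domain in the forest against it.
#   $baseline = Get-Content .\baseline.json | ConvertFrom-Json
#   foreach ($d in (Get-ADForest).Domains) {
#       Compare-Snapshot -Baseline $baseline -Current (Get-PasswordPolicySnapshot -Domain $d)
#   }

# --- Offline demonstration with constructed data (no directory needed) ---
$baseline = [pscustomobject]@{
    Domain = 'baseline'; MinPasswordLength = 14; PasswordHistoryCount = 24
    MaxPasswordAge = '90.00:00:00'; LockoutThreshold = 10
    ComplexityEnabled = $true; ReversibleEncryptionEnabled = $false
}
$domains = @(
    [pscustomobject]@{
        Domain = 'corp.example'; MinPasswordLength = 14; PasswordHistoryCount = 24
        MaxPasswordAge = '90.00:00:00'; LockoutThreshold = 10
        ComplexityEnabled = $true; ReversibleEncryptionEnabled = $false
    },
    [pscustomobject]@{
        Domain = 'emea.corp.example'; MinPasswordLength = 8; PasswordHistoryCount = 24
        MaxPasswordAge = '90.00:00:00'; LockoutThreshold = 10
        ComplexityEnabled = $false; ReversibleEncryptionEnabled = $false
    }
)
$drift = foreach ($snap in $domains) { Compare-Snapshot -Baseline $baseline -Current $snap }
$drift | Format-Table -AutoSize
```

With the constructed data, only the second domain produces rows (MinPasswordLength and ComplexityEnabled), which is exactly the "applied to one domain, forgotten elsewhere" inconsistency. The same pattern extends to any setting you can read into a flat object (Get-ADDomain attributes, fine-grained password policies, GPO reports from Get-GPOReport), but note the limitation the article points out: a script like this only tells you that something changed since the last run, not who changed it or when.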
There are three keys to protecting an organization's Active Directory against configuration drift, and Lepide's Active Directory audit software addresses each of them.
The first requirement for protecting Active Directory against configuration drift is meaningful auditing. Windows is natively capable of extensive auditing, but locating a specific event in the Windows audit logs can be extraordinarily difficult. An organization that wants to monitor Active Directory should use an auditing mechanism that compiles a simple but meaningful list of modifications to Active Directory settings, so that an administrator can easily locate the log entry for any modification and see who made the change and when.
The second requirement is real-time alerting. Given the role Active Directory plays in an organization's overall security, the administrative staff must know when changes are being made. An administrator should never discover an Active Directory modification weeks after it was made. Changes to Active Directory settings should be brought to the administrator's attention in real time, so that the administrator can determine whether or not they were authorized.
The third requirement for guarding Active Directory against configuration drift is a rollback mechanism. Suppose for a moment that someone on the IT staff makes an improper modification to Active Directory. It is better for the administrator to roll the change back than to undo it by hand: rollbacks are less labor intensive than manual modifications and less prone to human error.
Because an organization's entire security infrastructure is often built on Active Directory, it is important to know exactly how Active Directory is configured. A third-party auditing system such as Lepide's Active Directory auditor can help administrators detect changes to Active Directory settings, so that those changes can either be documented or rolled back.
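To show what "who made the change and when" looks like when you dig it out of the native logs yourself, here is an added PowerShell example (not from the original article or from Lepide). Windows records each attribute change to a directory object as Security log event ID 5136 ("A directory service object was modified") once the "Audit Directory Service Changes" subcategory is enabled on the domain controllers and the object carries a matching SACL; the function below reduces such events to a one-line who/what/when record. The function name is this example's own; the event data field names are the ones Windows emits for event 5136, and the sample event at the end is constructed for offline demonstration.

```powershell
# Added example (not from the original article): turn raw 5136 directory
# change audit events into a compact who/what/when list.
# ConvertFrom-DsChangeEvent is this example's own name.

function ConvertFrom-DsChangeEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        # Flatten the <Data Name="...">value</Data> elements into a lookup table.
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # 5136 reports the operation as a resource-string token, not plain text.
        $op = switch ($d.OperationType) {
            '%%14674' { 'Value Added' }
            '%%14675' { 'Value Deleted' }
            default   { $d.OperationType }
        }
        [pscustomobject]@{
            When      = [datetime]$x.Event.System.TimeCreated.SystemTime
            DC        = $x.Event.System.Computer
            Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $d.ObjectDN
            Attribute = $d.AttributeLDAPDisplayName
            Operation = $op
            Value     = $d.AttributeValue
        }
    }
}

# --- Live use: pull the last 24 hours of directory changes from a DC ---
#   Get-WinEvent -ComputerName dc01 -FilterHashtable @{
#       LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-24)
#   } | ForEach-Object { $_.ToXml() } | ConvertFrom-DsChangeEvent |
#       Where-Object { $_.Object -like 'CN=Domain Admins,*' } | Format-Table -AutoSize

# --- Offline demonstration with a constructed 5136 event ---
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>5136</EventID>
    <TimeCreated SystemTime="2024-03-05T14:22:11.000Z" />
    <Computer>dc01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">CN=Domain Admins,CN=Users,DC=corp,DC=example</Data>
    <Data Name="ObjectClass">group</Data>
    <Data Name="AttributeLDAPDisplayName">member</Data>
    <Data Name="AttributeValue">CN=svc-backup,OU=Service Accounts,DC=corp,DC=example</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@

$sampleEvent | ConvertFrom-DsChangeEvent | Format-List
```

The constructed event records CORP\jdoe adding a service account to Domain Admins, and the output carries that as one record: timestamp, domain controller, actor, object, attribute and value. Two caveats a practitioner should keep in mind: event 5136 is only written on the domain controller where the change originated, so the collection has to cover every DC, and the log holds the new value but not the old one, which is why turning these records into a rollback still requires a separate copy of the previous state.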
About Author – Brien Posey is a freelance author, technical speaker and Microsoft MVP.