98% of security threats start with Active Directory. Active Directory literally holds the keys to your kingdom. If the right security principles aren’t set up and you are giving excessive permissions to your users, you are leaving yourself exposed to potential security threats.
Within Active Directory, there are numerous security protocols to choose from to implement a policy of least privilege where you are only granting administrative access to those that genuinely need it.
In this blog, we will go through exactly what security groups in Active Directory are, the difference between distribution groups and security groups, what security groups can be used for, how to create security groups and best practices to use them.
Types of Active Directory Groups
Active Directory groups are split into two categories – Active Directory Security Groups and Active Directory Distribution Groups.
The type of group you need depends on what the group is for. Distribution groups are the simpler of the two: they exist only for one-way notifications (e-mail distribution lists) and cannot be assigned permissions. Security groups are more complex, and they are the ones you use when you want to grant users the ability to access and modify data.
Security teams need to pay far more attention to security groups to ensure that permissions do not sprawl out of control and that the risks to the security of your data are mitigated.
Built-In Active Directory Security Groups
Built-in Active Directory security groups are pre-defined groups created automatically when you set up a domain. They play a crucial role in simplifying access control and managing permissions within your domain. These groups are assigned specific privileges and rights, allowing you to efficiently grant access to resources based on user roles and responsibilities.
Here’s an overview of some key built-in Active Directory security groups:
- Enterprise Admins: The most powerful group, granting full control over the entire forest, including all domains and OUs. Use with extreme caution and restrict membership to a limited number of trusted individuals.
- Domain Admins: Have full control over a single domain, including managing users, groups, computers, and domain controllers. Membership should be limited to domain administrators.
- Schema Admins: Control the Active Directory schema, which defines the structure of objects and attributes. Grant membership only to users who need to modify the schema.
- Built-in Administrators: A powerful group on each domain controller, granting control over the local system. Membership should be restricted to the accounts that genuinely need to administer domain controllers and perform specific administrative tasks.
Other Important Groups
- Account Operators: Can create, modify, and delete user accounts but cannot manage groups or permissions.
- Backup Operators: Can back up and restore files on domain controllers.
- DHCP Users: Granted access to DHCP servers for lease renewal.
- DNSAdmins: Manage DNS servers and records.
- Domain Guests: Have limited access to domain resources, typically used for external users needing basic access.
- Domain Users: The default group for all domain users, granting basic user rights.
Why Should You Use Active Directory Security Groups?
Security groups are vital when it comes to maintaining appropriate access rights to your most sensitive data. The ability to group users into pots to assign levels of permissions is incredibly useful for maintaining a policy of least privilege.
For example, you can use Active Directory security groups to assign high-level permissions to members of the board so that they can submit financial information and KPIs for their colleagues. You can also use security groups to assign lower-level permissions to new joiners.
Active Directory security groups can also be modified via the AD portal, where users can be moved around or removed completely.
How to Create a Security Group in Active Directory
The following steps apply to Windows 10 and to Windows Server 2016. Please note that you are going to need to be a member of the Domain Admins group, or have the correct permissions already applied, to be able to create new groups yourself.
- Open the Active Directory Users and Computers Console.
- Select the container in which you want to store your group (“Users”, for example).
- Click “Action” – “New” – “Group”.
- Name your group using the Group name text box and enter a description.
- Depending on your Active Directory forest infrastructure, choose the correct Group scope: Global or Universal.
- Click “Security” as the Group type and then click “Ok” to create your security group.
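The same group can be created from PowerShell with the ActiveDirectory module. This is an added example, not taken from the original post; the group name, OU path, member accounts and share path are constructed placeholders.

```powershell
Import-Module ActiveDirectory

# Constructed names for this example: adjust to your own OU structure and naming standard
$groupName = 'FinanceReports-RW'
$ouPath    = 'OU=Groups,DC=example,DC=com'

# Create a security-enabled global group: the same Group type / Group scope choices
# the GUI steps above make, plus a description so auditors know what it is for
New-ADGroup -Name $groupName `
            -SamAccountName $groupName `
            -GroupCategory Security `
            -GroupScope Global `
            -Path $ouPath `
            -Description 'Read/write access to the finance reports share'

# Add members by sAMAccountName (constructed accounts)
Add-ADGroupMember -Identity $groupName -Members 'alice', 'bob'

# Verify the group really is a security group (a distribution group cannot carry permissions)
$g = Get-ADGroup -Identity $groupName -Properties Description
if ($g.GroupCategory -ne 'Security') {
    throw "Expected a security group, got $($g.GroupCategory)"
}
Get-ADGroupMember -Identity $groupName | Select-Object SamAccountName, objectClass

# Grant access to the resource through the group, never to individual users,
# so joiners and leavers are handled by changing membership alone
icacls 'D:\FinanceReports' /grant "EXAMPLE\$groupName:(OI)(CI)M"
```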
Best Practices to Use Active Directory Security Groups
Below are some of the key best practices to use AD security groups:
1. Ensure Default Security Groups Do Not Have Elevated Permissions
Whenever an Active Directory domain is set up, a set of default security groups is created. Sometimes these default security groups carry excessive permissions, which can lead to users being granted access to resources and data that they do not need.
Ensure that your users only have access to the data and resources that they need to do their job and nothing more. If domain admin access is required, it should be provided on a temporary basis as and when needed.
The Domain Administrator account is generally only required for setting up the domain and for emergencies, such as disaster recovery. The account should not really be used for any other purpose and the credentials for this account should be stored securely.
One common attack method for Active Directory is to take advantage of the Local Administrator account password. The Local Administrator account is often configured with the same password across domains and the same SID across installations.
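A quick way to check the built-in groups listed earlier against this best practice is to enumerate their effective (nested) membership and look for stale, disabled or simply too many accounts. This is an added example, not the post's own tooling; the output file name is a constructed placeholder and the 90-day staleness threshold is an assumption.

```powershell
Import-Module ActiveDirectory

# Privileged built-in groups discussed above (Enterprise/Schema Admins exist only in the forest root domain)
$privilegedGroups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'DNSAdmins'

$report = foreach ($name in $privilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged accounts are not missed
    $members = Get-ADGroupMember -Identity $name -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $u = if ($m.objectClass -eq 'user') {
            Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
        }
        [pscustomobject]@{
            Group           = $name
            Member          = $m.SamAccountName
            ObjectClass     = $m.objectClass
            Enabled         = $u.Enabled
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
        }
    }
}

# How many accounts hold each privileged role: each one is a candidate for removal or a temporary grant
$report | Group-Object Group | Select-Object Name, Count | Format-Table -AutoSize

# Disabled or stale (assumed: no logon in 90 days) accounts still holding privilege
$report | Where-Object {
    $_.ObjectClass -eq 'user' -and
    ( -not $_.Enabled -or $_.LastLogonDate -lt (Get-Date).AddDays(-90) )
} | Format-Table Group, Member, Enabled, LastLogonDate -AutoSize

# Keep a baseline so the next run can be diffed for unexpected additions
$report | Export-Csv -Path .\privileged-groups-baseline.csv -NoTypeInformation
```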
2. Maintain an Up to Date Active Directory
All the software on your system should be up to date to ensure that known vulnerabilities have been patched. Attackers often take advantage of these known vulnerabilities, so regular patching can help minimize this risk.
3. Maintain a Policy of Least Privilege
As we previously touched on, you need to ensure that your users only have access to the data and resources that they need to do their job. This is known as a policy of least privilege. You should act as though all of your users are potential insider threats. If everyone has elevated privileges, and you suffer a data breach, it can be incredibly difficult to investigate the source.
Insider threats are notoriously tricky to identify and remediate at the best of times. Don’t make it harder for yourself by creating users with excessive permissions.
4. Ensure Passwords Are Strong and Regularly Rotated
It’s a simple point, but it’s worth emphasizing. Passwords for your Active Directory accounts should be held to the strictest standard you can enforce. Best practices suggest using passphrases of three or four different random words. Passphrases are much harder for attackers to guess than complex passwords are.
Where possible, two-factor authentication should be used, and accounts should be locked out if incorrect passwords are entered more than two or three times.
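Both points, a passphrase-length minimum and lockout after three failed attempts, can be enforced domain-wide and then tightened further for the privileged groups with a fine-grained password policy. This is an added example rather than the post's own configuration; the policy name, lengths, durations and the admin account name are assumed values.

```powershell
Import-Module ActiveDirectory

# Show the current domain-wide policy first; weak defaults (no lockout, short minimum) often hide here
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Raise the domain-wide floor: longer minimum and lockout after three incorrect passwords
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -MinPasswordLength 14 -ComplexityEnabled $true `
    -LockoutThreshold 3 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00

# Stricter fine-grained policy for privileged groups; a lower Precedence number wins when several apply
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 3 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00 `
    -MaxPasswordAge 90.00:00:00 -MinPasswordAge 1.00:00:00

# Apply it to the built-in groups rather than to individual accounts
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' `
    -Subjects 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Verify which policy actually wins for a given admin account (constructed account name)
Get-ADUserResultantPasswordPolicy -Identity 'alice.admin'
```

Two-factor authentication is not a password-policy setting and has to be enforced separately (for example through your identity provider or smart-card logon requirements).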
5. Audit Changes to Active Directory Security Groups
Having a proactive and continuous auditing strategy for your Active Directory security groups is possibly the best way to prevent security threats. Most security threats that originate through Active Directory could potentially have been prevented through better visibility into the changes being made.
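The visibility described here starts with the Security log on your domain controllers: Windows records every membership change to a security-enabled group under a small set of event IDs. The script below, an added example and not the product mentioned in this post, pulls the last 24 hours of those events and flags changes to the privileged groups; the domain controller name is a constructed placeholder, and the "Audit Security Group Management" subcategory must already be enabled.

```powershell
# Security-enabled group membership events (added / removed) by group scope
$eventIds = @{
    4728 = 'Member added to security-enabled global group'
    4729 = 'Member removed from security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4733 = 'Member removed from security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4757 = 'Member removed from security-enabled universal group'
}

# Groups whose membership changes should always be reviewed by a person
$watchList = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$dc    = 'DC01'                      # constructed: the domain controller to query
$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($eventIds.Keys)
    StartTime = $since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the named fields out of the event XML: TargetUserName is the group,
    # MemberName the DN of the account changed, SubjectUserName who made the change
    $x    = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Action     = $eventIds[$_.Id]
        Group      = $data['TargetUserName']
        Member     = $data['MemberName']
        ChangedBy  = $data['SubjectUserName']
        Privileged = $watchList -contains $data['TargetUserName']
    }
} | Sort-Object Time | Format-Table -AutoSize

# Anything with Privileged = True is the line to alert on; feed it to your SIEM or ticketing from here
```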
How to Improve the Security of Your Active Directory Security Groups
Many enterprises must deal with joiners, leavers, and movers within their environment. As users change roles, leave the business, or start a new role, their required permissions will be different.
Unfortunately, many enterprises are not communicating effectively enough with the IT and security teams to ensure that permissions and members of security groups are maintained appropriately. In the worst-case scenario, this could potentially lead to insider threats getting their hands on your most sensitive data.
The Lepide Active Directory Auditor will give you the ability to instantly generate a list of users who have been deemed to hold “excessive permissions”, or generate alerts in real time when permissions are changed, so that you can take the required steps to maintain your policy of least privilege.