98% of security threats start with Active Directory.
Active Directory literally holds the keys to your kingdom. If the right security principles aren’t set up and you are giving excessive permissions to your users, you are leaving yourself exposed to potential security threats.
Within Active Directory, there are numerous security protocols to choose from to implement a policy of least privilege where you are only granting administrative access to those that genuinely need it.
In this blog, we will go through exactly what security groups in Active Directory are, the difference between distribution groups and security groups, what security groups can be used for and exactly how to create one.
What Are Active Directory Groups?
Active Directory, in general, is a program that sorts users into various groups. It is a centralized platform that most enterprises use to manage their computer accounts and to grant access to sensitive data.
An Active Directory group is a group of users that have been given access to certain resources. There are two ways that groups can be given this kind of access; through a Globally Unique Identifier (GUID) or a Security Identifier (SID).
SIDs are mostly used when access wants to be given to specific users, whereas GUIDs are used when grouping together users who all need access to the same resources.
Groups can be created based on individual users that all need access to certain resources, or they can be created based on global groups (such as department), or members of a certain domain.
Types of Active Directory Groups
Active Directory groups are split into two categorizations – Active Directory Security Groups and Active Directory Distribution Groups.
The actual type of group you need will depend on the required function of the group. Distribution groups are simpler in that they would be used if only one-way notifications are required from the central controller. Security groups are more complex, and they are applied when you want to enable users to access and modify data.
Security teams need to pay far more attention to security groups to ensure that permissions do not sprawl out of control and that the risks to the security of your data are mitigated.
Why Should You Use Active Directory Security Groups?
Security groups are vital when it comes to maintaining appropriate access rights to your most sensitive data. The ability to group users into pots to assign levels of permissions is incredibly useful for maintaining a policy of least privilege.
For example, you can use Active Directory security groups to assign high level permissions to members of the board so that they can submit financial information and KPIs for their colleagues. You can also use security groups to assign lower level permissions to new joiners.
Active Directory security groups can also be modified via the AD portal, where users can be moved around or removed completely.
How to Create a Security Group in Active Directory
The following steps apply to Windows 10 and to Windows Server 2016. Please note that you are going to need to be a member of the Domain Administrators group, or have the correct permissions already applied, to be able to create new groups yourself.
- Open the Active Directory Users and Computers Console.
- Select the container in which you want to store your group (“Users”, for example).
- Click “Action” – “New” – “Group”
- Name your group using the Group name text box and enter a description.
- Depending on your Active Directory forest infrastructure, choose the correct Group scope: Global or Universal.
- Click “Security” as the Group type and then click “Ok” to create your security group.
How to Improve the Security of Your Active Directory Security Groups
Many enterprises must deal with joiners, leavers, and movers within their environment. As users change roles, leave the business, or start a new role, their required permissions will be different.
Unfortunately, many enterprises are not communicating effectively enough with the IT and security teams to ensure that permissions and members of security groups are maintained appropriately. In the worst-case scenario, this could potentially lead to insider threats getting their hands on your most sensitive data.
The Lepide Active Directory Auditor (part of Lepide Data Security Platform) will give you the ability to instantly generate a list of users who have been deemed to hold “excessive permissions”, or generate alerts in real time when permissions are changed, so that you can take the required steps to maintain your policy of least privilege.
To see the solution in action, schedule a demo with one of our engineers today or download free trial.