98% of security threats start with Active Directory. Active Directory literally holds the keys to your kingdom. If the right security principles aren’t set up and you are giving excessive permissions to your users, you are leaving yourself exposed to potential security threats.
Within Active Directory, there are numerous security controls you can use to implement a policy of least privilege, where administrative access is granted only to those who genuinely need it.
In this blog, we will go through exactly what security groups in Active Directory are, the difference between distribution groups and security groups, what security groups can be used for, how to create security groups and best practices to use them.
What Are Active Directory Groups?
Active Directory is a directory service that organizes users, computers and other objects into groups. It is the centralized platform most enterprises use to manage their user and computer accounts and to grant access to sensitive data.
An Active Directory group is a collection of users that has been given access to certain resources. There are two ways that groups can be given this kind of access: through a Globally Unique Identifier (GUID) or a Security Identifier (SID).
SIDs are mostly used when access is to be granted to specific users, whereas GUIDs are used when grouping together users who all need access to the same resources.
Groups can be created based on individual users that all need access to certain resources, or they can be created based on global groups (such as department), or members of a certain domain.
Types of Active Directory Groups
Active Directory groups are split into two categorizations – Active Directory Security Groups and Active Directory Distribution Groups.
The type of group you need depends on what the group is for. Distribution groups are the simpler of the two: they are used when only one-way notifications (such as email distribution lists) are required. Security groups are more involved, and they are used when you want to grant users access to data and the ability to modify it.
Security teams need to pay far more attention to security groups to ensure that permissions do not sprawl out of control and that the risks to the security of your data are mitigated.
Why Should You Use Active Directory Security Groups?
Security groups are vital when it comes to maintaining appropriate access rights to your most sensitive data. The ability to group users into pots to assign levels of permissions is incredibly useful for maintaining a policy of least privilege.
For example, you can use Active Directory security groups to assign high-level permissions to members of the board so that they can submit financial information and KPIs for their colleagues. You can also use security groups to assign lower-level permissions to new joiners.
Active Directory security groups can also be modified via the AD portal, where users can be moved around or removed completely.
How to Create a Security Group in Active Directory
The following steps apply to Windows 10 and to Windows Server 2016. Please note that you are going to need to be a member of the Domain Administrators group, or have the correct permissions already applied, to be able to create new groups yourself.
- Open the Active Directory Users and Computers Console.
- Select the container in which you want to store your group (“Users”, for example).
- Click “Action” – “New” – “Group”.
- Name your group using the Group name text box and enter a description.
- Depending on your Active Directory forest infrastructure, choose the correct Group scope: Global or Universal.
- Click “Security” as the Group type and then click “OK” to create your security group.
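The same result from PowerShell, as an added example that is not part of the original post: it uses the ActiveDirectory module from RSAT, and the group name, OU path and member account names are placeholders you would replace with your own.

```powershell
# Added example, not from the original post. Creates the same kind of group the
# GUI steps above produce, using the ActiveDirectory module that ships with RSAT.
# Group name, OU path and member names are placeholders; change them for your domain.
Import-Module ActiveDirectory

$GroupName   = 'FinanceReporting-RW'            # placeholder
$OUPath      = 'OU=Groups,DC=example,DC=com'     # placeholder container
$Description = 'Read/write access to the finance reporting share'
$Members     = @('jdoe', 'asmith')               # placeholder sAMAccountNames

# Make the script safe to re-run: only create the group if it does not exist yet.
$existing = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $existing) {
    $params = @{
        Name           = $GroupName
        SamAccountName = $GroupName
        GroupCategory  = 'Security'   # the "Security" group type from the last step
        GroupScope     = 'Global'     # or 'Universal', depending on your forest
        Path           = $OUPath
        Description    = $Description
    }
    New-ADGroup @params
}

# Add members one at a time so a mistyped account name is reported instead of
# silently leaving the group half-populated.
foreach ($m in $Members) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$m'" -ErrorAction SilentlyContinue
    if ($user) {
        Add-ADGroupMember -Identity $GroupName -Members $user
    } else {
        Write-Warning "Account '$m' not found; not added to $GroupName"
    }
}

# Read the group back and confirm category and scope before it is granted any rights.
Get-ADGroup -Identity $GroupName -Properties Description, Members |
    Select-Object Name, GroupCategory, GroupScope, Description,
                  @{ n = 'MemberCount'; e = { @($_.Members).Count } }
```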
Best Practices to Use Active Directory Security Groups
Below are some of the key best practices to use AD security groups:
1. Ensure Default Security Groups Do Not Have Elevated Permissions
Whenever an Active Directory domain is set up, a number of default security groups are created with it. Sometimes, these default security groups will have excessive permissions that may lead to users being granted access to resources and data that they do not need.
Ensure that your users only have access to the data and resources that they need to do their job and nothing more. If domain admin access is required, it should be provided on a temporary basis as and when needed.
The Domain Administrator account is generally only required for setting up the domain and for emergencies, such as disaster recovery. The account should not be used for any other purpose, and its credentials should be stored securely.
One common attack method for Active Directory is to take advantage of the Local Administrator account password. The Local Administrator account is often configured with the same password across domains and the same SID across installations.
2. Maintain an Up to Date Active Directory
All the software on your system should be up to date to ensure that known vulnerabilities have been patched. Attackers often take advantage of these known vulnerabilities, so regular patching can help minimize this risk.
3. Maintain a Policy of Least Privilege
As we previously touched on, you need to ensure that your users only have access to the data and resources that they need to do their job. This is known as a policy of least privilege. You should act as though all of your users are potential insider threats. If everyone has elevated privileges, and you suffer a data breach, it can be incredibly difficult to investigate the source.
Insider threats are notoriously tricky to identify and remediate at the best of times. Don’t make it harder for yourself by creating users with excessive permissions.
4. Ensure Passwords Are Strong and Regularly Rotated
It’s a simple point, but it’s worth emphasizing. Passwords for your Active Directory accounts should be as strong as you can make them. Best practices suggest using passphrases of three or four different random words. Passphrases are much harder for attackers to guess than complex passwords are.
Where possible, two-factor authentication should be used, and accounts should be locked out if incorrect passwords are entered more than two or three times.
5. Audit Changes to Active Directory Security Groups
Having a proactive and continuous auditing strategy for your Active Directory security groups is possibly the best way to prevent security threats. Most security threats that originate through Active Directory could potentially have been prevented through better visibility into the changes being made.
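An added example of what such continuous auditing looks like in practice, covering both this point and best practice 1 (keeping an eye on the default high-privilege groups); this is not code from the original post. It assumes the "Audit Security Group Management" subcategory is enabled on the domain controller, that the account running it can read the Security log, and that the lookback window and privileged-group list are adjusted to your environment.

```powershell
# Added example, not from the original post. Reads security-group membership
# changes from a domain controller's Security log and flags changes to
# high-privilege groups. Assumes the "Audit Security Group Management"
# subcategory is enabled on the DC and the account running it can read that log.
# Lookback window and privileged-group list are assumptions; adjust them.
Import-Module ActiveDirectory
$LookbackHours    = 24
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')

# 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group
# 4729 / 4733 / 4757: member removed from one
$AddIds    = 4728, 4732, 4756
$RemoveIds = 4729, 4733, 4757

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $AddIds + $RemoveIds
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    # EventData order for these IDs: MemberName(0) MemberSid(1) TargetUserName(2)
    # TargetDomainName(3) TargetSid(4) SubjectUserSid(5) SubjectUserName(6) ...
    # Verify on your own DC with $e.ToXml() if a field looks wrong.
    $p = $e.Properties
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Action     = if ($AddIds -contains $e.Id) { 'Added' } else { 'Removed' }
        Member     = $p[0].Value                    # DN of the account affected
        Group      = $p[2].Value                    # group's sAMAccountName
        ChangedBy  = $p[6].Value                    # who made the change
        Privileged = $PrivilegedGroups -contains $p[2].Value
    }
}

# Privileged-group changes first, newest first: each of these should have a
# change request behind it, and an unexpected one is worth investigating immediately.
$changes | Sort-Object Privileged, Time -Descending | Format-Table -AutoSize

# Also snapshot the recursive membership of each privileged group, so a diff
# against yesterday's file catches anything the event-log window missed.
$snapshot = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}
$snapshot | Export-Csv -NoTypeInformation -Path ".\privileged-members-$(Get-Date -Format 'yyyyMMdd').csv"
```

Scheduling this daily and comparing each CSV with the previous one gives you the change visibility the paragraph above describes, without waiting for someone to notice a new member of Domain Admins by accident.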
How to Improve the Security of Your Active Directory Security Groups
Many enterprises must deal with joiners, leavers, and movers within their environment. As users change roles, leave the business, or start a new role, their required permissions will be different.
Unfortunately, many enterprises are not communicating effectively enough with the IT and security teams to ensure that permissions and members of security groups are maintained appropriately. In the worst-case scenario, this could potentially lead to insider threats getting their hands on your most sensitive data.
The Lepide Active Directory Auditor will give you the ability to instantly generate a list of users who have been deemed to hold “excessive permissions”, or generate alerts in real time when permissions are changed, so that you can take the required steps to maintain your policy of least privilege.
To see the solution in action, schedule a demo with one of our engineers today or download a free trial.