An increasing number of enterprises, in line with leading information security advisory bodies around the world are starting to wake up to the fact that to develop and maintain a continuous view of their security posture, a new approach is needed. Regular monitoring. Not just of their devices, applications and data but of the one, most constantly evolving and unpredictable element of the network. Its’ users.
Today, Microsoft’s Active Directory (AD) is the most widely deployed and relied upon tool to provide user authentication and authorisation and therefore represents the keys to the kingdom to all of an enterprise’ network resources.
AD is dynamic in nature. It changes constantly over time and many organisations have been reliant on AD to provide access to sensitive resources for many years. Without regular management of your AD environment, small errors introduced, sometimes a long time ago, can develop and manifest themselves as serious implications relating security, compliance and operations.
Individual AD user accounts may provide access (either directly or via a group membership) to a wide array of devices and information. Accounts often become “orphaned” either by employees leaving the business or were created for temporary staff, contractors or maybe were only ever created for test purposes. Operating procedures should stipulate how these accounts are retired but are frequently overlooked.
As individual accounts embody the basic entity around which security policy is structured, it is common for auditors and custodians of these resources to ask about existing accounts, why and when they were created. It is all too often, an impossible question to answer.
The same is true of user groups. Users obtain group memberships to fulfil a specific function in the environment. However, people’s functions within the enterprise evolve, perhaps moving to another departing meaning a user no longer need to access resources. Group membership should therefore be revoked but experience suggests otherwise. When you add in that group memberships can be inherited, the problem is exacerbated.
Furthermore consider what happens following major restructuring of the AD environment by moving an Organisational Unit (OU) under a new parent OU. This could result in the new parent OU gaining administrative rights on objects within the new child OU. Objects within AD probably have security policies via Group Policy Objects (GPOs) which are applied directly to these OU objects.
Recommended best practice from leading industry experts is periodic security audits to ensure that AD is being properly managed and protected. There are some key areas around which such audits should focus.
When new accounts are created there are several attributes that are useful to know beside the account ID and the Distinguished Name (DN) (the path by which account may be located within the directory tree). One the most important pieces of information is the identity of the person who (or at least the administrative user which) created the new account. Should that user have authority to create new accounts? Was there a valid reason for its creation? These are typical resulting questions.
A clear picture of the time and date accounts were created as well as the server used are important pieces of forensic information in the verification of appropriate use.
The volume of new accounts over time should also be carefully monitored. In particular failed attempts to create new accounts could indicate a potential risk to the business.
Finally, accounts which have not been accessed for a specific length of time may be redundant or orphaned. These orphaned accounts represent a significant security risk and are frequently exploited by attackers to launch an attack. At the very least, an orphaned account represents valid login credentials of a former employee who still has potential access to networked resources.
An individual’s effective rights and permissions within an organisation are dependent on the groups to with they belong. Therefore we must gain a level of appreciation towards their group memberships and inheritance.
As part of an AD audit, groups with high levels of access, such as the Domain Admins group, should be reviewed for their memberships. Additionally, any further periodic changes made to group memberships should be verified via an audit.
To ensure that the AD environment is being well managed and that security policies are being applied correctly, it is highly recommended the OU is audited regularly. This would include any changes made to an OU and report specifically on any GPOs applied or removed.