Don't Let Anyone Bully Your AD Environment

Co-Authored by Matt Nelson

Picture by Trev Grant, covered by CC 2.0

YES! It’s October, and while most of you are using your in-laws’ wardrobe to decorate the front yard for Halloween and scare off (youth) intruders, we thought we’d let you know it is also National Bullying Prevention Month!

Therefore, we have put our product expert, Matt Nelson-Muntz, into an AD attacker's shoes to show you once and for all how not to let anyone bully your Active Directory.

Warning: Not for Ex-Nerds

Lisa: [auditioning people for her newspaper] What kind of journalism experience do you have?

Nelson: I dunno. Making nerds cry?

Lisa: Perfect! You can be our TV critic.

Nelson is the TV critic, and the show he is about to review is called “Your Organization”. You just so happen to be the starring nerd (you are the IT admin, right?). Don’t let bullies make you cry! Have the right auditing solutions in place and use them to pass audits. An auditor's very job is to find the places where your organization is not in compliance. Unlike Nelson, though, the goal is to make sure you DON’T cry. At least not until you get home to your house chores.

Avoid drowning in a pool of your own tears by giving auditors and compliance officers the reports and the data they require. With Enterprise Reporter 2.6 in place, you can quickly and efficiently hand auditors exactly the data they need and produce easy-to-read reports for management and compliance officers.

Trusting Your Admins

Milhouse: [trying out his new 8-Ball] Will I get beat up today?

Ball: "All signs point to yes."

Nelson Muntz: That ball knows everything!

~Nelson punching Milhouse in the head~

~Milhouse knocked unconscious~

Trusting your admins by giving them more access than they really need, which lets them make unwanted, unwarranted and potentially malicious changes to your Active Directory environment, is just like Milhouse asking whether he’s going to get beat up with Nelson around. Milhouse only got knocked unconscious; you might not be so lucky.

How do you fight back?

One way is to have enough lunch money with you, EVERY DAY! Another is to make sure you use a least-privilege delegation model for all privileges inside Active Directory. Your admins need to be able to do their jobs, but not to make changes beyond the scope of their position. Leaving Active Directory open with too much delegation is like asking Nelson for your lunch money back.
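Checking whether the delegation model actually is least-privilege means looking at two things: who ends up in the built-in privileged groups once nesting is flattened, and who holds rights on your OUs beyond the defaults. The PowerShell below is an added example, not Quest's code or part of the original post. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the OU distinguished name is a placeholder to replace with your own, and the list of "default" principals and high-impact rights is my own selection.

```powershell
# Added example: review privileged group membership and OU delegations.
# Assumes the RSAT ActiveDirectory module; the OU below is a placeholder.
Import-Module ActiveDirectory

# Built-in groups whose members effectively own the directory.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators'

function Get-PrivilegedMembers {
    # -Recursive flattens nested groups so members hidden one level down are
    # reported too. Enterprise/Schema Admins exist only in the forest root
    # domain, so the lookup may fail in a child domain; that is reported, not fatal.
    foreach ($group in $PrivilegedGroups) {
        try {
            $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
        } catch {
            Write-Warning "Could not read $group : $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group       = $group
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
            }
        }
    }
}

# Principals present on every OU through the default security descriptor;
# anything else holding Allow rights is a delegation someone configured.
$DefaultPrincipals = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF',
                     'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                     'BUILTIN\Administrators',
                     'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone'
# Rights that amount to full control over the objects underneath the OU.
$HighImpactRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite'

function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The AD: PSDrive is created when the ActiveDirectory module is imported.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object { $_.IdentityReference.Value -notin $DefaultPrincipals -and
                       $_.IdentityReference.Value -notmatch '\\(Domain|Enterprise|Key|Enterprise Key) Admins$' } |
        ForEach-Object {
            $rights = $_.ActiveDirectoryRights.ToString()
            [pscustomobject]@{
                Identity   = $_.IdentityReference.Value
                Rights     = $rights
                Inherited  = $_.IsInherited
                # True when the entry effectively grants full control.
                HighImpact = [bool]($HighImpactRights | Where-Object { $rights -match $_ })
            }
        } | Sort-Object -Property HighImpact, Identity -Descending
}

Get-PrivilegedMembers | Format-Table -AutoSize
Get-OuDelegation -DistinguishedName 'OU=Workstations,DC=example,DC=com' | Format-Table -AutoSize
```

Run it per OU you have delegated, and treat every HighImpact entry as a question: does that helpdesk or provisioning group really need full control, or only the specific property or child-object rights its job requires?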

Auditing Capability is Key

Nelson: Shoplifting is victimless crime. Like punching someone in the dark.

Not having auditing capability for AD is similar to not having surveillance cameras for Toys “R” Us. Did we mention that it was Christmas Eve? Did we mention that Nelson was out shopping? Well sort of shopping…

This means you will be completely unaware when someone makes unwanted or erroneous changes to your environment, or abuses the elevated access that person has. With the majority of breaches originating from internal networks and accounts, you must know everything that happens, in real time, to protect yourself from being breached.

How do you avoid getting punched in the dark or, if the CEO of Toys “R” Us is reading this, having your store emptied, you ask?

Ensure that all activity in Active Directory is being monitored and that you are alerting on major changes by staying current on maintenance and upgrading to Change Auditor 6.9. All organizations have accounts with elevated delegation inside their AD. If misused, these accounts can cause problems ranging from simple but costly mistakes to the complete destruction of your Active Directory.

Elevated Privileges

Nelson to friends in schoolyard: “The thing about huckleberries is that once you have them fresh, you never get back to canned”

~Nelson noticing the school principal overhearing~

Nelson to friends: “Ah…duhm…so anyways, I kicked the guy’s a$$”

Two Lessons Learned Here

1) Only switch to fresh if you never plan to go back to cans.

2) Always assume that just when you thought a bully was innocent, he will kick your ASSet.

Nelson knows he has elevated privileges. He also knows you are never going to sift through event logs to figure out exactly what he’s doing. He believes he has plenty of time to be malicious before you even know.

Keeping audit trails and logs is important, but how often are you going to check them? It is time consuming, and you may not even know what you are looking for. Knowing that wedgies exist is one thing. Knowing when you’re going to get one is another. Alerts tell you the exact minute Nelson did something he wasn’t supposed to do, or when some major change occurred inside your AD.
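The alerting that this section and the one before it call for can also be wired up natively, which makes a useful baseline whether or not a product sits on top. The PowerShell below is an added example, not Quest's or Change Auditor's code: it pulls the last 15 minutes of security-group-management events from every domain controller and raises an alert when a member is added to one of the watched groups. It assumes the ActiveDirectory module, read access to the Security log on each DC (membership in Event Log Readers is enough), and that the "Audit Security Group Management" subcategory is enabled in the DC audit policy; the watched group names, the 15-minute window and the alert delivery hook are assumptions.

```powershell
# Added example: alert on additions to privileged groups from DC Security logs.
# Assumes the ActiveDirectory module, Security-log read rights on each DC, and
# the 'Audit Security Group Management' subcategory enabled in the DC audit policy.
Import-Module ActiveDirectory

$WatchedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
# 4728/4732/4756: member added to a security-enabled global/local/universal group.
$MemberAddedIds = 4728, 4732, 4756
$LookBack = [TimeSpan]::FromMinutes(15)   # run this on a matching schedule

function ConvertFrom-EventData {
    # Read the event's EventData fields by name rather than by positional index,
    # so the parse does not depend on field order differing between event IDs.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-PrivilegedGroupAdditions {
    param([TimeSpan]$Since = $LookBack)
    $start = (Get-Date) - $Since
    # A group change is logged only on the DC that processed it, so every DC is queried.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = $MemberAddedIds; StartTime = $start
        }
        foreach ($e in $events) {
            $f = ConvertFrom-EventData -Event $e
            if ($f['TargetUserName'] -in $WatchedGroups) {
                [pscustomobject]@{
                    Time      = $e.TimeCreated
                    DC        = $dc
                    Group     = $f['TargetUserName']
                    Member    = $f['MemberName']          # DN of the account that was added
                    ChangedBy = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
                    EventId   = $e.Id
                }
            }
        }
    }
}

function Send-Alert {
    param([Parameter(ValueFromPipeline)]$Change)
    process {
        $msg = "[{0:u}] {1} added {2} to {3} (event {4} on {5})" -f `
            $Change.Time, $Change.ChangedBy, $Change.Member, $Change.Group, $Change.EventId, $Change.DC
        Write-Warning $msg
        # Delivery hook (placeholder): Send-MailMessage to the security team,
        # or a webhook into your SIEM or chat tool.
    }
}

Get-PrivilegedGroupAdditions | Send-Alert
```

Schedule it on a management host with the same interval as $LookBack. The same pattern extends to other "major changes" by adding event IDs to the filter; 5136 (directory service object modified) and 5141 (object deleted) are the usual next candidates, and they need the "Audit Directory Service Changes" subcategory plus a SACL on the objects you care about.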

Don't Be Bart

~Bart falling off a tree~

Nelson: Haw-Haw!

Friend to Nelson: He seems seriously injured

Nelson: I said Haw-Haw

Bart has made a career of being a reckless hell-raiser. Don’t be Bart; you couldn’t survive 26 years of it. If you do not have a backup plan for your AD, you might as well call Nelson to stand by, ready to pull the Haw-Haw on you. That would still be better than having to explain to your manager why your AD is down. Even falling off a tree would be better, a very tall one.

No Jokes Here

Losing Active Directory information to an accidental deletion or a malicious attack is no laughing matter! Active Directory is the main authentication platform for most organizations these days, and is needed to log into most on-premises applications as well as Office 365 and many of your cloud-based applications.

You need to be able to recover quickly and efficiently from any and all Active Directory deletions or outages, and Recovery Manager for Active Directory, Forest Edition 8.8 enables just that. The time wasted recreating users and groups, or recovering your entire Active Directory, is painful and can be very costly for your company.

Avoid the pain of manually restoring Active Directory attributes, objects, groups or even the entire directory by keeping your enterprise-ready, quick and easy recovery product up to date, and by having a repeatable and testable disaster recovery plan.
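Whatever product handles full-directory recovery, single deleted objects can be brought back natively once the AD Recycle Bin optional feature is enabled, and testing that path belongs in the repeatable recovery plan just mentioned. The PowerShell below is an added example, not the original post's or Recovery Manager's code: it checks that the feature is on, lists recently deleted objects, and restores a chosen account to its last known parent. It assumes the ActiveDirectory module and rights to read and restore deleted objects; the forest name and account name are placeholders.

```powershell
# Added example: find and restore deleted AD objects with the AD Recycle Bin.
# Assumes the ActiveDirectory module and rights to read/restore deleted objects.
# Forest and account names are placeholders.
Import-Module ActiveDirectory

function Test-AdRecycleBin {
    # EnabledScopes stays empty until the feature has been enabled for the forest.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    [bool]$feature.EnabledScopes
}

if (-not (Test-AdRecycleBin)) {
    Write-Warning 'AD Recycle Bin is not enabled; deleted objects cannot be fully restored.'
    # Enabling is forest-wide and cannot be undone (forest functional level 2008 R2 or later):
    # Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'example.com'
}

function Get-RecentlyDeletedAdObjects {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Deleted objects live under the Deleted Objects container and are only
    # returned with -IncludeDeletedObjects; the container itself is excluded.
    Get-ADObject -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects" -and whenChanged -ge $since' `
        -Properties whenChanged, lastKnownParent, objectClass, sAMAccountName |
        Select-Object Name, objectClass, sAMAccountName, whenChanged, lastKnownParent, ObjectGUID
}

function Restore-DeletedAdAccount {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Days = 7)
    $candidates = @(Get-RecentlyDeletedAdObjects -Days $Days |
                    Where-Object { $_.sAMAccountName -eq $SamAccountName })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one deleted object named $SamAccountName, found $($candidates.Count)."
    }
    $obj = $candidates[0]
    # A restore goes back to lastKnownParent; if that OU was deleted as well,
    # it has to be restored first or this call fails.
    try {
        Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop | Out-Null
    } catch {
        throw "Parent $($obj.lastKnownParent) no longer exists; restore it before $SamAccountName."
    }
    # -Confirm prompts before writing, which is what you want in a live directory.
    Restore-ADObject -Identity $obj.ObjectGUID -Confirm
    # Re-read the object from its restored location as verification.
    Get-ADObject -Identity $obj.ObjectGUID -Properties sAMAccountName |
        Select-Object DistinguishedName, sAMAccountName
}

Get-RecentlyDeletedAdObjects | Format-Table -AutoSize
# Restore-DeletedAdAccount -SamAccountName 'jdoe'   # placeholder account name
```

Recycle Bin restores keep the object's SID, group memberships and attributes, which a recreate-from-scratch never does; that difference is the reason the recovery plan should include a scheduled test that deletes and restores a throwaway account in a lab or non-production OU.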

Learn More: Top 10 Alerts in Change Auditor

About the Author
Alon.Tzeiri
IT security and software - head to toe, 1984 to date, Tel Aviv, Israel to Austin, Texas. With over 9 years of experience in cyber-security software, marketing and business, Alon is the Customer Marketing...