Have you been thankful enough for the Group Policy Object (GPO) lately? Where would your group policy management be without it? Remember what Windows security was like before we had GPOs?
“Back when I was your age,” wheezes the old-timer on your IT staff, “managing Group Policy Objects was a lot tougher. We had to use secedit.exe to configure local group policies. We all thought we’d died and gone to heaven when Windows 2000 finally came along with group policies tied to Active Directory. Yep, you guys just don’t know how easy you have it. We had it a lot harder in those days.”
Image credit: John White | Licensed under: CC BY-SA 3.0 US
GPOs and Abused Access Privileges
Still, GPOs are not a cure-all for maintaining Active Directory security. They save you boatloads of work, but they can also be one of those Active Directory backdoors that you’re always trying to lock. People can access them – sometimes by accident and sometimes on purpose – and change them at will. At greatest risk are the mission-critical group policy objects in your Active Directory, like password policies used across the enterprise, permissions for logging on to sensitive servers and the level of network authentication used by your computers.
That’s a big reason that 55% of security incidents involve internal actors abusing their access privileges, knocking a hole in the security wall you’ve been building. Worse yet, native security logs don’t track changes to GPO settings, so you could go a long time without even knowing there’s a hole in your wall.
Think about your GPO security in layers, like the fences in the photo. Each successive layer is a higher threshold and a stronger defense. With a layered security framework, your administrators can make authorized changes to GPO settings, but at the same time it’s more difficult to make unauthorized changes, either externally or internally.
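One concrete check for the first of those layers is to find out who can actually edit each GPO and when each one last changed. The following PowerShell is an added example, not code from the post or from the white paper; it assumes the RSAT GroupPolicy module, read access to the domain's GPOs, and a placeholder allow-list of expected editors that you would replace with your own.

```powershell
# Added example (not from the post or the white paper): report every principal
# holding edit rights on a GPO that is not in the expected list, with the GPO's
# last modification time, so unexpected editors and recent changes stand out.
Import-Module GroupPolicy

function Get-GpoEditFindings {
    param(
        # Assumption: only these principals should hold edit rights. Placeholder
        # allow-list; CREATOR OWNER appears on default GPO ACLs, so it is included.
        [string[]]$ExpectedEditors = @('Domain Admins', 'Enterprise Admins',
                                       'SYSTEM', 'CREATOR OWNER'),
        # Modifications newer than this many days are flagged for review.
        [int]$RecentDays = 7
    )

    $recentWindow = (Get-Date).AddDays(-$RecentDays)

    foreach ($gpo in Get-GPO -All) {
        # -All returns every ACE on the GPO rather than a single trustee's entry
        foreach ($ace in (Get-GPPermission -Guid $gpo.Id -All)) {
            # Only edit-level rights allow changing settings; read/apply are fine
            $isEdit = $ace.Permission -in @('GpoEdit', 'GpoEditDeleteModifySecurity')
            if (-not $isEdit -or $ace.Denied) { continue }
            if ($ExpectedEditors -contains $ace.Trustee.Name) { continue }

            [pscustomobject]@{
                GPO          = $gpo.DisplayName
                Trustee      = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                Permission   = $ace.Permission
                LastModified = $gpo.ModificationTime
                RecentChange = ($gpo.ModificationTime -gt $recentWindow)
            }
        }
    }
}

# Run the inventory and list findings, unexpected editors grouped by GPO
Get-GpoEditFindings | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Running this on a schedule and diffing the output is a simple way to notice edit rights being granted, or a mission-critical GPO being touched, even though the native security log does not record the setting-level change itself.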
Governing GPOs with a Layered Security Framework – New White Paper
We’ve released a new white paper called Governing GPOs with a Layered Security Framework that describes this model in more detail.
The paper gives an example of how users with sufficient privileges can modify a GPO in ways that compromise network security. It then takes you through these five layers of increasingly tight protection to keep that from happening to your mission-critical GPOs:
Read the paper to see whether a layered framework for AD security would meet your organization’s needs. If you think it makes sense, please share it with your followers.