Can't Touch This! Whitelisting AD Permissions to Mitigate Insider Threats

According to the Verizon 2015 Data Breach Investigations Report, 55% of incidents involved internal actors abusing the access they had been entrusted with.

In another survey, by the Ponemon Institute, 73% of privileged users believe they are empowered to access all the information they can view, and 65% say these same people access sensitive or confidential data out of curiosity.

Abuse of privileges has been prevalent throughout human history, and curiosity is innate to who we are; neither is likely to change.

Image credit: Rich Anderson | Licensed under: CC BY 2.0

Unfortunately for companies entrusting staff, contractors, suppliers or vendors with privileged rights in Active Directory, such as Domain Admins, Enterprise Admins or Account Operators, this abuse of privileges and curiosity can be costly to an organization’s bottom line. According to a 2015 study by the Ponemon Institute and IBM, the average total cost of an intrusion incident has topped $3.8 million.

The Dilemma

How do you grant your IT staff the rights to do their jobs effectively while ensuring their curious hands don’t abuse those entrusted privileges in Active Directory?

Hmmm…. Bad news: you can’t do this natively in AD. If you have an admin who needs Domain Admin rights to perform a critical function in AD, you cannot prevent that admin from doing whatever he or she wants at will. For example, let’s say you have a GPO that prevents Domain Admins from logging on to servers containing credit card information and PII data, and you say to yourself, “hah, this will prevent any curious admins from logging on to those boxes.” Hmmm.. not really. Why? Because as a Domain Admin, that staff member can disable the GPO setting, log on to the server, perform the unauthorized action (accessing credit card and PII data), put the GPO setting back the way it was, and no event will be recorded in the log indicating that the admin changed that GPO setting. Unfortunately, there is nothing you can do about it natively.

Blacklisting Active Directory Permissions

Enter Active Directory permission blacklisting, a feature in Change Auditor for Active Directory. With this functionality, you can prevent curious admins from modifying unauthorized and critical areas of your organization’s AD security, regardless of whether they are Domain Admins. Furthermore, not only is the unauthorized change prevented, a real-time notification is sent to the security staff about the unauthorized attempt, including detailed information on where the change was attempted from, the specific settings that were targeted, and by whom.

  • Fig 1. I configure a whitelist of authorized users who can modify the mission-critical GPO settings. Anybody else (including Domain Admins) is blacklisted from modifying this GPO.

  • Fig 2. Jimmy Smith, a Domain Admin, tries to modify the Deny Logon Locally policy in the mission-critical apps GPO. Because he is not in the authorized (whitelisted) list of people who can make this change, he gets an access denied event (blacklisted) even though he has Domain Admin rights.

  • Fig 3. A real-time alert is sent to security staff to notify them of the unauthorized action that was prevented.
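The three figures describe one rule: an explicit per-GPO whitelist of accounts decides who may change a protected GPO, group membership such as Domain Admins counts for nothing, and every blocked attempt becomes an alert carrying who, from where, and what. The Python below is an added example that models that rule; it is not code from this post or from Change Auditor, and every account, host, GPO name and change record in it is constructed sample data.

```python
"""
Added example: a minimal model of "whitelist beats group membership" for
protected GPOs. Each mission-critical GPO has an explicit set of accounts
allowed to change it; any attempt by anyone else is denied and turned into
an alert, whether or not the actor is a Domain Admin.
All names and records here are constructed, not taken from a real domain.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Hypothetical whitelist: GPO name -> accounts allowed to change it.
# "Domain Admins" deliberately does not appear; membership grants nothing here.
GPO_WHITELIST: Dict[str, Set[str]] = {
    "Mission Critical Apps": {"CORP\\gpo.owner", "CORP\\sec.admin"},
}


@dataclass
class ChangeAttempt:
    actor: str                  # account that attempted the change
    actor_groups: FrozenSet[str]  # actor's groups (reported, never used to authorize)
    origin_host: str            # where the attempt came from
    gpo: str                    # target GPO
    setting: str                # setting the actor tried to change
    new_value: str              # value the actor tried to set


@dataclass
class Decision:
    allowed: bool
    alert: Optional[dict] = None


def evaluate(attempt: ChangeAttempt) -> Decision:
    """Allow a change to a protected GPO only for whitelisted accounts.
    GPOs with no whitelist entry are not protected and are left alone."""
    allowed_accounts = GPO_WHITELIST.get(attempt.gpo)
    if allowed_accounts is None:
        return Decision(allowed=True)
    # Case-insensitive compare, as AD account names are case-insensitive.
    if attempt.actor.lower() in {a.lower() for a in allowed_accounts}:
        return Decision(allowed=True)
    # Denied: build the real-time alert with who / from where / what.
    alert = {
        "severity": "high",
        "actor": attempt.actor,
        "actor_groups": sorted(attempt.actor_groups),
        "origin_host": attempt.origin_host,
        "gpo": attempt.gpo,
        "setting": attempt.setting,
        "attempted_value": attempt.new_value,
        "outcome": "denied (actor not on whitelist)",
    }
    return Decision(allowed=False, alert=alert)


# Constructed sample attempts mirroring Fig. 2 and Fig. 3.
SAMPLE_ATTEMPTS: List[ChangeAttempt] = [
    # A Domain Admin who is not whitelisted: must be denied and alerted.
    ChangeAttempt("CORP\\jimmy.smith", frozenset({"Domain Admins"}), "WKS-JSMITH",
                  "Mission Critical Apps", "Deny log on locally", "(cleared)"),
    # A whitelisted owner with no admin group at all: allowed.
    ChangeAttempt("CORP\\gpo.owner", frozenset({"GPO Owners"}), "MGMT-01",
                  "Mission Critical Apps", "Deny log on locally", "CORP\\Domain Admins"),
    # The same Domain Admin touching an unprotected GPO: not in scope, allowed.
    ChangeAttempt("CORP\\jimmy.smith", frozenset({"Domain Admins"}), "WKS-JSMITH",
                  "Default Domain Policy", "Enforce password history", "24"),
]


def run(attempts: List[ChangeAttempt] = SAMPLE_ATTEMPTS) -> List[dict]:
    """Evaluate every attempt and return the alerts that would be sent."""
    return [d.alert for d in map(evaluate, attempts) if not d.allowed]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only the first sample attempt produces an alert: Jimmy Smith's Domain Admins membership is recorded in the alert for the analyst's benefit but plays no part in the decision, which is exactly the property the figures show.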

To learn more about mitigating Active Directory insider threats, please download our white paper.


Anonymous