In my first post in this series, I explained what Active Directory is and what it’s used for. In the next post, we explored Active Directory management. Now let’s dig into Active Directory security and compliance. What do you need to do to keep your environment secure and compliant?
Assessing your environment
Because AD plays such a critical role in any Microsoft environment, security has to be a top priority. Therefore, one of the most important Active Directory security best practices is to regularly review the state of your Microsoft environment and look for potential security and compliance issues. In particular, you should examine your system configuration settings and compare them to a known good state so you can remediate any unintended drift.
A critical part of this review is Group Policy. We explored Group Policy in the previous post in this series because of its role in AD management. But Group Policy also has profound effects on Active Directory security and compliance. For example, a deliberate or accidental change to a GPO could allow users to insert USB drives that introduce malware into your systems or let them walk out with confidential information. Therefore, you need to make sure that your GPOs work as intended and be able to quickly spot and revert any improper or unauthorized changes to them.
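One practical way to spot GPO drift is to fingerprint each GPO's settings report and compare it with a baseline taken after a verified-good review. The script below is an added example written for this post, not code from the original article or from any vendor; it assumes the GroupPolicy RSAT module is available for the live collection, and the baseline records at the bottom are constructed (GUIDs and hashes are made up) so the comparison itself runs anywhere.

```powershell
# Added example, not part of the original post: fingerprint every GPO's XML settings report
# and compare it with a saved known-good baseline to surface added, removed or changed GPOs.
# Assumes the GroupPolicy RSAT module for live collection; $BaselinePath is a path you choose.

function Get-GpoFingerprint {
    # One object per GPO: display name, GUID, modification time, SHA-256 of its XML settings report.
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($gpo in Get-GPO -All) {
        $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # <ReadTime> changes on every export; strip it so only real setting changes move the hash.
        $xml = $xml -replace '<ReadTime>[^<]*</ReadTime>', ''
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($xml)
        $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
        [pscustomobject]@{
            Name     = $gpo.DisplayName
            Id       = $gpo.Id.Guid
            Modified = $gpo.ModificationTime
            Hash     = [System.BitConverter]::ToString($hash) -replace '-', ''
        }
    }
}

function Compare-GpoBaseline {
    # Report GPOs that were added, removed or changed relative to the baseline list.
    param(
        [Parameter(Mandatory)] [object[]]$Baseline,
        [Parameter(Mandatory)] [object[]]$Current
    )
    $base = @{}; foreach ($b in $Baseline) { $base[$b.Id] = $b }
    $now  = @{}; foreach ($c in $Current)  { $now[$c.Id]  = $c }
    foreach ($id in $now.Keys) {
        if (-not $base.ContainsKey($id)) {
            [pscustomobject]@{ Name = $now[$id].Name; Status = 'Added';   Modified = $now[$id].Modified }
        } elseif ($base[$id].Hash -ne $now[$id].Hash) {
            [pscustomobject]@{ Name = $now[$id].Name; Status = 'Changed'; Modified = $now[$id].Modified }
        }
    }
    foreach ($id in $base.Keys) {
        if (-not $now.ContainsKey($id)) {
            [pscustomobject]@{ Name = $base[$id].Name; Status = 'Removed'; Modified = $base[$id].Modified }
        }
    }
}

# Live use on a domain-joined host with RSAT:
#   Get-GpoFingerprint | Export-Clixml -Path $BaselinePath      # capture the baseline after a verified-good review
#   Compare-GpoBaseline -Baseline (Import-Clixml $BaselinePath) -Current (Get-GpoFingerprint)

# Constructed sample data so the comparison runs offline (GUIDs and hashes are made up):
$baseline = @(
    [pscustomobject]@{ Name='Default Domain Policy';      Id='11111111-1111-1111-1111-111111111111'; Modified=(Get-Date '2024-01-10'); Hash='AAAA' }
    [pscustomobject]@{ Name='Workstation Device Control'; Id='22222222-2222-2222-2222-222222222222'; Modified=(Get-Date '2024-01-10'); Hash='BBBB' }
)
$current = @(
    [pscustomobject]@{ Name='Default Domain Policy';      Id='11111111-1111-1111-1111-111111111111'; Modified=(Get-Date '2024-01-10'); Hash='AAAA' }
    [pscustomobject]@{ Name='Workstation Device Control'; Id='22222222-2222-2222-2222-222222222222'; Modified=(Get-Date '2024-03-02'); Hash='CCCC' }  # removable-storage setting altered
    [pscustomobject]@{ Name='Temp Test GPO';              Id='33333333-3333-3333-3333-333333333333'; Modified=(Get-Date '2024-03-03'); Hash='DDDD' }  # nobody approved this one
)
Compare-GpoBaseline -Baseline $baseline -Current $current | Format-Table -AutoSize
```

Run on the constructed data, the comparison reports Workstation Device Control as Changed and Temp Test GPO as Added; in live use, a Changed row on a GPO with no matching change ticket is the signal to pull the GPO's history and decide whether to roll it back.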
Controlling user and admin permissions
One of the bedrock best practices for IT security is the least-privilege principle: Give each user exactly the access they need to do their job, no more, no less. If you had to manually assign each user permissions to each resource individually — and keep those permissions up to date as users come and go and change roles within the organization — you’d be overwhelmed in no time flat, and your organization would be at high risk of data breaches and compliance failures.
Fortunately, AD offers a better approach: Put users with similar roles (such as all helpdesk admins or all HR staff) into an AD security group and manage them together. When you hire a new salesperson, for instance, you give them access to all the right resources just by adding them to the Sales security group. Similarly, you can give all salespeople access to a new file share just by giving the Sales group access to the share, instead of having to add it to each user one by one. Users can be — and usually are — members of multiple AD groups, such as project-based groups. This approach is not merely convenient for administrators; it improves security by reducing errors in provisioning and minimizing the complexity of the permissions structure, so it’s easier to say with certainty who has access to what.
Of particular concern are Active Directory security groups that grant administrative-level privileges, such as the extremely powerful Enterprise Admins, Domain Admins and Schema Admins groups. Organizations need to tightly control who is in these groups and be alert for any changes to their membership, which could open the door to a data breach or other security incident.
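The membership check the paragraph calls for can be automated: compare the effective (nested) membership of the highest-privilege groups with an approved list, and watch the Security log for the events that record additions to those groups. The script below is an added example for this post, not code from the original article or from any vendor. It assumes the ActiveDirectory RSAT module for the live collection; the approved and current lists at the bottom are constructed, with made-up account names.

```powershell
# Added example, not part of the original post: flag deviations between the effective membership of
# Enterprise Admins, Domain Admins and Schema Admins and an approved list, and pull the Security-log
# events that record additions to such groups. Assumes the ActiveDirectory RSAT module for live use.

$PrivilegedGroups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins'

function Get-PrivilegedMembers {
    # Live collection: effective membership including nested groups, keyed by group name.
    Import-Module ActiveDirectory -ErrorAction Stop
    $result = @{}
    foreach ($g in $PrivilegedGroups) {
        $result[$g] = @(Get-ADGroupMember -Identity $g -Recursive | ForEach-Object { $_.SamAccountName })
    }
    $result
}

function Compare-PrivilegedMembership {
    # One row per deviation: accounts present but not approved, and approved accounts that vanished.
    param(
        [Parameter(Mandatory)] [hashtable]$Approved,   # group name -> approved SamAccountNames
        [Parameter(Mandatory)] [hashtable]$Current     # group name -> current SamAccountNames
    )
    foreach ($g in $Approved.Keys) {
        $ok  = @($Approved[$g])
        $now = @()
        if ($Current.ContainsKey($g)) { $now = @($Current[$g]) }
        foreach ($m in $now) {
            if ($ok -notcontains $m)  { [pscustomobject]@{ Group=$g; Account=$m; Finding='Unapproved member' } }
        }
        foreach ($m in $ok) {
            if ($now -notcontains $m) { [pscustomobject]@{ Group=$g; Account=$m; Finding='Approved member missing' } }
        }
    }
}

function Get-PrivilegedGroupChangeEvents {
    # Security events written when a member is added to a security-enabled global (4728) or
    # universal (4756) group: Domain Admins is global, Enterprise Admins and Schema Admins are universal.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4728,4756; StartTime=(Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match ($PrivilegedGroups -join '|') } |
        Select-Object TimeCreated, Id, @{ n='Summary'; e={ ($_.Message -split "`n")[0].Trim() } }
}

# Constructed sample data so the comparison runs offline (account names are made up):
$approved = @{
    'Enterprise Admins' = @('ea-break-glass')
    'Domain Admins'     = @('da-alice', 'da-bob')
    'Schema Admins'     = @()                                     # kept empty outside schema changes
}
$current = @{
    'Enterprise Admins' = @('ea-break-glass')
    'Domain Admins'     = @('da-alice', 'da-bob', 'svc-backup')   # a service account does not belong here
    'Schema Admins'     = @('da-alice')                           # someone forgot to remove themselves
}
Compare-PrivilegedMembership -Approved $approved -Current $current | Format-Table -AutoSize

# Live use on a domain-joined host with RSAT, run from a scheduled task or monitoring job:
#   Compare-PrivilegedMembership -Approved $approved -Current (Get-PrivilegedMembers)
#   Get-PrivilegedGroupChangeEvents -Hours 24
```

On the constructed data the comparison returns two rows, svc-backup as an unapproved Domain Admins member and da-alice as an unapproved Schema Admins member. Keeping the approved list in version control gives auditors the who-approved-what trail alongside the check's output; the event query runs on a domain controller, since that is where the group-change events are logged.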
Keeping a close eye on user and admin activity
In addition to ensuring that user permissions are assigned correctly and stay that way, you need to monitor what people are actually doing with those permissions. Both regular users and admins can misuse their privileges, either on purpose or by mistake, or attempt to perform unauthorized actions such as reading confidential files. End users in particular are notorious for disregarding Active Directory security best practices, whether out of ignorance, carelessness or expediency; for instance, they might click on phishing emails or email sensitive files to recipients outside the organization. An improper action by admins can have even more dire consequences: It could result in a data breach or downtime, or even damage or destroy an entire Active Directory forest.
Moreover, any user or admin account could be exploited by someone else from inside or outside the organization. Attackers have a wide array of tactics for taking over accounts, from buying credentials on the dark web to harvesting them through social engineering or brute-force attacks. Being able to establish a baseline of what’s normal activity for each account and watch for activity outside that baseline — like a user accessing files they haven’t touched before or logging in at unusual times or from new locations — can help you quickly spot and block security threats.
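The baseline-and-deviation approach described above can be prototyped in a few dozen lines: learn each account's usual logon hours and source hosts from a historical window, then score new logons against that profile. The script below is an added example for this post, not code from the original article or from any vendor; the logon records are constructed (account names, hosts and times are made up) and shaped like the fields a Security event 4624 provides, so the logic runs without a domain.

```powershell
# Added example, not part of the original post: build a per-account baseline of logon hours and
# source hosts from historical logons, then flag new logons that fall outside it.
# The records below are constructed; in live use they would come from Security event 4624 (logon).

function New-LogonBaseline {
    # Baseline per account: the set of hours-of-day and workstations seen during the learning window.
    param([Parameter(Mandatory)] [object[]]$History)
    $baseline = @{}
    foreach ($e in $History) {
        if (-not $baseline.ContainsKey($e.Account)) {
            $baseline[$e.Account] = @{
                Hours = [System.Collections.Generic.HashSet[int]]::new()
                Hosts = [System.Collections.Generic.HashSet[string]]::new()
            }
        }
        [void]$baseline[$e.Account].Hours.Add($e.Time.Hour)
        [void]$baseline[$e.Account].Hosts.Add($e.Workstation)
    }
    $baseline
}

function Find-AnomalousLogon {
    # One row per logon that deviates from the account's baseline, with every reason it tripped.
    param(
        [Parameter(Mandatory)] [hashtable]$Baseline,
        [Parameter(Mandatory)] [object[]]$Events
    )
    foreach ($e in $Events) {
        $reasons = @()
        if (-not $Baseline.ContainsKey($e.Account)) {
            $reasons += 'account never seen in baseline'
        } else {
            $b = $Baseline[$e.Account]
            if (-not $b.Hours.Contains($e.Time.Hour))   { $reasons += "unusual hour $($e.Time.Hour):00" }
            if (-not $b.Hosts.Contains($e.Workstation)) { $reasons += "new host $($e.Workstation)" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Time=$e.Time; Account=$e.Account; Workstation=$e.Workstation; Reasons=($reasons -join '; ') }
        }
    }
}

function New-Logon([string]$Account, [string]$When, [string]$Workstation) {
    # Helper that builds one constructed logon record.
    [pscustomobject]@{ Account=$Account; Time=(Get-Date $When); Workstation=$Workstation }
}

# Constructed learning window: a few days of normal logons for two accounts (names and hosts made up).
$history = @(
    New-Logon 'jdoe'    '2024-03-04 08:05' 'WS-101'
    New-Logon 'jdoe'    '2024-03-05 08:40' 'WS-101'
    New-Logon 'jdoe'    '2024-03-06 09:10' 'WS-101'
    New-Logon 'jdoe'    '2024-03-07 17:30' 'WS-101'
    New-Logon 'mpatel'  '2024-03-04 07:55' 'WS-220'
    New-Logon 'mpatel'  '2024-03-06 08:15' 'LAPTOP-MP'
)
# Constructed new logons to evaluate against the baseline.
$recent = @(
    New-Logon 'jdoe'    '2024-03-18 08:30' 'WS-101'        # normal
    New-Logon 'jdoe'    '2024-03-18 03:10' 'WS-101'        # unusual hour
    New-Logon 'jdoe'    '2024-03-19 09:00' 'FILESRV01'     # new host
    New-Logon 'svc-old' '2024-03-19 02:45' 'DC01'          # account never seen in the baseline
)
$baseline = New-LogonBaseline -History $history
Find-AnomalousLogon -Baseline $baseline -Events $recent | Format-Table -AutoSize
```

The constructed run flags three of the four recent logons (the 03:10 logon, the logon from FILESRV01, and the never-seen svc-old account) and lets the 08:30 logon pass. A production version would learn from weeks rather than days, refresh the baseline on a schedule, and feed the findings to the same alerting path as the privileged-group checks so that a single analyst sees both.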
Investigating and recovering from security incidents
No matter how good your prevention efforts are, though, you will experience security incidents, so you need to be prepared to investigate them quickly and respond appropriately. You need to be able to quickly determine where the breach originated, how it unfolded and exactly what was accessed. Having an enterprise Active Directory backup and recovery strategy, as we discussed in the previous blog post, is essential to getting the business back on its feet.
Many organizations are subject to internal security policies or external regulations, such as GDPR, HIPAA, SOX and PCI-DSS. Taking all the steps outlined above will take you a long way toward compliance, but you need to make sure you actually meet the specific requirements they impose and be able to demonstrate your compliance to auditors. Moreover, many regulations require you to take specific steps to notify regulators and all affected parties in case of a security incident such as a data breach. Much of Active Directory compliance, therefore, comes down to proper reporting, so I'll tackle it in more detail in the last blog post in this series, which covers Active Directory reporting.
If that sounds like a lot to be responsible for, that's because it is. Having the right tools will make all the difference. Quest is the go-to vendor for Active Directory solutions, including solutions for Active Directory security and compliance. Here are the main ones to know about:
- As we saw in the previous post, Active Administrator enables you to manage your Active Directory effectively from a single pane of glass. But it improves security as well as management. In particular, you can strictly manage permissions with approval-based workflows, so you can enforce the least-privilege principle and ensure that accounts are promptly disabled or deleted when their owners leave the organization. You can also stay on top of changes to your GPOs, quickly roll any GPO back to a known good state, and granularly delegate AD administrative tasks to keep admins in their lanes.
- Change Auditor for Active Directory tracks user activity and changes to your AD environment in real time, alerts you to critical changes so you can respond quickly, and provides easy-to-understand reports with all the critical details. You can even protect your most essential AD objects from being changed in the first place. Plus, you can easily generate comprehensive reports that help you achieve and prove compliance with GDPR, SOX, PCI-DSS, HIPAA, FISMA, GLBA and other regulations.
- Change Auditor Threat Detection proactively detects threats by modeling individual user behavior patterns and using that baseline to detect anomalous activity that might indicate malicious insiders or compromised accounts. Specifically, it analyzes user activity using proprietary advanced learning technology, user and entity behavior analytics (UEBA), and sophisticated scoring algorithms to identify the users who pose the highest risk to your organization. As a result, you can block threats ranging from permissions misuse and privilege escalation to malware and brute-force attacks.
- IT Security Search is a Google-like IT search engine that enables you to quickly respond to security incidents and analyze event forensics. Its web-based interface correlates disparate IT data from many sources into a single console to speed troubleshooting, investigation and remediation.
- Enterprise Reporter Suite provides deep visibility into Active Directory, including users, security groups and permissions. Even better, it includes Security Explorer, so you can quickly take action from within the Enterprise Reporter user interface to remove any inappropriate permissions. Security Explorer provides an array of additional security features, such as the ability to quickly grant, revoke, clone, modify and overwrite permissions from a central location. This combination of reporting and remediation facilitates security and compliance, enabling you to stay ahead of security vulnerabilities to prevent breaches. We’ll explore the reporting capabilities of Enterprise Reporter more in the fifth post in this series.