
Geoff Webb

Job title:
senior product marketing manager, Credant Technologies

Areas of expertise:
security, compliance, security process automation, security information, event management

Biography:
Geoff Webb has over 20 years of experience in the tech industry and has provided commentary on security and compliance trends, and written on a number of related topics for such journals and websites as: CIO Update, The Tech Herald, Compliance Authority, Virtual Strategy Magazine, TechBlind, Internetnews.com, e-Finance & Payments, Law & Policy, Dark Reading, BankInfoSecurity.com, Payment News and InfoSecurity.com, among others. As a senior manager of product marketing at Credant Technologies, Webb is responsible for compliance, security management and configuration control solutions. Prior to Credant, Webb held management positions at NetIQ, FutureSoft, SurfControl and JSB. Webb holds a combined bachelor of science degree in computer science and prehistoric archaeology from the University of Liverpool.


Who's On First?

It’s hard not to love Abbott and Costello.

The “Who’s on first” routine has become a staple of Americana even for foreign transplants like me. But if figuring out the identity of who is on second base (no, wait, that’s What on second, right?) is so hard when we’re dealing with a few people, the challenges of managing identity in large enterprises can be just as hard. And, really, nowhere near as funny.

I was recently at Microsoft’s TechEd Conference in New Orleans – always a great opportunity to meet the people who, day to day, keep the IT lights on and the networks humming. Despite my background in security, I spent a lot of time talking about Active Directory (AD) and Group Policy, which is probably not surprising given the type of individuals at the show, and the increasingly high profile that security for Active Directory now has. The most common question I got was – “So, some guy made a change to group policy and now (insert large number of people) can’t get access to their stuff anymore. Anyway, no one would admit to doing it, and I really don’t want to have that happen again. How do I fix that?”

This kind of non-malicious insider incident, in which a simple mistake can cause massive disruption, is exactly the reason why it is so important to get AD security right.

The problem is that even with the best of intentions, a simple mistake with group policy can knock out access for a lot of people, and that can cost equally impressive amounts of money. However, the real challenge comes in figuring out who did what (apologies to Mr. Abbott and Mr. Costello) and then fixing it. Finger pointing and lack of accountability will only make things worse.

So, the question came up again and again:  How do I know when someone has done something bad, and how do I figure out who did it?

It’s a challenge, and as Active Directory becomes the cornerstone of managing identity in so many enterprises, it’s one that has to get solved. Good controls over delegation of privilege can reduce the scope of the problem, but what’s also needed is solid auditing and logging of activity. The best approach is to roll up alerting on unmanaged changes into your security monitoring infrastructure, such as a SIEM tool, simply because it gives you better visibility into what’s going on, better ability to correlate changes with other events, and ultimately, a better chance of figuring out what happened if the worst occurs.

As a simple example, if I see Bill make a change to move a little-used service account into the finance group, it would be good to know if that same account suddenly starts grabbing large amounts of sensitive information. Perhaps something is going on, methinks…
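One way to turn that scenario into a SIEM-style correlation rule, written here as an added example (not code from the original post or from Credant): a group-membership change on a watched group opens a time window for the added account, and a burst of access to a sensitive share inside that window raises an alert that names both the account and the administrator who made the change. The events, names, share path and thresholds are all constructed for the example; the event IDs are loosely modelled on Windows Security log events 4728 (member added to a security-enabled global group) and 4663 (object access).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (invented names and timestamps), loosely modelled
# on Windows Security log fields: 4728 = member added to a global group,
# 4663 = an object (here a file on a share) was accessed.
EVENTS = [
    {"ts": "2010-06-14T09:02:11", "id": 4728, "actor": "bill",
     "member": "svc_reports", "group": "Finance"},
    {"ts": "2010-06-14T09:05:40", "id": 4663, "actor": "svc_reports",
     "object": r"\\fs01\finance\payroll_q2.xlsx"},
    {"ts": "2010-06-14T09:06:02", "id": 4663, "actor": "svc_reports",
     "object": r"\\fs01\finance\ar_ledger.csv"},
    {"ts": "2010-06-14T09:06:15", "id": 4663, "actor": "svc_reports",
     "object": r"\\fs01\finance\vendor_bank_details.xlsx"},
    {"ts": "2010-06-14T09:40:00", "id": 4663, "actor": "alice",
     "object": r"\\fs01\finance\budget.xlsx"},
]

SENSITIVE_GROUPS = {"Finance"}         # assumption: groups worth watching
SENSITIVE_PREFIX = r"\\fs01\finance"   # assumption: share holding sensitive data
WINDOW = timedelta(hours=24)           # how long after the change we keep watching
THRESHOLD = 3                          # accesses inside the window that trigger an alert

def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Link a watched-group membership change (and who made it) to a burst of
    sensitive-share access by the newly added member. Returns a list of alerts."""
    watch = {}                 # member -> (change event, end of watch window)
    hits = defaultdict(list)   # member -> access events seen inside its window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4728 and ev["group"] in SENSITIVE_GROUPS:
            watch[ev["member"]] = (ev, ts + window)
        elif ev["id"] == 4663 and ev["actor"] in watch:
            change, until = watch[ev["actor"]]
            if ts <= until and ev["object"].startswith(SENSITIVE_PREFIX):
                hits[ev["actor"]].append(ev)
                if len(hits[ev["actor"]]) == threshold:   # fire once per window
                    alerts.append({
                        "member": ev["actor"], "changed_by": change["actor"],
                        "group": change["group"], "change_at": change["ts"],
                        "objects": [h["object"] for h in hits[ev["actor"]]],
                    })
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT: {a['changed_by']} added {a['member']} to {a['group']} at "
              f"{a['change_at']}; {len(a['objects'])} sensitive reads followed")
```

In a real deployment the same rule would run over the Directory Service and file-server audit logs the SIEM already collects, with the group list and share paths taken from your own environment.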

For more thoughts on that, let me direct you to the blog of Erin Avery, who also attended TechEd and who generally gets into a lot of conversations around Active Directory, and especially the problems of provisioning and de-provisioning users in a secure way.

Getting management of users and their access rights under control is one of the most fundamental building blocks of good security. It applies equally to the people who manage them too, however. Simply saying “Well, just hire people you trust” (yes, we really did hear that from someone who shall remain nameless) isn’t going to be a strategy that keeps you out of the headlines.

Active Directory is a great place to manage identities, but frankly, it’s going to need a little help to make sure that, in the end, your security doesn’t end up looking like something from, well, Abbott and Costello.

Posted 18/06/2010 by Geoff Webb

Tagged under: Security, Active Directory, Group Policy
