Extending Microsoft Active Directory


Microsoft Active Directory is a directory service built into the Windows Server operating systems, with a cloud counterpart on Windows Azure (Microsoft’s platform-as-a-service/PaaS offering). The directory stores information about the objects that are active within a given Windows domain, such as users, computers, printers, network devices and servers, together with their attributes.

Because it stores user data, Active Directory has come to sit at the heart of many organizations' identity and access management (IAM) systems; Quocirca research shows that 68% of European enterprises say Active Directory is the primary source of identity for employees (Digital identities and the open business, Feb 2013, sponsored by CA Inc.).

Active Directory helps with the management of users, allowing them to be organized into organizational units and collected into security groups, and it exposes the LDAP (Lightweight Directory Access Protocol) standard, allowing easy integration with other tools and applications. This enables developers to use Active Directory’s centralized groups and policies to build access controls into their applications.

Active Directory’s dominance has arisen simply because most organizations make extensive use of Microsoft Windows servers and desktops. Why wouldn’t you use it, unless your organization is a Microsoft-free environment? However, Active Directory is by no means a full identity and access management system, so most organizations extend its use with other tools.

The need for improved identity and access management has become more and more pressing, as many have come to consider identity one of the most important security controls for IT access now that the traditional physical boundaries around IT systems have dissolved (see Quocirca report The identity perimeter, Sept 2012, sponsored by Ping Identity).

Active Directory provides basic user security: it checks a supplied credential (typically a password) against the stored user account and then opens up access to resources. Establishing that the person presenting the credential is really its owner is another matter; for this, organizations need to turn to stronger authentication techniques, such as multi-factor authentication, to ensure a user really is who they say they are.

Many also see the need to apply further restrictions on what users can do once authenticated. One product that can be used to extend Active Directory in this way is UserLock from IS Decisions. UserLock permits, denies or limits access based on a range of criteria; for example, preventing concurrent logins via a single identity (making it harder for users to share credentials), limiting access to certain device types (helping control use of personally owned devices) and limiting network access methods (think Wi-Fi controls). UserLock also monitors all Active Directory sessions in real time, providing a flow of information for other IT security tools and a log of access information for audit and forensics.
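To make the concurrent-login control concrete, here is an added example (not code from the article or from UserLock) that replays a constructed feed of Windows Security log fields and flags an identity that has an interactive session open on more than one host at the same time. It assumes the fields have already been extracted from event 4624 (logon) and 4634/4647 (logoff) records into pipe-separated lines; the user names, hosts and logon IDs are all made up.

```python
"""Detect concurrent interactive logons for one identity across hosts.

Added example, not code from the article or from UserLock. Input is a constructed,
pre-extracted feed of Windows Security log fields (event 4624 = logon, 4634/4647 =
logoff); a real pipeline would pull these from EVTX/XML via a log collector.
"""
from collections import defaultdict

# Logon types that represent a user session on a host: 2 = Interactive (console),
# 10 = RemoteInteractive (RDP), 11 = CachedInteractive. Type 3 (Network, e.g. file
# shares) is excluded: it fires constantly and is not a "session" in this sense.
SESSION_LOGON_TYPES = {"2", "10", "11"}

# Constructed sample: time|event_id|TargetUserName|TargetLogonId|LogonType|host
SAMPLE_EVENTS = """\
2014-01-15T09:00:00|4624|alice|0x1a2b|2|WS-ALICE
2014-01-15T09:05:00|4624|alice|0x3f00|3|FILESRV01
2014-01-15T09:10:00|4624|alice|0x1b00|10|TS01
2014-01-15T09:30:00|4634|alice|0x1a2b|2|WS-ALICE
2014-01-15T09:40:00|4624|bob|0x2000|2|WS-BOB
2014-01-15T09:45:00|4624|bob|0x2001|2|WS-BOB
2014-01-15T10:00:00|4624|alice|0x1c00|2|WS-ALICE
"""


def parse_events(text):
    """Parse the pipe-separated feed into dicts; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        time, event_id, user, logon_id, logon_type, host = line.split("|")
        events.append({"time": time, "event_id": event_id, "user": user.lower(),
                       "logon_id": logon_id, "logon_type": logon_type, "host": host})
    return events


def detect_concurrent_sessions(events):
    """Return (alerts, open_sessions).

    alerts: (time, user, new_host, hosts_already_active) for every session logon
    while the same user is still logged on interactively somewhere else.
    open_sessions: user -> hosts with a session still open after the last event.
    """
    # user -> {(host, logon_id): host}. Logon IDs are only unique per host (they
    # restart on reboot), so the key must include the host that logged the event.
    active = defaultdict(dict)
    alerts = []
    for e in events:
        key = (e["host"], e["logon_id"])
        if e["event_id"] == "4624":
            if e["logon_type"] not in SESSION_LOGON_TYPES:
                continue
            elsewhere = sorted({h for h in active[e["user"]].values() if h != e["host"]})
            if elsewhere:
                alerts.append((e["time"], e["user"], e["host"], elsewhere))
            active[e["user"]][key] = e["host"]
        elif e["event_id"] in ("4634", "4647"):
            active[e["user"]].pop(key, None)
    open_sessions = {u: sorted(set(s.values())) for u, s in active.items() if s}
    return alerts, open_sessions


if __name__ == "__main__":
    found, still_open = detect_concurrent_sessions(parse_events(SAMPLE_EVENTS))
    for a in found:
        print("ALERT %s: %s logged on at %s while still active on %s" % a)
    print("open sessions:", still_open)
```

Two practical caveats: 4624 and 4634 are written on the machine where the logon happens, not on the domain controller, so this only works on top of centralized collection from every workstation and server; and a second logon on the same host (bob above, e.g. unlocking the console) is deliberately not treated as credential sharing.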

Another product that builds on Active Directory is Courion Access Insight. It links granular policies around access rights to identities. However, it goes further than this, helping to identify orphan accounts (those not associated with a known active user), excessive access rights and the over-granting of privileges. Access Insight also provides reporting capabilities that specifically help minimize access-related risk and enable compliance reporting.
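The two ideas above, using Active Directory group membership to build access controls into an application and reviewing the directory for orphan and over-privileged accounts, share one mechanism: nested group membership must be expanded before either question can be answered correctly. The following added example (not code from the article, Microsoft or Courion) shows both over a constructed in-memory snapshot of the attributes an LDAP search would return; the domain, group names, users, HR roster and the allow-list of approved Domain Admins are all assumed.

```python
"""Group-based authorization and access review over an AD-style directory snapshot.

Added example, not code from the article, Microsoft or Courion. The directory
below is a constructed, in-memory stand-in for the attributes an LDAP search of
Active Directory would return (memberOf, userAccountControl, lastLogonTimestamp);
no live domain is contacted, and the HR roster and the list of approved Domain
Admins are assumed inputs an organization would supply.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2014, 1, 15, tzinfo=timezone.utc)   # fixed "today" so results are deterministic
STALE_AFTER = timedelta(days=90)
UAC_ACCOUNTDISABLE = 0x0002                          # userAccountControl bit: account is disabled
UAC_NORMAL_ACCOUNT = 0x0200

DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
FIN_ADMINS = "CN=Finance-Admins,OU=Groups,DC=corp,DC=example"
FIN_READERS = "CN=Finance-Readers,OU=Groups,DC=corp,DC=example"

# group DN -> the group's own memberOf attribute (groups it is nested in)
GROUPS = {
    DOMAIN_ADMINS: [],
    FIN_ADMINS: [DOMAIN_ADMINS],   # nesting: every Finance-Admin is silently a Domain Admin
    FIN_READERS: [],
}


def _user(groups, uac, days_since_logon):
    return {"memberOf": groups, "userAccountControl": uac,
            "lastLogonTimestamp": NOW - timedelta(days=days_since_logon)}


# sAMAccountName -> attributes (constructed)
USERS = {
    "alice": _user([FIN_ADMINS], UAC_NORMAL_ACCOUNT, 1),
    "bob":   _user([FIN_READERS], UAC_NORMAL_ACCOUNT, 3),
    "carol": _user([FIN_READERS], UAC_NORMAL_ACCOUNT, 200),   # left the company, never disabled
    "dave":  _user([FIN_ADMINS], UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE, 400),
    "erin":  _user([FIN_ADMINS], UAC_NORMAL_ACCOUNT, 2),      # employed, but not meant to be a Domain Admin
}
HR_ROSTER = {"alice", "bob", "dave", "erin"}   # assumed feed of current employees
APPROVED_DOMAIN_ADMINS = {"alice"}             # assumed allow-list for the privileged group


def transitive_groups(direct, groups=GROUPS):
    """Expand a memberOf list through nested groups; cycles are tolerated."""
    seen, stack = set(), list(direct)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(groups.get(g, []))
    return seen


def is_enabled(u):
    return not (u["userAccountControl"] & UAC_ACCOUNTDISABLE)


def is_authorized(sam, required_group, users=USERS, groups=GROUPS):
    """Application-side check: account exists, is enabled, and is in the group (directly or nested)."""
    u = users.get(sam.lower())
    if u is None or not is_enabled(u):
        return False
    return required_group in transitive_groups(u["memberOf"], groups)


def review_access(users=USERS, groups=GROUPS, roster=HR_ROSTER,
                  approved=APPROVED_DOMAIN_ADMINS, now=NOW):
    """Flag orphan, stale and over-privileged enabled accounts; disabled ones are skipped."""
    findings = {"orphan": [], "stale": [], "over_privileged": []}
    for sam, u in sorted(users.items()):
        if not is_enabled(u):
            continue
        if sam not in roster:
            findings["orphan"].append(sam)
        if now - u["lastLogonTimestamp"] > STALE_AFTER:
            findings["stale"].append(sam)
        if DOMAIN_ADMINS in transitive_groups(u["memberOf"], groups) and sam not in approved:
            findings["over_privileged"].append(sam)
    return findings


if __name__ == "__main__":
    print("bob may read finance data:", is_authorized("bob", FIN_READERS))
    print("alice is (transitively) a Domain Admin:", is_authorized("alice", DOMAIN_ADMINS))
    print(review_access())
```

Note that erin only appears as over-privileged because the nesting is expanded; a review that reads direct memberOf alone would miss it. Also treat lastLogonTimestamp as accurate to roughly two weeks, since Active Directory only updates and replicates it when the stored value is more than about 9 to 14 days old.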

UserLock and Access Insight, like many such tools, are used to extend controls within a purely Microsoft Windows environment. What if you want to extend the use of Active Directory beyond Windows?

Tools such as Quest Authentication Services (owned by Dell) and Centrify DirectControl allow the user details stored in Active Directory to be used in non-Windows environments, including Linux, UNIX and Mac OS. These tools can also be used for single sign-on (SSO), where they are joined by other vendors in a burgeoning market for access control. These now include easy-to-provision cloud-based SSO services such as Ping Identity’s PingOne, as well as CA Inc.’s SiteMinder.

While some want to extend Active Directory to other environments, others want to federate alternative sources of identity with Active Directory; Ping Identity and CA Inc. both enable this. Such federation is becoming even more necessary as more and more organizations open up their IT systems to external users. Quocirca’s Digital identities and the open business report shows that customer and partner directories, membership lists of professional bodies, government databases and social media (especially for interacting with consumers) are all sources of identity being federated with Active Directory.

In fact, real-time identity management has become such a large-scale data management challenge that a need has arisen for high-speed middleware that processes identities in real time. This need is served by vendors like Radiant Logic, whose Hadoop-based RadiantOne product sits between identity sources such as Active Directory and identity consumers such as the SSO tools described earlier; Radiant Logic also enables federated identity management.

Knowing who your users are and managing their access rights is central to effective IT security. Active Directory is just the starting point for most organizations when it comes to identity management and to controlling and recording what users can do. Few organizations have plans to replace Active Directory, but more and more will be extending its use with supplementary tools in 2014 and beyond.
