Passivity may risk Security and Reliability of your Active Directory

We all read news of network breaches every day, yet somehow assume it cannot happen to our own network. A few have actually worked on improving their network security; the rest probably assume they are safe out of sheer indifference.

How far has your network security initiative come? If a breach happened today, how prepared are you to deal with it? Can you say for certain that it won't happen? You cannot. Nobody can. But you can certainly prepare your network to deal with any eventuality.

Setting up an Active Directory network is routine work for a network administrator, but a few practical, real-world tips are always welcome, and the ones below will improve your network's security.

Network asset enumeration: Knowing what is on your network is the first step towards securing it. In earlier days I used to recommend documenting everything by hand, but nobody wants to make an epic out of the AD configuration.

These days most of this can be done automatically. First, get asset management software; it should list everything on the network, including the domain controllers and their names, OS versions, anti-virus software, backup software and so on. Second, document your Active Directory configuration: forest layout, domain configuration, OU structure, trust relationships, site topology and the remaining settings should all be recorded, and the record should be regenerated from the directory itself rather than maintained by hand, so that it does not drift from reality.
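The configuration record described above can be generated directly from the directory. The following script is an added example, not code from the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the account running it can read the domain, and that C:\ADInventory is a writable output folder.

```powershell
# Added example: dump the AD configuration to CSV files for the asset register.
# Assumptions: ActiveDirectory module present, read access to the domain, C:\ADInventory writable.
Import-Module ActiveDirectory

$out = 'C:\ADInventory'
New-Item -ItemType Directory -Path $out -Force | Out-Null

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest layout: functional level, forest-wide FSMO roles, member domains, global catalogs
[pscustomobject]@{
    Forest         = $forest.Name
    ForestMode     = $forest.ForestMode
    SchemaMaster   = $forest.SchemaMaster
    DomainNaming   = $forest.DomainNamingMaster
    Domains        = ($forest.Domains -join ';')
    GlobalCatalogs = ($forest.GlobalCatalogs -join ';')
    UpnSuffixes    = ($forest.UPNSuffixes -join ';')
} | Export-Csv "$out\forest.csv" -NoTypeInformation

# Domain configuration: functional level and domain-wide FSMO roles
[pscustomobject]@{
    Domain      = $domain.DNSRoot
    DomainMode  = $domain.DomainMode
    PdcEmulator = $domain.PDCEmulator
    RidMaster   = $domain.RIDMaster
    InfraMaster = $domain.InfrastructureMaster
} | Export-Csv "$out\domain.csv" -NoTypeInformation

# Domain controllers: name, address, site, OS version, GC and RODC roles
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, OperatingSystem,
                  OperatingSystemVersion, IsGlobalCatalog, IsReadOnly |
    Export-Csv "$out\domain-controllers.csv" -NoTypeInformation

# OU structure, sorted by DN so parents precede children
Get-ADOrganizationalUnit -Filter * -Properties Description |
    Select-Object Name, DistinguishedName, Description |
    Sort-Object DistinguishedName |
    Export-Csv "$out\ous.csv" -NoTypeInformation

# Trust relationships: direction, type, transitivity, selective authentication
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication |
    Export-Csv "$out\trusts.csv" -NoTypeInformation

# Site topology: sites, subnets and site links with cost and replication interval
Get-ADReplicationSite -Filter * |
    Select-Object Name, DistinguishedName |
    Export-Csv "$out\sites.csv" -NoTypeInformation
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, Site |
    Export-Csv "$out\subnets.csv" -NoTypeInformation
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{ n = 'Sites'; e = { $_.SitesIncluded -join ';' } } |
    Export-Csv "$out\sitelinks.csv" -NoTypeInformation

# Member computers with OS version and last logon; AV and backup agent versions
# come from the asset management tool, which this list can be reconciled against.
Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Export-Csv "$out\computers.csv" -NoTypeInformation
```

Run it on a schedule and keep the output under version control: a diff between two runs is the quickest way to spot a trust, site link or domain controller that appeared without a change record.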

Too many cooks spoil the broth: How large should a privileged group be? I have known companies with up to 500 accounts in the built-in administrator groups. One thing we all agree on is that too many accounts in a privileged group are a threat: some of them will be obsolete, some will not change their passwords as often as required, and others will have a password-never-expires setting.

Some privileged accounts are service accounts, which are usually given a non-expiring password, and that is a security risk in itself. If changing service account passwords by hand seems archaic, try the Managed Service Accounts feature introduced in Windows Server 2008 R2 (extended to group Managed Service Accounts, usable from more than one host, in Windows Server 2012), where the domain rotates the password automatically, every 30 days by default.
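The two points above, oversized privileged groups and service accounts with never-expiring passwords, can be checked with one report. This is an added example, not the article's own code; the list of groups, the 90-day staleness threshold, the service account name svc-app01 and the host APP01 are assumptions to adapt.

```powershell
# Added example: who really sits in the privileged groups, and which of them are a liability.
# Assumptions: ActiveDirectory module present; $privGroups and the 90-day threshold are policy choices.
Import-Module ActiveDirectory

$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$staleAfter = (Get-Date).AddDays(-90)    # no logon in 90 days counts as obsolete here
$pwTooOld   = (Get-Date).AddDays(-365)   # a privileged password older than a year is overdue

$report = foreach ($g in $privGroups) {
    # -Recursive expands nested groups, so indirect routes into the group are counted too
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled |
        ForEach-Object {
            [pscustomobject]@{
                Group                = $g
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordLastSet      = $_.PasswordLastSet
                LastLogonDate        = $_.LastLogonDate
                Stale                = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $staleAfter)
                PasswordOverdue      = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $pwTooOld)
            }
        }
}

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
"Privileged memberships (user objects): $(@($report).Count)"
"Never-expiring passwords:              $(@($report | Where-Object PasswordNeverExpires).Count)"
"Stale (no logon in 90 days):           $(@($report | Where-Object Stale).Count)"
"Password older than a year:            $(@($report | Where-Object PasswordOverdue).Count)"

# Replacing a never-expiring service account password with a group Managed Service Account.
# AD rotates the password itself (30 days by default) and only the listed hosts can fetch it.
# Assumptions: the KDS root key already exists in the forest; APP01 is the host running the service.
New-ADServiceAccount -Name 'svc-app01' -DNSHostName 'svc-app01.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP01$'
# Then, on APP01 itself, bind the account to the host so the service can use it:
#   Install-ADServiceAccount -Identity 'svc-app01'
```

Accounts that the report marks as stale or disabled should leave the group, not merely be disabled in place: a disabled member of Domain Admins is still one re-enable away from full control.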

Segregating administrative functions from operational functions: Grapes and green peas may look alike, but they are not the same thing. Separate administrative tasks from routine operational tasks.

Administrative privileges are sometimes granted to do ordinary operational work; one common example is giving administrator rights to the person who monitors the health of the server on which a DC runs. Avoid this. A clear line between administrative and operational tasks gives each person a distinct set of duties and removes the standing privilege that a compromised or careless monitoring account would otherwise carry.

One person, one account: "Some administrative tasks are performed regularly, and for that we have an account that is shared by the two junior helpdesk staff." Some of you will recognise the situation. Avoid it: a shared account cannot be traced back to a person in the audit log. Every employee should have their own administrative account, separate from their daily account, grouped according to the privileges it carries and kept in one OU on which the required rights can be assigned.

Use a dedicated console server for administration: Admins running core Active Directory services should work from a dedicated administrative host rather than from their desktop, where the credentials they type can be captured by anything else running there. An isolated, hardened terminal is always preferable to a personal computer for this work.
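The three preceding points (separating operational from administrative rights, one admin account per person, and a dedicated admin console) can be implemented together. The script below is an added example, not the article's own; the OU name, the tier group names, the users jsmith and jdoe, the "adm-" prefix and the console host ADMCON01 are all assumptions.

```powershell
# Added example: per-person admin accounts in their own OU, tiered groups, logon restricted
# to the admin console, and operational rights granted without administrator membership.
# Assumptions: ActiveDirectory module present; names below are placeholders.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# 1. One OU for all admin accounts, so delegation and Group Policy can target them as a unit.
$adminOU = "OU=Admin Accounts,$domainDN"
try   { Get-ADOrganizationalUnit -Identity $adminOU -ErrorAction Stop | Out-Null }
catch { New-ADOrganizationalUnit -Name 'Admin Accounts' -Path $domainDN }

# 2. Tier groups: membership, not per-server ACLs, is what gets reviewed.
foreach ($grp in 'Tier0-DomainAdmins', 'Tier1-ServerAdmins', 'Tier2-Helpdesk') {
    if (-not (Get-ADGroup -Filter "Name -eq '$grp'")) {
        New-ADGroup -Name $grp -GroupScope Global -GroupCategory Security -Path $adminOU
    }
}

# 3. One admin account per person, distinct from the daily account the person reads mail with.
function New-PersonalAdminAccount {
    param(
        [Parameter(Mandatory)][string]$Person,      # SamAccountName of the daily account
        [Parameter(Mandatory)][string]$Tier,        # tier group the admin account joins
        [Parameter(Mandatory)][string]$ConsoleHost  # the only host this account may log on to
    )
    $daily = Get-ADUser -Identity $Person
    $sam   = "adm-$Person"
    $pw    = Read-Host -AsSecureString -Prompt "Initial password for $sam"
    New-ADUser -Name $sam -SamAccountName $sam -GivenName $daily.GivenName -Surname $daily.Surname `
        -Path $adminOU -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true `
        -Description "Admin account of $Person ($Tier)"
    Add-ADGroupMember -Identity $Tier -Members $sam
    # Interactive logon only from the dedicated console: on any other machine the account is useless
    # to whoever captures it.
    Set-ADUser -Identity $sam -LogonWorkstations $ConsoleHost
    # Protected Users (Windows Server 2012 R2 and later) disables NTLM, weak Kerberos ciphers,
    # delegation and cached credentials for the member.
    Add-ADGroupMember -Identity 'Protected Users' -Members $sam
}

New-PersonalAdminAccount -Person 'jsmith' -Tier 'Tier1-ServerAdmins' -ConsoleHost 'ADMCON01'

# 4. Operational work gets operational rights. Someone watching a DC's health needs to read the
#    event logs and performance counters; the built-in groups grant exactly that and nothing more.
Add-ADGroupMember -Identity 'Event Log Readers'         -Members 'jdoe'
Add-ADGroupMember -Identity 'Performance Monitor Users' -Members 'jdoe'
```

The LogonWorkstations restriction governs interactive logon only; pair it with a Group Policy on ADMCON01 that denies the daily accounts logon there, so that the admin account and the mailbox account never meet on the same keyboard.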

Adding smart card or biometric authentication to Active Directory: If you have not done so yet, it is time to replace password-only logon with a stronger credential, such as a smart card (which Active Directory supports natively) or a biometric factor. A credential that cannot be guessed, reused or phished removes much of the risk from insiders and outsiders who rely on stolen passwords, and it cuts the volume of password-reset calls to the helpdesk. It does not by itself solve insider threats, so the privilege and auditing controls still apply.
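For privileged accounts the smart card requirement can be enforced per account rather than left to the user. This is an added example, not the article's code; it assumes an enterprise PKI that issues smart card logon certificates is already in place and checks the Domain Admins group by way of illustration.

```powershell
# Added example: find privileged accounts that can still log on with a password alone,
# then require a smart card for them. Assumption: smart card logon certificates are already issued.
Import-Module ActiveDirectory

$noCard = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties SmartcardLogonRequired |
    Where-Object { -not $_.SmartcardLogonRequired }

"Domain Admins still allowed password logon: $(@($noCard).Count)"
$noCard | Select-Object SamAccountName, SmartcardLogonRequired

# Setting the flag also makes the DC assign the account a random password, so whatever password
# the user knew (or an attacker had already stolen) stops working from this point on.
$noCard | Set-ADUser -SmartcardLogonRequired $true
```

Do this only after the person has enrolled and tested their card on the admin console; the flag takes effect immediately and there is no password to fall back on.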

Focus on auditing: Auditing is an essential part of Active Directory security. Enable it through Group Policy, at least on the domain controllers and preferably domain-wide, and make sure that every system on the network is audited and that all important events are tracked. Without this, those investigating after a disaster are often seen barking up the wrong tree.

Know where to look for logs when disaster strikes, and keep a centralized log repository so that an investigation does not depend on logs that survive on the compromised host. An automatic, real-time alerting system for critical events completes the picture.
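The audit settings that matter for AD, and an alert built on them, look like the following. This is an added example, not the article's own; the Windows event IDs are the real ones, while the mail addresses and SMTP host are assumptions. In production the auditpol settings belong in a GPO linked to the Domain Controllers OU; the commands show which subcategories are involved.

```powershell
# Added example: enable the relevant audit subcategories on a DC and alert on changes to
# privileged groups. Assumptions: run on a DC; mail recipient and SMTP host are placeholders.

# 1. Advanced audit policy. Apply via GPO in production; these are the subcategories to set.
auditpol /set /subcategory:"Security Group Management"  /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management"    /success:enable /failure:enable
auditpol /set /subcategory:"Logon"                      /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon"              /success:enable
auditpol /set /subcategory:"Directory Service Changes"  /success:enable
auditpol /set /subcategory:"Credential Validation"      /success:enable /failure:enable
# Central repository: forward the Security log with Windows Event Forwarding (wecutil qc on the
# collector) or a SIEM agent, so these events survive a DC being wiped.

# 2. Detection: members added to security-enabled groups in the last hour.
#    4728 global, 4732 domain local, 4756 universal. (4729/4733/4757 are the removals,
#    4720 is user created, 4740 is account lockout, if you want to extend the filter.)
$filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # The structured fields live in the event XML; pull them into a hashtable by name.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Group  = $d['TargetUserName']   # the group that was changed
        Member = $d['MemberName']       # DN of the member that was added
        Actor  = $d['SubjectUserName']  # who made the change
        DC     = $e.MachineName
    }
}

# 3. Alert only on the groups that matter; everything still goes to the collector.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$critical = @($hits | Where-Object { $_.Group -in $privileged })
if ($critical.Count -gt 0) {
    $body = $critical | Format-Table -AutoSize | Out-String
    Send-MailMessage -To 'soc@corp.example' -From 'dc-audit@corp.example' `
        -SmtpServer 'smtp.corp.example' `
        -Subject "Privileged group change on $env:COMPUTERNAME" -Body $body
}
$critical
```

Schedule the detection part hourly on each DC, or better, run it once against the central collector: group changes are recorded on the DC that processed them, and an attacker can pick which DC that is.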

Formulate a disaster recovery plan: Even when we are fully prepared, disaster may still strike our Active Directory environment; that much is evident from the many Active Directory breaches at established organizations reported in newspapers around the globe.

So why not have a disaster recovery plan ready in advance, so that in an emergency you only have to follow steps that are already laid out? Document the plan and rehearse it during quiet periods, restoring into an isolated test environment rather than trusting a backup that has never been tried.
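The checks a rehearsal should cover, for the AD-specific part of the plan, are shown below. This is an added example, not the article's code; it assumes Windows Server Backup is installed on the DC and that E: is a local backup target, both of which are placeholders.

```powershell
# Added example: recovery readiness checks for a domain controller.
# Assumptions: run on a DC with Windows Server Backup installed; E: is the backup target.
Import-Module ActiveDirectory
$forest = Get-ADForest

# 1. AD Recycle Bin: a deleted object comes back with all attributes and group memberships,
#    with no authoritative restore. Needs forest level 2008 R2 or higher; cannot be turned off again.
$rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# 2. System State backup of this DC: the AD database, SYSVOL and the registry.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 3. Backup age against the tombstone lifetime: a backup older than the tombstone lifetime
#    cannot be restored safely, because deletions made since then would be resurrected.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
            -Properties tombstoneLifetime
$tsl = $dsObj.tombstoneLifetime
if (-not $tsl) { $tsl = 60 }   # attribute unset means the legacy default of 60 days
"Tombstone lifetime: $tsl days; any backup older than this is unusable for restore"
repadmin /showbackup           # last backup time recorded for each naming context

# 4. The DSRM password is the one credential needed for an offline restore. Keep it known
#    and rotated by syncing it from a dedicated domain account, then store it offline.
#    ntdsutil "set dsrm password" "sync from domain account dsrm-sync" q q
```

The rehearsal itself is a restore of that System State backup onto a DC in an isolated network, followed by checking that replication, DNS and Group Policy come back; if that has not been done at least once, the plan is a document, not a capability.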

Quite a lot has already been said about Active Directory security; the tips above are the ones that matter most or are left out elsewhere. Fundamentally, three questions address your Active Directory security concerns: what should I do to ensure its security? How should I respond if a breach happens? What can I do to annul any benefit that attackers or competitors may gain from the data they have taken?

When devising your Active Directory security strategy, include these tips; they will undeniably help.
