Since debuting in 1999, Active Directory has been the go-to directory service for many mid-sized and enterprise companies. And though it has its issues, many of the companies that we see running Active Directory haven’t had it serviced in ages, nor have they had old users, old policies, and old groups reviewed and culled.
One thing that we’ve certainly been guilty of is making temporary changes permanent. By that we mean that in the past, when we’ve figured out a solution to a problem in our environment, we’ve tended not to document exactly how the problem was fixed and configured, and eventually we forget to do so altogether. Simply put, while Active Directory as a product is still extremely strong, a certain type of inertia can settle in because it rarely causes any noticeable issues.
But here’s something that should always be at the top of your mind. Active Directory is the first place hackers go when breaching a system. Why? If someone is able to get access to your AD, they can create their own superuser credentials and ultimately control the whole network, hiding information in the directory structure so that the only way to ensure you’re rid of that intruder is to rebuild the whole domain from scratch.
And as we are willing to bet that’s about the last thing you want to do with your precious time, here are 5 time-tested ways to improve your AD security.
No Individual Permissions
When setting up AD, it can be easy to leave individual permissions in place. So when modernizing your servers and doing a review, try to get on top of your permissions and assign them to groups, so that it becomes infinitely easier to manage who has access to what.
Additionally, when creating new groups or adding new users to existing groups, try to limit the number of groups you create, and conduct a periodic audit to remove any outdated groups and review what types of permissions you are giving to specific groups.
Lastly, privileged access is a concept we’ve been talking to a lot of clients about. It refers to giving users the least amount of access while still enabling them to do everything that they need to do. If you’re working with a smaller company, it’s easy to not want to make your employees think that you distrust them by cutting back on their access. But explaining that it has nothing to do with them and everything to do with the hackers that can cause serious damage should help smooth things over.
Who Has Access to What?
Next up is conducting an audit of who exactly has permission to what and changing those permissions. Ultimately, you want to identify the types of roles you need to regularly create so that you can give users just the right amount of access and thus enact least privileged access.
Managing Service Accounts
Of course, it can be tricky to keep track of roles and permissions when the applications you install create automated service accounts. What type of access do software publishers give these accounts? Typically, it’s full access, to cut down on technical support calls from users and to allow that application to run in as many environments as possible.
So review all existing and any incoming service accounts to determine whether any of them have potential exploits associated with them, set the permissions in the correct places, and get rid of any outdated services.
Clean Up Licensing
When creating a cleaner, tighter directory, take the time to clean out identities. By doing so you’ll be able to save yourself some outdated licensing costs. In addition, document everything that you’re doing so that you have a good policy to make sure you know what’s getting changed and who has access to what. As our senior tech Jane Tyler puts it, “Document, document, document.” It doesn’t get much easier than that, right?
Audit Sensitive Folders
Our final tip has to do with an area in which we see a lot of exposure that stems from AD, even though you may be viewing the data on a file server, shared drives, or mapped drives. Individual access is never a good idea because individuals get added to certain types of groups where they then gain new access that in turn gets forgotten about, often long after they’ve left the company.
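One way to run the folder audit described above and in "No Individual Permissions", as an added example that is not part of the original article: the PowerShell function below walks a share and reports every explicit permission granted directly to a user account rather than a group, noting whether that account is enabled, disabled, or no longer found in AD. The function name, the Status labels, and the share path are assumptions made for illustration.

```powershell
# Added example. Requires the RSAT ActiveDirectory module and read access to the share.
Import-Module ActiveDirectory

function Get-IndividualFolderAce {
    param([Parameter(Mandatory)][string]$Path)

    # The root folder plus every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        # Explicit ACEs only; inherited ones are reported at the folder that sets them.
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }    # identity cannot be mapped to a SID

            # Skip well-known principals (SYSTEM, BUILTIN\Administrators, ...).
            if ($sid -notlike 'S-1-5-21-*') { continue }

            $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
            # Groups (the intended way to grant access) and other non-user objects are skipped.
            if ($obj -and $obj.ObjectClass -ne 'user') { continue }

            # No match: deleted account, local account on the server, or another domain.
            $status = 'NotFoundInAD'
            if ($obj) {
                $user   = Get-ADUser -Identity $sid -Properties Enabled
                $status = if ($user.Enabled) { 'EnabledUser' } else { 'DisabledUser' }
            }

            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Status    = $status
            }
        }
    }
}

# Placeholder path (assumption); replace with the share under review.
Get-IndividualFolderAce -Path '\\fileserver\Finance' |
    Sort-Object Status, Folder | Format-Table -AutoSize
```

Rows marked DisabledUser or NotFoundInAD are the forgotten access the tip warns about; EnabledUser rows are candidates for moving into a group.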
We know that just begins to scratch the surface, but be sure to check out our webinar on improving AD security here. We have experts such as Jane Tyler here at Productive whose expertise can help save you time and money. Contact us today to learn more about how we can help you improve your AD security!