Because of the need for Windows-based security, we commonly use Active Directory (AD) to manage user privileges. This also presents numerous challenges for administrators tasked with managing that environment and keeping critical business files safe and secure. Damage can be done by those accounts with elevated privileges, but sometimes vulnerabilities are introduced by administrators poorly managing AD. The best practices outlined by Sarbanes-Oxle and PCI audit requirements can help prevent some security issues, if you follow those best practices is a consistent and reliable way all the time. Sometime people make mistakes, and we have listed common mistakes:
- Users as domain administrators. Non-administrative users should not have administrative rights. Even administrative users should have a normal account that they use all the time, and a separate administrative account they only use when actually performing functions requiring elevated privileges. Ignoring the concept of least privilege is a major security issue.
- Accounts with elevated credentials. Most security aware organizations avoid this common mistake by giving users with elevated privileges, such as a domain administrators, a normal account to log onto their machine and a privileged account for elevated access. The main reason for the separation is to avoid security breaches such as a simple drive-by download or email attack. This also includes keeping the user accounts out of the local administrator account.
- Disable Object Protection. Make sure you do not disable simple warning asking you if you are sure you want to delete objects in AD. You don’t want to accidentally delete an object if it can be avoided. A better option would be to never turn off object protection.
- Keep obsolete accounts. Enabled user accounts that aren’t actively being used are one of biggest security threats in any organization. Develop a plan to disable and ultimately delete obsolete accounts within 60-90 days of inactivity. This can be accomplished with an automation script to third-party tools.
- Single Expert. A mistake many small organizations make when it comes to mission critical operations is having all their eggs in the basket of a single expert who is the only one that can make changes to AD. You need to make sure at least two people understand, have access to, and can create and modify any AD settings in your environment. This prevents the single point of failure in case the person who is the expert leaves the organization or is out of town for a few days and can’t be reached in an emergency.
- Poor Active Directory Design. Create a simple to understand and simple to maintain AD structure that is difficult to use incorrectly. Complexity breeds mistakes, so keep the structure and objects as simple as possible.
- No Incident Recovery plans. If someone deletes 10,000 directory objects today, how quickly can you recover AD back to normal? If an automated script improperly disables thousands of users, how do you plan to recover? Planning and testing recovery options are a must for all organizations to quickly recover from mistakes. Plan for the worse possible scenarios, and hope for the best. Have a written plan, and test different scenarios at least once per calendar year.
- Don’t modernize. Do not allow you core of network security to fall behind on technology. You may not want to upgrade your users to the latest version of Windows, but you should keep your AD environment up to date and never allow your environment to fall behind with the latest security improvements and features. Each and every security patch and Windows update needs to be tested and applied as a top priority.
- Share Accounts. Each and every user should have their own network account. There should never be users sharing user accounts.
- No Password Changes. Users will never change their password if you don’t force them to change their passwords. You should force your users to change their password at least every 90 days.
You can get more information about Active Directory here.