CISOs: Want to Secure Your Organization? Start With Active Directory.
AD Administrators often face questions such as: When and Why was userX made an administrator? Have any new user accounts been added that they didn't know about? Why can't user X access this folder anymore? Where did this user account come from!?
The Active Directory Challenge
When an employee begins his/her employment at an organization, there is not a moment to lose. They must be given the right permissions, the right software, the right access to servers, folders, and even files. Multiply this task across all levels of an organization, and with additional layers. Now think of the various group memberships each individual has permission to access.
Are the AD settings up to date for each and every employee? More importantly, is monitoring for AD changes part of an organization's security culture? Most likely, this is not the case.
However, as previously mentioned by Active Directory: Do You Need a Change Management Strategy, in today’s technology climate, monitoring for changes should be part of the organization’s security culture. Skyport’s recent report notes AD mismanagement can be to blame for 90 percent of enterprise security breaches.
Who Has Access?
As detailed by Active Directory Security, determining the access each group has within AD is the challenge. AD rights is more than group memberships.
The combined rights of Active Directory can include:
- Active Directory group membership.
- AD groups with privileged rights on computers
- Delegated rights to AD objects by modifying the default permissions (for security principals, both direct and indirect).
- Rights assigned to SIDs in SIDHistory to AD objects.
- Delegated rights to Group Policy Objects.
- User Rights Assignments configured on workstations, servers, and Domain Controllers via Group Policy (or Local Policy) defines elevated rights and permissions on these systems.
- Local group membership on a computer or computers (similar to GPO assigned settings).
- Delegated rights to shared folders.
Understanding Your Organization
New hires, new fires. New buildings, new access. Though organizations do their best to keep IT departments informed with the latest employee news, do they provide the tools needed to keep an infrastructure not just compliant but also secure?
To implement change management with Active Directory, an organization will need a combined smart policy and automation-based tools. Specifically, smart tools are needed to effectively monitor for changes.
Best Practices for AD monitoring can include:
- Mechanisms for Change Control: organizations need to implement controls around users with the ability to make changes. Logs should include sufficient information to detect red flags that could indicate account compromise, such as location, device, and time.
- Ability to Understand the "Quality" of Changes: Changes via AD can move your organization out of compliance in a matter of seconds. Using a file integrity monitoring tool allows you to accurately determine if changes are negative, positive, or neutral.
- Structured Change Workflows: This can be accomplished with a comprehensive information security policy, which is required for PCI and other regulatory compliance. Built-in processes for implementation and administration of changes is critical for organizations of any size.
- Ability to Remediate Negative Changes: Restoring a system backup and remediating negative changes should not involve complex or drastic measures. Using a FIM tool can enable administrators/security personnel to immediately reverse negative changes to critical files of an infrastructure when change monitoring tools indicate actions impacted security or file integrity.
- Ability to Understand and Act on Audits in Real-Time: A FIM solution with human-readable intelligence about changes, can immediately piece together the context of a change, including where it originated, who is responsible, and how it impacts your network. Contextually-rich, human-readable audit logs can enable true real-time change management with Active Directory.
For more information on high-level Active Directory Monitoring and Management, we recommend Change Monitoring vs. Control vs Management: What's the Difference?
Understanding the Risks
Because the Active Directory allows for the network to managed centrally, if changes occurring to a network are not being monitored, how can they effectively stay managed? Monitoring for change is a necessity with the number of breaches occurring annually.
In Attack Methods for Gaining Domain Admin Rights in Active Directory, the attack occurs once an attacker is on the inside, and running the malicious code inside of the network. the next steps that can occur may include:
- Malware Injection (Spear-Phish, Web Exploits, etc)
- Reconnaissance (Internal)
- Credential Theft
- Exploitation & Privilege Escalation
- Data Access & Exfiltration
- Persistence (retaining access)
Systematic monitoring is necessary to ensure consistent service delivery in a large environment with many domain controllers, domains, or physical sites. As a distributed service, Active Directory relies upon many interdependent services distributed across many devices and in many remote locations.
As you increase the size of your network to take advantage of the scalability of Active Directory, monitoring becomes more important. It helps you avoid potentially serious problems, including:
- Security Policy Failure: Effective application of security policies requires correct replication of the SYSVOL policy.
- Account Lockout: Accounts and logons can fail if there are issues with your PDC emulator
- Domain Controller: Without sufficient disk space, you can experience domain controller functionality issues.
- Application Issues: Critical applications can cease operations if queries do not work.
- Directory Data Quality Problems: Data replication failures can require extensive time to resolve.
CimTrak for Active Directory
Monitoring AD isn't simple, but it can be for you. As a comprehensive security, integrity, and compliance software offering agent-based covered for a wide array of endpoints, CimTrak for Active Directory helps monitor directory services for deviations that may go unnoticed in larger environments.
Designed for awareness, CimTrak's human-readable logs, built-in intelligence and accountability keeps organizations protected. Learn more about CimTrak today.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".