A Healthy Active Directory Makes for a Healthy Environment

Do What You Can to Bolster Your Security Posture

October is National Cybersecurity Awareness Month! In honor of the occasion, our Loop1 Technical Account Manager, Katie Boldizar, gives insight about the importance of maintaining Active Directory (AD) and how a healthy AD can significantly improve your cybersecurity protocols!

Keeping your AD secure is fundamental to maintaining services on Microsoft-based servers and networks. Proper upkeep of Active Directory is crucial to cybersecurity because Active Directory holds the keys to the proverbial kingdom. It authenticates every user and computer in the domain, issues the Kerberos tickets those identities use to reach services, enforces Group Policy (including password, Kerberos and encryption settings), manages group membership and access rights, and, through Active Directory Certificate Services, issues certificates. Whoever controls AD controls everything that trusts it, which is why AD is truly the core of the entire IT infrastructure.

Because Active Directory is such an integral piece of our technical environments, there are numerous housekeeping tasks that need to be addressed to maintain optimal domain health. But, due to the chaotic nature of the modern SysAdmin role, many of these tasks are neglected, overlooked, or take a backseat to more mission-critical work. We've all heard the saying that the squeakiest wheel gets the grease; that sentiment rings true for IT professionals the world over.

But you are not alone in your journey to maintaining a healthy AD. SolarWinds has a deep bench of security-related tools that will help increase the security posture of your environment with minimal time and effort on your part. Let's look at some of the most commonly overlooked tasks and how SolarWinds Access Rights Manager (ARM) can simplify them.

To start, let's talk about finding and fixing broken permission inheritance.

I won’t make you air your dirty laundry in a public forum, but, I am willing to bet that someone reading this is thinking to themselves, “When was the last time I checked for broken inheritance permissions in my environment?” – Last week? Last month? Maybe even last year??!

Regardless of where you fall on this spectrum, a regular maintenance schedule lets you catch objects where inheritance has been disabled before stale or unexpected access control entries (ACEs) pile up on them, and that in turn makes your environment harder to attack. For practitioners using SolarWinds ARM, I encourage you to incorporate the out-of-the-box features into that schedule. A handy, built-in report identifies every object with blocked inheritance, with no manual process or messy scripts to maintain, saving you time and effort in the long run.

It's possible that you are using some kind of complex scripting to automate this process so that you don't have to set reminders to check for errors or anomalies. Automating the check is fine; in this instance it is automating the fix that can pose a security risk to your AD.

A workflow that re-enables inheritance or rewrites ACLs on its own, with nobody reviewing each object first, can apply the wrong permissions to the wrong object. That could be anything from granting the wrong permission on a file, resulting in a breach of confidential data, to security permissions being rewritten on an Organizational Unit (OU), where one bad ACL can break delegation for everything beneath it. Some objects are also meant to have inheritance disabled: accounts protected by AdminSDHolder (those stamped with adminCount=1) have their ACLs reset by the SDProp process, so blindly "fixing" them is wasted effort at best. Ultimately, inaccurate inheritance permissions cause errors, or leave administrative accounts or groups unable to edit objects in Active Directory, a headache we all want to avoid.
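If you would rather see the check than trust a black box, here is an added example of the report-only approach described above. It is not code from the Loop1 post or from SolarWinds ARM; it assumes Windows PowerShell with the RSAT ActiveDirectory module and a default search base of the domain root (both assumptions), and it deliberately never calls Set-Acl, leaving the decision about each object to a human.

```powershell
# Added example (not from the Loop1 post or SolarWinds ARM): report AD objects
# whose DACL has inheritance disabled. Read-only: it never modifies an ACL.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-BlockedInheritanceReport {
    param(
        # Assumption: search the whole domain; pass an OU DN to narrow it down
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Reading ntSecurityDescriptor through the AD module gives an
    # ActiveDirectorySecurity object. AreAccessRulesProtected is $true when
    # "Include inheritable permissions" has been cleared on the object.
    Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree `
        -Properties ntSecurityDescriptor, adminCount, objectClass |
    Where-Object { $_.ntSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            ObjectClass       = $_.ObjectClass
            # adminCount=1 means SDProp maintains this ACL from AdminSDHolder and
            # disables inheritance on purpose; these are expected, not broken.
            AdminSDHolder     = ($_.adminCount -eq 1)
            # Number of explicit (non-inherited) ACEs tells the reviewer how much
            # custom ACL would be lost if inheritance were simply re-enabled.
            ExplicitAces      = @($_.ntSecurityDescriptor.Access |
                                  Where-Object { -not $_.IsInherited }).Count
        }
    }
}

# Usage: unexpected objects (AdminSDHolder = False) sort first; review each
# object's explicit ACEs before deciding whether to re-enable inheritance.
Get-BlockedInheritanceReport |
    Sort-Object AdminSDHolder, DistinguishedName |
    Format-Table -AutoSize
```

Run it from the same schedule you would use for the ARM report. The AdminSDHolder column is the caveat from the text made concrete: anything flagged True is supposed to look that way, and the rest is your review list.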

Next, we need to talk about circular nested groups.

For those of you new to the conversation, circular nested groups occur when groups are nested inside one another in a way that loops back on itself, creating an infinite loop in the full membership path. Active Directory allows "children" to also be "parents" in the same family tree, so to speak, which is what makes circular nesting possible. If your nested group structure loops in a circle, every user who is a member of any group in the loop effectively receives the access rights of all of the groups in it. Needless to say, this structure makes group membership assignments ineffective and poses rather obvious security risks.

You are more likely to have circular nested groups as more and more layers are added to your nested group structure. There are a number of ways to identify them, from a manual walk of each group's membership to PowerShell scripts, but for those who can, we recommend using SolarWinds ARM, which automatically identifies any recursion that exists in your environment.
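For the PowerShell route mentioned above, here is an added example (not code from the Loop1 post or from SolarWinds ARM) that finds nesting loops with a depth-first search over the member attribute of every group. It assumes the RSAT ActiveDirectory module and a search base of the domain root; groups in other domains or forests are not followed.

```powershell
# Added example (not from the Loop1 post or SolarWinds ARM): find circular group
# nesting by walking each group's "member" attribute with a depth-first search.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Find-CircularGroupNesting {
    param(
        # Assumption: scan the whole domain; pass an OU DN to narrow it down
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Adjacency table: group DN -> DNs of members that are themselves groups.
    # Users, computers and groups outside the search base are dropped here.
    $groups  = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member
    $isGroup = @{}
    foreach ($g in $groups) { $isGroup[$g.DistinguishedName] = $true }

    $children = @{}
    foreach ($g in $groups) {
        $children[$g.DistinguishedName] = @($g.member | Where-Object { $isGroup.ContainsKey($_) })
    }

    # Three-colour DFS: unset = unvisited, grey = on the current path, black = finished.
    # Reaching a grey node means the current path has looped back on itself.
    $state  = @{}
    $cycles = New-Object System.Collections.Generic.List[string]

    function Visit([string]$dn, [System.Collections.Generic.List[string]]$path) {
        $state[$dn] = 'grey'
        $path.Add($dn)
        foreach ($child in $children[$dn]) {
            if ($state[$child] -eq 'grey') {
                # Report the loop from the point where $child first appears on the path
                $arr   = $path.ToArray()
                $start = [array]::IndexOf($arr, $child)
                $cycles.Add((($arr[$start..($arr.Length - 1)] + $child) -join ' -> '))
            }
            elseif ($state[$child] -ne 'black') {
                Visit $child $path
            }
        }
        $path.RemoveAt($path.Count - 1)
        $state[$dn] = 'black'
    }

    foreach ($dn in $children.Keys) {
        if ($state[$dn] -ne 'black') {
            Visit $dn (New-Object System.Collections.Generic.List[string])
        }
    }

    # Each loop is printed as A -> B -> C -> A; the same loop may appear rotated
    # if it is entered from different groups, so sort and de-duplicate.
    $cycles | Sort-Object -Unique
}

Find-CircularGroupNesting
```

The output is one line per loop, so an empty result is the healthy case. Because the graph is built once from a single query rather than by calling Get-ADGroupMember -Recursive per group (which itself fails on circular nesting), it scales to domains with thousands of groups.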

The last major task we need to discuss is monitoring direct access rights, that is, permissions granted straight to a user account rather than through a group. (This is not the same thing as DirectAccess, the Windows Server remote-access feature.)

Because direct access reporting shows us how any user's permissions were assigned and identifies the users who hold directly granted permissions, we can swiftly eliminate inappropriate access, reducing overall risk and strengthening the security posture. SolarWinds ARM can pinpoint all of the direct access rights on your file server(s), and its built-in drag-and-drop functionality lets you move those rights into the appropriate group with little effort. As always, security best practices should be top of mind when reworking permissions in Active Directory.

Replacing direct access rights with permissions assigned through group membership eliminates security risk where possible. This approach lets us apply the principle of least privilege, an AD best practice that emphasizes assigning users the permissions they need to do their job and nothing more. Keep in mind that least privilege exists to limit how far a compromised account or a piece of malware can spread through your environment; it has nothing to do with the trustworthiness of your employees or team members.
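To illustrate what the ARM report is finding on a file server, here is an added example (not code from the Loop1 post or from SolarWinds ARM) that walks a share and lists every explicit NTFS ACE whose trustee resolves to a user object rather than a group. It assumes the RSAT ActiveDirectory module, read access to the share, and the share path \\fileserver01\Finance, which is a placeholder for your own.

```powershell
# Added example (not from the Loop1 post or SolarWinds ARM): list explicit NTFS
# ACEs that grant rights directly to a user account instead of to a group.
# Assumes the RSAT ActiveDirectory module and read access to the share.
Import-Module ActiveDirectory

function Get-DirectUserAces {
    param(
        # Root of the share or folder tree to audit
        [Parameter(Mandatory)][string]$Path
    )

    # Cache SID -> objectClass so each trustee is looked up in AD only once
    $classCache = @{}
    function Resolve-TrusteeClass([System.Security.Principal.IdentityReference]$id) {
        try   { $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { return 'unresolvable' }   # orphaned SID: a deleted account, worth its own review
        if (-not $classCache.ContainsKey($sid)) {
            $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass `
                                -ErrorAction SilentlyContinue
            $classCache[$sid] = if ($obj) { $obj.ObjectClass } else { 'local-or-builtin' }
        }
        $classCache[$sid]
    }

    # Include the root folder itself, then every subfolder beneath it
    @(Get-Item -LiteralPath $Path) +
    @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue) |
    ForEach-Object {
        $folder = $_.FullName
        $acl    = Get-Acl -LiteralPath $folder
        foreach ($ace in $acl.Access) {
            # An inherited ACE is reported once, at the folder where it was set
            if ($ace.IsInherited) { continue }
            if ((Resolve-TrusteeClass $ace.IdentityReference) -eq 'user') {
                [pscustomobject]@{
                    Folder   = $folder
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                    Type     = $ace.AccessControlType
                }
            }
        }
    }
}

# Usage (placeholder share path): each row is a candidate to move into a group
Get-DirectUserAces -Path '\\fileserver01\Finance' | Format-Table -AutoSize
```

Each row is one user-level ACE to replace with a group assignment. The script only reads, so the remediation step, creating or choosing the group, adding the user, granting the group the same rights and then removing the direct ACE, is still done deliberately, just as the text recommends.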

All in all, Active Directory is an extremely useful tool, utilized by nearly 90% of businesses, that supports sysadmins, accidental DBAs, and IT professionals of all sorts in their effort to keep our IT environments safe and secure. If you are looking to bolster your security protocols, your first step is to ensure that your environment is set up properly. Once that is established, regularly scheduled checkups of your Active Directory will help you sustain a secure environment. Beyond that, reviewing direct access rights, checking for broken permission inheritance, untangling circular nested groups, and keeping a clean environment are the best ways to keep your organization safe from security threats. Good luck and Godspeed in your security journey. For further support, or any questions you may have about Active Directory, contact a member of the Loop1 team today!

By: Katie Boldizar
Loop1 Technical Account Manager
Network+, Security+, SCP
https://katieboldizar.com