By Controlling Active Directory, You Can Control Your Whole Network
The protection of your business’ computing assets is a bigger deal today than ever before. This is because there are dozens of ways that things could go wrong. One tool that many IT administrators like to use is called Active Directory, a feature found on most Microsoft Server operating systems that allow administrators to control users. This month, we take a look at Active Directory.
The first thing you should know about Active Directory is that there isn’t a static plan that can be used by every business. We will go over some of the best practices, but you need to take into account that you need to configure your Active Directory settings to fit your business’ needs. If your business is coming from a situation where it doesn’t have any system in place, Active Directory is a great place to start.
Nobody Needs to be an Administrator
When someone logs into a business’ domain server, they use their account, which by default is centralized in Active Directory. This alleviates the need for a central IT admin to login and set administrative privileges, and works across the network from the server to the endpoint to keep a business safe. After all, if people that don’t need access to certain information, don’t get access, nothing it lost. This is called the least privilege administrative model.
It works like this: each user has the minimum permissions to complete their work. You can always elevate access temporarily if needed. Otherwise, if a user gets a virus, that virus will have the same access the user does, and could do a lot more damage because the user has access he or she didn’t need in the first place. The virus has the capability to spread across the network, where if the user’s permissions were locked down, the virus would only have a minimal impact.
This means that everyone on the network, including the business owner, the employees and the IT staff log in as a regular non-administrator to do their normal day-to-day work. If they need to get administrative control, they can log in with a separate admin account. You will want to keep credentials to that administrative account safe and protected.
Force Strong, Complex Passwords and Set Password Expirations
Most people aren’t able to memorize complex passwords. Some can’t even create them. Unfortunately for everyone, the people that want to break into computing networks have tools that are extremely proficient at guessing passwords that aren’t complex enough.
You will want to ensure that your staff has learned the value of the use of a passphrase. Instead of combining string of words that could potentially makes sense, stringing together multiple random words is actually more secure. Keep in mind, the words need to be very random. Here’s a quick example:
Bad Passphrase Examples:
Good Passphrase Examples:
Back to Active Directory, you should require passwords to be long - at least 12 characters, and settings should lock a user out after three failed attempts. Forcing passwords to expire every month or two is a good strategy to ensure that password security is maintained.
Delegate Permissions to Security Groups, not Individual Accounts
When we go in and audit a new prospect’s network, we often find that they have gone ahead and assigned permissions to individual accounts rather than using security groups. As your organization grows this can present problems with controlling access. Keeping track of who can see what using security groups is a much better and more organized option.
Use LAPS (Local Administrator Password Solution)
Inside Active Directory, there is a feature called the Local Administrator Password Solution (LAPS). It allows Active Directory to handle the local admin accounts on each individual PC on a given computer network. Since the local administrator has full control over the machine, it is definitely not an account you want compromised.
A common practice by IT professionals is to send images of Windows across each machine on a business' network, to save time. After all, setting up every computer individually will take a lot more time than doing it globally on the network. The way this works is that your IT administrator takes a pre-built clone configuration that includes the operating system, most of the software, and optimal settings that your company’s IT admin has agreed on, and sends it out on the new system. Unfortunately this image-based deployment will also carry over admin accounts and passwords. LAPS solves this by assigning each device its own unique password that is controlled through Active Directory. It’s one of the best free and simple solutions for protecting your network against lateral threat movement from device to device.
Document Everything, and Schedule Reviews and Clean Up Sessions
Many organizations go round-and-round thinking about building permission groups and determination of who has access to what, only to be seriously confused when examining permissions a year later.
The key is to document everything. The groups that have access, network permission, exceptions, etc. By scheduling regular audits of your Active Directory setting, having everything clearly defined, and routinely updated, it will make managing your computing resources that much faster and less problematic.
Active Directory is the Backbone of Issue Monitoring
Since Active Directory is used to manage every user and device on your business’ computing network, it can log information and report on potential issues. Our technicians actively use this data to catch potential problems early, often resolving them before they affect a business in any noticeable way.
Here are just a few things that Active Directory lets you monitor and report on:
- Group permission changes
- Account lockouts
- Antivirus being disabled or removed
- Logon and Logoffs
- Spikes in bad password attempts
- Usage of local administrator accounts
Additionally, IT professionals are able to put together Windows Event Logs to provide information about each machine’s physical well-being.
Get Your Network Assessed
Admittedly, Active Directory is a much more vast and powerful resource than we have time to write about here; and it is often improperly configured when we go in to do network audits, meaning that it is being underutilized.
If you would like to see how you are currently using Active Directory, call ISC today and we will assess your business’ computing infrastructure and build a report on any security issues or misconfigurations we find. We can do this very discreetly as to not cause your current IT administration team any undue consternation.
Call us today at 502.292.5097 to learn more.