Active Directory Permissions: Best Practices for Data Protection

JUNE 20TH, 2017
There are few tasks an IT administrator performs that are more important than securing and protecting the data Active Directory guards. When done properly, Active Directory authenticates users and authorizes only those with permission to reach the data, while keeping everyone else out of the system. It's a tricky balance. The users you serve want fast and easy access to their data. Place too many hoops in front of them, and they may try to route around your security policies. But you don't want to compromise security either by loosening the checks and balances that keep everyone safe.

Active Directory Permissions Best Practices

Active Directory is a complex directory service that started out in Windows 2000 Server as the replacement for NT domain management. Since Windows Server 2008 the name has covered a family of roles (Domain Services, Certificate Services, Federation Services, Rights Management Services and Lightweight Directory Services) that together handle directory, authentication and identity-based functions. In simple terms, Active Directory determines who each user is and what each user can do on the network. Over the years, Microsoft has built products that integrate with Active Directory to improve network security. When properly configured, Active Directory and those services work together to give each user access to the data he or she needs to do the job, and no more. This week, I'd like to look at a number of best practices for securing data through the Active Directory model. Some of these recommendations take more planning; others are simple to put in place. I hope at least one of them is new to you. Let's get started!

Least-Privilege User Access (LUA)

This is a tip I'm sure you've heard before. It's so obvious that many administrators overlook it. The idea is that every user logs in to the network with the minimum permissions needed to do their job. Nothing more, nothing less. Following this principle keeps people out of areas of the network where they could cause problems, and it limits what any malware running under their account can reach. You don't want a user running rogue code in an area that could bring down the whole system. Yet we've all been there before.
LUA is the opposite of granting everyone administrative privileges and then scaling back permissions as needed. It's one of the best tips for keeping your network safe. So why don't more administrators use this model? Well, it takes a lot of planning. You have to determine what each user needs to access on the network, and doing that for every user takes time. In practice, I've seen approaches that meet some of the requirements but not all. For example, an administrator might create a group called Accounting and place everyone in that department into it. This assumes everyone in accounting requires the same permissions, which is unlikely at any company unless accounting consists of one employee. Groups are still the right tool; the fix is to model the distinct roles within a department (accounts payable, payroll, audit) as separate groups rather than one catch-all. LUA takes planning and time, and it's difficult to implement across the whole company at once. But you can begin with each new hire, and then tackle a group at a time. The time investment will be worth it in the long run. The goal is to avoid user accounts with broad and deep privileges across the company, and that applies doubly to administrators: delegate the specific right a helpdesk or application team needs instead of adding them to Domain Admins. And keep in mind, you can always grant more permissions as necessary; taking them back later is far harder.
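
As an added example (not code from the original article), here is the kind of narrow delegation LUA calls for in Active Directory: instead of putting the helpdesk in a privileged group, grant them only the "Reset Password" extended right on user objects beneath one OU. It assumes the ActiveDirectory PowerShell module is installed, and the OU and group names are placeholders for your environment; the two GUIDs are the published schema identifiers for the user class and the User-Force-Change-Password right.

```powershell
# Added example: delegate one extended right on one OU instead of granting
# group-wide admin rights. Assumptions: ActiveDirectory module present; the
# OU and group names below are placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=corp,DC=example'   # assumed OU holding the user accounts
$groupName = 'Helpdesk-PasswordReset'        # assumed delegation group
$apply     = $false                          # set to $true after reviewing the -WhatIf output

# Well-known GUIDs from the AD schema documentation.
$userClassGuid       = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class
$forceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password (reset, no old password)

$group = Get-ADGroup -Identity $groupName
$sid   = $group.SID    # SecurityIdentifier; ACEs are stored by SID, not by name

# Allow: ExtendedRight <reset password>, inherited only by descendant user objects.
# Scoping with InheritedObjectType = user class keeps the right off computers, groups and OUs.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $forceChangePassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)

if ($apply) {
    Set-Acl -Path "AD:\$ouDn" -AclObject $acl
} else {
    Set-Acl -Path "AD:\$ouDn" -AclObject $acl -WhatIf
}

# Verify: show exactly what the group holds on the OU and what it applies to.
# ObjectType is the right's GUID; InheritedObjectType is the user class GUID;
# InheritanceType 'Descendents' means the OU object itself grants nothing.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it once with `$apply = $false` to see the change Set-Acl would make, then flip the switch. The same pattern, with a different rights GUID or a write-property ACE, covers unlocking accounts or editing a single attribute, which is the level of granularity that keeps helpdesk staff out of Domain Admins.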

Brush Up on the Security Model

Active Directory has changed a lot over the years, especially as Microsoft has given it more responsibility. Now would be a good time to brush up your understanding of how it is structured. Much like a relational database, Active Directory has a schema that defines each object class and its attributes. For example, a "user" object carries attributes such as first name, last name, department, manager and phone number. Those attributes describe the object; they do not by themselves grant anyone access to it. Permissions live in the object's security descriptor, which holds the owner, a discretionary access control list (DACL) made up of access control entries (ACEs) that allow or deny specific rights to specific security principals, and a system access control list (SACL) that controls auditing. Understanding how these ACLs secure objects for users and groups is the core of what Active Directory provides a company. Going a step further, understanding how permissions are inherited is just as important: an ACE set on an organizational unit flows down to the objects beneath it unless inheritance is blocked, so one careless entry high in the tree can grant rights over thousands of objects. This is a deep topic that's impossible to cover in a few paragraphs; even professionals with many years of Active Directory experience rarely understand the entire security model. Paramount Defenses provides an excellent overview if you'd like a quick primer.
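
The quickest way to make the security descriptor concrete is to read one. The following added example (not from the original article) pulls the descriptor of a single AD object and reports the owner, each DACL entry with whether it was inherited from a parent container, and the SACL. It assumes the ActiveDirectory module is available, that the caller holds the privilege needed to read the SACL, and that the distinguished name is a placeholder.

```powershell
# Added example: decompose an AD object's security descriptor into owner,
# DACL (explicit vs inherited ACEs) and SACL. Assumptions: ActiveDirectory
# module present; the DN below is a placeholder.
Import-Module ActiveDirectory

function Get-ADSecurityDescriptorReport {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # -Audit is needed to read the SACL (requires the SeSecurityPrivilege right).
    $sd = Get-Acl -Path "AD:\$DistinguishedName" -Audit

    # Rights that let a principal take full control of the object, directly or
    # by rewriting its DACL / owner first.
    $takeover = 'GenericAll', 'WriteDacl', 'WriteOwner'

    $dacl = foreach ($ace in $sd.Access) {
        # ActiveDirectoryRights is a flags enum; ToString() gives "A, B, C".
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType        # Allow or Deny
            Rights     = $ace.ActiveDirectoryRights
            # An empty GUID means the ACE covers the whole object rather than
            # one attribute, property set or extended right.
            ObjectType = $(if ($ace.ObjectType -eq [guid]::Empty) { '(entire object)' } else { $ace.ObjectType })
            Inherited  = $ace.IsInherited              # came down from a parent container?
            AppliesTo  = $ace.InheritanceType          # None / All / Descendents / Children / SelfAndChildren
            Dangerous  = (($ace.AccessControlType -eq 'Allow') -and
                          (($rights | Where-Object { $takeover -contains $_ }).Count -gt 0))
        }
    }

    [pscustomobject]@{
        Object             = $DistinguishedName
        Owner              = $sd.Owner
        InheritanceBlocked = $sd.AreAccessRulesProtected   # $true: parent ACEs no longer flow in
        DACL               = $dacl
        SACL               = $sd.Audit | Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights
    }
}

$report = Get-ADSecurityDescriptorReport -DistinguishedName 'CN=Jane Doe,OU=Staff,DC=corp,DC=example'

"Owner: $($report.Owner)    Inheritance blocked: $($report.InheritanceBlocked)"
$report.DACL | Sort-Object Inherited, Principal | Format-Table -AutoSize

# Explicit Allow ACEs granting take-over rights are the first thing to review;
# inherited ones point you at the OU or domain object where they were set.
"Take-over rights set directly on this object:"
$report.DACL | Where-Object { $_.Dangerous -and -not $_.Inherited } | Format-Table -AutoSize
"Take-over rights inherited from a parent:"
$report.DACL | Where-Object { $_.Dangerous -and $_.Inherited } | Format-Table -AutoSize

"Audit (SACL) entries:"
$report.SACL | Format-Table -AutoSize
```

Point it at an OU instead of a user to see the entries that will be inherited by everything beneath it; the `Inherited` column on a child object then tells you which of its ACEs you can only change by editing the parent or by blocking inheritance.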

Protect and Update Software

This sounds reasonable. You might assume everyone already does this. Yet in May 2017 the WannaCry ransomware worm took down a number of servers running Windows Server 2003. Microsoft had patched the SMBv1 flaw it exploited (MS17-010) in March for supported versions of Windows; Server 2003 and Windows XP were already out of support and received a fix only after the outbreak, and even systems with a patch available were struck in large numbers. WannaCry is a good example of malware that locates data on a system, encrypts it, and holds it for ransom. It found far more victims among machines running Windows XP and Windows 7, but one can imagine the damage such malware could do on a server running Active Directory. Patching all desktop and server software is an excellent start to keeping your environment safe. Retiring older hardware and software is another important practice. I've seen too many companies invest in desktop clients only to dip into the parts bin to build a server. Begin your investment with the server, using modern hardware running the latest software, and treat domain controllers as the most sensitive hosts you own. Development environments running custom software are especially susceptible to data intrusions. The same goes for all internet-facing applications, whether they rely on Active Directory or not. Keeping those systems patched is critical to the overall security of your environment. Microsoft does a very good job of communicating security issues to its customers. In addition to TechNet, I like to monitor the Microsoft Secure Blog for the latest in cloud, cybersecurity and data privacy news.
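
You cannot retire what you cannot find, and the domain already knows which operating system each joined machine reported. The added example below (not from the original article) inventories computer objects by operating system and flags the ones that are out of support, so the Server 2003 and XP hosts in the story above turn up on a list before a worm finds them. It assumes the ActiveDirectory module and takes the end-of-life name patterns as they stood in mid-2017; adjust the list for your own date.

```powershell
# Added example: list domain-joined computers running unsupported operating
# systems, using the OS attributes each machine writes to its own computer
# object. Assumptions: ActiveDirectory module present; the end-of-life list
# reflects mid-2017 and is a starting point, not an authority.
Import-Module ActiveDirectory

# Operating systems with no security updates as of mid-2017.
$endOfLife  = 'Windows XP*', 'Windows Vista*', 'Windows Server 2003*', 'Windows 2000*', 'Windows NT*'
$staleAfter = (Get-Date).AddDays(-90)   # no logon in 90 days: likely abandoned, retire rather than patch

# LastLogonDate is derived from lastLogonTimestamp, which replicates but is only
# refreshed every ~14 days, so treat it as coarse.
$computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

$report = foreach ($c in $computers) {
    $os  = if ($c.OperatingSystem) { $c.OperatingSystem } else { '(unknown)' }
    $eol = ($endOfLife | Where-Object { $os -like $_ }).Count -gt 0
    [pscustomobject]@{
        Name        = $c.Name
        OS          = $os
        Version     = $c.OperatingSystemVersion
        LastLogon   = $c.LastLogonDate
        Enabled     = $c.Enabled
        Unsupported = $eol
        # Never logged on counts as stale too.
        Stale       = ((-not $c.LastLogonDate) -or ($c.LastLogonDate -lt $staleAfter))
    }
}

# The list a patch plan needs first: live, enabled machines on an unsupported OS.
"Active computers running an unsupported OS:"
$report | Where-Object { $_.Unsupported -and $_.Enabled -and -not $_.Stale } |
    Sort-Object OS, Name | Format-Table Name, OS, Version, LastLogon -AutoSize

# Stale objects are a separate cleanup: disable or delete rather than patch.
"Stale computer objects (no logon in 90 days):"
$report | Where-Object { $_.Stale } | Sort-Object LastLogon | Format-Table Name, OS, LastLogon, Enabled -AutoSize

# Size the retirement effort by OS.
"Count by operating system:"
$report | Group-Object OS | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

A machine that reports an unsupported OS and has logged on this week is the one to chase first; the version column also catches hosts that were upgraded but never had the object refreshed, which show an old OS name with a newer version number.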

Utilize Built-in Active Directory Features

Active Directory contains a number of features that help protect your data and your environment. Microsoft IT recommends using the following where applicable:

AdminSDHolder - A container object (CN=AdminSDHolder,CN=System) whose security descriptor serves as the template for protected accounts and groups: Domain Admins, Enterprise Admins, Administrators, Account Operators and the other built-in privileged groups, along with their members. It ensures consistent enforcement of permissions on those objects regardless of where they sit in the domain.

Security Descriptor Propagator (SDProp) - A process that runs on the PDC emulator every 60 minutes by default. It compares the permissions on each protected object (marked with adminCount = 1) with the AdminSDHolder template; if they don't match, it resets the object's permissions to the template and disables inheritance. Note that SDProp never clears adminCount when an account leaves a protected group, so such accounts keep the restrictive template ACL, and miss any delegated permissions, until an administrator resets them by hand.

Role-based Access Control - Lets the administrator group users by role and give each role access to resources according to business rules. Used well, it is how you implement LUA; used as a single catch-all group per department, it is a shortcut that defeats it.

Privileged Identity Management - Lets the administrator grant temporary, time-limited rights and permissions to an account to perform build or break-fix functions, instead of leaving the account permanently privileged.

None of these features is a security holy grail. But adding one or more of them to your security plan can significantly reduce your exposure to intrusions and keep your data protected.
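
The AdminSDHolder and SDProp behaviour described above is easy to check rather than take on faith. The following added example (not from the original article) reads the AdminSDHolder template, confirms that every object SDProp has stamped with adminCount = 1 has inheritance disabled, and then finds the orphans: accounts that still carry adminCount = 1 although they are no longer members of any protected group. It assumes the ActiveDirectory module, the current domain, and the English names of the built-in protected groups.

```powershell
# Added example: inspect what SDProp enforces and what it leaves behind.
# Assumptions: ActiveDirectory module present; run against the current domain;
# protected-group names are the English built-ins.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$template = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# 1. The template every protected object's DACL is reset to. Anything here
#    beyond the default administrator groups and system principals is a
#    persistent foothold on every privileged account, so review it closely.
$templateAcl = Get-Acl -Path "AD:\$template"
"Explicit Allow ACEs on AdminSDHolder:"
$templateAcl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited } |
    Sort-Object IdentityReference |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize

# 2. SDProp stamps adminCount = 1 on each protected object and blocks inheritance.
#    adminCount = 1 with inheritance still enabled means SDProp has not run on the
#    object yet or something re-enabled inheritance afterwards.
$protected = Get-ADObject -Filter 'adminCount -eq 1' -Properties adminCount, objectClass
foreach ($obj in $protected) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    if (-not $acl.AreAccessRulesProtected) {
        "WARNING: $($obj.DistinguishedName) has adminCount=1 but inheritance is enabled"
    }
}

# 3. SDProp never clears adminCount. Compare the stamped set against effective
#    membership of the protected groups to find accounts that left the groups
#    but still carry the restrictive ACL.
$protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
                   'Replicator', 'Domain Controllers', 'Read-only Domain Controllers'
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    # Enterprise Admins and Schema Admins only exist in the forest root domain.
    $grp = Get-ADGroup -Filter "Name -eq '$g'"
    if ($grp) {
        Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
    }
}

# krbtgt carries adminCount = 1 by design without being in any group.
$orphans = $protected | Where-Object {
    $_.objectClass -eq 'user' -and
    $_.Name -ne 'krbtgt' -and
    -not $protectedMembers.ContainsKey($_.DistinguishedName)
}
"Orphaned adminCount=1 users (no longer in a protected group): $(@($orphans).Count)"
$orphans | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# To clean one up: clear the attribute, then re-enable inheritance on the object
# so it picks up the normal OU permissions again. Left commented on purpose.
# Set-ADObject -Identity $orphanDn -Clear adminCount
# $acl = Get-Acl -Path "AD:\$orphanDn"; $acl.SetAccessRuleProtection($false, $true)
# Set-Acl -Path "AD:\$orphanDn" -AclObject $acl
```

Orphans matter in both directions: the account keeps an ACL nobody expects it to have, and the helpdesk delegation that works for every other user in the OU silently fails for it. Schedule the check to run after the 60-minute SDProp cycle so the inheritance warnings in step 2 reflect a settled state.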


Few deployments are as critical to the success of your IT infrastructure as a Windows Server running Active Directory. With data residing on servers, file shares and desktops, not to mention mobile devices, it's more important than ever to ensure Active Directory is doing its part to keep you and your data safe. The best security blanket takes planning, time and a lot of patience. You will need to revisit your configuration now and then as your environment changes. Expect Microsoft to continue adding features to Active Directory and giving it more responsibility than ever before. With data and applications moving to the cloud, a strong security model matters as much today as it ever has.