Active Directory Permissions: Best Practices for Data Protection
Arcserve
June 20, 2017
There are few tasks an IT administrator will perform that are more important than securing and protecting the data stored in Active Directory. When done properly, Active Directory serves to authenticate those with permission to access the data while keeping everyone else out of the system. It's a tricky balance. The users you serve want fast and easy access to their data. Place too many hoops in front of them, and they may attempt to route around your security policies. But you don't want to compromise the security either by loosening the checks and balances that keep everyone safe.
Active Directory Permissions Best Practices
Active Directory is a complex directory service that started out as a domain manager on Windows. But since 2008, Active Directory has performed a number of critical directory, authentication and identity-based services. In simple terms, Active Directory determines what each user can do on the network. Over the years, Microsoft has built products that integrate with Active Directory services to improve network security. When properly configured, Active Directory and other services work in harmony to provide each user access to the data he or she needs to do their job. This week, I'd like to look at a number of best practices for securing data through the Active Directory model. Some of these recommendations take more planning, while some are generally simple to integrate. I hope at least one of them is new to you. Let's get started!
Least-Privilege User Access (LUA)
This is a tip I'm sure you've heard before now. It's almost so obvious that many administrators overlook it. The idea behind it is that all users should log in to the network with the minimum permissions needed to carry out their job. Nothing more, nothing less. Following this principle keeps people from getting into areas of the network where they could cause problems. You don't want a user running rogue code in an area that could bring down the whole system. Yet we've all been there before.
LUA is the opposite of granting everyone administrative privileges and then scaling back permissions as needed. It's one of the best tips for keeping your network safe. So why don't more administrators use this model? Well, it takes a lot of planning. You have to determine what each user needs to access on the network. Doing that for every user can take some time. In practice, I've seen similar approaches to this model that meet some of the requirements, but not all. For example, an administrator might create a group called accounting, and then place everyone in that department into that group. This approach assumes everyone in accounting requires the same permissions. That's unlikely to be the case at any company unless accounting consists of one employee. LUA takes planning and time. It's difficult to implement across the company. But you can begin with each new hire, and then tackle a group at a time. The time investment will be worth it in the long run. The goal here is to avoid user accounts with broad and deep privileges across the company. And keep in mind, you can always grant more permissions as necessary.
Brush Up on the Security Model
Active Directory has changed a lot over the years, especially as Microsoft has given it more responsibility. Now would be a good time to brush up your understanding of how Active Directory is structured. Much like a relational database, Active Directory contains a schema that defines each object and its attributes. For example, the "user" object may contain a set of attributes which include first name, last name, department, manager, phone number and so on. These attributes describe the object and help inform which permissions it should be granted. Each object in Active Directory also has an associated security descriptor, which defines the permissions on that object. The access control entries in that descriptor make up the object's permission set, the Access Control List (ACL). Understanding how ACLs are used to secure permissions for users and groups gets to the core function of what Active Directory provides a company. Going a step further, understanding how permissions are inherited from parent containers is also very helpful. This is a deep topic that's impossible to cover in a few paragraphs. It's unlikely that even professionals with many years of Active Directory experience understand the entire security model. Paramount Defenses provides an excellent overview if you'd like a quick primer.
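To make the ACL and inheritance discussion concrete, and to support the LUA goal of finding accounts with broad, deep privileges, here is an added PowerShell audit script that is not part of the original post. It assumes the RSAT ActiveDirectory module on a domain-joined machine, and the list of principals expected to hold broad rights is an assumption you should adjust for your own domain.

```powershell
# Added example (not from the original post): list the access control entries on
# every OU that grant broad rights to principals outside the usual admin groups,
# and show whether each entry is explicit or inherited from a parent container.
# Assumes the RSAT ActiveDirectory module; $expected is an assumption to adjust.
Import-Module ActiveDirectory

# Rights that amount to full or near-full control of an object and what it contains.
$broadRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

# Principals that are expected to hold broad rights (assumption; extend as needed).
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

function Get-BroadAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Get-Acl on the AD: drive returns the object's security descriptor; its .Access
    # collection is the DACL, one ActiveDirectoryAccessRule (ACE) per entry.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ActiveDirectoryRights is a flags enum; split "CreateChild, WriteDacl" into parts.
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = $rights | Where-Object { $broadRights -contains $_ }
        if (-not $hit) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = ($hit -join ',')
            Inherited = $ace.IsInherited      # $true: the ACE came from a parent container
            AppliesTo = $ace.InheritanceType  # None = this object only; All/Descendents = flows down
        }
    }
}

# Walk every OU in the domain and report the unexpected broad grants.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-BroadAces -DistinguishedName $_.DistinguishedName } |
    Sort-Object Object, Principal |
    Format-Table -AutoSize
```

An entry with Inherited = $false on a high-level OU and AppliesTo = All is the "broad and deep" grant the LUA section warns about, since it flows down to every object beneath it; review those first and replace them with narrower, delegated rights where the business need allows.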