Active Directory is a feature of most Windows Server operating systems. In other words, if your organization has a Windows server, you most likely have Active Directory. Active Directory essentially dishes out access permissions to your users as they are logged in to the network.
This might sound pretty boring, but you can do a LOT to control your users and protect your business. On the other side of the coin, if your Active Directory isn’t set up very well, you could be leaving things wide open, preventing you from meeting industry compliance regulations or granting your users with more access than they really should have.
We’re going to discuss some of our Active Directory best practices, but a quick disclaimer first: there isn’t a one-size-fits-all solution for all organizations. Depending on your security needs, the type of permissions you need to have, and any compliance regulations your business falls under, some of these policies won’t apply as-is for you. Still, if you are coming from a situation where you don’t have anything (or hardly anything) in place, this is a great place to start.
Nobody Needs to be an Administrator
When users log into their PC on your domain, they are logging in with their domain account, which is centralized in Active Directory.
Not a single user on your network, whether it’s the owner of the company, or your onsite IT person, or the Pope, needs to log into Windows on a daily basis with administrative privileges. This includes both privileged access as the Domain Admin, AND as a local admin on that particular machine.
Why? It’s just too risky. This overrides all other settings and there is just no reason for it. Instead, we suggest following the least privilege administrative model. Each user should only have the minimum permissions to complete their work. You can always elevate access temporarily if needed. Otherwise, if a user gets a virus, that virus will have the same access the user does and could do a lot more damage because the user has access he or she didn’t need in the first place. The virus has the capability to spread across the network, whereas if the user’s permissions were locked down, the virus would only have a minimal impact.
This means that everyone on the network, including the business owner, IT staff, and/or the Pope, log in as a regular non-administrator to do their normal day-to-day work. If they need to get administrative control, they can log in with a separate admin account.
Keep that administrative account secret, safe, and carefully guarded (by the Swiss Guard if need be).
Force Strong, Complex Passwords and Set Password Expirations
Human beings are terrible at creating and memorizing complex passwords. Unfortunately, hackers, or at least the tools that hackers use, are very good at guessing passwords that aren’t complex enough.
Quick tip: Teach your staff to use passphrases instead. Combining multiple random words is actually more secure than using an eight-character complex password. Keep in mind, the words need to be very random. Here’s a quick example:
Bad Passphrase Examples:
Good Passphrase Examples:
Back to Active Directory, you should require passwords to be long - at least 12 characters and lock a user out after three failed attempts. Forcing passwords to expire every 30, 60, or 90 days is a good idea too, and Active Directory can remember the password history to prevent a user from rotating back to last month’s password.
Delegate Permissions to Security Groups, not Individual Accounts
This is something we catch pretty often when we audit a prospect’s network for security issues. At some point, it was decided that one particular user needed access to a specific directory so that person’s account was granted that permission.
You’ll want to be able to keep track of who can see what. This will save you a lot of time and money when it comes to managing it and making sense of it later.
Use LAPS (Local Administrator Password Solution)
LAPS is a handy tool built into Active Directory that enables Active Directory to handle the local administrator accounts on each individual PC on the network. This local administrator account basically has full control over everything on that particular workstation or laptop, so it is something you definitely don’t want compromised.
Many businesses and IT experts will deploy images of Windows across each computer in the organization to save a ton of time when configuring settings. Basically, when you purchase a new workstation, IT takes a pre-built clone configuration that includes the operating system, most of the software, and optimal settings for your company, and rolls it out on the new system. Unfortunately, this image-based deployment will also carry over admin accounts and passwords. LAPS solved this by assigning each device its own unique password that is controlled through Active Directory. It’s one of the best free and simple solutions for protecting your network against lateral threat movement from device to device.
Document Everything, and Schedule Reviews and Clean Up Sessions
Ever find a note you wrote down for yourself a year later and wonder what was going through your mind when you wrote it?
We don’t all have hyperthymesia (the ability to remember an abnormally large number of things in vivid detail). You may have put a ton of thought and foresight into building out your permission groups and determining who should have access to what, but when you go to revisit that a year or two later, it is going to be like trying to read a foreign language.
Document everything carefully. What groups have access to what directories? What network permissions do they have? Are there exceptions? Having all of this clearly defined and kept updated as things change will make managing and re-arranging things much faster.
It doesn’t hurt to plan regular audits of your Active Directory as well, depending on how often things change, or users get added or moved around.
Active Directory is the Backbone of Issue Monitoring
Because Active Directory essentially rules over every user and device on your network, it can also collect logs and report on signs of compromise and other issues. Our technicians in the Network Operations Center utilize this data for clients that we provide monitoring and maintenance for, because when we catch a problem early, we can resolve it before the client even feels the results of it.
Here are just a few things that Active Directory lets you monitor and report on:
- Group permission changes
- Account lockouts
- Antivirus being disabled or removed
- Logon and Logoffs
- Spikes in bad password attempts
- Usage of local administrator accounts
Plus, we are able to do Windows Event Log reporting, which includes a ton of information about each individual machine like the status of the hard drive, errors that could result in computer crashes and slowdown issues, failed updates, and a whole lot more.
Get Your Network Assessed
This just barely scratches the surface with what a properly configured Active Directory can do for your organization. Whenever we audit a new client’s network for the very first time, we often see Active Directory being underutilized or improperly configured.
Do you ever question the setup of your network? If you often run into issues or feel that your staff has more access than they really need, running a network assessment certainly wouldn’t hurt.
We offer a free, one-time network assessment where we build a report on any security issues or misconfigurations found on your network. We also understand that you might not want to tip off your existing IT person(s) that you are having a third-party audit their work, so we can do this very discreetly to give you peace of mind without causing any upset with your internal IT department.
Want to get started? Give us a call at (847) 803-0044 today.