Macro Systems Blog
All You Need to Know about Active Directory
Active Directory is a directory service included with most Windows Server operating systems. In other words, if your company has a Windows server, you probably have Active Directory, which authenticates your users and hands out their access permissions when they log in to the network.
This might sound dull, but you can do a lot with it to control your users and protect your organization. However, if your Active Directory isn’t properly set up, you could be leaving things wide open, preventing you from meeting industry compliance regulations or granting your users more access than they really should have.
Let’s discuss some Active Directory best practices, but a quick disclaimer first: there isn’t a one-size-fits-all solution for all businesses. Depending on your security requirements, the type of permissions you need to have, and any compliance regulations your company falls under, some of these policies won’t apply as-is for you. Still, if you are coming from a situation where you don’t have anything in place, this is a great place to start.
Nobody Needs to be an Administrator
When users log into their PC on your domain, they are logging in with their domain account, which is centralized in Active Directory.
Not a single user on your network, whether it’s the owner of the organization, or your onsite IT person, or the President, needs to log into Windows on a daily basis with administrative privileges. This includes both privileged access as the Domain Admin, AND as a local admin on that particular machine.
Why? It’s just too dangerous. Administrative privileges override every other restriction you put in place, and there is just no reason for it. Instead, we suggest following the least privilege administrative model: each user should have only the minimum permissions needed to complete their work. You can always elevate access temporarily if needed. Otherwise, if a user gets a virus, that virus runs with the same access the user has and can do a lot more damage because the user had access he or she didn’t need in the first place. The virus then has the ability to spread across the network, whereas if the user’s permissions were locked down, the virus would have only a minimal impact.
This means that everyone on the network, including the business owner, IT staff, and/or the President, log in as a regular non-administrator to do their normal day-to-day work. If they need to get administrative control, they can log in with a separate admin account.
Keep that administrative account secret, safe, and carefully guarded.
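A quick way to check whether this is actually true on your domain is to list everyone who holds privileged group membership. The script below is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) and a naming convention in which dedicated admin accounts end in "-adm", which is an assumption for this example.

```powershell
# Added example (not from the original post): list every account that is a
# direct or nested member of the privileged groups and flag the ones that
# do not look like dedicated admin accounts. Assumes the ActiveDirectory
# module and the "-adm" suffix convention (both assumptions).
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$adminSuffix      = '-adm'

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are included too.
    # Enterprise/Schema Admins only exist in the forest root; errors are suppressed elsewhere.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, Enabled
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $user.SamAccountName
                Enabled        = $user.Enabled
                LastLogonDate  = $user.LastLogonDate
                # A privileged account without the admin suffix is very likely
                # the same account someone uses for day-to-day work.
                DailyUseRisk   = -not $user.SamAccountName.EndsWith($adminSuffix)
            }
        }
}

$report | Sort-Object DailyUseRisk, Group -Descending | Format-Table -AutoSize
```

Every row with DailyUseRisk set to True is a candidate for a separate admin account plus removal of the everyday account from the group.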
Force Strong, Complex Passwords and Set Password Expirations
Human beings are bad at creating and memorizing complex passwords. Alas, hackers, or at least the tools that hackers use, are very good at guessing passwords that aren’t complex enough.
Quick tip: Teach your staff to use passphrases instead. Combining multiple random words is actually more secure than using an eight-character complex password. Keep in mind, the words need to be very random. Below are some quick examples:
Bad Passphrase Examples:
classofeightyfive
Eyeofthet1g3r
GameofTHRONE$19
September24!1982
pizzaistasty69
Good Passphrase Examples:
SstructureBalloonmamm0th
Peanutbutterdoghousellamatown5!
ExileSausageYodelNoodleMagnet!82
BLUEdisneyhockeylasagna64
captainamericapancakesbbqALF80
Back in Active Directory, you should require passwords to be long (at least 12 characters) and lock an account out after three failed attempts. Forcing passwords to expire every 30, 60, or 90 days is a good idea too, and Active Directory can enforce a password history to stop a user from rotating back to last month’s password.
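The settings just described map directly onto the domain password policy. The script below is an added example, not the post's own; it applies the baseline to the default domain policy, reads it back to verify, and then layers a stricter fine-grained policy onto the separate admin accounts. It assumes the ActiveDirectory module and a group named "Privileged Users" (an assumption).

```powershell
# Added example (not from the original post): enforce the recommended
# password policy and verify it. Assumes the ActiveDirectory module and a
# security group named "Privileged Users" (assumption) for admin accounts.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DistinguishedName

# Domain-wide baseline: 12+ characters, complexity on, lockout after 3 bad
# attempts, expiry every 90 days, and enough history to block reuse.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24

# Read the policy back so the change is verified rather than assumed.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold,
                  MaxPasswordAge, PasswordHistoryCount

# Fine-grained policy (PSO) for the separate admin accounts: longer minimum
# and shorter expiry. Lower Precedence wins if several PSOs apply to a user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedUsers' `
    -Precedence 10 `
    -MinPasswordLength 20 `
    -ComplexityEnabled $true `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 60) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 60) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24

# Apply the PSO to the group; members inherit it over the domain default.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedUsers' -Subjects 'Privileged Users'
```

A MinPasswordAge of one day is what makes the history count effective; without it a user can cycle through 24 changes in a minute and land back on the old password.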
Delegate Permissions to Security Groups, not Individual Accounts
This is something we catch often when we audit a prospect’s network for security problems. At some point, it was decided that one particular user needed access to a specific directory, so that person’s account was granted the permission directly. Instead, grant the permission to a security group and add the user to that group.
That way you can keep track of who can see what, which will save you a lot of time and money when it comes to managing it and making sense of it later.
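Finding these one-off grants by hand is tedious, so here is an added example (not the post's own code) that walks a share's folder tree and reports every explicit permission entry that resolves to a user account instead of a group. It assumes the ActiveDirectory module and a hypothetical share path.

```powershell
# Added example (not from the original post): report folder permissions
# granted directly to user accounts rather than security groups. Assumes
# the ActiveDirectory module; the share path is a hypothetical placeholder.
Import-Module ActiveDirectory

$root   = '\\FILESERVER\Departments'        # hypothetical share path
$domain = (Get-ADDomain).NetBIOSName

$folders = @(Get-Item -Path $root) + (Get-ChildItem -Path $root -Directory -Recurse)

$findings = foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName
    foreach ($ace in $acl.Access) {
        # Inherited entries were already reported on the parent folder.
        if ($ace.IsInherited) { continue }
        $identity = $ace.IdentityReference.Value
        # Skip BUILTIN, NT AUTHORITY, CREATOR OWNER and other non-domain principals.
        if ($identity -notlike "$domain\*") { continue }
        $sam = $identity.Split('\')[1]
        # Resolve the principal in AD; a plain user object is a finding.
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties objectClass
        if ($obj -and $obj.objectClass -eq 'user') {
            [pscustomobject]@{
                Folder = $folder.FullName
                User   = $identity
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

$findings | Sort-Object Folder | Format-Table -AutoSize
# Remediation pattern for each finding: create a group named for the access
# need, grant that group the same rights, add the user, remove the user ACE.
```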
Use LAPS (Local Administrator Password Solution)
LAPS is a convenient Microsoft tool that integrates with Active Directory and lets it manage the local administrator account on each individual PC on the network. This local administrator account essentially has full control over everything on that particular workstation or laptop, so it is something you definitely don’t want compromised.
Many organizations and IT experts deploy images of Windows across each computer in the company to save a ton of time when configuring settings. Basically, when you buy a new workstation, IT takes a pre-built clone configuration that includes the operating system, most of the software, and optimal settings for your organization, and rolls it out on the new system. Alas, this image-based deployment also carries over admin accounts and passwords, so every machine ends up with the same local administrator password. LAPS solves this by assigning each device its own unique password that is controlled through Active Directory. It’s one of the best free and simple solutions for protecting your network against lateral movement from device to device.
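Deploying LAPS is only half the job; you also want to know which machines it is not actually protecting. The script below is an added example (not from the original post or the LAPS project) that reports computers with no LAPS-managed password and computers whose password is past its expiry. It reads only the expiration-time attributes, which do not require permission to read the password itself, and assumes at least one of the two LAPS schema extensions is present in the domain.

```powershell
# Added example (not from the original post): LAPS coverage report.
# Legacy LAPS stores its expiry in ms-Mcs-AdmPwdExpirationTime; Windows LAPS
# uses msLAPS-PasswordExpirationTime. Both are FILETIME values. Assumes the
# ActiveDirectory module and that the LAPS schema extension is installed.
Import-Module ActiveDirectory

$legacyAttr  = 'ms-Mcs-AdmPwdExpirationTime'
$windowsAttr = 'msLAPS-PasswordExpirationTime'

$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties $legacyAttr, $windowsAttr, OperatingSystem, LastLogonDate

$report = foreach ($c in $computers) {
    $expiry = $null
    foreach ($attr in $legacyAttr, $windowsAttr) {
        if ($c.$attr) {
            # FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
            $expiry = [DateTime]::FromFileTimeUtc([int64]$c.$attr)
        }
    }
    [pscustomobject]@{
        Name            = $c.Name
        OS              = $c.OperatingSystem
        LastLogon       = $c.LastLogonDate
        LapsManaged     = [bool]$expiry
        PasswordExpires = $expiry
        # Expired but not rotated means the client-side LAPS agent is not running.
        Stale           = [bool]$expiry -and ($expiry -lt (Get-Date).ToUniversalTime())
    }
}

Write-Host 'Computers without a LAPS-managed local administrator password:'
$report | Where-Object { -not $_.LapsManaged } |
    Format-Table Name, OS, LastLogon -AutoSize

Write-Host 'Computers whose LAPS password is past its expiry:'
$report | Where-Object Stale | Format-Table Name, PasswordExpires -AutoSize
```

Machines in the first list still carry whatever local administrator password came from the image, which is exactly the shared credential LAPS is meant to eliminate.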
Document Everything, Schedule Reviews and Clean Up Sessions
Ever find a note you wrote down for yourself a year later and ponder what was going through your mind when you wrote it?
We don’t all have the ability to remember an abnormally large number of things in vivid detail (hyperthymesia). You may have put a lot of thought and foresight into building out your permission groups and determining who should have access to what, but when you revisit that a year or two later, it is going to be like trying to read a foreign language.
Document everything carefully. What groups have access to what directories? What network permissions do they have? Are there exceptions? Having all of this clearly defined and kept updated as things change will make managing and re-arranging things much faster.
It doesn’t hurt to plan regular audits of your Active Directory as well, depending on how often things change, or users get added or moved around.
Active Directory is the Backbone of Issue Monitoring
Because Active Directory basically rules over every user and device on your network, it can also collect logs and report on signs of compromise and other issues. Our technicians in the Network Operations Center use this data for the clients we provide monitoring and maintenance for, because when we catch a problem early, we can resolve it before the client even feels the effects of it.
Here are just a few things that Active Directory lets you monitor and report on:
- Group permission changes
- Account lockouts
- Antivirus being disabled or removed
- Logons and logoffs
- Spikes in bad password attempts
- Usage of local administrator accounts
Additionally, we are able to do Windows Event Log reporting, which includes a lot of information about each individual machine like the status of the hard drive, errors that could result in computer crashes and slowdown issues, failed updates, and a whole lot more.
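The items in the list above correspond to specific Windows Security log event IDs. The script below is an added example, not the post's own monitoring tooling; it pulls the relevant events from a domain controller for the last hour and flags accounts with a spike in failed logons. The DC name, time window and threshold are assumptions for this example.

```powershell
# Added example (not from the original post): query the Security log for the
# events behind the monitoring items above. Standard Windows event IDs:
#   4625 failed logon, 4740 lockout, 4728/4732/4756 member added to a
#   security group, 4672 logon with admin privileges, Defender 5001 real-time
#   protection disabled. DC name, window and threshold are assumptions.
$dc        = 'DC01'                 # hypothetical domain controller
$since     = (Get-Date).AddHours(-1)
$threshold = 10                     # failed logons per account per hour

# Read one named EventData field out of an event's XML payload.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    StartTime = $since
    Id        = 4625, 4740, 4728, 4732, 4756, 4672
}

# Spikes in bad password attempts: 4625 grouped by the account being targeted.
$events | Where-Object Id -eq 4625 |
    ForEach-Object { Get-EventField $_ 'TargetUserName' } |
    Group-Object | Where-Object Count -ge $threshold |
    Select-Object @{n='Account';e={$_.Name}}, Count | Format-Table -AutoSize

# Account lockouts and group membership changes. For 4740 Target is the locked
# account; for 4728/4732/4756 Target is the group and Subject is who changed it.
$events | Where-Object { $_.Id -in 4740, 4728, 4732, 4756 } |
    Select-Object TimeCreated, Id,
        @{n='Subject';e={Get-EventField $_ 'SubjectUserName'}},
        @{n='Target'; e={Get-EventField $_ 'TargetUserName'}} |
    Format-Table -AutoSize

# 4672 = logon granted admin-level privileges. On a workstation this is how
# local administrator use shows up; run it per machine, not only on the DC.
$events | Where-Object Id -eq 4672 |
    Select-Object TimeCreated, @{n='Account';e={Get-EventField $_ 'SubjectUserName'}} |
    Format-Table -AutoSize

# Antivirus disabled: Defender logs 5001 when real-time protection is turned off.
Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    StartTime = $since
    Id        = 5001
} | Select-Object TimeCreated, Message
```

Logons and logoffs (4624/4634) are deliberately left out of the filter because their volume on a busy DC swamps everything else; query them per machine or forward them to a SIEM instead.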
Get Your Network Assessed
This barely scratches the surface with what a properly configured Active Directory can do for your business. Whenever we audit a new client’s network for the very first time, we often see Active Directory being underutilized or improperly configured.
Do you ever question the setup of your network? If you often run into issues or feel that your staff has more access than they really need, running a network assessment certainly wouldn’t hurt.
We offer a free, one-time network assessment where we build a report on any security issues or misconfigurations found on your network. We also understand that you might not want to tip off your existing IT person(s) that you are having a third-party audit their work, so we can do this very discreetly to give you peace of mind without causing any upset with your internal IT department.
Want to get started? Give Macro Systems a call at 703-359-9211 today!