Active Directory Security Modeling. Even as I type the phrase I note how ubiquitous the term can be. Not even TechNet or Google give any hard and fast rules around scope, design, or *gasp* actual implementation. Yet this ‘model’ is at the very core of AD, and AD is at the very core of the Microsoft IT footprint.
So many aspects can go into a security model of this sort, right?
Whew… and this is just the first layer. We haven’t even begun to dive into contacts, printers, shares, service connection points, or schema. Why would someone put so much work into defining something like this?
These are just a few of the short-term benefits I can think of. Long term you have Windows 7/8 and AD/Server 2012 migrations. Microsoft is changing the game once again in 2012 with Dynamic Access Control and claims. These technologies will change how we think about access, and how access is applied, forever in the MS footprint. Not to mention they will most likely cut support for 2003 and 2008, much like they did for 2000.
Where do you even start with 10 or more years of a rat’s nest of AD forest trusts, cross-domain nesting, and no real visibility into your infrastructure? You’re not alone in asking this question. A high-level executive at MS recently stated on a call I was on that the number one question MS identity and access management is asked is “How can I tell if / how my groups are being used?”
The answer: you can. You need to define what the edge cases of your model are; this may involve setting up a completely new forest. Then write it down in a standard document. You then MUST clean up AD itself: figure out all the objects that can be cut right out. Then you HAVE to scan everywhere a group can be used, and I mean EVERYWHERE. Once you have that inventory, you match it against the edge cases you defined and figure out the delta. None of this is easy, and it’s not even close to the end solution. You still need to correct any deviations and make sure the deviations don’t happen again. STEALTHbits is truly the only vendor that can do all this from start to finish; other competitors drag objects over with little discretion and zero conformance, which subsequently leads to another project to bring them into conformance. For more information, check out StealthAUDIT for Active Directory or feel free to Contact Us.
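One way to do the "scan everywhere a group can be used" and "figure out the delta" steps for the group-nesting part of a model, as an added example that is not StealthAUDIT or any STEALTHbits code. It assumes the RSAT ActiveDirectory module, read access to the domain, and two placeholder rules (maximum nesting depth, no cross-domain or trusted-forest members) standing in for whatever your own standard document says.

```powershell
# Added example, not vendor code. Rules below are assumed placeholders for the
# written model; replace them with the edge cases from your own standard document.
Import-Module ActiveDirectory
$MaxNestingDepth = 3             # assumed rule: deeper nesting is a deviation
$AllowExternalMembers = $false   # assumed rule: no members from other domains/forests

# One directory pass; index groups by DN so nesting resolves from the cache.
$groups = Get-ADGroup -Filter * -Properties member, whenChanged
$byDn = @{}
foreach ($g in $groups) { $byDn[$g.DistinguishedName] = $g }
function Get-DomainPart([string]$Dn) { $Dn.Substring($Dn.IndexOf(',DC=') + 1) }

# Longest group-in-group chain beneath a group, memoised; the in-progress cache
# entry also stops recursion on circular membership.
$depthCache = @{}
function Get-NestingDepth([string]$Dn) {
    if ($depthCache.ContainsKey($Dn)) { return $depthCache[$Dn] }
    $depthCache[$Dn] = 0
    $depth = 0
    foreach ($m in $byDn[$Dn].member) {
        if ($byDn.ContainsKey($m)) {
            $d = 1 + (Get-NestingDepth $m)
            if ($d -gt $depth) { $depth = $d }
        }
    }
    $depthCache[$Dn] = $depth
    return $depth
}

$report = foreach ($g in $groups) {
    $members   = @($g.member)
    $ownDomain = Get-DomainPart $g.DistinguishedName
    # Cross-domain members carry a different DC= suffix; members from trusted
    # forests appear as foreign security principals in this domain's FSP container.
    $external = @($members | Where-Object {
        (Get-DomainPart $_) -ne $ownDomain -or $_ -like '*,CN=ForeignSecurityPrincipals,*' })
    $depth  = Get-NestingDepth $g.DistinguishedName
    $issues = @()
    if ($members.Count -eq 0)        { $issues += 'EmptyGroup' }   # cleanup candidate
    if ($depth -gt $MaxNestingDepth) { $issues += "NestingDepth=$depth" }
    if (-not $AllowExternalMembers -and $external.Count -gt 0) {
        $issues += "ExternalMembers=$($external.Count)"
    }
    [pscustomobject]@{
        Group = $g.Name; Members = $members.Count; Depth = $depth
        LastChanged = $g.whenChanged; Deviation = ($issues -join ';')
    }
}
# The delta: only groups that break a rule, in a form the cleanup project can track.
$report | Where-Object Deviation | Sort-Object Group |
    Export-Csv -Path .\ad-group-delta.csv -NoTypeInformation
```

Group usage outside the directory (share and file ACLs, local Administrators groups, application role mappings) still has to be scanned separately; this covers only the nesting and membership edges of the model.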
Ian Andersen is the VP of Pre-Sales Engineering at STEALTHbits Technologies. He is a seasoned security leader with nineteen years of IT systems experience and expertise in multi-platform systems development, management, and security design. Before becoming the VP of Pre-Sales Engineering, Ian led the STEALTHbits Technologies Service Enablement Team.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.
© 2022 Stealthbits Technologies, Inc.