Great post. Thanks for sharing.
Some years ago, I worked as a software implementation consultant in the public sector. An IT Director pulled me into his office one day to ask about my team’s ERP deployment. After I answered his questions he said, “That all sounds fine. What isn’t so fine is the state of my Active Directory.” He proceeded to show me thousands of stale accounts across agencies, as well as global access rights that could put sensitive budget information at risk.
What he shared has always stayed with me. So I was excited to listen to a webinar on Best Practices for Auditing Active Directory.
The five actionable steps are exactly the advice I wish I had given that IT Director. Fortunately, you’re reading this blog so you can use these steps right away.
Active Directory (AD) auditing is the process of collecting data about your AD objects and attributes—and analyzing and reporting on that data to determine the overall health of your directory. Organizations perform audits 1) to secure AD from attackers who are after credentials and 2) to keep IT operations running smoothly. The order of these two is debatable depending on your role.
By auditing Active Directory, you can reduce security risks by identifying and remediating toxic conditions like deeply nested groups and directly assigned permissions that attackers can exploit to gain access to your network resources. You can also improve operational efficiency by uncovering and fixing conditions like token bloat and circular nesting that slow down or hang applications.
How do you perform an audit?
Active Directory auditing consists of five steps, which help you prioritize your focus areas.
Step one is to scan and map your AD environment to answer questions like:
Once you know what’s in your AD environment, you can start to triage.
Step two is prioritizing efforts based on your findings. Three places organizations often begin are:
Step three is gaining support to address priority issues. You can use permission scan data, for instance, to identify stakeholders based on who has access within Active Directory—as well as who has access to Active Directory objects. For example, you can identify the manager of groups or users who will know why permissions have been set up a certain way, e.g., delegated admin permissions to perform certain tasks like resetting passwords.
With stakeholders on board, step four is to review group memberships and remediate problematic AD conditions. First, remediate privileged access to AD by verifying that the right users are in the Domain Admins and Enterprise Admins groups. This least privilege approach reduces the chance that a rogue admin will abuse privileges by accessing sensitive data or adding an unauthorized user to the group’s membership. Second, involve business owners in group governance to help validate that the right members are in their groups—and that the group overall has access to the resources it needs.
Step five is making the process a continuous cycle. Once you complete your top priorities, you return to step one and repeat the process for your next priority. For example, another focus area might be ensuring AD passwords follow change policies and aren’t stored in memory.
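The circular nesting and deep nesting conditions mentioned earlier, and the Domain Admins membership review in step four, can be checked from a plain export of group membership. The following is an added example, not code from the webinar or from any STEALTHbits product; it assumes each group's direct members have been exported into a dictionary, and all group and user names are constructed.

```python
from collections import deque

# Constructed sample: group -> direct members, as could be exported from each
# group's `member` attribute. All names are hypothetical.
GROUPS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["bob", "Helpdesk-Leads"],
    "Helpdesk-Leads": ["carol", "Helpdesk"],
    "Helpdesk": ["dave", "Helpdesk-Leads"],  # nests back into Helpdesk-Leads
    "Finance": ["erin"],
}

def find_cycles(groups):
    """Return each circular nesting loop once, as a list of group names."""
    cycles, seen = [], set()
    def walk(group, path):
        if group in path:                      # came back to a group on the path
            loop = path[path.index(group):]
            if frozenset(loop) not in seen:
                seen.add(frozenset(loop))
                cycles.append(loop)
            return
        for member in groups.get(group, []):
            if member in groups:               # only follow nested groups
                walk(member, path + [group])
    for group in groups:
        walk(group, [])
    return cycles

def effective_members(groups, root):
    """Map every user in `root`, direct or nested, to the shortest group chain granting it."""
    chains, visited, queue = {}, {root}, deque([[root]])
    while queue:
        chain = queue.popleft()
        for member in groups.get(chain[-1], []):
            if member not in groups:           # a user account (leaf)
                chains.setdefault(member, chain)
            elif member not in visited:        # visited set makes loops harmless
                visited.add(member)
                queue.append(chain + [member])
    return chains

if __name__ == "__main__":
    for loop in find_cycles(GROUPS):
        print("circular nesting:", " -> ".join(loop + loop[:1]))
    for user, chain in effective_members(GROUPS, "Domain Admins").items():
        flag = "direct" if len(chain) == 1 else f"nested, depth {len(chain)}"
        print(f"{user}: {' > '.join(chain)} ({flag})")
```

Users who reach the privileged group only through a chain of nested groups are the ones to raise with the group owners during the membership review.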
STEALTHbits offers a number of reports you can use to audit Active Directory. Here are some of the most popular reports used by customers:
Use these five steps to begin auditing your Active Directory environment. To take advantage of STEALTHbits AD auditing tools, please check out our Credential and Data Security Assessment or contact us at firstname.lastname@example.org. To watch the full webcast, please click here.