I don’t make my kids clean their rooms just to facilitate harmonious feng shui. They’re busy tirelessly mining through millions of Legos and, when scooping up all those pieces seems overwhelming or uninteresting, I try to explain why. An organized room is a healthier – and safer – place to play.
There’s a clear parallel here with AD: a clean Active Directory is a healthy Active Directory. The health of AD affects the well-being of other applications and systems. For example: how long can your CEO or manager go without e-mail? Exchange and Active Directory are tied together like Daisy and Violet Hilton at a creepy 1920s side show attraction (look it up). I’ve seen perfectly healthy Exchange databases crash and become corrupt because the domain controllers had inadequate resources to correctly replicate mailbox information.
Exchange is easy to pick on, but many modern applications rely heavily on AD. Any type of cloud application – think Office 365 – will require syncing and/or federating AD to an outside directory. When you’re paying per user, stale objects can be expensive to migrate or sync.
Directory security is also directly related to AD hygiene. Stale objects, such as test or temporary accounts or user accounts that were never de-provisioned, put systems and data at risk. Nested security groups become difficult to manage when it’s time to unravel entangled permissions and access rights.
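The two hygiene problems above, stale accounts and deeply nested groups, are easy to inventory with the RSAT ActiveDirectory module. The script below is an added example written for this page, not code from the original post or from the StealthAUDIT product; it assumes RSAT is installed, the caller has read access to the domain, and that 90 days of inactivity is the organisation's chosen staleness threshold (a constructed value, adjust to policy).

```powershell
# Added example (not from the original post): inventory stale accounts and
# nested security groups with the RSAT ActiveDirectory module.
# Assumptions: RSAT installed, read access to the domain, and a 90-day
# inactivity threshold (constructed value; set it to your own policy).
Import-Module ActiveDirectory

$StaleAfterDays = 90
$Cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# 1. Enabled user accounts that have not logged on since the cutoff, or that
#    have never logged on and are older than the cutoff (typical of test or
#    temporary accounts that were created and forgotten).
$StaleUsers = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, WhenCreated, Description |
    Where-Object {
        ($_.LastLogonDate -ne $null -and $_.LastLogonDate -lt $Cutoff) -or
        ($_.LastLogonDate -eq $null -and $_.WhenCreated -lt $Cutoff)
    } |
    Select-Object SamAccountName, LastLogonDate, WhenCreated, Description

# 2. Enabled computer accounts that stopped rotating their machine password
#    (rebuilt or decommissioned hosts whose objects were never removed).
$StaleComputers = Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet, OperatingSystem |
    Where-Object { $_.PasswordLastSet -lt $Cutoff } |
    Select-Object Name, PasswordLastSet, OperatingSystem

# 3. Nesting report for security groups: compare direct membership with the
#    flattened (recursive) membership to see how much access is inherited
#    through other groups rather than granted directly.
$NestingReport = foreach ($g in Get-ADGroup -Filter { GroupCategory -eq 'Security' }) {
    $direct    = @(Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue)
    $recursive = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Group          = $g.SamAccountName
        DirectMembers  = $direct.Count
        NestedGroups   = @($direct | Where-Object objectClass -eq 'group').Count
        EffectiveUsers = @($recursive | Where-Object objectClass -eq 'user').Count
    }
}

# Write the three reports out so the cleanup project has a baseline to work from.
$StaleUsers     | Export-Csv -NoTypeInformation -Path .\stale-users.csv
$StaleComputers | Export-Csv -NoTypeInformation -Path .\stale-computers.csv
$NestingReport  | Sort-Object NestedGroups -Descending | Export-Csv -NoTypeInformation -Path .\group-nesting.csv
```

Two caveats when reading the output: LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which by default lags real logons by up to 14 days, so treat the user list as candidates to review rather than proof of disuse; and Get-ADGroupMember -Recursive is subject to the domain's group member query limit (5,000 by default), so very large groups may need to be enumerated by other means.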
Any assessment or health check performed on Active Directory is an inanimate, point-in-time snapshot of the environment. This is an excellent starting point, but Active Directory is a living database. AD objects and attributes are constantly changing. For a more accurate picture, invest in a management platform that not only assesses the directory’s current condition, but also monitors and reports on configuration changes over time.
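One way to move from a point-in-time snapshot to change tracking without any extra tooling is to record privileged-group membership on a schedule and diff successive recordings. This is an added example for this page, not the post's own method or the StealthAUDIT product's; it assumes the RSAT ActiveDirectory module, write access to a snapshot folder (C:\ADSnapshots, an assumed path), and that the watched-group list below is the set the organisation considers privileged (a constructed list).

```powershell
# Added example (not from the original post): snapshot privileged-group
# membership daily and report additions/removals since the previous snapshot.
# Assumptions: RSAT ActiveDirectory module, write access to $SnapshotDir
# (assumed path), and a constructed list of groups to watch.
Import-Module ActiveDirectory

$SnapshotDir   = 'C:\ADSnapshots'
$WatchedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

# Build today's snapshot: one row per (group, effective member), flattened
# through nesting so that a user added via a nested group is still caught.
$Today = @(foreach ($name in $WatchedGroups) {
    Get-ADGroupMember -Identity $name -Recursive |
        ForEach-Object { [pscustomobject]@{ Group = $name; Member = $_.SamAccountName; Class = $_.objectClass } }
})
$TodayFile = Join-Path $SnapshotDir ('members-{0:yyyyMMdd}.csv' -f (Get-Date))
$Today | Export-Csv -NoTypeInformation -Path $TodayFile

# Find the most recent earlier snapshot; on the first run there is nothing to compare.
$Previous = Get-ChildItem $SnapshotDir -Filter 'members-*.csv' |
    Where-Object FullName -ne $TodayFile |
    Sort-Object Name -Descending | Select-Object -First 1

if ($Previous) {
    $Before = @(Import-Csv $Previous.FullName)
    # Compare on the Group+Member pair: '=>' rows exist only today (added),
    # '<=' rows exist only in the earlier snapshot (removed).
    $Changes = @(Compare-Object -ReferenceObject $Before -DifferenceObject $Today -Property Group, Member |
        ForEach-Object {
            [pscustomobject]@{
                Group  = $_.Group
                Member = $_.Member
                Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            }
        })
    if ($Changes.Count -gt 0) {
        $Changes | Format-Table -AutoSize
        # Keep the delta beside the snapshots; feed it to alerting or a SIEM as needed.
        $Changes | Export-Csv -NoTypeInformation -Path (Join-Path $SnapshotDir ('changes-{0:yyyyMMdd}.csv' -f (Get-Date)))
    } else {
        Write-Output "No membership changes since $($Previous.Name)"
    }
}
```

Run it from a scheduled task under a read-only service account. Because the snapshot is keyed on group and member rather than on object GUID, a renamed account shows up as a removal plus an addition; that is usually the desired behaviour for a privileged-group review, but switch to ObjectGUID if you need to follow renames.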
STEALTHbits now offers a free download of our StealthAUDIT AD Assessment that allows you to quickly and easily assess your Active Directory and plan your own Active Directory cleanup. Since many large organizations have multiple teams that manage different aspects of Active Directory, I like to organize the report types according to domain controller functions and directory services. Here’s the key information to gather for each report type:
Domain Controllers
Directory Services
Because Active Directory directly impacts the availability of so many systems and users, cleanup projects that follow assessments can take time. To track progress efficiently, I recommend enabling automatic report generation and then keeping the history of these reports in the StealthAUDIT SQL database. Additionally, the StealthAUDIT SQL database is an open architecture that allows standard T-SQL queries, so the data collections can be pulled into key enterprise management solutions such as SIEM, IAM and other investigative tools.
With this documentation in hand, you can demonstrate risk mitigation and validate the success of your AD cleanup projects. You will be able to prove that an organized directory is a healthier – and safer – place to play. Uh, I mean work.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.
© 2022 Stealthbits Technologies, Inc.