SPHERE Insights is an ongoing column written by various members of the SPHERE team, highlighting unique viewpoints and expertise. This article comes to us from our head security expert, Douglas Bayne.
Active Directory organizes and provides access to information across your company’s users, computers and more. It is the core of an organization’s security and is the means by which users, customers, partners, IoT and devices authenticate to a system and receive their rights for traversing that system. It’s the lifeblood for your apps, files, and users. Without it, nothing else works.
Making sense of your Active Directory mess involves analyzing a vast set of controls, understanding the state of asset ownership, and learning how role-based and least-privileged access can be implemented, as well as learning how to incorporate IAM concepts, policy management, entitlement reviews, and ongoing asset certification.
It’s complicated, but we’ve formulated a simplified approach that drives how you scope and focus your workstreams.
Admin Access
Understanding administrative access and gaining visibility into who can do what with which account is critical to immediate risk reduction, as well as to ensuring any remediation is maintained in the future. This includes built-in privileged access groups, delegation rights and more. A gap analysis is key to identifying missing standardization customary to enterprise domains.
Group Policy Objects (GPO) Review
GPOs are responsible for applying the proper settings to accounts and machines. Utilizing a combination of proprietary connectors and native Microsoft utilities, we collect the Group Policy Objects (GPO) and compare them to GPO best practices. This analysis will identify all the issues that need to be resolved, along with where current GPOs introduce security gaps, compliance violations or other risks into the technology infrastructure.
Identity Correlation
Accounts are core security controls that must be managed appropriately to harden security and improve compliance with the policies dictating system access and use. All accounts need to be analyzed, and each account linked to its associated HR record. Additionally, non-human accounts need to be identified and their ownership gaps documented.
AD Groups Metrics
AD groups administer access to data, systems, applications and platforms. Therefore, problematic groups must be reviewed, homing in on which groups provide elevated access, and a plan must be put in place to standardize group usage and potentially retrofit existing groups to a set standard in the future. The analysis includes inventory, stale versus active, heavy group nesting, stale/empty groups and more.
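As an added illustration of the two AD group checks just described (not SPHERE's own tooling), the following PowerShell builds a baseline of built-in privileged groups, including membership inherited through nesting, and flags stale, empty or ownerless groups. It assumes the RSAT ActiveDirectory module and read access to the domain; the 90-day inactivity threshold, the use of whenChanged as the staleness signal and the output path are assumptions to adjust to your own policy.

```powershell
# Added example: baseline privileged-group nesting and stale/empty groups.
# Assumes the RSAT ActiveDirectory module; thresholds below are assumptions.
Import-Module ActiveDirectory

# Built-in groups that confer elevated rights in a typical enterprise domain.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators',
    'Server Operators', 'Print Operators', 'DnsAdmins')

function Get-PrivilegedMembershipReport {
    foreach ($name in $privilegedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # group may not exist in this forest
        $direct    = @(Get-ADGroupMember -Identity $group)
        # -Recursive expands nested groups and returns only leaf objects (users/computers)
        $effective = @(Get-ADGroupMember -Identity $group -Recursive)
        $nested    = @($direct | Where-Object { $_.objectClass -eq 'group' })
        [pscustomobject]@{
            Group            = $name
            DirectMembers    = $direct.Count
            EffectiveMembers = $effective.Count
            NestedGroups     = ($nested.Name -join ';')
            # Approximate count of principals who hold rights only through nesting;
            # anything above zero needs its membership chain traced and justified.
            InheritedViaNesting = $effective.Count - ($direct.Count - $nested.Count)
        }
    }
}

function Get-StaleGroupReport {
    param([int]$InactiveDays = 90)   # assumed policy threshold
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-ADGroup -Filter * -Properties Members, whenChanged, managedBy | ForEach-Object {
        $memberCount = @($_.Members).Count
        [pscustomobject]@{
            Group    = $_.Name
            Members  = $memberCount
            Empty    = ($memberCount -eq 0)
            Stale    = ($_.whenChanged -lt $cutoff)   # heuristic: no change in the window
            HasOwner = [bool]$_.managedBy             # managedBy empty means no recorded owner
        }
    }
}

Get-PrivilegedMembershipReport | Format-Table -AutoSize
Get-StaleGroupReport |
    Where-Object { $_.Empty -or $_.Stale -or -not $_.HasOwner } |
    Export-Csv -Path '.\ad-group-baseline.csv' -NoTypeInformation   # placeholder path
```

The CSV gives the inventory of candidates for the retrofit or cleanup plan; the nesting report is the starting point for deciding which groups truly need to sit inside privileged groups.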
We’ve developed key workstreams for firms to gain an understanding of, and build a baseline for, critical Active Directory functions as well as the assets stored and managed within Active Directory.