Agenda
Darren Mar-Elia
Microsoft MVP and Group Policy Expert
CTO and Founder of SDM Software, Inc.
Former Senior Director of Product Engineering for DesktopStandard Corporation
Contributing editor to Windows IT Pro magazine
Created the popular www.gpoguy.com Web site for information and utilities related to Group Policy
Published author, including his most recent book on Windows: Windows Server 2008 Security Resource Kit Guide
AD has become an important part of most organizations' identity landscape.
Certainly, most if not all Windows desktops authenticate to AD.
Many backend application services use AD for authentication and authorization.
AD is a point of control for your network, your applications, and your data. As a result, protecting it and managing it well could not be more important!
What's at Stake?
Why should you care about protecting AD?
AD controls access to sensitive corporate data. Data loss, whether inadvertent or deliberate, can be catastrophic.
AD provides authorization to resources: you need to know who has access to what, and what they're doing with it!
All of these things are controlled (and potentially not controlled) through AD!
Access to AD and its objects must be protected at all times. Threats can come from all angles:
Users (internal/external) who try to guess weak passwords
Exploiting generic/service accounts with known passwords to get access to data
Modifying group memberships to gain access to private data, applications, and resources
Querying unprotected AD information to gain information about employees, groups, etc.
The Process:
Account provisioning and de-provisioning (to all systems integrated with AD)
Well-documented process for granting access to groups that grant access to resources, including attestation of those group memberships
1. Ability to template-ize user job functions to grant the correct access in a repeatable fashion
2. Automation of object creation and population improves data integrity, which reduces the chances of inadvertently granting access
3. Automate handling of requests for group membership, including approval-based workflow and ongoing attestation of access
4. Automate delegation of AD objects, based on object class or location within the AD hierarchy
5. Automate the Group Policy change process, including workflow for approving new GPO changes
Protecting Against the Threats: Auditing (cont'd)
It is useful to know when AD groups are added to resources, for example:
AD groups added to local Administrators groups on servers or workstations
AD groups added to file share or other resource permissions
Tools & Techniques for Managing the Threats
The key to control is to ensure your delegation model around AD follows a least-privilege approach:
Only administrators who have a need to change AD and related data should be able to
Provide approval-based workflow for critical AD changes
Use automation where possible to prevent mistakes
Tools & Techniques for Managing the Threats (cont'd)
Auditing is the feedback loop! Ensure that you have the right auditing enabled.
Remember that Server 2008 contains more granular auditing controls (see next screen)
Tools & Techniques for Managing the Threats (cont'd)
Enable auditing on specific AD objects within the AD ACL editor to ensure that changes to critical objects are tracked
Alert and report on key audit events
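As an added example (not from the original deck), the PowerShell below turns the "AD groups added to local Administrators groups" audit point into a report: it reads Security event 4732 (a documented Windows event ID) and resolves whether the added member is a domain group. It assumes a domain-joined Windows Server 2008 or later with the Security Group Management audit subcategory enabled; the function name is mine.

```powershell
# Added example, not from the original deck: report domain principals added to a
# server's local Administrators group, one of the key audit events the slides name.
# Assumes a domain-joined Windows Server 2008+ host with the granular audit
# subcategory enabled (run once, elevated):
#   auditpol /set /subcategory:"Security Group Management" /success:enable
# Event ID 4732 = "A member was added to a security-enabled local group".
function Get-DomainMemberAddedToLocalAdmins {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4732
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # RID 544 is the built-in Administrators group in every Windows SID
        # namespace, so matching on the SID suffix works regardless of locale.
        if ($data['TargetSid'] -notlike '*-544') { return }

        # Resolve the added member. Domain principals resolve to DOMAIN\Name,
        # local ones to COMPUTERNAME\Name; the deck's concern is the former.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($data['MemberSid'])
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $data['MemberSid'] }   # unresolved (deleted or foreign) SID
        if ($account -like "$ComputerName\*") { return }

        # Distinguish a group from a user via an LDAP bind on the member's SID.
        try   { $class = @(([ADSI]"LDAP://<SID=$($data['MemberSid'])>").objectClass)[-1] }
        catch { $class = 'unknown' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $xml.Event.System.Computer
            AddedBy     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Member      = $account
            MemberClass = $class
            Group       = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        }
    }
}

# Usage: reconcile every row against an approved change request;
# MemberClass 'group' is exactly the case the slide calls out.
Get-DomainMemberAddedToLocalAdmins -Hours 168 | Format-Table -AutoSize
```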
Not to mention possible legal/regulatory penalties as a result of loss of non-public data.
Bottom line: AD is not just a desktop directory anymore!
Summary
Protecting AD from threats is as important as any information security job IT has today.
It's all about process, automation, and auditing; it's all about control.
Know your AD security model and who is changing it at all times.
Keep out of the eye of auditors and compliance officers by ensuring your controls and audits are in place and working!
http://www.eweek.com/c/a/Security/Disgruntled-Employee-Wreaks-IT-Havoc-at-Japanese-Drug-Company-574712/
2011 NetIQ Corporation. All rights reserved.
in new user accounts for employees/contractors and 100% annual turnover in retail call center
Solution:
Policy/automation triggers to ensure all required fields are populated
Inspection of values as they are entered to ensure they are valid
Template accounts to further streamline the process and ensure consistency
Solution Benefits
Security. Compliance. Efficiency. ROI.
ROI now and later
Efficiencies gained hundreds
business
Improved customer satisfaction
Paradigm Shift
the Active Directory eBook: Protecting Critical Data by Managing the Active Directory Identity Lifecycle
URL - http://bit.ly/Ch1_AD
Complete our survey. Enter for a chance to win an Apple iPad 2!
Continue the conversation
Worldwide Headquarters
1233 West Loop South, Suite 810
Houston, Texas 77027 USA
Worldwide: 713.548.1700
N. America Toll Free: 1.888.323.6768
Info@NetIQ.com
NetIQ.com
Follow NetIQ:
NetIQ, an Attachmate business.