
Managing Active Directory for Data Integrity and Security

Darren Mar-Elia Microsoft MVP and Group Policy Expert

Renee Bradshaw Senior Product Marketing Manager, NetIQ

2011 NetIQ Corporation. All rights reserved.

Agenda

Managing Active Directory for Data Integrity and Security
- Why is managing Active Directory (AD) important?
- What kinds of data losses can result from lack of AD control?
- Threat vectors to think about
- Protections you can put in place to secure identity data
- Tools and techniques for managing the threats
- The compliance downside to not protecting AD

Tame Your Active Directory Environment: Lessons Learned

Q and A


About the Speaker

Darren Mar-Elia
Microsoft MVP and Group Policy Expert
- CTO and Founder of SDM Software, Inc.
- Former Senior Director of Product Engineering for DesktopStandard Corporation
- Contributing editor to Windows IT Pro magazine
- Created the popular www.gpoguy.com Web site for information and utilities related to Group Policy
- Published author, including his most recent book on Windows: Windows Server 2008 Security Resource Kit Guide


Managing Active Directory for Data Integrity & Security


By Darren Mar-Elia,
Microsoft MVP and Group Policy Expert

Why Is Managing AD Important?

- AD has become an important part of most organizations' identity landscape
- Certainly, most if not all Windows desktops authenticate to AD
- Many backend application services use AD for authentication and authorization

Why Is Managing AD Important? (Cont'd)

- AD is increasingly used by other platforms: Linux/Unix/Mac
- AD is a point of control to your network, your applications, and your data
- Protecting it and managing it well could not be more important, as a result!

What's at Stake?

Why should you care about protecting AD?
- AD controls access to sensitive corporate data
- Data loss, either inadvertent or on purpose, can be catastrophic
- AD provides authorization to resources: you need to know who has access to what and what they're doing with it!

Data Loss Risks

Lack of control over AD:
- Users accessing sensitive company data because they are in the wrong AD groups
- Terminated employees whose accounts are still active, still able to access company resources
- Unauthorized users able to add others into sensitive privileged groups
- Server administrators getting access to production servers and data because least-privilege rules weren't followed
- Non-employees with access to your network getting access to sensitive data because of poor access controls

Data Loss Risks (cont'd)

Access to sensitive data within AD if not properly protected:
- Ability to see information related to employees
- Ability to edit groups that might grant access to mailboxes, file shares, databases, etc.
- Ability to modify key AD configuration objects that affect the availability of AD itself (e.g., site objects)
- Ability to modify Group Policy Objects that control user lockdown and server security

All of these things are controlled (and potentially not controlled) through AD!

Examining the Threat Vectors

Access to AD and its objects must be protected at all times. Threats can come from all angles:
- Users (internal/external) who try to guess weak passwords
- Exploiting generic/service accounts with known passwords to get access to data
- Modifying group memberships to gain access to private data, applications, and resources
- Querying unprotected AD information to gain information about employees, groups, etc.

Protecting Against the Threats

There are a number of things you can do to protect against the threats:
- Process
- Automation
- Auditing

Protecting Against the Threats--Process

The Process:
- Account provisioning and de-provisioning (to all systems integrated with AD)
- Well-documented process for granting access to groups that grant access to resources, including attestation of those group memberships

Protecting Against the Threats--Process (cont'd)

- Solid delegation plan over AD objects that takes a least-privilege approach to access
- Change process in place for all substantial changes to AD objects
- Process in place for alerting on and reviewing AD change audit logs

Protecting Against the Threats--Automation

Automation enables many of the process aspects of good AD management, including:
- Automatically provisioning new accounts
- Automatically de-provisioning across all systems and applications when an employee/contractor goes away

Protecting Against the Threats--Automation Steps

1. Ability to template-ize user job functions to grant the correct access in a repeatable fashion
2. Automation of object creation and population improves data integrity, which reduces the chances of inadvertently granting access
3. Automate handling of requests for group membership, including approval-based workflow and ongoing attestation of access
4. Automate delegation of AD objects, based on object class or location within the AD hierarchy
5. Automate the Group Policy change process, including workflow for approving new GPO changes

Protecting Against the Threats--Auditing

- Auditing is the feedback loop for good AD management
- Ensures processes and automation are working as expected
- Validates that no unauthorized changes are happening against AD
- Provides evidence for auditors/compliance officers of your processes

Protecting Against the Threats--Auditing (cont'd)

Important to track several angles of AD usage:
- Who is changing what AD objects? (e.g., groups, users, AD configuration objects, GPOs)
- Who is accessing key AD objects & properties?
- Who is logging into AD and from where?

Protecting Against the Threats--Auditing (cont'd)

Useful to know when AD groups are added to resources, for example:
- AD groups added to local Administrators groups on servers or workstations
- AD groups added to file share or other resource permissions
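Added example (not from the slides and not NetIQ's code) that checks the first bullet: it reads the local Administrators group of each listed server through the WinNT ADSI provider and reports any domain user or group that is not on an approved list. The server names and the approved list are placeholders.

```powershell
# Added example: report domain principals in each server's local Administrators
# group and flag any not on an approved list. Hosts and allow-list are placeholders;
# the WinNT ADSI provider needs no extra modules and works against 2008-era hosts.
$servers  = @('SRV-FILE01', 'SRV-SQL01')                      # placeholder hosts
$approved = @('CORP\Domain Admins', 'CORP\Server-Admins')     # placeholder allow-list

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # ADsPath looks like WinNT://CORP/Server-Admins or WinNT://SRV-FILE01/Administrator
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{
            Server  = $ComputerName
            Member  = ($parts[-2..-1] -join '\')   # DOMAIN\name or HOST\name
            Class   = $class                       # User or Group
            IsLocal = ($parts[-2] -eq $ComputerName)
        }
    }
}

function Find-UnapprovedLocalAdmins {
    # Local accounts (e.g. the built-in Administrator) are left to a separate review;
    # this flags domain users/groups that were added outside the approved set.
    param([string[]]$Servers, [string[]]$Approved)
    foreach ($s in $Servers) {
        Get-LocalAdminMembers -ComputerName $s |
            Where-Object { -not $_.IsLocal -and $Approved -notcontains $_.Member }
    }
}

Find-UnapprovedLocalAdmins -Servers $servers -Approved $approved | Format-Table -AutoSize
```

Run it from an account that can read local group membership on the target servers; an empty result means every domain principal with local admin rights is on the approved list.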

Tools & Techniques for Managing the Threats

The key to control is to ensure your delegation model around AD follows a least-privilege approach:
- Only administrators who have a need to change AD and related data should be able to
- Provide approval-based workflow for critical AD changes
- Use automation where possible to prevent mistakes

Tools & Techniques for Managing the Threats (cont'd)

- The AD Delegation of Control Wizard in ADU&C is a good starting point for establishing a delegation model for AD objects
- But you should get familiar with AD's granular security model using the ACL editor (next screen)

Editing Native AD Permissions
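An added example (not from the slides, and not SDM Software's or NetIQ's code) of scripting the same least-privilege delegation the ACL editor exposes: it grants a helpdesk group the right to change only the member attribute of group objects under one OU, then lists every principal on that OU holding a right that can alter group membership, so the delegation can be reviewed. It assumes the ActiveDirectory PowerShell module (which provides the AD: drive) and PowerShell 5.1 or later; the OU and group names are placeholders.

```powershell
# Added example: least-privilege delegation of group-membership changes plus a
# review of who holds that right. Needs the ActiveDirectory module (AD: drive)
# and PowerShell 5.1+; OU and group names are placeholders.
Import-Module ActiveDirectory

$ouDn       = 'OU=Resource Groups,DC=corp,DC=example'   # placeholder OU
$delegateTo = 'HelpDesk-GroupAdmins'                     # placeholder group

# schemaIDGUIDs of the "member" attribute and the "group" object class.
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$groupClassGuid = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'

function Grant-GroupMemberWrite {
    param([string]$OuDn, [string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    # Only WriteProperty on "member", inherited by group objects below the OU:
    # no rights on the OU itself, on users, or on any other attribute.
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberAttrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $groupClassGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-GroupMemberWriteDelegations {
    # Review helper: every Allow ACE on the OU that can alter group membership,
    # including broad ones (ObjectType empty = all properties; GenericAll etc.).
    param([string]$OuDn)
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $write) -ne 0) -and
            ($_.ObjectType -eq $memberAttrGuid -or $_.ObjectType -eq [Guid]::Empty)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
}

Grant-GroupMemberWrite -OuDn $ouDn -GroupName $delegateTo
Get-GroupMemberWriteDelegations -OuDn $ouDn | Format-Table -AutoSize
```

The review output is what to compare against the delegation plan: any identity listed there beyond the helpdesk group and the expected administrative groups is a finding.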

Tools & Techniques for Managing the Threats (cont'd)

- Keep tight control over who can change group memberships
- Automation around group membership changes can help tremendously here
- Have a change control process in place

Tools & Techniques for Managing the Threats (cont'd)

- Auditing is the feedback loop! Ensure that you have the right auditing enabled.
- Remember that Server 2008 contains more granular auditing controls (see next screen)

Granular Auditing in Server 2008/R2

Tools & Techniques for Managing the Threats (cont'd)

- Enable auditing on specific AD objects within the AD ACL editor to ensure that changes to critical objects are tracked
- Alert and report on key audit events
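Added example, not from the slides and not NetIQ's code, tying the three auditing points together on a domain controller: enable the Server 2008 "Directory Service Changes" subcategory, put a SACL on one sensitive group, then extract the resulting group-membership-addition events (4728/4732/4756) and object-modification events (5136) together with the account that made the change. The group DN is a placeholder; it assumes the ActiveDirectory module, PowerShell 5.1 or later, and an account permitted to run auditpol and read the Security log.

```powershell
# Added example: enable directory-change auditing, add a SACL to one sensitive
# group, then pull the resulting events. Run on a domain controller with the
# ActiveDirectory module; the group DN is a placeholder.
Import-Module ActiveDirectory

$sensitiveGroupDn = 'CN=Domain Admins,CN=Users,DC=corp,DC=example'   # placeholder

# 1. Server 2008+ granular subcategory behind "who changed what" in AD.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. Object-level SACL: audit successful writes to the group, by anyone.
function Add-ObjectWriteAudit {
    param([string]$Dn)
    $acl  = Get-Acl -Path "AD:\$Dn"
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        [System.Security.Principal.SecurityIdentifier]'S-1-1-0',                          # Everyone
        [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner',
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# 3. Feedback loop: membership additions (4728 global, 4732 local, 4756 universal)
#    and object modifications (5136) in the last N hours, with the actor.
function Get-AdChangeEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756, 5136
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Target = if ($_.Id -eq 5136) { $d['ObjectDN'] } else { $d['TargetUserName'] }
            Detail = if ($_.Id -eq 5136) { "$($d['AttributeLDAPDisplayName'])=$($d['AttributeValue'])" } else { $d['MemberName'] }
        }
    }
}

Add-ObjectWriteAudit -Dn $sensitiveGroupDn
Get-AdChangeEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Each domain controller keeps its own Security log, so the event query has to run on (or be collected from) every DC; the "Actor" column is the "who is changing what" the slide asks for.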

The Compliance Downside to Not Protecting AD

- In the identity world, negligence around managing access to corporate resources has consequences
- If AD is compromised, accidentally or maliciously, data loss outside the company's walls is a real possibility, with its attendant impact on the company's reputation
- Not to mention possible legal/regulatory penalties as a result of loss of non-public data
- Bottom line: AD is not just a desktop directory anymore!

The Compliance Downside to Not Protecting AD (cont'd)

- From an audit perspective, auditors expect that you can show that you have processes in place for controlling AD
- And you should be able to prove that those processes are working via:
  - Audit logs/reports
  - Printouts of your AD configuration
  - Showing that users are in the proper groups for accessing privileged or sensitive data, systems, and applications

Summary

- Protecting AD from threats is as important as any information security job IT has today
- It's all about process, automation, and auditing: it's all about control
- Know your AD security model and who is changing it at all times
- Stay out of the eye of auditors and compliance officers by ensuring your controls and audits are in place and working!

Tame Your Active Directory Environment: Lessons Learned

Renee Bradshaw
Senior Product Marketing Manager, NetIQ

When It All Goes Wrong

Poor Access Control | Privilege Misuse

http://www.eweek.com/c/a/Security/Disgruntled-Employee-Wreaks-IT-Havoc-at-Japanese-Drug-Company-574712/

Ask Yourself These Questions

Managing user privileges throughout the identity lifecycle:
- How long does it take to on-board (or off-board) a staff member?
- What is in place to align privileges as staff roles change?
- Is there a process for re-certifying privileges over time?
- How do you ensure separation of duties and enforcement of controls?
- How do you minimize the number of privileged administrators?
- How do you know what your administrators are doing with their privileges?

The Well-Managed Active Directory Environment

A must have:
- Threat cannot be eliminated
  - Insider threat, privilege misuse, malware, hacking
  - Hurricanes, floods
- Mitigate the potential for loss
  - Appropriate security controls
  - Identity lifecycle management
  - Plywood, flood insurance
- Manage and protect AD
  - Fewer business disruptions
  - Increased administration efficiency
  - Better enterprise security and compliance

About NRG Energy

Business overview:
- Fortune 300 wholesale power generator
- Ownership interest in 44 power generating facilities
- 24,005 MW net ownership
- Assets located in United States, Australia and Germany
- Purchased Reliant Energy (retail) in 2009

About NRG Energy (cont'd)

Business situation and drivers for IAM solution:
- Until last year, NRG primarily owned power plants
- Acquired Reliant Energy, adding 1.8m retail customers
- Introduced new issues around managing security and assets
- Included moves of data centers and information assets
- Policies required revision
- Grew by 50% but resources remained flat

Secure Delegation of Privileges

Reduce Active Directory administrative privileges. Improve auditing and reporting.

Problem: Far too many users with Domain Admin and other administrative privileges

Solution:
- Secure delegation for fine-grained administration of the AD environment
- NetIQ's ActiveView allows HD/support staff to administer objects without elevated native permissions
- Self-service portal will enable NRG users to update basic information about themselves

Web Console for Delegated Administration

Automated User Provisioning

Streamline user account creation. Improve quality of AD data.

Problem: Dramatic increase in new user accounts for employees/contractors and 100% annual turnover in retail call center

Solution:
- Policy/automation triggers to ensure all required fields are populated
- Inspection of values as they are entered to ensure they are valid
- Template accounts to further streamline the process and ensure consistency

Enforcement of Data Completeness
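Added example, not NetIQ's product code and not from the slides, of the template and data-completeness approach described in the automation steps of the first half and in this NRG solution: a provisioning request is checked against required fields, a value format and a role template before New-ADUser runs, and the role's group memberships are applied the same way every time. Role templates, OU paths, group names, the EmployeeID format rule and the UPN suffix are placeholders; it assumes the ActiveDirectory module.

```powershell
# Added example: template-based provisioning with required-field checks.
# Role templates, OU paths, group names, the EmployeeID rule and the UPN
# suffix are placeholders. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

$roleTemplates = @{
    'RetailCallCenterAgent' = @{ Path   = 'OU=Call Center,OU=Users,DC=corp,DC=example'
                                 Groups = @('CallCenter-Users', 'CRM-ReadOnly') }
    'PlantOperator'         = @{ Path   = 'OU=Plants,OU=Users,DC=corp,DC=example'
                                 Groups = @('Plant-Operators') }
}
$requiredFields = 'GivenName', 'Surname', 'Department', 'EmployeeID', 'Manager', 'Role'

function Test-ProvisioningRequest {
    # Returns a list of problems; an empty list means the request may proceed.
    param([hashtable]$Request)
    $problems = @()
    foreach ($f in $requiredFields) {
        if ([string]::IsNullOrWhiteSpace($Request[$f])) { $problems += "missing $f" }
    }
    if ($Request['EmployeeID'] -and $Request['EmployeeID'] -notmatch '^\d{6}$') {
        $problems += 'EmployeeID must be exactly 6 digits'            # placeholder rule
    }
    if ($Request['Role'] -and -not $roleTemplates.ContainsKey($Request['Role'])) {
        $problems += "unknown role '$($Request['Role'])'"
    }
    $mgr = $Request['Manager']
    if ($mgr -and $mgr -notmatch '^[\w.-]+$') { $problems += 'Manager has invalid characters' }
    elseif ($mgr -and -not (Get-ADUser -Filter "SamAccountName -eq '$mgr'")) {
        $problems += "manager '$mgr' not found in AD"
    }
    return $problems
}

function New-RoleBasedUser {
    param([hashtable]$Request, [securestring]$InitialPassword)
    $problems = Test-ProvisioningRequest -Request $Request
    if ($problems.Count -gt 0) { throw "Request rejected: $($problems -join '; ')" }
    $t   = $roleTemplates[$Request['Role']]
    $sam = (($Request['GivenName'].Substring(0, 1) + $Request['Surname']).ToLower() -replace '[^a-z0-9]', '')
    $sam = $sam.Substring(0, [Math]::Min(20, $sam.Length))           # sAMAccountName limit
    $mgr = Get-ADUser -Filter "SamAccountName -eq '$($Request['Manager'])'"
    New-ADUser -Name "$($Request['GivenName']) $($Request['Surname'])" -SamAccountName $sam `
        -UserPrincipalName "$sam@corp.example" -GivenName $Request['GivenName'] `
        -Surname $Request['Surname'] -Department $Request['Department'] `
        -EmployeeID $Request['EmployeeID'] -Manager $mgr.DistinguishedName `
        -Path $t.Path -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true
    foreach ($g in $t.Groups) { Add-ADGroupMember -Identity $g -Members $sam }
    return $sam
}

$request = @{ GivenName = 'Ada'; Surname = 'Lovelace'; Department = 'Call Center'
              EmployeeID = '123456'; Manager = 'jsmith'; Role = 'RetailCallCenterAgent' }   # constructed
New-RoleBasedUser -Request $request -InitialPassword (Read-Host 'Initial password' -AsSecureString)
```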

Automated User De-Provisioning

Disable accounts quickly. Remove from downstream systems. Ensure SOX compliance.

Problem: Large volume of terms for contractors and other accounts

Solution:
- Custom web portal for HR
- Creates work orders to remove users from downstream systems when HR rep disables account
- Produces daily log for AD objects owned or managed by the disabled account (users, DLs, security groups, etc.)
- Sends confirmation to Security for follow-up and remediation

Automated Workflow for Terminations
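An added example, not NetIQ's product code, of the follow-up output this de-provisioning solution produces: for accounts disabled within the last day it lists group memberships that survived the disable and every object whose managedBy attribute still names the account, and separately surfaces enabled accounts with no logon in 90 days (the "terminated but still active" risk from the first half of the deck). The day and inactivity thresholds are placeholders; it assumes the ActiveDirectory module and read access to the domain.

```powershell
# Added example: de-provisioning follow-up checks. Thresholds are placeholders;
# needs the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-DeprovisioningFollowUps {
    # For accounts disabled recently: memberships that survived the disable and
    # objects (groups, DLs, OUs, computers) whose managedBy still names the account.
    param([int]$DisabledWithinDays = 1)
    $since = (Get-Date).AddDays(-$DisabledWithinDays)
    Get-ADUser -Filter { Enabled -eq $false -and whenChanged -ge $since } -Properties memberOf, whenChanged |
      ForEach-Object {
        $u = $_
        # whenChanged is only a proxy (any write bumps it); confirm against the HR record.
        # Escape the DN for use inside an LDAP filter (backslash first, then ( ) *).
        $dn = $u.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
        $managed = Get-ADObject -LDAPFilter "(managedBy=$dn)"
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            LastChanged    = $u.whenChanged
            StillMemberOf  = @($u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
            StillManages   = @($managed | Select-Object -ExpandProperty DistinguishedName)
        }
      }
}

function Get-StaleEnabledAccounts {
    # The "terminated but still active" risk: enabled users with no logon in N days.
    param([int]$InactiveDays = 90)
    Search-ADAccount -AccountInactive -UsersOnly -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

Get-DeprovisioningFollowUps -DisabledWithinDays 1 | Format-List
Get-StaleEnabledAccounts -InactiveDays 90 | Format-Table -AutoSize
```

Accounts listed under StillManages need a new owner before the account is deleted, and anything in StillMemberOf is access that a disable alone did not remove from downstream systems that sync group membership.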

NERC Advisory Processing

Timely assessment and processing of NERC regulatory bulletins (advisories).

Problem: Frequent bulletins trigger security assessments at 70 power gen locations

Solution:
- Distributes bulletins to plant managers
- Captures responses and updates spreadsheet with plant locations and contacts
- After 8 hours, sends an interim sheet to regulatory team for initial impact assessment
- After 24 hours, sends a "final" tally to regulatory team

Automated Workflow for Advisory Processing

Solution Benefits

Security. Compliance. Efficiency. ROI.
- ROI now and later
- Efficiencies gained: hundreds of hours of manual work per month
- Improved compliance with SOX and NERC CIP
- Satisfaction of prior year internal audit findings
- Better alignment with the business
- Improved customer satisfaction
- Paradigm shift

Learn More at NetIQ.com

- Download Chapter 1 from the Active Directory eBook: Protecting Critical Data by Managing the Active Directory Identity Lifecycle
  URL - http://bit.ly/Ch1_AD
- Complete our survey. Enter for a chance to win an Apple iPad 2!
- Continue the conversation on Twitter.com/NetIQ, Facebook.com/NetIQ or Community.Netiq.com


Worldwide Headquarters
1233 West Loop South, Suite 810
Houston, Texas 77027 USA
Worldwide: 713.548.1700
N. America Toll Free: 1.888.323.6768
Info@NetIQ.com
NetIQ.com

NetIQ, an Attachmate business.