In late 2018, OSIsoft disclosed to the California Attorney General that malicious actors had compromised company credentials. As far as the company could tell, the attack affected 29 devices and 135 user accounts. OSIsoft officials stated that even though the company's Active Directory (AD) uses cryptographic protection, employee credentials were potentially compromised.
Active Directory, administered through PowerShell scripting, simplifies many of an admin's network security tasks. A single data breach costs U.S. enterprises an average of $500,000, according to PricewaterhouseCoopers (PwC). Admins can prevent this kind of loss by maintaining the network's Active Directory.
Most enterprises have overlooked similar legacy management vulnerabilities for a decade or more, according to Active Directory expert Sean Metcalf. During this time, cyber threats have evolved, but corporate network security practices have not. Metcalf says IT leaders must now view network security from the perspective of assumed compromise.
Furthermore, says Metcalf, enterprises must clamp down on active Domain Admin accounts. The only time this account should remain active is when it’s needed. Also, admins should use Active Directory to create custom groups with specific access.
IT professionals can deploy several Active Directory procedures to protect corporate and consumer data as well as maintain brand reputation. The following are a few best practices for keeping Active Directory clean and secure.
1. Disable Accounts for Employees on Extended Leave
Employees may go on extended leave for several reasons, such as maternity leave or active duty. In such cases, it’s best practice to disable their user account through Active Directory until that employee returns.
Even after doing so, malicious actors can still exploit the account of an employee who is on leave. For instance, a hacker could deploy a phishing attack by contacting the helpdesk and tricking an admin into re-enabling the account.
Accordingly, admins should trigger a password reset for absent employees, remove those individuals from all user groups and revoke related permissions. If needed, the employee can request access to resources when they return to work.
2. Manage Accounts for Departed Personnel
When employees leave the organization, for any reason, admins should immediately disable that user's Active Directory account. Once an account is disabled, admins usually wait a specified period before deleting it.
Admins should establish a scheduled deletion period for disabled accounts to keep the number of dormant credentials from growing out of control. It’s important to schedule this time so that deletion can synchronize with enterprise resources such as Office 365 and Azure AD.
For safety, admins should be able to recover the user’s mail server account for 30 days after deletion. At that point, the former user’s access is completely revoked, barring any other administrative actions.
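The disable-reset-strip sequence from step 1 and the scheduled deletion from step 2, as an added PowerShell example (not code from the original article). It assumes the RSAT ActiveDirectory module, a domain account with rights to modify users, and uses the Description attribute as the place to stamp the disable date; that stamping convention is this example's own choice.

```powershell
Import-Module ActiveDirectory

# Disable an account for extended leave or departure: disable it, set a random
# password so the old secret is useless if someone re-enables it, strip explicit
# group memberships, and stamp the description with the reason and date.
function Disable-UserAccountSecurely {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [ValidateSet('Leave', 'Departed')][string]$Reason = 'Departed'
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    Disable-ADAccount -Identity $user

    # 24 random bytes from the platform CSPRNG, base64-encoded, as the throwaway password.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

    # MemberOf lists explicit memberships only; the primary group (Domain Users) stays.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # Stamp format (assumed convention): DISABLED:<Reason>:<yyyy-MM-dd>
    Set-ADUser -Identity $user -Description "DISABLED:${Reason}:$(Get-Date -Format 'yyyy-MM-dd')"
}

# Delete departed users whose stamp is older than the retention period.
# Supports -WhatIf so the list can be reviewed before anything is removed.
function Remove-ExpiredDisabledUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$RetentionDays = 30)
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -Filter { Enabled -eq $false -and Description -like 'DISABLED:Departed:*' } `
        -Properties Description |
        ForEach-Object {
            if ($_.Description -match '^DISABLED:Departed:(\d{4}-\d{2}-\d{2})$' -and
                [datetime]$Matches[1] -lt $cutoff) {
                if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Delete disabled user')) {
                    Remove-ADUser -Identity $_ -Confirm:$false
                }
            }
        }
}

# Usage (constructed account name):
# Disable-UserAccountSecurely -SamAccountName 'jdoe' -Reason Departed
# Remove-ExpiredDisabledUser -RetentionDays 30 -WhatIf
```

Run the deletion function with -WhatIf first and align the retention period with the mail-server recovery window so Office 365 and Azure AD cleanup happens in the same cycle.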
3. Back Up Exchange Data
In the event of a breach, the admin may need to recover the entire Active Directory forest. As a failsafe, admins keep backups of Active Directory taken at different points in time. When needed, they can restore the last trusted backup of the AD.
When this occurs, admins need the password for the Domain Admin account. Accordingly, they should always have the Administrator and Directory Services Restore Mode (DSRM) passwords stored in a safe place.
This emergency scenario reinforces the importance of keeping Active Directory clean. If you must restore Active Directory, you don't want to reinstate outdated credentials, thereby restoring an attack vector for malicious actors.
4. Exercise Caution With the Admin Account
Many admins use a standardized build script to manage the built-in Administrator account. The script, however, automatically sets the same password for all systems in the environment.
In this scenario, if a malicious actor compromises one of these Administrator accounts, they effectively have access to all of them. What's worse, the script might set the same password for the built-in Administrator on every domain member.
Admins should disable the built-in Administrator, according to ITPro Today. They should only use this account for setup and disaster recovery.
If an admin boots into the Recovery Console or Safe Mode, the built-in Administrator is automatically enabled. Once the admin reboots in normal mode, the built-in Administrator is disabled again.
5. Make Sure That Guest Access Stays Disabled
Among large organizations, admins may find it challenging to keep track of many different custom permissions. As a result, they should regularly audit custom role definitions to prevent unnecessary admin permissions that a script may assign by default.
Guest accounts allow users to access the network without a password. Therefore, they are a common attack vector for malicious actors. Admins should disable guest account services altogether when they're not needed. Also, it's good policy to set guest accounts as disabled by default and rename them.
Admins should also make sure that no unnecessary guest user accounts exist in Active Directory. If guest accounts are active, the admin should make sure that they have limited permissions. Also, the admin should ensure that guests cannot invite users to the network.
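A check for steps 4 and 5, added here as an example rather than taken from the article: because both the built-in Administrator and Guest may have been renamed, the script looks them up by their well-known RIDs (500 and 501) under the domain SID, reports whether each is disabled, and disables Guest if it is still on. It assumes the RSAT ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

# Report the built-in Administrator (RID 500) and Guest (RID 501) by SID, so a
# rename does not hide them, along with whether each is currently enabled.
function Get-BuiltInAccountStatus {
    $domainSid = (Get-ADDomain).DomainSID.Value
    foreach ($rid in 500, 501) {
        $acct = Get-ADUser -Identity "$domainSid-$rid" -Properties LastLogonDate, PasswordLastSet
        [pscustomobject]@{
            Rid             = $rid
            CurrentName     = $acct.SamAccountName   # shows whether it was renamed
            Enabled         = $acct.Enabled
            LastLogonDate   = $acct.LastLogonDate
            PasswordLastSet = $acct.PasswordLastSet
        }
    }
}

# Disable Guest if it is enabled. The built-in Administrator is reported only,
# since the text reserves it for setup and disaster recovery and an admin should
# decide deliberately when to turn it off. Supports -WhatIf.
function Disable-GuestAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $guest = Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-501"
    if ($guest.Enabled -and $PSCmdlet.ShouldProcess($guest.SamAccountName, 'Disable Guest account')) {
        Disable-ADAccount -Identity $guest
    }
}

# Usage:
# Get-BuiltInAccountStatus | Format-Table
# Disable-GuestAccount -WhatIf
```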
6. Purge Inactive Accounts
An inactive user is an account that hasn't accessed data or logged into the network for 90 days or more. A Varonis study finds that 26 percent of all accounts belong to inactive users. In one organization in the study, Varonis found that 90 percent of all user accounts were stale.
To find stale accounts, admins use PowerShell cmdlets such as Get-ADUser (or Get-ADComputer for stale computer accounts) or Active Directory reporting tools such as ManageEngine or Goverlan Reach. To identify the accounts, they filter on the time elapsed since the user's last logon (90 days, for example). The admin can then delete the stale accounts.
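The stale-account query described above, as an added PowerShell example (not the article's own code). It assumes the RSAT ActiveDirectory module. Two details matter in practice: LastLogonDate is derived from lastLogonTimestamp, which by default replicates only when it is more than 14 days old, so treat the cutoff as approximate; and accounts that have never logged on have no LastLogonDate at all, so they are caught by their creation date instead.

```powershell
Import-Module ActiveDirectory

# Enabled user accounts whose last logon (or creation, if they never logged on)
# is older than $InactiveDays. Protected built-ins such as krbtgt are skipped.
function Get-StaleUserAccount {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
        -Properties LastLogonDate, WhenCreated, isCriticalSystemObject |
        Where-Object {
            -not $_.isCriticalSystemObject -and
            ( ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
              (-not $_.LastLogonDate -and $_.WhenCreated -lt $cutoff) )
        } |
        Select-Object SamAccountName, DistinguishedName, LastLogonDate, WhenCreated
}

# Disable (rather than delete) stale accounts and stamp the description, so the
# delete can follow after a retention period. Supports -WhatIf for a dry run.
function Disable-StaleUserAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$InactiveDays = 90)
    foreach ($u in Get-StaleUserAccount -InactiveDays $InactiveDays) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable stale account')) {
            Disable-ADAccount -Identity $u.DistinguishedName
            # Stamp format is this example's own convention.
            Set-ADUser -Identity $u.DistinguishedName `
                -Description "DISABLED:Stale:$(Get-Date -Format 'yyyy-MM-dd')"
        }
    }
}

# Usage: review the report first, then dry-run the disable step.
Get-StaleUserAccount -InactiveDays 90 | Format-Table
Disable-StaleUserAccount -InactiveDays 90 -WhatIf
```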
7. Manage and Purge User Groups
Some groups may have no active users. In this case, admins delete the entire group.
By deleting inactive groups, admins reduce the attack surface. However, they should also consider consolidating near-empty groups after relocating their users.
Only default Active Directory groups that are empty should remain. Admins must also monitor admin group membership, remove any defunct accounts, and audit that membership regularly.
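The group hygiene described in this step, as an added PowerShell example (not from the article). It assumes the RSAT ActiveDirectory module and uses the isCriticalSystemObject attribute to tell default groups (which must stay even when empty) from custom ones; the list of admin groups audited is this example's assumption.

```powershell
Import-Module ActiveDirectory

# Empty groups, flagged as default or custom. Only custom ones are deletion candidates.
# Note: Members lists explicit members; users whose primary group is this group
# (the usual case only for Domain Users) do not appear there.
function Get-EmptyADGroup {
    Get-ADGroup -Filter * -Properties Members, isCriticalSystemObject, WhenCreated |
        Where-Object { $_.Members.Count -eq 0 } |
        Select-Object Name, DistinguishedName, GroupScope, GroupCategory, WhenCreated,
            @{ Name = 'IsDefault'; Expression = { [bool]$_.isCriticalSystemObject } }
}

# Delete empty custom groups only; default groups are never touched. Supports -WhatIf.
function Remove-EmptyCustomADGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($g in Get-EmptyADGroup | Where-Object { -not $_.IsDefault }) {
        if ($PSCmdlet.ShouldProcess($g.Name, 'Remove empty custom group')) {
            Remove-ADGroup -Identity $g.DistinguishedName -Confirm:$false
        }
    }
}

# Disabled (defunct) accounts that still sit in privileged groups, including
# through nested groups, so they can be removed.
function Get-DefunctAdminGroupMember {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))
    foreach ($groupName in $Groups) {
        Get-ADGroupMember -Identity $groupName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties LastLogonDate |
            Where-Object { -not $_.Enabled } |
            Select-Object @{ Name = 'Group'; Expression = { $groupName } },
                SamAccountName, LastLogonDate
    }
}

# Usage:
# Get-EmptyADGroup | Format-Table
# Remove-EmptyCustomADGroup -WhatIf
# Get-DefunctAdminGroupMember | Format-Table
```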
8. Automate Active Directory Cleaning
As enterprises continue to operate, the number of accounts with admin rights grows. Eventually, the number of accounts goes beyond what admins can manage manually. Nevertheless, they must continue to monitor the status of these accounts and maintain the Active Directory.
IT Process Automation (ITPA) is the key to Active Directory security. A system that requires approval for new accounts is helpful. However, an automated system that keeps admin groups empty until membership is needed is the best way to limit admin group membership. An automated system, like Goverlan, can simplify Active Directory cleaning, user onboarding and the termination of stale accounts.
Today, ITPA is a critical tool for maintaining Active Directory security. Active Directory robots enable admins to maintain network integrity. The robots only access systems based on instructions provided by admins. What’s more, they help admins remain ever vigilant against a continuous stream of emerging malicious threats.