AD Administrators often face questions such as: When and Why was userX made an administrator? Have any new user accounts been added that they didn't know about? Why can't user X access this folder anymore? Where did this user account come from!?
The Active Directory Challenge
When an employee begins his/her employment at an organization, there is not a moment to lose. They must be given the right permissions, the right software, and the right access to servers, folders, and even files. Multiply this task across all levels of an organization, and with additional layers. Now think of the various group memberships each individual has permission to access.
Are the AD settings up to date for each and every employee? More importantly, is monitoring for AD changes part of an organization's security culture? Most likely, this is not the case.
However, as previously mentioned by Active Directory: Do You Need a Change Management Strategy, in today’s technology climate, monitoring for changes should be part of the organization’s security culture. Skyport’s recent report notes AD mismanagement can be to blame for 90 percent of enterprise security breaches.
Who Has Access?
As detailed by Active Directory Security, determining the access each group has within AD is the challenge. AD rights are more than group memberships.
The combined rights of Active Directory can include:
- Active Directory group membership.
- AD groups with privileged rights on computers
- Delegated rights to AD objects by modifying the default permissions (for security principles, both direct and indirect).
- Rights assigned to SIDs in SIDHistory to AD objects.
- Delegated rights to Group Policy Objects.
- User Rights Assignments configured on workstations, servers, and Domain Controllers via Group Policy (or Local Policy) define elevated rights and permissions on these systems.
- Local group membership on a computer or computers (similar to GPO assigned settings).
- Delegated rights to shared folders.
Source: Sean Metcalf: Active Directory Security
Understanding Your Organization
New hires, new fires. New buildings, new access. Though organizations do their best to keep IT departments informed with the latest employee news, do they provide the tools needed to keep an infrastructure not just compliant but also secure?
To implement change management with Active Directory, an organization will need a combined smart policy and automation-based tools. Specifically, smart tools are needed to effectively monitor for changes.
Best Practices for AD monitoring can include:
- Mechanisms for Change Control: organizations need to implement controls around users with the ability to make changes. Logs should include sufficient information to detect red flags that could indicate account compromises, such as location, device, and time.
- Ability to Understand the "Quality" of Changes: Changes via AD can move your organization out of compliance in a matter of seconds. Using a file integrity monitoring tool allows you to accurately determine if changes are negative, positive, or neutral.
- Structured Change Workflows: This can be accomplished with a comprehensive information security policy, which is required for PCI and other regulatory compliance. Built-in processes for the implementation and administration of changes are critical for organizations of any size.
- Ability to Understand and Act on Audits in Real-Time: A FIM solution with human-readable intelligence about changes, can immediately piece together the context of a change, including where it originated, who is responsible, and how it impacts your network. Contextually rich, human-readable audit logs can enable true real-time change management with Active Directory.
For more information on high-level Active Directory Monitoring and Management, we recommend Change Monitoring vs. Control vs Management: What's the Difference?
Understanding the Risks
Because the Active Directory allows for the network to be managed centrally if changes occurring to a network are not being monitored, how can they effectively stay managed? Monitoring for change is a necessity with the number of breaches occurring annually.
In Attack Methods for Gaining Domain Admin Rights in Active Directory, the attack occurs once an attacker is on the inside, and running the malicious code inside of the network. the next steps that can occur may include:
- Malware Injection (Spear-Phish, Web Exploits, etc)
- Reconnaissance (Internal)
- Credential Theft
- Exploitation & Privilege Escalation
- Data Access & Exfiltration
- Persistence (retaining access)
Source: Sean Metcalf, Active Directory Security
Systematic monitoring is necessary to ensure consistent service delivery in a large environment with many domain controllers, domains, or physical sites. As a distributed service, Active Directory relies upon many interdependent services distributed across many devices and in many remote locations.
As you increase the size of your network to take advantage of the scalability of Active Directory, monitoring becomes more important. It helps you avoid potentially serious problems, including:
- Security Policy Failure: Effective application of security policies requires correct replication of the SYSVOL policy.
- Account Lockout: Accounts and logins can fail if there are issues with your PDC emulator
- Domain Controller: Without sufficient disk space, you can experience domain controller functionality issues.
- Application Issues: Critical applications can cease operations if queries do not work.
- Directory Data Quality Problems: Data replication failures can require extensive time to resolve.
CimTrak for Active Directory
Monitoring Active Directory does not have to be a challenge. As comprehensive security, integrity, and compliance software offering agent-based coverage for a wide array of endpoints, CimTrak for Active Directory helps monitor directory services for deviations that may go unnoticed in larger environments.
Designed for awareness, CimTrak's human-readable logs, built-in intelligence, and accountability keeps organizations protected. Learn more about CimTrak today.
August 8, 2017