Microsoft® Active Directory® (AD) is the nerve center through which your federal agency's staff authenticate to the systems and applications they need to do their jobs. Because every domain-joined system and account trusts it, AD is a high-value target for inside and outside threats: an attacker who gains control of AD inherits control of everything that trusts it.
The key to protecting your agency’s AD—and, in turn, the rest of your network—is to have the right processes in place to maintain its integrity, know whether something is happening that shouldn’t be, and demonstrate compliance if required.
How do you accomplish these tasks while keeping this valuable resource secure? The answer is threefold:
- Develop and enforce appropriate permissions policies
- Understand how to recognize and respond to suspicious activity
- Ensure appropriate provisioning and deprovisioning policies are in place
Let’s look at permissions first. Unfortunately, it is common for far more accounts than necessary to hold AD rights, and specifically admin rights. Best practice is to grant admin rights to as few accounts as possible and, just as important, to be able to report on who holds them.
Permission reporting is not overkill. It gives your federal IT team a complete view of the objects in the directory (users, groups, computers) and the rights held over them, including membership that is inherited through nested groups rather than assigned directly. That insight makes it dramatically easier to manage permissions and to grant, modify, and revoke user or group access to specific objects.
Try adding comparative reporting to the mix, too. This allows teams to compare the rights of a given user to the role they fill within the agency. And here’s one more tip: consider using role-specific templates to delegate access privileges and enforce the principle of least privilege. This will help ensure security policy conformity across the agency’s IT infrastructure.
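A comparative permission report of the kind described above, as an added example that is not code from the original article. It reports who holds membership, direct or nested, in the built-in privileged groups, flags any member not on an approved role template, and lists accounts still stamped adminCount=1 that sit in none of those groups. The group list and the approved names in $Template are placeholders (assumptions); an agency substitutes its own role template. It needs the RSAT ActiveDirectory module on a domain-joined host with read access to the domain.

```powershell
# Added example (not from the original article): privileged-group membership
# report compared against an approved role template.
Import-Module ActiveDirectory

# Role template: approved SamAccountNames per privileged group.
# The names below are placeholders (assumption); use the agency's own list.
$Template = @{
    'Domain Admins'     = @('t0-breakglass', 'svc-t0-patching')
    'Enterprise Admins' = @()
    'Schema Admins'     = @()
    'Account Operators' = @()
}

$Report = foreach ($GroupName in $Template.Keys) {
    # -Recursive expands nested groups, so indirect admins are not missed.
    Get-ADGroupMember -Identity $GroupName -Recursive | ForEach-Object {
        [pscustomobject]@{
            Group    = $GroupName
            Member   = $_.SamAccountName
            Class    = $_.objectClass
            Approved = $Template[$GroupName] -contains $_.SamAccountName
        }
    }
}

$Report | Sort-Object Group, Member | Format-Table -AutoSize

# Anything unapproved is the review queue: remove the right or amend the template.
$Report | Where-Object { -not $_.Approved } |
    Export-Csv -Path .\unapproved-admins.csv -NoTypeInformation

# AdminSDHolder stamps adminCount=1 on members of protected groups but never
# clears it, so former admins keep the restrictive ACL and show up here.
# Accounts in protected groups not listed in $Template (such as Administrators
# or Backup Operators) and the krbtgt account also appear; extend $Template
# to cover every protected group for a full sweep.
$Protected = $Report | Select-Object -ExpandProperty Member -Unique
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $Protected -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, DistinguishedName
```

Run it on a schedule and diff the CSV against the previous run; a new unapproved row is either a change request you can trace or something to investigate.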
Once appropriate permissions policies have been implemented and enforced, the next step is deeper monitoring of AD activity. At a minimum, monitor the following:
- AD login activity: Be sure you can see failed login attempts, password reset attempts, account lockouts, and account deletions, and drill down to the individual Security event ID behind each (for example, event 4740 for a lockout, which is recorded on the PDC emulator).
- Remote AD sites: Visibility into remote agency sites, including site link names and the subnets and IP ranges mapped to each site, is invaluable when troubleshooting authentication or replication issues at a remote location, since a client on an unmapped subnet may authenticate against a distant domain controller.
- Domain controllers: Know whether CPU usage on a domain controller has crossed its threshold, whether an account is locked out, and whether there is a logon issue; a good tool shows each domain controller's status and the operations master (FSMO) roles it holds.
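The three monitoring points above, worked as one script; this is an added example and not code from the original article. It pulls the Security events behind the login activity from every domain controller, lists sites, site links and subnets, and reports each domain controller's roles, CPU load and the accounts currently locked out. The 24-hour window and the failed-logon threshold are assumptions to tune against the agency's baseline. It needs the RSAT ActiveDirectory module, membership in Event Log Readers (or equivalent) on the domain controllers, and remote Performance Monitor access.

```powershell
# Added example (not from the original article): AD activity and DC health
# snapshot built from Security events, site topology and DC properties.
Import-Module ActiveDirectory

$Since = (Get-Date).AddHours(-24)   # assumption: look back one day
# Security event IDs on a domain controller:
#   4771 Kerberos pre-authentication failed (bad password on a domain logon)
#   4625 account failed to log on (logon attempted at the DC itself)
#   4724 password reset attempted by another account
#   4726 user account deleted
#   4740 account locked out (written on the PDC emulator)
$EventIds = 4771, 4625, 4724, 4726, 4740

$DCs = Get-ADDomainController -Filter *

$Events = foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName = 'Security'; Id = $EventIds; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # The event XML carries named fields: Target is the account acted on,
        # Subject is the account doing the acting (resets, deletions).
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            DC      = $dc.HostName
            Time    = $_.TimeCreated
            Id      = $_.Id
            Target  = $data['TargetUserName']
            Subject = $data['SubjectUserName']
            Source  = $data['IpAddress']
        }
    }
}

"Events by ID since $Since"
$Events | Group-Object Id | Select-Object Name, Count

# Failed logons: one source address above the threshold is the thing to chase.
$Threshold = 20   # assumption; tune to the agency's baseline
$Events | Where-Object { $_.Id -in 4771, 4625 } |
    Group-Object Source | Where-Object Count -gt $Threshold |
    Select-Object Name, Count

# Resets and deletions are low-volume; list every one with who performed it.
$Events | Where-Object { $_.Id -in 4724, 4726 } |
    Select-Object Time, Id, Subject, Target, DC | Format-Table -AutoSize

# Remote sites: the links that join them and the subnets mapped to each site.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, @{n='Sites';e={$_.SitesIncluded -join '; '}}
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site, Location

# Domain controller status: site, GC/RODC, operations master roles, CPU load.
foreach ($dc in $DCs) {
    $samples = Get-Counter -Counter '\Processor(_Total)\% Processor Time' -ComputerName $dc.HostName -MaxSamples 3 -SampleInterval 1 -ErrorAction SilentlyContinue
    $cpu = ($samples.CounterSamples.CookedValue | Measure-Object -Average).Average
    [pscustomobject]@{
        DC     = $dc.HostName
        Site   = $dc.Site
        GC     = $dc.IsGlobalCatalog
        RODC   = $dc.IsReadOnly
        Roles  = ($dc.OperationMasterRoles -join ', ')
        CpuPct = if ($null -ne $cpu) { [math]::Round($cpu, 1) } else { 'n/a' }
    }
}

# Accounts currently locked out, wherever the lockout was triggered.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
```

Note that a failed domain logon from a workstation shows up on the domain controller as 4771 (Kerberos) or 4776 (NTLM), not 4625; 4625 on a DC only covers logons attempted at that DC, which is why the script counts both 4771 and 4625.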
Lastly, it is critical to have the right provisioning and deprovisioning policies in place: provisioning dictates what employees have access to, and deprovisioning ensures that access is removed promptly when an employee leaves the organization. Without them, orphaned accounts accumulate, and each one is a working credential that a bad actor or a disgruntled ex-employee can use.
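A deprovisioning check of the kind the paragraph above calls for, as an added example that is not code from the original article. It finds enabled user accounts with no domain logon in the last 90 days, disables them, records why in the description, and moves them to a holding OU. The 90-day window and the OU path are placeholders (assumptions) an agency would set by policy; the script runs in dry-run mode until $DryRun is set to $false.

```powershell
# Added example (not from the original article): stale-account sweep for
# deprovisioning. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Window     = [timespan]::FromDays(90)                       # assumption
$DisabledOU = 'OU=Disabled Accounts,DC=agency,DC=example'   # assumed OU path
$DryRun     = $true   # set to $false only after reviewing the report

# -AccountInactive uses lastLogonTimestamp, which replicates domain-wide but
# can lag the true last logon by up to 14 days, so keep the window well
# above that lag to avoid disabling active users.
$Stale = Search-ADAccount -AccountInactive -TimeSpan $Window -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, Description, whenCreated |
    # Accounts created inside the window have simply not been used yet.
    Where-Object { $_.whenCreated -lt ((Get-Date) - $Window) }

$Stale | Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Format-Table -AutoSize

foreach ($u in $Stale) {
    $note = "Disabled $(Get-Date -Format s) by deprovisioning sweep; last logon: $($u.LastLogonDate)"
    Disable-ADAccount -Identity $u -WhatIf:$DryRun
    Set-ADUser       -Identity $u -Description $note -WhatIf:$DryRun
    Move-ADObject    -Identity $u -TargetPath $DisabledOU -WhatIf:$DryRun
}
```

Service accounts that authenticate non-interactively still update lastLogonTimestamp, so they are not swept by mistake; accounts that are genuinely dormant by design (break-glass accounts, for example) should be excluded explicitly rather than by lengthening the window for everyone.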
There are many more things federal IT pros can do to monitor, manage, and secure AD. The suggestions above are a solid start; comprehensive monitoring of the AD environment helps federal IT pros protect the network and detect problems before end users report them and before they affect agency productivity.