Microsoft Active Directory Permissions: Best Practices for Data Protection
In this article, we present best practices for data protection in the most famous directory service: Microsoft Active Directory Domain Services (AD DS).
Microsoft Active Directory (AD) is a database that keeps track of all the “objects” in the system – users, computers, security groups, services, etc. AD DS provides one central location for defining and updating all the rights a particular object has on the network.
In short, it is a vital part of any Microsoft server system and should be given the highest level of security.
So let’s start with tips and best practices for securing Microsoft Active Directory the best way possible.
Least-Privilege User Access (LUA)
The principle of least privilege (PoLP, also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. (Wikipedia Definition)
As part of those principles, the recommendation is the use of LUA:
LUA is the reverse of granting administrative privileges to all users and then scaling back permissions as needed. It’s one of the best tips for keeping your network safe.
It is the “hard way” of granting permissions to users, and in a sense it is personalized for each user. It is based on determining the needs of every user on the network and granting permissions for those needs, no more, no less.
The process is not easy; it requires a lot of communication and takes a lot of time to configure the system that way. But in the long term, your system will operate safely and as it should.
There are variations of this plan, such as creating “section groups” with different permissions and then placing everyone from the section in them. But that is not a personalized setup, and it can still offer too much or too little to an individual user.
Know Your Active Directory Security Model
The Microsoft Active Directory security model keeps every object stored in Active Directory safe and protected.
That includes domain user and computer accounts, security groups, and group policies.
It helps administrators determine user access to any object, and gives the option to specify access for groups of users as part of security management.
Every single object in Microsoft Active Directory has a security descriptor associated with it. The security descriptor defines the permissions on an object. Its attributes include the permission set, or Access Control List (ACL), which contains numerous Access Control Entries (ACEs) that allow or deny specified security permissions to a user or security group.
ACEs can be explicit or inherited; explicit ACEs generally override inherited ACEs.
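To see the security descriptor, ACL and ACEs on a real object, the following PowerShell is an added example, not part of the original article. It assumes the RSAT ActiveDirectory module and read access to the directory; the distinguished name is a constructed placeholder, and `Get-AdObjectAce` and the `CanChangeAcl` column are names chosen for this example.

```powershell
# Added example, not from the original article.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

function Get-AdObjectAce {
    param(
        [Parameter(Mandatory)]
        [string]$DistinguishedName
    )
    # The module exposes the directory as the AD: drive, so Get-Acl returns
    # the object's security descriptor; .Access is the list of ACEs in its ACL.
    $sd = Get-Acl -Path "AD:\$DistinguishedName"

    # Rights that let a principal rewrite the object's permissions or take
    # ownership. GenericAll contains both bits, so it is caught as well.
    $aclControl = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'

    foreach ($ace in $sd.Access) {
        [pscustomobject]@{
            Principal    = $ace.IdentityReference.Value
            Type         = $ace.AccessControlType          # Allow or Deny
            Rights       = $ace.ActiveDirectoryRights
            Source       = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
            CanChangeAcl = ($ace.AccessControlType -eq 'Allow') -and
                           (([int]$ace.ActiveDirectoryRights -band $aclControl) -ne 0)
        }
    }
}

# Constructed placeholder DN; replace with an OU, user or group in your domain.
$aces = Get-AdObjectAce -DistinguishedName 'OU=Finance,DC=example,DC=com'

# How many ACEs were set on the object itself versus inherited from a parent.
$aces | Group-Object Source, Type | Select-Object Name, Count

# Explicit ACEs were granted on this object directly, so review them first.
$aces | Where-Object Source -eq 'Explicit' |
    Sort-Object Principal |
    Format-Table Principal, Type, Rights, CanChangeAcl -AutoSize
```

Any principal listed with `CanChangeAcl` set to True can grant itself further rights on the object, so under least privilege that column should be true only for administrative groups.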
And this is just the tip of the Microsoft Active Directory security model iceberg.
The security model is not an easy thing to learn or explain in a single article. Even some experienced administrators have a hard time understanding the full model. So every system administrator is advised to make it a personal goal to gather as much knowledge about it as possible.
A better understanding of it provides better insight into how system security functions and better protection of your organization, and with that better productivity and quality of service.
A lot more regarding Active Directory Security Model can be found at the following link:
Keep Your Software Up To Date and Secure
In May 2017, many Windows Server based systems were hit by the WannaCry ransomware worm. Even though Microsoft had discovered the vulnerability and released a patch a month before the attack took place, many systems had not applied it and were struck by the worm, which broke into systems, encrypted data and demanded a ransom in Bitcoin.
The attack was stopped within a few days of its discovery due to emergency patches released by Microsoft, and the discovery of a “kill switch” that prevented infected computers from spreading WannaCry further.
The attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars.
Experts advised affected users against paying the ransom, because there were no reports of any data being returned after payment and because high revenues would encourage more such attacks. After the attack had subsided, a total of 327 payments totaling $130,634.77 (51.62396539 XBT) had been transferred.
As with all examples, this one is a great opportunity to learn from previous errors so that they are not made again.
This expensive and very real example shows the importance of software updating and applying official patches to your system software.
Software without updates applied is unreliable software. A patch or update is made for a reason, and in most cases it improves security and makes your system less vulnerable to attacks.
For that purpose, Microsoft has great sites that help administrators keep their systems healthy and protected. It is highly recommended that all admins monitor TechNet and the Microsoft Secure Blog to keep up with system software and security updates.
It is not only up to administrators, although their part of the job is the most important; it is also up to organizations to keep their hardware updated. Obsolete hardware can raise the risk of security breaches. Organizations should therefore realize that investing in hardware is not money thrown away, but an investment in security and functionality.
Usage of built-in Active Directory Features
A lot of built-in Active Directory features can help administrators in protecting data and the system environment. None of them are “one program solves all” type of programs or some “big” lifesaving solutions, but correct usage of them can lower the risk of potential security breaches.
This is a list of some of the useful built-in features:
Security Descriptor Propagator – Compares the permissions on the domain object with the permissions on the domain’s protected user accounts and groups. If it finds any mismatch, it will reset the permissions.
AdminSDHolder – Ensures enforcement of permissions on protected user accounts and groups, regardless of their location in the domain.
Privileged Identity Management – Allows the administrator to grant temporary rights and permissions to an account to perform any required functions.
Role-based Access Control – Provides the administrator with the option of grouping users and giving them access to resources on the domain according to previously defined rules.
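The first two features can be checked from PowerShell. The script below is an added example, not part of the original article: it reads the ACL of the AdminSDHolder object in the domain's System container and compares it with the ACL of every user and group marked as protected (`adminCount = 1`). It assumes the RSAT ActiveDirectory module and read access to the directory; `Get-AceKey` and the report column names are chosen for this example.

```powershell
# Added example, not from the original article.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# Flatten a security descriptor's ACEs into sortable strings for comparison.
function Get-AceKey {
    param($SecurityDescriptor)
    $SecurityDescriptor.Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}|{5}' -f $_.IdentityReference, $_.AccessControlType,
            $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType,
            $_.InheritanceType
    } | Sort-Object -Unique
}

# AdminSDHolder sits in the System container of the domain partition.
$domainDn   = (Get-ADDomain).DistinguishedName
$holder     = Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDn" `
                  -Properties nTSecurityDescriptor
$holderKeys = Get-AceKey $holder.nTSecurityDescriptor

# Users and groups marked as protected carry adminCount = 1.
$filter    = '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))'
$protected = Get-ADObject -LDAPFilter $filter -Properties nTSecurityDescriptor

$report = foreach ($obj in $protected) {
    $sd   = $obj.nTSecurityDescriptor
    $diff = @(Compare-Object $holderKeys (Get-AceKey $sd))
    [pscustomobject]@{
        Name               = $obj.Name
        Class              = $obj.ObjectClass
        InheritanceBlocked = $sd.AreAccessRulesProtected   # expected: True
        AceDifferences     = $diff.Count                   # expected: 0
        DistinguishedName  = $obj.DistinguishedName
    }
}

# Objects that differ from the AdminSDHolder template are listed first.
$report | Sort-Object AceDifferences -Descending |
    Format-Table Name, Class, InheritanceBlocked, AceDifferences -AutoSize
```

A non-zero `AceDifferences` or an `InheritanceBlocked` value of False is a prompt for review rather than proof of a problem: the object may have been changed since the last propagation run, or `adminCount` may be left over from an earlier group membership.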
Usage of Isolated Workstations for Managing DCs
If there is a need to log on to Active Directory with an elevated account, for any reason, these operations should always be performed from a special device, preconfigured to reduce the risks associated with everyday tasks.
Such workstations should be isolated from the internet, and when used, they should be used with the Least-Privilege User Access (LUA) principles described earlier.
Those workstations should be completely protected by all kinds of security software available (anti-malware, endpoint firewall and application control).
DC workstations should be kept in their own organizational unit so that a special set of group policies can be applied to them (restricted local logons and other limitations).
User accounts used on isolated workstations may be Service Desk accounts that have the ability to reset passwords for most of the users in a domain, accounts that are used to administer DNS records and zones, or accounts that are used for configuration management. Secure administrative hosts should be dedicated to administrative functionality, and they should not run software such as email applications, web browsers, or any type of productivity software.
In conclusion, the security of Microsoft Active Directory is a huge, live topic, and it can be studied and elaborated over and over. The best practices, alongside the use of the described tools and techniques, are continuous learning and regular monitoring, not only of your systems but also of Microsoft news and updates.
It is a hard job, without long-term solutions. As systems develop and change, so do potential threats and malware, but being a server administrator is like that: a never-ending process.