Thursday, November 18, 2010

Auditing is Important, But Periodic Security Assessments Are Also Important

In the last post we took a look at some of the most important tasks that you should definitely consider auditing in Active Directory. It is very helpful and valuable to have the right audit settings in place, and turned on, so that when these tasks are carried out, you are in the know.

However, it is also important to keep in mind that auditing is primarily a reactive measure, i.e. it informs you about the occurrence of an event that has already taken place. While this can certainly be helpful in maintaining security, it is not always enough on its own.

Consider for instance a scenario wherein a delegated administrator was able to reset the password of a more powerful administrator. Suppose you had auditing turned on: an audit event would certainly be generated, but by the time you took notice of it and figured out that it was unusual, that individual could already have logged in as the powerful administrator and done substantial damage, and you would not have been able to prevent that from happening.

So, in this case, while auditing would help figure out who may have compromised security, the fact is that the damage would have been done, and auditing would not have helped you prevent this security incident.

The point here is that while auditing is important, it is equally important to periodically assess the security of your Active Directory so you can identify and lock down any excessive administrative grants that could endanger it.

By the way, when you are reviewing security grants in Active Directory, please make sure that you review them correctly. What you see in Active Directory permissions is not always what really is. Meaning that just because someone is granted some privileges in some security entry, it does not necessarily mean that that individual would actually have the ability to carry out that task. This is because there could be other entries for that user, or for some group that he/she is a member of, and these other entries could negate the first one.
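The two points above (periodically assessing who can reset a privileged account's password, and reading the DACL the way Windows evaluates it rather than entry by entry) can be illustrated with a small model. The following is an added example, not code from the original post; the account, principal and group names and the ACEs are constructed sample data, and only the extended-rights GUID for "Reset Password" (User-Force-Change-Password) is a real, documented Active Directory identifier.

```python
"""Model of how Active Directory evaluates a DACL for one extended right.

Shows why an Allow entry you see in the permissions dialog is not the same
thing as the permission a principal effectively holds: explicit Deny entries
take precedence over everything, explicit Allow beats inherited Deny, and a
user's group memberships bring in entries that are not written for the user.

All names and ACEs below are constructed sample data (hypothetical), not taken
from any real directory.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Documented extended-rights GUID for the "Reset Password" control-access right
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
ALL_EXTENDED_RIGHTS = None   # an ACE with no objectType covers every extended right


@dataclass(frozen=True)
class Ace:
    """One control-access ACE. `trustee` stands in for the SID."""
    trustee: str
    allow: bool                      # True = Allow ACE, False = Deny ACE
    object_type: Optional[str]       # extended-right GUID, or None for "all"
    inherited: bool = False          # came from a parent OU, not set on the object


def canonical_order(dacl: List[Ace]) -> List[Ace]:
    """Order ACEs the way Windows does before an access check:
    explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def has_control_right(principal: str, groups: Dict[str, Set[str]],
                      dacl: List[Ace], right_guid: str) -> bool:
    """True if `principal` effectively holds the extended right `right_guid`.
    `groups` maps principal -> all groups it belongs to (already expanded)."""
    tokens = {principal} | groups.get(principal, set())
    for ace in canonical_order(dacl):
        if ace.trustee not in tokens:
            continue
        if ace.object_type not in (ALL_EXTENDED_RIGHTS, right_guid):
            continue
        return ace.allow      # first matching ACE in canonical order decides
    return False              # nothing matched: implicitly denied


def who_can_reset(principals: List[str], groups: Dict[str, Set[str]],
                  dacl: List[Ace]) -> List[str]:
    """Every listed principal that can effectively reset the protected password."""
    return sorted(p for p in principals
                  if has_control_right(p, groups, dacl, RESET_PASSWORD))


def find_excessive_grants(principals: List[str], groups: Dict[str, Set[str]],
                          dacl: List[Ace], approved: Set[str]) -> List[str]:
    """Principals holding the right who are not on the approved list:
    the 'excessive grants' a periodic assessment should surface."""
    return [p for p in who_can_reset(principals, groups, dacl) if p not in approved]


# Constructed sample DACL on a privileged account (hypothetical names throughout)
SAMPLE_DACL = [
    Ace("HelpdeskTier1", allow=True, object_type=RESET_PASSWORD, inherited=True),  # delegated at the OU
    Ace("bob", allow=False, object_type=RESET_PASSWORD),                          # explicit Deny on the object
    Ace("Contractors", allow=False, object_type=ALL_EXTENDED_RIGHTS, inherited=True),
    Ace("carol", allow=True, object_type=ALL_EXTENDED_RIGHTS),                    # explicit Allow, all rights
    Ace("Domain Admins", allow=True, object_type=ALL_EXTENDED_RIGHTS),
]
SAMPLE_GROUPS = {
    "bob": {"HelpdeskTier1"},      # looks delegated, but the explicit Deny wins
    "dave": {"HelpdeskTier1"},     # inherited Allow via the group
    "carol": {"Contractors"},      # inherited Deny via the group, but explicit Allow wins
    "erin": {"Contractors"},       # inherited Deny via the group
    "alice": {"Domain Admins"},
}
SAMPLE_PRINCIPALS = ["alice", "bob", "carol", "dave", "erin"]
APPROVED = {"alice"}

if __name__ == "__main__":
    print("can reset:", who_can_reset(SAMPLE_PRINCIPALS, SAMPLE_GROUPS, SAMPLE_DACL))
    print("excessive:", find_excessive_grants(SAMPLE_PRINCIPALS, SAMPLE_GROUPS,
                                              SAMPLE_DACL, APPROVED))
```

In the sample, bob appears to be delegated the right through HelpdeskTier1 yet cannot use it, and carol appears denied through Contractors yet can; reading the entries one at a time gives the wrong answer in both cases. Against a real directory the same fields (Allow/Deny, the object type GUID, and whether the entry is inherited) are what the ActiveDirectory PowerShell module returns from `Get-Acl` on the `AD:` drive, so the evaluation above can be applied to exported DACLs as part of a scheduled assessment.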

That's all for now. Thanks, and have a happy Thanksgiving!

4 comments:

  1. Charles,

    You certainly make a very good point about the importance of periodically assessing security in Active Directory, especially if you have multiple admins.

    BTW, just wanted to let you know that I came across a tool that I think might be suited perfectly for such periodic AD assessments.

    It is called Gold Finger for and it has just about every AD report you can think of. There's also a free version available, which is the one I tried.

    Thought it might help in your assessments, esp. if you need to do them on a regular basis.

    Cheers,
    Marc

  2. Hi Charles,

    Active Directory Security is critical to organizational security today and the need to know who has what access in Active Directory has become critical today.

    A good Permissions Analyzer for Active Directory can help identify, lockdown and audit security permissions in Active Directory quickly and efficiently.

    I recently came across a helpful post on How to View Active Directory (AD) Security Permissions and Perform ACL / Permissions Analysis so I thought I'd share it with you.

    Thanks,
    Aaron

  3. Hello Charles,

    What are your thoughts about the security implications of outsourcing the management of critical IT services like DNS, DHCP, Active Directory, email (Exchange) etc. to outsourced providers? I think outsourcing of Microsoft's Active Directory technology impacts global security but I would like to hear your thoughts on the same.

    Thanks,
    Rajiv.

  4. Hello Charles,

    In my experience as an IT analyst, I have found that while many organizations use Active Directory so extensively, most of them don't seem to be aware of the various Active Directory Risks that exist today, and how these risks impact Active Directory Security. This is concerning because Active Directory is so widely deployed today and I worry that it may be vulnerable, whether to Kerberos-to-NTLM downgrade attacks, or other kinds of attacks such as Active Directory Privilege Escalation which it seems could be launched by insiders as well.

    Best wishes,
    Andrew
