Locking Down Your Network with Active Directory
Active Directory is the directory service that ships with Windows Server. In other words, if your organization has a Windows server, you most likely have Active Directory. It authenticates every user and computer that joins the domain and, at each logon, hands the account a token listing the groups it belongs to; those group memberships are what decide what the user can reach on the network.
This might sound pretty boring, but you can do a LOT with it to control your users and protect your business. On the other side of the coin, if your Active Directory isn't set up well, you could be leaving things wide open, preventing you from meeting industry compliance regulations or granting your users more access than they really should have.
We’re going to discuss some of our Active Directory best practices, but a quick disclaimer first: there isn’t a one-size-fits-all solution for all organizations. Depending on your security needs, the type of permissions you need to have, and any compliance regulations your business falls under, some of these policies won’t apply as-is for you. Still, if you are coming from a situation where you don’t have anything (or hardly anything) in place, this is a great place to start.
Nobody Needs to be an Administrator
When users log into their PC on your domain, they are logging in with their domain account, which is centralized in Active Directory.
Not a single user on your network, whether it's the owner of the company, your onsite IT person, or the Pope, needs to log into Windows on a daily basis with administrative privileges. This includes privileged access as a Domain Admin AND local admin rights on that particular machine.
Why? It's just too risky. Administrative rights override every other control you put on the machine (an admin can turn off antivirus, change policy settings, and read any file or stored credential on the box), and there is no reason for day-to-day work to need them. Instead, we suggest following the least-privilege administrative model: each user gets only the minimum permissions needed to complete their work, and access is elevated temporarily, through a separate account, when more is needed. Otherwise, if a user opens a malicious attachment, the malware runs with exactly the access that user has. With admin rights it can disable protections, grab the credentials cached on that PC and use them to spread across the network; with a locked-down user account it is confined to what that user could touch and has a far smaller impact.
This means that everyone on the network, including the business owner, IT staff, and/or the Pope, logs in as a regular non-administrator to do their normal day-to-day work. If they need administrative control, they switch to a separate admin account for that task and then go back.
Keep that administrative account secret, safe, and carefully guarded (by the Swiss Guard if need be).
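One way to check who is actually sitting in the privileged groups, as an added example that is not part of the original post. It uses the RSAT ActiveDirectory PowerShell module and assumes a naming convention in which dedicated admin accounts end in "-adm" (a hypothetical convention; change `$AdminSuffix` to match yours):

```powershell
# Added example, not from the original post. Lists every user in the usual privileged
# groups and flags the ones that look like everyday accounts rather than dedicated
# admin accounts. Assumes the RSAT ActiveDirectory module and a hypothetical "-adm"
# suffix for dedicated admin accounts.
Import-Module ActiveDirectory

$AdminSuffix      = '-adm'
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so people who are admins only through a
    # group-in-a-group are not missed. Forest-level groups only exist in the root
    # domain, hence SilentlyContinue when run in a child domain.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName `
                        -Properties Enabled, LastLogonDate, PasswordNeverExpires, mail
        [pscustomobject]@{
            Group                = $group
            Account              = $u.SamAccountName
            Enabled              = $u.Enabled
            LastLogonDate        = $u.LastLogonDate
            PasswordNeverExpires = $u.PasswordNeverExpires
            # A mailbox on a privileged account usually means it is used for daily
            # work, which makes it a phishing target with admin rights attached.
            HasMailbox           = [bool]$u.mail
            NotDedicatedAdmin    = -not $u.SamAccountName.EndsWith($AdminSuffix)
        }
    }
}

$findings | Sort-Object Group, Account | Format-Table -AutoSize

# The accounts to act on: move them out of the group, or give the person a separate
# -adm account and keep the everyday account as a plain user.
$findings | Where-Object { $_.NotDedicatedAdmin -or $_.HasMailbox -or $_.PasswordNeverExpires } |
    Select-Object Group, Account, NotDedicatedAdmin, HasMailbox, PasswordNeverExpires
```

Run it from any domain-joined machine with RSAT as a normal user; reading group membership needs no special rights, which is also why an attacker's first step is usually the same query.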
Force Strong, Complex Passwords and Set Password Expirations
Human beings are terrible at creating and memorizing complex passwords. Unfortunately, hackers, or at least the tools that hackers use, are very good at guessing passwords that aren’t complex enough.
Quick tip: Teach your staff to use passphrases instead. Four or five words picked at random from a large word list give an attacker far more combinations to try than an eight-character "complex" password, and they are much easier to remember. The key is that the words must be chosen randomly; a song lyric or a familiar saying is easy to guess. Here's a quick example:
Bad Passphrase Examples:
Good Passphrase Examples:
Back to Active Directory: require passwords to be long, at least 12 characters, and lock an account out after three failed attempts. Forcing passwords to expire every 30, 60, or 90 days is a common policy too, and Active Directory can remember the password history (and enforce a minimum password age) so a user cannot rotate straight back to last month's password. Two caveats from practice: a lockout threshold as low as three lets anyone who can guess usernames lock your staff out at will, so pair it with an automatic unlock after a short lockout duration and weigh a somewhat higher threshold; and since 2019 Microsoft's own security baseline no longer requires periodic expiration, on the grounds that forced rotation pushes people toward predictable variations of the old password, so if you screen new passwords against known-breached lists, longer lifetimes are reasonable.
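The settings above applied to the default domain policy, then checked, with a stricter fine-grained policy for admin accounts on top, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, a Domain Admin session, and placeholder names for the policy ("PSO-PrivilegedAccounts") and the sample admin account ("jsmith-adm"):

```powershell
# Added example, not from the original post. Applies the policy described above to the
# default domain password policy, verifies it, then gives privileged accounts a stricter
# fine-grained policy (PSO). Assumes the RSAT ActiveDirectory module, a Domain Admin
# session, and the placeholder names PSO-PrivilegedAccounts and jsmith-adm.
Import-Module ActiveDirectory
$Domain = (Get-ADDomain).DNSRoot

$domainPolicy = @{
    Identity                    = $Domain
    MinPasswordLength           = 12
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24                          # remember the last 24 passwords
    MinPasswordAge              = (New-TimeSpan -Days 1)      # stops cycling 24 changes back to the old one
    MaxPasswordAge              = (New-TimeSpan -Days 90)     # 90-day expiry, as discussed above
    LockoutThreshold            = 3                           # failed attempts before lockout
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)  # window in which the 3 attempts are counted
    LockoutDuration             = (New-TimeSpan -Minutes 30)  # auto-unlock, limits lockout denial of service
    ReversibleEncryptionEnabled = $false                      # never store passwords reversibly
}
Set-ADDefaultDomainPasswordPolicy @domainPolicy

# Verify what the domain actually enforces now
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MinPasswordAge, MaxPasswordAge, LockoutThreshold,
                  LockoutObservationWindow, LockoutDuration

# Admin accounts get a longer minimum through a fine-grained password policy.
# If several PSOs apply to one account, the lowest Precedence wins.
$adminPolicy = @{
    Name                        = 'PSO-PrivilegedAccounts'
    Precedence                  = 10
    MinPasswordLength           = 20
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    LockoutThreshold            = 3
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false
}
New-ADFineGrainedPasswordPolicy @adminPolicy
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins'

# Confirm which policy an individual account ends up with
Get-ADUserResultantPasswordPolicy -Identity 'jsmith-adm'
```

Fine-grained policies need a domain functional level of Windows Server 2008 or later, and they apply to users and global security groups only, which is why the subject here is the group rather than an OU.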
Delegate Permissions to Security Groups, not Individual Accounts
This is something we catch pretty often when we audit a prospect's network for security issues. At some point, it was decided that one particular user needed access to a specific directory, so that person's account was granted that permission directly on the folder. Months later nobody remembers it: it does not show up in the user's group memberships, it stays in place when the person changes roles or leaves, and the next person who needs the same access gets yet another one-off entry on the folder.
Grant access through security groups instead: put the permission on a group once, then manage who has that access by adding and removing members. You'll be able to keep track of who can see what by reading group memberships rather than crawling file system permissions, and that will save you a lot of time and money when it comes to managing it and making sense of it later.
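An audit for exactly this, followed by the group-based fix, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module; the share `\\FS01\Finance`, the OU path, the CONTOSO domain and the group and user names are placeholders:

```powershell
# Added example, not from the original post. Part 1 walks a share and reports explicit
# (non-inherited) NTFS entries granted straight to user accounts. Part 2 grants the same
# access the right way, through groups, and removes the direct entries. Assumes the RSAT
# ActiveDirectory module; \\FS01\Finance, the OU, CONTOSO and all names are placeholders.
Import-Module ActiveDirectory

function Find-DirectUserAces {
    param([Parameter(Mandatory)][string]$Path)

    $dirs = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($d in $dirs) {
        $acl = Get-Acl -Path $d.FullName
        # Inherited entries come from a parent; only explicit ones were set here by hand
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
            } catch { continue }                       # local or orphaned SIDs: skip
            if ($obj -and $obj.objectClass -eq 'user') {
                [pscustomobject]@{
                    Path    = $d.FullName
                    Account = $ace.IdentityReference.Value
                    Rights  = $ace.FileSystemRights
                    Type    = $ace.AccessControlType
                }
            }
        }
    }
}

# Part 1: what to clean up
$Share  = '\\FS01\Finance'
$direct = Find-DirectUserAces -Path $Share
$direct | Format-Table -AutoSize

# Part 2: the same access granted the way it should be (AGDLP): the user goes in a
# global "role" group, the role group goes in a domain local "ACL" group, and only the
# ACL group appears on the folder.
$OU = 'OU=Groups,DC=contoso,DC=com'
New-ADGroup -Name 'ACL_Finance_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $OU
New-ADGroup -Name 'Role_FinanceStaff'  -GroupScope Global      -GroupCategory Security -Path $OU
Add-ADGroupMember -Identity 'ACL_Finance_Modify' -Members 'Role_FinanceStaff'
Add-ADGroupMember -Identity 'Role_FinanceStaff'  -Members 'jdoe'

$acl  = Get-Acl -Path $Share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'CONTOSO\ACL_Finance_Modify', 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)

# Remove the direct user entries found on the share root, now that the group covers them
$rootAccounts = ($direct | Where-Object { $_.Path -eq (Get-Item -Path $Share).FullName }).Account
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    if ($rootAccounts -contains $ace.IdentityReference.Value) {
        $null = $acl.RemoveAccessRule($ace)
    }
}
Set-Acl -Path $Share -AclObject $acl
```

Run part 1 on its own first and review the list with the data owner; the entries it finds are usually the only record that the access was ever granted.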
Use LAPS (Local Administrator Password Solution)
LAPS is a free tool from Microsoft that extends Active Directory so it can manage the built-in local administrator account on each individual PC on the network. That local administrator account has full control over everything on that particular workstation or laptop, so it is something you definitely don't want compromised.
Many businesses and IT experts will deploy images of Windows across each computer in the organization to save a ton of time when configuring settings. Basically, when you purchase a new workstation, IT takes a pre-built clone configuration that includes the operating system, most of the software, and optimal settings for your company, and rolls it out on the new system. Unfortunately, this image-based deployment also carries over the local admin account and its password, so every machine ends up with the same one, and an attacker who recovers it from one PC can log into all of them. LAPS solves this by having each computer generate its own random local administrator password, store it in a protected attribute of its computer object in Active Directory (readable only by the accounts you authorize), and rotate it on a schedule. It's one of the best free and simple solutions for protecting your network against lateral movement from device to device.
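The LAPS setup and a coverage check, as an added example that is not part of the original post. It uses the AdmPwd.PS module that ships with the original (2015) LAPS installer and assumes the management tools are installed, the schema has been extended once as a Schema Admin, and that the OU, the Helpdesk group and the computer name WS01 are placeholders. Windows LAPS, built into Windows since 2023, replaces these cmdlets with the LAPS module (for example `Get-LapsADPassword`), but the attribute-based audit at the end still applies to machines running the older client:

```powershell
# Added example, not from the original post. Configures the original LAPS (AdmPwd.PS
# module) for a workstation OU, shows how a password is retrieved, then audits which
# computers actually have a current managed password. Assumes the LAPS management tools
# and RSAT; the OU, CONTOSO\Helpdesk and WS01 are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$WorkstationOU = 'OU=Workstations,DC=contoso,DC=com'

# One-time, as a Schema Admin: adds ms-Mcs-AdmPwd (the password) and
# ms-Mcs-AdmPwdExpirationTime to the schema
Update-AdmPwdADSchema

# Let each computer write its own password and expiry to its own computer object only
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU

# Only the help desk may read passwords or force a reset; everyone else gets nothing
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationOU -AllowedPrincipals 'CONTOSO\Helpdesk'
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals 'CONTOSO\Helpdesk'

# Check who else can read the passwords: any principal holding "All extended rights"
# on the OU (often delegated long ago) can read them too
Find-AdmPwdExtendedRights -Identity $WorkstationOU | Format-Table -AutoSize

# Retrieve one machine's password when the help desk needs it, then reset it afterwards
Get-AdmPwdPassword -ComputerName 'WS01'
Reset-AdmPwdPassword -ComputerName 'WS01'

# Coverage audit: computers with no LAPS password or an expired one. The expiration time
# is stored as a Windows FILETIME (100-ns ticks since 1601) and, unlike the password,
# is readable by every authenticated user.
$now = Get-Date
Get-ADComputer -Filter * -SearchBase $WorkstationOU -Properties 'ms-Mcs-AdmPwdExpirationTime', LastLogonDate |
    ForEach-Object {
        $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime() } else { $null }
        [pscustomobject]@{
            Computer      = $_.Name
            LastLogonDate = $_.LastLogonDate
            LapsExpires   = $expires
            Status        = if (-not $raw)             { 'NoLapsPassword' }
                            elseif ($expires -lt $now) { 'Expired' }
                            else                       { 'OK' }
        }
    } | Where-Object { $_.Status -ne 'OK' } | Sort-Object Status, Computer
```

A machine that shows "NoLapsPassword" but has logged on recently is one where the client-side extension is not installed or the Group Policy that enables it is not applied; that is the machine still carrying the image's shared password.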
Document Everything, and Schedule Reviews and Clean Up Sessions
Ever find a note you wrote down for yourself a year later and wonder what was going through your mind when you wrote it?
We don’t all have hyperthymesia (the ability to remember an abnormally large number of things in vivid detail). You may have put a ton of thought and foresight into building out your permission groups and determining who should have access to what, but when you go to revisit that a year or two later, it is going to be like trying to read a foreign language.
Document everything carefully. What groups have access to what directories? What network permissions do they have? Are there exceptions? Having all of this clearly defined and kept updated as things change will make managing and re-arranging things much faster.
It doesn’t hurt to plan regular audits of your Active Directory as well, depending on how often things change, or users get added or moved around.
Active Directory is the Backbone of Issue Monitoring
Because every domain logon, group change and account lockout passes through your domain controllers, their Security logs are the natural place to watch for signs of compromise, and Group Policy can switch on the same auditing on every workstation and forward it to a central collector. Our technicians in the Network Operations Center utilize this data for clients that we provide monitoring and maintenance for, because when we catch a problem early, we can resolve it before the client even feels the results of it.
Here are just a few things that Active Directory lets you monitor and report on:
- Group permission changes
- Account lockouts
- Antivirus being disabled or removed
- Logon and Logoffs
- Spikes in bad password attempts
- Usage of local administrator accounts
Plus, we are able to do Windows Event Log reporting, which includes a ton of information about each individual machine, like the health of the hard drive, errors that could lead to crashes and slowdowns, failed updates, and a whole lot more.
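The Windows events behind the list above, pulled from a domain controller and summarized, as an added example that is not part of the original post. It assumes that DC01 and WS01 are placeholders, that you have rights to read the remote Security log, and that the Advanced Audit Policy subcategories "Security Group Management", "Logon", "Special Logon", "Credential Validation" and "Kerberos Authentication Service" are enabled on the DC (they are not all on by default):

```powershell
# Added example, not from the original post. Pulls the events behind the monitoring list
# from a domain controller's Security log for the last 24 hours and summarizes them.
# Assumes DC01 and WS01 are placeholders and the audit subcategories named above are on.
$DC    = 'DC01'
$Since = (Get-Date).AddHours(-24)

$ids = @{
    GroupChange = 4728, 4729, 4732, 4733, 4756, 4757   # member added/removed: global, local, universal security groups
    Lockout     = 4740                                 # account locked out
    BadPassword = 4625, 4771, 4776                     # failed logon, Kerberos pre-auth failed, NTLM validation failed
    AdminLogon  = 4672                                 # special privileges assigned: an admin-equivalent logon
    # 4624/4634 (logon/logoff) are very high volume on a DC; query them on the workstation instead
}

function Get-EventField {
    param($Event, [string]$Name)
    # Named EventData fields are only reachable through the XML view of the event
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$allIds = $ids.GroupChange + $ids.Lockout + $ids.BadPassword + $ids.AdminLogon
$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
              LogName = 'Security'; Id = $allIds; StartTime = $Since
          } -ErrorAction SilentlyContinue

# Spikes in bad password attempts: accounts with the most failures
$events | Where-Object { $_.Id -in $ids.BadPassword } |
    ForEach-Object { Get-EventField $_ 'TargetUserName' } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# Account lockouts: in 4740 the machine the bad attempts came from is in TargetDomainName
$events | Where-Object { $_.Id -eq $ids.Lockout } | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = Get-EventField $_ 'TargetUserName'
        From    = Get-EventField $_ 'TargetDomainName'
    }
}

# Group membership changes: who added or removed whom, in which group
$events | Where-Object { $_.Id -in $ids.GroupChange } | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Action = if ($_.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' }
        Group  = Get-EventField $_ 'TargetUserName'   # for these events the "target" is the group
        Member = Get-EventField $_ 'MemberName'
        By     = Get-EventField $_ 'SubjectUserName'
    }
}

# Administrative logons: 4672 fires for every admin-equivalent token. Computer accounts
# (names ending in $) and SYSTEM generate most of these, so filter them out.
$events | Where-Object { $_.Id -eq $ids.AdminLogon } |
    ForEach-Object { Get-EventField $_ 'SubjectUserName' } |
    Where-Object { $_ -notmatch '\$$' -and $_ -ne 'SYSTEM' } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name

# Antivirus being turned off is logged by the product on the endpoint, not by AD.
# For Microsoft Defender: 5001 real-time protection disabled, 5010 and 5012 scanning
# for malware/viruses disabled.
Get-WinEvent -ComputerName 'WS01' -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5010, 5012; StartTime = $Since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

The same queries are what a monitoring agent runs on a schedule; the value is in the baseline, since a handful of 4672 events for the -adm accounts is normal and the same count for an everyday account is the finding.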
Get Your Network Assessed
This just barely scratches the surface with what a properly configured Active Directory can do for your organization. Whenever we audit a new client’s network for the very first time, we often see Active Directory being underutilized or improperly configured.
Do you ever question the setup of your network? If you often run into issues or feel that your staff has more access than they really need, running a network assessment certainly wouldn’t hurt.
We offer a free, one-time network assessment where we build a report on any security issues or misconfigurations found on your network. We also understand that you might not want to tip off your existing IT person(s) that you are having a third-party audit their work, so we can do this very discreetly to give you peace of mind without causing any upset with your internal IT department.
Want to get started? Give us a call at 603-889-0800 today.