The 5 Most Critical Points


The 5 Most Critical Points For Active Directory Security Monitoring
July 2008, Version 1.0
NetVision, Inc.

CONTENTS

- Executive Summary
- Introduction
- Overview
- User Account Creations
- Group Membership Changes
- Organizational Unit Changes
- User Account Attribute Changes
- Orphaned Accounts
- Bonus Content: Two Most Critical Points for Windows File System Security Monitoring
- Conclusion
- For More Information About NetVision

EXECUTIVE SUMMARY

Microsoft's Active Directory has clearly been established as the most widely deployed business network authentication mechanism. Both large and small enterprises leverage Active Directory's user credential store as the primary and central point for authentication across the business. Active Directory's powerful feature set, ease of use, and centralization enable simplified management of employee account and access information.

Technologies like Active Directory have enabled us to quicken the pace at which we do business. The resulting ease of access to information has created substantial security and privacy concerns. More and more data is being digitized as access to that data is simplified. Employees can now enter a set of credentials and a mountain of corporate information is immediately available at their fingertips. The security concerns are obvious. Technology removes the barriers that have traditionally prevented unwarranted access.

The fluidity of today's business environment amplifies the risk associated with inappropriate system and data access. People and information are mobile. Companies hire contractors and other transient workers. Employees work from home and on the road. The infrastructure that enables this fast-paced, dynamic environment is necessarily complex and difficult to secure.

Today's environment not only demands greater controls on systems and information, but it also demands greater accountability for access to those important assets. Many industry and government regulations have emerged which mandate audits of controls over system and information access. And even in industries or companies that are not regulated, security practitioners recognize the underlying value that regulators are trying to achieve. We must create accountability. You need to be able to provide proof of who has the potential to access sensitive information and who is actually accessing that information, perhaps inappropriately. And you must be able to audit how those access rights are being granted or revoked.

But how do you get there? Sorting through the technologies and requirements can be daunting. This document attempts to make it easier, or at least give you a place to start. It gives system administrators a list of the top five critical security points to monitor within Active Directory. If you do nothing else to audit access rights in your environment, monitor these five things. Monitoring these five simple aspects of Active Directory will give you an overview of what user accounts exist and what rights those accounts have within the environment. They will also help you identify critical changes that could indicate alarming or high-risk activity.

As a bonus, we'll include two important points of security monitoring on the Windows File System. Windows is a key component to any Active Directory environment. A successful audit should look at the Windows file system activity along with Active Directory. Use this guide to identify a starting point for creating a set of actionable security information that will both help minimize risk and position you for easy response to security audits.

INTRODUCTION

The security infrastructure surrounding any given Active Directory implementation can be large and complex. There are a variety of moving parts, and access to systems and applications is granted in numerous ways. Adding to the complexity is the fact that each organization has unique needs. Some organizations are bound by governmental compliance mandates and have a high amount of risk associated with inappropriate systems access. Others, because of their particular business needs, have much less risk tied to their systems or information. For these reasons, it's difficult to identify a one-size-fits-all set of rules that will fit snugly into every organization. But there are a handful of key audit points that are generally considered useful for just about any organization.

The points identified in this document have a wide reach across industries and organizations. NetVision has been helping its customers monitor directory and file system activity for more than a decade. Over that time, these key critical points have emerged as the most widely desired and the most valuable points of information for maintaining a secure environment. In many cases, they may represent just the tip of the iceberg in terms of security monitoring needs. In others, they meet a large percentage of the security audit requirements.

OVERVIEW

The five points identified in this document cover a set of administrative activity that represents some level of risk to most Active Directory environments. They include the basic activities of new account creations and confirming that old accounts are removed. They also cover rights changes via user attributes or group memberships.

For many organizations, these five points represent a good example of the well-known 80/20 rule: 20% of possible administrative actions represent 80% of the actual high-risk activity. That is, a small portion of action types (account creations and attribute changes, for example) represent a large portion of the activity that is actually carried out in any given day.

These five points are not only the most common administrative tasks; they also represent a very high level of impact. For example, it would be difficult to think of an administrative task that represents a bigger risk to the environment than creating a new account and applying new attributes or group memberships to that account. Keeping a close account of these five points enables you to understand what administrative activity is occurring, who is taking action, when it's happening, and where the changes are being applied.

The five most critical points for Active Directory monitoring include:

- User Account Creations
- Group Membership Changes
- Organizational Unit Renames
- User Account Attribute Changes
- Orphaned Accounts

USER ACCOUNT CREATIONS

In Active Directory, the rights and permissions that a person has are based on the user account that they use to authenticate themselves into the system. Accounts can have rights applied directly (such as in file system Access Control Lists) or indirectly (through security group memberships). Either way, the user accounts represent the most fundamental security entity within Active Directory. They are the basic unit to which security is applied.

It may be obvious, then, that the creation of new accounts in Active Directory should be monitored and audited on a regular basis. Among the most frequently asked questions by information technology auditors and managers are questions about which accounts exist and how they came to exist. Keeping a record of account creation activity makes it possible to answer these questions quickly and easily.

It's also critical to store more than the simple fact that an account was created. If all you knew was that two accounts were created today, that information would hardly be useful. You would want to know which accounts were created and who created them. Without that essential information, knowledge that an account was created would be useless.

Critical information to store during an account creation attempt includes:

Success or Failure of Creation Attempt
It's useful to know when someone attempts to create a new account, even if the attempt fails. A volume of failed attempts could indicate a security risk. Best practice therefore dictates that you store failed attempts as well as successful attempts and capture the success/fail status.

Account User Name
Within Active Directory, the user name or account ID is stored as the samaccountname attribute. This attribute enables you to quickly search the directory for the account. The samaccountname attribute is unique within an Active Directory forest. So, a search based on samaccountname should return the correct account.

Full Distinguished Name of the New Object
The Distinguished Name (DN) provides more than just another unique way to identify a user object. The DN gives you the full path of where the account lives within the directory tree. So, if you want to browse the tree to locate the new object and right-click to perform some administrative action, the DN would be very helpful by providing that path.

Time and Date
A good audit tool will always provide the time and date that an action occurred. This enables you to search by a given time or date. If you know that some activity occurred on a given day, you can run a report on that day's activity. Also, security process audits often require that you match administrative activity with an official approval process. So, an approval of a new account creation should correspond to the account actually being created. Having a record of time and date on a particular act enables easy matching of that act with its approval process.

Who Created the Account
One of the most critical pieces of information about an account creation is the administrative account used to create the new account. Understanding WHO created (or attempted to create) a new account gives you insight into who you can contact for more information, who might require additional monitoring or, in the case of a process audit, in whose inbox to look for the approval message.

Server
It is often useful to know on which server a given action took place. If the action was performed inappropriately, identifying the server may help identify the security hole which allowed the action to take place. Also, understanding which servers are being used may help you make decisions about infrastructure or connectivity.

UserAccountControl Value
The UserAccountControl attribute provides useful information about the new account, such as whether the account is enabled and whether critical flags have been set. One flag indicates whether or not a password is required for this account. An account created with the password-not-required flag set to the affirmative value could indicate an important security risk, or at least that an account has been created which is not in policy. Another similar flag sets the password to not expire, which again indicates risk and possible noncompliance with policy.

Monitoring user account creations is a critical security and audit function. In addition to understanding when a new account is created, we provided some important account attributes that should be monitored and recorded as part of the process.

Effectiveness of Real Time Monitoring
Real-time monitoring gives you simplified reporting after the fact, but also provides value via immediate alerting. If an account creation breaches a security policy (because the password is not required or because it was created in the wrong OU, for example), you can set up an alert that:

- Notifies you of the breach
- Initiates a remediation process to disable the new account and the account that was used to create it

In addition to capturing information and issuing alerts, this real-time activity also serves as an effective deterrent against would-be attackers.

GROUP MEMBERSHIP CHANGES

Security groups represent a major component in the Active Directory security infrastructure. Security groups are used to assign rights and permissions to a group of accounts rather than to individual accounts one at a time. This simplifies management of user account rights because similar users can be grouped and managed in bulk. For example, all HR personnel that need access to a new departmental application can be granted access through a single HR Department group which is granted rights to the application.
Along the same lines, multiple permissions can be grouped together and easily applied to a user whose organizational role corresponds to that group. For example, if an employee moves out of the HR department and into the marketing department, an administrator could simply remove them from the HR group and add them to the membership of the Marketing group. In an ideal state, this group membership change would remove any permissions granted to the employee for HR resources and grant all newly required permissions to marketing resources.

Since none of us live in an ideal state, one simple group change is often not enough. There are numerous groups within each department, and people tend to acquire group memberships over time, which increases their authority in the environment.

To make things more complex, group memberships can be inherited. A portal application might require that users belong to a group called Portal Users. If the company wants all employees to have access to the portal, they can simply add the All Users group to the membership of the Portal Users group. So, to find a person's effective rights within the environment, you need to understand group memberships and inheritance.

Because group memberships play such a dramatic role in Active Directory security, it is critical that membership changes are carefully monitored. You might also want to apply an alert to highly sensitive groups such as the Domain Admins group. Groups such as those shouldn't change often, and when they do, you probably want to know about it. Members of the Domain Admins group generally have full rights within the AD domain.
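The inheritance described above, as an added example that is not part of the NetVision paper: Python that resolves effective (nested) membership and replays change events, reporting every change that alters who is effectively in a sensitive group, including changes made to some other group. The group names, users, administrator accounts and the event tuple layout are constructed assumptions.

```python
"""Effective group membership and sensitive-group change review (added example)."""

# Constructed sample directory: group -> direct members. A member that is also
# a key is a nested group; every group, even an empty one, must have a key.
MEMBERS = {
    "Domain Admins": ["alice"],
    "Portal Users": ["All Users"],
    "All Users": ["alice", "bob", "carol"],
    "HR": ["bob"],
    "Marketing": ["carol"],
    "Helpdesk": ["dave", "Tier2"],
    "Tier2": ["erin", "Helpdesk"],  # circular nesting must not loop forever
}

# Constructed change log: (when, actor, action, group, member).
EVENTS = [
    ("2008-07-02T16:05", "admin1", "add", "Marketing", "bob"),
    ("2008-07-02T16:30", "admin2", "add", "Domain Admins", "Helpdesk"),
    ("2008-07-02T16:31", "admin2", "remove", "Domain Admins", "alice"),
    ("2008-07-03T09:10", "admin3", "add", "Tier2", "frank"),
]


def effective_users(group, members):
    """Return every user who is a direct or inherited member of `group`."""
    users, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:  # already expanded: diamond or circular nesting
            continue
        seen.add(current)
        for member in members.get(current, ()):
            if member in members:
                stack.append(member)  # nested group: expand it later
            else:
                users.add(member)
    return users


def apply_change(members, action, group, member):
    """Return a copy of `members` with one add/remove applied."""
    updated = {g: list(m) for g, m in members.items()}
    direct = updated.setdefault(group, [])
    if action == "add" and member not in direct:
        direct.append(member)
    elif action == "remove" and member in direct:
        direct.remove(member)
    return updated


def review_changes(members, events, sensitive_groups):
    """Replay events in order; report each one that changes the effective
    membership of a sensitive group, even when a different group was edited."""
    alerts = []
    for when, actor, action, group, member in events:
        after = apply_change(members, action, group, member)
        for sensitive in sensitive_groups:
            old = effective_users(sensitive, members)
            new = effective_users(sensitive, after)
            if old != new:
                alerts.append({
                    "when": when,
                    "actor": actor,
                    "changed_group": group,
                    "sensitive_group": sensitive,
                    "gained": sorted(new - old),
                    "lost": sorted(old - new),
                })
        members = after
    return alerts


if __name__ == "__main__":
    for alert in review_changes(MEMBERS, EVENTS, ["Domain Admins"]):
        print(alert)
```

The last constructed event edits only Tier2, yet it changes who holds Domain Admins rights, which is why the review compares effective membership rather than watching the sensitive group's own member list.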

Less sensitive group changes should probably just be monitored and recorded for audit purposes. While periodic audits can tell you what memberships were in place at a given point of time (Wed. at 4pm), adding captured change information to the query provides a full view of which group memberships were in place at any point in time. It would provide details on group membership changes that were applied on Wed. at 4:30pm, after the periodic audit query completed. That information could be critical to a security audit or forensic investigation.

ORGANIZATIONAL UNIT CHANGES

Organizational Units (OUs) are the foundational organization element within Active Directory. User accounts and groups are hierarchically stored within a structure based on organizational units. Management of user accounts and permissions is delegated to administrative personnel at the OU level, and accounts are often stored in OUs that represent either organizational structure or geography.

OUs are critical for a number of reasons. Some applications grant access to resources based on the OU structure. For example, an account in the Marketing OU might be granted access to a marketing application based solely on the OU in which the account lives. Provisioning systems and other Identity Management tools use the OU structure to make important account management and authorization decisions. In some cases, account provisioning or de-provisioning will fail and the system will start generating errors if an OU is moved or renamed. This results in system downtime, lost productivity, and troubleshooting costs.

Monitoring the OU structure is critical to ensuring that the Active Directory security infrastructure is being well maintained and that security policies are being enforced. Moving an OU under a new parent OU, for example, could give owners of the new parent OU administrative rights on objects within the new child OU.
It's also important to note that Active Directory Group Policy Objects (GPOs) can be applied directly to OU objects. GPOs can apply important security policies to a set of objects based on their position within the OU structure. Part of monitoring OU changes should include reporting on changes to the GPOs applied to organizational units, as well as perhaps alerting when critical GPOs are removed from an OU.

Significant time and effort should go into planning an Active Directory organizational structure. And you should have monitoring in place to ensure that the organizational structure, which has management and security implications, is maintained according to plan.

USER ACCOUNT ATTRIBUTE CHANGES

In addition to understanding which accounts have been created and enabled, knowledge of user account attributes is essential. Some permissions and identity management processes are reliant upon correct account attributes. For both security and audit purposes, monitoring and collection of audit information on account attributes should be a priority.

It might not make sense to record all user attributes. There are some commonly used attributes that would be considered valuable to monitor. Common critical security attributes include:

User Name
External applications that leverage Active Directory for authentication or authorization typically grant rights based on AD user name. Therefore, AD user name changes are a highly important data point for monitoring. Any attempt to modify a user name should be considered suspect. There may be scenarios where a user name change is warranted, but those scenarios should be handled with care and detailed attention.

Common Name
Similar to user name, the common name (CN) is a local identifier that must be unique within an OU. There are very few reasons to modify a common name, and any changes to this attribute should be reviewed.

E-mail Address
E-mail address has become a critical security identifier. In some applications, e-mail address is used as the logon ID or may provide automated password reset to the address on file. For these reasons, e-mail address is a significant security attribute. For example, an account with administrative rights could be used to modify another account's e-mail address in order to gain access to a given application.

UserAccountControl
The UserAccountControl attribute provides useful security information about accounts, such as whether the account is enabled and whether critical flags have been set. One flag indicates whether or not a password is required for this account. An account created with the password-not-required flag set to the affirmative value could indicate an important security risk, or at least that an account has been created which is not in policy. Another similar flag sets the password to not expire, which again indicates risk and possible non-compliance with policy. A change to this attribute could also indicate that a previously disabled account was re-enabled.

Job Information (Title, Department, Division, Location, Employee ID or Employee Number, Employee Type)
Various job information attributes are commonly used by organizations to grant certain rights, permissions, or identity management workflow. If any of these attributes are used by your organization, you should add them to the list of attributes to watch.

Distinguished Name (DN)
The DN represents the full path of the user account object within the directory. A DN change might indicate a change to common name, or an OU change. A DN change could indicate a security event and should be monitored.

Smart Card Required
If your environment requires smart cards for authentication and leverages the Smart Card Required attribute, then this attribute should certainly be included in the monitoring plan. A change to this attribute could indicate a critical breach of security policy.

The list of user account attributes that should be monitored could certainly vary from one organization to another. But this list represents some commonly used user account attributes that could represent valuable security information.

ORPHANED ACCOUNTS

While not precisely something that requires real-time monitoring, orphaned accounts are a common data point to consider for audit and security of Active Directory. Any account that is enabled, but has not been used to authenticate in a given number of days, could be considered orphaned. These accounts commonly represent a security threat. An orphaned account may be a remnant of an employee or contractor that is no longer with the organization. If that's the case, the ex-employee could still have access to systems and information. Orphaned accounts are also a good target for would-be attackers who could leverage an existing account. Organize your audit and monitoring solution to provide regular reports on orphaned accounts that enable you to take action as appropriate.
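An added example (not from the NetVision paper) covering the UserAccountControl and orphaned-account points above: it decodes the flags the paper names, reports risky transitions between an old and a new value, and lists enabled accounts idle longer than a threshold. The bit values are Microsoft's documented userAccountControl flags; the account records, the choice of lastLogonTimestamp and whenCreated as inputs, and the 90-day threshold are assumptions.

```python
"""userAccountControl change review and orphaned-account report (added example)."""
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bits for the flags discussed in the text.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_uac(value):
    """Return the names of the monitored flags set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def uac_change_findings(old, new):
    """Describe the security-relevant transitions between two values."""
    before, after = decode_uac(old), decode_uac(new)
    findings = []
    if "ACCOUNTDISABLE" in before - after:
        findings.append("disabled account re-enabled")
    if "PASSWD_NOTREQD" in after - before:
        findings.append("password-not-required set")
    if "DONT_EXPIRE_PASSWORD" in after - before:
        findings.append("password set to never expire")
    if "SMARTCARD_REQUIRED" in before - after:
        findings.append("smart card requirement removed")
    return findings


def filetime_to_datetime(ticks):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never."""
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment):
    """Inverse conversion, used here only to build the sample data."""
    delta = moment - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def orphaned_accounts(accounts, now, max_idle_days):
    """Return (name, idle_days) for enabled accounts idle beyond the threshold.

    An account that never logged on is measured from its creation time, so a
    freshly created account is not reported. lastLogonTimestamp can lag real
    logons by up to about two weeks by default; keep the threshold above that.
    """
    report = []
    for account in accounts:
        if "ACCOUNTDISABLE" in decode_uac(account["userAccountControl"]):
            continue  # disabled accounts cannot authenticate
        last_seen = (filetime_to_datetime(account["lastLogonTimestamp"])
                     or account["whenCreated"])
        idle_days = (now - last_seen).days
        if idle_days > max_idle_days:
            report.append((account["sAMAccountName"], idle_days))
    return sorted(report, key=lambda item: item[1], reverse=True)


# Constructed sample export; NOW is fixed so the result is reproducible.
NOW = datetime(2008, 7, 1, tzinfo=timezone.utc)


def _days_ago(days):
    return NOW - timedelta(days=days)


ACCOUNTS = [
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200,
     "lastLogonTimestamp": datetime_to_filetime(_days_ago(10)),
     "whenCreated": _days_ago(700)},
    {"sAMAccountName": "contractor1", "userAccountControl": 0x200,
     "lastLogonTimestamp": datetime_to_filetime(_days_ago(120)),
     "whenCreated": _days_ago(300)},
    {"sAMAccountName": "olduser", "userAccountControl": 0x202,  # disabled
     "lastLogonTimestamp": datetime_to_filetime(_days_ago(400)),
     "whenCreated": _days_ago(900)},
    {"sAMAccountName": "svc_new", "userAccountControl": 0x200,
     "lastLogonTimestamp": 0, "whenCreated": _days_ago(5)},
    {"sAMAccountName": "temp_never", "userAccountControl": 0x220,
     "lastLogonTimestamp": 0, "whenCreated": _days_ago(200)},
]

if __name__ == "__main__":
    print(uac_change_findings(0x202, 0x200))
    print(orphaned_accounts(ACCOUNTS, NOW, max_idle_days=90))
```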

BONUS CONTENT: TWO MOST CRITICAL POINTS FOR WINDOWS FILE SYSTEM SECURITY MONITORING

File-View Access Report
It may be obvious to suggest that monitoring access to folders and files is important. But most organizations have no way to answer questions around which people are accessing sensitive files. There is often a real business need for system administrators to have permissions to view information that they should not be viewing. They require rights to access information because they are the people charged with managing permissions. They understand how file system ACLs work and need rights to grant or deny ACL rights to business personnel. But there is often no real business need for them to view the actual content of the folders or files that they are protecting.

Understanding when system users open or modify a document can be critical to ensure privacy standards. But it can also be mandatory for compliance reasons. Some regulations require reporting on who may have updated financial information or viewed personal health information. If sensitive financial information is stored in a spreadsheet, a record of who updated that spreadsheet could be a critical piece of forensic evidence related to financial oversight.

File System Access Control Lists (ACLs)
In addition to monitoring actual access to folders and files, monitoring changes to the access rights on sensitive information is also important. The permissions granted via ACLs represent the potential to take action. Ensuring that ACLs are managed properly minimizes the threat of a security breach, which is obviously better than simply catching the breach in the act.

CONCLUSION

The current age of technology has increased the speed of business, and a fluid, dynamic business environment has mandated the need for monitoring activity on critical security infrastructures. In most organizations, there is arguably no more critical piece of security infrastructure than Active Directory (AD). AD is a central point of authentication and serves as the employee launch pad into the network. In that way, AD is often seen as a gateway to other systems and applications.

In this document, we have identified five aspects of Active Directory that represent the most critical points of security monitoring. For many organizations, especially ones that are strategic about their use of Active Directory, monitoring the items discussed within this document would provide a solution that meets a large majority of security monitoring needs. They tell you when permissions or rights are being altered, what inappropriate rights might exist, and when changes occur to the environment that should be reviewed. That information can help minimize organizational risk while preparing you to easily respond to security audits driven by regulation or best practices.

FOR MORE INFORMATION

For more information about NetVision or how to implement the 5 Most Critical Points for Active Directory Security Monitoring, please call us at: or visit us on the web at:

ABOUT NETVISION

NetVision provides periodic assessment and real-time monitoring of all three components that comprise the power of digital identity: Controls, Behavior, and Power. NetVision is focused on providing relevant answers to critical identity and access related questions across platforms on core network directories and file systems.


More information

The PCI Dilemma. COPYRIGHT 2009. TecForte

The PCI Dilemma. COPYRIGHT 2009. TecForte The PCI Dilemma Today, all service providers and retailers that process, store or transmit cardholder data have a legislated responsibility to protect that data. As such, they must comply with a diverse

More information

JIJI AUDIT REPORTER FEATURES

JIJI AUDIT REPORTER FEATURES JIJI AUDIT REPORTER FEATURES JiJi AuditReporter is a web based auditing solution for live monitoring of the enterprise changes and for generating audit reports on each and every event occurring in the

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Length: 5 Days Language(s): English Audience(s): IT Professionals Level: 200 Technology: Windows Server

More information

How To Take Advantage Of Active Directory Support In Groupwise 2014

How To Take Advantage Of Active Directory Support In Groupwise 2014 White Paper Collaboration Taking Advantage of Active Directory Support in GroupWise 2014 Flexibility and interoperability have always been hallmarks for Novell. That s why it should be no surprise that

More information

SMART Solutions for Active Directory Migrations

SMART Solutions for Active Directory Migrations SMART Solutions for Active Directory Migrations Challenges of Active Directory Migrations Types of Active Directory Migrations Intra- Forest Migration between Domains in the Same Forest Separate a Forest

More information

Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services About this Course This five-day instructor-led course provides to teach Active Directory Technology Specialists

More information

Best Practices for an Active Directory Migration

Best Practices for an Active Directory Migration Best Practices for an Active Directory Migration Written by Derek Melber, MCSE, MVP, president, BrainCore.Net AZ, Inc. Abstract This white paper details the major challenges of Microsoft Active Directory

More information

Quest InTrust. Change auditing and policy compliance for the secure enterprise. May 2008. Copyright 2006 Quest Software

Quest InTrust. Change auditing and policy compliance for the secure enterprise. May 2008. Copyright 2006 Quest Software Quest InTrust Change auditing and policy compliance for the secure enterprise May 2008 Copyright 2006 Quest Software Quest is the Thought Leader in Active Directory Named Microsoft Global ISV Partner of

More information

LT Auditor+ 2013. Windows Assessment SP1 Installation & Configuration Guide

LT Auditor+ 2013. Windows Assessment SP1 Installation & Configuration Guide LT Auditor+ 2013 Windows Assessment SP1 Installation & Configuration Guide Table of Contents CHAPTER 1- OVERVIEW... 3 CHAPTER 2 - INSTALL LT AUDITOR+ WINDOWS ASSESSMENT SP1 COMPONENTS... 4 System Requirements...

More information

Effective Ways to Manage User Life Cycle in Active Directory

Effective Ways to Manage User Life Cycle in Active Directory Effective Ways to Manage User Life Cycle in Active Directory What s this whitepaper about? Although Active Directory is a powerful and popular directory service, there are significant gaps between its

More information

Active Directory User Management System (ADUMS)

Active Directory User Management System (ADUMS) Active Directory User Management System (ADUMS) Release 2.9.3 User Guide Revision History Version Author Date Comments (MM/DD/YYYY) i RMA 08/05/2009 Initial Draft Ii RMA 08/20/09 Addl functionality and

More information

Table of Contents WELCOME TO ADAUDIT PLUS... 3. Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED...

Table of Contents WELCOME TO ADAUDIT PLUS... 3. Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED... Table of Contents WELCOME TO ADAUDIT PLUS... 3 Release Notes... 4 Contact ZOHO Corp.... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED... 8 System Requirements... 9 Installing ADAudit Plus... 10 Working

More information

Selecting the Right Active Directory Security Reports for Your Business

Selecting the Right Active Directory Security Reports for Your Business Selecting the Right Active Directory Security Reports for Your Business Avril Salter 1. 8 0 0. 8 1 3. 6 4 1 5 w w w. s c r i p t l o g i c. c o m / s m b I T 2011 ScriptLogic Corporation ALL RIGHTS RESERVED.

More information

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users SyAM Management Utilities and Non-Admin Domain Users Some features of SyAM Management Utilities, including Client Deployment and Third Party Software Deployment, require authentication credentials with

More information

CHAPTER THREE. Managing Groups

CHAPTER THREE. Managing Groups 3 CHAPTER THREE Managing Groups Objectives This chapter covers the following Microsoft-specified objectives for the Managing Users, Computers, and Groups section of the Managing and Maintaining a Microsoft

More information

What s New Guide: Version 5.6

What s New Guide: Version 5.6 What s New Guide: Version 5.6 A QUEST SOFTWARE COMPANY 1. 8 0 0. 4 2 4. 9 4 1 1 w w w. s c r i p t l o g i c. c o m WHAT S NEW IN ACTIVE ADMINISTRATOR 5.6? Contents...3 Active Administrator Product Overview...3

More information

(Installation through ADSelfService Plus web portal and Manual Installation)

(Installation through ADSelfService Plus web portal and Manual Installation) ADSelfService Plus Client Software Installation Guide (Installation through ADSelfService Plus web portal and Manual Installation) 1 Table of Contents Introduction:... 3 ADSelfService Plus Client software:...

More information

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP Deployment Guide Cisco VCS X8.1 D14465.06 December 2013 Contents Introduction 3 Process summary 3 LDAP accessible authentication server configuration

More information

Security and Rights Delegations for the Password Reset PRO Master Service Applies to software versions 2.x.x and 3.x.x

Security and Rights Delegations for the Password Reset PRO Master Service Applies to software versions 2.x.x and 3.x.x Security and Rights Delegations for the Password Reset PRO Master Service Applies to software versions 2.x.x and 3.x.x Password Reset PRO Master Service Delegated rights required for running the Password

More information

Lesson Plans LabSim for Microsoft s Implementing a Server 2003 Active Directory Infrastructure

Lesson Plans LabSim for Microsoft s Implementing a Server 2003 Active Directory Infrastructure Lesson Plans LabSim for Microsoft s Implementing a Server 2003 Active Directory Infrastructure (Exam 70-294) Table of Contents Course Overview... 2 Section 1.1: Introduction to Active Directory... 3 Section

More information

Chapter 1 Scenario 1: Acme Corporation

Chapter 1 Scenario 1: Acme Corporation Chapter 1 Scenario 1: Acme Corporation In This Chapter Description of the Customer Environment page 18 Introduction to Deploying Pointsec PC page 20 Prepare for Deployment page 21 Install Pointsec PC page

More information

CSN38:Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO

CSN38:Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO CSN38:Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO 2009 by Lieberman Software Corporation. Rev 20090921a Identity Management Definitions

More information

Workflow Templates Library

Workflow Templates Library Workflow s Library Table of Contents Intro... 2 Active Directory... 3 Application... 5 Cisco... 7 Database... 8 Excel Automation... 9 Files and Folders... 10 FTP Tasks... 13 Incident Management... 14 Security

More information

M6419 Configuring, Managing and Maintaining Windows Server 2008 Servers

M6419 Configuring, Managing and Maintaining Windows Server 2008 Servers M6419 Configuring, Managing and Maintaining Windows Server 2008 Servers Looking at Training Differently... Course 6419A: Configuring, Managing and Maintaining Windows Server 2008 Servers Length: Published:

More information

Group Policy 21/05/2013

Group Policy 21/05/2013 Group Policy Group Policy is not a new technology for Active Directory, but it has grown and improved with every iteration of the operating system and service pack since it was first introduced in Windows

More information

Security management White paper. Develop effective user management to demonstrate compliance efforts and achieve business value.

Security management White paper. Develop effective user management to demonstrate compliance efforts and achieve business value. Security management White paper Develop effective user management to demonstrate compliance efforts and achieve business value. September 2008 2 Contents 2 Overview 3 Understand the challenges of user

More information

SOFTWARE BEST PRACTICES

SOFTWARE BEST PRACTICES 1 of 7 Abstract MKS Integrity Server LDAP (Lightweight Directory Access Protocol) implementations vary depending on the environment they are being placed into. The configuration of the corporate LDAP implementation

More information

With ADManager Plus, there are no extra installations required, and no OPEX, no dependencies on other software!

With ADManager Plus, there are no extra installations required, and no OPEX, no dependencies on other software! Document Objective: This document focuses on several key areas related to account management, reporting, delegation where a considerable amount of savings can be achieved upon deployment of ManageEngine

More information

How can Identity and Access Management help me to improve compliance and drive business performance?

How can Identity and Access Management help me to improve compliance and drive business performance? SOLUTION BRIEF: IDENTITY AND ACCESS MANAGEMENT (IAM) How can Identity and Access Management help me to improve compliance and drive business performance? CA Identity and Access Management automates the

More information

Restructuring Active Directory Domains Within a Forest

Restructuring Active Directory Domains Within a Forest C H A P T E R 1 2 Restructuring Active Directory Domains Within a Forest Restructuring Active Directory directory service domains within a forest with the goal of reducing the number of domains allows

More information

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Publication Date: March 17, 2015 Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical software and services that transform high-volume

More information

ManageEngine ADSelfService Plus. Evaluator s Guide

ManageEngine ADSelfService Plus. Evaluator s Guide ManageEngine ADSelfService Plus Evaluator s Guide Table of Contents Document Summary:...3 ADSelfService Plus Overview:...3 Core Features & Benefits:...4 ADSelfService Plus Architecture:...5 Admin Portal:...

More information

Create, Link, or Edit a GPO with Active Directory Users and Computers

Create, Link, or Edit a GPO with Active Directory Users and Computers How to Edit Local Computer Policy Settings To edit the local computer policy settings, you must be a local computer administrator or a member of the Domain Admins or Enterprise Admins groups. 1. Add the

More information

Active Directory Automation RFSP # 1382 Addendum # 1 November 5, 2015

Active Directory Automation RFSP # 1382 Addendum # 1 November 5, 2015 Active Directory Automation RFSP # 1382 Addendum # 1 vember 5, 2015 This document will be updated as new Questions and Answers are added. Please check back to see if there are updates. 1. How many environments

More information

AVG Business SSO Connecting to Active Directory

AVG Business SSO Connecting to Active Directory AVG Business SSO Connecting to Active Directory Contents AVG Business SSO Connecting to Active Directory... 1 Selecting an identity repository and using Active Directory... 3 Installing Business SSO cloud

More information

Advanced Audit Policy Configurations for LT Auditor+ Reference Guide

Advanced Audit Policy Configurations for LT Auditor+ Reference Guide Advanced Audit Policy Configurations for LT Auditor+ Reference Guide Contents WINDOWS AUDIT POLICIES REQUIRED FOR LT AUDITOR+....3 ACTIVE DIRECTORY...3 Audit Policy for the Domain...3 Advanced Auditing

More information

System Center Configuration Manager 2007

System Center Configuration Manager 2007 System Center Configuration Manager 2007 Software Distribution Guide Friday, 26 February 2010 Version 1.0.0.0 Baseline Prepared by Microsoft Copyright This document and/or software ( this Content ) has

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/ Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system

More information

Active Directory Quick Reference Guide for PowerCAMPUS Self-Service 7.x. Release 5 July 2011

Active Directory Quick Reference Guide for PowerCAMPUS Self-Service 7.x. Release 5 July 2011 Active Directory Quick Reference Guide for PowerCAMPUS Self-Service 7.x Release 5 July 2011 Trademark, Publishing Statement and Copyright Notice SunGard or its subsidiaries in the U.S. and other countries

More information

How to Secure Your SharePoint Deployment

How to Secure Your SharePoint Deployment WHITE PAPER How to Secure Your SharePoint Deployment Some of the sites in your enterprise probably contain content that should not be available to all users [some] information should be accessible only

More information

Configuring Managing and Maintaining Windows Server 2008 Servers (6419B)

Configuring Managing and Maintaining Windows Server 2008 Servers (6419B) Configuring Managing and Maintaining Windows Server 2008 Servers (6419B) Who Should Attend This course is intended for Windows Server administrators who operate Windows Servers on a daily basis and want

More information

MOC 6419: Configuring, Managing, and Maintaining Windows Server 2008

MOC 6419: Configuring, Managing, and Maintaining Windows Server 2008 1 of 6 1/6/2010 3:23 PM MOC 6419: Configuring, Managing, and Maintaining Windows Server 2008 This five-day instructor-led course combines five days worth of instructor-led training content from the Network

More information

How ByStorm Software enables NERC-CIP Compliance

How ByStorm Software enables NERC-CIP Compliance How ByStorm Software enables NERC-CIP Compliance The North American Electric Reliability Corporation (NERC) has defined reliability standards to help maintain and improve the reliability of North America

More information

Active Directory Objectives

Active Directory Objectives Exam Objectives Active Directory Objectives Exam 70 640: TS: Windows Server 2008 Active Directory, Configuring This certification exam measures your ability to manage Windows Server 2008 Active Directory

More information

CC4 TEN: Pre-installation instructions for Windows Server networks

CC4 TEN: Pre-installation instructions for Windows Server networks CC4 TEN: Pre-installation instructions for Windows Server networks Contents Introduction to CC4 TEN... 1 How the transition works... 3 Your pre-installation tasks... 5 Back up your servers... 5 Ensure

More information

The Challenges of Administering Active Directory

The Challenges of Administering Active Directory The Challenges of Administering Active Directory As Active Directory s role in the enterprise has drastically increased, so has the need to secure the data it stores and to which it enables access. The

More information

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account

More information

How to monitor AD security with MOM

How to monitor AD security with MOM How to monitor AD security with MOM A article about monitor Active Directory security with Microsoft Operations Manager 2005 Anders Bengtsson, MCSE http://www.momresources.org November 2006 (1) Table of

More information

Delegated Administration Quick Start

Delegated Administration Quick Start Delegated Administration Quick Start Topic 50200 Delegated Administration Quick Start Updated 22-Oct-2013 Applies to: Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere,

More information

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All

More information

Advanced Farm Administration with XenApp Worker Groups

Advanced Farm Administration with XenApp Worker Groups WHITE PAPER Citrix XenApp Advanced Farm Administration with XenApp Worker Groups XenApp Product Development www.citrix.com Contents Overview... 3 What is a Worker Group?... 3 Introducing XYZ Corp... 5

More information

User Management Guide

User Management Guide AlienVault Unified Security Management (USM) 4.x-5.x User Management Guide USM v4.x-5.x User Management Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

Role Based Access Control for Industrial Automation and Control Systems

Role Based Access Control for Industrial Automation and Control Systems Role Based Access Control for Industrial Automation and Control Systems Johan B. Nye ExxonMobil Research and Engineering Co. Kevin P. Staggs Honeywell ACS Advanced Technology Labs 27 October 2010 abstract

More information

NetWrix SQL Server Change Reporter

NetWrix SQL Server Change Reporter NetWrix SQL Server Change Reporter Version 2.2 Enterprise Edition Quick Start Guide Contents NetWrix SQL Server Change Reporter Enterprise Edition Quick Start Guide 1. INTRODUCTION... 3 1.1 KEY FEATURES...

More information

Windows Server 2012 / Windows 8 Audit Fundamentals

Windows Server 2012 / Windows 8 Audit Fundamentals Windows Server 2012 / Windows 8 Audit Fundamentals Jacksonville ISACA Chapter May 17, Speaker Introduction: Timothy P. McAliley 13+ years in IT Currently work for Microsoft Premier Field Engineer SQL Server,

More information

Admin Report Kit for Active Directory

Admin Report Kit for Active Directory Admin Report Kit for Active Directory Reporting tool for Microsoft Active Directory Enterprise Product Overview Admin Report Kit for Active Directory (ARKAD) is a powerful reporting solution for the Microsoft

More information

Solution Brief for HIPAA HIPAA. Publication Date: Jan 27, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Solution Brief for HIPAA HIPAA. Publication Date: Jan 27, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Publication Date: Jan 27, 2015 8815 Centre Park Drive, Columbia MD 21045 HIPAA About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized

More information

6419: Configuring, Managing, and Maintaining Server 2008

6419: Configuring, Managing, and Maintaining Server 2008 6419: Configuring, Managing, and Maintaining Server 2008 Course Number: 6419 Category: Technical Duration: 5 days Course Description This five-day instructor-led course combines five days worth of instructor-led

More information

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements SolarWinds Security Information Management in the Payment Card

More information

Using Entrust certificates with VPN

Using Entrust certificates with VPN Entrust Managed Services PKI Using Entrust certificates with VPN Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered trademark

More information

Module 4: Implementing User, Group, and Computer Accounts

Module 4: Implementing User, Group, and Computer Accounts Module 4: Implementing User, Group, and Computer Accounts Contents Overview 1 Lesson: Introduction to Accounts 2 Lesson: Creating and Managing Multiple Accounts 8 Lesson: Implementing User Principal Name

More information

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10 Table Of Contents - - WINDOWS SERVER 2003 MAINTAINING AND MANAGING ENVIRONMENT...1 WINDOWS SERVER 2003 IMPLEMENTING, MANAGING & MAINTAINING...6 WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS

More information

Walton Centre. Document History Date Version Author Changes 01/10/04 1.0 A Cobain L Wyatt 31/03/05 1.1 L Wyatt Update to procedure

Walton Centre. Document History Date Version Author Changes 01/10/04 1.0 A Cobain L Wyatt 31/03/05 1.1 L Wyatt Update to procedure Page 1 Walton Centre Access and Authentication (network) Document History Date Version Author Changes 01/10/04 1.0 A Cobain L Wyatt 31/03/05 1.1 L Wyatt Update to procedure Page 2 Table of Contents Section

More information

Managing users. Account sources. Chapter 1

Managing users. Account sources. Chapter 1 Chapter 1 Managing users The Users page in Cloud Manager lists all of the user accounts in the Centrify identity platform. This includes all of the users you create in the Centrify for Mobile user service

More information

Self-Service Active Directory Group Management

Self-Service Active Directory Group Management Self-Service Active Directory Group Management 2015 Hitachi ID Systems, Inc. All rights reserved. Hitachi ID Group Manager is a self-service group membership request portal. It allows users to request

More information

Planning LDAP Integration with EMC Documentum Content Server and Frequently Asked Questions

Planning LDAP Integration with EMC Documentum Content Server and Frequently Asked Questions EMC Documentum Content Server and Frequently Asked Questions Applied Technology Abstract This white paper details various aspects of planning LDAP synchronization with EMC Documentum Content Server. This

More information

True Continuous Auditing for Active Directory Derek Melber

True Continuous Auditing for Active Directory Derek Melber True Continuous Auditing for Active Directory by Derek Melber Group Policy and Active Directory MVP ManageEngine ADSolutions Technical Evangelist True Continuous Auditing for Active Directory Today, most

More information

DeviceLock Management via Group Policy

DeviceLock Management via Group Policy User Manual DeviceLock Management via Group Policy SmartLine Inc 1 Contents Using this Manual...3 1. General Information...4 1.1 Overview...4 1.2 Applying Group Policy...5 1.3 Standard GPO Inheritance

More information

Chapter 3: Building Your Active Directory Structure Objectives

Chapter 3: Building Your Active Directory Structure Objectives Chapter 3: Building Your Active Directory Structure Page 1 of 46 Chapter 3: Building Your Active Directory Structure Objectives Now that you have had an introduction to the concepts of Active Directory

More information

Installing, Configuring, and Managing a Microsoft Active Directory

Installing, Configuring, and Managing a Microsoft Active Directory Installing, Configuring, and Managing a Microsoft Active Directory Course Outline Part 1: Configuring and Managing Active Directory Domain Services Installing Active Directory Domain Services Managing

More information

Group Policy Objects: What are They and How Can They Help Your Firm?

Group Policy Objects: What are They and How Can They Help Your Firm? Group Policy Objects: What are They and How Can They Help Your Firm? By Sharon Nelson and John Simek 2011 Sensei Enterprises, Inc. The obvious first question: What is a Group Policy Object? Basically,

More information