How to best protect Active Directory in your organization
Alistair Holmes, Senior Systems Consultant

So where do we start? Let's break it down:
- Security
- Management
Security concerns with Active Directory
- Protecting critical data and enforcing policies to eliminate unregulated access
- Granting users and administrators correct access to what they need, nothing more
- Knowing what changed, when, and who made the change
- Overcoming reporting limitations to achieve the necessary visibility and tracking

Management concerns with Active Directory
- Overcoming inadequacies of native tools
- Improving the efficiency of time-consuming and error-prone user and group creation and modification
- Reducing operational costs
- Improving reporting capabilities
So where do we start?

The Basics
Always follow Microsoft's Best Practices for Securing Active Directory, available from the Microsoft website (314 pages, 22 main bullet points). In a nutshell:
- Patch everything.
- Monitor sensitive objects.
- Eliminate highly privileged group membership.
- Implement least-privilege RBAC.
- Migrate critical assets to pristine forests with stringent security and monitoring requirements. (17/22)
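"Eliminate highly privileged group membership" and "monitor sensitive objects" only work if someone actually looks at who holds those rights. The script below is an added example (not from this deck and not part of Active Roles or any Microsoft document) that reports the effective, nested membership of the built-in privileged groups; it assumes the RSAT ActiveDirectory module and the English group names of a default domain.

```powershell
# Added example: report effective (nested) membership of highly privileged AD groups.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# English built-in group names assumed; adjust for localized domains.
# Enterprise Admins and Schema Admins exist only in the forest root domain.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)
$oneYearAgo = (Get-Date).AddYears(-1)

$report = foreach ($groupName in $privilegedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) { continue }   # group does not exist in this domain

    # -Recursive expands nested groups, so accounts that gained the right
    # indirectly through another group are reported too.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        $user = Get-ADUser -Identity $member.distinguishedName `
            -Properties Enabled, PasswordLastSet, LastLogonDate, servicePrincipalName
        [pscustomobject]@{
            Group           = $group.Name
            User            = $user.SamAccountName
            Enabled         = $user.Enabled
            PasswordLastSet = $user.PasswordLastSet
            LastLogonDate   = $user.LastLogonDate
            # An SPN on a privileged account means a service account holds
            # these rights; such entries are the first candidates for removal.
            HasSPN          = ($user.servicePrincipalName.Count -gt 0)
            StalePassword   = (-not $user.PasswordLastSet) -or
                              ($user.PasswordLastSet -lt $oneYearAgo)
        }
    }
}

# One row per account per privileged group, oldest passwords first.
$report | Sort-Object PasswordLastSet | Format-Table -AutoSize

# Summary: how many privileged groups each account is a member of.
$report | Group-Object User |
    Select-Object @{n = 'User'; e = { $_.Name }}, @{n = 'PrivilegedGroups'; e = { $_.Count }} |
    Sort-Object PrivilegedGroups -Descending | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; any new row is a change to a sensitive object that should be explained by a ticket.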
Active Roles
- Active Roles is used globally to manage and secure more than 60 million Active Directory user accounts
- Active Roles is in use at more than 2,500 companies worldwide
- Product has been in existence since 2003
- Deployments range in size from 250 to 800K+ users
- Complement and extend your identity and access management strategy
Employee management use case
Managing the entire lifecycle of user and group identities is one of the most time-consuming IT tasks. Every time a new employee is hired, a current employee leaves the company or simply changes department, there are multiple IT tasks that must be performed on various systems and applications. Most organizations find that it takes days or even weeks to fully grant access to everything a new user needs. That's a colossal waste of time and money.

Employee account creation
The organizational structure of the Green company consists of one domain, GREEN.COM, distributed across several locations, with Users, Groups, and Computers organizational units in each city: NYC and Boston.
The company has the following policies configured (Configuration/Policies/Administration/Enterprise policies) for employee account creation:
- User logon name generation
- Email alias generation
- Home folder provisioning policies
- Exchange mailbox provisioning policy
- Property validation and generation for cn, displayName, UPN attributes, Office Location and Department
- Group membership auto-provisioning
Create new employee

Assign users to groups
Configure:
- Add user to groups and distribution lists
- Grant access to applications
- Assign group memberships and role
- Assign admin permissions
- Create user accounts on connected systems

Automated creation of Exchange properties

Employee account change or termination

Results

Employee undo-termination
Delegation of permissions use case
Administrators assigned to a particular role only have access to the areas of AD, AD LDS, and/or DNS allowed in that role. As administrators are added to or removed from these role templates, their access and responsibilities change dynamically, depending on which role they are assigned.
Why does this matter? Natively, if you have admin rights to AD, AD LDS, or DNS, you have access and visibility into everything! So from a low-level help desk associate through to high-level architects, everyone has the same rights or privileges. The more people with total access, the greater the chance of human error or malicious intent.

Role-based delegation
Job functions: AD Architect; Sr. Administrator; Exchange Admins; OU Admins / Help Desk; End user Self-Service; Application / Data Owners
Roles: Day-to-Day Admin; Mailbox Admin; Service Desk; Self-Service; App/Data Owners
Access: Full Control; Create Users/Groups; Create Groups; Create Mailbox, Move Mailbox; Reset Passwords, Unlock Accounts; Update personal information; Request Changes, Change Group Membership
Scope (directory tree):
- Active Directory: Computers, Domain Controllers, APAC, EMEA, North America
- AD LDS: New York, Mexico City, ADAM Objects
- DNS: DNS Servers, DNS Records
Role-based administration
The domain administrator wants to give delegated administrator Arthur Smith full access control to a single OU, "Service accounts", and all child objects of this OU. The domain administrator does not want him to be able to see any other OU in the domain except this one.
- The domain administrator runs the Active Roles console.
- The domain administrator right-clicks the "Service accounts" OU in the domain tree and selects the "Delegate control" option.

Out-of-the-box access templates
Select the access template that gives the delegated administrator the required level of access and nothing more.

Example: Service accounts
ASmith has full control access to the "Service accounts" OU, so he can perform his daily tasks (create service accounts, modify them, reset passwords and so on) within only this OU in the managed domain.

Rule-based administrative views
The domain administrator wants to create a Managed Unit that includes the groups with employees from Boston and NYC, without changing the directory structure, and then delegates permissions to ASmith for managing those groups.

Rules
Select rule membership and specify the rule.
Escalation and approval with change workflow use case
Use decision points in an automated workflow to obtain authorization from a person before the workflow continues. These decision points are approval, rejection, escalation and delegation.

Approval workflow
Junior administrator Stefan Ellis needs to add a new employee, John Smith, to the "Information services" group. The manager of this group, Lee Parker, must approve this operation. But he is not sure whether this new user should be a member of this group, so he escalates the request to chief administrator James Miller.
You can browse for the ready-made workflow or configure it from scratch: go to Configuration -> Policies -> Workflow -> Demo -> Information services group demo.

Workflow options and start conditions

Workflow object selection

Drag-and-drop "Approval" activity

Approvers selection

Notifications for workflow

Escalation
Recover: Be ready, because it's not if, it's when.
Avoid data loss and maintain business continuity with recovery solutions for Active Directory, including full forest backups for disaster recovery. Facilitate efficient searches and fast recovery of lost data, from a single object to an entire forest. Keep downtime to a minimum and productivity maximized, even in a disaster.

Recovery Manager for Active Directory: Quick, Scalable Restore of Granular Objects

Recovery Manager Forest Edition: Completes your Forest Disaster Recovery Plan

Backup/Recovery Comparison (1)
Columns compared: Windows 2003; Windows 2008; Windows 2008 R2/2012; Recovery Manager for Active Directory
Capabilities compared:
- Backup remotely
- Determine what objects have changed/been deleted
- Undelete objects
- Undelete objects from graphical interface
- Online object restore including all attributes
- Online object restore without scripting
- Delegate data restore tasks at the container level
- Roll back changes to objects
- Online restore of Group Policy Objects
- Restore dozens of deleted objects in under 10 minutes
- Centralized administration of backup/recovery
- Automated domain/forest recovery (2)
- Creation of virtual lab with production data
(1) For a full comparison, please refer to FAQ: Windows Server 2012 Recycle Bin and Recovery Manager for AD.
(2) Domain and forest recovery require Recovery Manager for Active Directory Forest Edition.
A foundation for full IAM: Dell One Identity
Identity Governance (complete, business-driven governance):
- Access governance
- Data governance
- Privileged account governance
- Business-enabled access request and fulfillment
- Attestation and recertification
- Role engineering
- Automated enterprise provisioning
- Identity unification and process orchestration
Access Management (convenient, secure and compliant access):
- Web access management
- Single sign-on and federation
- Directory and identity consolidation, migration and management
- Strong authentication
- Password management
Privilege Management (understand and control administrator activity):
- Enterprise privilege safe
- Least-privilege access
- Session management and keystroke logging
- Active Directory bridge
- Enforce separation of duties (SoD)
Extend: Bring in other platforms
Extend the unified authentication and authorization of Microsoft Active Directory to Unix, Linux and Mac systems. Remove the stand-alone authentication and authorization requirement of native Unix in favor of a single identity, one account, and a single point of management.

Unix management: Privileged Access Suite for Unix
- Management Console for Unix
- AD Bridge
- Enhance Sudo
- Unix Delegation
- Replace Sudo

AD Bridge
Centralized authentication:
- Authenticate through AD Kerberos
- Consolidate identities and directories
- Eliminate non-secure authentication methods
Extend AD Kerberos single sign-on:
- Unix, Linux, and Mac
- Standards-based applications
- Achieve single sign-on for SAP
Configuration and administration:
- Migrate and manage NIS data
- Leverage group policy for Unix, Linux and Mac
Enhance password security:
- Extend AD password policies
- Eliminate redundant, inconsistent, and non-secure passwords
- Extend AD-based self-service password reset capabilities

Unix delegation
Enhance sudo:
- Central administration and management
- Centralized access reporting
- No new training required
- No need to update scripts and applications
Replace sudo:
- Central administration and management
- Centralized access reporting
- Advanced capabilities: restricts shells, restricts remote host command execution, removes shell escapes
Repeat: Stay nimble
Implement a solid suite of solutions to ensure your infrastructure stays nimble and can meet the ever-changing demands of the business and technology.

Thank you