Microsoft Active Directory (AD) is the nerve center enabling your federal agency to access the systems and applications staff members need to do their jobs. AD is also a high-risk target for inside and outside threats and can be a gateway for other potential security vulnerabilities.
The key to protecting your agency’s AD is to have the right processes in place to maintain its integrity, know whether something is happening that shouldn’t be, and demonstrate compliance if required.
Here’s how you accomplish these tasks while keeping this valuable resource secure:
Develop and enforce appropriate permissions policies
Understand how to recognize and respond to suspicious activity
Ensure appropriate provisioning and deprovisioning policies are in place
Let’s look at permissions first. Unfortunately, it’s common for too many people to have AD access rights—specifically, admin rights. Best practice policies recommend a minimalist approach to granting admin rights and—just as important—incorporating AD permission reporting capabilities.
This need is critical. AD permissions reporting gives your federal IT team a comprehensive view of all the objects and privileges on the network, including users, groups, computers, and access rights. This type of insight make it dramatically easier to manage permissions and grant, modify, and delete user or group access to specific objects.
Try adding comparative reporting to the mix, too. This allows teams to compare the rights of a given user to the role they fill within the agency. And here’s one more tip: consider using role-specific templates to delegate access privileges and enforce the principle of least privilege. This helps ensure security policy conformity across the agency’s IT infrastructure.
Once appropriate permissions policies have been implemented and enforced, the next step is to have a deeper ability to monitor AD activity. The best way to do this is by monitoring the following:
AD login activity. Be sure you can see the number of failed login attempts, password reset attempts, and account deletions. You want to have the ability to dig down to the event ID level.
Remote AD instances. The ability to see deep into remote agency sites—understanding site link names and all subnets and IP ranges—provides invaluable information for troubleshooting remote location AD issues.
Domain controllers. This capability lets you know whether the CPU usage has reached its threshold, whether a user account is locked, and whether there’s a login issue; a good tool will provide a view into each domain controller status and role.
Lastly, it’s critical to have the right provisioning and deprovisioning policies in place to dictate what employees have access to and ensure access is removed when an employee leaves the organization. Not having these policies in place leaves gaping security holes from bad actors or disgruntled ex-employees with malicious intentions.
The above suggestions are a great start; full, comprehensive monitoring of the AD environment will help federal IT pros better protect the network and detect problems before they’re reported by end users and before they impact agency productivity.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community.
More than 150,000 members are here to solve problems, share technology and best practices, and directly
contribute to our product development process.