Active Directory: How To Secure Your IT Infrastructure
Active Directory (AD) is responsible for the authentication and authorization of resources throughout an organization's IT infrastructure. It is common for an on-premises AD to be used together with Azure AD to authenticate to Microsoft 365 and to many other cloud services. As a central component of the infrastructure, AD is also an attractive target for cybercriminals: Microsoft itself states that millions of the roughly 500 million active AD accounts are under attack. Given this, those responsible for IT security should not rely solely on the effectiveness of their security tools. Rather, they should maintain the health of the AD by regularly carrying out a series of checks. This article therefore provides a guide to the most important of them.
Number 1: Users who have not logged in recently
Inactive user accounts are not only an AD management problem; they can also be a serious security risk for the entire company. Often these accounts belong to people who have left the company and should no longer have access to its systems or data. They open the door to abuse, and not just by former employees: such accounts are equally attractive to outside attackers and to insiders, such as disgruntled employees, who could use the account to steal data, damage systems, send email that harms the company's reputation, and more. Because the actual owner no longer uses the account, these activities can go unnoticed for a long time.
Even without actual abuse, unused accounts can cause a company significant difficulties. Compliance regulations often require that outdated user accounts be carefully monitored and managed; failure to do so can result in failed audits, fines and other penalties. This is another reason why the AD should be checked regularly (at least monthly) for unused accounts. Those responsible should keep a list of all accounts with account name, last login time, number of logins and account status (active, suspended, disabled, etc.). Where an account appears to be inactive, the person responsible can disable or delete it after consulting the user's manager.
Number 2: Domain users with expired password
Accounts with expired passwords may not have been inactive long enough to be caught by control #1, but they can still pose a security risk. For each expired password, the person responsible should check whether the user is, for example, merely on vacation or on sick leave, or whether the account is genuinely no longer used and should be disabled or deleted.
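The following script is an added example (written for this edit, not code from the original article) that builds the inventory controls 1 and 2 ask for: every user with last login, logon count and a status, plus the short list that needs a manager's decision. It assumes the RSAT ActiveDirectory module on a domain-joined host; the 90-day threshold and the output file name are assumptions.

```powershell
# Added example, not part of the original article. Requires the ActiveDirectory
# module (RSAT) and a domain-joined host. The 90-day threshold is an assumed value.
Import-Module ActiveDirectory

$InactiveDays = 90
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# Caveats a reviewer should know:
#  - LastLogonDate is derived from lastLogonTimestamp, which is only replicated when the
#    stored value is more than 9-14 days old, so it is accurate to about two weeks.
#  - logonCount is not replicated at all; the value is that of the DC answering the query.
$Props = @(
    'LastLogonDate', 'logonCount', 'PasswordExpired', 'PasswordLastSet',
    'whenCreated', 'Enabled', 'LockedOut'
)

$Users = Get-ADUser -Filter * -Properties $Props | ForEach-Object {
    $Status = if (-not $_.Enabled)                  { 'disabled' }
              elseif ($_.LockedOut)                 { 'locked' }
              elseif ($_.PasswordExpired)           { 'password-expired' }   # control 2
              elseif ($null -eq $_.LastLogonDate) {
                  # never logged in: only a finding once the account is older than the threshold
                  if ($_.whenCreated -lt $Cutoff)   { 'never-logged-in' } else { 'new' }
              }
              elseif ($_.LastLogonDate -lt $Cutoff) { 'inactive' }           # control 1
              else                                  { 'active' }
    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        Status          = $Status
        Enabled         = $_.Enabled
        LastLogonDate   = $_.LastLogonDate
        LogonCount      = $_.logonCount
        PasswordLastSet = $_.PasswordLastSet
        Created         = $_.whenCreated
    }
}

# The full inventory for the record keeper ...
$Users | Export-Csv -Path .\ad-user-inventory.csv -NoTypeInformation -Encoding UTF8

# ... and the short list that needs a decision from the user's manager.
$NeedsReview = $Users | Where-Object { $_.Status -in @('inactive', 'never-logged-in', 'password-expired') }
$NeedsReview | Sort-Object Status, LastLogonDate | Format-Table -AutoSize

# Disabling is the reversible first step; deletion follows after the agreed grace period.
# -WhatIf makes this a dry run until the list has actually been reviewed.
$NeedsReview | Where-Object { $_.Status -eq 'inactive' -and $_.Enabled } |
    ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Because of the replication behaviour of lastLogonTimestamp, an account reported as "inactive" by a few days may in fact have logged in recently; for an exact last-logon time the non-replicated lastLogon attribute has to be read from every DC.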
Number 3: privileged users
Attackers often try to gain elevated privileges in order to reach as many systems and as much data as possible. The member accounts of privileged groups should therefore be kept under close scrutiny. The IT security officer should be able to see all members of each privileged group, together with their last login time, at any time. This also applies to nested groups: a user in a group that is itself a member of Domain Admins is a domain admin, even though they do not appear in the direct member list. They also have to look out for members who have not logged in for a long time and may need to be removed from the group, and for users who have never logged in and therefore may not need elevated rights at all.
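As an added example (not from the original article), the script below expands the built-in privileged groups recursively, reports each user's last logon, marks users who only got in through a nested group, and cross-checks against the adminCount attribute. The group list is the standard built-in set; any organization-specific tier-0 groups and the 90-day threshold are assumptions.

```powershell
# Added example, not part of the original article. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Built-in groups that confer domain- or DC-level control; add your own tier-0 groups.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators', 'DnsAdmins'
)
$StaleDays = 90                                  # assumed threshold
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

$Report = foreach ($GroupName in $PrivilegedGroups) {
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $Group) { continue }   # e.g. Enterprise/Schema Admins only exist in the forest root domain

    # Direct members, so we can tell later whether a user got in through a nested group.
    $DirectDNs = (Get-ADGroupMember -Identity $Group).distinguishedName

    # -Recursive flattens nested groups, so transitively privileged users show up too.
    # (Foreign security principals from trusted domains cannot be expanded this way.)
    foreach ($Member in Get-ADGroupMember -Identity $Group -Recursive) {
        if ($Member.objectClass -ne 'user') { continue }
        $U = Get-ADUser -Identity $Member.distinguishedName -Properties LastLogonDate, PasswordLastSet

        $Finding = if (-not $U.Enabled)                  { 'disabled account still in group' }
                   elseif ($null -eq $U.LastLogonDate)   { 'never logged in: rights probably not needed' }
                   elseif ($U.LastLogonDate -lt $Cutoff) { "no logon for more than $StaleDays days" }
                   else                                  { '' }

        [pscustomobject]@{
            Group           = $GroupName
            User            = $U.SamAccountName
            ViaNesting      = $Member.distinguishedName -notin $DirectDNs
            LastLogonDate   = $U.LastLogonDate
            PasswordLastSet = $U.PasswordLastSet
            Finding         = $Finding
        }
    }
}

$Report | Sort-Object Group, User | Format-Table -AutoSize

# Rows that need a decision: remove from the group, or disable the account.
$Report | Where-Object { $_.Finding -ne '' }

# Cross-check: AdminSDHolder stamps adminCount=1 on members of protected groups and never
# clears it. An adminCount=1 user that is in none of the groups above was once privileged
# and still carries the restrictive AdminSDHolder ACL; it belongs on the review list too.
Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $_.SamAccountName -notin $Report.User } |
    Select-Object SamAccountName, DistinguishedName
```

The `ViaNesting` column is the part a plain look at the group's member list does not show; a user who is privileged only through a nested group is easy to miss in a manual review.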
Number 4: Services that do not run on a system account
Services that run under a domain or local user account rather than one of the built-in system accounts (LocalSystem, Local Service, Network Service) typically do so because they need elevated privileges, so they must be monitored and managed much like privileged users. Those responsible for IT security should have access to detailed information about all services at all times so that they can ensure the accounts are set up correctly. For example, privileged service accounts should have passwords that are long, complex and changed regularly; group managed service accounts (gMSAs) let the domain rotate the password automatically, which removes the manual step entirely.
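The script below is an added example (not the article's code) that inventories services running under something other than a built-in system account on a set of servers, resolves the AD account behind each one and reports password age, "password never expires" and whether the account is a gMSA. The server names are assumptions; WinRM access to the servers is required.

```powershell
# Added example, not part of the original article. $Servers is an assumed host list.
Import-Module ActiveDirectory

$Servers = @('app01', 'sql01', 'web01')
$BuiltIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

$Services = Invoke-Command -ComputerName $Servers -ScriptBlock {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notin $using:BuiltIn } |   # -notin is case-insensitive
        Select-Object Name, DisplayName, StartName, State, StartMode
}

$Report = foreach ($Svc in $Services) {
    # StartName arrives as DOMAIN\name, name@domain, .\name (local account), a bare name,
    # or NT SERVICE\name for a virtual account that Windows manages itself.
    $Sam = $null; $Kind = $null
    switch -Regex ($Svc.StartName) {
        '^NT SERVICE\\'    { $Kind = 'virtual account (managed by Windows)'; break }
        '^\.\\|^[^\\@]+$'  { $Kind = 'local account on that host'; break }
        '^[^\\]+\\(.+)$'   { $Sam = $Matches[1]; break }
        '^([^@]+)@'        { $Sam = $Matches[1]; break }
    }

    $Obj = $null
    if ($Sam) {
        # Classic users and gMSAs (sAMAccountName ends in '$') are different object
        # classes, so look the name up with Get-ADObject and inspect the class.
        $Obj  = Get-ADObject -LDAPFilter "(sAMAccountName=$Sam)" `
                    -Properties pwdLastSet, servicePrincipalName, userAccountControl
        $Kind = if (-not $Obj) { 'not found in AD' }
                elseif ($Obj.objectClass -eq 'msDS-GroupManagedServiceAccount') { 'gMSA (password rotated by the domain)' }
                else { 'domain user' }
    }
    $PwdAgeDays = if ($Obj -and $Obj.pwdLastSet) {
        ((Get-Date) - [DateTime]::FromFileTime($Obj.pwdLastSet)).Days
    }

    [pscustomobject]@{
        Computer        = $Svc.PSComputerName
        Service         = $Svc.Name
        RunsAs          = $Svc.StartName
        Kind            = $Kind
        PasswordAgeDays = $PwdAgeDays
        NeverExpires    = [bool]($Obj.userAccountControl -band 0x10000)   # DONT_EXPIRE_PASSWORD
        HasSPN          = [bool]$Obj.servicePrincipalName                  # Kerberos tickets are issued in its
                                                                           # name, so the password can be
                                                                           # attacked offline from a ticket
    }
}
$Report | Sort-Object Kind, Computer | Format-Table -AutoSize

# Domain user accounts with an old or non-expiring password contradict the "long,
# complex and changed regularly" requirement; converting them to a gMSA is the usual fix.
$Report | Where-Object { $_.Kind -eq 'domain user' -and ($_.NeverExpires -or $_.PasswordAgeDays -gt 365) }
```

The `HasSPN` column is the practical reason the password length requirement matters: for an account with a service principal name, any domain user can request a service ticket encrypted with that account's password hash and try to crack it offline, so a short or guessable password on such an account is directly exposed.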
Number 5: Software installed on domain controllers
Each domain controller (DC) in an organization should only run the software that is necessary for its operation, e.g. DNS. Any additional code running on a DC introduces unnecessary risk to the Active Directory environment, because a vulnerability in it is a vulnerability on the machine that stores every domain account's credentials. It should therefore be checked regularly whether unneeded software has found its way onto a company's DCs.
Number 6: Information on hotfixes
Unpatched systems are a common target for attackers, which is why all IT systems should always be kept up to date. To achieve this, those responsible need a current overview of all systems and of the hotfixes installed on them.
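Controls 5 and 6 are both per-DC inventories, so one added example (not from the original article) serves both: it collects installed software and installed updates from every domain controller, compares the software with an allow-list and the update sets across DCs, and reports a pending reboot. The allow-list patterns are assumptions to be replaced with the agents actually deployed; WinRM access to the DCs is required.

```powershell
# Added example, not part of the original article. The allow-list is an assumption.
Import-Module ActiveDirectory

$DCs = (Get-ADDomainController -Filter *).HostName

# Control 5: software expected on a DC (assumed wildcard patterns).
$AllowedSoftware = @('Microsoft Visual C++*Redistributable*', 'Microsoft Monitoring Agent*')

$Inventory = Invoke-Command -ComputerName $DCs -ScriptBlock {
    # The Uninstall keys are what "Programs and Features" reads. Win32_Product is avoided
    # on purpose: enumerating it triggers an MSI consistency check/repair of every package.
    $Keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    $Software = Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

    # Control 6: Get-HotFix reads Win32_QuickFixEngineering, which lists Windows updates
    # but not application updates; treat it as a spot check next to the WSUS/update
    # compliance report, not as a replacement for it.
    $HotFixes = Get-HotFix | Select-Object HotFixID, Description, InstalledOn

    [pscustomobject]@{
        Software      = $Software
        HotFixes      = $HotFixes
        LastBootUp    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        RebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
}

# Every DC should carry the same update set, so the union across DCs is the reference.
$AllKBs = $Inventory | ForEach-Object { $_.HotFixes.HotFixID } | Sort-Object -Unique

$DcReport = foreach ($DC in $Inventory) {
    $Unexpected = $DC.Software | Where-Object {
        $Name = $_.DisplayName
        -not ($AllowedSoftware | Where-Object { $Name -like $_ })
    }
    $Missing = $AllKBs | Where-Object { $_ -notin $DC.HotFixes.HotFixID }
    $Newest  = ($DC.HotFixes | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1).InstalledOn

    [pscustomobject]@{
        DC                 = $DC.PSComputerName
        UnexpectedSoftware = $Unexpected.DisplayName -join '; '
        MissingVsPeers     = $Missing -join ', '
        NewestHotFix       = $Newest
        LastBootUp         = $DC.LastBootUp
        RebootPending      = $DC.RebootPending
    }
}
$DcReport | Format-Table -AutoSize
```

A DC that is missing updates its peers have, or that has had a reboot pending since the last patch cycle, is unpatched in practice even if the update was "installed", which is why both columns are in the report.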
Number 7: Computer security settings
The security settings on servers and DCs control everything from administrator and guest account privileges to auditing and the use of removable media. It is therefore important to check these settings regularly against the agreed baseline and to correct them where they have drifted.
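As an added example (not the article's code), the script below exports the effective local security policy and the advanced audit policy from each server and compares selected settings with a baseline. The baseline values, the server list and the file name are assumptions that stand in for an organization's own hardening standard; the audit subcategory names are those of an English Windows installation.

```powershell
# Added example, not part of the original article. Baseline values are assumptions.
Import-Module ActiveDirectory
$Computers = (Get-ADDomainController -Filter *).HostName + @('fs01')   # 'fs01' is an assumed member server

$Collected = Invoke-Command -ComputerName $Computers -ScriptBlock {
    # secedit writes an INI-style file: [Section] headers followed by "Key = Value" lines.
    $Inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $Inf /quiet | Out-Null
    $Policy = @{}; $Section = ''
    foreach ($Line in Get-Content -Path $Inf) {
        if     ($Line -match '^\[(.+)\]$')             { $Section = $Matches[1] }
        elseif ($Line -match '^([^=\s]+)\s*=\s*(.*)$') { $Policy["$Section.$($Matches[1])"] = $Matches[2].Trim() }
    }
    Remove-Item -Path $Inf -Force

    # Audit settings come from auditpol: once advanced audit policy is in use, the legacy
    # [Event Audit] values in the secedit export no longer reflect what is really audited.
    $Audit = @{}
    auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
        ForEach-Object { $Audit[$_.Subcategory] = $_.'Inclusion Setting' }

    [pscustomobject]@{ Policy = $Policy; Audit = $Audit }
}

# "Policy:" keys are Section.Key from the secedit export; "Audit:" keys are auditpol subcategories.
$Baseline = @{
    'Policy:System Access.EnableGuestAccount'     = '0'                     # guest account disabled
    'Policy:System Access.LSAAnonymousNameLookup' = '0'                     # no anonymous SID/name translation
    'Audit:Logon'                                 = 'Success and Failure'
    'Audit:Credential Validation'                 = 'Success and Failure'
    'Audit:Security Group Management'             = 'Success and Failure'   # privileged group changes
    'Audit:User Account Management'               = 'Success and Failure'
    'Audit:Audit Policy Change'                   = 'Success and Failure'   # attackers turn auditing off first
    'Audit:Removable Storage'                     = 'Success and Failure'   # the removable-media control the text mentions
}

$Findings = foreach ($C in $Collected) {
    foreach ($Key in $Baseline.Keys) {
        $Kind, $Name = $Key -split ':', 2
        $Actual = if ($Kind -eq 'Policy') { $C.Policy[$Name] } else { $C.Audit[$Name] }
        if ($Actual -ne $Baseline[$Key]) {
            $Shown = if ($null -eq $Actual) { '<not set>' } else { $Actual }
            [pscustomobject]@{
                Computer = $C.PSComputerName
                Setting  = $Name
                Expected = $Baseline[$Key]
                Actual   = $Shown
            }
        }
    }
}
$Findings | Sort-Object Computer, Setting | Format-Table -AutoSize
```

Running this after every Group Policy change, and not only on a schedule, catches the common case where a new GPO silently overrides a hardening setting that a different GPO had set.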
Number 8: Members of (nested) groups
Membership in a local group gives a user the right to perform various tasks on that computer; membership in the local Administrators group gives full administrative rights on the system. It is therefore important to monitor membership in all local groups, especially the Administrators groups, and to ensure that each group contains only authorized members. Note that a domain group nested in a local group brings all of its (possibly nested) members with it, so a review has to expand those groups as well.
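The script below is an added example (not from the original article) that collects the members of the local Administrators group from every server in the domain and reports anything outside an allow-list. The allow-list names are assumptions; WinRM access to the servers is required.

```powershell
# Added example, not part of the original article. The allow-list entries are assumed names.
Import-Module ActiveDirectory

$NetBIOS   = (Get-ADDomain).NetBIOSName
$Computers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
    Where-Object Enabled | Select-Object -ExpandProperty DNSHostName

# Principals allowed to hold local administrator rights on servers (assumed).
$Allowed = @("$NetBIOS\Domain Admins", "$NetBIOS\Tier1-Server-Admins")

$Members = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    # Address the group by its well-known SID, so a renamed Administrators group is still found.
    # Get-LocalGroupMember fails on a host where a member SID can no longer be resolved
    # (orphaned account); such a host shows up in the "not queried" list below.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'SID'; e = { $_.SID.Value } }
}

$Findings = foreach ($M in $Members) {
    # The machine's own RID-500 Administrator is expected; a domain account ending in -500 is not.
    $IsMachineAdmin = ($M.PrincipalSource -eq 'Local') -and ($M.SID -like 'S-1-5-21-*-500')
    if ($IsMachineAdmin -or ($M.Name -in $Allowed)) { continue }
    [pscustomobject]@{
        Computer = $M.PSComputerName
        Member   = $M.Name
        Type     = $M.ObjectClass       # a domain 'Group' here carries all of its nested members with it
        Source   = $M.PrincipalSource   # Local, ActiveDirectory, AzureAD or MicrosoftAccount
    }
}
$Findings | Sort-Object Computer, Member | Format-Table -AutoSize

# Hosts that returned nothing could not be queried (offline, WinRM, or the orphaned-SID
# error mentioned above) and need a manual look rather than a clean bill of health.
$Computers | Where-Object { $_ -notin $Members.PSComputerName }
```

For every domain group that appears in the findings, the nested expansion from control 3 (`Get-ADGroupMember -Recursive`) gives the actual list of people who hold local admin on that server.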
Number 9: Active Directory Permissions
A critical element of enterprise security is adopting and maintaining a least privilege access model: each user should have the privileges they need to do their job, but no more. That is why it is important to carefully control the AD permissions of each user and administrator. Particular attention should be paid to inherited permissions: an entry set high in the hierarchy, on the domain head or an OU, propagates to every object below it, so a single over-broad entry can give an account far more than was intended, and it has to be corrected on the object where it was set rather than on the objects that inherit it.
Number 10: Folder permissions of each account in the IT infrastructure
Controlling folder permissions is essential to prevent unauthorized access to sensitive information and data theft. The NTFS permissions of users and groups must therefore be checked regularly, both to increase security and to meet legal requirements.
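Controls 9 and 10 are both ACL reviews, so one added example (written for this edit, not code from the original article) covers both. `Find-RiskyAdAces` lists access-control entries on AD containers and groups that grant take-over rights to principals outside an expected administrator set, including whether the entry is inherited; `Find-RiskyNtfsAces` lists folder entries that give write access to broad groups or that break inheritance below a share root. The function names, the administrator set and the share paths are assumptions.

```powershell
# Added example, not part of the original article. Function names, the administrator
# set and the share paths are assumptions.
Import-Module ActiveDirectory      # also provides the AD: drive that Get-Acl uses below

$Domain  = Get-ADDomain
$NetBIOS = $Domain.NetBIOSName
# Trustees expected to hold powerful rights (assumed; extend for Exchange, backup, etc.).
$ExpectedAdmins = @("$NetBIOS\Domain Admins", "$NetBIOS\Enterprise Admins",
                    'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Find-RiskyAdAces {
    param([string]$SearchBase = $Domain.DistinguishedName)
    # Rights that allow taking control of the object or of everything below it.
    # ExtendedRight includes, among others, the replication rights needed for a DCSync.
    $Dangerous = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|ExtendedRight'
    # Containers are where inherited ACEs originate, groups are where membership is controlled;
    # add (objectClass=user) to also review entries set on individual accounts.
    $Filter = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container)(objectClass=group))'
    foreach ($O in Get-ADObject -SearchBase $SearchBase -LDAPFilter $Filter) {
        $Acl = Get-Acl -Path "AD:\$($O.DistinguishedName)"
        foreach ($Ace in $Acl.Access) {
            if ($Ace.AccessControlType -ne 'Allow') { continue }
            if ($Ace.ActiveDirectoryRights -notmatch $Dangerous) { continue }
            if ($Ace.IdentityReference.Value -in $ExpectedAdmins) { continue }
            [pscustomobject]@{
                Object     = $O.DistinguishedName
                Trustee    = $Ace.IdentityReference.Value
                Rights     = $Ace.ActiveDirectoryRights
                ObjectType = $Ace.ObjectType     # all-zero GUID = whole object; otherwise one attribute or control right
                Inherited  = $Ace.IsInherited    # True: set on an ancestor, and must be fixed there
                AppliesTo  = $Ace.InheritanceType
            }
        }
    }
}

function Find-RiskyNtfsAces {
    param([string[]]$Root, [int]$Depth = 3)
    $BroadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', "$NetBIOS\Domain Users")
    $WriteRights = 'FullControl|Modify|Write|Delete|ChangePermissions|TakeOwnership'
    $Folders = foreach ($R in $Root) {
        Get-Item -LiteralPath $R
        Get-ChildItem -LiteralPath $R -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue
    }
    foreach ($F in $Folders) {
        $Acl = Get-Acl -LiteralPath $F.FullName
        foreach ($Ace in $Acl.Access) {
            if ($Ace.AccessControlType -ne 'Allow') { continue }
            $Who        = $Ace.IdentityReference.Value
            $BroadWrite = ($Who -in $BroadGroups) -and ($Ace.FileSystemRights -match $WriteRights)
            # An explicit (non-inherited) entry below the share root is a deliberate exception
            # to the share's design and should have an owner who can justify it.
            $Exception  = (-not $Ace.IsInherited) -and ($F.FullName -notin $Root) -and ($Who -notin $ExpectedAdmins)
            if (-not ($BroadWrite -or $Exception)) { continue }
            $Reason = if ($BroadWrite) { 'broad group can write' } else { 'explicit permission below share root' }
            [pscustomobject]@{
                Path      = $F.FullName
                Trustee   = $Who
                Rights    = $Ace.FileSystemRights
                Inherited = $Ace.IsInherited
                Reason    = $Reason
            }
        }
    }
}

Find-RiskyAdAces | Sort-Object Object | Format-Table -AutoSize
Find-RiskyNtfsAces -Root '\\fs01\Finance', '\\fs01\HR' |                        # assumed shares
    Export-Csv -Path .\ntfs-findings.csv -NoTypeInformation
```

In the AD report, an `Inherited = True` row on many objects under one OU is the pattern the text warns about: one entry on the OU is the cause, and removing it from the individual objects does nothing until it is removed at the source.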
The controls listed are clearly necessary to ensure the security of an organization's Active Directory environment. In practice, however, implementation often fails because the IT team lacks the time. Unless the IT infrastructure is very small, automation with suitable tools is essential; only then can the controls run automatically and produce the corresponding reports, which relieves the security team considerably.