Imagine having to consolidate the directory services of an organization with over 100,000 users, 300 administrators and thousands of PCs. That was the problem Wayne Glabais faced in 2009 when the province of Alberta decided to merge 14 regional and local health authorities into Alberta Health Services.
It could have been a management and security nightmare with misconfigured accounts.
Fortunately for him, some of the entities used a platform from Quest Software (now part of Dell Inc.) called ActiveRoles Server (ARS), which adds management and security tools to Microsoft’s Active Directory that it doesn’t include.
“One of the challenges with having 14 organizations is they all had their own procedures for managing their environments,” Glabais said in an interview. “With Active Roles Server there are provisioning policies that you can build out where you can define what access you want to give to administrators and also what occurs when they provision. So you can do things like create a policy that when an account is created it adds things like personal log-in, email account, define fields for administrators to use special characters.
“It allowed us to keep our new directory quite clean and managed.”
Without ARS the consolidation — which took three years — “would have been extremely painful,” he added.
Active Directory is one of the most used directory services platforms in enterprises, in part because it comes free with Windows Server. That makes it a prime target for attackers hungry for user credentials.
But it doesn’t come with all the tools organizations need to make it secure and to integrate it with other user directories, such as audit, login tracking and change control. So CISOs may have to add solutions that perk up Active Directory with capabilities such as user behaviour analytics, change monitoring, alerting, provisioning and deprovisioning of user accounts in bulk, and managing ownership and administration of Group Policy Objects.
Last month Forrester Research looked at seven of them, including ActiveRoles Server (re-named this week to just ActiveRoles); Imanami’s GroupID; ManageEngine’s ADAudit Plus and ADManager Plus; Micro Focus’ Directory and Resource Administrator, Change Guardian for Windows, Change Guardian for Active Directory and Group Policy Administrator; Netwrix’s Auditor; Stealthbits Technologies’ StealthAudit and StealthIntercept; and Varonis’ DatAdvantage for Directory Services.
(Other solutions that focus on security-related capabilities such as access and identity management and backup and recovery may also be important, but the Forrester report only looked at Active Directory-focused software.)
“Active Directory is among the most widely deployed infrastructure solutions by organizations world-wide,” noted Forrester analyst and report co-author Merritt Maxim. “It’s a very important asset in terms of authentication, and obviously, because of that it’s a tempting target for hackers.”
But, he added, many organizations have been reluctant to touch or pay much attention to it. However, he said, for better security they need more visibility than Active Directory alone provides.
The challenge, Maxim said, is most organizations are organic — they make acquisitions, sell divisions and reorganize, so new user groups constantly get added and it isn’t uncommon for people to change groups. With security teams often delegating someone in a group to be its administrator, all that movement leads to the potential for misconfiguration or approvals outside corporate policy. The result is users who have excessive privileges or group memberships not appropriate to their job role.
There are lists of Active Directory best practices. But, comments Derek Melber, technical evangelist for Active Directory solutions at ManageEngine, “if you just rely on a document that tells you what to set for security and you go in Group Policies and set that security and walk away, things are going to change. What I’m trying to get the world to understand is that security hardening does not stop at configuring. It’s a day by day, minute by minute monitoring of the configuration you’ve put in place.”
Of his company’s solutions, the Web-based ADManager Plus allows bulk management of user accounts and other AD objects, delegates role-based access to help desk technicians, and generates an extensive list of AD Reports.
ADAudit Plus is a change monitoring and alerting solution that takes security logs from AD domain controllers.
Last month Stealthbits released version 7.1 of StealthAudit, which adds support for Microsoft’s Azure cloud-based directory service and Dropbox for Business, improves NAS and UNIX support, improves file owner activity alerts, and adds a number of product efficiency enhancements.
StealthIntercept analyzes authentication traffic through Active Directory for evidence of account hacking, brute force attacks, and horizontal account movement. The recently-updated version adds searches for pre-authentication failures, breached passwords, concurrent logins, impersonation logins, and golden ticket attacks.
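The kinds of checks StealthIntercept and ADAudit Plus are described as performing come down to detection logic over domain controller security events. The following is an added example written for this article, not code from Stealthbits, ManageEngine or any other product named above. It runs over a handful of constructed log lines (event IDs 4625 and 4624 are the real Windows Security IDs for failed and successful logons; the accounts, workstations and addresses are made up) and flags a burst of failures from one source that is followed by a success, plus the concurrent logins from two workstations that the article mentions.

```python
"""Authentication-log detection over constructed Windows Security events.

Each sample line is "timestamp,event_id,account,workstation,source_ip".
4625 (logon failure) and 4624 (successful logon) are the real Windows
Security event IDs; the log lines themselves are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five quick failures for jdoe followed by a success,
# asmith logging on from two workstations a minute apart, and ordinary noise.
SAMPLE_LOG = """\
2016-03-10T08:00:01,4625,jdoe,WS-ALPHA,10.1.1.20
2016-03-10T08:00:03,4625,jdoe,WS-ALPHA,10.1.1.20
2016-03-10T08:00:05,4625,jdoe,WS-ALPHA,10.1.1.20
2016-03-10T08:00:07,4625,jdoe,WS-ALPHA,10.1.1.20
2016-03-10T08:00:09,4625,jdoe,WS-ALPHA,10.1.1.20
2016-03-10T08:00:11,4624,jdoe,WS-ALPHA,10.1.1.20
2016-03-10T08:30:00,4624,asmith,WS-BETA,10.1.2.31
2016-03-10T08:31:00,4624,asmith,WS-GAMMA,10.1.3.44
2016-03-10T09:15:00,4625,bjones,WS-DELTA,10.1.4.9
2016-03-10T11:00:00,4624,bjones,WS-DELTA,10.1.4.9
"""


def parse_events(text):
    """Parse the comma-separated lines into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, host, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "account": account, "host": host, "ip": ip})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Report (account, source_ip) pairs with >= threshold failures inside a
    sliding time window, noting whether a successful logon followed within
    the same window (a guessed password rather than a locked-out attacker)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        key = (e["account"], e["ip"])
        if e["id"] == 4625:
            failures[key].append(e["ts"])
        elif e["id"] == 4624:
            successes[key].append(e["ts"])
    hits = []
    for key, stamps in failures.items():   # stamps are already sorted
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                followed = any(ts < s <= ts + window for s in successes[key])
                hits.append({"account": key[0], "source_ip": key[1],
                             "failures": end - start + 1, "success_after": followed})
                break
    return hits


def detect_concurrent_logins(events, window=timedelta(minutes=10)):
    """Report accounts that logged on successfully from two different
    workstations within the window."""
    logons = defaultdict(list)
    for e in events:
        if e["id"] == 4624:
            logons[e["account"]].append((e["ts"], e["host"]))
    hits = set()
    for account, entries in logons.items():
        for i, (t1, h1) in enumerate(entries):
            for t2, h2 in entries[i + 1:]:
                if t2 - t1 > window:
                    break
                if h1 != h2:
                    hits.add((account, h1, h2))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in detect_brute_force(evs):
        print("brute force:", hit)
    for hit in detect_concurrent_logins(evs):
        print("concurrent logins:", hit)
```

The thresholds and windows are arbitrary starting points; in a real deployment they are tuned per domain, and the source address would come from the event's IpAddress field rather than a CSV column.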
Micro Focus’ Change Guardian monitors critical files, systems and applications in real time to detect unauthorized privileged-user activity, while Directory and Resource Administrator is for auditing.
Netwrix Auditor recently released version 7.1, which adds the ability to identify the root cause of security incidents and collect evidence for compliance even if it lies in the distant past. It also automates deactivation of inactive user accounts and reminds AD users to change their passwords before they expire.
Dell’s re-named Active Roles software was updated this week with a new user interface. It also adds the ability for administrators to make changes from mobile devices, freeing them from sticking to the office.
“It’s unwise to look at Active Directory as an island. It has to be considered part of the overall infrastructure,” said Todd Peterson, Dell’s senior product manager and identity and access management evangelist. “Often customers have a problem with Active Directory and so they’ll solve that problem in a short-sighted way, which means the next problem has to be solved in another way, whereas if they approved it from a more 30,000-foot view they’ll be able to solve a lot of problems at once.”
Varonis DatAdvantage for Directory Services collects metadata from AD and file systems to monitor how and when users authenticate to AD to get access to network resources.
According to David Gibson, the company’s vice-president of strategy and market development, the upcoming version 6.2 will add predictive threat models that can be used to analyze and detect everything from insider threats and outsider attacks to CryptoLocker infections and suspicious behavior.
“Usually what we see when we go in and do a risk assessment in an organization is they really don’t realize how their Active Directory is laid out, how many stale users they have, how much data is open to everybody in the company,” he said.
His solution builds a profile of every user that lists who the administrator is, what service accounts the user accesses, how sensitive the data each user normally accesses is and how much stale data is normally accessed, all in preparation for when unusual activity is spotted.
Imanami’s GroupID is a suite of four separately-sold modules for Active Directory (Automate, which automates membership; Self-Service, which lets users manage their own profile and groups; Synchronize, to provision accounts or update attributes; and Password Center, which allows users to reset passwords).
“Our software allows administrators to identify the types of criteria for membership in a group, then automates adding and removing of members,” says Jonathan Blackwell, the company’s product manager.
Finally, Forrester’s Maxim reminds CISOs that these solutions won’t help if Active Directory itself isn’t in good shape before they are implemented.
“There’s still an ongoing need to keep your employee information up to date and streamlined and not allowing that to languish over time so you end up with orphan accounts that could be compromised,” he said. It can be as simple as consolidating the number of domains and domain controllers to make AD easier to manage.
While vendors can help, the work can be done with a cross-functional group including audit, compliance, operations and security teams to identify issues.
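Netwrix Auditor's deactivation of inactive accounts, its password-expiry reminders, and Maxim's warning about orphan accounts all come down to a sweep over a few user attributes. The following added example (written for this article, not code from Netwrix or any other vendor) runs that sweep over a constructed snapshot of user objects. The attribute names, the 100-nanosecond FILETIME encoding and the userAccountControl bit values are the real Active Directory ones; the accounts, dates, the 90-day inactivity cutoff and the 90-day maximum password age are assumptions chosen for the illustration.

```python
"""Stale-account and password-expiry sweep over a constructed snapshot of
Active Directory user attributes. Not tied to any real domain or product."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NORMAL_ACCOUNT = 0x0200        # real userAccountControl bit values
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000


def filetime_to_datetime(ft):
    """AD stores timestamps as 100 ns ticks since 1601-01-01 UTC; 0 means 'never'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Exact integer conversion back to 100 ns ticks."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


NOW = datetime(2016, 3, 10, tzinfo=timezone.utc)   # constructed 'current time'


def _days_ago(n):
    return datetime_to_filetime(NOW - timedelta(days=n))


# Constructed snapshot; attribute names match the real AD schema.
SNAPSHOT = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": _days_ago(3), "pwdLastSet": _days_ago(80), "whenCreated": _days_ago(700)},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": _days_ago(120), "pwdLastSet": _days_ago(30), "whenCreated": _days_ago(900)},
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "lastLogonTimestamp": _days_ago(400), "pwdLastSet": _days_ago(400), "whenCreated": _days_ago(1000)},
    {"sAMAccountName": "dave", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": _days_ago(10), "pwdLastSet": _days_ago(95), "whenCreated": _days_ago(300)},
    # Service account that has never logged on interactively and is exempt from expiry.
    {"sAMAccountName": "svc_backup", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "lastLogonTimestamp": 0, "pwdLastSet": _days_ago(400), "whenCreated": _days_ago(200)},
]

# Domain policy: maxPwdAge is stored as a negative 100 ns interval (assumed 90 days here).
MAX_PWD_AGE = -datetime_to_filetime(EPOCH_1601 + timedelta(days=90))


def is_enabled(acct):
    return not acct["userAccountControl"] & ACCOUNTDISABLE


def find_stale_accounts(accounts, now=NOW, inactive_days=90):
    """Enabled accounts with no logon inside the cutoff; accounts that have never
    logged on count as stale once they are older than the cutoff."""
    cutoff = now - timedelta(days=inactive_days)
    stale = []
    for a in accounts:
        if not is_enabled(a):
            continue
        last = filetime_to_datetime(a["lastLogonTimestamp"])
        reference = last if last is not None else filetime_to_datetime(a["whenCreated"])
        if reference < cutoff:
            stale.append(a["sAMAccountName"])
    return stale


def password_status(accounts, max_pwd_age=MAX_PWD_AGE, now=NOW, warn_days=14):
    """Classify each enabled account's password as never / must-change / expired /
    expiring (within warn_days) / ok, the basis for an expiry reminder."""
    lifetime = timedelta(microseconds=-max_pwd_age // 10)
    status = {}
    for a in accounts:
        if not is_enabled(a):
            continue
        name = a["sAMAccountName"]
        if a["userAccountControl"] & DONT_EXPIRE_PASSWORD:
            status[name] = "never"
        elif a["pwdLastSet"] == 0:          # 0 means 'must change at next logon'
            status[name] = "must-change"
        else:
            expires = filetime_to_datetime(a["pwdLastSet"]) + lifetime
            if expires <= now:
                status[name] = "expired"
            elif expires - now <= timedelta(days=warn_days):
                status[name] = "expiring"
            else:
                status[name] = "ok"
    return status


if __name__ == "__main__":
    print("stale:", find_stale_accounts(SNAPSHOT))
    print("passwords:", password_status(SNAPSHOT))
```

One caveat when using lastLogonTimestamp for this: it is replicated between domain controllers but, by default, only rewritten when the stored value is more than 14 days old, so an account can look up to two weeks more stale than it is; the per-DC lastLogon attribute is exact but must be read from every domain controller. The inactivity cutoff should leave room for that slack.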