10 reasons you absolutely need a reporting solution for active directory to pass audits

8/2/2019 10 Reasons You Absolutely Need a Reporting Solution for Active Directory to Pass Audits

1/17

10 Reasons You Absolutely Need anActive Directory Reporting Solution to

Pass Audits, Improve Security and Reduce Costs

Written by

Randy Franklin Smith

CEO, Monterey Technology Group, I nc.

Publisher of UltimateWindowsSecurity.com

White Paper


2/17

200 9 Ques t Sof tw are , I nc . A l l r i gh t s reserved .

This guide contains proprietary information, which is protected by copyright. The

software described in this guide is furnished under a software license ornondisclosure agreement. This software may be used or copied only in accordance

with the terms of the applicable agreement. No part of this guide may be reproducedor transmitted in any form or by any means, electronic or mechanical, including

photocopying and recording for any purpose other than the purchaser's personal use

without the written permission of Quest Software, Inc.

WARRANTY

The information contained in this document is subject to change without notice.Quest Software makes no warranty of any kind with respect to this information.

QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE

MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Softwareshall not be liable for any direct, indirect, incidental, consequential, or other damage

alleged in connection with the furnishing or use of this information.

TRADEMARKS

Quest, Quest Software, the Quest Software logo, AccessManager, Aelita, Akonix,

AppAssure, Benchmark Factory, Big Brother, BusinessInsight, ChangeAuditor,DataFactory, DeployDirector, DirectoryAnalyzer, DirectoryTroubleshooter, DNS

Analyzer, DSExpert, ERDisk, Foglight, GPOAdmin, iToken, I/Watch, Imceda, InLook,IntelliProfile, InTrust, Invirtus, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed,

LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl,Npulse, NetPro, PassGo, PerformaSure, Quest Central, Quest vToolkit, Quest

vWorkSpace, ReportADmin, RestoreADmin, SelfServiceADmin, SharePlex, Sitraka,

SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat,

StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World,vAutomator, vControl, vConverter, vFoglight, vOptimizer Pro, vPackager, vRanger,

vRanger Pro, vSpotlight, vStream, vToad, Vintela, Virtual DBA, VizionCore,Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore

vMigrator, Vizioncore vReplicator, Vizioncore vTraffic, Vizioncore vWorkflow, Xaffire,and XRT are trademarks and registered trademarks of Quest Software, Inc in the

United States of America and other countries. Other trademarks and registered

trademarks used in this guide are property of their respective owners.

World Headquarters

5 Polaris Way

Aliso Viejo, CA 92656www.quest.com

e-mail: [email protected]. and Canada: 949.754.8000

Please refer to our Web site for regional and international office information.

April, 2009


3/17

CONTENTS

I NTRODUCTI ON .. . . . . .. . . . . . . .. . . . . . .. . . . . . .. . . . . . .. . . . . . . .. . . . . . .. . . . . . .. . . . . . .. . . . . . .. . . . . . . .. 4 10 I ND I SPENSABLE REPORTS .. . . . . .. . . . . . .. . . . . . .. . . . . . .. . . . . . .. . . . . . . .. . . . . . .. . . . . . .. . . 5

1.DORMANT ACCOUNTS ........................................................................ 5

2.USERS NOT REQUIRED TO CHANGE PASSWORDS ........................................ 63.GROUPS WITH MEMBERS .................................................................... 74.GROUP NESTING .............................................................................. 85.ACTIVE DIRECTORY PERMISSIONS.......................................................... 96.GENERAL USERS REPORT ................................................................... 107.SECURITY SETTINGS/POLICY REPORT FOR DOMAIN CONTROLLERS................... 118.DOMAIN CONTROLLER SERVICES .......................................................... 129.DOMAIN CONTROLLER SECURITY LOG SETTINGS........................................ 1310.TRUST RELATIONSHIPS.................................................................... 14

CONCLUSI ON .................................... ..................................... .......... 1 5 ABOU T THE AUTHOR ..................................... ................................... 16 ABOUT QUEST SOFTWA RE, I NC. ...................................................... 17

CONTACTING QUEST SOFTWARE .............................................................. 17CONTACTING QUEST SUPPORT ................................................................ 17

3


4/17

I NTRODUCTI ON

If there is one thing lacking in native Active Directory functionality, its reporting. And

if there's one thing you absolutely need in order to be secure, control costs and pass

audits, it's reporting.

Active Directory (AD) has no built-in reporting capability. In fact, an administrator

cant even obtain simple listings, such as all user accounts and their properties, or a

group membership report. Native command line utilities, such as net user, may

provide a list of user names, but they fail to list any of the account properties, such as

description, account restrictions, job title or department. Other utilities, such as

csvde, can dump any object and its properties from AD, but many properties

(especially security-related properties) store their values in a cryptic codes or binary

format, which is impossible for an administrator to analyze. Technologies such as

Windows Management Instrumentation (WMI) and Active Directory Services Interface

(ADSI) promise easy access to AD and Windows system information, but significant

investment is required for knowledgeable scripting programmers to learn the object

models, schema and idiosyncrasies of each technology.

Nevertheless, reporting is indispensable for managing AD, supporting audits and

meeting compliance requirements. For medium and large organizations, AD is the

repository of thousands of objects critical to the security of an organizationmost

notably user accounts and groups. Keeping so many objects up to date and

accounted for is difficult. And after 10 years of AD auditing experience, Ive learned

that its impossible without a minimum of basic reporting capabilities. With no AD

reporting, organizations inevitably lose track of user accounts, groups and other

objects, leading to security vulnerabilities and policy violations. Moreover,

administrators and auditors waste time collecting audit evidence when both

could be focusing on higher-value tasks.

Quest Reporter provides all ofthese reports. Exam ples are

provided below, and the reportdefinitions are available at QuestsCompliance Suite Community at

Hhttp://compliancesuite.inside.quest.com/entry!default.jspa?categoryID= 82&externalID= 2794H.

This paper describes 10 types of reports

that are indispensable for managing AD

security, satisfying audit requests, and

meeting compliance requirements.

You need to make sure that your

organization can produce these reports

and act upon them.

4


5/17

1 0 I NDI SPENSABLE REPORTS

1 . Do rm an t Accoun t s

Dormant accounts are those for users who have not logged on in a specified amount

of time (usually 30 or 90 days). They often belong to terminated employees whose

accounts were not disabled or deleted. Failing to disable or delete accounts creates a

major risk, since a terminated employee may be able to continue accessing the

organizations network and information and may have reason to do harm. Of course

terminated users who are still accessing the network will be omitted from this report,

since their accounts will have a recent log-on date. Therefore this report, when

compared with HR reports identifying terminated employees, can serve as a key

performance indicator that measures the organizations effectiveness in disabling

accounts when a relationship is terminated.

Va lue Po in ts fo r Do rm an t Accoun t s

Compl iance : Validate process for

disabling accounts of terminated

employees

Secur i ty : I dentify failures in

term ination process

Cost Savin gs: Fulfill IT audit reques

with pr actically no effort; allow

administrators to focus on higher-

value tasks

On some versions of AD, producing a report on dormant accounts is a special

challenge. While each domain controller faithfully records the date and time whenever

it authenticates a user account, Windows2000 and 2003 do not replicate this value.

Therefore the reporting solution must query

each domain controller to determine the

most recent log-on date and time. Windows

Server 2008 in highest functionality mode

solves this problem with a new field called

LastLogonTimeStamp, which is replicated

every seven days. Disabled and expired

accounts should be omitted from the report.

Quest R epo r te r Ex amp le 1 - D o r man t Ac coun ts

5


6/17

6

Ques t Repor t e r Example 2 - Users Not Requ i red t o Change Password

Va lue Po in ts fo r Use rs No t Requ i r ed

to Chang e Passw ord s

Compl iance : Validate control for

regular password changes

Secur i ty : I dentify policy violations


with practically no effort; allow

administrators t o focus on higher-

value tasks

2. Users Not Requ i r ed to Chang e Passw ord s

For most organizations, passwords are still the key security control for preventing

unauthorized access by both outsiders and insiders. However, humans tend to avoid

inconvenience and take short cuts, which can lead to easy-to-guess passwords,

password sharing and other bad practices. To protect passwords, organizations often

implement a maximum password age policy that forces users to change their

passwords on a regular basis.

AD provides a domain-wide setting, Maximum Password Age, which by default applies

to all user accounts in the domain. However, a user account-level setting, Password

does not expire, overrides the domain setting

and makes particular users exempt from

password changes. Audits frequently find

that senior employees intimidate

administrators into using this setting to

excuse them from password changes. This is

dangerous because they typically have

privileged access to important informationand transactions; this makes protecting their

passwords even more important.


7/17

3 . Groups w i t h M em bers

AD groups are used to control access to resources, including file folders, objects in

SharePoint, databases, VPN access, and other application resources. Administrators

and decision makers must periodically review group memberships to ensure that

entitlements are appropriate and up to date.

Va lue Po in ts fo r Groups w i th Mem ber

Compl iance : Validate entitlem ents

and access contr ol

Secur i ty : Identify inappropriate

access through outdated or

mis-configured group m emberships

Cost Savin gs: Eliminate laborious

GUI-based group m embership review

For added value, this report should document the groups name and description and,

if used, the Notes field and Managed By information. These fields can be used to

document entitlements granted to that

group, as well as the business user who

approves any membership changes. Member

columns may include user name, full name,

description, job title and department, if these

fields are populated in AD. Including this

information in the report allows reviewers to

quickly assess the appropriateness of any

entitlements and spot errors.

Quest R epo r te r Ex amp le 3 - G r oups w i th Member s

7


8/17

8

Ques t Repor t e r Exam ple 4 - Group Nes t in g

Va lue Poin ts fo r Group Nes t i ng

Compl iance : Validate leastprivilege control

Secur i ty : Discover inappropriat eusers with un limited authority

Cost Savin gs: Eliminate t imeconsum ing and laborious research

to r eveal collapsed group

membership of nested groups

4. Gro up Nes t in g

AD allows the nesting of groups. For example, user A may be a member of group 1,

which is a member of group 2, which is a member of group 3; therefore, user A is a

member of group 3. Group nesting is required by an important best practice for

access control in AD, which requires user roles to be separated from entitlements

using at least two levels of groups.1

While group nesting has important benefits, it can lead to some confusion and

misinterpretations of entitlements, especially as the number of nesting levels

increases. Group nesting can become convoluted,and inappropriate entitlements can

be missed. To prevent such oversights, reviewers must be able to view a flat list of all

group members, including those included by direct membership and those included

through nesting. This flat list is especially

important for critical business and system

groups like administrators, domain

administrators and enterprise administrators.

It is not unusual for security audits to find

inappropriate access among members inthese powerful groups because

administrators lack visibility into group

membership. Therefore, a group nesting

report that exposes the full set of members

for each group is critical.

1 See http://msdn.microsoft.com/en-us/library/cc246065(PROT.10).aspx.
http://msdn.microsoft.com/en-us/library/cc246065(PROT.10).aspxhttp://msdn.microsoft.com/en-us/library/cc246065(PROT.10).aspx


9/17

5 . Act i v e D i recto r y Perm issions

ADs delegation of control feature allows organizations to implement least privilege

security, which allows all users to have only those system authorities that are

required to fulfill their roles. This reduces the number of users who have powerful

administrator authority to AD and to the systems and information in the AD forest.

Va lue Po in t s fo r Act i ve D i r ec to r y

Permiss ions

Compl iance : Validate least

privilege control

Secur i ty : Discover inappropriate

user access wit h priv ileged system

authority

Cost Savin gs: Eliminate t ime-

consuming and laborious inspection

of each organizational unit s access

control list

Granular delegation of AD authority is accomplished through permissions defined in

organizational units (OUs). It is very easy to delegate authority, but it is much more

difficult to track and verify delegations: most organizations have several dozen to

hundreds of OUs, and examining a single

OUs access control list using the AD GUI is a

multi-step process. Moreover, the GUI

provides no visual indication of OUs where

the default permissions have changed, so

managing and auditing AD permissions is a

laborious and error-prone process. A report

of AD permissionsespecially one that filters

for explicitly defined permissionsisnecessary for managing least-privilege

assignment of granular administrative

authority.

Quest R epo r te r Ex amp le 5 Ac t i v e D i r ec to r y Per m is sions

9


10/17

6. Gener a l Users Repor t

Managing user accounts and fulfilling audit requests requires the ability to perform ad

hoc analysis of user accounts to answer unforeseen questions.

A spreadsheet application will enable you to

quickly filter and sort based on various

combinations of account propertiesif you

can import user account data and properties

into the spreadsheet.

Va lue Po in t s fo r Genera l Users Repor

Compl iance : Facilitates ad hocanalysis of user accounts for validati

of various controls

Secur i ty : Ease ad hoc analysis toencourage securit y analysts to dig

deeper and ask m ore questions

Cost Savin gs: Eliminat e inefficientone-at-a-t ime analysis of hundreds

or t housands of user account s

Therefore, a general users report that

includes all account properties and that can

be exported to a spreadsheet is required for

efficient analysis and control validation.

Ques t Repor te r Exam ple 6 - Genera l Users Repor t

10


11/17

7 . Secur i t y Set t i n gs / Po l i cy Repor t fo r

Dom a in Con t ro l le rs

Va lue Po in t s fo r Secu r i t y Set t i ngs /

Pol i cy Repo r t f o r Doma in Con t r o l l e r s

Compl iance : Validate system secur

Secur i ty : I dentify operating system

vulnerabilities affecting the entire

Active Directory environment

Cost Savin gs: Speed up syst em

security reviews and audits; allow


value tasks

Fundamentally, AD is an application that runs on domain controllers; therefore, AD is

only as secure as the Windows operating system upon which it runs. While group

policy should ideally be used to keep all domain controllers configured with consistent

security settings, it is possible for individual domain controllers to have inconsistent

and unsecured settings if group policy is

configured incorrectly or if a domain

controller is inadvertently moved outside the

domain controllers OU.

The Security Settings/Policy Report for

Domain Controllers enables you to assess

and track the security configuration state of

each domain controller in an AD environment

by documenting the actual security settings

of each domain controller with a query of its

local effective configuration.

Quest R epo r te r Ex amp le 7 - Sec u r i t y Se t t i ngs / Po l ic y R epo r t f o r D om a in Con t r o l l e r s

11


12/17

8. Dom ain Cont ro l le r Serv i ces

Va lue Po in ts fo r Dom a in Con t r o l l e r

Serv ices Compl iance : Validate system secur

Secur i ty : I dentify operating system

vulnerabilities impacting the ent ire

Active Directory environment

Cost Savin gs: Speed up syst em

security reviews and audits; allow


value tasks

As explained in the preceding section, domain controller security is paramount to AD

security as well as to the security of every computer and resources in the AD

environment. Background processes (called servicesin Windows) constitute the

doorways into a system from over the

network. For this reason, domain controllers

should be dedicated only to domain controllerfunctions...It is essential to avoid installing

any unneeded software, and identify any

inappropriate services that appear on domain

controllers. Ideally, a report listing all

services on each domain controller would

also include the ability to filter known

services that are required by AD.

Ques t Repor t e r Exam ple 8 - Domain Contro l le r Serv ices

12


13/17

9 . Doma in Con t ro l le r Secur i t y Log Se t t ings

The Windows security log allows you to define a maximum log size and configure

what action to take once it is reached. The security log is extremely important for

providing an audit trail of user and administrator activities, meeting compliance

requirements, and detecting unauthorized actions. Organizations should already have

a log management solution in place to regularly collect logs to a secure server for

monitoring, reporting and archival.

Va lue Po in ts fo r Dom a in Con t r o l l e r

Secur i t y Log Se t t ings

Compl iance : Validate m onitoring

and audit tr ail controls

Secur i ty : Ensure audit trails are not

lost dur ing log management out ages


with pr actically no effort; allow


value tasks

However, even with such a solution in place, the local security logs settings are

critical to the integrity of audit logs. When the log management solution is

temporarily down or unreachable, the domain controllers local security log becomes

the staging point where security events accumulate until the log management system

is operable again and can move them to the

central repository. If the security log is not

configured to its maximum recommended

size (200 MB on Windows 2000, 300 MB on

Windows 2003 and later) or configured to

stop logging when the maximum log size isreached, there is a greater chance security

events will be lost. To prevent such losses,

organizations need a report documenting

each domain controllers security log settings.

Quest R epo r te r Ex amp le 9 - D om a in Con t r o l l e r Sec u r i t y Log Se t t i ngs

13


14/17

10 . Trus t Re la t ionsh ips

Va lue Po in ts fo r T rus t Re la t i onsh ips

Compl iance : Validate authenticatio

and single sign-on controls

Secur i ty : Discover weaker trusted

domains that expose local domain

resources to risk


with practically no effort; allow

administrators t o focus on higher-

value tasks

To support single sign-on and ensure the best practice of granting each user one and

only one account, AD supports trust relationships. Trust relationships allow users in

other domains and forests to be granted access to resources in the local domain

without the creation of duplicate user accounts in the local domain. For instance, if

users in domain B need access to certain resources in domain A, a trust relationship

can be defined that allows administrators indomain A to use the existing user accounts in

the domain for granting such access.

However, when domain A trusts domain B,

any weaknesses in domain Bs

authentication, account management,

monitoring, or domain controller security are

immediately inherited by domain A. These

issues drive the need for a report that lists all

incoming trust relationships for each domain

in a given forest.

Ques t Repor t e r Exam ple 10 - Trus t Re la t ionsh ip s

14


15/17

CONCLUSI ON

Managing the security of AD, fulfilling audit requests, and documenting compliance

procedures requires the ability to query and report on the thousands of objects in a

typical AD environment. Organizations without an effective reporting solution for AD:

Waste time managing AD and fulfilling audit requests

Lose track of users and groups, which increases audit findings

Become vulnerable to major security weaknesses

The visibility into AD provided by robust reporting helps organizations improve

security and increase efficiency by eliminating the need to manually search AD

objects one by one through the GUI or write and debug custom scripts. Even in these

budget-constrained times, solutions that assist with AD reporting can be easily

justified due to strengthened security, improved compliance and reduced costs.

15


16/17

ABOUT THE AUTHOR

Randy Franklin Smith is president of Monterey Technology Group, Inc. and creator of

the UltimateWindowsSecurity.com Web site and training course series. As a Systems

Security Certified Professional (SSCP), a Microsoft Most Valued Professional (MVP),

and a Certified Information Systems Auditor (CISA), Randy specializes in Windowssecurity. Randy is an award-winning author of almost 300 articles on Windows

security issues for publications such as Windows IT Pro, for which he is a contributing

editor and author of the popular Windows Security log series. He can be reached at

[email protected].

16
http://www.montereytechgroup.com/RandyFSmith.htmhttp://www.ultimatewindowssecurity.com/http://www.isc2.org/cgi/content.cgi?category=20http://www.isc2.org/cgi/content.cgi?category=20http://mvp.support.microsoft.com/http://www.isaca.org/Template.cfm?Section=CISA_Certification&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=16&ContentID=4526http://www.winnetmag.com/mailto:[email protected]:[email protected]://www.winnetmag.com/http://www.isaca.org/Template.cfm?Section=CISA_Certification&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=16&ContentID=4526http://mvp.support.microsoft.com/http://www.isc2.org/cgi/content.cgi?category=20http://www.isc2.org/cgi/content.cgi?category=20http://www.ultimatewindowssecurity.com/http://www.montereytechgroup.com/RandyFSmith.htm


17/17

ABOUT QUEST SOFTWARE, I NC.

Quest Software, Inc., a leading enterprise systems management vendor, deliversinnovative products that help organizations get more performance andproductivity from their applications, databases, Windows infrastructure and

virtual environments. For applications, we deliver, manage and control complexapplication environments from end-user to database. For databases, we improveperformance, availability and manageability from design through production. ForWindows, we simplify, automate secure and extend your infrastructure. And forvirtual environments, we help you automate and control virtual desktop andserver environments to reduce costs and simplify ongoing management. Througha deep expertise in IT operations and a continued focus on what works best,Quest helps more than 100,000 customers worldwide meet higher expectationsfor enterprise IT. Quest Software can be found in offices around the globe andwww.quest.com.

Cont act in g Ques t So f t w are

Phone: 949.754.8000 (United States and Canada)Email: [email protected]: Quest Software, Inc.

World Headquarters5 Polaris WayAliso Viejo, CA 92656USA

Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Cont act ing Quest Supp or tQuest Support is available to customers who have a trial version of a Quest

product or who have purchased a commercial version and have a validmaintenance contract. Quest Support provides around the clock coverage withSupportLink, our web self-service. Visit SupportLink at http://support.quest.com

From SupportLink, you can do the following:

Quickly find thousands of solutions (Knowledgebase articles/documents).

Download patches and upgrades.

Seek help from a Support engineer.

Log and update your case, and check its status.

View the Global Suppor t Guidefor a detailed explanation of support programs,online services, contact information, and policy and procedures. The guide isavailable at: http://support.quest.com/pdfs/Global Support Guide.pdf
http://www.quest.com/mailto:[email protected]:[email protected]://www.quest.com/http://www.quest.com/http://support.quest.com/http://support.quest.com/http://support.quest.com/pdfs/Global%20Support%20Guide.pdfhttp://support.quest.com/pdfs/Global%20Support%20Guide.pdfhttp://support.quest.com/pdfs/Global%20Support%20Guide.pdfhttp://support.quest.com/http://www.quest.com/mailto:[email protected]://www.quest.com/

10 reasons you absolutely need a reporting solution for active directory to pass audits

Documents