How to best protect Active Directory in your organization
Alistair Holmes, Senior Systems Consultant
Security concerns with Active Directory
• Protecting critical data and enforcing policies to eliminate unregulated access
• Granting users and administrators correct access to what they need – nothing more
• Knowing what changed, when, and who made the change
• Overcoming reporting limitations to achieve necessary visibility and tracking
Management concerns with Active Directory
• Overcoming inadequacies of native tools
• Improving the efficiency of time-consuming and error-prone user and group creation and modification
• Reducing operational costs
• Improving reporting capabilities
The Basics
• Always follow Microsoft's "Best Practices for Securing Active Directory"
• Available from the Microsoft website
• 314 pages / 22 main bullet points
• In a nutshell:
  – Patch everything.
  – Monitor sensitive objects.
  – Eliminate highly privileged group membership.
  – Implement least-privilege RBAC.
  – Migrate critical assets to pristine forests with stringent security and monitoring requirements. (17/22)
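As an added illustration of the "eliminate highly privileged group membership" and "monitor sensitive objects" items (this is not code from the presentation, from Active Roles, or from Microsoft's document), the following PowerShell enumerates the effective, nested membership of the groups Microsoft's guidance treats as highest privilege and lists recent changes to those groups from the Security log. It assumes the RSAT ActiveDirectory module, that it runs on a domain controller or against a collected copy of the domain controllers' Security log, and that the "Audit Security Group Management" subcategory is enabled; the event property positions used are those of Microsoft's event schema for 4728/4732/4756 and their removal counterparts.

```powershell
# Added example, not from the presentation: enumerate effective membership of the
# highest-privilege AD groups and list recent changes to them from the Security log.
# Assumptions: RSAT ActiveDirectory module; run on a domain controller (or against a
# forwarded Security log); "Audit Security Group Management" is enabled.
Import-Module ActiveDirectory

# Groups Microsoft's guidance says should be (nearly) empty day to day. Enterprise Admins
# and Schema Admins exist only in the forest root domain, so they may be skipped below.
$PrivilegedGroups = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)

function Get-PrivilegedMembership {
    # Expands nested membership and reports what a reviewer needs: is the account
    # enabled, is it AdminSDHolder-protected (adminCount = 1), and how stale is it.
    foreach ($g in $PrivilegedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties LastLogonDate, PasswordLastSet, adminCount, Enabled |
            ForEach-Object {
                $pwdAge = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
                [pscustomobject]@{
                    Group           = $g
                    User            = $_.SamAccountName
                    Enabled         = $_.Enabled
                    AdminCount      = $_.adminCount
                    LastLogonDate   = $_.LastLogonDate
                    PasswordAgeDays = $pwdAge
                }
            }
    }
}

function Get-PrivilegedGroupChanges {
    # 4728/4732/4756: member added to a security-enabled global/local/universal group;
    # 4729/4733/4757: member removed. Property positions follow Microsoft's event schema:
    # 0 = MemberName, 2 = TargetUserName (the group), 6 = SubjectUserName (who did it).
    param([int]$Days = 7)
    $added  = 4728, 4732, 4756
    $filter = @{
        LogName   = 'Security'
        Id        = @(4728, 4729, 4732, 4733, 4756, 4757)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        if ($PrivilegedGroups -contains $p[2].Value) {
            $action = if ($added -contains $_.Id) { 'Added' } else { 'Removed' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = $action
                Group  = $p[2].Value
                Member = $p[0].Value      # DN of the user or group that was added/removed
                By     = $p[6].Value
            }
        }
    }
}

Get-PrivilegedMembership | Sort-Object Group, User | Format-Table -AutoSize
Get-PrivilegedGroupChanges -Days 7 | Format-Table -AutoSize
```

Two caveats when reading the output: Get-ADGroupMember does not return accounts whose primaryGroupID points at the group, so an attacker who sets a user's primary group to Domain Admins (RID 512) will not appear in the first report; and the event report only covers changes made after auditing was enabled, so the membership listing, not the event log, is the baseline.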
Active Roles
• Active Roles is used globally to manage and secure more than 60 million Active Directory user accounts
• Active Roles is in use at more than 2,500 companies worldwide
• Product has been in existence since 2003
• Deployments range in size from 250 to 800K+ users
• Complement and extend your identity and access management strategy
Employee management use case
• Managing the entire lifecycle of user and group identities is one of the most time-consuming IT tasks. Every time a new employee is hired, a current employee leaves the company or simply changes department, there are multiple IT tasks that must be performed on various systems and applications.
• Most organizations find that it takes days or even weeks to fully grant access to everything a new user needs. That's a colossal waste of time and money.
Employee account creation
• Organizational structure of the "Green" company consists of one domain, GREEN.COM, distributed across several locations, with "Users", "Groups" and "Computers" organizational units in each city: NYC and Boston
• The company has the following policies configured (Configuration/Policies/Administration/Enterprise policies):
• Employee account creation:
  – User logon name generation
  – Email alias generation
  – Home folder provisioning policies
  – Exchange mailbox provisioning policy
  – Property validation and generation for cn, displayName, UPN attributes, Office Location and Department
  – Group membership auto-provisioning
Assign users to groups
Configure
• Add user to groups and distribution lists
• Grant access to applications
• Assign group memberships and role
• Assign admin permissions
• Create user accounts on connected systems
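The account-creation policies and the "assign users to groups" step above are one provisioning procedure. As an added example (native PowerShell written here for illustration, not Active Roles' policy engine or any code from the presentation), the following implements the GREEN.COM policies with the AD cmdlets: logon-name and mail-alias generation with collision handling, validation of Office Location and Department, placement in the city OU, home-folder provisioning and department-driven group membership. The OU nesting (Users under each city OU), the file server name and the department-to-group mapping are assumptions; the Exchange mailbox policy is left out because it needs the Exchange management cmdlets.

```powershell
# Added example, not Active Roles code: native-AD sketch of the GREEN.COM provisioning
# policies. OU layout, file server and department->group mapping are assumptions.
Import-Module ActiveDirectory

$Domain      = 'green.com'
$DomainDN    = 'DC=green,DC=com'
$NetBios     = (Get-ADDomain).NetBIOSName
$HomeShare   = '\\files.green.com\home'         # assumed file server
$Cities      = @('NYC', 'Boston')                # one OU tree per city, as on the slide
$Departments = @{                                # assumed department -> groups policy
    'Finance'     = @('GG-Finance', 'DL-Finance-All')
    'Engineering' = @('GG-Engineering', 'DL-Eng-All')
    'IT'          = @('GG-IT', 'DL-IT-All')
}

function New-InitialPassword {
    # 20 characters from a 64-symbol alphabet (no I/O/l/0/1) drawn from the OS CSPRNG;
    # 256 % 64 == 0, so the modulo introduces no bias.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*-_'
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function New-UniqueValue {
    # Returns $Base, or $Base2, $Base3, ... until $Exists (scriptblock) reports no clash.
    param([string]$Base, [scriptblock]$Exists)
    $candidate = $Base; $i = 1
    while (& $Exists $candidate) { $i++; $candidate = "$Base$i" }
    return $candidate
}

function New-GreenEmployee {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$City,
        [Parameter(Mandatory)][string]$Department,
        [string]$Title
    )
    # Property validation: only locations and departments the policy knows.
    if ($City -notin $Cities) { throw "Unknown office location '$City'" }
    if (-not $Departments.ContainsKey($Department)) { throw "Unknown department '$Department'" }

    # Logon name generation: initial + surname, ASCII letters/digits, capped so that a
    # collision suffix still fits the 20-character sAMAccountName limit.
    $base = (($GivenName.Substring(0, 1) + $Surname) -replace '[^A-Za-z0-9]', '').ToLower()
    if ($base.Length -gt 18) { $base = $base.Substring(0, 18) }
    $sam = New-UniqueValue -Base $base -Exists { param($c) [bool](Get-ADUser -Filter "sAMAccountName -eq '$c'") }

    # Email alias generation: given.surname, also made unique on the mail attribute.
    $aliasBase = ("$GivenName.$Surname" -replace '[^A-Za-z0-9.]', '').ToLower()
    $alias = New-UniqueValue -Base $aliasBase -Exists { param($c) [bool](Get-ADUser -Filter "mail -eq '$c@$Domain'") }

    $display = "$GivenName $Surname"
    $homeDir = Join-Path $HomeShare $sam
    $initial = New-InitialPassword

    $params = @{
        Name = $display; DisplayName = $display; GivenName = $GivenName; Surname = $Surname
        SamAccountName = $sam; UserPrincipalName = "$sam@$Domain"; EmailAddress = "$alias@$Domain"
        Department = $Department; Office = $City
        Path = "OU=Users,OU=$City,$DomainDN"                     # assumed OU nesting
        HomeDirectory = $homeDir; HomeDrive = 'H:'
        AccountPassword = (ConvertTo-SecureString $initial -AsPlainText -Force)
        ChangePasswordAtLogon = $true; Enabled = $true
    }
    if ($Title) { $params.Title = $Title }
    New-ADUser @params

    # Home folder provisioning: create it and grant only the new user Modify, inherited.
    New-Item -ItemType Directory -Path $homeDir -Force | Out-Null
    icacls $homeDir /grant "${NetBios}\${sam}:(OI)(CI)M" | Out-Null

    # Group membership auto-provisioning from the department policy.
    foreach ($g in $Departments[$Department]) { Add-ADGroupMember -Identity $g -Members $sam }

    [pscustomobject]@{
        SamAccountName = $sam; UserPrincipalName = "$sam@$Domain"; Mail = "$alias@$Domain"
        HomeDirectory = $homeDir; Groups = $Departments[$Department]; InitialPassword = $initial
    }
}

New-GreenEmployee -GivenName 'John' -Surname 'Smith' -City 'NYC' -Department 'IT' -Title 'Systems Analyst'
```

The returned InitialPassword is the one thing that must leave this script by a controlled channel (handed to the new starter in person or through a password-reset portal), which is why the account is created with ChangePasswordAtLogon so the provisioning operator never keeps a working credential.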
Delegation of permissions use case
• Administrators assigned to a particular role have access only to the areas of AD, AD LDS and/or DNS allowed in that role. As administrators are added to or removed from these role templates, their access and responsibilities change dynamically, depending on which role they are assigned.
• Why does this matter? Natively, if you have admin rights to AD, AD LDS or DNS you have access to and visibility into everything. So from a low-level help desk associate through to a high-level architect, everyone has the same rights and privileges. The more people with total access, the greater the chance of human error or malicious intent.
Roles Based Delegation

[Diagram: a "Job Function / Roles / Access" matrix; only its labels survive extraction.]
Scopes: Active Directory (Domain Controllers; Computers; APAC; EMEA; North America; New York; Mexico City), AD LDS (ADAM Objects), DNS Servers (DNS Records)
Job functions: AD Architect; Sr. Administrator; OU Admins / Help Desk; Application / Data Owners; Exchange Admins; End user Self-Service
Roles: Full Control; Day-to-Day Admin; Service Desk; App/Data Owners; Mailbox Admin; Self-Service
Access: Create Users/Groups; Create Groups; Reset Passwords, Unlock Accounts; Change Group Membership; Create Mailbox, Move Mailbox; Update personal information; Request Changes
Role-based administration
• The domain administrator wants to give delegated administrator Arthur Smith full access control over a single OU, "Service accounts", and all child objects of this OU. The domain administrator does not want him to be able to see any other OU in the domain except this one.
• The domain administrator runs the Active Roles console.
• The domain administrator right-clicks the "Service accounts" OU in the domain tree and selects the "Delegate control" option.
Out of the box access templates
• Select the access template that will give delegated administrator the required level of access and nothing more
Example: Service accounts
• ASmith now has full control over the "Service accounts" OU, so he can perform his daily tasks (create service accounts, modify them, reset passwords and so on) within only this OU in the managed domain.
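To show what the two delegation cases above (full control for ASmith, and the "Reset Passwords, Unlock Accounts" help-desk access from the roles diagram) amount to in native Active Directory permissions, here is an added PowerShell example; it is not Active Roles code and not from the presentation. It writes ACEs on the OU with the ActiveDirectory module's AD: drive and looks up the schema and extended-right GUIDs at run time rather than hard-coding them. The OU and account names are the slide's; the help-desk group name and the Boston OU path are assumptions. It assumes the RSAT ActiveDirectory module and an account allowed to modify the OU's security descriptor.

```powershell
# Added example, not Active Roles code: native AD delegation of an OU using two
# templates, "FullControl" (the Service accounts case) and "HelpDesk" (reset password +
# unlock only). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$RootDse = Get-ADRootDSE

function Get-SchemaGuid {
    # schemaIDGUID of an attribute or class, used to scope an ACE to that attribute/class.
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

function Get-ExtendedRightGuid {
    # rightsGuid of a control access right such as "Reset Password".
    param([string]$DisplayName)
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
        -Filter "displayName -eq '$DisplayName'" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

function Add-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDN,
        [Parameter(Mandatory)][string]$Trustee,    # sAMAccountName of a user or, preferably, a group
        [Parameter(Mandatory)][ValidateSet('FullControl', 'HelpDesk')][string]$Template
    )
    $sid   = (Get-ADObject -Filter "sAMAccountName -eq '$Trustee'" -Properties objectSid).objectSid
    $acl   = Get-Acl -Path "AD:\$OuDN"
    $R     = [System.DirectoryServices.ActiveDirectoryRights]
    $Allow = [System.Security.AccessControl.AccessControlType]::Allow
    $All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    switch ($Template) {
        'FullControl' {
            # Everything on the OU itself and on all child objects.
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $R::GenericAll, $Allow, $All)))
        }
        'HelpDesk' {
            # Two ACEs, both limited to user objects below the OU: the "Reset Password"
            # control right, and read/write of lockoutTime (writing 0 unlocks the account).
            $userClass   = Get-SchemaGuid 'user'
            $resetPwd    = Get-ExtendedRightGuid 'Reset Password'
            $lockoutTime = Get-SchemaGuid 'lockoutTime'
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $R::ExtendedRight, $Allow, $resetPwd, $Desc, $userClass)))
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, ($R::ReadProperty -bor $R::WriteProperty), $Allow, $lockoutTime, $Desc, $userClass)))
        }
    }
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Get-OuDelegation {
    # Review step: list the ACEs a trustee actually holds on the OU after delegating.
    param([string]$OuDN, [string]$Trustee)
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference -like "*\$Trustee" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

$serviceOu = 'OU=Service accounts,DC=green,DC=com'
Add-OuDelegation -OuDN $serviceOu -Trustee 'ASmith' -Template FullControl
Add-OuDelegation -OuDN 'OU=Users,OU=Boston,DC=green,DC=com' -Trustee 'GG-HelpDesk' -Template HelpDesk   # assumed names
Get-OuDelegation -OuDN $serviceOu -Trustee 'ASmith' | Format-Table -AutoSize
```

Two points worth keeping in mind when comparing this with the slide. First, these ACEs govern what ASmith can change, not what he can see: by default Authenticated Users can read most of the directory, so the "cannot see any other OU" requirement is not something a single ACE on one OU delivers natively. Second, GenericAll over an OU of service accounts lets the delegate reset those accounts' passwords and therefore act as any of them; delegating to a group rather than a named user, and preferring a narrow template like the help-desk one where the task allows, keeps that blast radius reviewable.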
Rule-based administrative views
• The domain administrator wants to create a Managed Unit that includes the groups containing employees from Boston and NYC, without changing the directory structure.
• The domain administrator then delegates permissions to ASmith for managing those groups.
Escalation and approval with change workflow use case
• Decision points in an automated workflow are used to obtain authorization from a person before the workflow continues.
• The possible decisions at these points are approval, rejection, escalation and delegation.
Approval workflow
• Junior administrator Stefan Ellis needs to add a new employee, John Smith, to the "Information services" group. The manager of this group, Lee Parker, must approve this operation. If he is not sure whether the new user should be a member of this group, he escalates the request to chief administrator James Miller.
• You can browse for the ready-made workflow or configure it from scratch
• Go to Configuration -> Policies -> Workflow -> Demo -> Information services group demo
Recover: Be ready, because it's not if, it's when.
• Avoid data loss and maintain business continuity with recovery solutions for Active Directory, including full forest backups for disaster recovery.
• Facilitate efficient searches and fast recovery of lost data, from a single object to an entire forest.
• Keep downtime to a minimum and productivity maximized, even in a disaster.
Backup/Recovery Comparison (1)

Columns compared: Windows 2003, Windows 2008, Windows 2008 R2/2012, Recovery Manager for Active Directory

Capabilities compared:
• Backup remotely
• Determine what objects have changed/been deleted
• Undelete objects
• Undelete objects from graphical interface
• Online object restore including all attributes
• Online object restore without scripting
• Delegate data restore tasks at the container level
• Roll-back changes to objects
• Online restore of Group Policy Objects
• Restore dozens of deleted objects in under 10 minutes
• Centralized administration of backup/recovery
• Automated domain/forest recovery (2)
• Creation of virtual lab with production data

(1) For a full comparison, please refer to "FAQ: Windows Server 2012 Recycle Bin and Recovery Manager for AD".
(2) Domain and forest recovery require Recovery Manager for Active Directory Forest Edition.
A foundation for full IAM

Dell One Identity

Privilege Management: Understand and control administrator activity
• Enterprise privilege safe
• Least-privilege access
• Session management and keystroke logging
• Active Directory bridge
• Enforce separation of duties (SoD)

Access Management: Convenient, secure and compliant access
• Web access management
• Single sign-on and federation
• Directory and identity consolidation, migration and management
• Strong authentication
• Password management

Identity Governance: Complete, business-driven governance
• Access governance
• Data governance
• Privileged account governance
• Business-enabled access request and fulfillment
• Attestation and recertification
• Role engineering
• Automated enterprise provisioning
• Identity unification and process orchestration
Extend: Bring in other platforms
• Extend the unified authentication and authorization of Microsoft Active Directory to Unix, Linux and Mac systems
• Remove the stand-alone authentication and authorization requirement of native Unix in favor of a single identity, one account and a single point of management
Unix management
• Privileged Access Suite for Unix
  – Management Console for Unix
  – AD Bridge
  – Unix Delegation (Replace Sudo / Enhance Sudo)
AD Bridge
• Centralized authentication
  − Authenticate through AD Kerberos
  − Consolidate identities and directories
  − Eliminate non-secure authentication methods
• Extend AD Kerberos single sign-on
  − Unix, Linux and Mac
  − Standards-based applications
  − Achieve single sign-on for SAP
• Configuration and administration
  − Migrate and manage NIS data
  − Leverage Group Policy for Unix, Linux and Mac
  − Enhance password security
    • Extend AD password policies
    • Eliminate redundant, inconsistent and non-secure passwords
    • Extend AD-based self-service password reset capabilities
Unix delegation
• Enhance sudo
  − Central administration and management
  − Centralized access reporting
  − No new training required
  − No need to update scripts and applications
• Replace sudo
  − Central administration and management
  − Centralized access reporting
  − Advanced capabilities
    • Restricted shells
    • Restricts remote host command execution
    • Removes shell escapes (breaking out of an allowed command into a shell)
Repeat: Stay nimble
• Implement a solid suite of solutions to ensure your infrastructure stays nimble and can meet the ever-changing demands of the business and of technology