How to avoid 10 common Active Directory mistakes

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Managing user privileges in a Windows setting presents numerous challenges for admins tasked with keeping everyone’s information safe and secure. Serious damage can be accomplished by those with elevated privileges that have bad intentions, but sometimes vulnerabilities are introduced by IT admins managing Active Directory (AD). Below are 10 common mistakes:

1. Everyday accounts with elevated credentials. Most security savvy organizations avoid this mistake by giving users with elevated privileges, such as a domain admin, a normal account to log onto their machine and a privileged, or, what many refer to as a .adm account, for elevated access. The reason for the separation is to avoid security breaches such as a spear phishing attack while logged into the account with elevated credentials.

2. Turning off Object Protections. Have you ever been working on something, hit the delete key, and realize just how big a mistake you were about to make if it weren’t for the confirmation asking if you were sure you wanted to delete?  This is usually followed by the moving of your mouse to the cancel button with brain surgeon like precision.  A better option would be to never turn off object protection.

3. No consistent way to deal with obsolete accounts. Have you ever seen an Active Directory with significantly more user accounts than actual users in the organization?  This is often a telltale sign of an organization without a good policy for dealing with obsolete accounts. Enabled accounts that aren’t actively being used are one of biggest security threats in any organization. Develop a plan to disable and ultimately delete obsolete accounts.

4. Putting all your eggs in the hands of the brilliant scripter. A mistake many organizations make when it comes to mission critical scripting is having all their eggs in the basket of a single scripter who is the only one that can make them all work.  You need to make sure at least two people understand, have access to, and can create and modify any scripts running in your environment.  This prevents the single point of failure in case the person who created the script leaves your organization.

5. Putting users in domain admins. When in doubt, delegate rights. Despite the level of flexibility provided for delegation in Active Directory, it’s been 14 years since Windows NT people still added users to domain admins in lieu of doing proper delegation. Ignoring the concept of least privilege is a major security issue.

6. Poor Active Directory Design. I once heard of an organization that structured its Active Directory design based on the alphabet.  There were 26 top level OUs, one for each letter.  Under each top level OU were functional OU’s like Sales, Marketing, Development, etc., each replicated 26 times. Needless to say, provisioning and de-provisioning of user accounts, group policy management, and permissions management was a nightmare to support.  Shortcuts were taken, and most users had too many rights.

7. Refusing to extend Schema under any circumstance. Any good Active Directory administrator will tell you that extending the schema in your AD is not a decision that should be made lightly.  Once your role out a schema extension there is no native way to role it back.  This is not to say there is never a good time to extend schema.  Weigh the pros and cons of addressing your business critical issues with a solution that extends vs. one that does not.  If the best decision is to extend schema, do so with caution.  Even though you cannot delete the extensions once deployed, they can be deactivated and rendered inert.

8. Poor backup/recovery plans. If someone deletes 10,000 directory objects today, how quickly can you recover? If an automated feed from HR improperly modifies the telephone number on thousands of users, how do you recover? Planning and testing recovery options are a must for all organizations to quickly recover from mistakes. Figuring out how to recover after an automated feed or user error puts you behind the eight ball and impacts downtime.

9. To slow to modernize. Not many companies want to be on the bleeding edge of any software rollout; however, being four to five major versions behind is the other extreme. When the trigger to upgrade is EOL on support, you’ve missed out on many advances in technology that you couldn’t capitalize on because of the age of your infrastructure. You don’t need to run the latest version of AD days after it is released; however, using extremely dated versions presents numerous challenges.  Put together a modernization plan for your Active Directory domain controllers to stay closer to the latest code stream without living constantly on the upgrade treadmill.

10. Shared Administrative Accounts.  I once worked with an organization that failed an audit because too many users belonged to the domain administrators group.  To resolve this issue, the company removed all users from domain admins and added back only two accounts.The problem was that everyone who used to have domain admin accounts received account logon information for the two new domain admins.

This company didn’t actually decrease the number of people with elevated privileges, but, removed a layer of security and accountability by allowing users to share privileged accounts. In other words, there is no accountability when numerous people share credentials to an account.

BeyondTrust’s company focus: BeyondTrust empowers organizations by delivering Privileged Account Management and Vulnerability Management solutions that reduce IT security risks and simplify compliance reporting across heterogeneous IT environments.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2014 IDG Communications, Inc.