Active Directory: 10 Best Practices to Improve Security and Performance

Some may think that Active Directory and Azure Active Directory take care of themselves.

It is true that Microsoft Active Directory (AD) and Azure AD on their own impose structure and standards for managing and storing corporate identity and account data. But the management capabilities that ship natively with AD and Azure AD are limited.

When you know that AD is the primary target of attacks (95% according to a Cyber Risk Alliance study published this year), you need to establish good practices to keep your company from being paralyzed by ransomware.

Here are 10 of them to help keep your Microsoft AD and Azure AD user account data in order and avoid mishaps.

One of the most effective ways to keep your AD and Azure AD environment organized and secure is to review user accounts regularly. Reviewing account properties ahead of an audit quickly surfaces many problem areas that can then be corrected, including identifying and filtering out non-compliant user accounts.

Another Active Directory best practice is to tie every account (including accounts created for services and applications) to a real person. Start with the accounts created for people (end users, contractors, administrators, and so on) and link each of them to that person's record in the HR system, for example by storing the HR identifier in the account's employeeID attribute.

Why? So that an employee's network access can be tied to their status and role within the organization. When an employee's role changes, their account is easy to find and its status and rights can be adjusted accordingly.

If too many people in the IT department are allowed to create accounts, unnecessary accounts inevitably accumulate. Attackers exploit this: one of their favourite techniques is to create accounts of this kind, which blend in with the clutter, to hide their activity and multiply their entry points into the environment.

The only way to prevent this is to monitor every account creation: identify who created the account, determine whether that person still works for the company, and establish why the account was created and whether it is still required. Monitoring new accounts limits how long an attacker-created account can survive unnoticed.

Automating account creation ensures that new accounts meet the standards, since the process removes most of the room for human error. Creating an account usually includes the following steps:

> create the account in AD;

> define the identity attributes (job title, phone numbers, etc.);

> create the account's mailbox in Microsoft Exchange / Office 365;

> add the account to the groups appropriate for the user's role;

> register the AD account in other applications, if applicable.
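The following PowerShell function is an added example, not code from the article or from any vendor, that runs the steps above as one pipeline so every account comes out the same way and carries the HR link and the name of its creator. The OU path, UPN suffix, group names, naming convention and Exchange step are assumptions; it requires the RSAT ActiveDirectory module, and the mailbox step is only shown in a comment because it needs the Exchange management tools.

```powershell
Import-Module ActiveDirectory

# Hypothetical mapping from job role to the AD groups that role needs.
# Membership is derived from the role, never chosen ad hoc by the requester.
$RoleGroups = @{
    'Accountant' = @('GG-Finance-Users', 'GG-ERP-ReadOnly')
    'HelpDesk'   = @('GG-HelpDesk', 'GG-Tier1-Admins')
}

function New-StandardUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$EmployeeID,   # key of the person's HR record
        [Parameter(Mandatory)][string]$Title,
        [Parameter(Mandatory)][string]$Role,
        [string]$OfficePhone,
        [string]$OU        = 'OU=Users,OU=Corp,DC=corp,DC=example',  # assumed
        [string]$UpnSuffix = 'corp.example'                          # assumed
    )

    # Naming convention (assumed): first initial + surname, lowercase ASCII.
    $sam = ($GivenName.Substring(0, 1) + $Surname).ToLower() -replace '[^a-z0-9]', ''
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName limit

    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        throw "Account $sam already exists; resolve the collision manually"
    }
    if (-not $RoleGroups.ContainsKey($Role)) {
        throw "Unknown role '$Role'; refusing to create an account with no group mapping"
    }

    # One-time random password; the user must change it at first logon.
    $plain = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
    $initialPassword = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # Step 1: create the account, disabled until the rest of the pipeline succeeds.
    New-ADUser -Name "$GivenName $Surname" -SamAccountName $sam `
        -UserPrincipalName "$sam@$UpnSuffix" -GivenName $GivenName -Surname $Surname `
        -Path $OU -AccountPassword $initialPassword -Enabled $false -ChangePasswordAtLogon $true

    # Step 2: identity attributes, the HR link, and who created the account
    # (so every creation is traceable to a person, as the text recommends).
    $attrs = @{
        Identity    = $sam
        EmployeeID  = $EmployeeID
        Title       = $Title
        Description = "Created $(Get-Date -Format yyyy-MM-dd) by $env:USERNAME; HR id $EmployeeID"
    }
    if ($OfficePhone) { $attrs['OfficePhone'] = $OfficePhone }
    Set-ADUser @attrs

    # Step 3: mailbox. Exchange on-premises cmdlet, shown for completeness only:
    #   Enable-Mailbox -Identity $sam
    # Hybrid / Exchange Online:
    #   Enable-RemoteMailbox -Identity $sam -RemoteRoutingAddress "$sam@tenant.mail.onmicrosoft.com"

    # Step 4: role-based group membership.
    foreach ($group in $RoleGroups[$Role]) {
        Add-ADGroupMember -Identity $group -Members $sam
    }

    # Step 5: registration in other applications would go here (assumed hook).

    Enable-ADAccount -Identity $sam
    Get-ADUser -Identity $sam -Properties EmployeeID, Title, Description, MemberOf
}

# Usage (hypothetical employee):
# New-StandardUser -GivenName 'Jane' -Surname 'Doe' -EmployeeID 'HR-10482' -Title 'Accountant' -Role 'Accountant'
```

Creating the account disabled and enabling it only at the end means a failure halfway (a group that does not exist, an Exchange error) never leaves an enabled, half-configured account behind; the Description and EmployeeID fields are what a later review or the inactive-account cleanup will key on.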

Another major security risk for organizations that rely only on the native AD management tools is ghost or orphaned user accounts: such organizations often fail to disable accounts, or to revoke their rights, when users leave the company.

Searching for accounts with no recent logon is not enough to manage them. In particular, if the departed user (or anyone holding their credentials) can still reach the network, the account keeps logging on and never shows up as inactive.

Several management approaches that cover the full AD account lifecycle, from creation to deprovisioning, eliminate this issue. If your company's HR application includes a workflow engine, you can automatically e-mail administrators when a user is terminated, changes role or is reassigned to another manager.

If the same applications can schedule the delivery of reports, it is useful to schedule a daily report of contract terminations and position changes.

The lastLogonTimestamp attribute makes dealing with inactive accounts relatively easy. Unlike lastLogon, which each domain controller keeps locally, lastLogonTimestamp is replicated between domain controllers, so any one of them can be queried for a user's last logon time. It is only refreshed when the stored value is older than about two weeks (14 days by default, minus a random offset), so it is accurate to within roughly 14 days, which is enough to identify inactive users.
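The script below is an added example, not from the article, of the inactive-account sweep the last three paragraphs describe: it reads the replicated lastLogonTimestamp, leaves the two-week margin the attribute's refresh interval imposes, confirms candidates against the non-replicated lastLogon on every domain controller, and then disables (rather than deletes) the account with a note saying why. The 90-day threshold and the disable-first policy are assumptions; it requires the RSAT ActiveDirectory module and runs as a dry run until the -WhatIf switches are removed.

```powershell
Import-Module ActiveDirectory

$InactiveDays = 90                                   # assumed policy
$Threshold    = (Get-Date).AddDays(-$InactiveDays)

function Get-StaleUsers {
    # lastLogonTimestamp is replicated, so one DC suffices, but it is only
    # refreshed when the stored value is older than msDS-LogonTimeSyncInterval
    # (14 days by default, minus a random offset): allow a two-week margin so a
    # user who logged on 13 days ago is not reported as stale.
    $margin = $Threshold.AddDays(-14)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
        ForEach-Object {
            $last = $null
            if ($_.lastLogonTimestamp) { $last = [DateTime]::FromFileTime($_.lastLogonTimestamp) }
            $status = 'Active'
            if (-not $last)             { $status = 'NeverLoggedOn' }
            elseif ($last -lt $margin)  { $status = 'Stale' }
            [PSCustomObject]@{
                SamAccountName = $_.SamAccountName
                LastLogon      = $last
                WhenCreated    = $_.whenCreated
                Status         = $status
            }
        } |
        # A brand-new account has no timestamp yet: give it the same grace period.
        Where-Object { $_.Status -ne 'Active' -and $_.WhenCreated -lt $Threshold }
}

function Get-PreciseLastLogon {
    # lastLogon is NOT replicated: ask every DC and keep the most recent value.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $latest = 0L
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
            if ($u.lastLogon -gt $latest) { $latest = $u.lastLogon }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }
    if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
}

# Disable, never delete straight away: deleting loses the SID, group
# memberships and mailbox that an investigation or a rehire may need.
foreach ($user in Get-StaleUsers) {
    $precise = Get-PreciseLastLogon -SamAccountName $user.SamAccountName
    if ($precise -and $precise -ge $Threshold) { continue }   # some DC saw a recent logon
    $since = if ($precise) { $precise.ToString('yyyy-MM-dd') } else { 'never' }
    Disable-ADAccount -Identity $user.SamAccountName -WhatIf
    Set-ADUser -Identity $user.SamAccountName -WhatIf `
        -Description "Disabled $(Get-Date -Format yyyy-MM-dd) by inactivity sweep: no logon since $since"
}

# The quick equivalent of Get-StaleUsers, without the per-DC confirmation:
#   Search-ADAccount -AccountInactive -TimeSpan "$InactiveDays.00:00:00" -UsersOnly
```

The per-DC pass matters because a departed user's account that is still used from one site (the case the text warns about) will show a recent lastLogon on that site's domain controller only; the sweep then leaves the account alone and it is the HR-driven termination workflow, not inactivity, that has to catch it.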

Not every account corresponds directly to a person. For example, many organizations are adopting robotic process automation (RPA) to handle repetitive and time-consuming tasks. The accounts behind such processes often hold privileged access to servers and data, and they should never be allowed to log on interactively.

Denying interactive logon (typically through the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights in Group Policy) prevents administrators who know the account's password from logging on under it and acting without individual accountability. Where the service supports it, a group Managed Service Account goes one step further: AD manages the password itself and no human ever knows it.
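Since a deny-logon policy can be misapplied or bypassed by an account that was never classified as a service account, the detection side matters too. The script below is an added example, not from the article: it builds the list of service accounts (AD users carrying a servicePrincipalName, or living in an assumed Service Accounts OU) and then scans a server's Security log for 4624 logon events of type 2 (console), 10 (Remote Desktop) or 11 (cached interactive) for those names. It needs the RSAT ActiveDirectory module and read access to the target server's Security log; run it against each member server or point it at a collector.

```powershell
Import-Module ActiveDirectory

$ServiceOU = 'OU=Service Accounts,DC=corp,DC=example'   # assumed OU path

function Get-ServiceAccountNames {
    # Two signals, either is enough: an SPN (Kerberos service identity) or
    # placement in the dedicated OU. Returned as sAMAccountNames, which is
    # what 4624's TargetUserName field contains.
    $bySpn = Get-ADUser -Filter 'servicePrincipalName -like "*"' |
        Select-Object -ExpandProperty SamAccountName
    $byOu  = Get-ADUser -Filter * -SearchBase $ServiceOU |
        Select-Object -ExpandProperty SamAccountName
    @($bySpn) + @($byOu) | Sort-Object -Unique
}

function Find-InteractiveServiceLogons {
    param(
        [Parameter(Mandatory)][string[]]$ServiceAccounts,
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    # 2 = console, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
    # Type 3 (network), 4 (batch) and 5 (service) are what a service account
    # should legitimately produce and are deliberately not flagged.
    $interactiveTypes = @('2', '10', '11')

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue   # "no events found" is reported as an error

    foreach ($e in $events) {
        # The interesting fields live in EventData; pull them out by name.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if (($interactiveTypes -contains $data['LogonType']) -and
            ($ServiceAccounts -contains $data['TargetUserName'])) {
            [PSCustomObject]@{
                Time        = $e.TimeCreated
                Account     = $data['TargetUserName']
                LogonType   = $data['LogonType']
                Workstation = $data['WorkstationName']
                SourceIP    = $data['IpAddress']
                Server      = $ComputerName
            }
        }
    }
}

# Usage: one server, last 24 hours.
Find-InteractiveServiceLogons -ServiceAccounts (Get-ServiceAccountNames) | Format-Table -AutoSize
```

A hit here is either a gap in the deny-logon policy or an administrator using a shared service password as their own, which is exactly the loss of accountability the text describes; the SourceIP and Workstation fields are what let you find out which.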

There are legitimate exceptions to user account standards. For example, an application might require a user account with a specific name that violates the normal naming convention.

In that case you need a way to document legitimate, approved exceptions. The best approach is to create an organizational unit named Exceptions, or to flag exception accounts in the Description or Notes field. Classifying an account as an exception is not enough on its own, though: the account's purpose and owner must also be documented.
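The review pass recommended at the start of the list is where these rules get enforced. The script below is an added example, not from the article: it checks every enabled user against the standards discussed so far (naming convention, HR link, a recorded manager, no never-expiring passwords) and, for accounts in the Exceptions OU, insists that purpose and owner are actually written down. The naming pattern, the Exceptions OU path, the required Description format and the use of employeeID as the HR link are assumptions; it requires the RSAT ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

$NamingPattern = '^[a-z][a-z0-9]{1,19}$'                     # assumed convention
$ExceptionsOU  = 'OU=Exceptions,DC=corp,DC=example'           # assumed OU
$ExceptionDesc = '^Exception:\s*purpose=\S.*;\s*owner=\S'      # assumed format

function Test-AccountCompliance {
    # $User is an ADUser fetched with the properties listed in Invoke-AccountReview.
    param([Parameter(Mandatory)]$User)
    $findings = @()
    $isException = $User.DistinguishedName -like "*,$ExceptionsOU"

    if ($isException) {
        # Being in the OU is not enough: purpose and owner must be documented.
        if ($User.Description -notmatch $ExceptionDesc) {
            $findings += 'Exception account without documented purpose and owner'
        }
    } else {
        if ($User.SamAccountName -cnotmatch $NamingPattern) { $findings += 'Name violates convention' }
        if (-not $User.EmployeeID)                          { $findings += 'No HR record link (employeeID empty)' }
        if (-not $User.Manager)                             { $findings += 'No manager recorded' }
        if ($User.PasswordNeverExpires)                     { $findings += 'PasswordNeverExpires set outside Exceptions OU' }
    }

    # Service accounts (SPN present) must still name a responsible person.
    if ($User.servicePrincipalName.Count -gt 0 -and $User.Description -notmatch 'owner=') {
        $findings += 'Service account without a named owner in Description'
    }

    [PSCustomObject]@{
        SamAccountName = $User.SamAccountName
        Exception      = $isException
        Findings       = $findings -join '; '
    }
}

function Invoke-AccountReview {
    $props = @('Description', 'EmployeeID', 'Manager', 'PasswordNeverExpires', 'servicePrincipalName')
    Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
        ForEach-Object { Test-AccountCompliance -User $_ } |
        Where-Object { $_.Findings }          # only accounts with at least one finding
}

# Usage: produce a dated CSV for the audit file.
Invoke-AccountReview | Export-Csv -Path "AD-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Running this on a schedule, and keeping the CSVs, gives the evidence trail the text says plain e-mail cannot provide: each review shows which accounts were non-compliant, and the next one shows whether they were fixed.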

One of the reasons AD environments become cluttered is that too many people are allowed to create user accounts. To keep AD secure and compliant, only a few properly trained individuals should be authorized to create accounts.

Many organizations rely on plain e-mail to process requests for new accounts, job changes and the like. This makes it hard to enforce account management standards or to demonstrate compliance. Even if the process will never be fully automated, workflow tools are a definite improvement over e-mail alone.

It bears repeating: AD is the nerve center of the information system. It is essential to focus your efforts there, because without these good practices, even with hardened security elsewhere, you remain vulnerable to attack.
