Addressing IAM Challenges and Cleaning up AD
Updated: Jan 15
Current Identity and Access Management (IAM) processes have become complex and convoluted making it challenging to protect customer, partner, and employee identities. As a trusted cloud security partner to the area’s enterprise companies, we are spending a good deal of time helping to improve Identity and Access Management foundational processes and tools. Current IAM challenges fall into 4 major areas: operational implementation, process risk and efficiency, privileged access management and Active Directory hygiene. In this blog we will review recommendations for addressing these challenges and dive deeper into where to start with your Active Directory cleanup. Read on to review:
High-Level IAM Challenges and Recommendations
Active Directory Cleanup Checklist and Recommendations
How To Build A Strong IAM Program
ENTERPRISE IAM CHALLENGES AND RECOMMENDATIONS
Operational Implementation – This refers to the advancement of the organizational entity that is accountable for IAM. Currently, companies are dealing with a lack of quantitative program management and have a need for a global tools strategy.
Hybrid Pathways recommends auditing and updating of IAM staffing, governance, and documentation, as well as rationalizing IAM tools.
Process Risk and Efficiency – This is the opportunity to apply processes and tools to optimize workflow and introduce greater automation. Higher efficiency yields cost savings over time, with risk reduction through a reduced attack surface and improved configurability. There are several opportunities for process improvements that will benefit enterprises today, and most require coordination with other groups. Currently, companies have immature and manual processes that are causing a lot of friction in the user experience.
Hybrid Pathways recommends reviewing and updating process enablers such as RACI, service levels, asset ownership, and entitlement reviews. In addition, the enhancement of processes related to ticketing, demand management, knowledge management, reconciliation feeds, and self-service capabilities will smooth out the process and improve efficiency. By automating dashboards for easier tracking and management, issues can be identified and resolved more quickly.
Privileged Access Management (PAM) - This is the protection of identities and accounts used for privileged use cases such as the administration of servers containing sensitive information or performing critical functions. Improvements to privileged access management are needed to decrease vulnerability to emerging threats.
Hybrid Pathways recommends upgrading and/or implementing of both a privileged access management tool and privileged identity management (PIM) tool.
Active Directory (AD) – This includes the design and implementation of Microsoft Active Directory serving companies globally. Companies often have disparate AD forests, domains, and organizational units (OU) in multiple geographies. There may be an excessive number of OUs, making ongoing management and operational support difficult. Domain controllers are frequently running on an end-of-life operating system, incurring costs for extended support. Underlying server infrastructure builds are not always consistent between servers and may not be based on industry hardening standards (e.g., CIS Benchmarks) or AD best practices.
Hybrid Pathways recommends Active Directory intra-domain cleanup, an infrastructure upgrade, followed by inter-domain cleanup and forest and domain consolidation.
ACTIVE DIRECTORY CLEANUP – WHERE TO START?
Many companies need to get their on-premise Microsoft Active Directory (AD) under control. Knowing where to start can be a challenge. Following is a short guide to help you prioritize the steps that will provide immediate benefits, increasing the security and manageability of your AD implementation.
Checklist for Reviewing and Updating AD Policies and Standards
Depending on the nature of your business and the maturity of your organization, your identity and access management policies and standards may vary, but the following principles are a good starting point:
Account Inactivity Policy: If an account is not used for a specified period of time, it should be disabled and subsequently deleted. Consider a 90-day rule, but no more than 180 days.
Password Length & Complexity: Passwords should be at least 12 characters in length, with a combination of upper and lower-case letters, numbers, and special characters.
Standard Account Naming Convention: Ensure that usernames are consistent, for example john.smith, or jsmith. Consider appending a random number to help manage duplicate names and make user email addresses harder for spammers to guess, for example email@example.com.
Privileged Account Naming Convention: Use special names for non-standard accounts, for example local admin, domain admin, and enterprise admin might begin with an identifier such as “a”; a local administrator account would be a.jsmith3468.
Just-In-Time Administration: As an alternative to privileged user accounts, consider just-in-time (JIT) administration via Active Directory customization or equivalent privileged access management system, which grants users temporary permissions to perform privileged tasks, thereby preventing malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. Combine JIT with the fine-grained controls provided in AD’s Just Enough Administration (JEA) to apply the principle of least privilege.
Limit Standard Account Authority: Standard accounts should never be given administrative privileges, either individually or a part of a privileged group.
Organization Unit (OU) and AD Group Naming Convention: OUs and groups should have a clear purpose and be named accordingly. Remember that OUs are an organizational construct and could be applied departmentally or geographically within the company. Groups are a security construct and should be used for granting permission to access resources.
Patching Policy for AD Infrastructure: Ensure that your patching policy specifically includes the Active Directory infrastructure (i.e., Domain Controllers), and ensure that reports are provided to IT and InfoSec management at least monthly.
Immediate Actions to Improve Your AD Implementation
Here are some tactical actions that can be taken to reduce the attack surface of your Active Directory implementation:
Disable any active accounts belonging to users no longer with the company. This should be accomplished in two steps:
1) Disable the inactive account by moving it to a “Disable” OU. Change the password to a long string of random characters.
2) After 30 days, which allows the account to be re-enabled if it is disabled in error, delete the account.
Disable the Guest account on all computers.
Disable the built-in local Administrator account, rename it to something less guessable, and store the password securely. Use a privileged access management vault if available.
Disable SMB Version 1 to reduce the possibility of compromise by ransomware that spreads by exploiting vulnerabilities in this older file-sharing protocol.
Next Steps in AD Cleanup
Once basic tactical actions have been completed, continue cleanup steps that require more effort or the use of other tools.
Consider moving toward Microsoft Azure AD to manage access to Office 365 and SaaS applications, as directory service trends toward the cloud. Azure AD is a “flat” structure by nature; there are no OUs or forests. Consolidating an existing on-premises AD into a single forest will make any future migration to Azure AD much easier.
Windows 10 devices, such as user workstations, can be joined directly to Azure AD. There is no group policy in Azure AD, but Microsoft Intune, a mobile device management (MDM) tool, can be used to provide fine-grained administrative control.
Most enterprises will continue to use Active Directory to manage conventional on-premises infrastructure and applications.
Scan your Active Directory infrastructure for vulnerabilities using a commercially available scanning tool. Establish a regular cadence for scanning, reporting, and remediation.
Identify and disable inactive accounts, moving them to the “Disable” OU and then deleting after 30 days. Inactive accounts can be found using PowerShell, Windows Remote Server Administration Tools (RSAT), or other commercially available AD reporting tools. If there are many accounts that need follow-up, consider creating a “Followup” OU to facilitate prioritization.
Identify accounts that were created over 30 days ago but have never been used. Contact account owners and ensure that the accounts are legitimate and are still required. Disable and then delete unneeded accounts.
Lock down service accounts, ensuring least privilege required to perform its role. Also consider:
1) Disabling interactive logon – A user cannot log in to the account from a console
2) Disabling local admin accounts
3) Establishing a time-based login window – For example, if a service account runs a process at 1:00am each day, the login could be restricted to between 12:00am and 2:00am.
Inspect and remove (as far as practical) groups with no active users, or groups with only one active user.
New Tooling and Processes to Support AD Going Forward
Consider projects to bring in new tooling and processes as needed to support a healthy Active Directory going forward.
Automate cleanup tasks such as entitlement reviews and disabling accounts.
Invest in a password auditing tool to ensure user passwords meet complexity requirements. Schedule scanning to ensure ongoing compliance with password policy.
Secure the Windows build password with Microsoft’s Local Administrator Password Solution (LAPS).
Establish a standard build for domain controllers, hardened to a standard such as the Center for Internet Security (CIS) benchmarks. Consider Windows Server Core in order to reduce the attack surface.
Coordinate with HR to establish a process to check and adjust employee access after every job role change.
Implement bastion hosts (also known as “jump servers”) to help facilitate secure administrative access to Active Directory resources.
BUILDING A STRONG IAM PROGRAM
The activities around operational implementation, process risk and efficiency, privileged access management, and Active Directory hygiene are important today as companies refine the foundational security elements for effective IAM. Other foundational elements to a strong IAM program include:
Top-down management commitment to security (your security programs are funded)
Solutions are architected with security “baked in", not "bolted on” – teams are using secure practices as part of the daily development process
Programs are properly resourced and staffed. Adequate staffing is based on a documented operational model, RACI.
There is clear understanding of what needs to be protected, including vital systems, location of all sensitive data, and current privileged users
There is a focus on hygiene and applying the principle of least privilege
For planning and budgeting purposes, Hybrid Pathways recommends reviewing current maturity levels and developing multi-year roadmaps in the context of the company’s business drivers and goals, for example:
Continuous improvement of the user / customer experience
Gaining cost savings over time through better process efficiency
Realizing maximum value from tools investment
Future-proofing the IAM architecture
Keeping up with and surpassing competitors’ capabilities
Ensuring readiness to adjust to a dynamic threat landscape
Maturing IAM Capabilities
When assessing IAM capability maturity, one way to look at the capabilities is based on Control Categories defined by COSO (The Committee of Sponsoring Organizations of the Treadway Commission). www.coso.org/aboutus.htm. Companies are looking to mature IAM capabilities to a point where they are well defined and understood and can be measured and controlled using quantitative techniques. Today’s IAM maturity is falling between levels 2-3 depending on the capabilities. Some capabilities have become more repeatable but are not yet proactive at a company level. Companies will begin to see more efficiency gains as they evolve their maturity to levels 3-4.
The investment in mature IAM capabilities is returned to the business as reduced risk, improved user experience, better process efficiency, and reduced technology debt.
The following table illustrates a typical IAM maturity and the benefits of investing in IAM activities. Currently companies have more mature risk assessment and control and monitoring activities. The categories of IAM program development that are the least mature are the establishment of a control environment and information and communications.
By focusing on improving maturity in activities related to the control environment, companies can expect strong upside in process efficiency and tools & technology, as well as positive improvements in risk reduction and user experience. Improvements in information and communication also has strong benefit in process efficiency, user experience and tools & technology. Moving the needle on Control Activities has a positive impact on improving the user experience, streamlining processes, and tools and technology.
Companies’ multi-year IAM plans include updating these foundational capabilities and improving their overall maturity.
The following example shows the 3-year priorities:
Identity Access Management will continue to grow in scope and scale. New technologies such as biometrics and blockchain may provide helpful solutions for some companies while IoT could put even more devices on the networks. With the continued expansion of cloud services, users will be looking for easier and improved experience with single sign-on. Getting the foundations in place and doing a solid job of the daily foundational activities will help ensure the security of your data and the satisfaction of your users.
To learn more about what peer companies are doing, or how you can improve your IAM processes, contact your Hybrid Pathways partner.