Active Directory security is always a sore point for IT admins, yet it is something they deal with on a day-to-day basis. The same approach used to restrict Exchange access and limit what can be done in the Exchange admin center can be applied to Active Directory. Active Directory and Exchange work together: if one is compromised, the other generally is too.
How often do you review your firewall rules to see what access is granted? Do you leave every port open to your Active Directory servers, or do you limit them to port 636 for secure LDAP (LDAPS)? Are your Active Directory servers exposed to internet threats, meaning that you can reach them by Remote Desktop on a public IP, or open the Active Directory snap-in on a machine and connect remotely? Either way, you need to look at securing your environment.
It is important to put something in front of the Active Directory environment, such as a SonicWall or F5 appliance, and only allow DNS (port 53) or secure LDAP (port 636). This is just the tip of the iceberg. Once you have fixed the access, the next step is to generate a report, or reports, so that you know what is going on in your environment.
Before we look at the number of domain admins, a few questions need immediate attention. Do you still use the default Administrator account in Active Directory, or has that account been disabled, given a very strong password and renamed to frustrate brute-force attacks? How many domain admins do you have? Are there Enterprise Admins and Schema Admins as well? If so, why? Nobody needs that level of rights permanently, unless they are performing an installation such as the schema extension for an Exchange installation.
The more domain admins you have, the greater your risk. You might have a domain admin who uses his or her machine to download torrents, which are generally riddled with malware and viruses. Also, did you know that you can enable two-factor authentication on a domain controller, so that when a user logs in they must pass that extra layer of security?
Do you allow non-admin users to log in to Active Directory servers and perform functions? If so, your risk is widespread: anyone can make a change or cripple your environment, and malware works the same way.
Auditing is the next thing. Do you know who or what is trying to brute-force user or admin accounts? Have you enabled advanced auditing to see what is going on? Do you know how many Organizational Units (OUs) you have and what is in them? If you don't, you could have objects anywhere in Active Directory bypassing security because no group policies apply to them.
The next question to ask is how often your passwords expire. This is a tricky topic: some believe a very strong password should be set and never changed, while others believe it needs to be changed every 30 days.
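The questions above (is the built-in Administrator still in use, how many Domain, Enterprise and Schema Admins exist) can be answered with a read-only script before any third-party tool is involved. The following is an added example written for this article, not code from the author or from Ossisto365. It assumes the RSAT ActiveDirectory PowerShell module and ordinary read access to the domain; the built-in account is located by its well-known RID 500, so a rename does not hide it.

```powershell
# Added example (not from the article or Ossisto365): privileged-group and built-in Administrator audit.
# Assumes the RSAT ActiveDirectory module and read access to the domain; nothing here writes to AD.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# The built-in Administrator account always has RID 500, whatever it has been renamed to.
$builtinAdmin = Get-ADUser -Identity "$domainSid-500" -Properties Enabled, PasswordLastSet, LastLogonDate
[pscustomobject]@{
    BuiltinAdminName = $builtinAdmin.SamAccountName
    Renamed          = ($builtinAdmin.SamAccountName -ne 'Administrator')
    Enabled          = $builtinAdmin.Enabled
    PasswordLastSet  = $builtinAdmin.PasswordLastSet
    LastLogonDate    = $builtinAdmin.LastLogonDate
} | Format-List

# Enumerate the three high-privilege groups, resolving nested group membership.
# Enterprise Admins and Schema Admins exist only in the forest root domain, hence the try/catch
# for child domains.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$report = foreach ($g in $privilegedGroups) {
    try {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not read group '$g' in $($domain.DNSRoot): $_"
        continue
    }
    foreach ($m in $members) {
        if ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $g
                Member          = $u.SamAccountName
                Type            = 'user'
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
            }
        } else {
            # Computers or managed service accounts in an admin group deserve a look of their own.
            [pscustomobject]@{
                Group           = $g
                Member          = $m.SamAccountName
                Type            = $m.objectClass
                Enabled         = $null
                LastLogonDate   = $null
                PasswordLastSet = $null
            }
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize
foreach ($g in $privilegedGroups) {
    "{0,-18} {1,3} member(s)" -f $g, @($report | Where-Object Group -eq $g).Count
}
```

Accounts in these groups that are disabled, have not logged on for months, or have a very old password are the first candidates for removal; the count line at the end is the number the article asks you to question.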
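Both halves of the auditing question, who is hammering accounts and which OUs have no policy reaching them, can be checked directly on a domain controller. The script below is an added example for this article, not code from the author or from Ossisto365. It assumes an elevated session on a domain controller with the ActiveDirectory and GroupPolicy RSAT modules, that logon and credential-validation auditing is enabled (otherwise the Security log simply has no failure events to count), and the look-back window and failure threshold are assumptions you should tune.

```powershell
# Added example (not from the article or Ossisto365). Run elevated on a domain controller with the
# ActiveDirectory and GroupPolicy RSAT modules. Requires Audit Logon, Credential Validation and
# Kerberos Authentication Service auditing to be enabled, or the Security log holds nothing to count.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$lookbackHours    = 24   # assumption: window to summarise
$failureThreshold = 10   # assumption: flag account/source pairs with at least this many failures

# Part 1: failed authentication attempts recorded on this DC.
# 4625 = failed logon, 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation.
$filter = @{ LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = (Get-Date).AddHours(-$lookbackHours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 4776 is logged for successes too; Status 0x0 means the validation succeeded.
    if ($e.Id -eq 4776 -and $data['Status'] -eq '0x0') { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = $data['TargetUserName']
        Source  = if ($e.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }
    }
}

"Failed authentication events in the last $lookbackHours h: $(@($failures).Count)"
$failures |
    Group-Object Account, Source |
    Where-Object Count -ge $failureThreshold |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Account'; e = { $_.Group[0].Account } },
                  @{ n = 'Source';  e = { $_.Group[0].Source } } |
    Format-Table -AutoSize

# Part 2: inventory every OU, what sits directly in it, and which GPOs actually reach it.
$ous = Get-ADOrganizationalUnit -Filter *
"Organizational units: $(@($ous).Count)"
$ouReport = foreach ($ou in $ous) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    [pscustomobject]@{
        OU            = $ou.DistinguishedName
        DirectObjects = @(Get-ADObject -SearchBase $ou.DistinguishedName -SearchScope OneLevel -Filter *).Count
        DirectLinks   = @($inh.GpoLinks).Count
        EffectiveGpos = @($inh.InheritedGpoLinks).Count   # includes links inherited from parents
        BlocksInherit = $inh.GpoInheritanceBlocked
    }
}
$ouReport | Format-Table -AutoSize

# An OU that contains objects but has no effective GPO is exactly the gap the question above describes.
"OUs with objects but no policy applied:"
$ouReport | Where-Object { $_.DirectObjects -gt 0 -and $_.EffectiveGpos -eq 0 } | Format-Table -AutoSize
```

The failure summary is a starting point for an alert, not a verdict: a source that appears with many accounts and few attempts each is a different pattern from one account with hundreds of attempts, and both are worth a rule in whatever collects your Security logs. Domain controllers also still write the Default Domain Policy link into `InheritedGpoLinks`, so an OU only shows zero effective GPOs when inheritance is blocked and nothing is linked directly.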
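Whichever side of the expiry debate you take, the first thing to establish is what the policy actually is, who is exempt from it, and how many passwords are older than you are comfortable with. The script below is an added example for this article, not code from the author or from Ossisto365. It assumes the RSAT ActiveDirectory module and read access; the 365-day threshold is an assumption.

```powershell
# Added example (not from the article or Ossisto365): password policy and password-age review.
# Read-only; assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$maxAgeDays = 365   # assumption: flag passwords older than this regardless of what the policy says

# 1. The domain-wide policy that every account without a fine-grained policy falls under.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MinPasswordAge, MaxPasswordAge,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow |
    Format-List

# 2. Fine-grained password policies (PSOs) that override it for specific groups or users.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo |
    Format-Table -AutoSize

# 3. Accounts that sidestep expiry entirely, and accounts whose password is simply old.
$users  = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires, PasswordNotRequired
$cutoff = (Get-Date).AddDays(-$maxAgeDays)

$neverExpires = $users | Where-Object PasswordNeverExpires
$notRequired  = $users | Where-Object PasswordNotRequired           # blank password permitted by flag
$oldPassword  = $users | Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff }
$neverSet     = $users | Where-Object { -not $_.PasswordLastSet }    # pwdLastSet = 0: must change at next logon

"Enabled users:                       $(@($users).Count)"
"  PasswordNeverExpires set:          $(@($neverExpires).Count)"
"  PasswordNotRequired set:           $(@($notRequired).Count)"
"  Password older than $maxAgeDays days:   $(@($oldPassword).Count)"
"  Password never set / must change:  $(@($neverSet).Count)"

"Accounts exempt from expiry, oldest password first:"
$neverExpires | Select-Object SamAccountName, PasswordLastSet | Sort-Object PasswordLastSet | Format-Table -AutoSize

# For one account, the policy that really applies (a PSO if one matches, otherwise the domain default).
# Replace the placeholder with a real sAMAccountName before running.
# Get-ADUserResultantPasswordPolicy -Identity 'PLACEHOLDER_USER'
```

Service accounts almost always end up in the `PasswordNeverExpires` list, which is why the expiry question and the service-account cleanup later in this article belong to the same review.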
As you may have noticed, we have listed a few topics that come to mind immediately. If you tackle them strategically, you have taken the first step towards securing your Active Directory environment.
I would recommend using a third-party tool to assist you in identifying problems or risks in the environment. You can refer to it as an Active Directory environment management tool.
This tool is from Ossisto365. The security risk assessment software they provide has 130+ different tests that highlight every area of the Active Directory environment, including but not limited to:
- DNS Health
- Group Policy
- Security Groups
- Event Log Checks
Here is a sample of the Ossisto365 Active Directory environment application in question:
There are many more, but once you have run the tests and identified the risks, you can present them to your Change Advisory Board (CAB), as the report does not only show each risk but also advises how to fix it with recommended remediation steps.
If your company is planning to run hybrid and sync with Azure AD, you need to be aware that the number of objects in your forest affects SQL licensing, and you should not sync old data before doing a cleanup. This involves removing stale accounts from Active Directory, emptying unused Organizational Units, checking service accounts for applications that may no longer exist, and checking for third-party contractors whose accounts are still active but who no longer support your environment.
On a final note, when auditors ask you to provide information such as elevated accounts, service accounts and password expiration, you can use the tool above to show them where you were before the audit and how you have cleaned up after running the tool and following its recommendations.
Remember, being transparent is the best approach. Yes, you might get a warning from the auditors, but they can see that you have taken the right approach to correcting things.
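The cleanup list above (stale accounts, empty OUs, orphaned service accounts) is easy to inventory before anyone is handed a sync or a delete button, and a dated export of each list is the kind of before-and-after evidence the audit note below refers to. The script is an added example for this article, not code from the author or from Ossisto365. It assumes the RSAT ActiveDirectory module; the 90-day window and the output folder are assumptions. It only reads and exports, and deliberately does not disable or delete anything.

```powershell
# Added example (not from the article or Ossisto365): inventory of cleanup candidates before an
# Azure AD sync. Read-only; assumes the RSAT ActiveDirectory module. Review the CSVs before acting.
Import-Module ActiveDirectory

$inactiveDays = 90                                   # assumption: inactivity window for "stale"
$outDir = Join-Path $env:TEMP 'ad-cleanup-review'    # assumption: where the evidence files go
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$window = [timespan]::FromDays($inactiveDays)

# 1. Enabled users and computers with no authentication inside the window.
#    Search-ADAccount relies on lastLogonTimestamp, which replicates only every 14 days or so,
#    so treat the window as approximate.
$inactiveUsers     = Search-ADAccount -AccountInactive -TimeSpan $window -UsersOnly     | Where-Object Enabled
$inactiveComputers = Search-ADAccount -AccountInactive -TimeSpan $window -ComputersOnly | Where-Object Enabled

# 2. Accounts already disabled but never removed; they are still objects and still get synced.
$disabledUsers = Search-ADAccount -AccountDisabled -UsersOnly

# 3. OUs with nothing directly beneath them.
$emptyOus = Get-ADOrganizationalUnit -Filter * | Where-Object {
    @(Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel -Filter *).Count -eq 0
}

# 4. Service accounts: user objects carrying a service principal name, with last use and password age,
#    so the owning application (or contractor) can be confirmed to still exist.
$serviceAccounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
        -Properties ServicePrincipalName, LastLogonDate, PasswordLastSet, Description |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, Description,
                  @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }

# Export every list with a timestamp so the same script run after the cleanup shows the delta.
$sets = [ordered]@{
    'inactive-users'     = $inactiveUsers     | Select-Object SamAccountName, LastLogonDate, DistinguishedName
    'inactive-computers' = $inactiveComputers | Select-Object Name, LastLogonDate, DistinguishedName
    'disabled-users'     = $disabledUsers     | Select-Object SamAccountName, DistinguishedName
    'empty-ous'          = $emptyOus          | Select-Object DistinguishedName
    'service-accounts'   = $serviceAccounts
}
foreach ($name in $sets.Keys) {
    $items = @($sets[$name])
    if ($items.Count -eq 0) {
        "{0,-20} {1,6}  (nothing to export)" -f $name, 0
        continue
    }
    $path = Join-Path $outDir "$stamp-$name.csv"
    $items | Export-Csv -Path $path -NoTypeInformation
    "{0,-20} {1,6}  -> {2}" -f $name, $items.Count, $path
}
```

Run it once before the cleanup and once after; the two sets of timestamped files are the "where we were" and "what we fixed" the auditors will ask for, independent of any vendor report.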