There are perhaps hundreds of techniques and Active Directory tools that could potentially help you manage your organization’s Active Directory (AD) better. We will, however, look at the most important tips you could apply to manage your AD more effectively.
1. Minimize Administrators
How many network administrators do you need? Keeping a lid on the number of administrators is perhaps the most important thing you can do. The more the administrators you have, the higher the risk that something could accidentally or deliberately go wrong.
Have the fewest possible administrators needed to keep things running as they should. Make sure each administrator is extensively trained in their role. The administrator must have their own ordinary user account separate from their admin account. That way, they would only briefly log in as an administrator when they need to before reverting to their ordinary account for tasks that don’t require such elevated privileges.
2. No Shared Administrator Accounts
A decade or two ago, it was not uncommon for organizations to have generic administrator accounts that were shared between various IT and operations personnel. As a security control, the password would be split into two or three parts each held by a different individual in the organization.
While this seemed like a good way to prevent any one individual from wreaking havoc on the system unchecked, it inadvertently made accountability difficult. If an action was initiated by the account was deemed illegal or fraudulent, which of the 2 or 3 persons with the parts of the password would be held responsible?
To avoid such ambiguity, each administrator account should be assigned to and operated by a single individual. To minimize the risk of misuse and abuse, no administrator account should have unfettered permission. Instead, segment admin accounts into specific roles.
3. Documentation
Documentation is a necessary evil of IT operations and management. If you don’t keep track of administrator activities, you will find it difficult to investigate incidents and make it harder for network administrators to prove their innocence in the event of fraud.
The more administrator actions you can document the better. However, at the minimum, documentation should cover forest and domain configuration, trust relationships, password and audit policies, organizational unit, group policy objects, server names, IP addresses, network topology, server changelogs, backup procedures and changes to the AD schema.
4. Disable Guest Accounts
Guest accounts may be permissible on a home computer but they should be banned on enterprise networks. The danger of having guest accounts often outweighs any temporary advantages of having them. They can be exploited by a hacker.
5. Rename Default Administrator Account
Like guest accounts, default administrator accounts are a popular target for hackers. Default administrator credentials are public information and provide a fairly easy avenue for network access by malware and unauthorized third parties. Remember, hackers are keen on spending the least amount of time possible in breaking into a network and will, therefore, prefer to focus on networks where the barriers to entry are few.
To avoid making your company’s network a sitting duck, rename the default administrator account. If possible, steer clear from using other commonly used administrator account names such as admin, super admin and root.
Instead, you could create names that make it clear an account has administrator-level privileges but while including an additional text string that prevents the administrator account name from being too predictable. Good examples of administrator account names are admin.john or admin.seattle.
6. Strong Password Rules
The stronger your password policies are, the lower the chances of an unauthorized person breaking or guessing the password of a legitimate user account.
Force users to change passwords regularly (at least every 3 months). Require that passwords have a minimum length and that they should contain a mix of numbers, symbols, and lower and upper letters. Reject sequential strings in a password (e.g. 123 or abc), dictionary names or password reuse.
It’s advisable that you have more rigorous password policies for administrator accounts than you do for ordinary users.
7. Physical Security
The growing number of spectacular cyberattacks that hit global headlines each year has seen organizations focus on cybersecurity. Unfortunately, this has sometimes been to the detriment of good old physical security.
Yet, if someone can physically access your servers, they can do much greater damage than they would if they only had virtual access. They could plug in a thumb drive, load a CD/DVD, remove a hard drive or steal an entire server. Restrict server physical access to only persons who already have virtual admin-level access to the same servers.
By applying these tips, your organization can maximize the positive power of AD.