In-Depth
Getting the Most from Active Directory in the Enterprise
How IT can address the challenges of Active Directory
by Jonathan Gohstand
Now celebrating its tenth birthday, Microsoft Active Directory has significantly impacted the typical enterprise. For example, 95 percent of Fortune 1000 companies currently use Active Directory, and most leverage the Active Directory schema extensions of Microsoft Exchange Server. If yours is one of these organizations, you’ve simplified many audit and security challenges, but a significant number of problems persist.
Active Directory typically authenticates Microsoft Windows domain clients and assigns rights to domain objects such as directories or files. However, this is insufficient to ensure proper overall authentication levels. You need to monitor server file permissions as well to prevent these permissions being used to bypass the rights granted by Active Directory groups. Looked at more broadly, databases and applications commonly do not use Active Directory at all. The resulting authentication environment is operationally complex, and if not properly maintained, may include the following risks:
- Negative audit and compliance findings
- Access to sensitive data by IT administrators or other unauthorized staff
- Breach of contractual obligations to maintain control of sensitive data
- Decreases in overall systems’ reliability
How may Active Directory help prevent these problems? Let’s start with its benefits. Active Directory establishes a scalable framework for authentication at a reasonable cost. It supports open interfaces and protocols -- notably Domain Name System (DNS), Kerberos, and Lightweight Directory Access Protocol (LDAP) -- making it reasonably straightforward to integrate into enterprise architectures. The combination of widespread adoption and the simple administration interface makes it easier to acquire and retain IT staff with competency in Active Directory infrastructure maintenance.
On the flip side, one of the biggest challenges is managing your overall rights “picture.” This happens because rights can also be granted on target objects such as shared folders. Typical audit requests and controls such as “Show me the complete picture of the actual rights a person has across the environment” or “How do I keep access controls to the minimum necessary in an operationally efficient manner?” are difficult to answer and manage without third-party support. (This situation is similar, by the way, to another widely deployed technology -- firewalls.) In practice, third-party tools are also needed to track rights on the objects themselves as well as to audit access without significantly impacting end-user performance.
Change auditing has, until recently, also been an area needing improvement. Granular, secure change auditing of Active Directory is essential to the protection of security, data, and systems. However, prior to Microsoft Windows Server 2008, Active Directory’s change auditing was quite limited, and didn’t support the necessary level of granularity and filtering. Again, third-party, add-on software was required to support typical audit control objectives, something most of us prefer to avoid for reasons of cost, performance, and risk. (An IT admin recently complained that his domain controllers burned more CPU cycles running the agents than actually performing directory services!)
Fortunately, Windows Server 2008 Active Directory improves this situation significantly. While its more advanced capabilities (such as digital rights management) are well publicized, there are many more mundane enhancements (such as the improved change auditing) that you can leverage. A far richer set of events is now written to the Security Event Log (when a change occurs, the event is recorded along with information about the state of the affected object before and after the change). When coupled with Windows Management Instrumentation (WMI) or direct access to the event logs, you may now more easily implement robust controls on changes to the Active Directory environment.
Turning to the rest of the infrastructure, it is surprising how infrequently Active Directory is leveraged. Databases and applications overwhelmingly use either another directory store (e.g., Network Information Service (NIS), OpenLDAP, etc.) or a local user database to authenticate users. Role information, such as authorization levels for particular user types, is almost always maintained within the database or application. Implementing and managing strong password controls is often a hit-or-miss affair. As a result, while the PC client domain is in reasonably good shape thanks to Active Directory, managing access controls on mission-critical applications and databases can be downright ugly.
Although there are numerous identity management solutions attempting to solve this problem, they are typically difficult to integrate and not widely deployed, especially in organizations with fewer than 5,000 users. Security Assertion Markup Language (SAML) is touted as a stepping stone to better integration of application authentication systems, but few enterprises use it internally to any significant degree.
Consider a specific example of this issue. Arguably the most common database platform deployed in global enterprises is Microsoft SQL Server 2005 running on Windows Server 2003. In this scenario, the operating system (OS) and the database (DB) have default local accounts (“administrator” and “sa” respectively). In typical deployments, the use of an Active Directory-based, domain-level admin account is employed for the OS instead of the local account, but the DB admin account in actual use is still "sa," which is completely decoupled from Active Directory.
Beyond access controls, the potential for abuse of legitimate access to data remains a huge problem, and one that directory systems such as Active Directory can’t do much about without huge investments in new architectures and systems.
Recommendations
Given this background, and the budget constraints that exist in nearly all organizations, what can you do to improve security and audit? The following practical steps are worth taking:
Leverage Active Directory Auditing Enhancements: If you haven’t already done so, familiarize yourself with all the enhancements to Windows Server 2008 Active Directory and start planning to upgrade your domain controllers. This is a simpler effort than upgrading the OS on your application servers because there are no applications on the platform to worry about. At this point, you can begin to use the enhanced AD change auditing in Server 2008, either with Microsoft or third-party tools that support the enhancements.
Implement Complete Windows Domain Access Control Change Auditing: A most basic control is to limit data access to the minimum controls necessary. To implement this control, both Active Directory group membership and file permissions on target platforms (Windows Servers and NAS units) need to be monitored. Windows 2008 domain controllers can support Active Directory change monitoring, but third-party tools are typically needed for the target platforms.
Application-Level Integration: Set the expectation internally that there are two hard and fast requirements for future new application developments or procurements: 1) the application must support a standards-based method for leveraging an external directory store, and 2) a sufficiently granular audit trail for both end-user and admin activities must be created. Note that these requirements should be included for both outsourced (cloud) and internal applications.
Application-Level Active Directory Integration: Consider going further and insisting on proven integration with Active Directory 2008. Also encourage a discussion around APIs for authorization integration and add this to the requirements’ matrix. Further, the audit trail should be easily exportable and in a format easily consumed by external systems.
Abuse of Legitimate Access: One of the tougher controls to implement is to identify situations where users abuse their access controls rights to obtain more data than needed for their jobs. A problem of operational reality, the challenge here is to implement a system and supporting processes that can identify such activity with minimal staff investment. Network-based monitoring systems can help significantly, especially with respect to granular controls on unstructured data or direct database queries.
Summary
Active Directory has greatly changed the IT directory and authentication landscape, creating a scalable, flexible, and, yes, reasonably open platform for building security controls. If you haven’t already done so, investigate the new elements of Active Directory 2008 that can be leveraged for immediate benefit, plus network tools for identifying abuse of legitimate access privileges. Longer term, look for opportunities to centralize and standardize application authentication, followed by new solutions that make it operationally viable to implement unified authorization frameworks and centralized, consistent audit trails.
Jonathan Gohstand has worked in the IT industry for more than 20 years. Before joining PacketMotion as the vice president of marketing, Gohstand worked for Cisco Systems’ Security Technology Group, where he managed product management for the IOS-based security business, helping it grow 400 percent during his tenure. He has also held international positions with Chevron Oil and FORE Systems. The author may be reached at jgohstand@packetmotion.com.