Brad Bussie presented a great webinar a couple weeks ago and laid out a simple, straightforward 5-step plan for Active Directory (AD) Clean-up. We’ve gotten so much positive feedback on his webinar, that I thought I summarize some of the key takeaways for those of you who weren’t able to attend. (You can also listen to an on-demand replay of the webinar here.)
For many organizations, Active Directory (AD) is the main hub for all authentications and authorizations to an organization’s IT infrastructure. The problem is, it’s become difficult to manage due to many reasons. For example, a migrated directory is inherited from another technology managed by a large number of people with no defined process for day-to-day operations. Unfortunately to those involved in managing AD, cleaning it up may sound like a novel idea, but the potential to introduce unknown problems into the equation prove to be a great barrier in beginning the process.
So what does a messy Active Directory actually mean to you?
- Lots of stale resources
- Little insight into group permissions and access (“group grants”)
- Lack of an established, good process for provisioning and de-provisioning accounts
- No defined owners identified or involved
- Problems with operations and monitoring
Why should you clean up Active Directory?
- Security – Understand who has access to what, how they received that access, and what they are doing with it
- Group Transformation – Drive consistency across groups for easier management and compliance
- Audit & Compliance – Pass internal and external audits to remain compliant
- Identity Management – Better secure structured and unstructured data with a clean Active Directory integrating with an Identity Access Management (IAM) solution
- Migration & Consolidation – Clean-up Active Directory to facilitate a merger with another organization
How can I do it?
StealthAUDIT offers organizations a variety of reports to clean up their Active Directory environment. Below are 5 steps for streamlining the clean-up of AD:
Step 1: Mitigate Toxic Conditions
Use reports to identify and clean up stale users, stale computers, and empty and duplicate groups, keeping track of your progress in de-provisioning workflows.
Step 2: Analyze Groups
Know who is in what group, including sensitive groups—and where groups are nested or have broken group membership (circular nesting). Then, report on and remediate these issues.
Step 3: Uncover Group Grants
Discover where groups have access, and what level of access, so you can map Active Directory to the business structure. This process helps you close down open shares and implement least privileged access to better protect your data and resources.
Step 4: Determine Ownership
Probable owner reports look at all groups and users assigned to them, calculates the manager of the resource, and gives information about the probable owner with a percent chance. This capability enables you to identify, assign, and involve business data managers so they can provision access.
Step 5: Tie it all Together
STEALTHbits’ clean-up workflow automates the process of: 1) detecting stale objects, 2) mapping groups to resources, 3) identifying owners responsible for granting data access, and 4) governing and maintaining a clean Active Directory. Like software development, this is a continuous process in which you continually fine-tune your AD.
What are the benefits of StealthAUDIT for Active Directory?
- Leverage the solution’s ability to query, analyze, report on, and remediate unwanted objects within Active Directory and file systems
- Understand who has access to what and what they are doing with that access
- Know “who owns what?” and get data owners involved in decision-making when it comes to resources and entitlements
- Meet and exceed audit and compliance needs
- Improve overall security, performance and business agility with a clean, structured AD
To watch the full webcast, 5 Steps for Cleaning up Active Directory, click here.
To download and install a free Active Directory assessment, click here.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Nate is a Marketing Manager at STEALTHbits and has worked in the IT Security industry for 5 years.