Active Directory Security Modeling isn’t just for the beautiful!

Active Directory Security Modeling. Even as I type the phrase I note how ubiquitous the term can be. Not even TechNet or Google give any hard and fast rules around scope, design, or *gasp* actual implementation. Yet this ‘model’ is at the very core of AD, and AD is at the very core of the Microsoft IT footprint.

So many aspects can go into a security model of this sort, right?

  • At the core you have your OU structure: how it’s named and how it’s laid out.
  • The associated group policy objects: how they link and what they define
  • User naming structures, parent containers, classifications, and populated attributes
  • Computer objects and their naming, attributes, and classifications
  • Groups with ALL their use cases, naming conventions, scope, nesting, and parent containers

Whew….and this is just the first layer. We haven’t even begun to dive into contacts, printers, shares, service connection points, or schema. Why would someone put so much work into defining something like this?

What about:

  • Lower SLAs (Less time firefighting)
  • Spend less money integrating new applications & infrastructure (or be able to integrate new applications)
  • Decrease in Audit Findings / time spent on Audit requests

These are just a few of the short-term benefits I can think of. Long term you have Windows 7 / 8 and AD / Server 2012 migrations. Microsoft is changing the game once again in 2012 with Dynamic Access Control and claims. These technologies will change how we think about access, and how access is applied, forever in the MS footprint. Not to mention they will most likely cut support for 2003 and 2008, much like they did for 2000.

Where do you even start with 10 or more years of a rat’s nest of AD forest trusts, cross-domain nesting, and no real visibility into your infrastructure? You’re not alone in asking this question. A high-level executive at MS recently stated on a call I was on that the number one question MS identity and access management is asked is “How can I tell if / how my groups are being used?”

The answer: you can. You need to define what the edge cases of your model are; this may involve setting up a completely new forest. Then write it down in a standards document. You then MUST clean up AD itself. Figure out all the objects that can be cut right out. Then you HAVE to scan everywhere a group can be used, and I mean EVERYWHERE. Once you have that, you simply match against the edge cases you defined and figure out the delta. None of this is easy, and it’s not even close to the end solution. You still need to change any deviations and make sure the deviations don’t happen again. STEALTHbits is truly the only vendor that can do all this from start to finish; other competitors drag over objects with little discretion and zero conformance. That subsequently leads to another project to conform. For more information, check out StealthAUDIT for Active Directory or feel free to Contact Us.
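As an added illustration of the “match against your edge cases and figure out the delta” step (this is not STEALTHbits code and not from the original post), the PowerShell below applies a small written-down group model (naming pattern, allowed scopes, parent OU, maximum nesting depth) to a constructed set of group objects so it runs offline; the assumption is that in a live domain `$groups` would instead be fed from `Get-ADGroup -Filter * -Properties MemberOf`.

```powershell
# Added example: compare group objects against a documented model and report the delta.
# $groups below is constructed sample data so the script runs offline; in production it
# would come from Get-ADGroup -Filter * -Properties MemberOf (ActiveDirectory module).

# The model: the "edge cases" the post says must be defined and written down.
$Model = @{
    NamePattern     = '^(GG|DL)-[A-Z][A-Za-z0-9]+-(Read|Write|Admin)$'   # e.g. DL-Finance-Read
    AllowedScopes   = @('Global', 'DomainLocal')                          # no Universal groups
    ParentOU        = 'OU=Groups,DC=corp,DC=example'
    MaxNestingDepth = 2   # DL -> GG -> user is depth 2; anything deeper is a deviation
}

# Constructed sample data: Name, GroupScope, DistinguishedName, MemberOf (parent groups).
$groups = @(
    [pscustomobject]@{ Name='DL-Finance-Read'; GroupScope='DomainLocal'; DistinguishedName='CN=DL-Finance-Read,OU=Groups,DC=corp,DC=example'; MemberOf=@() },
    [pscustomobject]@{ Name='GG-Finance-Read'; GroupScope='Global';      DistinguishedName='CN=GG-Finance-Read,OU=Groups,DC=corp,DC=example'; MemberOf=@('CN=DL-Finance-Read,OU=Groups,DC=corp,DC=example') },
    [pscustomobject]@{ Name='Finance Team';    GroupScope='Global';      DistinguishedName='CN=Finance Team,OU=Users,DC=corp,DC=example';     MemberOf=@('CN=GG-Finance-Read,OU=Groups,DC=corp,DC=example') },
    [pscustomobject]@{ Name='GG-Sales-Admin';  GroupScope='Universal';   DistinguishedName='CN=GG-Sales-Admin,OU=Groups,DC=corp,DC=example';  MemberOf=@('CN=Finance Team,OU=Users,DC=corp,DC=example') }
)
$byDn = @{}; foreach ($g in $groups) { $byDn[$g.DistinguishedName] = $g }

# Depth = longest chain of parent groups above this group (cycle-safe via $seen).
function Get-NestingDepth($dn, $seen) {
    if ($seen -contains $dn -or -not $byDn.ContainsKey($dn)) { return 0 }
    $max = 0
    foreach ($p in $byDn[$dn].MemberOf) {
        $d = 1 + (Get-NestingDepth $p ($seen + $dn))
        if ($d -gt $max) { $max = $d }
    }
    return $max
}

# Match every group against the model and emit one row per deviation (the delta).
function Get-ModelDelta {
    foreach ($g in $groups) {
        $parent = ($g.DistinguishedName -split ',', 2)[1]   # everything after the CN= RDN
        $depth  = Get-NestingDepth $g.DistinguishedName @()
        $issues = @()
        if ($g.Name -notmatch $Model.NamePattern)      { $issues += 'naming convention' }
        if ($g.GroupScope -notin $Model.AllowedScopes) { $issues += 'scope' }
        if ($parent -ne $Model.ParentOU)               { $issues += 'parent container' }
        if ($depth -gt $Model.MaxNestingDepth)         { $issues += "nesting depth $depth" }
        foreach ($i in $issues) { [pscustomobject]@{ Group = $g.Name; Deviation = $i } }
    }
}

Get-ModelDelta | Format-Table -AutoSize
```

With the sample data, "Finance Team" is flagged for naming convention and parent container, and "GG-Sales-Admin" for scope and for nesting depth 3; the first two groups conform.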
