Downtime – It can be both a good and a bad thing. This, of course, depends greatly upon the context in which the word is being used. For example, having a little downtime while lounging on a sunny beach in Hawaii, sipping Pina Coladas and listening to classic rock is a much different scenario than having infrastructure downtime caused by a catastrophic change in Active Directory. In one case, the worst possible result may be a little sunburn and the realization that you probably aren’t in as good shape as you were 10 years ago. In the other, business is brought to a virtual halt while productivity (as well as profit) is lost due to the cost of remediation and the lack of communication.
So, which scenario do you prefer?
Unfortunately for most, the latter is the more likely of the two to occur in everyday life, if it hasn’t happened already. There’s a good reason for that though – there are many factors in an IT environment that can lead to it. Below, I have laid out some of the more common causes of downtime relating to Active Directory:
| Issue | Importance | Effects | How Does it Cause Downtime? |
|---|---|---|---|
| GPO Change | GPOs control security, user experience, and domain behaviors across the entire enterprise | Varied. Removal of needed applications, inability to log on to a domain, improper access, etc. | Certain GPO settings (who can log on to machines, key group memberships, key applications) impact business directly and can cause a domain to fail entirely |
| Changes to Critical Groups | Groups are used to secure data and applications | Adding a user to a group can give them access to things they should not have. Alternatively, removing a user from a group can prevent them from accessing resources they need | Time must be spent to clean up the mess when people are added to or removed from groups that give them more or less access than they should have |
| Account Lockouts | People who are locked out cannot gain access to the environment | If key company accounts such as executives, VIPs, service accounts, etc. become locked out, it can have drastic downstream effects | Unlocking the account, trying to figure out why it was locked out, and making changes to prevent it from happening again all take time. If a service account becomes locked, applications can fail |
| Moves/Deletions of Objects | Objects in Active Directory can either be resources (like printers) or security principals (user or computer accounts and groups) | The effects of a deletion or move can vary, but the behavior of the affected object changes, giving a result similar to a GPO modification | There can be many reasons, but, in short – if key objects are deleted or moved, critical systems and applications could fail or become inaccessible |
These are events that can happen to anyone, at any time, at any organization, very easily. Why is this? Quite plainly, it can be very hard for administrators to keep track of and police who has the ability to do what, both within AD and within the resources AD provides access to. This leaves the door wide open for devastating change to happen, whether by accident or malicious intent. And for those who believe native logs will provide adequate detail on changes – unfortunately, that is simply not the case. Native logs fail to generate the full picture of what is really happening in these situations – they will likely miss key details, do not scale, are difficult to configure, and can be turned off. They are not the solution to the problem.
So what’s the alternative? Although there can be many answers to this question, we here at STEALTHbits think it’s just one word – StealthINTERCEPT. StealthINTERCEPT provides real-time change & access monitoring and blocking for Active Directory, Exchange, and file systems, with absolutely no reliance on native logging facilities. As a result, StealthINTERCEPT authoritatively sees all the changes and access events occurring within these critical systems and applications before they happen, gathering all the available details about the events that aren’t natively supplied in standard logs, and also providing you the opportunity to actually PREVENT these events from occurring in the first place.
AD change is a difficult and challenging problem to address, and that’s why we want to make it simple. So, why don’t you learn a little more about how we can help? We think that everybody is deserving of some downtime – the good type – the type that comes when a boss grants extra vacation because he is so happy with how secure your Active Directory has become.
Be sure to use sunscreen.
Nate is a Marketing Manager at STEALTHbits and has worked in the IT Security industry for 5 years.