Accounts & Groups
Adequate protection of these 5 IT assets is critical and essential for maintaining Active Directory security.
Domain Controllers – A domain controller (DC) is arguably the most critical server in the entire network, because it is a Kerberos Key Distribution Center (KDC) and because it hosts the Active Directory, which stores and protects all domain user accounts and their passwords, security groups and their memberships, and all computer security policies.
The compromise of a single domain controller is tantamount to the compromise of the entire Active Directory forest, and by extension, a potential compromise of the entire IT infrastructure.
It is very important to provide adequate physical, system and network security to all DCs in a forest.
Active Directory Backups – Active Directory backups contain sensitive information, and physical access to a backup could, with some effort, be used to obtain access to administrative credentials.
It is equally important to provide adequate physical security to all Active Directory backup copies.
Administrative Accounts and Groups – Active Directory administrative accounts are the crown jewels of administrative power. These privileged accounts hold the proverbial keys to the kingdom.
The compromise of a single administrative account is tantamount to the compromise of the entire Active Directory forest, and by extension, a potential compromise of the entire IT infrastructure.
It is extremely important to ensure that the number of IT personnel who possess unrestricted administrative access in Active Directory is minimized. It is equally important to ensure that only highly trustworthy IT personnel have the means to manage administrative accounts and groups (e.g. resetting an admin's password, enabling a disabled admin account, or modifying the membership of an admin group such as Domain Admins).
Administrative Workstations – Administrative workstations are the computers that Active Directory administrators log on to and use to administer the Active Directory. These workstations, as well as all software running on them, must always be highly trustworthy.
The compromise of a single administrative workstation could also be used to compromise the entire Active Directory forest, and by extension, a potential compromise of the entire IT infrastructure.
It is thus equally important to provide adequate physical, system and network security for all administrative workstations.
Administrative Delegations – Administrative Delegations refer to the entirety of delegations performed in various parts of the Active Directory, such as on organizational units, containers, accounts and groups, for tasks related to identity and access management, such as user account password resets.
Delegated access is one of the most overlooked areas of Active Directory security but it is one of the most sensitive areas of security, because a single unauthorized delegation in Active Directory could be used to compromise one or more IT assets very easily and almost instantly.
For example, the unauthorized delegated ability to reset the CEO's or a Domain Admin's account password could be effortlessly misused to reset that password and instantly log on as the CEO or Domain Admin.
Similarly, the unauthorized delegated ability to be able to modify the membership of a security group that is being used to protect one or more critical IT resources (e.g. files, databases, apps) in the IT infrastructure, could be used to instantly obtain unauthorized access to all such IT resources.
It is thus very important to ensure that organizations know exactly who is delegated what administrative access, on which OUs, accounts and groups in their Active Directory, at all times.
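As an added example (not part of the original article), the following PowerShell audit reports who holds the two delegations called out above, the right to reset a password and the right to modify group membership, together with full control, WriteDacl and WriteOwner, on a privileged group and account. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), read access to the directory, and that 'ceo' is a placeholder account name to replace with your own.

```powershell
# Added audit example, not from the original article. Assumes the RSAT ActiveDirectory
# module; 'ceo' is a placeholder sAMAccountName for the account you want to review.
Import-Module ActiveDirectory

$Targets = @(
    (Get-ADGroup 'Domain Admins').DistinguishedName,
    (Get-ADUser  'ceo').DistinguishedName
)

# Resolve the GUIDs for the two delegations from the directory itself rather than hard-coding them
$rootDse = Get-ADRootDSE
$resetPwdGuid = [guid](Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
    -Properties rightsGuid).rightsGuid
$memberGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID).schemaIDGUID
$anyObject = [guid]::Empty   # an ACE with an empty ObjectType covers every attribute / extended right
$R = [System.DirectoryServices.ActiveDirectoryRights]

function Get-SensitiveDelegation {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $why = $null
        if     ($rights.HasFlag($R::GenericAll))  { $why = 'Full control' }
        elseif ($rights.HasFlag($R::WriteDacl))   { $why = 'Can rewrite permissions' }
        elseif ($rights.HasFlag($R::WriteOwner))  { $why = 'Can take ownership' }
        elseif ($rights.HasFlag($R::ExtendedRight) -and
                ($ace.ObjectType -eq $resetPwdGuid -or $ace.ObjectType -eq $anyObject)) { $why = 'Reset password' }
        elseif ($rights.HasFlag($R::WriteProperty) -and
                ($ace.ObjectType -eq $memberGuid -or $ace.ObjectType -eq $anyObject)) { $why = 'Modify group membership' }
        if ($why) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Right     = $why
                Inherited = $ace.IsInherited   # inherited ACEs usually come from an OU-level delegation
            }
        }
    }
}

$Targets | ForEach-Object { Get-SensitiveDelegation -DistinguishedName $_ } |
    Sort-Object Object, Principal | Format-Table -AutoSize
```

Every principal listed that is not an expected administrative group or service is a delegation to review; inherited entries point back to the OU where the delegation was actually granted.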
It is highly recommended that organizations provide adequate security for these 5 IT assets at all times.