5 Tips for Improving AD Security


Todd: Good afternoon, everybody! This is Todd O’Bert, president and CEO of Productive Corporation. I am joined here beside me with a microscope and a magnifying glass because he is going to get deep into Active Directory. That man is Pete Greco, our VP of Sales and Technology. Today we’re going to talk about five ways to improve Active Directory security. But before we get into that we have a couple of things to cover. First is Meet Productive in One Minute or Less. Then it is scaring the pants off you guys about what is happening in Active Directory. Then bringing it all back together and giving you some great stuff to work on. So that is how we do it. If this is your first time joining us, welcome. If you are coming back, welcome back. Here’s how we do it: we try to present a lot of relevant content and answer questions along the way, so if you do have a question, utilize the chat feature and let me know and we will get your question answered to the best of our abilities. So with that, let’s buckle up and meet Productive in one minute or less.

“Who is Productive Corporation?” you say. Well, thank you for asking. I am so glad you silently asked. Productive Corporation provides security solutions for mid-sized companies. We also have a six-armed man that offers specialized expertise to answer licensing and technical questions. We implement, test, and optimize the products that we sell. We also offer security assessments. We do a lot of work around Active Directory security services as well as configuration assistance for UTM and endpoint products. We also produce a lot of third-party content for you on our website; on the web you can find this at productivecorp.com/content or our YouTube channel. The bottom line is we have a lot of resources to help you, whether it’s implementation, assessment, licensing, optimization services, or just knowledge. That’s why we are here. We’re here to help. Productivecorp.com. 800-726-4099.

So one of the ways that we help is we talk about poignant topics that we are hearing from our customers, that we are seeing in the marketplace today, and that’s all about Active Directory, right? Founded a long time ago, starting in 1999 in fact, and so it’s been around, and because it’s been around for a long time it’s functional, but there are also some issues that some of you may know or not know exist just due to the longevity of the product. So the man with the plan that will be talking to you about that today is Mr. Pete Greco. Pete is our VP of Sales and Technology and has been in the security technology business for, you know, almost two decades. Has done a lot, has seen a lot, has laughed, has cried a lot, because that’s what happens when you’re in the security business. So with that I’m going to turn the microphone over to Pete. And Pete, let’s have a warm virtual round of applause for Mr. Pete Greco. Pete? [silence] Ah, you know, Pete decided that now is the time he wants to chime in after the applause dies down. Pete?

Pete: [laughing] Thanks so much. Hello, everybody, and thank you for jumping on with us today. We are going to get through this hopefully as quick as we can so that everybody can get back on with their holiday shopping and lunchtime activities. So what are we talking about here, right? It is dating back to 1999, right? As Todd put on here, you might remember some fun things like the Melissa virus; that was a good one. Followed up by SQL Slammer, right? Lots of Y2K conversations. I remember writing many a letter stating that different products were Y2K compliant or were not. The Intel Pentium 3, I remember wanting one of those so badly, right? And of course the reason that we’re here, because I was still stuck with my 486 DX, right?

Todd: [laughs]

Pete: And the reason that we’re here today is to talk about Active Directory, right, just getting released. And I think a lot of folks agreed back then that they liked it a whole lot better than that inactive directory, right? And so it was brand new, and here we are in 2016, soon to be 2017, and a lot is still the same, right? And so the original version, a little bit of a different screen, look, and feel. I miss the 16-bit colors, that’s for sure. Takes you back to your Mario days almost, right? Everybody was running the sun on physical servers. These things were saving you a lot of money compared to running a UNIX network, so a lot of folks did not mind ending the ginormous cost for disk and RAM, right? And a totally different feel to the network back then. A lot more complexity is involved over this last, you know, nearly 20 years now.

So let’s talk a little bit about why we’re even doing this presentation, right? We’ve been talking to a lot of folks lately who are nervous or have already been compromised through some kind of credential-type situation, which is obviously managed by Active Directory. And one of the big things to be worried about here, right, is if somebody does get legitimate access to the directory through a user, or can compromise your AD server another way, and is able to create their own superuser credentials, right? They’re basically going to be able to control the entire network, and the tricky thing here is it is so easy to hide information in the directory structure, where it’s not that you would never find it, but it could possibly take you forever to find it. And if you do get a major hacker or a major exposure point, the only way to really be a hundred percent sure that you’ve gotten rid of every last trace of that intruder would be to completely rebuild the domain. And if you’re not aware, I’m going to tell you right now that is not easy to do, right? We’re actually working with someone on a project just like that, and the time-consuming nature of just migrating profiles over can be completely ridiculous, right?

So how do we get to a point where we are exposed? Where our AD structure has become weaker or has become out of control? You know, a lot of it stems from AD structures being handed down from generation to generation, right, and we hear this a lot: “I’ve been here for a year. I’m still trying to get a handle on how the backup product is working. How our endpoint security product is working. Why we created the gateway policies the way that we have them, right?” And then you’re trying to get on top of Active Directory and figure out what’s going on there. So much to do, so little time. And a lot of times folks might be getting some kind of a nice transfer of duties from someone who’s getting promoted. That’s a little bit more helpful, but a lot of times you’re jumping into this thing cold, and the person who maybe was managing this previously is completely out of the picture and you’re not able to communicate with them or ask them questions or find out why things got done the way they got done. And in many situations even that predecessor does not know why this stuff got set up this way, right?

So one of the ways where we really fool ourselves, and when I say “we” I mean “me,” right, is everything is working, you know? And when I say everything is working: everybody is able to get the connectivity they need, everybody is able to get the access that they need when they show up in the morning, they’re logging in, right, and being able to go to the Internet and being able to go to their whatever mapped drive and hit the CRM and this kind of stuff. And it gives us the ability to snooze on figuring out where our problems are, right, because we’re running to solve the problems for things that are clearly not working. “Why can’t I access that drive?” “When I enter my password here I’m not getting logged in.” Those are going to be the first problems we solve, right? And so now we have folks moving from group to group, getting extended permissions as their roles change, which is creating a weaker environment for us. And this last bullet that Todd threw on here is potentially one of the most telling things for most environments, right: temporary changes become permanent. And I’ve been guilty of this myself, where we’re increasing access trying to solve a problem, we’re making a lot of changes in a lot of different places, trying to figure out why something’s not working. And once we solve the problem, maybe we don’t know or can’t remember all the different things that we did. We’re not entirely sure which of the things we did actually got it working, or we jump to the next fire with the intention of coming back to this after lunch, or when I get in first thing in the morning, or I’ll do it later tonight from home, and life and business get in the way.

Todd: Yeah, I mean, or you just go, right? I mean you say, even more, it’s working now, okay? So let’s wait a few weeks, right, and then over a few weeks other stuff happens, right, not even a try, you know? I mean it’s just, right, so all of the above.

Pete: Yeah, exactly. I don’t think, from the bulk of the folks that we work with, the last thing that I would ever say is that it’s due to laziness. It’s definitely too much other stuff happening simultaneously, and it becomes something on the task list that maybe never gets addressed, and when it does, you might not recall all the stuff that you did or can’t find that original document, so, right?

The sky is falling. So what do we do? Well, first of all, it’s not falling. You’re still up and running, right? So as we put in here, less hype, please. Let’s be realistic about what’s going on and take a look at some tips to get on top of your AD, right? So a lot of good stuff in here. This is, you know, as we were putting this list together, these were kind of the quick five things we could come up with depending on your environment, right? There might be other things that you need to get focused on, and hopefully you’re doing all of this stuff or doing a lot of this stuff already, right?

So, tip one: no individual permissions. And I think a lot of folks, if they’re building a new directory or they’re modernizing their servers to 2012 and they’re really doing a big review, this is one of the big things that they should be trying to get on top of: really getting permissions given to the group so that it’s much, much easier to manage who has access to what and control that group structure, versus trying to figure out based on the individuals who has access to what and how do we keep control on limiting that access, right? Then we also want to make sure that we’re really making sure we need all of those groups, because the more groups we create, the more stuff there is for us to be aware of and to be thinking about, and as you get larger and larger those groups are going to grow, but even as you get to be huge you still want to be able to keep control over the number of groups that you’re creating and the permissions that you’re giving access to, and do a periodic audit to figure out where you’re at there.

And then of course this is a, you know, I honestly don’t know if this is a no-brainer. We’re talking to a lot of folks about least privileged access as a concept. I think when we do that we do see a lot of people in agreement and really on the same page and understanding what we’re talking about, but really trying to figure out how do we give the least amount of access that permits somebody to get their job done, right, in an environment? And we see in the larger organizations that is executed, I think, a little bit with more intent. I think in the smaller organizations, a lot of times the thought process is, because we trust everybody, we’re not as concerned about the access that they have. We know Sheila is not going to be going to the finance server because that’s not her job and she’s been a loyal employee for a long time. And that’s one way to think about it, but what happens if Sheila’s credentials get compromised and now those credentials have access to it? That’s where, yeah, you kinda… especially when you’re talking to non-technical management, the way you really have got to help them understand is it’s not that we’re worried about Sheila. It’s that we’re worried about Sheila’s credentials, and if somebody else gets those they’re now going to have access to everything, and they are not trustworthy, right?

So let’s move on to tip number two. Doing the reviews and the audits to figure out who does have access to what, what should they have access to, and really being able to identify and create the roles that match the permissions so that you can actually get the folks with just enough access to do their job. That goes back to that least privileged access, right? That’s how we do that, and when you’re creating a brand new AD, right, that’s pretty easy to get off on the right foot. When you’re working on a directory structure like ours that’s been around for 15 years, right? A little bit more work, because we’ve had a lot of folks come and go over that time. We’ve had a lot of different kinds of roles. There was a lot of access and things that we did in 2004, in 2005, and 2006 that we don’t do today, but some of those groups and permissions might still be hanging around. So we need to get an understanding of what that stuff is and make sure that we’re limiting it, disabling it, deleting it, and correcting it so that we can have a much safer situation.

And part of that obviously extends to the thing that scares me the most: service accounts, right? And I understand why they’re needed. Obviously you’ve got all kinds of stuff communicating over the network that needs to get access so that it can connect with, you know, a SQL database, be able to send out alerts to admins or process owners or whatever it might be, right? But every time you see these service accounts it’s not always clear what they go to or whether they are still needed, and we were looking at some service accounts that we had just yesterday as we were getting ready for this, and we saw a whole bunch of accounts that we finally identified were different versions. They were created because of different versions and then different installs on different servers, a lot of which we didn’t have anymore. And I think for a long time we were really looking at those and trying to identify are any of these still needed, and do we have the time to figure out if we’re causing a problem for ourselves if we disable this? And so we took the leap, we got the problem solved, took a little bit of time, and that’s I think part of the reason why we get so out of whack with our directory structure: having the time to actually solve some of these problems versus knowing, “Hey, I’m just going to let this service account roll.” Might not be needed, but if it is needed I’m not going to stop a business process when I really don’t have time to figure out what’s going on.

And the next thing that we really need to look at is when we install something that creates a service account for us in somewhat of an automated fashion. What kind of access is it given? A lot of the software publishers, they’re putting things in with full access because it lowers the amount of folks who are going to call in for technical support, right? So when they’re building the software products, whether it’s a CRM or some kind of email system or some kind of security tool or business productivity tool or whatever it is, they’re trying to figure out how does this work in every environment? How do we make this thing so that it’s as easy as possible and get you up and running on the technology and give you that quick ROI? And a lot of times what they’re not thinking about is how do I make this as secure as possible, unless maybe what you’re buying is actually a security product, right? But a lot of folks are just trying to figure out how do I make this work in most environments, and the challenge that we run into there is now you’ve got a service account that potentially has an exploit affiliated with that program where they’re able to come in and leverage that service account and start owning your environment that way. So doing a review of those and figuring out how do we set those permissions in the most correct place and which of these services are no longer in use. Here’s an app that we ran from 2003 to 2008. Well, let’s delete that one, that’s not needed anymore, right. And then your big challenge is what do we do with legacy stuff? We have a legacy CRM product that I think next year we will finally blow away, but we’ve needed to keep the service account around even though the virtual guest that it’s installed in is completely shut off. Unless we need it for something, we’ll fire it up, get the data that we need, and then close it back down, but the service account remains active, right? So that’s a lot of weird stuff that we see in our environment. I know you folks see it in your environment. That makes it tricky to stay on top of, but that’s why they call this work and, you know, not play.

So tip number four here: clean up licensing. A lot of times, and this is what, you know, one of our senior techs here, Jane, says is, worst case scenario you get those identities cleaned up and you’re going to potentially save yourself some licensing costs by figuring out where I need fewer CALs and need fewer licenses for things, and if you’ve got a cleaner, tighter directory, you’re going to be able to get a little cleaner information about how many users you have and how many users need access to what, and some of that good kind of stuff. And you’ve got to make sure that you’re documenting everything that you’re doing so that you have a good policy to, you know, make sure you know what’s getting changed, make sure you know who needs access to what. As Jane puts it, you know, document, document, document. Or the other thing she likes saying is make sure you’re writing yourself a term paper so you know what’s going on, right?

And then tip number five: auditing sensitive folders. And this is where we really see a lot of exposure, and it stems from AD though you’re witnessing it on that file server or shared drives or mapped drives. How we want to look at it: where folks are getting added as an individual, and this kind of goes back to tip one of no individual access or individual rights. Individuals get added to certain kinds of groups. They now have access that gets forgotten about as their role changes. That access never gets taken away, and periodically we’ve got to go through and make sure that all that stuff is tight. The way that a lot of folks have really tried to improve their security is through file and folder encryption, right? So we’re encrypting these file shares. We’re doing full-disk encryption on our laptops. That’s kind of a no-brainer there, right? But now we’re doing file and folder encryption and we’re telling folks, hey, put your sensitive docs here, but if we’re not controlling who actually has access to those encrypted areas, again, a credential hack. And now you’ve got someone with legitimate access to a place where you didn’t want them to have access at all, or where access was not required for them to do their job, able to get in there and get that data decrypted, and it can lead to data theft. So improving that. Now if someone’s hacking into that server, someone comes in and grabs that thing and runs out with it, they’re not going to be able to access that drive, but if they’re able to get that credential, they’re getting all the information that that person had access to. The next thing they’re going to be trying to do is escalate those privileges, right? And that becomes a whole different angle. The next thing that we need to think about then is how do we make sure that we’re getting the data in the right place, and that’s a whole other webinar that everybody can be looking forward to seeing in 2017.

Okay, so some good resources to know. You know, before we had Jane Tyler here, who is an Active Directory mastermind, I had to go out and just figure out how to do stuff by looking it up on the internet, and so a lot of great resources out there. Productive Corporation would like to be one of those resources for you and let you all have access to Jane and the rest of our tech team to help you guys do some of this auditing and cleanup and process implementation, right? And really figure out what’s going on. But a lot of great sites out here as well that I like taking advantage of, and obviously a lot of this stuff goes back to the main source, the owners of Active Directory, Microsoft; a lot of great information there. I think what a lot of folks have found value in is they figure out what needs to be done and then let us come in and help you do it, even as a staff augmentation-type situation; I think a lot of folks have found that to be beneficial. We have a handout for you.

Todd: I stepped on your line, no, I, that’s, I’ll go. So yeah, so there’s a handout called 80 Helpful Links, doc Word format in honor of Microsoft, has some of our top links that we use and have utilized for information gathering about AD. So feel free to download that; you should see it in the right hand of the presentation here. And with that I have a quick question for Pete. What tools are we selling to monitor or maintain Active Directory, and that’s primarily for auditing and maintenance?

Pete: Yeah, so I think I’m going to cover the whole thing. We would, if you’re looking for a product for monitoring, seeing those permissions in a high-level way and even being able to do some remediation, the product to take a look at would be Stealth Bits. Would love to have an individual conversation and we can do a custom demo so you can kind of see how that tool looks and operates. Before we did that, what we like to do is really have a needs analysis conversation. Takes really sub-thirty minutes. A lot of times it’s even quicker to figure out what makes the most sense for you and come up with a game plan for investigation, and then from that investigation we can figure out what’s a great way to go to help shore up your environment based on your specific needs.

Todd: Yep, exactly. So let us know. So yeah, so you’ve got the resource doc. Is there anything else, final thoughts, Pete?

Pete: No. Would definitely be interested in chatting further with anybody who’s interested. Your Productive rep will be following up with you after the presentation today. Active Directory security is, you know, one of the many things that we do, as you saw from our Meet Productive in One Minute. Very interested in chatting with everybody to find out a little bit more about what’s going on in your environment and see if we can give you some solid advice or help you out.

Todd: Yeah, and what’s the kind of the play? I mean, we get somebody on, I mean, we’re willing to chat with them for, I mean, this isn’t just work calling them and pitching them, and we’re talking about doing some, you know, real kind of understanding of what they have going on, right? I mean, that’s an initial call take, and what kind of benefit would any of these guys get from that?

Pete: Yeah, so, you know, it’s different for every environment, but an initial call typically is sub-thirty minutes for us to really kind of figure out what’s going on, what you’re worried about, what you’re trying to solve, and figure out what kinds of suggestions we can make, and a lot of these conversations is we’re giving you some information that you can run back and do yourself. And a lot of the stuff that we’re doing for clients, Todd, is not things that they can’t do themselves. A lot of times it’s they simply don’t have the time and the bandwidth to do it right, and when you bring in somebody like a Jane Tyler or a Steve Gitto here, who is focused on this, right, they’ve already done the research for you and they can come in and really just hit the ground running. Keep you in the loop, obviously, you know? A lot of the stuff that we do around Active Directory and kind of the higher-level security, a little bit different from kind of endpoint protection or gateway protection, you know, really requires access and some understanding of what were you trying to accomplish here, or what does this do for you, or why do you guys think you need it this way, so that we can help you understand how to do it in a smarter way. But a lot of times we need that input from you so that we can understand what the reasons were, because sometimes we come in and see something and say, hey, this is not how I would do it, but there’s actually an excellent reason for why that’s the only way to do it for this specific environment, right? So it’s very interactive, and, you know, like I said, an initial investigative call, sub-thirty minutes. A lot of times sub-twenty minutes, and we can kind of figure out what’s a plan to create a plan. That sounds kind of crazy, I know, but a lot of times that’s what we’re doing: we’re creating a plan that allows us to help you create a plan so that you can see exactly what we think needs to happen and give you a framework for how to go about doing that.

Todd: Awesome! All right, well, thanks, Pete. I mean, engage with us, right? We’ll get you involved with our subject matter experts and we will roll from there. So we’re at the bottom of the hour. I really appreciate everybody taking the time today. We know from working with you guys how much you have on your plate, so the fact that you spent thirty minutes with us is much appreciated, I say. Thank you. I’m Todd O’Bert, along with Pete Greco from Productive, wishing you a fantastic balance of your day and week, and hopefully we’ll talk soon. Thanks, everybody.

Daniel Ostrander
