8/2/2019 10 Reasons You Absolutely Need a Reporting Solution for Active Directory to Pass Audits
10 Reasons You Absolutely Need an Active Directory Reporting Solution to Pass Audits, Improve Security and Reduce Costs

Written by
Randy Franklin Smith
CEO, Monterey Technology Group, Inc.
Publisher of UltimateWindowsSecurity.com

White Paper
© 2009 Quest Software, Inc. All rights reserved.

This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

WARRANTY
The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
e-mail: [email protected]
U.S. and Canada: 949.754.8000
Please refer to our Web site for regional and international office information.

April, 2009
CONTENTS

INTRODUCTION
10 INDISPENSABLE REPORTS
  1. Dormant Accounts
  2. Users Not Required to Change Passwords
  3. Groups with Members
  4. Group Nesting
  5. Active Directory Permissions
  6. General Users Report
  7. Security Settings/Policy Report for Domain Controllers
  8. Domain Controller Services
  9. Domain Controller Security Log Settings
  10. Trust Relationships
CONCLUSION
ABOUT THE AUTHOR
ABOUT QUEST SOFTWARE, INC.
CONTACTING QUEST SOFTWARE
CONTACTING QUEST SUPPORT
INTRODUCTION

If there is one thing lacking in native Active Directory functionality, it's reporting. And if there's one thing you absolutely need in order to be secure, control costs and pass audits, it's reporting.

Active Directory (AD) has no built-in reporting capability. An administrator can't even obtain simple listings, such as all user accounts and their properties, or a group membership report, without assembling them by hand. Native command-line utilities such as net user may provide a list of user names, but they omit most account properties, such as description, account restrictions, job title or department. Other utilities, such as csvde, can dump any object and its properties from AD, but many properties (especially security-related ones) are stored as coded or binary values that are impractical for an administrator to analyze by eye: account restrictions are a bit mask in the userAccountControl attribute, and logon and password timestamps are 64-bit FILETIME integers. Technologies such as Windows Management Instrumentation (WMI) and Active Directory Service Interfaces (ADSI) promise easy access to AD and Windows system information, but they require a significant investment by knowledgeable scripting programmers to learn the object models, schema and idiosyncrasies of each technology.

Nevertheless, reporting is indispensable for managing AD, supporting audits and meeting compliance requirements. For medium and large organizations, AD is the repository of thousands of objects critical to the security of the organization, most notably user accounts and groups. Keeping so many objects up to date and accounted for is difficult. And after 10 years of AD auditing experience, I've learned that it's impossible without at least basic reporting capabilities. Without AD reporting, organizations inevitably lose track of user accounts, groups and other objects, leading to security vulnerabilities and policy violations. Moreover, administrators and auditors waste time collecting audit evidence when both could be focusing on higher-value tasks.
This paper describes 10 types of reports that are indispensable for managing AD security, satisfying audit requests and meeting compliance requirements. You need to make sure that your organization can produce these reports and act upon them.

Quest Reporter provides all of these reports. Examples are provided below, and the report definitions are available at Quest's Compliance Suite Community at http://compliancesuite.inside.quest.com/entry!default.jspa?categoryID=82&externalID=2794.
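As an added illustration of the "cryptic codes" point (my own example, not from the paper and not Quest Reporter), the following PowerShell decodes the two kinds of columns a csvde export leaves unreadable: the userAccountControl bit mask and the 64-bit FILETIME integers in pwdLastSet, lastLogon and accountExpires. The export text is constructed for the example, the function names are mine, and the flag values are the ones Microsoft documents for userAccountControl.

```powershell
# Added example (not from the paper or Quest Reporter): decode the coded columns
# of a csvde export. The CSV below is constructed for illustration.
$csvText = @'
DN,sAMAccountName,userAccountControl,pwdLastSet,lastLogon,accountExpires
"CN=Alice Example,OU=Staff,DC=corp,DC=example",alice,512,132914080000000000,132930000000000000,9223372036854775807
"CN=Bob Example,OU=Staff,DC=corp,DC=example",bob,66048,131000000000000000,0,9223372036854775807
"CN=Svc Backup,OU=Service,DC=corp,DC=example",svc-backup,66082,0,0,0
"CN=Carol Example,OU=Staff,DC=corp,DC=example",carol,514,132000000000000000,132100000000000000,132500000000000000
'@

# userAccountControl bit flags (subset) as defined by Microsoft
$UacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x0002
    PASSWD_NOTREQD         = 0x0020
    NORMAL_ACCOUNT         = 0x0200
    DONT_EXPIRE_PASSWORD   = 0x10000
    SMARTCARD_REQUIRED     = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    DONT_REQ_PREAUTH       = 0x400000
    PASSWORD_EXPIRED       = 0x800000
}

function ConvertFrom-FileTimeAttribute {
    # 0 means "never set"; Int64.MaxValue (9223372036854775807) means "never" for accountExpires
    param([string]$Value)
    $n = [int64]$Value
    if ($n -eq 0 -or $n -eq [int64]::MaxValue) { return $null }
    return [DateTime]::FromFileTimeUtc($n)
}

function Expand-UserAccountControl {
    param([int]$Uac)
    $UacFlags.GetEnumerator() | Where-Object { ($Uac -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function ConvertFrom-CsvdeExport {
    param([string]$Text)
    $Text | ConvertFrom-Csv | ForEach-Object {
        $uac = [int]$_.userAccountControl
        [pscustomobject]@{
            sAMAccountName       = $_.sAMAccountName
            Enabled              = -not ($uac -band 0x2)
            PasswordNeverExpires = [bool]($uac -band 0x10000)
            PasswordNotRequired  = [bool]($uac -band 0x20)
            Flags                = ((Expand-UserAccountControl $uac) -join ',')
            PasswordLastSet      = ConvertFrom-FileTimeAttribute $_.pwdLastSet
            LastLogon            = ConvertFrom-FileTimeAttribute $_.lastLogon
            AccountExpires       = ConvertFrom-FileTimeAttribute $_.accountExpires
        }
    }
}

ConvertFrom-CsvdeExport $csvText | Format-Table -AutoSize
```

A real export with the same columns comes from `csvde -f users.csv -r "(objectClass=user)" -l "sAMAccountName,userAccountControl,pwdLastSet,lastLogon,accountExpires"`. Keep in mind that lastLogon in such an export reflects only the domain controller csvde happened to query; report 1 below explains why.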
10 INDISPENSABLE REPORTS

1. Dormant Accounts
Dormant accounts are those whose users have not logged on in a specified amount of time (usually 30 or 90 days). They often belong to terminated employees whose accounts were never disabled or deleted. Failing to disable or delete such accounts creates a major risk: a terminated employee may be able to keep accessing the organization's network and information, and may have reason to do harm. Of course, terminated users who are still accessing the network will be absent from this report, since their accounts will show a recent logon date. Compared with HR records identifying terminated employees, the report therefore serves as a key performance indicator of how effectively the organization disables accounts when a relationship ends.

On some versions of AD, producing a dormant-account report is a special challenge. Each domain controller records the date and time whenever it authenticates a user account (the lastLogon attribute), but this value is never replicated: it is held only by the domain controller that handled the logon. The reporting solution must therefore query every domain controller and take the most recent value for each account. Starting with the Windows Server 2003 domain functional level, AD adds a replicated attribute, lastLogonTimestamp, which eases the problem but is only an approximation: to limit replication traffic it is refreshed only when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random 0 to 5 days), so it can lag the true last logon by roughly two weeks. Windows 2000 domains have no replicated value at all. Disabled and expired accounts should be omitted from the report.

Value Points for Dormant Accounts
- Compliance: Validate the process for disabling accounts of terminated employees
- Security: Identify failures in the termination process
- Cost Savings: Fulfill IT audit requests with practically no effort; allow administrators to focus on higher-value tasks

Quest Reporter Example 1 - Dormant Accounts (figure)
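Here is an added example (mine, not from the paper or Quest Reporter) of the per-DC query the text describes, written for the RSAT ActiveDirectory module, which did not exist when the paper was published. It takes the newest lastLogon across all domain controllers, falls back to the replicated lastLogonTimestamp, and omits disabled, expired and recently created accounts. The function name and the 90-day threshold are assumptions.

```powershell
# Added example (not from the paper or Quest Reporter): dormant-account report
# that queries every DC for the non-replicated lastLogon attribute.
# Requires the RSAT ActiveDirectory module and read access to every DC.
Import-Module ActiveDirectory

function Get-DormantAccountReport {
    param(
        [int]$InactiveDays = 90,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $dcs    = Get-ADDomainController -Filter * -Server $Domain
    $props  = 'lastLogon', 'lastLogonTimestamp', 'whenCreated', 'accountExpires', 'Description'

    # lastLogon is held only by the DC that performed the logon, so collect it from
    # every DC and keep the newest value per account.
    $newest = @{}
    foreach ($dc in $dcs) {
        try {
            Get-ADUser -Server $dc.HostName -Filter * -Properties $props -ErrorAction Stop | ForEach-Object {
                $t = [int64]$_.lastLogon
                if (-not $newest.ContainsKey($_.SamAccountName) -or $t -gt $newest[$_.SamAccountName].LastLogon) {
                    $newest[$_.SamAccountName] = [pscustomobject]@{ User = $_; LastLogon = $t; Source = $dc.HostName }
                }
            }
        } catch {
            # An unreachable DC means the result may be stale for accounts that logged on there.
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }

    foreach ($entry in $newest.Values) {
        $u = $entry.User
        # Replicated value: refreshed only when older than msDS-LogonTimeSyncInterval (14 days default)
        $replicated = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime([int64]$u.lastLogonTimestamp) } else { $null }
        $perDc      = if ($entry.LastLogon -gt 0) { [DateTime]::FromFileTime($entry.LastLogon) } else { $null }
        $last = @($perDc, $replicated) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

        $expires = [int64]$u.accountExpires
        $expired = ($expires -gt 0 -and $expires -ne [int64]::MaxValue -and [DateTime]::FromFileTime($expires) -lt (Get-Date))
        if (-not $u.Enabled -or $expired) { continue }          # omit disabled and expired accounts
        if (-not $last -and $u.whenCreated -gt $cutoff) { continue }   # new account that has not logged on yet
        if ($last -and $last -gt $cutoff) { continue }           # active

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Name            = $u.Name
            Description     = $u.Description
            LastLogon       = $last                                # $null = never logged on
            WhenCreated     = $u.whenCreated
            LastLogonSource = $entry.Source
        }
    }
}

Get-DormantAccountReport -InactiveDays 90 |
    Sort-Object LastLogon |
    Export-Csv -NoTypeInformation dormant-accounts.csv
```

The CSV is meant to be matched against the HR termination list, as the text suggests; an account in both lists is a termination-process failure, an account in the HR list but not in this one (still logging on) is worse.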
2. Users Not Required to Change Passwords

For most organizations, passwords are still the key security control for preventing unauthorized access by both outsiders and insiders. However, humans tend to avoid inconvenience and take shortcuts, which can lead to easy-to-guess passwords, password sharing and other bad practices. To protect passwords, organizations often implement a maximum password age policy that forces users to change their passwords on a regular basis.

AD provides a domain-wide setting, Maximum Password Age, which by default applies to all user accounts in the domain. However, an account-level setting, "Password never expires" (the DONT_EXPIRE_PASSWORD bit of the userAccountControl attribute), overrides the domain setting and exempts particular users from password changes. Audits frequently find that senior employees have intimidated administrators into using this setting to excuse them from password changes. This is dangerous because such employees typically have privileged access to important information and transactions, which makes protecting their passwords even more important. In Windows Server 2008 and later domains, fine-grained password policies can also give selected users or groups a different maximum password age than the domain default, so a complete report shows both the account flag and the password policy that actually applies to each account.

Value Points for Users Not Required to Change Passwords
- Compliance: Validate the control for regular password changes
- Security: Identify policy violations
- Cost Savings: Fulfill IT audit requests with practically no effort; allow administrators to focus on higher-value tasks

Quest Reporter Example 2 - Users Not Required to Change Password (figure)
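The report described above, as an added example (mine, not from the paper or Quest Reporter) for the RSAT ActiveDirectory module: enabled accounts flagged "Password never expires", with the current password age, direct membership in the most powerful groups, and the password policy that would otherwise apply. The function name and the group list are assumptions; Get-ADUserResultantPasswordPolicy needs a Windows Server 2008 or later domain functional level and simply returns nothing where no fine-grained policy applies.

```powershell
# Added example (not from the paper or Quest Reporter): accounts exempt from
# password expiry, with the policy that would apply if they were not.
Import-Module ActiveDirectory

function Get-PasswordNeverExpiresReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $domainMaxAge = (Get-ADDefaultDomainPasswordPolicy -Server $Domain).MaxPasswordAge
    # A TimeSpan of 0 or TimeSpan.MaxValue both mean "no maximum" in the domain policy
    $domainMaxDays = if ($domainMaxAge.TotalDays -gt 0 -and $domainMaxAge -ne [TimeSpan]::MaxValue) { $domainMaxAge.TotalDays } else { $null }

    # Assumed list of groups worth highlighting; extend per environment
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

    Get-ADUser -Server $Domain -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
               -Properties PasswordLastSet, Title, Department, Description, MemberOf, adminCount |
    ForEach-Object {
        $u = $_
        $ageDays = if ($u.PasswordLastSet) { [int](New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).TotalDays } else { $null }

        # Direct membership only; nested membership needs the flattening described under report 4
        $privGroups = @($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' } |
                        Where-Object { $privileged -contains $_ })

        # Fine-grained password policy (PSO) that wins over the domain default, if any
        $pso = Get-ADUserResultantPasswordPolicy -Identity $u -Server $Domain -ErrorAction SilentlyContinue
        $effectiveMaxDays = if ($pso) { $pso.MaxPasswordAge.TotalDays } else { $domainMaxDays }

        [pscustomobject]@{
            SamAccountName      = $u.SamAccountName
            Name                = $u.Name
            Title               = $u.Title
            Department          = $u.Department
            PasswordAgeDays     = $ageDays
            EffectivePolicy     = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            EffectiveMaxAgeDays = $effectiveMaxDays
            # The flag makes the policy moot; this shows how far past it the password already is
            OverdueByPolicy     = ($null -ne $effectiveMaxDays -and $null -ne $ageDays -and $ageDays -gt $effectiveMaxDays)
            AdminCount          = $u.adminCount       # 1 = protected by AdminSDHolder, i.e. (once) privileged
            PrivilegedGroups    = ($privGroups -join ';')
        }
    }
}

Get-PasswordNeverExpiresReport |
    Sort-Object OverdueByPolicy, PasswordAgeDays -Descending |
    Export-Csv -NoTypeInformation password-never-expires.csv
```

Service accounts will dominate this list in most environments; the Description, Title and Department columns are there so a reviewer can separate a documented service account from a senior employee's exemption without opening each object.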
3. Groups with Members

AD groups are used to control access to resources, including file folders, objects in SharePoint, databases, VPN access and other application resources. Administrators and decision makers must periodically review group memberships to ensure that entitlements are appropriate and up to date.

For added value, this report should document the group's name and description and, if used, the Notes field and Managed By information. These fields can be used to document the entitlements granted to the group, as well as the business user who approves any membership changes. Member columns may include user name, full name, description, job title and department, if these fields are populated in AD. Including this information in the report allows reviewers to quickly assess the appropriateness of any entitlement and spot errors.

Value Points for Groups with Members
- Compliance: Validate entitlements and access control
- Security: Identify inappropriate access through outdated or misconfigured group memberships
- Cost Savings: Eliminate laborious GUI-based group membership review

Quest Reporter Example 3 - Groups with Members (figure)
4. Group Nesting

AD allows the nesting of groups. For example, user A may be a member of group 1, which is a member of group 2, which is a member of group 3; therefore, user A is a member of group 3. Group nesting is required by an important best practice for access control in AD, which separates user roles from entitlements using at least two levels of groups.[1]

While group nesting has important benefits, it can lead to confusion and misinterpretation of entitlements, especially as the number of nesting levels increases. Group nesting can become convoluted, and inappropriate entitlements can be missed. To prevent such oversights, reviewers must be able to view a flat list of all group members, including those included by direct membership and those included through nesting. This flat list is especially important for critical business and system groups such as Administrators, Domain Admins and Enterprise Admins. It is not unusual for security audits to find inappropriate access among the members of these powerful groups because administrators lack visibility into group membership. Therefore, a group nesting report that exposes the full set of members for each group is critical.

Value Points for Group Nesting
- Compliance: Validate least-privilege control
- Security: Discover inappropriate users with unlimited authority
- Cost Savings: Eliminate time-consuming and laborious research to reveal the collapsed group membership of nested groups

Quest Reporter Example 4 - Group Nesting (figure)

[1] See http://msdn.microsoft.com/en-us/library/cc246065(PROT.10).aspx.
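The following added example (mine, not the paper's or Quest Reporter's) produces the reports called for in sections 3 and 4 together: one row per group member, direct or nested, with the nesting path that led to the member and the group's Description, Notes (the info attribute) and Managed By fields. It assumes the RSAT ActiveDirectory module; the function names and the three group names at the bottom are only an illustration.

```powershell
# Added example (not from the paper or Quest Reporter): group membership report
# that flattens nesting while keeping the path, plus the group's documentation fields.
Import-Module ActiveDirectory

function Expand-GroupMembers {
    # Depth-first walk; $Visited stops infinite loops on circular nesting (which AD allows)
    param($Group, [string[]]$Chain, [hashtable]$Visited, [string]$Domain)
    if ($Visited.ContainsKey($Group.DistinguishedName)) { return }
    $Visited[$Group.DistinguishedName] = $true
    try {
        # Caveat: fails on groups holding foreign security principals from other forests, and
        # returns at most MaxGroupOrMemberEntries (default 5000) members per call.
        $members = Get-ADGroupMember -Identity $Group -Server $Domain -ErrorAction Stop
    } catch {
        Write-Warning "Cannot enumerate $($Group.Name): $_"
        return
    }
    foreach ($m in $members) {
        if ($m.objectClass -eq 'group') {
            $sub = Get-ADGroup -Identity $m.DistinguishedName -Server $Domain
            Expand-GroupMembers -Group $sub -Chain ($Chain + $sub.Name) -Visited $Visited -Domain $Domain
        } else {
            $member = if ($m.objectClass -eq 'user') {
                Get-ADUser -Identity $m.DistinguishedName -Server $Domain -Properties Description, Title, Department
            } else { $m }   # computers, managed service accounts and so on
            [pscustomobject]@{ Member = $member; Chain = $Chain }
        }
    }
}

function Get-GroupMembershipReport {
    param(
        [Parameter(Mandatory)][string[]]$GroupName,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    foreach ($name in $GroupName) {
        $group   = Get-ADGroup -Identity $name -Server $Domain -Properties Description, info, ManagedBy
        $manager = if ($group.ManagedBy) { (Get-ADObject -Identity $group.ManagedBy -Server $Domain).Name } else { $null }
        Expand-GroupMembers -Group $group -Chain @($group.Name) -Visited @{} -Domain $Domain | ForEach-Object {
            [pscustomobject]@{
                Group            = $group.Name
                GroupDescription = $group.Description
                GroupNotes       = $group.info        # the "Notes" field in the GUI
                ManagedBy        = $manager           # the approver for membership changes, if documented
                Member           = $_.Member.SamAccountName
                FullName         = $_.Member.Name
                ObjectClass      = $_.Member.objectClass
                Description      = $_.Member.Description
                Title            = $_.Member.Title
                Department       = $_.Member.Department
                Direct           = ($_.Chain.Count -eq 1)
                NestingDepth     = $_.Chain.Count - 1
                NestingPath      = ($_.Chain -join ' > ')
            }
        }
    }
}

Get-GroupMembershipReport -GroupName 'Administrators', 'Domain Admins', 'Enterprise Admins' |
    Sort-Object Group, NestingDepth, Member |
    Export-Csv -NoTypeInformation privileged-group-members.csv
```

Enterprise Admins exists only in the forest root domain, so run the report against that domain for it. When only the flat list is needed and the path is not, the LDAP matching rule `memberOf:1.2.840.113556.1.4.1941` does the recursion on the domain controller in one query, for example `Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=<group DN>)"`.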
5. Active Directory Permissions

AD's delegation of control feature allows organizations to implement least-privilege security, under which every user holds only the system authority required to fulfill their role. This reduces the number of users who have powerful administrator authority over AD and over the systems and information in the AD forest.

Granular delegation of AD authority is accomplished through permissions defined on organizational units (OUs). It is very easy to delegate authority, but it is much more difficult to track and verify delegations: most organizations have several dozen to hundreds of OUs, and examining a single OU's access control list in the AD GUI is a multi-step process. Moreover, the GUI gives no visual indication of OUs where the default permissions have changed, so managing and auditing AD permissions is a laborious and error-prone process. A report of AD permissions, especially one that filters for explicitly defined (non-inherited) permissions and highlights principals beyond the built-in defaults, is necessary for managing least-privilege assignment of granular administrative authority.

Value Points for Active Directory Permissions
- Compliance: Validate least-privilege control
- Security: Discover inappropriate user access with privileged system authority
- Cost Savings: Eliminate time-consuming and laborious inspection of each organizational unit's access control list

Quest Reporter Example 5 - Active Directory Permissions (figure)
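An added example (mine, not from the paper or Quest Reporter) of the filtered permissions report: it reads the ACL of the domain head and of every OU through the AD: drive that the RSAT ActiveDirectory module provides, keeps only explicit (non-inherited) ACEs, and flags any principal outside an assumed list of default principals. The function name and the baseline list are assumptions; extend the list to match your own delegation model.

```powershell
# Added example (not from the paper or Quest Reporter): explicit ACEs on the domain
# head and every OU, with principals outside the default set flagged for review.
Import-Module ActiveDirectory   # also creates the AD: drive used by Get-Acl

function Get-OuExplicitPermissionReport {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Principals that legitimately appear in default OU ACLs (assumed baseline)
        [string[]]$ExpectedPrincipal = @(
            'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone',
            'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
            'BUILTIN\Pre-Windows 2000 Compatible Access'
        )
    )
    $dom  = Get-ADDomain -Server $Domain
    $root = Get-ADDomain -Identity (Get-ADForest -Server $Domain).RootDomain
    $expected = $ExpectedPrincipal + @(
        "$($dom.NetBIOSName)\Domain Admins",
        "$($dom.NetBIOSName)\Key Admins",
        "$($root.NetBIOSName)\Enterprise Admins",
        "$($root.NetBIOSName)\Enterprise Key Admins"
    )

    $containers = @(Get-ADObject -Identity $dom.DistinguishedName -Server $Domain) +
                  @(Get-ADOrganizationalUnit -Filter * -Server $Domain)
    foreach ($c in $containers) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }      # explicit ACEs only: that is where delegations live
            $who = $ace.IdentityReference.Value
            [pscustomobject]@{
                Container  = $c.DistinguishedName
                Principal  = $who
                Type       = [string]$ace.AccessControlType
                Rights     = [string]$ace.ActiveDirectoryRights
                # All-zero GUID = the whole object; otherwise an attribute, class or extended-right GUID
                ObjectType = $ace.ObjectType
                AppliesTo  = [string]$ace.InheritanceType
                Unexpected = ($expected -notcontains $who)
            }
        }
    }
}

Get-OuExplicitPermissionReport |
    Where-Object Unexpected |
    Sort-Object Container, Principal |
    Format-Table Container, Principal, Type, Rights, AppliesTo -AutoSize
```

Drop the `Where-Object Unexpected` filter to get the complete explicit-ACE inventory the section asks for; the ObjectType GUID can be resolved to a name against the schema and extended-rights containers when a reviewer needs to know which attribute or right a narrow ACE grants.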
6. General Users Report

Managing user accounts and fulfilling audit requests requires the ability to perform ad hoc analysis of user accounts to answer unforeseen questions. A spreadsheet application lets you quickly filter and sort on various combinations of account properties, if you can import the user account data and properties into the spreadsheet. Therefore, a general users report that includes all account properties, with coded values such as account flags and timestamps translated into readable form, and that can be exported to a spreadsheet is required for efficient analysis and control validation.

Value Points for General Users Report
- Compliance: Facilitate ad hoc analysis of user accounts for validation of various controls
- Security: Ease ad hoc analysis to encourage security analysts to dig deeper and ask more questions
- Cost Savings: Eliminate inefficient one-at-a-time analysis of hundreds or thousands of user accounts

Quest Reporter Example 6 - General Users Report (figure)
7. Security Settings/Policy Report for Domain Controllers

Fundamentally, AD is an application that runs on domain controllers; therefore, AD is only as secure as the Windows operating system on which it runs. While Group Policy should ideally keep all domain controllers configured with consistent security settings, individual domain controllers can end up with inconsistent and insecure settings if Group Policy is configured incorrectly or if a domain controller is inadvertently moved out of the Domain Controllers OU.

The Security Settings/Policy Report for Domain Controllers enables you to assess and track the security configuration state of each domain controller by documenting its actual, locally effective security settings, queried from the domain controller itself rather than inferred from the policy that should have applied.

Value Points for Security Settings/Policy Report for Domain Controllers
- Compliance: Validate system security
- Security: Identify operating system vulnerabilities affecting the entire Active Directory environment
- Cost Savings: Speed up system security reviews and audits; allow administrators to focus on higher-value tasks

Quest Reporter Example 7 - Security Settings/Policy Report for Domain Controllers (figure)
8. Domain Controller Services

As explained in the preceding section, domain controller security is paramount to AD security and to the security of every computer and resource in the AD environment. Background processes (called services in Windows) constitute the doorways into a system from the network. For this reason, domain controllers should be dedicated to domain controller functions only. It is essential to avoid installing any unneeded software and to identify any inappropriate services that appear on domain controllers. Ideally, a report listing all services on each domain controller would also be able to filter out the known services that AD requires, so that anything left over stands out.

Value Points for Domain Controller Services
- Compliance: Validate system security
- Security: Identify operating system vulnerabilities affecting the entire Active Directory environment
- Cost Savings: Speed up system security reviews and audits; allow administrators to focus on higher-value tasks

Quest Reporter Example 8 - Domain Controller Services (figure)
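Sections 7 and 8 call for the same kind of evidence, collected from each domain controller rather than from the policy that should have reached it, so one added example (mine, not from the paper or Quest Reporter) serves both: it snapshots each DC's locally effective security policy (as secedit exports it), its effective audit policy and its installed services, then reports every difference against a reference DC and, independently of the reference, any service whose binary lives outside the Windows directory. It assumes the RSAT ActiveDirectory module, PowerShell remoting to each DC and local administrator rights there; the function names and the choice of reference DC are assumptions.

```powershell
# Added example (not from the paper or Quest Reporter): per-DC configuration
# snapshot and drift comparison for security policy, audit policy and services.
Import-Module ActiveDirectory

function Get-DcConfigurationSnapshot {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $snapshot = @{}
    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain).HostName) {
        try {
            $snapshot[$dc] = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                # (a) effective local security policy, as secedit exports it (INF key=value lines)
                $inf = Join-Path $env:TEMP 'secpol-export.inf'
                secedit /export /cfg $inf /quiet | Out-Null
                $policy = Get-Content $inf | Where-Object { $_ -match '=' -and $_ -notmatch '^\[' } | ForEach-Object { $_.Trim() }
                Remove-Item $inf -ErrorAction SilentlyContinue
                # (b) effective audit policy per subcategory
                $audit = auditpol /get /category:* /r | ConvertFrom-Csv |
                         ForEach-Object { "$($_.Subcategory)=$($_.'Inclusion Setting')" }
                # (c) services: name, start mode and binary path (state omitted: it changes between runs)
                $services = Get-CimInstance Win32_Service |
                            ForEach-Object { "$($_.Name)|$($_.StartMode)|$($_.PathName)" }
                [pscustomobject]@{ Policy = @($policy); Audit = @($audit); Services = @($services) }
            }
        } catch {
            Write-Warning "Cannot snapshot ${dc}: $_"
        }
    }
    return $snapshot
}

function Compare-DcConfiguration {
    param([hashtable]$Snapshot, [string]$ReferenceDc)
    $ref = $Snapshot[$ReferenceDc]
    foreach ($dc in @($Snapshot.Keys) | Where-Object { $_ -ne $ReferenceDc }) {
        foreach ($section in 'Policy', 'Audit', 'Services') {
            Compare-Object -ReferenceObject @($ref.$section) -DifferenceObject @($Snapshot[$dc].$section) |
            ForEach-Object {
                $side = if ($_.SideIndicator -eq '=>') { "only on $dc" } else { "only on $ReferenceDc" }
                [pscustomobject]@{ DC = $dc; Section = $section; Finding = "$side : $($_.InputObject)" }
            }
        }
    }
    # Independent of the reference DC: a service binary outside %SystemRoot% is almost
    # always third-party software, which has no business on a domain controller.
    foreach ($dc in $Snapshot.Keys) {
        foreach ($svc in $Snapshot[$dc].Services) {
            $path = ($svc -split '\|')[2]
            if ($path -and $path -notmatch '^"?(%SystemRoot%|%windir%|[A-Za-z]:\\Windows)\\') {
                [pscustomobject]@{ DC = $dc; Section = 'NonWindowsService'; Finding = $svc }
            }
        }
    }
}

$snapshot  = Get-DcConfigurationSnapshot
$reference = @($snapshot.Keys | Sort-Object)[0]   # ideally the DC most recently validated by hand
Compare-DcConfiguration -Snapshot $snapshot -ReferenceDc $reference |
    Sort-Object DC, Section | Export-Csv -NoTypeInformation dc-config-drift.csv
```

Comparing against a reference DC catches the two failure modes the text names (a DC moved out of the Domain Controllers OU, or a policy that never applied) without needing a hand-written baseline, because a DC that missed the policy differs from its peers on exactly the settings the policy carries. The NonWindowsService check is the "filter out what AD requires" idea turned around: rather than maintaining the list of required services, it shows what was added.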
9. Domain Controller Security Log Settings

The Windows security log allows you to define a maximum log size and configure what action to take once it is reached. The security log is extremely important for providing an audit trail of user and administrator activities, meeting compliance requirements and detecting unauthorized actions. Organizations should already have a log management solution in place that regularly collects logs to a secure server for monitoring, reporting and archival.

However, even with such a solution in place, the local security log settings are critical to the integrity of audit logs. When the log management solution is temporarily down or unreachable, the domain controller's local security log becomes the staging point where security events accumulate until the log management system is operable again and can move them to the central repository. If the security log is not configured to its maximum recommended size (200 MB on Windows 2000 and 300 MB on Windows 2003; those ceilings come from the pre-Vista event log service, and Windows Server 2008 and later accept much larger logs, so size the log to cover the longest collector outage you expect), or is configured to stop logging when the maximum size is reached, there is a greater chance that security events will be lost. To prevent such losses, organizations need a report documenting each domain controller's security log settings.

Value Points for Domain Controller Security Log Settings
- Compliance: Validate monitoring and audit trail controls
- Security: Ensure audit trails are not lost during log management outages
- Cost Savings: Fulfill IT audit requests with practically no effort; allow administrators to focus on higher-value tasks

Quest Reporter Example 9 - Domain Controller Security Log Settings (figure)
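An added example (mine, not from the paper or Quest Reporter) of that report: it reads the Security log configuration from each DC itself, adds the oldest record still held locally (which shows how long the local buffer currently lasts) and the CrashOnAuditFail setting, and flags the two conditions the text warns about. It assumes the RSAT ActiveDirectory module and PowerShell remoting to the DCs; the function name is an assumption, and the 300 MB floor is the paper's figure, exposed as a parameter so it can be raised.

```powershell
# Added example (not from the paper or Quest Reporter): Security log settings of
# every DC, read from each DC, with findings for undersized or non-overwriting logs.
Import-Module ActiveDirectory

function Get-DcSecurityLogReport {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$MinimumSizeMB = 300    # the paper's figure; raise to cover your longest collector outage
    )
    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain).HostName) {
        try {
            $s = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                $log    = Get-WinEvent -ListLog Security
                $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
                # CrashOnAuditFail=1 halts the system rather than lose audit records (a deliberate
                # choice in some policies); 2 means it has fired and only administrators can log on.
                $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name CrashOnAuditFail -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    MaximumSizeMB    = [math]::Round($log.MaximumSizeInBytes / 1MB)
                    # Circular = overwrite oldest as needed; Retain = stop logging when full
                    # (the GUI's "Do not overwrite events"); AutoBackup = archive the log when full
                    LogMode          = [string]$log.LogMode
                    IsEnabled        = $log.IsEnabled
                    RecordCount      = $log.RecordCount
                    OldestRecordUtc  = if ($oldest) { $oldest.TimeCreated.ToUniversalTime() } else { $null }
                    CrashOnAuditFail = if ($lsa) { $lsa.CrashOnAuditFail } else { 0 }
                }
            }
        } catch {
            Write-Warning "Cannot query ${dc}: $_"
            continue
        }
        $findings = @(
            if ($s.MaximumSizeMB -lt $MinimumSizeMB) { "size $($s.MaximumSizeMB) MB below $MinimumSizeMB MB" }
            if ($s.LogMode -eq 'Retain')             { 'stops logging when full' }
            if (-not $s.IsEnabled)                   { 'Security log disabled' }
        )
        [pscustomobject]@{
            DomainController = $dc
            MaximumSizeMB    = $s.MaximumSizeMB
            LogMode          = $s.LogMode
            IsEnabled        = $s.IsEnabled
            RecordCount      = $s.RecordCount
            OldestRecordUtc  = $s.OldestRecordUtc    # how far back the local buffer currently reaches
            CrashOnAuditFail = $s.CrashOnAuditFail
            Finding          = ($findings -join '; ')
        }
    }
}

Get-DcSecurityLogReport -MinimumSizeMB 300 | Format-Table -AutoSize
```

The gap between OldestRecordUtc and now, measured on a busy day, is the real answer to "how long an outage can we absorb": if a DC's Security log already wraps in six hours, a 300 MB setting is not enough regardless of any recommendation.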
10. Trust Relationships

To support single sign-on and the best practice of granting each user one and only one account, AD supports trust relationships. Trusts allow users in other domains and forests to be granted access to resources in the local domain without creating duplicate user accounts locally. For instance, if users in domain B need access to certain resources in domain A, a trust relationship can be defined that allows administrators in domain A to grant that access to the existing user accounts in domain B.

However, when domain A trusts domain B, any weaknesses in domain B's authentication, account management, monitoring or domain controller security are immediately inherited by domain A. These issues drive the need for a report that lists every trust relationship of each domain in a given forest, together with its direction and the settings that limit the exposure, such as SID filtering and selective authentication. A note on terminology: from domain A's point of view, "A trusts B" is an outgoing trust, and it is A's outgoing and two-way trusts that expose A's own resources to the trusted domain's weaknesses, so the report should state the direction explicitly rather than leave it to the reader.

Value Points for Trust Relationships
- Compliance: Validate authentication and single sign-on controls
- Security: Discover weaker trusted domains that expose local domain resources to risk
- Cost Savings: Fulfill IT audit requests with practically no effort; allow administrators to focus on higher-value tasks

Quest Reporter Example 10 - Trust Relationships (figure)
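The trust report, as an added example (mine, not from the paper or Quest Reporter) for the RSAT ActiveDirectory module: one row per trust object in every domain of the forest, with the trustAttributes bits decoded by their MS-ADTS names and a finding for each trust that exposes the local domain without SID filtering or selective authentication. The function name is an assumption; the flag values and the meaning of Direction are Microsoft's.

```powershell
# Added example (not from the paper or Quest Reporter): forest-wide trust report
# with decoded trustAttributes and exposure findings.
Import-Module ActiveDirectory

# trustAttributes bit flags as defined in MS-ADTS
$TrustAttributeFlags = [ordered]@{
    NON_TRANSITIVE                       = 0x1
    UPLEVEL_ONLY                         = 0x2
    QUARANTINED_DOMAIN                   = 0x4     # SID filtering on an external trust
    FOREST_TRANSITIVE                    = 0x8
    CROSS_ORGANIZATION                   = 0x10    # selective authentication
    WITHIN_FOREST                        = 0x20
    TREAT_AS_EXTERNAL                    = 0x40    # forest trust with SID filtering relaxed (/enablesidhistory)
    USES_RC4_ENCRYPTION                  = 0x80
    CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x200
}

function Get-TrustReport {
    param([string]$Forest = (Get-ADForest).Name)
    foreach ($domain in (Get-ADForest -Identity $Forest).Domains) {
        foreach ($t in Get-ADTrust -Filter * -Server $domain) {
            $attr  = [int]$t.TrustAttributes
            $flags = @($TrustAttributeFlags.GetEnumerator() | Where-Object { $attr -band $_.Value } | ForEach-Object Key)
            $direction = [string]$t.Direction
            # Per MS-ADTS, Outbound means THIS domain trusts the target, so the target's
            # accounts can be granted access to this domain's resources.
            $exposesThisDomain = $direction -in 'Outbound', 'BiDirectional'
            $external = -not ($attr -band 0x20)      # intra-forest trusts cannot be SID-filtered

            $findings = @()
            if ($exposesThisDomain -and $external) {
                if (($attr -band 0x8) -and ($attr -band 0x40)) {
                    $findings += 'forest trust with SID filtering relaxed (TREAT_AS_EXTERNAL)'
                }
                if (-not ($attr -band 0x8) -and -not ($attr -band 0x4)) {
                    $findings += 'external trust without SID filtering (QUARANTINED_DOMAIN not set)'
                }
                if (-not ($attr -band 0x10)) {
                    $findings += 'no selective authentication (CROSS_ORGANIZATION not set)'
                }
            }
            [pscustomobject]@{
                Domain        = $domain
                TrustedDomain = $t.Target
                Direction     = $direction
                TrustType     = [string]$t.TrustType
                Attributes    = ($flags -join ',')
                Finding       = ($findings -join '; ')
            }
        }
    }
}

Get-TrustReport | Sort-Object Domain, TrustedDomain | Format-Table -AutoSize
```

SID filtering is what stops an administrator of the trusted domain from injecting a privileged SID of your domain into a user's SID history and walking in as an administrator; selective authentication additionally requires an explicit "Allowed to Authenticate" grant on each resource server before any trusted account can use it. Both are worth a line in the report because neither is visible in the trust's name or direction.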
CONCLUSION

Managing the security of AD, fulfilling audit requests and documenting compliance procedures require the ability to query and report on the thousands of objects in a typical AD environment. Organizations without an effective reporting solution for AD:
- Waste time managing AD and fulfilling audit requests
- Lose track of users and groups, which increases audit findings
- Become vulnerable to major security weaknesses

The visibility into AD provided by robust reporting helps organizations improve security and increase efficiency by eliminating the need to manually search AD objects one by one through the GUI or to write and debug custom scripts. Even in these budget-constrained times, solutions that assist with AD reporting can easily be justified by strengthened security, improved compliance and reduced costs.
ABOUT THE AUTHOR

Randy Franklin Smith is president of Monterey Technology Group, Inc. and creator of the UltimateWindowsSecurity.com Web site and training course series. As a Systems Security Certified Practitioner (SSCP), a Microsoft Most Valuable Professional (MVP) and a Certified Information Systems Auditor (CISA), Randy specializes in Windows security. Randy is an award-winning author of almost 300 articles on Windows security issues for publications such as Windows IT Pro, for which he is a contributing editor and author of the popular Windows Security log series. He can be reached at [email protected].
ABOUT QUEST SOFTWARE, INC.

Quest Software, Inc., a leading enterprise systems management vendor, delivers innovative products that help organizations get more performance and productivity from their applications, databases, Windows infrastructure and virtual environments. For applications, we deliver, manage and control complex application environments from end-user to database. For databases, we improve performance, availability and manageability from design through production. For Windows, we simplify, automate, secure and extend your infrastructure. And for virtual environments, we help you automate and control virtual desktop and server environments to reduce costs and simplify ongoing management. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 100,000 customers worldwide meet higher expectations for enterprise IT. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software
Phone: 949.754.8000 (United States and Canada)
Email: [email protected]
Mail: Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA
Web site: www.quest.com
Please refer to our Web site for regional and international office information.

Contacting Quest Support
Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our web self-service. Visit SupportLink at http://support.quest.com
From SupportLink, you can do the following:
- Quickly find thousands of solutions (Knowledgebase articles/documents).
- Download patches and upgrades.
- Seek help from a Support engineer.
- Log and update your case, and check its status.
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/pdfs/Global Support Guide.pdf