Managing Active Directory is not an easy task, but someone has to do it. If this “someone” is you, then you should always keep in mind that human beings make mistakes, even if they are AD gurus.
To minimize the risk of such mistakes from happening on your watch, I’ll walk you through the most common ones and help ensure that you never make them again.
Mistake #1. Using accounts with admin rights for everyday use
Don’t use domain admin or even local domain accounts for login if you don’t need such privileges. Use a normal account to log onto a machine and a privileged/admin account for elevated access. The reason for this separation is to avoid security breaches such as a spear phishing attack or malware injection while logged into the account with elevated credentials.
Mistake #2. Adding users to Domain Admins group instead of delegating access
Ignoring the concept of the least privilege is a major security issue. Consider a delegated Active Directory security model, especially for common administrative tasks such as unlocking accounts and resetting passwords. You need to carefully evaluate the job duties of everyone who needs to work with AD. Think about specific processes that can be automated. For example, the helpdesk role may include permissions to reset user passwords, connect computers to the domain, and modify certain security groups. Use AD Delegation Best Practices for more efficient management of AD delegation.
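As an added illustration (not code from the original article), here is what the helpdesk delegation described above looks like when granted at the OU level with dsacls. The OU 'OU=Staff,DC=corp,DC=example' and the group 'CORP\Helpdesk' are placeholders for your own OU and delegated group; run it elevated on a machine with the RSAT tools.

```powershell
# Added example, not from the original article. The OU and group are placeholders.
$ou    = 'OU=Staff,DC=corp,DC=example'
$group = 'CORP\Helpdesk'

# Grant only the rights the helpdesk role needs, on user objects in this OU and
# below (/I:S = inherit to sub-objects of the named class), nothing more:
#   CA "Reset Password"  -> reset a user's password without knowing the old one
#   WP pwdLastSet        -> force "user must change password at next logon"
#   WP lockoutTime       -> unlock a locked-out account
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
dsacls $ou /I:S /G "${group}:WP;pwdLastSet;user"
dsacls $ou /I:S /G "${group}:WP;lockoutTime;user"

# Verify: the ACL should now show the helpdesk group with exactly those entries
# and no generic Full Control.
dsacls $ou | Select-String -Pattern 'Helpdesk'
```

Joining computers to the domain and editing specific groups are delegated the same way, each with its own narrowly scoped entry, so a compromised helpdesk account never carries Domain Admins rights.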
Mistake #3. Having poor backup/recovery plans
If someone deletes an Active Directory object, how quickly can you recover from this unauthorized change? Planning and testing recovery options are a must for every organization that wants to recover quickly from mistakes. Configure and use the AD tombstone or Recycle Bin feature to recover deleted AD objects.
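The Recycle Bin workflow in practice, as an added example that is not part of the original article: enable the feature once per forest, then locate and restore a deleted object. The forest name comes from the environment; the deleted account 'jdoe' is a placeholder. It assumes the RSAT ActiveDirectory module and Enterprise Admins rights for the enable step.

```powershell
# Added example, not from the original article. 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

# 1. Enable the AD Recycle Bin once per forest. This is irreversible and needs
#    Enterprise Admins; objects deleted BEFORE enabling it are plain tombstones
#    with most attributes stripped and cannot be fully restored this way.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name -Confirm:$false
}

# 2. Find the deleted object. A recycled object keeps its attributes (including
#    sAMAccountName and its last known parent OU) for the deleted-object lifetime.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and SamAccountName -eq "jdoe"' `
    -IncludeDeletedObjects -Properties SamAccountName, LastKnownParent, whenChanged

# 3. Restore it into its original OU. If the parent OU was deleted as well, restore
#    the OU first or pass -TargetPath to place the object elsewhere.
if ($deleted) {
    $deleted | Restore-ADObject
    Write-Host "Restored $($deleted.SamAccountName) into $($deleted.LastKnownParent)"
} else {
    Write-Host 'No deleted object with that name found.'
}
```

Test this on a lab account before you need it for real; the recovery plan is only as good as the last time someone actually ran it.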
Mistake #4. Managing Active Directory from your domain controllers
This means that the administrator logs into a domain controller interactively and launches the management tools from the server. This bad practice isn’t limited to regular AD object management—it also occurs with the Group Policy Management, DHCP, and DNS consoles. As best practices suggest, domain controllers should only run the roles required for domain services (the DNS role is part of that, but a DC should not point its own DNS client at itself as the primary server; point it at another DC first), and all daily administration should take place on protected administrative workstations.
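Two checks a practitioner would run on a domain controller to see whether it follows the advice above, added here as an example and not taken from the original article: which roles are installed beyond AD DS and DNS, and whether the DC's DNS client points at itself first. It assumes Windows Server with the ServerManager and NetTCPIP modules present (both ship with the OS).

```powershell
# Added example, not from the original article. Run on a domain controller.
Import-Module ServerManager

# 1. Roles installed on this DC. Anything beyond AD DS and DNS (plus what they
#    pull in) is a candidate for moving off the domain controller.
Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
    Select-Object Name, DisplayName |
    Format-Table -AutoSize

# 2. DNS client settings: the primary DNS server should be another DC, not this
#    one, so the DC can locate a replication partner during startup.
$self = (Get-NetIPAddress -AddressFamily IPv4).IPAddress + '127.0.0.1'
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        [pscustomobject]@{
            Interface         = $_.InterfaceAlias
            PrimaryDns        = $_.ServerAddresses[0]
            PointsAtSelfFirst = $self -contains $_.ServerAddresses[0]
        }
    } |
    Format-Table -AutoSize

# 3. Day-to-day administration belongs on a protected admin workstation. On a
#    Windows 10/11 client, install the RSAT AD tools there instead of logging on
#    to the DC (commented out because it is run on the workstation, not the DC):
# Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
```

Any row with PointsAtSelfFirst set to True, or any extra role in the first table, is something to fix before it becomes an outage or an exposure.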
Mistake #5. Not terminating stale accounts
Stale accounts should be disabled and then deleted, because if you leave them untouched, a former employee or a malicious user can use them for data exfiltration. A healthy AD environment is a clean AD environment. When an administrator leaves stale users, computers, groups, or even GPOs around, they also unnecessarily complicate their environment.
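The disable-then-delete process described above, as an added example that is not code from the original article. It reports enabled user accounts with no logon in 90 days, then stages them: annotate, disable, and move to a holding OU, with deletion left for a later review pass. The 90-day threshold, the holding OU 'OU=Disabled,DC=corp,DC=example' and the report path are placeholders; the ActiveDirectory module is assumed.

```powershell
# Added example, not from the original article. Threshold, OU and path are placeholders.
Import-Module ActiveDirectory
$inactiveFor = New-TimeSpan -Days 90
$holdingOU   = 'OU=Disabled,DC=corp,DC=example'
$report      = "C:\Reports\stale-users-$(Get-Date -Format yyyyMMdd).csv"
$cutoff      = (Get-Date).Add(-$inactiveFor)

# Candidates: enabled users with no logon inside the window. LastLogonDate comes
# from lastLogonTimestamp, which replicates with up to a 14-day lag, so treat the
# list as candidates to review, not as proof. Accounts created after the cutoff
# are skipped so a brand-new user who has not logged on yet is not swept up.
$stale = Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet, whenCreated, Description |
    Where-Object { $_.whenCreated -lt $cutoff }

# Keep a record of what was found and why, before touching anything.
$stale |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, whenCreated, DistinguishedName |
    Export-Csv -Path $report -NoTypeInformation

# Stage 1 (reversible): annotate, disable, move. -WhatIf previews the changes;
# remove it once the report has been reviewed.
foreach ($user in $stale) {
    $note = "Disabled as stale on $(Get-Date -Format u) by $env:USERNAME; was in $($user.DistinguishedName)"
    Set-ADUser      -Identity $user -Description $note -WhatIf
    Disable-ADAccount -Identity $user -WhatIf
    Move-ADObject   -Identity $user -TargetPath $holdingOU -WhatIf
}
# Stage 2 (deletion) is a separate pass over the holding OU after the agreed
# retention period, e.g. objects whose Description shows a disable date older
# than 30 days.
```

Computers are handled the same way with -ComputersOnly and Get-ADComputer; leaving the original DN in the description makes it trivial to put an account back if someone returns from long leave.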
Mistake #6. Having poor password policies in place
Before you pin the vulnerability of passwords on the bad habits of users, compare your own policies against your compliance requirements and password best practices. Here are just a few tips:
- Never set a user’s password to never expire.
- Set a service account’s password to not expire, and then schedule a regular reset.
- Using the same password for multiple accounts means that an attacker holds the master key as soon as they compromise one service.
- Use different passwords for your work, personal email, Facebook account, etc.
- Follow Password Best Practices to better manage passwords.
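A check that turns the first two tips into a report, added as an example and not taken from the original article: it shows the domain's effective password policy, lists enabled accounts whose password never expires, and flags service accounts whose "never expires" password has gone past its rotation date. It assumes the ActiveDirectory module, that service accounts are named with an 'svc-' prefix (placeholder naming convention), and a 365-day rotation interval (placeholder).

```powershell
# Added example, not from the original article. 'svc-' prefix and 365 days are placeholders.
Import-Module ActiveDirectory

# Domain-wide policy as actually enforced, to compare with the written standard.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration |
    Format-List

# Enabled accounts whose password is set to never expire.
$never = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName

$people   = $never | Where-Object { $_.SamAccountName -notlike 'svc-*' }
$services = $never | Where-Object { $_.SamAccountName -like    'svc-*' }

# Tip 1: a person's password must expire. Every row here is a policy violation.
Write-Host "Users with non-expiring passwords: $($people.Count)"
$people | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize

# Tip 2: service accounts may be set to not expire, but must be reset on a schedule.
# Flag any whose password is older than the rotation interval or was never set.
$rotateAfter = (Get-Date).AddDays(-365)
$overdue = $services |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $rotateAfter }
Write-Host "Service accounts overdue for rotation: $($overdue.Count)"
$overdue |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'HasSPN'; Expression = { [bool]$_.ServicePrincipalName } } |
    Format-Table -AutoSize
```

The HasSPN column matters because an account that both has a service principal name and a years-old password is exactly the kind of target an attacker looks for, so those rows go to the top of the rotation list.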
Mistake #7. No Active Directory auditing and monitoring
Monitor your AD health and quickly troubleshoot outages. Increase the event log size on your domain controllers to the maximum. Always track changes in your Active Directory, especially changes to the Domain Admins group. To track changes you need to enable an audit policy; follow best practices to configure it properly. Tracking changes will definitely ease your investigation and troubleshooting process.
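The three steps above in practice, as an added example that is not part of the original article: enable the audit subcategories that record group and account changes, enlarge the Security log, and then pull the events that show who was added to Domain Admins. It assumes an elevated session on a domain controller; the 1 GB log size and the 7-day window are placeholders. In a real deployment the auditpol settings are pushed by GPO (Advanced Audit Policy Configuration) rather than set by hand on each DC.

```powershell
# Added example, not from the original article. Log size and time window are placeholders.

# 1. Audit policy: subcategories that record membership and account changes.
#    (If a GPO also sets advanced audit policy, it overrides these local values.)
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. Security log size: the default on a DC is far too small to keep a useful history.
wevtutil sl Security /ms:1073741824

# 3. Review: who was added to a privileged group in the last 7 days?
#    4728 = member added to a security-enabled global group (Domain Admins is global)
#    4756 = member added to a security-enabled universal group (Enterprise Admins)
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4756; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named fields out of the event XML instead of parsing the message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Group     = $data['TargetUserName']   # the group that was modified
            Member    = $data['MemberName']       # DN of the account that was added
            ChangedBy = $data['SubjectUserName']  # who made the change
        }
    } |
    Where-Object { $_.Group -in 'Domain Admins', 'Enterprise Admins' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Because these events live only on the DC that processed the change, run the review against every DC or, better, forward the Security logs to a central collector and alert on 4728/4756 for privileged groups as they arrive rather than on a weekly look-back.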
Have you found any of the listed mistakes are common for your domain? Keep it a secret, quickly correct them, and pretend you’ve always been managing Active Directory like a pro!