How to avoid 10 common Active Directory mistakes

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Managing user privileges in a Windows environment presents numerous challenges for admins tasked with keeping everyone's information safe and secure. Serious damage can be done by people with elevated privileges and bad intentions, but sometimes the vulnerabilities are introduced by the IT admins who manage Active Directory (AD) themselves. Below are 10 common mistakes:

1. Everyday accounts with elevated credentials. Most security-savvy organizations avoid this mistake by giving users who need elevated privileges, such as domain admins, two accounts: a normal account for logging onto their workstation, reading mail and browsing, and a separate privileged account (often distinguished by a suffix such as .adm) that is used only for administrative work. The reason for the separation is damage limitation: a spear phishing attack that lands while the user is logged on with elevated credentials hands those credentials to the attacker, whereas one that lands in the everyday account does not.

2. Turning off object protection. Have you ever been working on something, hit the delete key, and realized just how big a mistake you were about to make, if it weren't for the confirmation asking whether you were sure? This is usually followed by moving the mouse to the cancel button with brain-surgeon precision. In Active Directory the equivalent safeguard is the "Protect object from accidental deletion" flag, which places Deny entries for Delete and Delete Subtree on the object (and Deny Delete Child on its parent) so that a stray delete fails instead of succeeding; it is on by default for OUs created with the usual tools. A better option than relying on reflexes is to never turn object protection off.
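The check a practitioner would want for point 2, as an added example that is not from the article: report every OU whose protection flag has been cleared, then set it back. It assumes the ActiveDirectory PowerShell module (RSAT) and rights to modify the OUs; the -WhatIf switches are left in so the script reports rather than changes until you remove them.

```powershell
# Added example (not from the original article): find OUs that are not
# protected from accidental deletion and turn the protection back on.
# Assumes the ActiveDirectory module and rights to modify the OUs.
Import-Module ActiveDirectory

# Report first: every OU whose "Protect object from accidental deletion"
# flag is off. The flag is exposed as the ProtectedFromAccidentalDeletion
# property, which the cmdlet computes from the Deny ACEs on the object.
$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }

"Unprotected OUs: $($unprotected.Count)"
$unprotected | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# Then fix. Setting the flag writes the Deny Delete / Delete Subtree ACEs.
# Remove -WhatIf to apply.
$unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true -WhatIf

# The same property exists on any object (users, groups, containers), so
# critical non-OU objects can be protected the same way with Set-ADObject.
Get-ADGroup -Identity 'Domain Admins' |
    Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf
```

Note that the flag only blocks deletion of the flagged object; a delete of a parent OU still fails because the parent carries Deny Delete Child, which is why protecting the OU hierarchy is the part that matters most.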

3. No consistent way to deal with obsolete accounts. Have you ever seen an Active Directory with significantly more user accounts than actual users in the organization? This is often a telltale sign of an organization without a good policy for dealing with obsolete accounts. Enabled accounts that aren't actively being used are one of the biggest security threats in any organization: nobody notices when one of them is logged into by someone other than its former owner. Develop a plan to disable, and ultimately delete, obsolete accounts on a fixed schedule.
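One way to turn point 3 into a repeatable process, as an added example that is not from the article: a two-stage sweep that disables enabled user accounts with no logon for 90 days and stamps the disable date into the description, then deletes accounts that have sat disabled for a further 180 days. The thresholds, the description format and the reliance on lastLogonTimestamp are assumptions of the example; -WhatIf is left in so the script reports until you remove it.

```powershell
# Added example (not from the original article): two-stage cleanup of
# obsolete user accounts. Assumes the ActiveDirectory module and rights to
# modify and delete users. Thresholds are constructed policy values.
Import-Module ActiveDirectory

$DisableAfterDays = 90    # enabled but unused this long -> disable
$DeleteAfterDays  = 180   # disabled and untouched this long -> delete
$Now = Get-Date

# Stage 1: enabled user accounts with no logon in $DisableAfterDays.
# Search-ADAccount reads lastLogonTimestamp, which replicates but is only
# updated when the previous value is more than ~14 days old, so treat the
# threshold as approximate rather than exact.
$stale = Search-ADAccount -AccountInactive -UsersOnly `
            -TimeSpan (New-TimeSpan -Days $DisableAfterDays) |
         Where-Object { $_.Enabled }

foreach ($acct in $stale) {
    # Stamp the description first so the disable date survives for stage 2
    # and for anyone who later asks why the account is off.
    Set-ADUser -Identity $acct.DistinguishedName `
        -Description ("Disabled as stale on {0:yyyy-MM-dd}" -f $Now) -WhatIf
    Disable-ADAccount -Identity $acct.DistinguishedName -WhatIf
}

# Stage 2: disabled accounts whose stamped date is older than $DeleteAfterDays.
# Only accounts carrying our own stamp are deleted, so accounts disabled by
# hand for other reasons (leave of absence, legal hold) are left alone.
Get-ADUser -Filter 'Enabled -eq $false' -Properties Description |
    Where-Object {
        $_.Description -match '^Disabled as stale on (\d{4}-\d{2}-\d{2})$' -and
        ([datetime]$Matches[1]).AddDays($DeleteAfterDays) -lt $Now
    } |
    Remove-ADUser -WhatIf
```

Service accounts that never log on interactively still update lastLogonTimestamp when they authenticate, so they are handled correctly by stage 1; accounts that are legitimately dormant (seasonal staff, break-glass accounts) should be excluded by group or OU before the sweep runs.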

4. Putting all your eggs in the basket of the brilliant scripter. A mistake many organizations make when it comes to mission-critical scripting is depending on a single scripter who is the only one who can make the scripts work. Make sure at least two people understand, have access to, and can create and modify every script running in your environment. This removes the single point of failure in case the person who wrote the script leaves your organization.

5. Putting users in Domain Admins. When in doubt, delegate rights. Despite the flexibility Active Directory provides for delegation, it has been 14 years since Windows NT and people still add users to Domain Admins instead of doing proper delegation. Ignoring the concept of least privilege is a major security issue: a member of Domain Admins can do anything on any machine in the domain, so the compromise of any one of those accounts is a compromise of the whole domain.
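What proper delegation looks like for point 5, as an added example that is not from the article: first enumerate who effectively holds Domain Admins (nested groups included), then grant a helpdesk group only the rights it needs to reset passwords and unlock users under one OU. The OU and group names are constructed; the schema and extended-right GUIDs are looked up from the forest rather than hard-coded, so the script works in any forest. It assumes the ActiveDirectory module and rights to modify the OU's ACL.

```powershell
# Added example (not from the original article): audit Domain Admins and
# delegate password reset / unlock on one OU instead of adding more admins.
# Assumes the ActiveDirectory module; OU and group names are constructed.
Import-Module ActiveDirectory

# 1. Who actually holds Domain Admins today? -Recursive expands nested
#    groups, which is where surprise members usually hide.
$da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
"Effective Domain Admins: $(@($da).Count)"
$da | Select-Object SamAccountName, objectClass | Format-Table -AutoSize

# 2. Delegate the specific rights a helpdesk needs on user objects under
#    one OU: the Reset Password extended right, plus write access to
#    pwdLastSet (to force change at next logon) and lockoutTime (to unlock).
$ou    = 'OU=Sales,DC=corp,DC=example,DC=com'     # constructed
$group = Get-ADGroup -Identity 'Helpdesk-PwdReset' # constructed

# Resolve GUIDs from this forest's schema and extended-rights container.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -Filter "lDAPDisplayName -eq '$ldapDisplayName'" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID          # stored as a byte array
}
function Get-RightsGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -Filter "displayName -eq '$displayName'" -Properties rightsGuid
    [Guid]$obj.rightsGuid            # stored as a string
}

$userClass   = Get-SchemaGuid 'user'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$resetPwd    = Get-RightsGuid 'Reset Password'

$sid     = $group.SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Each rule is scoped with inheritedObjectType = user, so it applies to
# user objects under the OU and to nothing else (not groups, not computers).
$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $extRight,  $allow, $resetPwd,    $inherit, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $writeProp, $allow, $pwdLastSet,  $inherit, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $writeProp, $allow, $lockoutTime, $inherit, $userClass)
)

$acl = Get-Acl -Path "AD:\$ou"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ou" -AclObject $acl -WhatIf   # remove -WhatIf to apply
```

Scoping the rules to the Sales OU means a helpdesk operator cannot reset the password of anyone outside it, and in particular cannot reset an administrator's password, which is the escalation path that unscoped password-reset delegation opens. Admin accounts should live in an OU the helpdesk group has no rights over.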

6. Poor Active Directory design. I once heard of an organization that structured its Active Directory design based on the alphabet. There were 26 top-level OUs, one for each letter. Under each top-level OU were functional OUs like Sales, Marketing, Development, etc., each replicated 26 times. Needless to say, provisioning and de-provisioning of user accounts, group policy management, and permissions management were a nightmare to support. Shortcuts were taken, and most users ended up with too many rights.

7. Refusing to extend the schema under any circumstances. Any good Active Directory administrator will tell you that extending the schema in your AD is not a decision that should be made lightly. Once you roll out a schema extension there is no native way to roll it back. This is not to say there is never a good time to extend the schema. Weigh the pros and cons of addressing your business-critical issue with a solution that extends the schema versus one that does not. If the best decision is to extend the schema, do so with caution, and test the extension in a lab forest first. Even though you cannot delete extensions once deployed, they can be marked defunct, which deactivates them and renders them inert.

8. Poor backup/recovery plans. If someone deletes 10,000 directory objects today, how quickly can you recover? If an automated feed from HR improperly modifies the telephone number on thousands of users, how do you recover? Planning and testing recovery options are a must for every organization that wants to recover quickly from mistakes. Figuring out how to recover only after an automated feed or user error has hit puts you behind the eight ball and extends the downtime.
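Both scenarios in point 8 have a direct answer, shown here as an added example that is not from the article: enable the AD Recycle Bin so deleted objects can be restored with their attributes intact, restore a batch of deleted users from one OU, and snapshot the attributes an HR feed touches before it runs so they can be put back afterwards. The OU, the snapshot path and the one-day window are constructed; it assumes the ActiveDirectory module, a forest functional level of Windows Server 2008 R2 or higher for the Recycle Bin, and enterprise admin rights for the enable step.

```powershell
# Added example (not from the original article): recover from a mass
# deletion and from a bad attribute feed. Assumes the ActiveDirectory module;
# OU, path and time window are constructed values.
Import-Module ActiveDirectory

# 1. Enable the AD Recycle Bin. This is forest-wide and cannot be undone,
#    but afterwards deleted objects keep their attributes and group links
#    for the deleted-object lifetime instead of being stripped to tombstones.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name -WhatIf

# 2. Mass deletion: restore every user deleted from one OU in the last day.
#    Restore-ADObject puts each object back under its lastKnownParent, so if
#    the OU itself was deleted, restore the OU first, then its children.
$since = (Get-Date).AddDays(-1)
$ouDn  = 'OU=Sales,DC=corp,DC=example,DC=com'   # constructed
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and whenChanged -gt $since } `
    -Properties lastKnownParent, whenChanged |
    Where-Object { $_.lastKnownParent -eq $ouDn }
"Deleted users found under ${ouDn}: $(@($deleted).Count)"
$deleted | Restore-ADObject -WhatIf

# 3. Bad feed: snapshot the attributes the feed writes before each run.
$snapshot = 'C:\ADBackups\telephone-before-feed.csv'   # constructed
Get-ADUser -Filter * -Properties telephoneNumber |
    Select-Object SamAccountName, telephoneNumber |
    Export-Csv -Path $snapshot -NoTypeInformation

# ... the HR feed runs here. If it clobbers telephoneNumber, replay the
# snapshot; an empty value in the snapshot means the attribute was unset.
Import-Csv -Path $snapshot | ForEach-Object {
    if ($_.telephoneNumber) {
        Set-ADUser -Identity $_.SamAccountName -Replace @{ telephoneNumber = $_.telephoneNumber } -WhatIf
    } else {
        Set-ADUser -Identity $_.SamAccountName -Clear telephoneNumber -WhatIf
    }
}
```

The snapshot-and-replay step is cheap enough to run before every feed, and it recovers from attribute corruption that neither the Recycle Bin nor a system-state backup addresses, since the objects were never deleted. Testing the replay against a lab copy before you need it is what turns this from a script into a recovery plan.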

9. Too slow to modernize. Not many companies want to be on the bleeding edge of any software rollout; however, being four to five major versions behind is the other extreme. When the trigger to upgrade is end of support, you have missed out on years of advances (security features among them) that you could not capitalize on because of the age of your infrastructure. You don't need to run the latest version of AD days after it is released; however, running extremely dated versions presents numerous challenges. Put together a modernization plan for your Active Directory domain controllers that keeps you close to the current code stream without living constantly on the upgrade treadmill.

10. Shared administrative accounts. I once worked with an organization that failed an audit because too many users belonged to the Domain Admins group. To resolve this issue, the company removed all users from Domain Admins and added back only two accounts. The problem was that everyone who used to have a domain admin account received the logon information for the two new domain admin accounts.

This company didn't actually decrease the number of people with elevated privileges; it removed a layer of security and accountability by allowing users to share privileged accounts. When numerous people share the credentials to an account, there is no way to tie an action in the logs back to the person who performed it.

BeyondTrust's company focus: BeyondTrust empowers organizations by delivering Privileged Account Management and Vulnerability Management solutions that reduce IT security risks and simplify compliance reporting across heterogeneous IT environments.

Stories by Rod Simmons

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts